Powered by Blogger.
Home » » Module 08: Web Application Penetration Testing Methodology 3

Module 08: Web Application Penetration Testing Methodology 3

Written By AKADEMY on Thursday, July 4, 2019 | 10:09 PM

Exercise 3: Pentesting Identified Web Applications Vulnerabilities

Scenario

In the previous lab exercise, you have performed web application vulnerability analysis using Vega. In that exercise, the web app scanner discovered two major vulnerabilities - XSS and SQL Injection. When attackers identify such vulnerabilities, they gain access to sensitive information, leading to the data breach.
As a Penetration Tester, you should have knowledge of how to pentest these vulnerabilities and extract sensitive data.
In this lab, you will learn how to:
i. Pentest a cross-site scripting vulnerability using java script
ii. Pentest a SQL injection vulnerability using sqlmap
Lab Duration30 Minutes
  1. In this task, we are going to perform Cross-Site Scripting attack on www.luxurytreats.com website since we found in the previous exercise that this site possesses XSS vulnerability.
  2. Click Kali Linux (External Network).
    If Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  3. Type root in the Username field and click Next.
    Screenshot
  4. Type toor in the password field and click Sign In.
    Screenshot
  5. Launch a web browser, type http://www.luxurytreats.com and press Enterto launch the luxurytreats website as shown in the screenshot.
    Screenshot
  6. Click on the Contact page from the menu (at top-right). Contact page appears as shown in the screenshot.
    Screenshot
  7. Enter any email id in the Email field.
    Type <script>alert("XSS attack")</script> in the Comment field and click Save Comment.
    Here, we have used abc@testmail.com as a sample mail ID. You can use any email ID as per your preference.
    Screenshot
  8. A pop-up window appears displaying XSS attack. This proves that the website is vulnerable to XSS attack.
    Click OK and close all the opened windows.
    Screenshot
  9. Comment Successfully Added! will appear displaying the email ID which you have entered in the Email field.
    This suggests that the script has been stored in the backend database and whenever you try to open the Contact page, this script will get executed and the pop-up window displaying XSS attack appears. You can attempt this by reloading the Contact page.
    Screenshot
  10. Close all the opened windows.
  11. From our Vega scan in the previous exercise, we have observed that www.luxurytreats.com is vulnerable to SQL Injection attack. Here we are going to attempt SQL Injection attack on the website to extract sensitive information from its database.
    Screenshot
  12. Double-click on SQL Injection Request file on Desktop to open the file.
    Screenshot
  13. SQL Injection Request File opens up as shown in the screenshot.
    Screenshot
  14. Select all the content, right-click on it and click Copy to copy the complete request content. Minimize the text editor after copying.
    Screenshot
  15. Now we shall use sqlmap to extract databases.
    To extract, open a command terminal, type the following command and press Enter.
    sqlmap -u "www.luxurytreats.com" --method POST --data "[Copied POST Request]" --dbs
    Screenshot
  16. sqlmap displays a notification guessing the backend database as Microsoft SQL Server and asks you if you want to skip test payloads specific for other DBMSes.
    Type y and press Enter to skip test payloads specific for other DBMSes.
    Screenshot
  17. Type Y and press Enter to include all the tests for Microsoft SQL Server extending provided level (1) and risk (1) values.
    Screenshot
  18. Type N and press Enter to skip testing the other parameters.
    Screenshot
  19. sqlmap extracts all the databases in the DBMS as shown in the screenshot below.
    In this lab, we shall target the hotel database.
    Screenshot
  20. Type sqlmap -u "www.luxurytreats.com" --method POST --data "[Copied POST request]" -D hotel --tables and press Enter to extract tables in the hotel database.
    Screenshot
  21. The tables in hotel database are extracted as shown in the screenshot. We will use CustomerLogin table and extracts its details in the next step.
    Screenshot
  22. Type sqlmap -u "www.luxurytreats.com" --method POST --data "[Copied POST request]" -D hotel -T CustomerLogin --dump and press Enter to dump all the details of CustomerLoginTable.
    Screenshot
  23. sqlmap displays a notification asking you whether you want to store hashes to a temporary file. Type N and press Enter.
    Screenshot
  24. Type Y and press Enter to crack the hashes via a Dictionary-based attack.
    Screenshot
  25. sqlmap asks you to choose a dictionary. Type 1 and press Enter to choose sqlmap default dictionary file.
    Screenshot
  26. Type N and press Enter if you are prompted regarding common password suffixes as shown in the screenshot.
    Screenshot
  27. The passwords for the respective usernames are cracked as shown in the screenshot.
    The screenshot also displays the columns present in the CustomerLogin table.
    Screenshot
  28. Launch the Firefox web browser and browse http://www.luxurytreats.com website.
    Use username admin and password Passw0rd to log in to the website as shown in the screenshot.
    Screenshot
  29. You will be successfully logged into the website with the cracked credentials.
    Screenshot
  30. Close all the opened windows.
In this lab, you have learned how to pentest XSS and SQL injection vulnerabilities that were discovered by web application vulnerability scanner
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT