Web application penetration testing: Tools and Techniques for web security auditing

Every pentester has it's own tool and technique for web app security auditing, Some time it depend on the type of website  we are pentesting. We are gonna see some common tool and technique that can help us to audit our web application security.

Detecting web application firewall and other services

You can start with by detecting is there any web application firewall in use? Later we can see if there's any way to bypass it. 

Recommend tool : 

fofa.so It is a cyberspace search engine launched by White Hat. It can help researchers or enterprises quickly match network assets by performing cyberspace mapping, for example, analyzing the scope of vulnerability. 

shodan.io It is most poplar search engine among pentester for finding various online vulnerable IoT devices, online open ports from various web servers.

wafw00f  This tool allow you to detect and identify what Web Application is in use that is protecting the website. 

Bypassing Cloudflare

Many website uses CloudFlare for CDN and mitigation DDoS Attack , it is necessary to get the real IP of the website so that further exploitation can be carry on which could be hidden behind CloudFlare.

Recommend tool:  

cloud-buster This tool will help you to resolve CloudFlare and you can get the IP address of the website behind the firewall. 

CloudFail Similar to cloud-buster this tool will check for DNS misconfiguration and old database record to help you find hidden IP behind the CloudFlare network. 

Whois Record,Reverse IP lookup and DNS enumeration 

Whois record can help you to find you info about the target website like database information that stores registered users information. These type of info can be useful for Social Engineering Attack.

Recommend Tools : https://www.whois.com/whois

Next step should getting DNS related information like mail exchange server, name server , getting zone transfer info that can help us to find misconfiguration and gather information about topology of their network and to determine which machine is accessible. 

Recommend Tools: 

Online resource: 

https://securitytrails.com This website will help you to get almost all DNS related information about the website like DNS records, Historical data , A records , MX records etc.

DNSdumpster  It's a free domain research tool to find that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.

CLI tools :  
amass : In-Depth DNS Enumeration and Network Mapping
 

dnsrecon This is dns enumeration tool to discover various dns related information

Dig , dnsenum, nslookup ( for windows) . 

 Reverse IP lookup is a technique to find if there's any other website is hosted on the same server, this will help us to find if the website is using any shared hosting or not.  

Recommend tools: 

Yougetsignals This website contain lot of online resource like reverse IP lookup, Reverse E-mail lookup etc. 

https://hackertarget.com/reverse-ip-lookup Similar to yougetsignal will perform reverse IP lookup

Web Technology Detection 

These days websites are using various web technologies like some content management framework ,various JavaScript plugins etc. Knowledge of what web technologies are the target website using can make it easy to find vulnerability on the website by finding security holes on one of those web technologies that the site is using. 

Recommend tools: 
Wappalyzer It is a cross platform tool which can help you to identify technologies that the websites are using. It come in both Firefox and chrome extension.   

builtwith.com Similar to wappalyzer this website can help you to identify various running technology on a website .

Information gathering about the organization  

During pentesitng geting as much information about the organization is very important like information of the website owner, who are their employee, getting information about their employee is also important and LinkedIn is a good source for getting information about the organization so that we can make our social engineering attack infallible. 

Recommend Tools:

Raven raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using LinkedIn. 

ScrapedIn This tool will help you to scrape LinkedIn without API restrictions for data reconnaissance.

theHarvester This is very popular OSINT tool for gathering names, emails, subdomains, virtual hosts, open ports/banners, and employee names from different public sources of an organization.
 

 Scanning Hidden directory 

Scanning web directory could be a good way to find admin panels of a website if you have got password using some social engineering attack. This can also help you to get some hidden directories.

Recommend tools: 
DIRB  It is a fast web content scanner tool, it can help a pentester to find hidden directory of a website.It works by launching dictionary attack against the target website .

dirsearch Another fast web path scanner which work based on dictionary attack. 

Subdomain Enumeration 

Subdomain enumeration is important for a web pentesting. If the website is using a subdomain for some services and later they stop using it but forgot to remove that subdomain redirection pointing to the website. In this case the attacker can register the subdomain. Now the attacker can clone the website and can phish users to get their login credentials by adding login forms. 

Recommend Tools: 
aquatone : A fast subdomain brute force tool for subdomain enumeration.

Sublist3r Similar to aquatone Fast subdomains enumeration tool for penetration testers.
 

Exploitation

After getting what technology is in use we can check if there's any outdated version is running and if there's any outdated version is running we should check is if there's any exploit available for that version or not. 

Recommend Tools:

Exploit-Database Maintained by Offensive Security This  Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software this can help you to get exploits for various outdated vulnerable software.

Searchsploit Command line version of exploit-db 

https://cxsecurity.com Another online search tool for getting exploit of vulnerable software.  

Static Code analysis 

Vulnerabilities like Injection attack such as SQL Injection,XSS, LDAP injection can happen due to code error in website, Static code analysis is important for checking code error that can help us to find most of the vulnerability in websites for example we should first focus on OWASP top 10 vulnerabilities. OWASP releases list of top 10 vulnerabilities every year which tell what are the most critical vulnerabilities which causing most website attacks.

Recommend tools: 

Buirp suite Burp Suite is a graphical tool for testing Web application security.You can also do code analysis of the websites ,manipulate GET-POST request to see how the website is behaving by doing so. This tool also contain  intruder functions for intercepting website request and response and later you can also change the response by using repeater function of this tool. 

awesome-burp-extensions This Repo contains some awesome burp plugins for people who want to enhance their burp experience. 

cobra A source code security auditing tool that supports detection of most of the significant security issues and vulnerabilities in a variety of development language source code.

NodeJsScan This is a is a static security code scanner for Node.js applications.