In this chapter, we will explore various methods of testing web applications using freely available tools such as your web browser, w3af, WebScarab, and others. We will also discuss methods of bypassing web application firewalls and IDSs, and how to determine if your targets are being load balanced or filtered. This chapter does require significant lab preparation. If you are not following the examples, you may want to bypass these portions.
Businesses will typically use a risk-based approach when deciding on where the security dollars should be spent, and decisions made while under time and budget constraints can sometimes lead to unintentional mistakes that have a profound impact on the entire security posture of the environment. A penetration tester must be able to imitate the types of attacks that the client will be likely to face in the wild and provide accurate information about how the vulnerabilities that are found can be mitigated. At times, web applications will even allow an attacker to easily bypass all of the security controls in place. Not only will the business be at risk of losing critical information, but all funds spent on securing the other aspects of the architecture will have been completely wasted.
As with the other chapters, we begin by quickly reviewing the basics of our chosen tools and then move on to some of the more interesting techniques.
In this chapter, the following topics will be covered:
Penetration testing requires the use of skills that take time and practice to perfect. To encourage the absorption of the material within this chapter, we will be adding a load balanced instance of an intentionally vulnerable Linux distribution to our lab. We will also use our Ubuntu virtual machine to host Mutillidae (provided to the community at http://www.irongeek.com/), which is a web-based application with intentional security flaws that we will then exploit.
If you have worked your way through the chapters of this book, you will already be familiar with Kioptrix Level 1. We now move on to a more advanced Kioptrix distribution that has been made available to the community by Steven McElrea (aka loneferret) and Richard Dinelle (aka haken29a) of the www.kioptrix.com team.
In order to follow along with the examples in this chapter, the virtual lab will need to be configured as follows:
(Lab configuration table: the virtual machines are all attached to the VMnet9 network; one of them will provide our load balancing.)
After the configuration has been completed, an example of this is shown in the following image:
We will be using a virtual load balancer to ensure that we are accurately emulating the types of technologies that are most likely to be found in secured environments. To this end, we will need to create another instance of the Kioptrix VM. You could easily follow the steps previously outlined to accomplish this task, or you could take advantage of the cloning feature included with VMware Workstation.
To clone the machine, perform the following steps:
Mutillidae is a collection of scripts created by Adrian "Irongeek" Crenshaw and Jeremy Druin that are intentionally vulnerable to the OWASP top 10. Detailed information about the release can be found at http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasptop-10.
We will be using these scripts to practice some of the techniques that you should become familiar with in order to take on the challenge of performing penetration testing on a secured environment.
As we have previously mentioned, web applications make a very fine target and are often found to be unsecured, due to an assortment of reasons, including unplanned software updates, a general lack of good coding practices, and so on. Let's perform the steps to install Mutillidae on our Ubuntu virtual machine:
1. Configure Ubuntu_TestMachine_1 to use two network adapters, one for NAT and one for the internal network VMnet9. This process should be familiar by now, so we will forego reviewing the steps required to perform this task.
2. Boot Ubuntu_TestMachine_1 and verify the connectivity to the Internet. This would be the perfect time to grab any software updates that are needed as well.
3. Install git and clone Mutillidae into the web root:
# apt-get install git
# cd /var/www/html
# git clone git://git.code.sf.net/p/mutillidae/git mutillidae
4. Open the database handler class for editing:
# sudo nano mutillidae/classes/MySQLHandler.php
When the file opens, enter the MySQL password that you configured on the Ubuntu machine in the $mMySQLDatabasePassword= "1easyPassword" variable.
Do you remember the MySQL root password you used in Chapter 2, Preparing a Test Environment? If not, then you can probably identify with the reason that so many passwords are reused by administrators out in the real world! Proper password management is critical in large environments with many machines. There are tools available that can be used to provide one-time-use passwords, as well as other mechanisms that improve authentication methodologies.
5. Verify the installation by browsing to http://localhost/mutillidae.
That's it! Now we need to shut down the machine and change the NAT connection to disconnected so that it is not accessible via the Internet. These pages should NOT be made available to malicious users on the Internet. Enter the following command:
# sudo poweroff
Once the machine is off, click on Edit virtual machine settings | Network Adapter and remove the checkmark in Connect at power on.
Once this has been done, power the machine back on and log in.
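The two hand-edited steps above, setting the password in classes/MySQLHandler.php and confirming the NAT adapter is really gone before the vulnerable pages are used, as a small POSIX shell helper. This is an added example, not code from the book or from the Mutillidae project; the function names are mine, and the MySQLHandler.php snippet it operates on is a constructed stand-in for the real file.

```shell
#!/bin/sh
# Hypothetical helper, not from the book or the Mutillidae project. It makes two of
# the hand-edited steps above repeatable: setting the database password in
# classes/MySQLHandler.php, and checking that the VM no longer has a default
# route (i.e. the NAT adapter is disconnected) before the vulnerable pages go live.

# set_db_password FILE PASSWORD
# Rewrites only the quoted value of $mMySQLDatabasePassword, keeping the rest of
# the line (e.g. "static public") intact. Returns 1 if the variable is missing,
# 2 if PASSWORD contains characters that would break the sed expression or PHP.
set_db_password() {
    file="$1"; pass="$2"
    grep -q '\$mMySQLDatabasePassword' "$file" || return 1
    case "$pass" in *'|'*|*'&'*|*'\'*|*'"'*) return 2 ;; esac
    tmp="$file.tmp"
    sed "s|\\\$mMySQLDatabasePassword *= *\"[^\"]*\"|\$mMySQLDatabasePassword = \"$pass\"|" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_db_password FILE
# Prints the currently configured password (empty if unset).
get_db_password() {
    sed -n 's/.*\$mMySQLDatabasePassword *= *"\([^"]*\)".*/\1/p' "$1"
}

# is_isolated ROUTES
# ROUTES is the text output of `ip route`, passed in so it can be checked offline.
# Succeeds only when no default route exists, i.e. the box cannot reach the
# Internet and nothing on the Internet can be NATed through to it.
is_isolated() {
    ! printf '%s\n' "$1" | grep -q '^default '
}

# Demo on a constructed stand-in for classes/MySQLHandler.php (not the real file).
demo_file=$(mktemp)
printf '<?php\nclass MySQLHandler {\n\tstatic public $mMySQLDatabasePassword = "";\n}\n' > "$demo_file"
set_db_password "$demo_file" '1easyPassword' && echo "password set to: $(get_db_password "$demo_file")"
is_isolated "$(ip route 2>/dev/null)" && echo "no default route: lab is isolated" \
    || echo "default route present: disconnect the NAT adapter before testing"
rm -f "$demo_file"
```

Run it on the Ubuntu VM after cloning Mutillidae; a password taken from an environment variable keeps it out of your shell history and out of the nano session.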