Inspiring the Next Generation with INE and the eJPT, Web Application Pentesting - Part 6 of 8

Happy weekend everyone, and I’m back to provide some updates about the ongoing Hacker Bootcamp I am hosting for 10 Penn State Students!

Last week we discussed regulatory compliance and nmap as part of our course materials, to give the students some perspective on which regulations govern cybersecurity activities across enterprises and the government sector. Check that post out here: Inspiring the Next Generation with INE and the eJPT, Regulatory Compliance and Nmap - Part 5 of 8

This week we have entered the Web Application attacks module! Time to get our hands dirty with some basic exploitation such as XSS, SQLi and other attacks, and, very importantly, Burp Suite.

If you are not familiar with Burp Suite, it is a web proxy that comes with a lot of built-in attack vectors and useful tools. Burp Suite can intercept requests sent to a web server, which is very useful for bypassing some forms of input validation (such as file upload checks) that would otherwise block attacks such as a shell upload, XSS or SQL Injection. Burp Suite also provides the Repeater (to resend and tweak individual requests) and the Intruder (to send a request repeatedly, altering it according to a payload list). These two tools also come in handy when testing APIs for rate limiting.
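The defensive flip side of the file-upload bypass mentioned above: anything checked only in the browser (JavaScript, the declared Content-Type, the filename) can be edited in the proxy before it reaches the server, so the server has to re-derive every property itself. The following server-side validator is an added example, not code from the post or from INE; the allow-list (PNG/JPEG only, 2 MiB cap), the `Verdict` type and the `validate_upload` function are my own assumptions.

```python
import os
import uuid
from dataclasses import dataclass

# Hypothetical upload policy: only PNG and JPEG images up to 2 MiB.
# The magic bytes are checked on the actual file content, never on the
# Content-Type header the client sent (that header is attacker-controlled).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
MAX_BYTES = 2 * 1024 * 1024


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""   # server-generated name; client name is never reused


def validate_upload(filename: str, declared_type: str, data: bytes) -> Verdict:
    """Decide whether an upload is stored. declared_type is deliberately
    ignored for the decision (it could only be logged for later review)."""
    name = os.path.basename(filename)            # drop any path components
    if not name or name.startswith("."):
        return Verdict(False, "empty or hidden filename")
    parts = name.lower().split(".")
    if len(parts) != 2:
        # no extension, or a double extension such as 'shell.php.png':
        # rejected outright rather than guessing which part is meaningful
        return Verdict(False, f"rejected filename: {name}")
    ext = parts[1]
    if ext not in ALLOWED:
        return Verdict(False, f"extension not allowed: .{ext}")
    if len(data) > MAX_BYTES:
        return Verdict(False, "file too large")
    if not data.startswith(ALLOWED[ext]):
        # e.g. PHP source renamed to .png in the proxy fails here
        return Verdict(False, f"content does not match .{ext} magic bytes")
    stored = f"{uuid.uuid4().hex}.{ext}"         # never trust the client name on disk
    return Verdict(True, "ok", stored)


if __name__ == "__main__":
    # Constructed sample: a valid PNG header and a renamed PHP file
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("cat.png", "image/png", png))
    print(validate_upload("shell.png", "image/png", b"<?php echo 1; ?>"))
```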

A lesser-known area of Burp Suite is its amazing catalog of extenders.

Especially if you are in an enterprise environment, or you are hunting for specific bug bounties, the Burp Suite extender store is a great resource. Some of the extenders I recommend using on a regular basis are the following:

  • JSON Web Token (JWT4B) - used for decoding and checking the security of JSON Web Tokens, a very popular authentication method that many APIs and web applications use these days!
  • Param Miner - used to find hidden parameters in requests that may be vulnerable to XSS, SQLi, etc.
  • Bypass WAF - used to modify specific aspects of requests (such as the originating IP headers) to help in bypassing some web application firewalls.
  • CO2 - this extender has a lot of functionality, but one of my favorite functions is SQLMapper. It can take a request you send to it and automatically build the sqlmap command to exploit whatever parameter you are targeting; it takes the work out of typing sqlmap commands by hand.

I hope you found that list of Burp Extenders interesting, and please let me know if you have a favorite extender!

As always, here are the assignments I gave my students for the week; I hope you can follow along!

Read/Watch the Following Sections from “Penetration Testing Prerequisites”:

  • Web Applications
    • Here we will learn about the basics of HTTP, Cookies, and how to use Burp Suite

Do the Following Labs from “Penetration Testing Prerequisites”:

  • Burp Suite Basics
  • Burp Suite

Read/Watch the Following Sections from “Penetration Testing Basics”:

  • Web Attacks
    • Here we will learn some basic web attacks like directory busting, SQL Injection, and XSS (Cross-Site Scripting)

Do the Following Labs from “Penetration Testing Basics”:

  • Dirbuster
  • Cross-Site Scripting
  • SQL Injection

Week 5 Homework:

  1. Please describe the mitigation strategy to prevent attacks such as SQL Injection and XSS (Cross-Site Scripting).

  2. What is the password for the admin@awdmgmt.labs account in the “SQL Injection” Lab?

  3. Do some research on the “OWASP Top Ten”: what is the #1 web application attack vector? Which attacks from the labs/material fall into this category?