09/04/2012

The Perfect Web Pen Test

Intro

From time to time I think about what the Perfect Web Application Penetration Test would be: how can you be sure that you tested the Web Application in the best possible way? How can you be sure that you managed to guess and bypass all possible badly designed input filters? Well, the answer was right in front of me: simply send all possible character-set combinations! By sending all possible character-set combinations you do two things that are not desirable: 1st you increase the traffic load a lot and 2nd you increase significantly the amount of time the penetration test is going to take (some payloads are for sure not going to help you find any kind of vulnerability or bypass any type of filter, and filter bypassing can probably be achieved only if you do further payload obfuscation, e.g. add comment characters etc.).

Now a few of the side effects that might arise are: 1st you might cause a DoS (if you do a pentest, it should be included in the engagement rules) and 2nd you cannot hide your source IP so easily from Network Intrusion Detection Systems/Network Intrusion Prevention Systems, Host-based Intrusion Detection Systems/Host-based Intrusion Prevention Systems, Network Firewalls and Web Application Firewall devices (meaning that the devices mentioned above will probably block your traffic).

But if you do not care about being spotted, or the client does not mind having his/her web site tested for DoS (it is not so easy to cause a DoS but I have seen it happen), then you can simply write your own payload generator and forward all payloads to the target Web Site using Burp Intruder or WSFuzzer. The programming language of my choice is, of course, Python.

Other payload lists on the Internet

The funny thing is that many people use fuzzdb to get strings for penetration testing purposes, which is not bad if you have a relatively limited amount of time to perform the penetration test. But if you want to run a thorough penetration test then generating your own payload list is better.

Generating your own payloads using Python

Generating your own payloads is relatively easy when using Python. Python has a library that helps you print all element combinations of a list. The library I am referring to is the itertools module, which implements a number of iterator building blocks inspired by constructs from APL, Haskell, and SML. Each has been recast in a form suitable for Python.

So let's say for example that you want to test the target web site for error-based SQL injections, but you do not want to exploit the SQL injection, just to identify vulnerable variables (ones where a tampered value makes a database error come back and splash onto your screen). Then, as already mentioned in other posts of this blog, you need only a char-set of a few specific characters: ' , ; , ), (, -, ". Now that we have this information the only thing that remains is to write a Python program that takes as input the list of the characters shown above. It will generate a list with all combinations, remove duplicates (if there are any) from the list and then write all combinations to a text file for later use.

The following picture shows the Python program; it took me 5 minutes to write it:
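The program in the picture is not reproduced here, so the following is an added example (my reconstruction, not the author's code) of the generator described above: full-length permutations of the char-set, de-duplicated, written one per line for Burp Intruder. It assumes the char-set is the six characters ' ; ) ( - " (the commas in the text read as separators), and it also adds the ordering step the epilogue suggests, putting payloads that start with a single quote first.

```python
import itertools

# Character set as read from the post (assumption: six characters, the
# commas in the text being separators): characters that usually make an
# unfiltered parameter raise a database error, no exploitation needed.
SQLI_CHARSET = ["'", ";", ")", "(", "-", '"']


def generate_payloads(charset, lengths=None):
    """Build every ordering of the given characters, de-duplicated.

    lengths: iterable of payload lengths to produce; defaults to the full
    charset length only (6 chars -> 6! = 720 payloads).
    itertools.permutations treats positions, not values, as distinct, so a
    charset with a repeated character yields duplicate strings; the set
    removes them, which is the "remove duplicates" step of the post.
    """
    if lengths is None:
        lengths = [len(charset)]
    seen = set()
    for r in lengths:
        for combo in itertools.permutations(charset, r):
            seen.add("".join(combo))
    return sorted(seen)


def rank_payloads(payloads, lead_char="'"):
    """Order the list so payloads starting with lead_char come first
    (the positional ordering suggested in the epilogue), then alphabetically."""
    return sorted(payloads, key=lambda p: (p[0] != lead_char, p))


def write_payloads(payloads, path):
    """Write one payload per line (the format Burp Intruder loads) and
    return the number of lines written."""
    with open(path, "w", encoding="utf-8") as fh:
        for p in payloads:
            fh.write(p + "\n")
    return len(payloads)


if __name__ == "__main__":
    payloads = rank_payloads(generate_payloads(SQLI_CHARSET))
    n = write_payloads(payloads, "sqli_payloads.txt")
    print("wrote %d payloads" % n)
```

Pass lengths=range(1, len(SQLI_CHARSET) + 1) if you also want the shorter orderings; the count grows quickly, which is the traffic/time trade-off the intro describes.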


The list when opened looks exactly like that:


Note: You should by now be able to see that you can easily convert this program to a password generator and then add some statistical analysis so that the most desired strings appear more often.

A simple way to improve your results in identifying SQL injections would be to use a Python list with more characters, such as this one:


Note: If you do a wc -l in a Unix-like command shell you will see that you get 5041 different payloads!

If you want to convert your little Python program into a password generator you can add this Python list:


Note: Again, if you do a wc -l in a Unix-like command shell you will see that you get 40320 different passwords containing all combinations using the char-set a,b,c,d,e,a,!,@.

Using the generated list with Burp Intruder

Now that we have generated the list we have to feed it into a tool in order to use it, so we run Burp, go to Intruder and load the list into Burp Intruder:


Then we add a custom payload:


And we point our payload to the target Web Site:


Note: If you look carefully at the above image you will see that I am using the sniper mode for the test (the best choice when trying to identify initial SQL injection vulnerabilities).

Analyzing the data

After performing the Web Application fuzzing, Burp Intruder gives you the possibility to analyze the returned data and process it using Burp Intruder's flexible Grep functionality, meaning:
  1. Grep Match
  2. Grep Extract
  3. Grep Payloads
The following screens show how you can actually analyze the returned data from the fuzz just done:


Note: This is the Grep Match feature.


Note: This is the Grep Extract feature.


Note: This is the payload extract.


The following picture shows how you save your data:


Note: By clicking Save you get a whole new menu to analyze your data.

The following picture shows the formats you can use to save the data:


Note: Very simple GUI and easily manageable.

Epilogue

This post has shown you that you do not need to use string lists such as fuzzdb to test a web application; you can very easily use your own. If you want to test for XSS or XML injections you obviously have to change the char-set. It would be a very good idea to add some statistical analysis and filter your list in such a way that the more interesting characters in certain positions appear at the top of the list, meaning that it would be a good idea, for example, to have the single quote at the beginning of the string and not at the end.

References:
  1. http://docs.python.org/library/itertools.html