So far in the book, we have not specifically set a topic point on tools. We have, for the most part, remained process-centric and discussed some tools within each chapter. For web application testing, this is a different matter. As you have seen throughout this chapter, there are many varieties of input and ways to interact with web applications, and this is the challenge with this form of testing. Therefore, it is usually best handled with tools to get the bulk data and then manually go and investigate areas of interest for the bulk data. There are a large number of tools out there, and we will not go through them here. We will, however, look at one of them before we move on. Within the Kali distro we have a number of web scanning tools.
An example of this is shown in the following screenshot:
The first one we will review here is the tool vega. You can access it by opening a terminal window and entering vega. Once the program opens, you will see the main dashboard; this is shown in the following screenshot:
Once the tool opens, enter the IP address of the target and then click on Scan | Start New Scan. An example of the results of the scan for the OWASP BWA machine is shown in the following screenshot:
One of the challenges with web application testing is directing the scanning tool into potential areas of weakness. We could scan and try to find the weak locations as we have done previously, but a better option is to use another approach to find the weaknesses and then direct the tool at that location. This is not only more effective, but much quieter as well. A simple tool for doing this is the nikto tool, so let us use this to scan and discover an area to potentially attack. We used the tool previously to generate alerts in the WAF, so now we will use the tool to see its capability to assist in locating weaknesses.
Our target for this will be the OWASP Broken Web Application virtual machine. In Kali Linux, open a terminal window and enter the command nikto -h <IP address of the target> -o BWA.html.
The -o option will output the results of the scan to a file for us in HTML format, so we can view it in the browser. Once the scan completes, in the terminal window, enter firefox BWA.html.
Once the file opens, take a few minutes and look for items that we might want to explore further with our tool. There are many areas with this virtual machine that can be exploited, so we have a number of things we could choose from. For now, we just want to explore this a little further and provide the seed for you to research more on your own. Have you found anything of interest in the results? An example of something that might be of interest is shown in the following screenshot:
This finding is of particular interest, because according to the nikto report we can execute arbitrary PHP code with this. We will now use the techniques and the processes that we have explored throughout the book, and see if we can find a matching exploit for this. We will use the Metasploit tool for our search. Open a terminal window and enter service postgresql start. Once the service has started, enter msfconsole. Once the Metasploit tool launches, we want to search for the tikiwiki application to see if we might find an exploit. Enter search tikiwiki.
An example of the result of this search is shown in the following screenshot:
As the previous screenshot shows, we have been successful, and we have a remote code execution exploit with an excellent rank, so chances are very good that we will be able to exploit this vulnerability as long as we have that permission from our scope of work. Once you enter the exploit and set the RHOST with the target IP address, all that remains is to enter exploit. An example of this is shown in the following screenshot:
As the previous screenshot shows, we have been successful, and we now have a shell on that machine.
You now have the process, and it does not change; you just have to continue to practice it. The last thing we will do here is show the web scanning capability from within Metasploit. In the msfconsole, enter load wmap. This will load the wmap plugin, as shown in the following screenshot:
Now that we have the plugin loaded we just point it at the website we want to add to the database and enter wmap_site -a <target URL>. Once the scan has completed, you can access the results by entering vulns.