Web Application Penetration Testing With WFuzz (Wfuzz İle Web Uygulama Güvenliği Testleri)

Tuesday, 28 November 2017

What Is WFuzz?


WFuzz is a powerful general-purpose web security testing tool. With it we can run security tests against web applications, test our pages for XSS and SQL injection using the wordlists that ship with the tool, and brute-force pages and directories. In addition, it can apply encoders to the payloads it sends.


How To Install Wfuzz?


We download the wfuzz-2.1.3.tar.gz file from the Downloads section of https://github.com/xmendez/wfuzz/releases/tag/v2.1.3 and open a console. We go to the Downloads folder, extract the archive and change into the extracted directory:

1) $ cd Downloads
2) $ tar -xvf wfuzz-2.1.3.tar.gz
3) $ cd wfuzz-2.1.3

Wfuzz Parameters

-c = Colour the output according to the HTTP status code of each response.
-z = Specify the payload source for the fuzzing run, e.g. -z file,<wordlist> to take the values from a wordlist.
-hc xxx = Hide responses with status code xxx from the output.

Some sites produce a very long scan in which the number of 404 (Page Not Found) responses is very high, so hiding them with -hc 404 usually makes sense.

-d: send the given data in the body of a POST request.

FUZZ: the placeholder that marks where each payload is inserted.

The most commonly used HTTP Status Codes are as follows;

     • 100 = Continue
     • 200 = OK (Successful)
     • 201 = Created
     • 202 = Accepted
     • 204 = No Content
     • 301 = Permanently Redirected or Moved
     • 302 = Temporarily Redirected or Moved
     • 400 = Bad Request
     • 401 = Authorization Required
     • 403 = Forbidden
     • 404 = Not Found
     • 500 = Internal Server Error


    Wfuzz is more than a web content scanner:

 • Wfuzz can help you secure your web applications by finding and exploiting web application vulnerabilities. Wfuzz's web application vulnerability scanner is supported by plugins.

 • Wfuzz is a completely modular framework and makes it easy for even the newest Python developers to contribute. Building plugins is simple and takes little more than a few minutes.

 • Wfuzz exposes a simple language interface to the previous HTTP requests/responses performed with Wfuzz or with other tools such as Burp. This allows you to perform manual and semi-automatic tests with full context and understanding of your actions, without relying on the underlying implementation of a web application scanner.

OK, that is enough theory. Let's move on to practice :)

• First, let's scan for the admin panels of a content management system:
   


       wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/admin-panels.txt --hc 404 http://harranbilisim.com/FUZZ
 


       This is the first time we use this command, so let's go through it. With the -c parameter we ask for coloured output so that the status codes are easy to recognise. With -z file we select the wordlist. With --hc 404 we hide the 404 responses, which came back for a large part of the 137 keywords scanned. Then we gave the target as http://www.agamakala.com/FUZZ.

       The keyword "FUZZ", written in capital letters, marks the position where each entry of the wordlist is tried in turn.




   The responses that returned 200 are the admin user login pages.

   OK, we found the panel with the necessary parameters.
   Now let's scan for SQL injection vulnerabilities:

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/SQL.txt --hc 404 www.blablablabla.com/index.php?id=51/FUZZ


   Many successful responses came back.

XSS Scanning

wfuzz -c -z file,XSS.txt --hc 404 http://blablablabla.bla/inc/takvim/index.php?month=3&year=2017/FUZZ

   Many successful responses came back; now let's verify them manually.


Finding Sensitive Files

We use WFuzz with the apache.txt file located under the /usr/share/wfuzz/wordlist/vulns directory, which contains entries such as:

.htaccess
.htpasswd
.meta
.webm
access_log
cgi
cgi-bin
cgi-pub
cgi-script

Let's test for sensitive files like these:

wfuzz -c -z file,apache.txt --hc 404 http://blablabla.bla/FUZZ



   We can download the logs and the .htaccess file and view their contents.

   Next we try to read the server-side /etc/passwd with the dirTraversal-nix.txt file located in the same directory.

We did not get any successful results.
We then look for Windows server-side sensitive files with dirTraversal-win.txt from the same directory.

We can also run stress tests with /usr/share/wfuzz/wordlist/stress/test_ext
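The 404 noise that --hc 404 hides from the tester, and the requests for the admin-panel and apache.txt wordlist entries above, are exactly what the web server's access log records on the defending side. As an added example (not part of the original post or of Wfuzz itself), the Python below parses constructed Apache combined-log lines and flags clients that pile up 404s or request those sensitive paths; the IP addresses, paths and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Apache combined log format; the sample below is constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Paths the apache.txt and admin-panels.txt wordlists on this page probe for;
# ordinary users almost never request them, so a hit matters whatever the status.
SENSITIVE = {"/.htaccess", "/.htpasswd", "/access_log", "/cgi-bin", "/admin"}

SAMPLE_LOG = """\
203.0.113.5 - - [28/Nov/2017:10:00:01 +0300] "GET /manager HTTP/1.1" 404 212 "-" "-"
203.0.113.5 - - [28/Nov/2017:10:00:01 +0300] "GET /cpanel HTTP/1.1" 404 212 "-" "-"
203.0.113.5 - - [28/Nov/2017:10:00:02 +0300] "GET /webadmin HTTP/1.1" 404 212 "-" "-"
203.0.113.5 - - [28/Nov/2017:10:00:02 +0300] "GET /phpmyadmin HTTP/1.1" 404 212 "-" "-"
203.0.113.5 - - [28/Nov/2017:10:00:03 +0300] "GET /.htpasswd HTTP/1.1" 403 199 "-" "-"
203.0.113.5 - - [28/Nov/2017:10:00:03 +0300] "GET /admin HTTP/1.1" 200 1532 "-" "-"
198.51.100.7 - - [28/Nov/2017:10:00:04 +0300] "GET /index.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2017:10:00:05 +0300] "GET /favicon.ico HTTP/1.1" 404 212 "-" "Mozilla/5.0"
"""


def analyze(log_text, not_found_threshold=4):
    """Return {ip: [reasons]} for clients whose requests look like a wordlist scan."""
    per_ip = defaultdict(lambda: {"404": 0, "total": 0, "sensitive": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        s = per_ip[m["ip"]]
        s["total"] += 1
        if m["status"] == "404":
            s["404"] += 1
        if m["path"].split("?", 1)[0] in SENSITIVE:
            s["sensitive"].append(f'{m["path"]} -> {m["status"]}')
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        # The 404 noise that -hc 404 hides from the tester is the defender's signal.
        if s["404"] >= not_found_threshold:
            reasons.append(f'{s["404"]}/{s["total"]} requests returned 404')
        if s["sensitive"]:
            reasons.append("probed " + ", ".join(s["sensitive"]))
        if reasons:
            findings[ip] = reasons
    return findings
```

On the constructed log only 203.0.113.5 is reported: four 404s out of six requests, plus probes of /.htpasswd (403) and /admin (200); the browser-like client with a single missing favicon is not flagged.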


Thank you for reading. You can follow me on twitter https://twitter.com/berkdusunur
