Simple Web Penetration Testing

Bramanta Nararya
Published in Kami PeoPLe
May 11, 2020

Penetration testing, as defined by Wikipedia:

Penetration Testing is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.

A penetration test (PenTest) works through each stage of the PenTest life cycle (stages as illustrated by imperva.com):

  1. Planning and Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Analysis and WAF Configuration

To get the whole picture quickly, here are the OWASP Top 10 web application security risks (the 2017 edition, current when this was written):

○ Injection: SQL injection, code injection, etc.
○ Broken Authentication: weak passwords, weak session handling, etc.
○ Sensitive Data Exposure: weak data protection
○ XML External Entities (XXE): poor XML handling
○ Broken Access Control: improper authorization checks
○ Security Misconfiguration: default configuration, verbose error messages, etc.
○ Cross-Site Scripting (XSS)
○ Insecure Deserialization
○ Using Components with Known Vulnerabilities
○ Insufficient Logging & Monitoring
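The first item on the list is the easiest to see in code. The following is an added example (not from the original post or the author's project): a login check built by string formatting, beside the parameterized version, run against a constructed in-memory SQLite table. The table, the user `alice` and the payloads are all assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL text from user input, so quotes in the input become SQL syntax.
    A password of  ' OR '1'='1  turns the WHERE clause into
    username = 'alice' AND password = '' OR '1'='1'  which is always true, and a
    username of  alice'--  comments out the password check entirely."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the SQL text is fixed and the driver passes the values
    separately, so the same payloads are compared literally and simply do not match."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "s3cret"), ("alice", "' OR '1'='1"), ("alice'--", "wrong")]:
        print(repr(user), repr(pw),
              "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```

Both functions accept the real credentials; only the vulnerable one accepts the two injection payloads. This is the kind of check a scanner's active SQL injection rule automates by sending such payloads and watching for a change in the response.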

To exploit these risks, you can follow the methodology laid out in The Web Application Hacker's Handbook. It gives you a picture of how to penetrate your web app:

Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd ed., Wiley, 2011.

Doing PenTest

Here I'll show you one example of the scanning phase of the PenTest life cycle.

Tools used: OWASP ZAP (https://www.zaproxy.org/)

When you open the app, you'll see the Quick Start screen with an Automated Scan option.

In this example I'll use my school project from the Proyek Perangkat Lunak (Software Project) course, http://hqo-frontend.netlify.app/. Enter the URL in the "URL to attack" field and click Attack.

When ZAP finishes, it reports several findings like this:

There were 7 alerts (possible issues), covering cross-domain misconfiguration, missing XSS protection headers, and so on.
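Most alerts from an automated scan of a static frontend like this come from ZAP's passive rules, which only read the response headers. The following is an added example, not code from the original post or from ZAP: a small passive check over two constructed HTTP responses, one with the defaults a freshly deployed app often ships with and one hardened. The alert names are modelled loosely on ZAP's passive rules and cover only a subset of them, and the header values, cookie and `https://frontend.example` origin are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample responses (not captured from the site in the article).
# WEAK_RESPONSE: default server banner, wildcard CORS, cookie without flags,
# and none of the hardening headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# HARDENED_RESPONSE: same page, missing headers added, version stripped from the
# banner, and CORS narrowed to one assumed frontend origin (placeholder name).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Access-Control-Allow-Origin: https://frontend.example\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a case-insensitive header map.
    Repeated headers (e.g. several Set-Cookie lines) are kept as a list."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def passive_scan(headers: Dict[str, List[str]]) -> List[str]:
    """Return alert names for missing or weak response headers."""
    alerts: List[str] = []
    csp = " ".join(headers.get("content-security-policy", []))
    # Framing: either X-Frame-Options or a CSP frame-ancestors directive is enough.
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        alerts.append("X-Frame-Options Header Not Set")
    if not csp:
        alerts.append("Content Security Policy (CSP) Header Not Set")
    if "nosniff" not in [v.lower() for v in headers.get("x-content-type-options", [])]:
        alerts.append("X-Content-Type-Options Header Missing")
    if "strict-transport-security" not in headers:
        alerts.append("Strict-Transport-Security Header Not Set")
    # A wildcard origin lets any site read the response cross-origin.
    if "*" in headers.get("access-control-allow-origin", []):
        alerts.append("Cross-Domain Misconfiguration")
    # A digit in the Server banner almost always means a version number.
    if any(re.search(r"\d", v) for v in headers.get("server", [])):
        alerts.append("Server Leaks Version Information")
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            alerts.append("Cookie Without Secure Flag")
        if "httponly" not in attrs:
            alerts.append("Cookie Without HttpOnly Flag")
    return alerts


def scan_response(raw: str) -> List[str]:
    return passive_scan(parse_headers(raw))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, scan_response(raw))
```

The weak response trips eight alerts, the hardened one none. When you fix the findings, re-run the scan rather than trusting the change: ZAP's baseline script in its Docker image (`zap-baseline.py -t <url>`) runs exactly this passive pass unattended and is convenient for re-checking after each deploy.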

If you look at the Spider tab (a web crawler, sometimes called a spider or spiderbot and often shortened to crawler, is an Internet bot that systematically browses the World Wide Web, typically for the purpose of Web indexing. — Wikipedia), the URLs it discovered can reveal the backend server that the frontend talks to.
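To see why a spider exposes the backend, here is an added example (not from the original post, and not how ZAP's spider is implemented): a minimal crawler that follows same-origin links, reads form actions and script sources, and records every host outside the starting origin. It runs offline against a constructed four-page site; `frontend.example`, `api.backend.example` and the page contents are placeholders, not the article's real frontend or backend.

```python
import re
from collections import deque
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed site standing in for HTTP fetches (placeholder hosts, not the real app).
FAKE_SITE: Dict[str, str] = {
    "https://frontend.example/": """
        <html><head><script src="/static/app.js"></script></head>
        <body><a href="/login">Login</a>
        <a href="https://frontend.example/about">About</a>
        <a href="https://twitter.com/example">tw</a></body></html>""",
    "https://frontend.example/login": """
        <html><body><form action="https://api.backend.example/auth/login" method="post">
        <input name="user"><input name="pass" type="password"></form></body></html>""",
    "https://frontend.example/about": "<html><body>About</body></html>",
    "https://frontend.example/static/app.js":
        "fetch('https://api.backend.example/v1/orders').then(r => r.json());",
}

# Absolute URLs quoted inside JavaScript, where single-page apps keep their API base.
URL_IN_SCRIPT = re.compile(r"""["'](https?://[^"'\s]+)["']""")


class LinkExtractor(HTMLParser):
    """Collects href, src and action attribute values from an HTML document."""
    ATTRS = {"href", "src", "action"}

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value:
                self.links.append(value)


def extract_links(url: str, body: str) -> List[str]:
    if url.endswith(".js"):
        return URL_IN_SCRIPT.findall(body)
    parser = LinkExtractor()
    parser.feed(body)
    return parser.links + URL_IN_SCRIPT.findall(body)   # inline scripts too


def spider(start: str, fetch: Callable[[str], Optional[str]],
           max_pages: int = 50) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Breadth-first crawl of the start origin. Returns the URLs fetched and a map of
    every foreign host to the URLs that pointed at it."""
    origin = urlsplit(start).netloc
    seen: Set[str] = set()
    external: Dict[str, Set[str]] = {}
    queue = deque([start])
    while queue and len(seen) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        for link in extract_links(url, body):
            absolute = urljoin(url, link)
            host = urlsplit(absolute).netloc
            if host == origin:
                queue.append(absolute)          # stay in scope; de-duplicated on pop
            else:
                external.setdefault(host, set()).add(absolute)
    return seen, external


if __name__ == "__main__":
    crawled, hosts = spider("https://frontend.example/", FAKE_SITE.get)
    print("crawled:", sorted(crawled))
    for host, urls in hosts.items():
        print(host, "<-", sorted(urls))
```

The backend host never appears in a page the user navigates to; it surfaces from a form action and from a `fetch()` call in the bundled script. That is the same information a scanner's spider hands to its active scan, which is why the API behind a static frontend needs the same hardening as the frontend itself.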

There are many ways to run a scan, and you can use any of the tools available online. After scanning, you can move on to exploiting your web app and gaining access to it.

I hope this article is useful. Thank you.
