Hello friends! Today we are going to use Burp Suite Scanner, which is used for website security testing to identify certain vulnerabilities inside a website. It is the first phase of web penetration testing for every security tester.
Burp Scanner is a tool for automatically finding security vulnerabilities in web applications. It is designed to be used by security testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.
Target: www.testphp.vulnweb.com
Let's start with Burp Proxy in order to intercept requests between the browser and the website. From the screenshot you can see that we have forwarded the intercepted request for an active scan.
Note: Always configure your browser proxy while making use of Burp Suite to intercept the request.
A window alert will ask you to confirm your action for the active scan; press YES to begin the active scan on the targeted website.
Issue Activity
The issue activity tab contains a sequential record of the Scanner's activity in finding new issues and updating existing issues. Each entry in the record shows the following:
· An index number for the item, reflecting the order in which items were added.
· The time that the activity occurred.
· The action that was performed.
· The issue type.
· The host and URL path for the issue.
· The insertion point for the issue, where applicable.
· The severity and confidence of the issue.
From the screenshot you can observe that it highlighted 8 types of issues found inside the website in the scanning result, as follows:
1. Cross-site scripting (reflected)
2. Flash cross-domain policy
3. SQL injection
4. Unencrypted communications
5. Cross-domain Referer leakage
6. Email addresses disclosed
7. Frameable response (potential Clickjacking)
8. Path-relative style sheet import
Active Scan Queue
Active scanning typically involves sending large numbers of requests to the server for each base request that is scanned, and this can be a time-consuming process. When you send requests for active scanning, these are added to the active scan queue, in which they are processed in turn. For each item the queue shows:
· An index number for the item, reflecting the order in which items were added.
· The destination protocol, host and URL.
· The current status of the item, including percentage complete.
· The number of requests made while scanning the item.
· The number of network errors encountered.
· The start and end times of the item's scanning.
One by one we are going to demonstrate these vulnerabilities in detail using the request and response. For each issue the Scanner gives a brief description of the vulnerability and an idea of how it could be exploited.
Issue: Cross-site scripting (reflected)
Severity: High
Confidence: Certain
Host: http://testphp.vulnweb.com
Path: /listproducts.php
The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload was submitted in the cat parameter. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
In the response we can see that the injected payload gets submitted to the database. It will generate an alert prompt on screen when it is executed on the website.
Let's verify it manually on the running website.
Execute the following script inside the URL with the cat parameter. As a result you will receive a prompt showing 1 in an alert window.
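To make the reported defect concrete from the defender's side, here is an added example (not code from the original post or from the vulnweb target) that models a listproducts.php-style page in Python. It reflects the cat parameter into the response the way Burp described, shows the same page with HTML encoding applied, and runs the scanner-style check for a verbatim reflection. The endpoint name and host are taken from the issue above; the page body and the render functions are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed request URL: the listproducts.php?cat= endpoint the scan
# reported, carrying a harmless probe string of the kind a scanner submits.
PROBE = "<script>alert(1)</script>"
REQUEST_URL = "http://testphp.vulnweb.com/listproducts.php?cat=" + quote(PROBE)


def cat_param(url: str) -> str:
    """Return the decoded 'cat' query parameter as the server would see it."""
    return parse_qs(urlsplit(url).query).get("cat", [""])[0]


def render_vulnerable(cat: str) -> str:
    """Reflects the parameter into the HTML body unencoded: the defect Burp
    reported ('copied into the HTML document as plain text between tags')."""
    return "<h2>Category: " + cat + "</h2>"


def render_hardened(cat: str) -> str:
    """Same page, but the parameter is HTML-encoded before it reaches the
    response, so the browser displays the text instead of executing it."""
    return "<h2>Category: " + html.escape(cat, quote=True) + "</h2>"


def reflects_raw_probe(response_body: str, probe: str) -> bool:
    """Scanner-style check: is the probe present in the response verbatim?
    A verbatim reflection is the evidence behind a 'Certain' confidence."""
    return probe in response_body


if __name__ == "__main__":
    cat = cat_param(REQUEST_URL)
    for name, page in (("vulnerable", render_vulnerable(cat)),
                       ("hardened", render_hardened(cat))):
        print(f"{name}: reflected verbatim = {reflects_raw_probe(page, PROBE)}")
```

The fix is output encoding at the point where untrusted data meets HTML; the hardened page still shows the user what they typed, but the encoded form can no longer close the tag and start a script.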
Similarly, test for the other vulnerabilities.
Issue: SQL injection
Severity: High
Confidence: Firm
Host: http://testphp.vulnweb.com
Path: /listproducts.php
The cat parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cat parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Under the Response tab you can read the highlighted text, which clearly points towards a SQL injection vulnerability in the database query.
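The single-quote probe and the error message it provokes are the whole signal behind this finding, so here is an added example (not the original post's code, and not the target site's PHP) that reproduces it in Python. SQLite stands in for the MySQL back end the scan fingerprinted; the products table, the query and the function names are assumptions. The vulnerable handler concatenates the parameter into the SQL text, the hardened one validates it as an integer id and binds it, and a helper runs the scanner's quote probe against each.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory products table (SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, cat INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Laptop", 1), (2, "Mouse", 1), (3, "Desk", 2)])
    return conn


def list_products_vulnerable(conn: sqlite3.Connection, cat: str) -> list:
    """Builds the query by string concatenation, so a quote in 'cat' becomes
    part of the SQL text: the flaw behind the reported issue."""
    sql = "SELECT name FROM products WHERE cat = " + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_products_hardened(conn: sqlite3.Connection, cat: str) -> list:
    """Allow-lists the parameter as an integer id and binds it as a query
    parameter, so user input can never change the query structure."""
    if not cat.isdigit():
        return []  # reject rather than interpolate; a 400 response in a real app
    sql = "SELECT name FROM products WHERE cat = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(cat),))]


def error_on_quote_probe(handler, conn: sqlite3.Connection):
    """Reproduce the scanner's test: submit a lone quote and report whether a
    database error surfaces. Returns the error text (the kind of message Burp
    highlighted in the response) or None when the probe is handled safely."""
    try:
        handler(conn, "'")
    except sqlite3.Error as exc:
        return f"{type(exc).__name__}: {exc}"
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", error_on_quote_probe(list_products_vulnerable, db))
    print("hardened:  ", error_on_quote_probe(list_products_hardened, db))
```

Note the two layers in the hardened version: parameter binding is what removes the injection, while the integer check also removes the verbose database error that gave the scanner its "Firm" evidence.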
Issue: Flash cross-domain policy
Severity: High
Confidence: Certain
Host: http://testphp.vulnweb.com
Path: /crossdomain.xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
As above, it has generated the request through the GET method, this time for crossdomain.xml.
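The check behind this issue is a simple one to reproduce on your own crossdomain.xml before a scanner does. The following is an added example, not code from the original post or from Burp, that parses a policy with Python's standard library and flags any allow-access-from grant wider than a single named host. Both policy documents are constructed: the permissive one mirrors the wildcard grant the scan reported, the restricted one uses the RFC 2606 placeholder www.example.com.

```python
import xml.etree.ElementTree as ET

# Constructed policies. PERMISSIVE_POLICY mirrors what the scan reported for
# /crossdomain.xml; RESTRICTED_POLICY is the shape a fixed policy takes.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" />
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text: str) -> list:
    """Return a list of findings for over-broad allow-access-from grants.
    An empty list means every grant names a single host."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    findings = []
    for grant in root.iter("allow-access-from"):
        domain = grant.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any domain may perform '
                            'two-way interaction with this site')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain '
                            'is trusted, including any that host user content')
    return findings


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY),
                          ("restricted", RESTRICTED_POLICY)):
        print(label, audit_crossdomain_policy(policy) or ["no findings"])
```

As the issue text says, a wildcard is only acceptable when the site serves nothing but unprotected public content; otherwise the fix is to list the specific origins that genuinely need cross-domain access, or to remove the file entirely if no Flash client depends on it.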
In this way we can see how the Burp Suite Scanner tests for security loopholes in a website.