Web Penetration Testing

Web Application Information Gathering

Retrieve HTTP response header

curl -I --insecure example.com
echo -e 'HEAD / HTTP/1.0\r\n\r\n' | nc example.com 80

Malformed requests test

GET / HTTP/3.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html
Accept-Language: en-US,en;q=0.5
Content-Length: 0
Connection: close

GET / JUNK/1.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html
Accept-Language: en-US,en;q=0.5
Content-Length: 0
Connection: close

FTW / HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html
Accept-Language: en-US,en;q=0.5
DNT: 1
Content-Length: 0
Connection: close

Search in netcraft

http://toolbar.netcraft.com/site_report?url=example.com

Retrieve robots.txt file

e.g. https://example.com/robots.txt

wget "http://example.com/robots.txt"
wget "https://example.com/robots.txt" --no-check-certificate

Enumerate Applications on Webserver

nmap -sS -vv -p80,443,8080 -O -T4 -Pn --reason --open example.com

Webpage comments and metadata

  • Check HTML source code for comments containing sensitive information that can help the attacker gain more insight about the application.
  • Check meta tags containing information.

Web Application Framework

Common locations to look in order to identify the framework in use:

  • HTTP headers
  • Cookies
  • HTML source code (comments)
  • HTML source code (meta tags)
  • Specific files and folders
  • File Extensions
  • Error Messages
  • robots.txt
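
A small parser, added here as an example (not part of the original notes), that walks the locations listed above and in the "Webpage comments and metadata" section over a single saved HTTP response: disclosing headers, session-cookie names, HTML comments, the generator meta tag and file extensions in links. The response is constructed; the header and cookie names are common framework defaults, not values taken from any real host.

```python
import re
from typing import Dict, List

# Where the framework usually leaks, matching the list above.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                      "x-generator", "x-drupal-cache"}
COOKIE_HINTS = {"phpsessid": "PHP", "jsessionid": "Java servlet container",
                "asp.net_sessionid": "ASP.NET", "csrftoken": "Django",
                "laravel_session": "Laravel", "ci_session": "CodeIgniter"}
EXT_HINTS = {".php": "PHP", ".aspx": "ASP.NET", ".jsp": "Java (JSP)",
             ".do": "Java (Struts)"}

# Constructed response used as sample input; not captured from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4">\r\n'
    "<!-- TODO: remove debug panel before release (build 2020-05-11) -->\r\n"
    '</head><body><a href="/wp-login.php?redirect=1">Login</a></body></html>'
)


def fingerprint(raw_response: str) -> Dict[str, List[str]]:
    """Return {location: [findings]} for a raw 'headers\\r\\n\\r\\nbody' response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings: Dict[str, List[str]] = {
        k: [] for k in ("headers", "cookies", "comments", "meta", "extensions")}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            if cookie in COOKIE_HINTS:
                findings["cookies"].append(f"{cookie} -> {COOKIE_HINTS[cookie]}")
        elif name in DISCLOSING_HEADERS:
            findings["headers"].append(f"{name}: {value}")
    # HTML comments often carry versions, build notes or internal paths.
    findings["comments"] = [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)]
    # <meta name="generator"> is a direct statement of the CMS or framework.
    findings["meta"] = re.findall(r'<meta\s+name="generator"\s+content="([^"]*)"', body, re.I)
    # Extensions in href/src attributes hint at the server-side language.
    for ext, framework in EXT_HINTS.items():
        if re.search(r'(?:href|src)="[^"]*' + re.escape(ext) + r'[?"]', body, re.I):
            findings["extensions"].append(f"{ext} -> {framework}")
    return findings
```

Run it against a response saved with the curl or nc one-liners above (keep the CRLF line endings); every non-empty list is a disclosure worth removing or at least knowing about on your own servers.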

Tools: