Sunday, December 30, 2012

Setting up your Web application security testing environment



Hi,

Today I am going to list some free tools that are very helpful for web application security testing. The great thing about them is that they are all platform agnostic: they run on your system no matter which operating system you use, and they work against your web application no matter which web technologies it is built with. So let's get your environment set up.

Installing Firefox
The Firefox web browser, with its extensible add-on architecture, is the best browser for security testing. Even if your application isn't specifically written for Firefox compatibility, you can use Firefox to test the behind-the-scenes, security-focused aspects.
Download:  http://www.mozilla.com/en-US/firefox/

Installing Firefox Extensions
Firefox extensions provide a great deal of additional functionality. A few of them are especially helpful for web application testing:
View Source Chart
https://addons.mozilla.org/en-US/firefox/addon/655
Firebug
https://addons.mozilla.org/en-US/firefox/addon/1843
Tamper Data
https://addons.mozilla.org/en-US/firefox/addon/966
Edit Cookies
https://addons.mozilla.org/en-US/firefox/addon/4510
User Agent Switcher
https://addons.mozilla.org/en-US/firefox/addon/59
SwitchProxy
https://addons.mozilla.org/en-US/firefox/addon/125

Installing Firebug
Firebug is the Swiss army knife of web development and testing tools which lets you trace and tweak every line of HTML, JavaScript, and the Document Object Model (DOM). It'll report on behind the scenes AJAX requests, tell you the time it takes a page to load, and allow you to edit a web page in real time. The only thing it can't do is let you save your changes back to the server. Changes made in Firebug are not permanent. If you refresh the page, all changes will be lost. If you're executing a test that involves locally modifying HTML, JavaScript, or the DOM, be sure to copy and paste your changes into a separate file, or all evidence of your test will be lost.

Installing OWASP's WebScarab
WebScarab is a popular web proxy for testing web application security. Web proxies are vital for intercepting requests and responses between your browser and the server: with WebScarab in the middle, you can view (and modify) every request your browser sends and every response the application server returns.
You'll need a recent version of the Java Runtime Environment to run WebScarab on your system.
To start WebScarab via Java Web Start, go to http://dawes.za.net/rogan/webscarab/WebScarab.jnlp.
To obtain the standalone version, browse to the WebScarab project at SourceForge:
http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823.
The links just mentioned are both available from the WebScarab project page, in the download section:
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project.

Installing Perl and Packages
Perl is very useful for automating security test cases and speeding up testing.
Windows installation
Either install Perl as part of your Cygwin environment (see the Cygwin section below), or do a native Windows installation: download ActivePerl from http://www.activestate.com/store/activeperl/download/
ActivePerl comes with a Perl Package Manager utility. Launch it from your Start menu; it provides a friendly interface for browsing, downloading and installing packages.
Linux, Unix, or OS X installation
Perl is usually installed by default on non-Windows operating systems. If you need the latest version, you can find a port appropriate for your distribution at the Comprehensive Perl Archive Network (CPAN) (http://www.cpan.org/ports/).
Using CPAN for Perl packages installation
CPAN has modules and libraries for almost everything; no matter what your task, there is probably a CPAN module for it, and installing one is easy. Installing the libwww-perl library (LWP) from a Cygwin or Unix shell is as simple as typing:
perl -MCPAN -e 'install LWP'
Other helpful modules include HTTP::Request (which LWP already pulls in) and Math::Base36, installed as follows:
perl -MCPAN -e 'install HTTP::Request'
perl -MCPAN -e 'install Math::Base36'
You may also install these modules interactively from the CPAN shell:
perl -MCPAN -e shell
install Math::Base36
install LWP

Installing CAL9000
The CAL9000 tool wraps a number of security testing helpers into a single package. It is a prototypical hacker tool, containing a variety of tricks in the hope that one is enough to break through. In Firefox, navigate to http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project.
Download the latest ZIP containing CAL9000 and unzip it to a directory of your choice, then load the CAL9000.html file in Firefox to open the application. Written mostly in JavaScript, CAL9000 runs directly in Firefox, so it can run locally on any machine with a browser: no proxy set-up, no installation, and few access rights required. Despite that simplicity it offers a wide variety of tools, ranging from attack string generators to general helpful tips.

Installing the ViewState Decoder
Web applications written using ASP.NET include a hidden form field called the ViewState in every page. HTTP requests are inherently stateless, so this ViewState variable is how ASP.NET carries page state from one request to the next.
Navigate to http://www.pluralsight.com/tools.aspx and download the ViewState Decoder zip archive. Unzip it to the directory of your choice and double-click the ViewStateDecoder.exe executable.
The ViewState is notoriously complex, and most developers err on the side of putting too much information into it. Just by opening up the ViewState you can find out whether inappropriate data (such as internal records, database connection details or debug records) is being sent to the client. That is one basic security test right there. Keep in mind that the ViewState is Base64-encoded, not encrypted, unless the application explicitly turns on ViewState encryption; the ViewState MAC, where enabled, only lets the server detect tampering and does nothing to hide the contents from the client.
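A quick check you can script before reaching for the decoder, as an added example (my code, not the Pluralsight tool and not part of the original post): Base64-decode the __VIEWSTATE value, tell a readable serialized stream from an opaque encrypted one, and list the printable strings inside it, flagging the ones that look like connection details. The marker check applies to the ASP.NET 2.0+ binary format, whose streams start with the bytes FF 01 (the familiar "/wE" prefix of ViewState values is just those two bytes in Base64). Both sample values in the block are constructed for the demo; the first only mimics the marker followed by some strings and is not a faithful serialized stream.

```python
"""Added example: triage of an ASP.NET __VIEWSTATE value (not the Pluralsight
tool's code).  Samples are constructed, not captured from a real application."""
import base64
import re
from urllib.parse import unquote

LOS_MAGIC = b"\xff\x01"          # leading bytes of an unencrypted LosFormatter stream
# fragments that have no business being sent to the client
SENSITIVE = re.compile(rb"data source|server=|password|pwd=|connection ?string|uid=", re.I)


def decode_viewstate(value):
    """Base64-decode a __VIEWSTATE value copied from HTML or a URL-encoded body."""
    return base64.b64decode(unquote(value.strip()))


def classify(blob):
    """'serialized' for a readable LOS stream, 'opaque' for anything else."""
    return "serialized" if blob.startswith(LOS_MAGIC) else "opaque"


def printable_strings(blob, min_len=6):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def triage(value):
    """Decode, classify and list the readable strings, flagging sensitive ones."""
    blob = decode_viewstate(value)
    strings = printable_strings(blob)
    return {
        "format": classify(blob),
        "size": len(blob),
        "strings": strings,
        "sensitive": [s for s in strings if SENSITIVE.search(s.encode("ascii"))],
    }


# Constructed sample 1: marker plus two plausible strings (not a real LOS stream).
SAMPLE_PLAIN = base64.b64encode(
    LOS_MAGIC + b"\x05" + b"Data Source=dbsrv01;User ID=app;Password=Winter2012"
    + b"\x05" + b"ctl00$MainContent$GridView1" + b"\x00"
).decode("ascii")
# Constructed sample 2: arbitrary bytes standing in for an encrypted ViewState.
SAMPLE_OPAQUE = base64.b64encode(
    b"\x3a\x91\x7f\x02\xc4\x19\x0e\x5b\xa7\x88\x31\xde\x0c\x42\x95\x6d"
).decode("ascii")

if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("opaque", SAMPLE_OPAQUE)):
        result = triage(sample)
        print(name, result["format"], result["size"], "bytes")
        for s in result["strings"]:
            print("  ", "SENSITIVE" if s in result["sensitive"] else "         ", s)
```

An "opaque" result with no readable strings means the application encrypts its ViewState and the decoder will show you nothing useful; a "serialized" result with a hit in the sensitive list is the finding the paragraph above describes, and the full decoder will tell you which control the value belongs to.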

Installing cURL
The cURL tool is a command-line utility that supports an array of web protocols and components. It can be used as a browser-without-a-browser: it implements browser-like features (cookies, redirects, authentication, HTTPS), yet can be called from any ordinary shell, which makes it ideal for scripting individual requests or replaying a recorded one outside the browser.
Download : http://curl.haxx.se/download.html.
Tutorial :  http://curl.haxx.se/docs/httpscripting.html.
You may also download cURL as part of your Cygwin installation.

Installing Pornzilla
Pornzilla isn't an individual tool, but rather a collection of useful Firefox bookmarklets and extensions. It provides a number of convenient tools useful for web application security testing.
Pornzilla is not installed as a cohesive whole. You may find all of the components at
http://www.squarefree.com/pornzilla/.
To install a bookmarklet, simply drag the link to your bookmark toolbar or bookmark organizer.
To install an extension, follow the links and install the extension as you would any Firefox extension.
The collection of tools really does provide a number of convenient abilities, unrelated to the intended use of the collection itself.
For example:
  • RefSpoof modifies the HTTP Referer header, possibly bypassing insecure login mechanisms.
  • Digger is a directory traversal tool.
  • Spiderzilla is a website spidering tool.
  • Increment and Decrement tamper with URL parameters.

Installing Cygwin (For Windows only )
Cygwin gives you a Linux-like environment within Windows. It is useful for running all the utilities and scripts built for Linux without requiring a full Linux installation.
Download the Cygwin installer from http://www.cygwin.com/, and execute it.

Installing Nikto 2 (web vulnerability scanner)
Nikto is the most widely used of the few open source, freely available web vulnerability scanners. It comes configured to detect a variety of problems with minimal manual guidance.
Download : http://www.cirt.net/nikto2.
Documentation : http://cirt.net/nikto2-docs/index.html.
You'll need to unzip that package and run Nikto from within Cygwin or another Unix-like environment.
Nikto has one external dependency, the LibWhisker module. You may download the latest version of LibWhisker at http://sourceforge.net/projects/whisker/.
Once you've unzipped both files into the same directory, you can call Nikto via Perl from the command line, as in:
perl nikto.pl -h 192.168.0.1

Installing Burp Suite
The Burp Suite is a collection of web application security tools which includes components to intercept, repeat, analyze, or inject web application requests.
Download : http://portswigger.net/suite/download.html.
Since Burp is a Java application, it doesn't matter which operating system you use, as long as you have the Java Runtime Environment installed.
The Burp Suite combines several tools:

  • Burp proxy
    • Intercepts requests, just like any other web proxy. It is the starting point for using the rest of Burp Suite.
  • Burp spider
    • Will crawl your web application, logging each page it touches. It will use supplied credentials to log in, and it will maintain cookies between connections.
  • Burp sequencer
    • Performs analysis on the predictability of session tokens, session identifiers, or other keys that require randomness for security.
  • Burp repeater
    • Allows one to tweak and resubmit a previously recorded request.
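What the sequencer is looking for, as an added example (my code, not PortSwigger's and not part of the original post): two crude checks on a sample of session tokens, namely whether the token moves in a predictable way from one issue to the next, and how much of it actually varies. It assumes you have already collected a list of equal-length tokens, for instance the session cookie from a few dozen repeated logins; the two token sets in the block are constructed for the demo.

```python
"""Added example: predictability checks on a token sample (not Burp's code)."""
import hashlib
import math
from collections import Counter


def per_position_entropy(tokens):
    """Average Shannon entropy (bits) of the character seen at each position.

    A position that never changes contributes 0 bits; one spread evenly over the
    16 hex digits contributes 4.  With n samples the estimate cannot exceed
    log2(n) per position, so collect a few hundred tokens for a real assessment.
    """
    n = len(tokens)
    total = 0.0
    for pos in range(len(tokens[0])):
        counts = Counter(tok[pos] for tok in tokens)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total / len(tokens[0])


def is_arithmetic_sequence(tokens, base=16):
    """True when consecutive tokens, read as integers, differ by one constant."""
    try:
        values = [int(t, base) for t in tokens]
    except ValueError:
        return False
    return len({b - a for a, b in zip(values, values[1:])}) == 1


def assess(tokens, min_bits_per_char=2.0):
    """Summarise a token sample the way you would read a sequencer report."""
    if len(tokens) < 2 or len({len(t) for t in tokens}) != 1:
        raise ValueError("need at least two tokens of equal length")
    sequential = is_arithmetic_sequence(tokens)
    bits = per_position_entropy(tokens)
    varying = sum(1 for pos in range(len(tokens[0])) if len({t[pos] for t in tokens}) > 1)
    return {
        "sequential": sequential,
        "bits_per_char": round(bits, 2),
        "varying_positions": varying,
        "length": len(tokens[0]),
        "verdict": "predictable" if sequential or bits < min_bits_per_char else "no obvious weakness",
    }


# Constructed samples: a counter stepping by 7, hex-encoded, as a weak session id ...
WEAK = [format(1000 + 7 * i, "08x") for i in range(64)]
# ... and a SHA-256 prefix of a counter standing in for an opaque random token.
STRONG = [hashlib.sha256(f"demo-{i}".encode()).hexdigest()[:32] for i in range(64)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("strong", STRONG)):
        print(name, assess(sample))
```

With real tokens, a low bits_per_char together with many varying positions usually means a structured value (timestamp, encoded user id) rather than randomness; that is the case where decoding the token (Base64, hex, URL encoding) before analysing it pays off, which is also what the sequencer's decoding options are for.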

Installing Apache HTTP Server
The Apache HTTP Server is an open source web server that is currently the most popular HTTP server on the World Wide Web. You may need to set up an HTTP server of your own to carry out some of the advanced cross-site scripting (XSS) exploits (for example to host a payload script) as well as to test for PHP remote file inclusion.
Download : http://httpd.apache.org/download.cgi.
Windows Installation
On Windows you can easily install binary packages with or without crypto support (crypto support is needed if you want to serve the site over HTTPS with an SSL certificate).
Unix/Linux Installation
Download one of the source packages.
Execute the following commands to compile, install and start the Apache web server (replace PREFIX with the installation directory, for example /usr/local/apache2):
$ ./configure --prefix=PREFIX
$ make
$ make install
$ PREFIX/bin/apachectl start

Friday, November 2, 2012

Email Spoofing : How to spoof email address

In this post I have used mailserver.com just as an example; you need to use a real mail server of your own.
Why not try it on your org's email domain :)

Open a command prompt and enter the following commands, pressing Enter after each line.
telnet smtp.mailserver.com 25
HELO QA
MAIL FROM:<yourid@mailserver.com>
RCPT TO:<yourid@mailserver.com>
DATA
Subject: test mail          (press Enter twice: the blank line separates the headers from the body)
This is a test mail         (this is the body text)
.                           (a line containing only '.' ends the message)

If the server answers with something like the following, it has accepted the message with the spoofed envelope sender:
250 2.0.0 qA28jUNa098936 Message accepted for delivery
A 250 here only means that this relay queued the message. Whether it reaches the inbox is up to the receiving side: mail systems that check SPF, DKIM or DMARC for the spoofed domain may reject or quarantine it, and a properly configured relay that requires authentication for senders in its own domain will already have refused the MAIL FROM command with a 5xx reply.

Type QUIT to quit.
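The same exchange with both sides' lines, as an added example (my code, not any real mail server's and not part of the original post): the post's commands are replayed against a small in-memory SMTP responder so it runs offline. The responder can behave as an open relay, which accepts any MAIL FROM (what the post relies on), or as a hardened relay that refuses an unauthenticated session claiming a sender in its own domain. The host name mailserver.com comes from the post; the reply texts and the queue id are constructed to resemble common server output.

```python
"""Added example: the post's SMTP exchange against a toy in-memory responder.
Not any real mail server's code; reply texts are constructed."""
import re

ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")   # bare or <bracketed> address


class SmtpResponder:
    """Server-side SMTP state machine: one client line in, one reply out."""

    def __init__(self, hostname="mailserver.com", local_domains=(), require_auth_for_local=False):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}
        self.require_auth_for_local = require_auth_for_local
        self.authenticated = False      # no AUTH command in this toy, so never True
        self.delivered = []             # (mail_from, rcpt_to, body) of accepted messages
        self.greeting = f"220 {hostname} ESMTP ready"
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from, self.rcpt_to, self.in_data, self.body = None, [], False, []

    def _sender_allowed(self, addr):
        """Policy: a sender in one of our own domains needs an authenticated session."""
        domain = addr.rpartition("@")[2].lower()
        return self.authenticated or not (self.require_auth_for_local and domain in self.local_domains)

    def handle(self, line):
        """Return the reply for one client line, or None while collecting DATA."""
        if self.in_data:
            if line == ".":                       # lone dot terminates the message
                self.in_data = False
                self.delivered.append((self.mail_from, list(self.rcpt_to), "\r\n".join(self.body)))
                reply = f"250 2.0.0 q{len(self.delivered):06d} Message accepted for delivery"
                self._reset_envelope()
                return reply
            self.body.append(line[1:] if line.startswith("..") else line)   # dot-unstuffing
            return None
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname} Hello {arg or 'unknown'}"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            m = ADDR_RE.search(arg[5:])
            if not m:
                return "501 5.1.7 Bad sender address syntax"
            if not self._sender_allowed(m.group(1)):
                return f"550 5.7.1 <{m.group(1)}>: Sender address rejected: not logged in"
            self.mail_from = m.group(1)
            return "250 2.1.0 Sender OK"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            m = ADDR_RE.search(arg[3:])
            if not m:
                return "501 5.1.3 Bad recipient address syntax"
            self.rcpt_to.append(m.group(1))
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 5.5.1 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "500 5.5.2 Command unrecognized"


def run_session(server, client_lines):
    """Replay the client's lines; return the transcript as (who, line) pairs."""
    transcript = [("S", server.greeting)]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


def server_replies(transcript):
    return [line for who, line in transcript if who == "S"]


# The post's exchange, with the envelope sender forged as yourid@mailserver.com.
SPOOF_SESSION = ["HELO QA", "MAIL FROM:<yourid@mailserver.com>", "RCPT TO:<yourid@mailserver.com>",
                 "DATA", "Subject: test mail", "", "This is a test mail", ".", "QUIT"]

if __name__ == "__main__":
    hardened = SmtpResponder(local_domains=["mailserver.com"], require_auth_for_local=True)
    for label, srv in (("open relay", SmtpResponder()), ("hardened relay", hardened)):
        print(f"--- {label} ---")
        for who, line in run_session(srv, SPOOF_SESSION):
            print(f"{who}: {line}")
        print("accepted messages:", len(srv.delivered))
```

Run it and compare the two transcripts: the open relay answers 250 to every step and queues the message, while the hardened relay answers 550 to MAIL FROM and then 503 to everything that depends on it, so nothing is queued. The hardened policy only covers its own domains; forging a sender from some other domain still gets through this relay, which is where SPF, DKIM and DMARC on the receiving side come in.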



Monday, October 29, 2012

Install windows from bootable USB DRIVE/Pendrive


Hello friends,

Most of the time my friends ask me to help them install Windows on their system via a USB pen drive. So today I am going to write down the steps to make a Windows 7/Vista bootable pen drive.

To make a bootable pen drive you need:
 A pen drive of at least 4 to 8 GB.
 A Windows 8/7/Vista DVD, or a Windows 8/7/Vista DVD image.

Once you have those, here are the 10 steps to make your pen drive bootable:
1.       Plug your pen drive into your PC or laptop.
2.       Go to 'My Computer' and format the pen drive.
3.       Now open a command prompt with Administrator privileges.
(Go to Start > All Programs > Accessories > Command Prompt, right-click on Command Prompt and run it as an administrator.)
4.       When the command prompt opens, enter the following commands in the order written below.
a.       DISKPART, and press Enter.

b.      LIST DISK, and press Enter.

Once LIST DISK completes, note the disk number of your pen drive in the results (check the Size column carefully: the CLEAN command below wipes whichever disk you select). In my case the USB drive is "Disk 2", so we will use 'Disk 2' in the example.
Now, execute the following command one by one.


SELECT DISK 2
CLEAN
CREATE PARTITION PRIMARY
SELECT PARTITION 1
ACTIVE
FORMAT FS=NTFS QUICK
ASSIGN
EXIT


Now, don't close the command prompt.
5.       Put your Windows disc in your CD-ROM drive (if your CD-ROM drive is not working, mount the Windows image file on a virtual CD-ROM drive). Suppose your Windows disc drive is "E:".
6.       Then go to the command prompt and execute the following commands.

E:
CD BOOT                  (here 'E:' is your Windows 7/Vista disc drive letter)
BOOTSECT.EXE /NT60 D:    (here 'D:' is your USB drive letter)

7.       Once the above commands have executed, close the command prompt.
8.       Select all the files on your Windows 8/7/Vista disc and copy them to your USB drive. The USB drive is now ready to boot Windows setup.
9.       Now restart the computer and boot from the USB drive (you can change the boot priority in the BIOS).
10.   Windows installation will start just as it does from the DVD. (Enjoy :))

If you find any problem ,then feel free to ask question and leave your comments…

Friday, October 26, 2012

How to locate element in Html 'svg' tag in Selenium 2(Webdriver)


Sample SVG code embedded into HTML code
 <html>
 <head>
 <title>automatethebox.blogspot.com</title>
 </head>
 <body>
 <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="939" height="360">
 <g zIndex="10">
 <text><tspan x="5.5" y="20">You</tspan></text>
 </g>
 <g zIndex="20">
 <text><tspan x="5.5" y="40">Me</tspan></text>
 </g>
 <g zIndex="30">
 <text><tspan x="5.5" y="60">None</tspan></text>
 </g>
 </svg>
 </body>
 </html>
Selenium 2 (WebDriver) code to locate and interact with an SVG element embedded into HTML
Suppose the three groups in the SVG code above are buttons.
Now we will find the buttons and click on them, first with CSS selectors (method 1) and then with XPath (method 2). Here we go....

Method 1
 import java.util.List;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebElement;

 // First find the 'svg' tag in the page and keep it as a WebElement instance.
 WebElement svgElement = driver.findElement(By.cssSelector("svg"));

 // Get the <g> groups (the buttons we want to interact with) as a list, in document order.
 List<WebElement> gElements = svgElement.findElements(By.cssSelector("g"));

 // Click the 'You' button (the first <g> in the sample).
 WebElement youButton = gElements.get(0).findElement(By.cssSelector("tspan"));
 youButton.click();

 // Click the 'Me' button (the second <g>).
 WebElement meButton = gElements.get(1).findElement(By.cssSelector("tspan"));
 meButton.click();

 // Click the 'None' button (the third <g>).
 WebElement noneButton = gElements.get(2).findElement(By.cssSelector("tspan"));
 noneButton.click();
Method 2
 // Locate the buttons by XPath (By.xpath, not By.cssSelector: these are XPath expressions).
 // local-name() and namespace-uri() are needed because the elements live in the SVG namespace.
 WebElement meButton = driver.findElement(By.xpath("//*[local-name()='svg' and namespace-uri()='http://www.w3.org/2000/svg']//*[local-name()='tspan' and text()='Me']"));
 WebElement youButton = driver.findElement(By.xpath("//*[local-name()='svg' and namespace-uri()='http://www.w3.org/2000/svg']//*[local-name()='tspan' and text()='You']"));
 WebElement noneButton = driver.findElement(By.xpath("//*[local-name()='svg' and namespace-uri()='http://www.w3.org/2000/svg']//*[local-name()='tspan' and text()='None']"));

 // Click on the buttons.
 meButton.click();
 youButton.click();
 noneButton.click();

Wednesday, October 24, 2012

How to switch between browser windows in Selenium 2 (WebDriver Java)

 // Store the current window handle in a String variable.
 String parentWindow = driver.getWindowHandle();

 // Click the page element which causes a new window to be opened, for example a link.
 driver.findElement(By.linkText("myLink")).click();

 // Find the handle of the newly opened window: the one that is not the parent.
 // (getWindowHandles() returns a Set with no guaranteed order, so do not rely on toArray()[1].)
 String childWindow = null;
 for (String handle : driver.getWindowHandles()) {
     if (!handle.equals(parentWindow)) {
         childWindow = handle;
     }
 }

 // Switch to the newly opened window.
 driver.switchTo().window(childWindow);

 // Switch back to the main window.
 driver.switchTo().window(parentWindow);


© automatethebox. All Rights Reserved

Monday, October 22, 2012

How Google reCaptcha works.


CAPTCHA stands for 'Completely Automated Public Turing test to tell Computers and Humans Apart'.


Google reCAPTCHA usually shows two distorted words, as in the image above.
One of the two is the 'control word' and the other is the 'unknown word': the 'control word' is one for which the reCAPTCHA software already knows the correct answer, while for the 'unknown word' (a word from scanned text that OCR failed to read) Google's reCAPTCHA software itself does not know the exact answer.

Q : So, the question is: if I type an invalid word in place of the 'unknown word' in the reCAPTCHA response, will it pass?
A : Yes, it will pass, because Google itself does not know the correct answer :)

For example :
If two words are displayed as a challenge, the word that seems harder for humans and OCR to read is the 'unknown word' (in the picture above, "ynnonp" looks like the unknown word).
So if you type the first word (ynnonp) incorrectly and the second word (execellent) correctly, you will be authenticated successfully.

To get more info about 'Control word' and 'Unknown word' and what is the story behind this go to "http://www.google.com/recaptcha/learnmore".



Friday, October 19, 2012

Stop the JMeter process from the Windows command line


Hi,

Today I got into a problem when I wanted to stop/kill the JMeter process from the command line.
But as JMeter runs as a java.exe process, we can't just kill the Java processes to stop JMeter.
So I tried just a little hack to kill only the JMeter process and it worked... :)


You can use the following commands in a Windows batch file for this.

Put the lines below in a batch file (say stopjmeter.bat) and run it:

for /f "tokens=5" %%G in ('netstat -ano ^| findstr ":8085 "') do set JPID=%%G
if defined JPID taskkill /F /PID %JPID%

The for /f loop runs netstat -ano, keeps the lines whose address column contains port 8085 and takes the fifth column (the PID) of each; JPID ends up holding the PID from the last matching line, which is then killed. If you type the commands at the prompt one by one instead of using a batch file, write %G instead of %%G.

In the above commands replace the port '8085' with the port number you are using to start JMeter.

Cheers!!!


