Pentesting on Web Applications using Ethical Hacking

Rina Elizabeth Lopez de Jimenez
Escuela de Computacion
Itca-Fepade
Santa Tecla, El Salvador
[email protected]

Abstract: This article presents the technique of penetration testing (Pentesting) on web applications: it discusses its different phases, the most common attacks of which web applications can be victims, and up-to-date software tools for carrying out a penetration test.

Keywords: Security, Pentesting, Vulnerability, Attack, OSSTMM, NIST, Authorization, Authentication, Accounting review, Integrity, Availability, Black Box, White Box, Gray Box, Burp Suite, Exposure of Access Credentials, Cross Site Scripting, Cross Site Request Forgery, Sql Injection, Exposure Data, Denial of Service, Ajax Testing, OWASP, ISSAF, CRLF injection, Code execution, Directory Traversal, File inclusion, MySQL, Oracle, Postgres Sql, DB2.

Article received on June 30, 2016. This work has been undertaken with the financial support of the Escuela Especializada en Ingenieria ITCA-FEPADE, El Salvador. Inga. Rina Elizabeth Lopez de Jimenez, Escuela de Ingenieria en Computacion, ITCA-FEPADE, La Libertad, El Salvador. Tel. (503) 2132-7572. Fax: (503) 2132-7599. Email: [email protected].

I. INTRODUCTION

Undoubtedly the rapid growth of the Internet and the use of an unlimited number of web and mobile applications have benefited everyone and changed the way we communicate and the way we conduct transactions. For that very reason, security measures that ensure the integrity and reliability of information have become very important.

Many companies today are concerned that their web applications are the fastest or are built with the best development practices, but very few worry about whether they have proper security. For that reason, this article discusses the different penetration testing techniques, using various software tools, for establishing the potential vulnerabilities a web application may have.

II. WHAT IS PENTESTING

The term Pentesting is very broad and admits several definitions, such as:

A. Concepts
• "It is the method for evaluating a system or network by simulating an attack of hostile origin" [1].
• "A security test with a specific objective; the test ends when the objective is achieved or when the available time runs out" (OSSTMM, Open Source Security Testing Methodology Manual).
• "A security test in which evaluators mimic real attacks to subvert the security features of an application, system or network" (NIST, National Institute of Standards and Technology).

The actual definition is that Pentesting is a set of tests whose objective is to detect the vulnerabilities of a system, keeping very clear that no system is 100% secure and inviolable. The integrity of the specifications must be maintained throughout [1].

III. WEB APPLICATION SECURITY

The growth and evolution of the Internet has significantly changed the way we communicate and conduct operations, generating a great deal of sensitive information: for example, the arrival of e-commerce sites, online services, banks and social networks. The data handled by these applications can be stolen or altered if the necessary security measures for handling them are not in place.

Computers worldwide are susceptible to attack by hackers or crackers able to compromise computer systems and steal valuable information or delete a large part of it. In this situation it is essential to know whether these systems and data networks are protected against any kind of intrusion [8].

It is commonly believed that the flaws or vulnerabilities are found in the web servers or in the software itself; however, it has been found that most failures are caused by the bad practices of developers. Therefore it is important to understand that web applications should not only be designed and developed to meet the specific objectives for which they are created, but must also take care of each piece of data and information generated in them [2].

Fig. 1. Information Theft.
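The paragraph above attributes most failures to developers' bad practices. As an added example (not code from the paper or from any project it cites), the following Python contrasts a bad-practice account lookup with one that applies the security bases listed in III.A (authentication, authorization, accounting, confidentiality of stored credentials) and blocks the attacks catalogued in III.B and III.C (semantic URL manipulation, Cross-Site Scripting, Cross-Site Request Forgery, SQL injection, exposure of access credentials). The service, its users, the account data and every function name are constructed for this illustration.

```python
# Added example, not code from the paper: a tiny account-lookup service that
# applies the security bases of section III.A and blocks the attacks of
# sections III.B and III.C. All names, users and data are constructed;
# "view_account_vulnerable" is the bad-practice counterpart kept only to show
# the contrast.
import hashlib
import hmac
import html
import secrets
import sqlite3

AUDIT_KEY = secrets.token_bytes(32)  # constructed: key that makes audit records tamper-evident


def hash_password(password, salt=None):
    """Confidentiality of credentials: store a salted PBKDF2 hash, never clear text."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def build_db():
    """Constructed sample data: two users, each owning one account record."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, salt BLOB, pw BLOB);"
        "CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner INTEGER, note TEXT);"
    )
    for uid, name, pw in [(1, "alice", "correct horse"), (2, "bob", "hunter2")]:
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (uid, name, salt, digest))
    db.execute("INSERT INTO accounts VALUES (10, 1, 'alice private note')")
    db.execute("INSERT INTO accounts VALUES (20, 2, '<script>alert(1)</script>')")
    db.commit()
    return db


class Service:
    def __init__(self):
        self.db = build_db()
        self.sessions = {}  # session token -> (user id, csrf token)
        self.audit = []     # accounting review: (record, HMAC tag) pairs

    def login(self, name, password):
        """Authentication ("who are you?"): verify the password against the stored hash."""
        row = self.db.execute("SELECT id, salt, pw FROM users WHERE name = ?", (name,)).fetchone()
        if row is None:
            return None
        uid, salt, stored = row
        if not hmac.compare_digest(stored, hash_password(password, salt)[1]):
            return None
        token, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[token] = (uid, csrf)
        return token, csrf

    def _record(self, uid, action, outcome):
        """Non-repudiation: every decision is logged with an HMAC over the record."""
        entry = f"user={uid} action={action} outcome={outcome}"
        self.audit.append((entry, hmac.new(AUDIT_KEY, entry.encode(), "sha256").hexdigest()))

    def view_account(self, token, account_id, csrf_token):
        """Hardened handler: returns (HTTP status, HTML body)."""
        session = self.sessions.get(token)
        if session is None:
            return 401, "not authenticated"
        uid, csrf = session
        # CSRF: the request must carry the secret bound to this session
        if not isinstance(csrf_token, str) or not hmac.compare_digest(csrf, csrf_token):
            self._record(uid, f"view {account_id}", "csrf-rejected")
            return 403, "bad csrf token"
        # Data validation: the id is an integer, so it cannot carry SQL
        try:
            account_id = int(account_id)
        except (TypeError, ValueError):
            return 400, "bad account id"
        # Parameterised query: the value never becomes part of the SQL text
        row = self.db.execute("SELECT owner, note FROM accounts WHERE id = ?", (account_id,)).fetchone()
        # Authorization ("what can you do?"): editing the id in the URL must not
        # reveal another user's record (the "semantic URL" attack of Table I)
        if row is None or row[0] != uid:
            self._record(uid, f"view {account_id}", "denied")
            return 403, "forbidden"
        self._record(uid, f"view {account_id}", "ok")
        # XSS: output-encode stored data before embedding it in HTML
        return 200, f"<p>{html.escape(row[1])}</p>"

    def view_account_vulnerable(self, account_id):
        """Bad-practice counterpart: string-built SQL, no authorization, no encoding."""
        rows = self.db.execute(f"SELECT owner, note FROM accounts WHERE id = {account_id}").fetchall()
        return "".join(f"<p>{note}</p>" for _, note in rows)


def verify_audit(entries):
    """Integrity check on the audit trail: recompute every HMAC tag."""
    return all(hmac.compare_digest(tag, hmac.new(AUDIT_KEY, entry.encode(), "sha256").hexdigest())
               for entry, tag in entries)
```

The hardened handler refuses a request at the first failed check and records the decision, so the audit trail (whose integrity verify_audit checks) shows denied and forged attempts as well as successes, which is what the accounting review in III.A asks for. The vulnerable counterpart, given an id such as "10 OR 1=1", returns every account's note unescaped, which is exactly the database and scripting exposure the later subsections describe.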
A. Security Bases
• Authentication: addresses the question "who are you?" It is the process of uniquely identifying the clients of applications and services.
• Authorization: addresses the question "what can you do?" It is the process that governs the resources and operations the authenticated client is allowed to access.
• Accounting review: effective auditing and logging are key for non-repudiation. Non-repudiation ensures that a user cannot deny having performed an operation or initiated a transaction.
• Confidentiality: also known as privacy, it is the process of ensuring that data is kept private and confidential and cannot be viewed by unauthorized users or by intruders who monitor the flow of traffic across a network. Encryption is often used to enforce confidentiality.
• Integrity: the guarantee that data are protected against accidental or deliberate (malicious) modification.
• Availability: from a security perspective, availability means that systems remain available to legitimate users [3].

B. Common Attacks
There are currently numerous attacks on web applications; the following table summarizes the most prominent of them.

TABLE I. MOST COMMON ATTACKS ON WEB APPLICATIONS [2].

Attack | Description
Semantic URL | Such attacks involve a user modifying the URL in order to perform actions that the server was not originally designed to handle properly.
Cross-Site Scripting | Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users.
Cross-Site Request Forgery | This type of attack allows the attacker to send HTTP requests at will from the victim's machine.
Counterfeited HTTP requests | More sophisticated than the previous attack: forged requests are sent using special tools built for this purpose.

C. Attacks through databases
Most web applications today transport, create and display a great deal of information from databases, so maintaining the integrity and reliability of the database itself becomes an important security issue. The major attacks involving databases are:
• Exposure of access credentials
• SQL injection
• Data exposure

IV. PENETRATION TESTING WEB APPLICATIONS

A. Test Areas
• External: executed from outside the security perimeter. Example: the Internet.
• Internal: executed with more access privileges on the network. Example: an employee, customer or supplier, or a free wireless network [4].

B. Types of penetration testing
The important types of pen testing are:
• Black Box Penetration Testing
• White Box Penetration Testing
• Grey Box Penetration Testing

Fig. 2. Types of Pentesting (the figure places the test types Blind, Double Blind, Gray Box, Double Gray Box, Tandem and Reversal on axes of the target's knowledge of the attack against the attacker's knowledge of the target).

• Black Box Penetration Testing: in black box penetration testing the tester has no knowledge of the systems to be tested; the tester is interested in gathering information about the target network or system. For example, in this kind of test a tester knows only what the expected outcome should be, not how that outcome arises, and does not examine any program code.
• White Box Penetration Testing: this is comprehensive testing, as the tester has been provided with the whole range of information about the systems and/or network, such as schema, source code, OS details, IP addresses, etc. It is normally considered a simulation of an attack by an internal source. It is also known as structural, glass box, clear box and open box testing. White box penetration testing examines code coverage and performs data flow testing, path testing, loop testing, etc.
• Grey Box Penetration Testing: in this type of testing the tester is usually provided with partial or limited information about the internal details of the program
of a system. It can be considered an attack by an external hacker who has gained illegitimate access to an organization's network infrastructure documents [5].

TABLE II. ADVANTAGES AND DISADVANTAGES OF TYPES OF PENETRATION TESTING

Type | Advantages | Disadvantages
Black Box | The tester need not necessarily be an expert, as it does not demand specific language knowledge. The tester verifies contradictions between the actual system and the specifications. The test is generally conducted from the perspective of a user, not the designer. | Particularly, the test cases are difficult to design. Possibly it is not worthwhile, in case the designer has already conducted a test case. It does not cover everything.
White Box | It ensures that all independent paths of a module have been exercised. It ensures that all logical decisions have been verified along with their true and false values. It discovers typographical errors and does syntax checking. It finds the design errors that may have occurred because of the difference between the logical flow of the program and the actual execution. |
Grey Box | As the tester does not require access to the source code, it is non-intrusive and unbiased. As there is a clear difference between a developer and a tester, there is the least risk of personal conflict. You don't need to provide the internal information about the program functions and other operations. |

C. Main stages of a pentesting
Penetration testing is a combination of techniques that considers the various issues of the systems under test and tests, analyzes and gives solutions. It is based on a structured procedure that performs penetration testing step by step.

• Planning & Preparation
Planning and preparation starts with defining the goals and objectives of the penetration test. The client and the tester jointly define the goals so that both parties have the same objectives and understanding. The common objectives of penetration testing are:
a. To identify vulnerabilities and improve the security of the technical systems.
b. To have IT security confirmed by an external third party.
c. To increase the security of the organizational/personnel infrastructure.

• Reconnaissance
Reconnaissance includes an analysis of the preliminary information. Many times a tester does not have much information other than the preliminary information: an IP address or an IP address block. The tester starts by analyzing the available information and, if required, requests more information such as system descriptions, network plans, etc. from the client. This step is a sort of passive penetration test; its sole objective is to obtain complete and detailed information about the systems.

• Discovery
In this step the penetration tester will most likely use automated tools to scan the target assets for vulnerabilities. These tools normally have their own databases giving details of the latest vulnerabilities. In this step the tester discovers:
a. Network Discovery: discovery of additional systems, servers and other devices.
b. Host Discovery: determining the open ports on these devices.
c. Service Interrogation: interrogating the ports to discover the actual services running on them.

• Analyzing Information and Risks
In this step the tester analyzes and assesses the information gathered before the test steps that dynamically penetrate the system. Because of the large number of systems and the size of the infrastructure, it is extremely time consuming. While analyzing, the tester considers the following elements:
a. The defined goals of the penetration test.
b. The potential risks to the system.
c. The estimated time required for evaluating potential security flaws in the subsequent active penetration testing.
d. From the list of identified systems, the tester may choose to test only those which contain potential vulnerabilities.
Fig. 3. Main Stages of Pentesting.

• Active Intrusion Attempts
This is the most important step and must be performed with due care. It establishes the extent to which the potential vulnerabilities identified in the discovery step pose actual risks. This step must be performed when verification of potential vulnerabilities is needed. For systems with very high integrity requirements, the potential vulnerability and risk need to be carefully considered before critical clean-up procedures are carried out.

• Final Analysis
This step considers all the steps conducted up to that time (discussed above) and evaluates the vulnerabilities present in the form of potential risks. Further, the tester recommends how to eliminate the vulnerabilities and risks. Above all, the tester must ensure the transparency of the tests and of the vulnerabilities disclosed.

• Report Preparation
Report preparation must start with the overall testing procedures, followed by an analysis of vulnerabilities and risks. The high risks and critical vulnerabilities must be given priority, followed by those of lower order.
While documenting the final report, the following points need to be considered:
a. Overall summary of the penetration test.
b. Details of each step and the information gathered during the pen test.
c. Details of all the vulnerabilities and risks discovered.
d. Details of cleaning and fixing the systems.
e. Suggestions for future security [5].

D. Methodologies

• OWASP (Open Web Application Security Project)
It is an open source project dedicated to identifying and combating the causes that make software insecure. The OWASP Foundation is a nonprofit organization that supports and manages OWASP projects and infrastructure. Its most successful documents include the OWASP Guide and the widely adopted self-assessment document OWASP Top 10.

Its test method for web applications is based on two phases: passive and active. Its approach is preferably "black box": little or nothing is known about the application to be tested, nor about the context in which the tests will be done.

Passive phase.
Tests to understand the logic of the application under test and to check whether it reveals any element that could be an open door for detailed analysis.

Active phase.
The "tester" begins to test all the processes recommended in this methodology. This phase focuses specifically on 9 subcategories of 66 processes:
a. Configuration Management Testing (information gathering + configuration management).
b. Authentication Testing
c. Authorization Testing
d. Session Management Testing
e. Business Logic Testing
f. Data Validation Testing
g. Denial of Service Testing
h. Web Services Testing
i. Ajax Testing [6]

• OSSTMM (Open Source Security Testing Methodology Manual)
It is one of the most complete professional standards and is commonly used in security audits to review the security of systems from the Internet. It includes a framework that describes the steps to be taken to carry out the audit.

• ISSAF (Information Systems Security Assessment Framework)
The Information Systems Security Assessment Framework is a structured methodology for security analysis in multiple domains, with specific test details for each of them. It aims to provide very detailed procedures for the testing of information systems that reflect real situations. ISSAF is mostly used to meet the assessment requirements of organizations and can also be used as a reference for new implementations related to information security [6].

V. TOOLS TO MAKE PENTESTING

There are many pentesting tools based on free software, each capable of performing different kinds of penetration tests. Below is a list of the most used tools:

• Burp Suite
Burp Suite is an excellent platform for pentesting and website security. This tool has very good features such as:
a. Intercepting proxy
b. Spider (for "crawling")
c. Automatic detection of vulnerabilities
d. Repeater tool
e. Ability to write your own plugins

• Acunetix - Web vulnerability scanner
A powerful tool for MS Windows that detects a large number of vulnerabilities, including Cross-Site Scripting, SQL injection, CRLF injection, code execution, directory traversal and file inclusion, and looks for vulnerabilities in file upload forms.
It also has its own integrated port scanner which, although it does not replace nmap (nmap.org), reports the current state of the ports that are exposed. It also has several independent tools to perform specific tasks, such as an HTTP fuzzer, HTTP editor, authentication tester, etc.
• SQLmap
Developed by Bernardo Damele and Miroslav Stampar, sqlmap is a tool that no web application auditor should do without.
It is an open source, free command-line tool that automates the detection and exploitation of SQL injection vulnerabilities and the extraction of information from databases. It currently supports:
a. MySQL
b. Oracle
c. PostgreSQL
d. Microsoft SQL Server
It also partially supports other DBs such as:
a. Microsoft Access
b. DB2
c. Informix
d. Sybase
e. Interbase

Fig. 4. SqlMap on Kali Linux.

• WhatWeb
This tool is useful for one of the first steps in an audit or pentest, gathering information: it identifies whether the "target" uses any Content Management System (CMS), blogging platform, servers, JavaScript libraries, etc. It is recommended preliminary work for reconnaissance of what is going to be tested.

• Nessus
Nessus targets more extensive use in the field of testing (i.e. large networks with a large number of devices, etc.), but it is also very useful for web application pentesting by enabling and configuring the correct modules [7].

• Kali Linux
Kali Linux is a Debian-based Linux distribution aimed at advanced penetration testing and security auditing. Kali contains several hundred tools aimed at various information security tasks, such as penetration testing, forensics and reverse engineering. Kali Linux is developed, funded and maintained by Offensive Security, a leading information security training company.
Kali Linux was released on the 13th March, 2013 as a complete, top-to-bottom rebuild of BackTrack Linux, adhering completely to Debian development standards.
a. More than 600 penetration testing tools included: after reviewing every tool that was included in BackTrack, we eliminated a great number of tools that either simply did not work or which duplicated other tools that provided the same or similar functionality.
b. Free (as in beer) and always will be: Kali Linux, like BackTrack, is completely free of charge and always will be. You will never, ever have to pay for Kali Linux.
c. Open source Git tree: we are committed to the open source development model and our development tree is available for all to see. All of the source code which goes into Kali Linux is available for anyone who wants to tweak or rebuild packages to suit their specific needs.
d. FHS compliant: Kali adheres to the Filesystem Hierarchy Standard, allowing Linux users to easily locate binaries, support files, libraries, etc.
e. Wide-ranging wireless device support: a regular sticking point with Linux distributions has been support for wireless interfaces. We have built Kali Linux to support as many wireless devices as we possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices. [9]

Fig. 4. Kali Linux Menu.

• Parrot Security OS
It is an operating system based on Debian, developed by the Frozenbox team. This operating system is designed for ethical hacking, computer forensics testing, cryptography, etc. Parrot Security OS promises to be a highly efficient, lightweight operating system.

• BackBox Linux
This is an operating system based on Ubuntu, with a focus on security assessment and penetration testing. It has a wide range of security analysis tools for web applications, network analysis, etc.
• Samurai Web Testing Framework
It is basically a live Linux environment that comes pre-configured to function as a web pen-testing platform. It contains several free and open hacking tools for detecting vulnerabilities in website code [10].

VI. CONCLUSION

In this article an analysis of the main intrusion tests performed on web applications was carried out, with a brief preamble on the meaning of the term Pentesting and the types that exist; the major attacks that web applications may suffer are also described.

The main Pentesting methodologies are also described, so that more can be learned about each of them; at the same time a list of the software tools most commonly used for penetration testing was compiled, highlighting in particular Kali Linux, a free tool capable of modeling numerous attacks in order to obtain information about the vulnerabilities that websites may have.

After performing the analysis of the collected information, it can be confirmed that no web application is perfectly safe and free from attacks, but with the use of intrusion testing techniques (Pentesting) as Ethical Hacking tools, all those vulnerabilities can be overcome, avoiding attacks that undermine the integrity and reliability of the data they handle.

REFERENCES

[1] R. Guirado, Penetration Testing, General Concepts and Current Situation, CISA CGEIT, 2009.
[2] Coordinacion de Seguridad de la Informacion, Direccion General de Computo y Tecnologias de Informacion y Comunicacion, "Aspectos Basicos de la Seguridad en Aplicaciones Web," April 2016. [Online]. Available: http://www.seguridad.unam.mx/documento/?id=17.
[3] "Web Application Security Fundamentals," June 2003. [Online]. Available: https://msdn.microsoft.com/en-us/library/ff648636.aspx.
[4] "ESEl Dojos, Test de Intrusion pentesting," 2012.
[5] "Types of Penetration Testing," 2016. [Online]. Available: http://www.tutorialspoint.com/penetration_testing/penetration_testing_introduction.htm.
[6] M. C. P. Fernandez, "Comparativa Metodologias, Auditorias y Pentesting," Elche, 2012.
[7] "5 Herramientas utiles en Penetration Testing para Aplicaciones Web," 11 April 2012. [Online]. Available: https://seguridadetica.wordpress.com/2012/04/11/5-heramientas-utiles-en-penetration-testing-para-aplicaciones-web/.
[8] A. R. Plata, "Ethical Hacking," Mexico, 2010.
[9] Kali Linux organization, "Kali Linux Official Documentation," 2016. [Online]. Available: http://docs.kali.org/introduction/what-is-kali-linux.
[10] Creadpag, "10 best operating systems for Ethical Hacking and Penetration Testing," 2016. [Online]. Available: https://creadpag.wordpress.com/2016/01/29/10-mejores-sistemas-operativos-para-ethical-hacking-y-penetration-testing/.
