Day 4: Web Vulnerability Scanning

Web App Pentesting with Nikto, Burp Suite & OWASP ZAP

Web applications are prime targets for cyberattacks due to their accessibility and complexity. Penetration testing (pentesting) of web applications is a critical skill for identifying vulnerabilities and securing systems. Parrot OS, a Debian-based Linux distribution designed for cybersecurity professionals, provides a robust suite of tools for web vulnerability scanning. On Day 4 of this 7-day learning series, we explore the essentials of web application pentesting. This article covers common web attacks such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and Local File Inclusion (LFI); guides you through automated scanning with Nikto, WPScan, and OWASP ZAP; explains manual testing with Burp Suite; and demonstrates practical testing using a local Damn Vulnerable Web Application (DVWA) on a LAMP stack. Additional tools like Dirb and Gobuster are included to enhance your reconnaissance capabilities. By mastering these techniques, you will be equipped to identify and mitigate web vulnerabilities in a controlled, ethical environment.

Understanding Web Attacks

Web applications are susceptible to various attacks due to coding flaws, misconfigurations, or outdated software. Understanding common vulnerabilities is essential for effective pentesting. Below are key web attacks to recognize:

Cross-Site Scripting (XSS)

XSS occurs when attackers inject malicious scripts into web pages viewed by users. These scripts execute in the victim’s browser, potentially stealing cookies, session tokens, or redirecting users to malicious sites.

• Types:
  • Stored XSS: Malicious code is stored on the server (e.g., in a database) and executed when users access the page.
  • Reflected XSS: Malicious code is embedded in a URL or form input and executed when the user interacts with it.
  • DOM-based XSS: The attack manipulates the Document Object Model (DOM) in the browser.
• Example: Injecting <script>alert('XSS')</script> into a form field to display a pop-up.

SQL Injection (SQLi)

SQLi exploits vulnerabilities in database-driven applications by injecting malicious SQL queries, allowing attackers to bypass authentication, extract data, or modify databases.

• Example: Entering ' OR '1'='1 in a login form to bypass authentication.
• Impact: Data theft, unauthorized access, or database corruption.

Local File Inclusion (LFI)

LFI allows attackers to include files from the server’s file system in the application’s output, often due to improper input validation.

• Example: Accessing ../../etc/passwd via a vulnerable URL parameter.
• Impact: Exposure of sensitive files or remote code execution (if combined with other vulnerabilities).

Other Common Attacks

• Cross-Site Request Forgery (CSRF): Tricks users into performing unintended actions on a trusted site.
• Remote File Inclusion (RFI): Allows attackers to include remote files, potentially executing malicious code.
• Directory Traversal: Exploits path manipulation to access restricted directories.
• Insecure Deserialization: Manipulates serialized data to execute arbitrary code.

Outcome: You understand the mechanics and risks of common web vulnerabilities, preparing you to identify them during testing.

Setting Up a Local DVWA/LAMP Stack

Before using pentesting tools, set up a local testing environment using Damn Vulnerable Web Application (DVWA) on a LAMP (Linux, Apache, MySQL, PHP) stack. DVWA is a deliberately vulnerable web application designed for learning pentesting.

Installing the LAMP Stack

1. Install Apache, MySQL, and PHP:

   sudo apt update
   sudo apt install apache2 mysql-server php php-mysql libapache2-mod-php

   This installs the necessary components for a LAMP stack.
2. Start Services:

   sudo systemctl start apache2
   sudo systemctl start mysql

   Enable services to start on boot:

   sudo systemctl enable apache2
   sudo systemctl enable mysql

3. Verify Apache: Open a browser and navigate to http://localhost to confirm the Apache default page.

Installing DVWA

1. Download DVWA:

   git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa

   This clones DVWA into Apache’s web directory.
2. Configure DVWA:
   • Copy the configuration file:

     cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php

   • Edit /var/www/html/dvwa/config/config.inc.php to set the database credentials (default: root, no password).
3. Configure MySQL:

   sudo mysql
   CREATE DATABASE dvwa;
   GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';
   FLUSH PRIVILEGES;
   EXIT;

4. Set Permissions:

   sudo chown -R www-data:www-data /var/www/html/dvwa
   sudo chmod -R 755 /var/www/html/dvwa

5. Access DVWA: Navigate to http://localhost/dvwa in a browser, click “Create / Reset Database,” and log in with admin/password.

Outcome: You have a local DVWA instance for safe, controlled pentesting.

Using Nikto for Automated Scanning

Nikto is an open-source web server scanner that identifies vulnerabilities, misconfigurations, and outdated software.

Running Nikto

• Basic Scan:

  nikto -h http://localhost/dvwa

  Scans the DVWA instance for common issues.
• Output to File:

  nikto -h http://localhost/dvwa -o nikto_results.html

  Saves results in HTML format.
• Tuning Options:

  nikto -h http://localhost/dvwa -Tuning 123

  Limits the scan to specific tests (e.g., XSS, SQLi).

Outcome: You can use Nikto to quickly identify potential vulnerabilities in web servers.

Scanning WordPress with WPScan

WPScan is a specialized tool for scanning WordPress sites, identifying vulnerable plugins, themes, and configurations.

Setting Up WPScan

1. Update WPScan:

   sudo wpscan --update

   Ensures the vulnerability database is current.
2. Basic Scan:

   wpscan --url http://localhost/wordpress

   Scans a WordPress site (replace with a test WordPress instance if not using DVWA).
3. Enumerate Users:

   wpscan --url http://localhost/wordpress --enumerate u

   Lists usernames.
4. Plugin Scanning:

   wpscan --url http://localhost/wordpress --enumerate vp

   Identifies vulnerable plugins.

Note: For testing, set up a local WordPress instance or use a vulnerable WordPress setup like those in Metasploitable.

Outcome: You can assess WordPress-specific vulnerabilities with WPScan.

Web Scanning with OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is a comprehensive tool for automated and manual web vulnerability scanning.

Using OWASP ZAP

1. Launch ZAP:

   zaproxy

   Open ZAP from the terminal or Parrot menu.
2. Configure Proxy:
   • In ZAP, go to Tools > Options > Local Proxy and note the proxy address (default: 127.0.0.1:8080).
   • Configure your browser to use this proxy.
3. Spider the Site:
   • Add http://localhost/dvwa to the Sites tree.
   • Right-click and select “Spider” to crawl the site.
4. Active Scan:
   • Select “Active Scan” to test for vulnerabilities like XSS and SQLi.
5. Review Alerts: Check the Alerts tab for detected vulnerabilities.

Outcome: You can perform automated web vulnerability scans with OWASP ZAP.

Manual Testing with Burp Suite

Burp Suite is a powerful tool for manual web application testing, allowing you to intercept, modify, and analyze HTTP/S traffic.

Using Burp Suite

1. Launch Burp Suite:

   burpsuite

   Open Burp Suite from the terminal or Parrot menu.
2. Configure Proxy:
   • Go to Proxy > Options and set the proxy to 127.0.0.1:8080.
   • Configure your browser to use this proxy.
3. Intercept Requests:
   • Enable interception in the Proxy tab.
   • Browse to http://localhost/dvwa and inspect intercepted requests.
4. Test for XSS:
   • Intercept a form submission, modify the input to include <script>alert('XSS')</script>, and forward the request.
   • Check if the script executes in the browser.
5. Use Intruder:
   • Select a request in the Target > Site Map.
   • Send to Intruder and configure payloads to test for SQLi (e.g., ' OR '1'='1).
   • Analyze responses for anomalies.

Outcome: You can manually test web applications for vulnerabilities using Burp Suite.

Additional Tools: Dirb and Gobuster

Dirb and Gobuster are directory brute-forcing tools that discover hidden directories and files on web servers.

Dirb

• Basic Scan:

  dirb http://localhost/dvwa /usr/share/dirb/wordlists/common.txt

  Scans for common directories and files.
• Output to File:

  dirb http://localhost/dvwa -o dirb_results.txt

Gobuster

• Basic Scan:

  gobuster dir -u http://localhost/dvwa -w /usr/share/wordlists/dirb/common.txt

• Advanced Options:

  gobuster dir -u http://localhost/dvwa -w /usr/share/wordlists/dirb/big.txt -x php,html,txt

  Includes file extensions in the search.

Outcome: You can discover hidden web resources using directory brute-forcing tools.

Practical Exercise

1. Install and configure a LAMP stack and DVWA.
2. Run Nikto against DVWA and review the vulnerability report.
3. Install WordPress locally and scan it with WPScan.
4. Use OWASP ZAP to perform a spider and active scan on DVWA.
5. Manually test DVWA for XSS and SQLi using Burp Suite.
6. Enumerate directories on DVWA with Dirb and Gobuster.

Conclusion

Day 4 of this 7-day series has equipped you with the knowledge and skills to perform web vulnerability scanning using Parrot OS’s powerful tools. By understanding common web attacks like XSS, SQLi, and LFI, and mastering tools such as Nikto, WPScan, OWASP ZAP, Burp Suite, Dirb, and Gobuster, you can effectively identify and analyze vulnerabilities in web applications. Testing on a local DVWA/LAMP stack ensures a safe, ethical learning environment. Continue practicing these techniques, and prepare for Day 5, where you will explore advanced penetration testing techniques.

Next Steps:

• Experiment with additional DVWA vulnerabilities (e.g., file upload, CSRF).
• Explore other Parrot OS web tools like sqlmap for automated SQLi testing.
• Engage with cybersecurity communities on platforms like X to share insights and learn advanced techniques.