.

What is possible in Webpage hacking?

<<

The_UnKn@wn

Newbie
Newbie

Posts: 3

Joined: Mon Mar 01, 2010 9:19 pm

Post Fri Mar 05, 2010 5:48 pm

What is possible in Webpage hacking?

hi

I created a webpage which is basically a projectmanagement site which uses a MySQL database in the background for storing informatiion. I would want to test this webpage, but I have basically no idea what I could do?

I have a basic information about SQL injection, but that's it. What else could I do?

the webpage is written in PHP/HTML using a MySQL Database.

Thanks
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Fri Mar 05, 2010 5:54 pm

Re: What is possible in Webpage hacking?

Hey The_Unkn@wn,

I'd suggest a web vulnerability scanner to start out with. Then go as far as you could to prove they exist.

You may want to take a look at the Top 10 Web Vulnerability Scanners List Below:

http://sectools.org/web-scanners.html

I've used Nikto personally and like it - but I've also heard positives about Burpsuite as well.

There's also a couple of useful add-ons for firefox like:

SQL Inject Me:

https://addons.mozilla.org/en-US/firefox/addon/7597

That'll just run tests on the page with a simple click of a button and report back to you. A good test that I set up was I followed the Metasploit Unleashed course in setting up a vulnerable ASP page, along with SQL Server and attacked it. Those just a couple of pointers.

You could find out how to setup the vulnerable page if you go to the Metasploit Unleashed Course Then Hit -> Required Materials - > Windows XP SP2
Last edited by KrisTeason on Fri Mar 05, 2010 5:56 pm, edited 1 time in total.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Mar 05, 2010 6:07 pm

Re: What is possible in Webpage hacking?

I'd adhere to xXxKrisxXx's advice only if you own the server or have written permission to audit it. If it is hosted on some kind of hoster where you have only the rights to host your stuff, you might get into serious trouble otherwise.

That said, I would recommend Burp Suite which is really great and offers dozens of useful functions.

As you stated that you have no idea on how to do something like this, you may take a look at the OWASP project which offers many great resources and read-ups on how to do those things you are asking about. One part of it would be their Testing Guide, where you will find many useful tips.
Additionally you may then search for some of the most common web-based attacks, such as sql injections etc.

Depending on the project, you should also consider to hire a professional pentesting company, as those should have in-depth experience with this kind and will most probably get quite a lot more out than you could in the same time (as it seems you have no experience with this kind at this point).
<<

The_UnKn@wn

Newbie
Newbie

Posts: 3

Joined: Mon Mar 01, 2010 9:19 pm

Post Fri Mar 05, 2010 6:25 pm

Re: What is possible in Webpage hacking?

thanks guys. Yes, that's right, I have at that point no clue how to hack a website.
I could hire a pentest company, but the thing is that I want to test it by my own and I want to learn something.

What would be fore example a successful hack? That I get a mysql error or what?

@awesec: I wrote this page and I run it on a local server, so permissions don't matter here.
Last edited by The_UnKn@wn on Fri Mar 05, 2010 6:27 pm, edited 1 time in total.
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Mar 05, 2010 6:32 pm

Re: What is possible in Webpage hacking?

I see. Pointing on the legal aspect might seem a little 'boring', but it is a necessity in my opinion. ;)
 
Getting a mysql error can help in the hacking process, as, depending on the error, you might be able to retrieve sensitive data which can be used to proceed. Also it might be already the very beginning of an attack.

As you said you would like to learn more about it, OWASP should be able to give you plenty of stuff to go on. Another project of theirs, which should help you in your process of learning, is WebGoat.

"The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security."
Last edited by UNIX on Fri Mar 05, 2010 6:42 pm, edited 1 time in total.
<<

The_UnKn@wn

Newbie
Newbie

Posts: 3

Joined: Mon Mar 01, 2010 9:19 pm

Post Fri Mar 05, 2010 7:22 pm

Re: What is possible in Webpage hacking?

ok, thank you.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Mar 05, 2010 8:40 pm

Re: What is possible in Webpage hacking?

There is definitely more out there than SQLi.  You have XSS, CSRF, etc.  I use a few different web scanners, including w3af, nikto, paros, and now grendelscan.  The automated tools offer some great benefits and identify quite a few vulnerabilities.  However, they also miss some, and identify some false positives. 

Awesec mentioned OWASP already.  They have a fantastic web app pen testing guide.  It does a great job explaining what the vulnerabilities are, how to test for them, and what tools you can use.

http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
~~~~~~~~~~~~~~
Ketchup
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Mon Mar 08, 2010 3:37 am

Re: What is possible in Webpage hacking?



this is probably the best link for web application testing!

all the methods are explained and even how to test them yourself! just start with this document and try all the different vulnerabilities/attacks. make a chart of what worked, what didnt work, how it worked and how you will prevent them from happening in production. this is probably the best way to test it (atleast best practice)
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software