Test for Configuration and deployment

Aim: To famialirize tools configuration and deployment testing

Description:

The intrinsic complexity of interconnected and heterogeneous web server infrastructure,

which can include hundreds of web applications, makes configuration management and
review a fundamental step in testing and deploying every single application. It takes only a
single vulnerability to undermine the security of the entire infrastructure, and even small and
seemingly unimportant problems may evolve into severe risks for another application on the
same server. In order to address these problems, it is of utmost importance to perform an in-
depth review of configuration and known security issues, after having mapped the entire
architecture.

Proper configuration management of the web server infrastructure is very important in order
to preserve the security of the application itself. If elements such as the web server software,
the back-end database servers, or the authentication servers are not properly reviewed and
secured, they might introduce undesired risks or introduce new vulnerabilities that might
compromise the application itself.

For example, a web server vulnerability that would allow a remote attacker to disclose the
source code of the application itself (a vulnerability that has arisen a number of times in both
web servers or application servers) could compromise the application, as anonymous users
could use the information disclosed in the source code to leverage attacks against the
application or its users.

The following steps need to be taken to test the configuration management infrastructure:

 The different elements that make up the infrastructure need to be determined in order
to understand how they interact with a web application and how they affect its
security.
 All the elements of the infrastructure need to be reviewed in order to make sure that
they don’t contain any known vulnerabilities.
 A review needs to be made of the administrative tools used to maintain all the
different elements.
  The authentication systems, need to reviewed in order to assure that they serve the
needs of the application and that they cannot be manipulated by external users to
leverage access.
 A list of defined ports which are required for the application should be maintained and
kept under change control.

Procedure:

tools:

1.WPScan

Wpscan is a WordPress security scanner used to test WordPress installations and WordPress-
powered websites. This is a command line tool used in Kali Linux. This tool can be used to
find any vulnerable plugins, themes, or backups running on the site. It is usually used by
individual WordPress site owners to test their own websites for vulnerabilities and also by
large organizations to maintain a secure website. This tool can also be used to enumerate
users and perform brute-force attacks on known WordPress users. In this article, We are going
to take you through different commands of wpscan tool, the most commonly used attacks on
WordPress sites, and tips to defend against them. The below functionalities of this tool can be
used from the point of view of a hacker or even just someone who wants to test if their
WordPress site is secure enough.

 –url : (basic scan)

wpscan –url IP_ADDRESS_OF_WEBSITE

 –help: (help options)
wpscan --help

It’s a common practice in Linux to use the “–help” option to get the complete list of the
usability of the tool using different switches for different functionalities.
 -e u: (enumerating website users)
wpscan –url IP_ADDRESS_OF_WEBSITE -e u

This lets the wpscan tool enumerate the WordPress site for valid login usernames. After the
scan, it would give all the usernames the tool has enumerated which are valid users of the
WordPress site and are often times brute forced to gain unauthorized access to the
WordPress admin/author dashboard.

 -U -P: (brute-forcing password for the identified user)

wpscan –url IP_ADDRESS_OF_WEBSITE -U USER_NAME -P

PATH_TO_WORDLIST

As we managed to enumerate some usernames for the WordPress site above, let’s try to
brute-force the user “kwheel”.

 Brute forcing: It is a technique where a wordlist is used against a tool that

effectively finds the matching password for the given username.
  Wordlist: The password cracking tool uses a wordlist, which is nothing but a
text file containing a set of commonly used passwords. Ex: 12345678, qwerty,
pizza123,etc.
Now let’s try to brute force the user “kwheel”.

rockyou.txt is a quite commonly used wordlist for brute force attacks.

2. OWASP ZAP

ZAP has installers for Windows, Linux, and Mac OS/X, as well as Docker images.
Download the appropriate installer from the download page and install it on the machine
where you will run the penetration test.

Java 8 or higher is required to run ZAP. The Mac OS/X installer includes the appropriate
Java version, but Java 8+ must be installed separately for Windows, Linux, and cross-
platform versions. The Docker version already includes Java.

When you start ZAP for the first time, you need to choose whether to make the ZAP
session persistent. If you persist the session, it will be saved to a local HSQLDB.
Otherwise, files will be deleted when you log out of ZAP.

Before proceeding, ensure you have permission from the web application owner to perform
a penetration test.

Run a quick start auto scan:

 Start ZAP and click the Quick Launch tab in the workspace window.
 Click the Auto Scan button.
 In the Attack URL text box, enter the full URL of the web application.
 Select either Use traditional spider, Use ajax spider, or both (more details below)
 Click Attack.

1. Click Attack.

ZAP uses a crawler to go through the web application and scan pages it finds. It then uses the
active scanner to attack every page, function, and parameter it finds.

ZAP-spiders
ZAP provides two spiders for scraping web applications, which you can select in the
automated scan dialog:

 The traditional ZAP spider inspects HTML in a web application's response to detect
links. Although this spider is fast, it is less effective when navigating AJAX web
applications that use JavaScript to generate links.

 The ZAP AJAX spider is more effective for JavaScript applications. It navigates a
web application by invoking a browser, rendering the full JavaScript of the page, and
following any links on the resulting page. AJAX spiders are slower than traditional
spiders and require additional configuration to be used in a headless environment.
ZAP uses two forms of scanning:
 Passive scanning investigates all proxy requests and responses, but does not change
the response in any way and is considered safe. It can be done on a background thread
so it doesn't slow down the application. This can find some vulnerabilities and can
help you understand the basic security posture of a web application.

 Active scanning attempts to find additional vulnerabilities using known attack vectors
against the selected target. Do not use active scans against targets you don't have
permission to test, as active scans are real attacks that might cause damage .