Video Tutorial: Introduction to Web Application Pen-Testing

Blog Post created by webpwnized on May 28, 2013

Instructors: Jeremy Druin (webpwnized), Conrad Reynolds, Adrian Crenshaw (Irongeek)
Twitter: @webpwnized
Title: ISSA KY Web Application Pen Testing Workshop
Tools Used: Mutillidae 2.5.7 (hxxp://sourceforge.net/projects/mutillidae/), Burp Suite 1.5 Free Edition
Recorded By: Adrian Crenshaw of irongeek.com


The KY ISSA hosted a one-day web application pen testing workshop in support of the Johnny Long family (@ihackstuff), which many know from Hackers for Charity. The demonstrations were performed on Mutillidae 2.5, a deliberately vulnerable web application freely available on SourceForge. Mutillidae 2.5 is developed by Jeremy Druin (aka webpwnized). It contains 42 vulnerabilities in many different contexts. It is a free download.

The interception proxy used is Burp Suite 1.5 Free Edition. Both Mutillidae and Burp Suite may be installed on Windows or Linux. They may be installed on the same host or on two different hosts (more realistic). Mac OS X is not officially supported, but Mutillidae and Burp Suite have been known to run well using MAMP and Java respectively.

The workshop was done to support the Long family. Johnny Long is a well-known speaker and author otherwise known as "j0hnny" or "j0hnnyhax". He moved to Africa in order to build computer training facilities in Uganda. Donations are given by browsing to http://www.hackersforcharity.org/donate/ and then clicking the "Make a one-time donation directly to the Long family" link.

Topics which were generally covered were:


  • Injection point identification, prefixes, suffixes, and context
  • SQL Injection
  • Cross Site Scripting / Beef Hooks
  • HTML Injection
  • JSON injection
  • Authentication Bypass (SQLi)
  • Authentication Bypass (Cookie Tampering)
  • Local File Inclusion
  • Remote File Inclusion
  • Cross Site Request Forgery
  • Web Shells


Before the workshop began, students were expected to have Mutillidae and Burp Suite installed and operational, so these topics were not covered. However, the following prerequisite videos cover these topics using older versions of Mutillidae.



Installing and Using Burp Suite: http://www.youtube.com/watch?v=L4un5IppoY4

Installing NOWASP Mutillidae on Samurai Linux: http://www.youtube.com/watch?v=y-Cz3YRNc9U

Installing XAMPP/Mutillidae on Windows: http://www.youtube.com/watch?v=1hF0Q6ihvjc




Note: The specific environment used in the class was Mutillidae 2.5 running on a Windows XP virtual machine and Burp Suite 1.5 Free running on both the localhost and a Kali Linux host. All of the hosts were on a VirtualBox host-only network. No software was installed on the host operating system. All demos were run from virtual guests.

The modules were recorded in sections. Some sections covered speaker introductions, mentions of the ISSA hosts, and other material which was not related to the instruction. Therefore the instructional "parts" are not sequential.



ISSA 2013 Web Pen-testing Workshop - Part 1 - Intro to Mutillidae, Burp Suite & Injection

ISSA 2013 Web Pen-testing Workshop - Part 2 - SQL Injection

ISSA 2013 Web Pen-testing Workshop - Part 3 - Uploading Web Shells via SQL Injection

ISSA 2013 Web Pen-testing Workshop - Part 4 - Auth Bypass via SQLi & Cookie Tampering

ISSA 2013 Web Pen-testing Workshop - Part 6 - Local/Remote File Inclusion

ISSA 2013 Web Pen-testing Workshop - Part 7 - Webshells

ISSA 2013 Web Pen-testing Workshop - Part 9 - HTML & JavaScript Injection

ISSA 2013 Web Pen-testing Workshop - Part 10 - BeEF Hooks

ISSA 2013 Web Pen-testing Workshop - Part 12 - JSON Injection