🔬Web App Scanning

Lab 1 - ZAProxy

🔬 Scanning Web Application with ZAProxy

Target IP: 192.192.29.3

Scan and identify a vulnerable web app (bWAPP) with ZAProxy

ip -br -c a
	eth1@if203734  UP  192.192.29.2/24

nmap -sS -sV 192.192.29.3

Start owasp-zap from the start menu
- Use Manual Explore and input the URL
  - http://192.192.29.3/
- Launch Browser to open the browser session with the ZAP HUB

Login to the web app with bee:bug credentials
- set the security level to low

Try some HTML and SQL Injection or other bugs from the https://192.192.29.3/portal.php page

Try to navigate to https://192.192.29.3/htmli_stored.php, inject the XSS (Cross-site Scripting) payload and Submit it
- The XSS payload will be triggered

Using the ZAP HUD, Site Alerts can be accessed. Every vulnerability is clickable and can be directly tried via the URL

Try a SQL Injection attack by opening this link
- http://192.210.141.3/sqli_1.php?action=search&title=ZAP'+OR+'1'%3D'1'+--+
- The table records will be dumped on the web page

🔬 Scanning Web Application with Nikto

Target IP: 192.157.60.3

Scan and identify web app vulnerabilities (Multillidae II) with Nikto

LFI

ip -br -c a
	eth1@if203734  UP  192.157.60.2/24

nmap -sS -sV 192.157.60.3

nikto -h http://192.157.60.3 -o niktoscan-192.157.60.3.txt

Scan the target web app for Local File Inclusion (LFI) vulnerability by copying the link from the browser
- http://192.157.60.3/index.php?page=arbitrary-file-inclusion.php
- output to an HTML file

nikto -h http://192.157.60.3/index.php?page=arbitrary-file-inclusion.php -Tuning 5 -o nikto.html -Format htm

firefox nikto.html

The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host
- View the contents of the passwd file of the target machine
- http://192.157.60.3/index.php/index.php?page=../../../../../../../../../../etc/passwd