Name : Divya Dipak Mali
Class : BE - computer
Roll No : 58
Subject : Cyber - Security Lab
Aim: Study of Web Application Analysis Tools in Kali Linux
1. Web Application Proxies: Burpsuite
Burpsuite can be used as a sniffing tool between your browser and the web servers to find
the parameters that the web application uses.
Burpsuite is one of the most popular web application security testing tools. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. Kali Linux ships with Burp Suite Community Edition, which is free; the paid Burp Suite Professional edition has many more functions than the Community Edition.
To open Burpsuite
Go to Applications → Web Application Analysis → burpsuite.
To set up sniffing, configure Burpsuite to behave as a proxy.
Go to Proxy → Options; check the box under Running for the interface 127.0.0.1.
In this case, the proxy IP will be 127.0.0.1 with port 8080.
Then configure the browser's proxy settings with the IP of the Burpsuite machine and that port.
To start interception, in Burpsuite
Go to Proxy → Intercept → click “Intercept is on”.
Continue to navigate on the web page on which you want to find the parameters to test for vulnerabilities.
In Burpsuite, go to "HTTP History". The line marked with the red arrow shows the last request. In the Raw view, hidden parameters such as the Session ID and other parameters such as the user name and password are underlined in red.
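The parameters Burp underlines in the Raw view (query string, cookies such as the session ID, and form fields such as user name and password) can be pulled out of a captured request programmatically. The following is an added example, not from the lab handout or from PortSwigger; the raw request, host name and parameter names it parses are constructed for illustration. It parses one raw HTTP/1.1 request the way it appears in HTTP History and lists every parameter by location, then flags the names that carry credentials or session identifiers, since those are the values a reviewer checks are only ever sent over TLS.

```python
"""Parse a raw HTTP request as shown in Burp's Proxy > HTTP history 'Raw' view
and list the parameters a tester would examine (query, cookie, form body).

Added example, not from the lab handout or from PortSwigger. The request
below is constructed for illustration; the host and parameter names are
made up.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed capture: what Burp would show in Raw for a login POST.
RAW_REQUEST = (
    "POST /login?next=%2Faccount HTTP/1.1\r\n"
    "Host: shop.example.test\r\n"
    "Cookie: JSESSIONID=1A2B3C4D5E6F; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 41\r\n"
    "\r\n"
    "username=alice&password=s3cret&remember=1"
)

# Parameter names that warrant extra attention when reviewing a capture:
# they carry credentials or session tokens and should only travel over TLS.
SENSITIVE_NAMES = {"password", "passwd", "pwd", "sessionid", "jsessionid",
                   "phpsessid", "token", "auth"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_parameters(raw: str) -> list:
    """Return (location, name, value) for every parameter in the request.

    Locations mirror the places Burp highlights: 'query', 'cookie', 'body'.
    """
    req = parse_request(raw)
    params = []
    query = urlsplit(req["target"]).query
    params += [("query", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    cookie = req["headers"].get("cookie", "")
    for part in filter(None, (p.strip() for p in cookie.split(";"))):
        k, _, v = part.partition("=")
        params.append(("cookie", k.strip(), v.strip()))
    ctype = req["headers"].get("content-type", "")
    if req["method"] in ("POST", "PUT", "PATCH") and "x-www-form-urlencoded" in ctype:
        params += [("body", k, v) for k, v in parse_qsl(req["body"], keep_blank_values=True)]
    return params


def flag_sensitive(params: list) -> list:
    """Names of parameters that carry credentials or session identifiers."""
    return sorted({name for _, name, _ in params if name.lower() in SENSITIVE_NAMES})


if __name__ == "__main__":
    found = extract_parameters(RAW_REQUEST)
    for loc, name, value in found:
        print(f"{loc:6} {name} = {value}")
    print("sensitive:", flag_sensitive(found))
```

The same listening proxy configured above (127.0.0.1:8080) can also be used from scripts rather than a browser, for example by passing it as the `proxies` argument to Python's `requests` library, so that scripted traffic shows up in HTTP History alongside browser traffic.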
References:
1. https://portswigger.net/burp/documentation/desktop/getting-started/proxysetup/browser
2. https://portswigger.net/burp/documentation/desktop/penetration-testing
2. ZapProxy
ZAP (OWASP Zed Attack Proxy) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It has a Java interface.
ZAP is designed to be used by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.
Step 1 − To open ZapProxy, go to Applications → 03-Web Application Analysis → ZAP.
Step 2 − Click “Accept”.
ZAP will start to load.
Step 3 − Choose one of the options and click "Start".
Preferably select "No, I do not want to persist this session at this moment in time".
Step 4 − Enter URL of the testing web at “URL to attack” → click “Attack”.
After the scan is completed, on the top left panel you will see all the crawled sites.
In the left panel "Alerts", you will see all the findings along with their descriptions.
Step 5 − Click “Spider” and you will see all the links scanned.
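Steps 4 and 5 combine two things ZAP does during an attack: the Spider follows links to enumerate the site, and passive checks on each response populate the Alerts pane. The following added example (not from the lab handout or the ZAP project) reproduces both in miniature against a constructed in-memory site, so it runs offline: a same-host breadth-first crawler, followed by a handful of header checks whose alert names are written in the style ZAP uses. The site contents, host names and cookie values are made up for illustration.

```python
"""Toy version of what ZAP's Spider and passive scanner do: crawl a site by
following same-host links, then raise alerts on weak response headers.

Added example, not from the lab handout or the ZAP project. The site below is
an in-memory stand-in constructed for illustration; no network is used.
"""
import re
from collections import deque
from urllib.parse import urljoin, urlsplit

# Constructed site: URL -> (response headers, HTML body).
SITE = {
    "http://app.example.test/": (
        {"Content-Type": "text/html"},
        '<a href="/login">Login</a> <a href="/about">About</a> '
        '<a href="http://other.example.test/">Partner</a>',
    ),
    "http://app.example.test/login": (
        {"Content-Type": "text/html",
         "Set-Cookie": "SESSION=abc123; Path=/",
         "X-Content-Type-Options": "nosniff"},
        '<form action="/login" method="post"></form> <a href="/">Home</a>',
    ),
    "http://app.example.test/about": (
        {"Content-Type": "text/html",
         "X-Content-Type-Options": "nosniff",
         "Content-Security-Policy": "default-src 'self'",
         "X-Frame-Options": "DENY"},
        '<a href="/">Home</a>',
    ),
}

HREF_RE = re.compile(r'href="([^"]+)"')


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site."""
    return SITE.get(url, ({}, ""))


def spider(start, limit=50):
    """Breadth-first crawl that stays on the start URL's host (like ZAP's Spider)."""
    host = urlsplit(start).netloc
    seen, queue = [], deque([start])
    while queue and len(seen) < limit:
        url = queue.popleft()
        if url in seen or urlsplit(url).netloc != host:
            continue
        seen.append(url)
        _, body = fetch(url)
        for href in HREF_RE.findall(body):
            queue.append(urljoin(url, href))
    return seen


# Passive checks with the kind of description ZAP shows in its Alerts pane.
PASSIVE_CHECKS = [
    ("X-Content-Type-Options header missing",
     lambda h: "X-Content-Type-Options" not in h),
    ("Content-Security-Policy header not set",
     lambda h: "Content-Security-Policy" not in h),
    ("Anti-clickjacking header missing",
     lambda h: "X-Frame-Options" not in h
     and "frame-ancestors" not in h.get("Content-Security-Policy", "")),
    ("Cookie without HttpOnly flag",
     lambda h: "Set-Cookie" in h and "httponly" not in h["Set-Cookie"].lower()),
]


def passive_scan(urls):
    """Return (url, alert) pairs for every check that fires on a crawled page."""
    alerts = []
    for url in urls:
        headers, _ = fetch(url)
        for name, fires in PASSIVE_CHECKS:
            if fires(headers):
                alerts.append((url, name))
    return alerts


if __name__ == "__main__":
    crawled = spider("http://app.example.test/")
    print("crawled:", crawled)
    for url, alert in passive_scan(crawled):
        print(f"ALERT {alert}: {url}")
```

Running it shows the partner link being skipped because it points to another host, which is also why ZAP's Spider only reports pages under the target you entered, and the /about page producing no alerts because it sets all the headers the checks look for.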
References:
1. https://www.zaproxy.org/getting-started/