wapt hpwebinspect

All posts tagged wapt hpwebinspect

Good evening friends. Today we will see the second part of WAPT with HPWebinspect. If you didn’t go through the first part, we ended it by scanning a website for vulnerabilities. The results have given us vulnerabilities categorized as critical, high, medium and low. That was the easiest part. Now we will go through analysis of these vulnerabilities.

Wait, but why do we need this analysis? Just because we have used an automated tool doesn’t mean it is cent percent effective. There may be lot of false positives and in the worst case false negatives. The threat it shows as critical may not be really that dangerous or a threat it shows as medium may be critical depending on the situation.

The analysis is very important part of the WAPT. Let us see how to perform this analysis with HPWebinspect. We will take our previous scan report.

hpwapt1

Before we do the analysis, let us have a look at the interface of HPWebinspect.  To the down left, we have view options of the scan ( site and sequence ). The “site view” shows us the hierarchical structure of website we just scanned with vulnerabilities found highlighted as shown below to the left. We can see that in account part of the website there is a critical vulnerability.

hpwapt2

The sequence view shows us the order in which WebInspect scanned the URLs. It is shown below.

hpwapt3

Occupying large area of the interface is the Scan dashboard with a pictorial representation of vulnerabilities. It also has vulnerabilities classified into its attack types ( how exactly these vulnerabilities will be used ).To its left, we have sections called scan info, session info and host info. The scan info has four options : dashboard, traffic monitor, attachments and false positives. We have already seen dashboard and others are self explanatory.

Below scan info we have have session info. It is empty because we didn’t include any sessions in our scan.

hpwapt4

Below session info, we have the host info which is obviously information about the host we scanned. It will provide us info like P3P info ( protocol allowing websites to declare their intended use of information they collect about users) , AJAX, certificates etc, etc, etc. Let us look at the cookies collected by the scan.

hpwapt5

It also shows us the emails we found during scan.

hpwapt6

Also the forms.

hpwapt7

Now we come to the most important part of the interface which is right down below. These are the vulnerabilities found during the scan. As already said, these are classified according to the dangers posed by them but there may be false positives. We need to analyse each vulnerability for this exact reason.

hpwapt8

In this howto, we will cover analysis of one or two vulnerabilities. Expand the “critical” section of vulnerabilities. We can see that there is a XSS vulnerability in the search page. We will analyse this vulnerability.

hpwapt9

Click on the vulnerability. The dashboard will show information about the particular vulnerability ( in our case XSS ) and how hackers might exploit this.

hpwapt10

Scroll down the dashboard to get more info about the vulnerability. We can see the exact query used by the tool to get the result. In this case, our target is using tag removal to prevent XSS but we can bypass using the query given below. ( We will learn more about XSS and its evasion filters in a separate howto)

hpwapt10a

Now right click on the vulnerability we are analysing. In the menu that opens, click on “View in Browser” to see this exploit practically in the browser.

hpwapt11

We can see the browser result below. In this case, it is displaying a messagebox with a number but hackers can use it to display cookies and session ids. Hence this is definitely a critical vulnerability.

hpwapt12

Right click on the vulnerability and select the option “Review vulnerability”. This is helpful in knowing more precisely about the vulnerability.

hpwapt13

Another window will open as shown below. It will automatically show you the browser view.

hpwapt14

We can click on “Request tab”to see the request sent by our tool.

hpwapt15

Similarly the response tab shows us the response given by the target.

hpwapt16

We already saw this before in the dashboard. The “vulnerability tab” give us information about the vulnerability and how hackers might exploit it. There are also options like “Retest” and “Mark as”. The Retest option allows us to test the vulnerability again. We shall see the “mark as” option below.

hpwapt17

Close the window. Once again right click on the vulnerability. You can see the option “change severity”.

hpwapt18

For instance, the vulnerability detected by HPwebinspect is not that critical, we can change its severity suitably to high or medium or low.

hpwapt19

Now what if the vulnerability detected  is not an actual vulnerability. This is known as false positive. For example, we have this send feedback page of the target website. Let us assume it is just a false positive. In that scenario, just below the “review vulnerability” option we have “Mark as” option.

hpwapt20

We can also access this option from the “review vulnerability” window as already shown above.

hpwapt20a

When we click on that option, we get two sub-options to mark it either as false positive as shown below

hpwapt21

or to completely ignore the vulnerability. We can only ignore the vulnerability if it doesn’t pose any valid threat. We can also provide some description about why we are marking it as false positive or ignoring.

hpwapt22

When we have successfully finished reviewing each vulnerability, it’s time to write the penetration testing report. To automatically generate a report, click on “Reports” tab. Select the scan for which you want to generate the report and click on “Next”.

hpwapt23

Select whatever you want to include in your report as shown below and click on Finish.

hpwapt24

The report generation takes some time depending on the options you selected. The report generated would be in the format as shown below. That’s all for now and in our next howto, we will see more about the tool.

hpwapt25