install LWP
The format used in these examples should work for any other CPAN module.
Recipe 2.7. Installing CAL9000 2.7.1. Problem
The CAL9000 tool wraps a number of security tools into a single package. It is a prototypical hacker tool, containing a variety of tricks, in the hope that one is enough to break through. Having this collection at your disposal both helps identify a wide variety of tests and aid in their execution.
2.7.2. Solution
In Firefox, navigate to http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project.
Download the latest ZIP containing CAL9000 and unzip it to the directory of your choice. Load the CAL9000.html file in Firefox to open the application.
2.7.3. Discussion
Written mostly in JavaScript, CAL9000 runs directly in Firefox. Thus it can run locally on any machine with a browser—no proxy set up, no installation, and few access rights required. Despite the convenience, it offers a wide variety of tools, ranging from attack string generators to general helpful tips.
CAL9000 isn't guaranteed to be safe. It is a dangerous tool in the wrong hands. Use it locally on your machine. Do not install it on the server. Despite being written to run in a browser, it will attempt to write to local files and connect to external websites. Exposing CAL9000 on your website, accessible to the public, is about as dangerous as leaving the administrator password as "admin." If left in place, you can be sure that people will find it and use it.
Recipe 2.8. Installing the ViewState Decoder 2.8.1. Problem
Web applications written using ASP.NET include a hidden variable called the ViewState within every page. In order to add state to HTTP request, which are inherently stateless, this ViewState variable maintains data between requests.
2.8.2. Solution
Navigate to http://www.pluralsight.com/tools.aspx and download the ViewState Decoder zip archive. Unzip it to the directory of your choice. Double click the ViewStateDecoder.exe executable.
2.8.3. Discussion
The ViewState Decoder is a Windows executable. However, if the app is written in ASP.NET, there's a good chance of finding several Windows machines nearby—check the developers' workstations!
The ViewState is notoriously complex. Most developers err on the side of including too much information in the
ViewState. Just by opening up the ViewState, you can find out if inappropriate data (such as internal records, database connection details, or debug records) is being sent to the client. That's one basic security test right there.
Recipe 2.9. Installing cURL 2.9.1. Problem
The cURL tool is a command-line utility that supports an array of web protocols and components. It can be used as a browser-without-a-browser; it implements browser-like features, yet may be called from any ordinary shell. It handles cookies, authentication, and web protocols better than any other command-line tool.
2.9.2. Solution
To Install cURL, navigate to http://curl.haxx.se/download.html.
Select the download option appropriate to your operating system, download the zip file, and unzip it to the location of your choice.
Navigate to that directory in a terminal or shell, and you may execute cURL from there.
2.9.3. Discussion
Like many command-line utilities, cURL has a great number of options and arguments. cURL's authors recognized this and put together a brief tutorial, available at http://curl.haxx.se/docs/httpscripting.html.
You may also download cURL as part of your Cygwin installation.
Recipe 2.10. Installing Pornzilla 2.10.1. Problem
Pornzilla isn't an individual tool, but rather a collection of useful Firefox bookmarklets and extensions. While ostensibly this collection is maintained for more prurient purposes, it provides a number of convenient tools useful for web application security testing.
2.10.2. Solution
Pornzilla is not installed as a cohesive whole. You may find all of the components at http://www.squarefree.com/pornzilla/.
To install a bookmarklet, simply drag the link to your bookmark toolbar or bookmark organizer.
To install an extension, follow the links and install the extension as you would any Firefox extension.
2.10.3. Discussion
The collection of tools really does provide a number of convenient abilities, unrelated to the intended use of the collection itself. For example:
RefSpoof modifies HTTP Referer information, possibly bypassing insecure login mechanisms.
Digger is a directory traversal tool.
Spiderzilla is a website spidering tool.
Increment and Decrement tamper with URL parameters.
NOTE
None of these tools will install, download, or display pornography unless specifically used for that purpose. None of the individual bookmarklets or extensions contain inappropriate language, content, or instructions. We assure you that the tools themselves are agnostic; it is the use of the tools that determines what is displayed. The tools themselves do not violate any U.S. obscenity laws, although they may violate company policy.
Recipe 2.11. Installing Cygwin 2.11.1. Problem
Cygwin allows you to use a Linux environment within Windows. It is useful for running all the utilities and scripts built for Linux, without having requiring a full Linux installation. It's not only useful to have around, it's necessary to install other tools we recommend.
2.11.2. Solution
If you're already working on a Unix, Linux, or Mac OS machine—you don't need Cygwin. You already have the environment you need via the standard terminal.
Download the Cygwin installer from http://www.cygwin.com/, and execute it.
Select the "Install from the Internet" option when asked to choose an installation type. You may select where to install Cygwin—note that this will also set the simulated root directory, when accessed from within Cygwin. Once you've set appropriate options regarding users and your Internet connection, you'll need to select a mirror for downloading packages.
Packages are all the various scripts and applications pre-compiled and available for Cygwin. All of the mirrors should be identical; pick whichever one works for you. If one is down, try another. Cygwin will then download a list of available packages. It presents the packages available in a hierarchy, grouped by functionality. Figure 2-2 shows the package selection list. We recommend you select the entire Perl directory, as well as the curl and wget applications from the web directory.
Figure 2-2. Selecting Cygwin packages
You may also download development tools and editors of your choice, particularly if you'd like to compile other applications or write custom scripts from within the Linux environment.
Once you've selected the appropriate packages, Cygwin will download and install them automatically. This can take some time. Once the installation is complete, fire up the Cygwin console and you may use any of the installed packages.
Run Cygwin setup again at any time to install, modify, or removes packages, using the exact same sequence as the first install.
2.11.3. Discussion
Cygwin provides a Unix-like environment from within Windows, without requiring a restart, dual-boot, or virtualized machine. This does mean that binaries compiled for other Unix variants will not necessary work within Cygwin; they will need to be recompiled for or within Cygwin itself.
In order to create a Unix-compatible file structure, Cygwin will consider the folder where it is installed as the root folder, and then provide access to your other drives and folders via the cygdrive folder.
Note that Cygwin lacks many of the protections associated with partitioned, dual-boot environments or virtual machines. Within Cygwin, you have access to all of your files and folders. There will be nothing to prevent you from modifying these files, and actions may be irreversible. For those of you used to the Windows environment, note that there isn't even a Recycle Bin.
Recipe 2.12. Installing Nikto 2 2.12.1. Problem
Nikto is the most widely used of the few open source, freely available web vulnerability scanners. It comes configured to detect a variety of problems with minimal manual guidance.
2.12.2. Solution
Nikto is, at heart, a Perl script. Download it at http://www.cirt.net/nikto2.
You'll need to unzip that package and run Nikto from within Cygwin (see Section 2.11) or another Unix-like environment.
Nikto has one external dependency, which is the LibWhisker module. You may download the latest version of LibWhisker at http://sourceforge.net/projects/whisker/.
Once you've unzipped both files into the same directory, you may call Nikto via Perl from the command line, as in:
perl nikto.pl -h 192.168.0.1 2.12.3. Discussion
Nikto is quite extensible, and is built to incorporate tests beyond just the basic functionality. For details on integration Nikto with Nessus, SSL, or NMAP, see Nikto's documentation at http://cirt.net/nikto2-docs/index.html.
From a testing perspective, Nikto serves as an automation script that has been written for you. For the tests that is is built to handle, it will test faster and with more combinations than you could. It frees you to focus your intuition and efforts into more complex or risky areas. On the other hand, running a set of stock automated tests doesn't guarantee high accuracy or coverage. It may not find a high percentage of bugs. When it does identify issues, they may not be true problems, and will require some investigation. It is not truly a "fire-and-forget" solution—you'll have to
investigate the results and determine if what it found was useful.
Recipe 2.13. Installing Burp Suite 2.13.1. Problem
The Burp Suite is a collection of web application security tools, not unlike OWASP's WebScarab. It includes components to intercept, repeat, analyze, or inject web application requests.
2.13.2. Solution
Download the Burp Suite from http://portswigger.net/suite/download.html.
Unzip the Burp Suite folder, and run the JAR file. The JAR file typically has the version number in it, like
burpsuite_v1.1.jar. As a Java application, it shouldn't matter which operating system you're using, as long as you have the Java Runtime Environment installed.
2.13.3. Discussion
The Burp Suite is the "least free" tool we recommend. It is not open source, and the Intruder component is disabled until you purchase a license. While the Intruder component is necessary to develop complex attacks for penetration testing, the basic functionality is more than enough if your goal is not to fully exploit the application.
The Burp Suite combines several tools:
Burp proxy
Intercepts requests, just like any other web proxy. It is the starting point for using the rest of Burp Suite.
Burp spider
Will crawl your web application, logging each page it touches. It will use supplied credentials to log in, and it will maintain cookies between connections.
Burp sequencer
Performs analysis on the predictability of session tokens, session identifiers, or other keys that require randomness for security.
Burp repeater
Allows one to tweak and resubmit a previously recorded request.
Recipe 2.14. Installing Apache HTTP Server 2.14.1. Problem
The Apache HTTP Server is an open source web server that is currently the most popular HTTP server on the World Wide Web. You may need to set up an HTTP server to carry out some of the advanced cross-site scripting (XSS) exploits discussed in Chapter 12, as well as to test for PHP Include file injection (also discussed in Chapter 12).
2.14.2. Solution
Go to http://httpd.apache.org/download.cgi.
Download the latest version of the Apache HTTP Server and install it.
2.14.3. Discussion
In Windows, it is easiest to install one of the binary packages. The binary without crypto support will be sufficient in most cases. You may need the binary with crypto support if you want to set up a web server with an SSL certificate.
One reason why you might want to do this is discussed in Section 12.2.
In Unix-like operating systems, you will need to download one of the source packages and compile them. In most cases, the following commands will be sufficient to compile, install, and start the Apache web server: