WebApps Attack and Penetration

If the WebApps Information Gathering step identifies target pages and/or web services, the WebApps Attack and Penetration step can detect whether those pages will be vulnerable to a number of different attack types.

Use the following steps to begin the WebApps Attack and Penetration step:

1. Click WebApps Attack and Penetration in the RPT process panel. When the Wizard displays click the Next button.

2. On the Target Selection dialog, click the ellipsis () button to display a list of existing scenarios.

   

3. The Select TARGET dialog displays. Place a check next to each scenario that is to be tested for vulnerabilities. You can alternatively check individual pages within the scenario.

   

   Click the OK button.

4. The Target Selection dialog of the wizard displays again with the selected scenario.

   

   Click the Next button.

   Available attacks are presented next on these two dialogs:

   

   There are many options in the WebApps Attack and Penetration wizard and several combinations of attacks you can perform. For the sake of documenting the options, we will provide instructions on each attack path individually, but please understand that these options can be combined to undertake a complex and comprehensive test.

   Core Impact is designed to make it easy for your organization to assess the OWASP Top 10 security risks for web applications (see http://www.owasp.org for details on OWASP). On the Risk Types dialogs of the Wizard, select any of the following options.

   • A01:2021 - Broken Access Control
   • A02:2021 - Cryptographic Failures
   • A03:2021 - Injection
   • A05:2021 - Security Misconfiguration
   • A06:2021 - Vulnerable and Outdated Components
   • A07:2021 - Identification and Authentication Failures
   • A08:2021 - Software and Data Integrity Failures

5. Click Next to continue.

6. The final Risk Types dialog displays after selecting any attack.

   

   Select any of the Other items to add to the test.

   Execute exploits for known vulnerabilities of checked risk types: - Check this option if you want Core Impact to attempt to execute exploits as a part of the test.

7. Click Next and continue to any selected attack(s) dialogs to review or configure their parameters.

8. At the end of all selected attacks and dialogs, click the Finish button and the WebApps Attack and Penetration step will commence. You will see module progress in the Executed Modules panel and specific output in the Module Log panel.

If the WebApps Attack and Penetration is successful, then WebApps Agents will appear under vulnerable pages in the Entity View. See Interacting with WebApps Agents for information about how to leverage the WebApps Agents. Additionally, if a vulnerability is found, it is assigned a Vulnerability ID which will allow Core Impact users to track reported vulnerabilities after testing. The Vulnerability ID will appear in the ''Information'' pane when the vulnerable web page is selected and also in the name of the agent that is deployed for the page.