Web Application Penetration Testing

Sai Samarth
16 min read · Feb 17, 2022


Web application pentesting is a method of identifying, analyzing and reporting the vulnerabilities that exist in a web application, including buffer overflows, input validation flaws, code execution, authentication bypass, SQL injection, CSRF and cross-site scripting, in the target web application that is given for penetration testing.

Conducting a serious, repeatable testing method is one of the best ways to perform web application penetration testing across all kinds of web application vulnerabilities.

Web Application Penetration Testing Checklist

Information Gathering

1. Retrieve and analyze the robots.txt file by using a tool such as GNU Wget.

2. Examine the software version, database details, the technical components behind errors, and bugs revealed by error codes, by requesting invalid pages.

3. Implement techniques such as DNS inverse queries, DNS zone transfers and web-based DNS searches.

4. Perform directory-style searching and vulnerability scanning, and probe for URLs, using tools such as Nmap and Nessus.

5. Identify the entry points of the application using Burp Proxy, OWASP ZAP, TamperIE, WebScarab or Tamper Data.

6. Using traditional fingerprinting tools such as Nmap and Amap, perform TCP/ICMP and service fingerprinting.

7. By requesting common file extensions such as .ASP, .EXE, .HTML and .PHP, test for recognized file types/extensions/directories.

8. Examine the source code of the accessible pages of the application front end.

Authentication Testing

1. Check whether it is possible to “reuse” the session after logout. Also check whether the application automatically logs out a user who has been idle for a certain amount of time.

2. Check whether any sensitive information remains stored in the browser cache.

3. Check and try to reset the password, by social engineering, cracking secret questions and guessing.

4. Check whether a “Remember my password” mechanism is implemented by inspecting the HTML code of the login page.

5. Check whether hardware devices communicate directly and independently with the authentication infrastructure using an additional communication channel.

6. Test whether a CAPTCHA is present and whether it has authentication vulnerabilities.

7. Check whether any weak security questions/answers are present.

8. A successful SQL injection could lead to the loss of customer trust, and attackers can steal phone numbers, addresses and credit card details. Placing a web application firewall can filter out malicious SQL queries in the traffic.
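Item 1 above is really a check that the server tracks sessions itself: a session must die on logout and after a period of inactivity, not merely have its cookie cleared in the browser. The following is an added example of the server-side store that passes those checks; it is not code from this post, and the `SessionStore` class, its timeouts and the injectable `clock` are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float    # reference for the absolute timeout
    last_seen: float  # reference for the idle timeout


class SessionStore:
    """Server-side sessions: logout invalidates, idle and absolute timeouts expire."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds since the last request
        self.absolute_timeout = absolute_timeout  # seconds since login
        self.clock = clock                        # injectable for deterministic tests
        self._sessions = {}                       # sha256(token) -> Session

    @staticmethod
    def _key(token):
        # Only a hash is stored, so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token):
        """Return the user of a live session (refreshing its idle timer), else None."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > self.idle_timeout or now - sess.created > self.absolute_timeout:
            del self._sessions[key]  # expire server-side, not only in the browser
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, token):
        """Invalidate server-side; clearing the cookie alone leaves the token replayable."""
        return self._sessions.pop(self._key(token), None) is not None


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")
    print(store.validate(tok), store.logout(tok), store.validate(tok))
```

A replayed token after `logout` returns `None`, which is the behaviour the checklist item expects to observe from the outside.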

Authorization Testing

1. Test role and privilege manipulation to access resources.

2. Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application.

3. Test for cookie and parameter tampering using web spider tools.

4. Test for HTTP request tampering and check whether it is possible to gain illegal access to reserved resources.

Configuration Management Testing

1. Check directory and file enumeration, review server and application documentation, and also check the infrastructure and application admin interfaces.

2. Analyze the web server banner and perform network scanning.

3. Check and verify the presence of old documentation, backup and referenced files such as source code, passwords and installation paths.

4. Check and identify the ports associated with SSL/TLS services using Nmap and Nessus.

5. Review the OPTIONS HTTP method using Netcat and Telnet.

6. Test for HTTP methods and XST (cross-site tracing) that could expose the credentials of legitimate users.

7. Perform application configuration management testing to review the information in the source code, log files and default error codes.

Session Management Testing

1. Check the URLs in the restricted area to test for cross-site request forgery.

2. Test for exposed session variables by inspecting encryption and reuse of session tokens, proxies and caching, and GET & POST.

3. Collect a sufficient number of cookie samples, analyze the cookie generation algorithm and attempt to forge a valid cookie in order to perform an attack.

4. Test the cookie attributes using intercepting proxies such as Burp Proxy or OWASP ZAP, or traffic-intercepting tools such as Tamper Data.

5. Test for session fixation, to avoid the stealing of a user's session (session hijacking).
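Items 3 and 4 above are usually checked by reading the Set-Cookie headers the proxy captured. The following is an added example of that review automated, not code from this post: it parses a Set-Cookie header, flags missing Secure/HttpOnly/SameSite flags and persistent session cookies, and gives a rough entropy estimate for the session identifier. The sample headers are constructed for the walkthrough, and the name hints, the 64-bit threshold (OWASP's minimum for session IDs) and the alphabet-based estimate are assumptions of this example.

```python
import math
import re

# Cookie names that usually carry a session identifier (assumed heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")

# Constructed Set-Cookie headers for the walkthrough, not captured from any real site.
SAMPLE_HEADERS = [
    "PHPSESSID=123456; Path=/",
    "sessionid=kQ9vZ2d4mX8bT1cR7nW3pL6sJ0yF5hA2; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value-or-True})."""
    name_value, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = name_value.partition("=")
    parsed = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), parsed


def token_entropy_bits(value):
    """Upper-bound estimate: length * log2(size of the smallest alphabet that fits)."""
    if re.fullmatch(r"[0-9]+", value):
        alphabet = 10
    elif re.fullmatch(r"[0-9a-fA-F]+", value):
        alphabet = 16
    elif re.fullmatch(r"[A-Za-z0-9]+", value):
        alphabet = 62
    else:
        alphabet = 64  # assume a base64url-like token
    return len(value) * math.log2(alphabet)


def audit_set_cookie(header, served_over_https=True):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script, so XSS can steal it")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: no browser-side CSRF mitigation")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: session survives browser close")
    if any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        bits = token_entropy_bits(value)
        if bits < 64:  # OWASP guidance: session IDs need at least 64 bits of entropy
            findings.append(f"weak session id: about {bits:.0f} bits of entropy")
    return name, findings
```

Running `audit_set_cookie` over each entry of `SAMPLE_HEADERS` reports four findings for the first header and none for the second.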

Data Validation Testing

1. Perform source code analysis for JavaScript coding errors.

2. Perform union query SQL injection testing, standard SQL injection testing and blind SQL query testing, using tools such as sqlninja, sqldumper, SQL Power Injector, etc.

3. Analyze the HTML code, test for stored XSS and leverage stored XSS, using tools such as XSS Proxy, Backframe, Burp Proxy, OWASP ZAP and XSS Assistant.

4. Perform LDAP injection testing for sensitive information about users and hosts.

5. Perform IMAP/SMTP injection testing for access to the backend mail server.

6. Perform XPath injection testing for access to confidential information.

7. Perform XML injection testing to learn information about the XML structure.

8. Perform code injection testing to identify input validation errors.

9. Perform buffer overflow testing for stack and heap memory information and application control flow.

10. Test for HTTP splitting and smuggling affecting cookies and HTTP redirect information.
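Item 2 above names union query SQL injection; the flaw it looks for is a query whose text is assembled from user input. The following is an added example, not code from this post, showing the vulnerable search beside its parameterized fix on an in-memory SQLite database: the same textbook union probe pulls rows from another table through the first function and is treated as an ordinary search string by the second. The schema, rows and the `pbkdf2-hash-placeholder` value are constructed for the example.

```python
import sqlite3

# Constructed sample schema and rows, not taken from any real application.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, price REAL);
CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO products VALUES (1, 'laptop', 999.0), (2, 'lamp', 19.5), (3, 'desk', 120.0);
INSERT INTO users VALUES (1, 'alice', 'pbkdf2-hash-placeholder');
"""

# The textbook union-based probe the checklist item refers to (two columns, like the search).
UNION_PROBE = "' UNION SELECT username, password_hash FROM users -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """Builds the SQL text from the user's input, so the input can change the query."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Binds the input as a parameter: it is data only and cannot alter the query shape."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def leaks_user_table(rows):
    """True if any returned row carries a value that only exists in the users table."""
    return any(row[1] == "pbkdf2-hash-placeholder" for row in rows)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", search_vulnerable(conn, UNION_PROBE))
    print("safe:      ", search_safe(conn, UNION_PROBE))
```

For ordinary input such as `"la"` both functions return the same product rows; only the concatenated version lets the probe reach the users table, which is why the fix is the parameter binding rather than a filter in front of the query.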

Denial of Service Testing

1. Send a large number of requests that perform database operations and observe any slowdown and new error messages.

2. Perform manual source code analysis and submit a range of inputs of varying lengths to the application.

3. Test for SQL wildcard attacks for application information testing. Enterprise networks should choose the best DDoS attack prevention services to ensure DDoS attack protection and protect their network.

4. Test for user-specified object allocation, i.e. whether there is a maximum number of objects that the application can handle.

5. Enter an extremely large number in an input field used by the application as a loop counter. Protect the website from future attacks and also check your company's DDoS attack downtime cost.

6. Use a script to automatically submit an extremely long value to the server so that the request is logged.

Web server pentesting is performed under three major categories, which are to identify, analyze and report vulnerabilities such as authentication weaknesses, configuration errors and protocol-related vulnerabilities.

1. “Conduct a series of methodical and repeatable tests” is the best way to test the web server, and along with this, work through all of the different application vulnerabilities.

2. “Collecting as much information” as possible about an organization, ranging over its operating environment, is the main area to concentrate on in the initial stage of web server pen testing.

3. When performing web server authentication testing, use social engineering techniques to collect information about human resources, contact details and other social-related information.

4. When gathering information about the target, use whois database query tools to get details such as domain name, IP address, administrative details, autonomous system number, DNS, etc.

5. Fingerprint the web server to gather information such as server name, server type, operating system, applications running on the server, etc.; use fingerprint scanning tools such as Netcraft, HTTPrecon and ID Serve.

6. Crawl the website to gather specific information from web pages, such as email addresses.

7. Enumerate web server directories to extract important information about web functionalities, login forms, etc.

8. Perform a directory traversal attack to access restricted directories and execute commands from outside of the web server root directories.

9. Perform vulnerability scanning to identify weaknesses in the network; use vulnerability scanning tools such as HP WebInspect and Nessus, and determine whether the system can be exploited.

10. Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content, and send a specifically crafted request which will be stored in the cache.

11. Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.

12. Brute-force SSH, FTP and other service login credentials to gain unauthorized access.

13. Perform session hijacking to capture valid session cookies and IDs; use tools such as Burp Suite, Firesheep and JHijack to automate session hijacking.

14. Perform a MITM attack to access sensitive information by intercepting the communications between end users and web servers.

15. Use tools such as Webalizer and AWStats to examine the web server logs.

Important Checklist Suggested by Microsoft

Services

  • Unnecessary Windows services are disabled.
  • Services are running with least-privileged accounts.
  • FTP, SMTP, and NNTP services are disabled if they are not required.
  • Telnet service is disabled.

Protocols

  • WebDAV is disabled if not used by the application OR it is secured if it is required.
  • TCP/IP stack is hardened.
  • NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).

Accounts

  • Unused accounts are removed from the server.
  • Guest account is disabled.
  • IUSR_MACHINE account is disabled if it is not used by the application.
  • If your applications require anonymous access, a custom least-privileged anonymous account is created.
  • The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
  • Strong account and password policies are enforced for the server.
  • Remote logons are restricted. (The “Access this computer from the network” user-right is removed from the Everyone group.)
  • Accounts are not shared among administrators.
  • Null sessions (anonymous logons) are disabled.
  • Approval is required for account delegation.
  • Users and administrators do not share accounts.
  • No more than two accounts exist in the Administrators group.
  • Administrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

  • Files and directories are contained on NTFS volumes.
  • Web site content is located on a non-system NTFS volume.
  • Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
  • The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
  • Web site root directory has a deny write ACE for anonymous Internet accounts.
  • Content directories have a deny write ACE for anonymous Internet accounts.
  • Remote administration application is removed.
  • Resource kit tools, utilities, and SDKs are removed.
  • Sample applications are removed.

Shares

  • All unnecessary shares are removed (including default administration shares).
  • Access to required shares is restricted (the Everyone group does not have access).
  • Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

Ports

  • Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used).
  • Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.

Registry

  • Remote registry access is restricted.
  • SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).

Auditing and Logging

  • Failed logon attempts are audited.
  • IIS log files are relocated and secured.
  • Log files are configured with an appropriate size depending on the application security requirement.
  • Log files are regularly archived and analyzed.
  • Access to the Metabase.bin file is audited.
  • IIS is configured for W3C Extended log file format auditing.

Server Certificates

  • Ensure certificate date ranges are valid.
  • Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail).
  • Ensure the certificate’s public key is valid, all the way to a trusted root authority.
  • Confirm that the certificate has not been revoked.

Web application pentesting tools are often used by the security industry to test the vulnerabilities of web-based applications. Here you can find a comprehensive web application pentesting tools list that covers performing penetration testing operations in all corporate environments.


Web Application Pentesting Tools

Organization

  • OWASP — The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.

Web Application Firewall

  • ModSecurity — ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
  • NAXSI — NAXSI is an open-source, high-performance, low-rules-maintenance WAF for NGINX; NAXSI means Nginx Anti XSS & SQL Injection.
  • sql_firewall — SQL Firewall extension for PostgreSQL.
  • ironbee — IronBee is an open source project to build a universal web application security framework: a framework for developing a system for securing web applications, i.e. for building a web application firewall (WAF).
  • Indusface — A new-age web application firewall aimed at thwarting threat actors who try to break into the system, by detecting application vulnerabilities, malware, and logical flaws.

Scanning / Pentesting

  • sqlmap — sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
  • ZAP — The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
  • OWASP Testing Checklist v4 — List of some controls to test during a web vulnerability assessment. Markdown version may be found here.
  • w3af — w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
  • Recon-ng — Recon-ng is a full-featured web reconnaissance framework written in Python. Recon-ng has a look and feel similar to the Metasploit Framework.
  • PTF — The Penetration Testers Framework (PTF) is a way to provide modular support for up-to-date tools.
  • Infection Monkey — A semi-automatic pen testing tool for mapping/pen-testing networks. Simulates a human attacker.
  • ACSTIS — ACSTIS helps you to scan certain web applications for AngularJS Client-Side Template Injection (sometimes referred to as CSTI, sandbox escape or sandbox bypass). It supports scanning a single request but also crawling the entire web application for the AngularJS CSTI vulnerability.

Runtime Application Self-Protection

  • Sqreen — Sqreen is a Runtime Application Self-Protection (RASP) solution for software teams. An in-app agent instruments and monitors the app. Suspicious user activities are reported and attacks are blocked at runtime without code modification or traffic redirection.

Development

  • Secure by Design — Book that identifies design patterns and coding styles that make lots of security vulnerabilities less likely. (early access, published continuously, final release fall 2017)
  • Securing DevOps — Book that explores how the techniques of DevOps and Security should be applied together to make cloud services safer. (early access, published continuously, final release January 2018)
  • Understanding API Security — a Free eBook sampler that gives some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.
  • OAuth 2 in Action — Book that teaches you practical use and deployment of OAuth 2 from the perspectives of a client, an authorization server, and a resource server.

Usability

  • Usable Security Course — Usable Security course at Coursera. Quite good for those looking at how security and usability intersect.

Big Data

  • data_hacking — Examples of using IPython, Pandas, and Scikit Learn to get the most out of your security data.
  • hadoop-pcap — Hadoop library to read packet capture (PCAP) files.
  • Workbench — A scalable Python framework for security research and development teams.
  • OpenSOC — OpenSOC integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis.
  • Apache Metron (incubating) — Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis.
  • Apache Spot (incubating) — Apache Spot is open source software for leveraging insights from flow and packet analysis.
  • binarypig — Scalable Binary Data Extraction in Hadoop. Malware Processing and Analytics over Pig, Exploration through Django, Twitter Bootstrap, and Elasticsearch.

DevOps

  • Securing DevOps — A book on Security techniques for DevOps that reviews state of the art practices used in securing web applications and their infrastructure.


Conclusion

Web application pentesting tools are essential for performing penetration testing over various web-based applications to find security flaws and protect the applications from cybercriminals. There are various pentesting tools available; the web application pentesting tools mentioned above are a top list for performing various levels of pentesting operations and reporting to the respective vendor so that the web application vulnerabilities can be patched.

Written by Sai Samarth

I am an Ethical Hacker, Forensic Investigator, OSINT Evangelist. My interests range from technology to entrepreneurship! https://about.me/cybersamarth