WebApp Test needed

GOGONUT2K Member Posts: 12
Hello guys!

I am self-studying for OSCP (haven't enrolled yet in the course, mostly reading books about Metasploit) and recently I was challenged by one of my friends to test a web site for file upload. The task requires successfully uploading a file to a webserver.

I already tried with Nessus and Metasploit but nothing worked. Can you guide me on how to handle this task?

What are the best tools to use? Where should I search for exploits? What path should I follow?

Thank you and I look forward to your positive responses.

Comments

  • Jaxin Member Posts: 7
    Nessus and Metasploit are generally pretty useless against custom web applications. If you really want to practice, learn to use a web proxy such as BurpSuite, and avoid the automated tools ;)

    If OSCP is really what you want, just jump into it - buy the 30 day lab package, get the material, have fun in the labs, and when the time expires, you should have a better idea where and how you need to self-study. Then, after some more focused self-study time, just buy some more lab time. I found that to work best for me, rather than aimlessly studying without really knowing what to focus my studies on :)
  • NovaHax Member Posts: 502
    Agree with Jaxin. Automated tools are generally going to get you nowhere with web-apps. You need an intercepting proxy like Burp or Zap.

    The OWASP entry on Unrestricted Upload covers some techniques that can be used to bypass common blacklist filtering techniques.

    https://www.owasp.org/index.php/Unrestricted_File_Upload
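The reply above points at the OWASP page on why extension deny-lists fail. As an added illustration (not code from any poster or from OWASP), here is a deny-list check of the weak kind beside an allow-list validator that also checks the file's leading bytes and discards the client-supplied name; the extension sets, size limit and magic-byte table are assumptions chosen for the example.

```python
import os
import secrets
from typing import Optional

# Weak check: a deny-list only knows the extensions its author listed and,
# as written here, compares them case-sensitively (constructed example).
DENIED_EXTENSIONS = {".php", ".phtml", ".asp", ".jsp"}

def denylist_accepts(filename: str) -> bool:
    _, ext = os.path.splitext(filename)
    return ext not in DENIED_EXTENSIONS

# Hardened check: only extensions that will be served as static images are
# allowed, and the content must start with that type's magic bytes.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upload size limit

def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a random on-disk name if the upload is acceptable, else None."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return None
    base = os.path.basename(filename)      # strip any path components
    _, ext = os.path.splitext(base)
    ext = ext.lower()                      # normalise case before the lookup
    if ext not in MAGIC:
        return None                        # not on the allow-list
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return None                        # extension and content disagree
    # Never store under the client-supplied name; keep only the vetted extension.
    return secrets.token_hex(16) + ext
```

Store the result outside the web root (or in a location the server will not execute) and keep the original name, if needed, in a database column rather than in the path.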