How to do it?

[LoGiCaL__]

And it is not illegal to pen-test your own webpage.

Well for the most part no, it's not. It depends. If you have your own web server set up, then by any and all means necessary go ahead and do what you feel. For some servers that you are just using their space, or renting out, it depends on the server/network admins terms of service.

**edit**

caracarn001 got to it just before I did lol.

[jgreen45]

or you could find a free web host and dump your things on there. And it is not illegal to pen-test your own webpage.

Having said that, when i was looking around for a free hosts, I noticed that there is a strict 'No-Hacking policy' on many of the free hosts. That could be a problem.

[Assassian360]

It really comes down to what sort of pen-testing you are actually doing. If you are just looking for potential vulnerabilities in your own site, than there is nothing inherently wrong with it. If you are trying to pen-test your site in such a way that is actually meaning a pen-test on your site's host than that would be illegal.

Anyone worrying about whether what they are doing is illegal or not can just run a local server on their own machine. They are easy to setup and configure for the most part.

[Goatboy]

It really comes down to what sort of pen-testing you are actually doing. If you are just looking for potential vulnerabilities in your own site, than there is nothing inherently wrong with it. If you are trying to pen-test your site in such a way that is actually meaning a pen-test on your site's host than that would be illegal.

I wouldn't even say that. It really depends on the ToS. HTS lets people test security here and we make that very clear. A free web-host would almost certainly frown on this, because an attack on a user's page could compromise everything. Even if you only mean to test your own site, they will probably see it as a malicious act against them. I'd go with your advice of hosting your own server, so you can control all the rules (and the variables).

[iistapp]

So once I got XAMPP up and running, could I just get the source code of a random page that I know is vulnerable and run for example paros, and I will eventually find whats vulnerable, or have I got this all wrong in theory?

Or do I need to actually set up my own web page for this to work?

If so, I'm sort of lost, as I can't figure out how to actually use paros proberly, I'm not sure how I even run it in a proper way, so I guess I have to do some more reading and testing and see what I can figure out.

This is sort of a side project for now, but I hope I will make some progress sooner or later, because this really makes me get the feeling that I want to learn this, as it's very interesting and I think I will have need for this later in life

Once again, thanks Goatboy for helping me, and answering my questions in such a good way that even I managed to understand it in a proper way, hehe. I hope I soonish can post some progress to show of what I've learned

[Goatboy]

Paros does not find vulnerabilities for you. That is up to you. The main functions of Paros are as follows:

Intercepting Proxy: Paros acts as a proxy between your browser and the Internet. When you visit a page, your request first goes to Paros, which logs and forwards it to the website. The request is similarly logged and forwarded back to you. This means you can view exactly what is being sent and received. You can also edit either one. For sending, this makes it easier to fine-tune your attack by controlling precisely what HTTP headers, variables, etc. get sent. You can edit your response, but there aren't nearly as many cases where that would be useful. Generally, you will use this to map out exactly what is being sent in each request/response.

Spider: After you have walked through the web site yourself, you might want to discover all of the publicly-available content. You could do this manually by visiting every link, but you might miss a few. Paros takes care of this by automatically following the links it finds, creating a tree-like map of what is discovered. This can be dangerous, however, because if it finds a logout link or any other undesirable function, it will follow it.

Vulnerability Scanner: I lied earlier. Paros can find some vulns, but in my experience this has been completely unreliable. Paros will look for things like default files/directories, admin/login pages, etc., but if custom 404 pages are created, it is not intelligent enough to figure this out. You get a ton of false positives. I would avoid this function in most cases, as it can quickly lead you down the wrong path.

Those are the three that I know of. The program has not been updated since 2004, so unless they are developing a newer version in secret, that's all it can do. Burp Proxy and Webscarab are both more functional, but the interface might be a tad overwhelming at first. Stick to Paros until you get a good feel for what's going on under the hood, then switch over.

[iistapp]

So with an intercepting proxy you don't really find vulns, you just get sort of a map of the whole page, and have to work your way out of that?

Can't say I'm on the developing level yet, but who knows in the future, hehe.

[Goatboy]

Vulns are not something you can just see. A typical process might go like this:

1.) See a search form
2.) Enter SQL injection test string
3.) It works as you expect, so you formulate a complex attack payload
4.) Payload works, you are in

None of this would be revealed to you by Paros. The "map" of the page is already given to you by your browser when you visit a page. Paros simply shows the details that made that page, along with other useful bits of information. It's up to you to test each area to determine if and how it can be exploited.

[iistapp]

I used an SQL injection in one of the missions, but I found that by doing quite a lot of googleing, so people who do this on a "daily" basis, do they have like huge libraries of sql injection strings that they look up? If so, do they just randomly try these out on the page, or are there some more magic to this?

[pretentious]

I used an SQL injection in one of the missions, but I found that by doing quite a lot of googleing, so people who do this on a "daily" basis, do they have like huge libraries of sql injection strings that they look up? If so, do they just randomly try these out on the page, or are there some more magic to this?

I'm going to assume that you just guessed your way through realistic 2. I know i did If you actually learn what the query is doing, it all makes sense. I can't speak for the 'people who do this on a "daily" basis' but i'm assuming that their approaches are quite well thought out and logical.

1.) See a search form
2.) Enter SQL injection test string
3.) It works as you expect, so you formulate a complex attack payload
4.) Payload works, you are in

Well there you go