Most web application security testing tools go deep into a single web application to uncover issues inside it. There's nothing wrong with this approach if you want to do a deep dive into one specific web application, especially if it is a major application exposed on the Web. The other approach is to see what web servers are running on a network and check whether they can be exploited, using quick and scalable testing. This is the approach Metasploit Pro takes.
When conducting a penetration test, especially an internal one, a web app scan with Metasploit Pro will reveal a lot of web servers you didn't know you had. In a quick scan on a sample network with 78 hosts, I found 18 hosts that were running a total of 34 HTTP/HTTPS services. That's almost half the hosts exposing a web interface. Some of these were servers, laptops, and VoIP devices, often exposing an administration interface or sometimes a rogue web server - providing a potential way to exploit the host. Most of these would be overlooked in a dedicated web app audit that focuses deeply on only one web application.
Here is how you run a web app audit on your network:
- Run a Network Discovery on the IP range of your network
- Select all the hosts in the list and click on WebScan
- After the WebScan is completed, select all websites in the Web Apps tab and click on Audit Web Apps
- If you want to try exploitation, select all websites in the Web Apps tab and click on Exploit Web Apps
The Web Apps feature is exclusive to Metasploit Pro. If you'd like to test drive it on your network, download your free Metasploit Pro trial today.