Penetration Testing

In "Penetration Testing" you can edit the HTTP request, drop it, and send it to the server. The Penetration Testing tab includes an HTTP(S) interceptor and an HTTP request composer. This unique facility in Vooki will help you perform efficient penetration testing.

How to use?
  • From the left navigation bar, select Penetration Testing.
  • Enter the URL that you want to scan.
  • Choose the browser of your choice from the list.
  • You can also choose "Any Browser (Manual Configuration)" to connect the browser with manual configuration. Choosing this option will not open a browser. It will only open the proxy port.
  • Enter the PORT and press the Launch button.
  • After the browser is launched, crawl all the pages of the website and interact with all the inputs on the pages.

Intercepting

To intercept the request, follow these steps:
  • Go to the intercept tab and turn on the intercept.
  • Requests sent from the browser will now be intercepted.
  • Here you can edit the request, and to send it to the server, click on Send to Server.
  • To drop the request, click on the "Drop" button.
  • To get the response and edit it before displaying it on the front end, click on the "Break on Response" button.
  • To use the request later for testing, send it to Compose by clicking on the "Send to Compose" button.


Compose

To use the compose feature, follow these steps:
  • You can add the request to compose by intercepting the request and sending it by clicking on the "Send to Compose" button.
  • You can also send the request to compose from the history table by right-clicking it and selecting "Send to Compose".
  • Click on the "Compose" tab to view all the available requests.
  • From here, you can edit the request and use it as per your needs.
Scanning

To start the scan, follow these steps:
  • After the crawling of pages is done, right-click on the left tree node (on your host) and click Scan.
  • Clicking Scan opens a pop-up window; fill out all of the fields in the following sections:
    • Scan Configuration
    • Crawler
    • Authentication
    • CSRF token generation
Scan Configuration: Concurrent Request sets the number of parallel requests to send; Web Crawler Timeout sets the timeout for crawling requests; Scan Request Timeout sets the timeout for scan requests.


Crawler: If you select Yes, the scanner will crawl the website. The crawler performs an in-depth discovery of your website, so you can identify the web pages it exposes.


Authentication: For authentication, we have several modes, which are as follows:
    • Fetch session cookie from proxy.
    • Manually enter session cookie.
    • Simple form authentication.
    • Complex authentication.
CSRF token generation: This module supplies the CSRF token so that the scanner's requests pass the site's CSRF check. If the website you're scanning uses a CSRF token, enter the token key and value and click "Check & Save" before clicking Scan. If the site has no CSRF check, click "Skip & Scan."
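The CSRF token key and value that the "Check & Save" step asks for are normally a hidden form input on the login or target page. The helper below, an added example that is not part of Vooki's documentation or code base, extracts that key/value pair from page HTML so you can enter it in the scan pop-up, and builds the proxy settings a scripted client would use when the proxy port was opened with "Any Browser (Manual Configuration)". The CSRF field-name hints, the sample page and the default host are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample login page (not from Vooki or any real site).
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="/login">
  <input type="hidden" name="_csrf_token" value="a3f9c1d2e4b5">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="next" value="/dashboard">
</form>
</body></html>
"""

# Name fragments that commonly mark a CSRF field (an assumption; extend for your app).
CSRF_NAME_HINTS = ("csrf", "xsrf", "authenticity_token", "__requestverificationtoken", "_token")


class HiddenInputCollector(HTMLParser):
    """Collects every <input type="hidden"> as (name, value) in document order."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden.append((a["name"], a.get("value", "")))


def find_csrf_token(html):
    """Return (key, value) of the first hidden input whose name looks like a CSRF token, else None."""
    collector = HiddenInputCollector()
    collector.feed(html)
    for name, value in collector.hidden:
        if any(hint in name.lower() for hint in CSRF_NAME_HINTS):
            return name, value
    return None


def vooki_proxy_settings(port, host="127.0.0.1"):
    """Proxy dict (shape used by requests' `proxies=`) for the manually configured proxy port."""
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    url = f"http://{host}:{int(port)}"
    return {"http": url, "https": url}
```

Run `find_csrf_token` on the HTML of the page that carries the form, then enter the returned key and value in the CSRF token generation section before "Check & Save".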


When the scan is finished, you can view the scanned app's full details in the scanner tab. You can generate the report and save the data externally.

Report Generation:
To generate the report, follow these steps:
  • Click on "Generate Report" in the scanner tab and choose the report type based on your needs.
  • This will generate the report in HTML/PDF format.
  • Save the file in your preferred location.


Save externally

There are two ways to save the scan data externally:
  • After the scan completes, you get a notification asking whether to save the data. To save, click on "OK," choose the preferred location, and save the data.
  • To save afterwards, right-click over the scanned host, click on "Save," and choose the preferred location.
