Pentesting from Beginner to Advanced
Purpose
Provide a structured learning path for web application penetration testing, progressing from foundational concepts through advanced exploitation techniques. Guide learners through each phase of the web security assessment process.
Inputs/Prerequisites
- Basic computer and networking knowledge
- Kali Linux or another security-focused OS
- BurpSuite installed and configured
- Lab environment (bWAPP, DVWA, or similar)
- Web browser with developer tools
Outputs/Deliverables
- Foundational web security knowledge
- Practical exploitation skills
- Understanding of the OWASP Top 10
- Ability to conduct web application assessments
- Vulnerability identification and reporting skills
Core Workflow
Phase 1: History and Fundamentals
Understanding the Internet:
- Learn how the internet was developed
- Understand client-server architecture
- Grasp basic web communication models
Key Concepts:
- HTTP protocol fundamentals
- Request/response structure
- Client-side vs server-side processing
Phase 2: Web and Server Technology
HTTP Protocol Basics:
HTTP Request Structure:
GET /page HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Cookie: session=abc123

HTTP Response Structure:
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=xyz789

<html>...</html>
Essential Concepts:
Topic          Description
HTTP Methods   GET, POST, PUT, DELETE, OPTIONS
Status Codes   200 OK, 301 Moved Permanently (redirect), 403 Forbidden, 404 Not Found, 500 Internal Server Error
Headers        Request and response metadata
Cookies        Session management, tracking
Sessions       Server-side state management
URLs           Structure and parameters
REST APIs      Resource-based web services
Encoding Types:
URL Encoding
Space -> %20
< -> %3C
> -> %3E
" -> %22
HTML Encoding
< -> &lt;
> -> &gt;
& -> &amp;
Base64 Encoding
echo "text" | base64
echo "dGV4dAo=" | base64 -d
(echo appends a newline, which is why "text" encodes to dGV4dAo= rather than dGV4dA==; use echo -n to encode the bare string.)
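The three encodings above are usually met stacked on top of each other in captured parameters. The following is an added example, not code from the original page: a small "smart decode" in the spirit of Burp's Decoder that peels URL, HTML-entity and Base64 layers in turn until the value stops changing. The sample values are constructed from the table above; the Base64 test is a heuristic and is labelled as such.

```python
import base64
import binascii
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample values, one per encoding the section lists (not from any real target).
SAMPLES = {"url": "%3Cscript%3E", "html": "&lt;script&gt;", "base64": "dGV4dAo="}

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_once(value: str) -> Tuple[str, Optional[str]]:
    """Remove the single most likely encoding layer; return (decoded, layer_name or None)."""
    # URL encoding: only counts when a %XX sequence actually changed something.
    if "%" in value and unquote(value) != value:
        return unquote(value), "url"
    # HTML entities (&lt; &#x3C; ...) are handled by the standard library's unescape.
    if "&" in value and html.unescape(value) != value:
        return html.unescape(value), "html"
    # Base64 heuristic: valid alphabet, length a multiple of 4, decodes to printable UTF-8.
    if len(value) >= 4 and len(value) % 4 == 0 and _B64_RE.match(value):
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
            if text.strip().isprintable():
                return text, "base64"
        except (binascii.Error, UnicodeDecodeError):
            pass
    return value, None


def smart_decode(value: str, max_layers: int = 5) -> Tuple[str, List[str]]:
    """Peel layers until nothing changes (what Burp Decoder's smart decode does),
    returning the plaintext and the layers removed, outermost first."""
    layers: List[str] = []
    for _ in range(max_layers):
        value, layer = decode_once(value)
        if layer is None:
            break
        layers.append(layer)
    return value, layers
```

Running it on a Base64-wrapped, URL-encoded value reports both layers, which is the situation the Decoder module is usually needed for.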
Phase 3: Lab Setup with BurpSuite
Install BurpSuite:
- Download from PortSwigger
- Configure browser proxy: 127.0.0.1:8080
- Import Burp CA certificate
Configure Browser:
- Set proxy to 127.0.0.1:8080
- Import BurpSuite CA certificate
- Disable certificate validation for testing
BurpSuite Modules:
Module     Purpose
Proxy      Intercept and modify traffic
Repeater   Manually modify and resend requests
Intruder   Automated attacks and fuzzing
Scanner    Automated vulnerability detection
Decoder    Encode/decode data
Comparer   Compare responses
Sequencer  Analyze session token randomness
Set Up Practice Lab:
Install Docker
apt install docker.io
Run bWAPP
docker run -d -p 80:80 raesene/bwapp
Run DVWA
docker run -d -p 80:80 vulnerables/web-dvwa
Access at http://localhost (both images listen on port 80 inside the container; to run bWAPP and DVWA at the same time, map the second one to a different host port, e.g. -p 8081:80, and browse to that port instead)
Phase 4: Application Mapping
Discovery Techniques:
Robots.txt analysis
Directory brute forcing
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
dirbuster -u http://target -l /usr/share/wordlists/dirb/common.txt
Spidering with Burp
Use Target > Site Map > Spider
Entry Point Identification:
- Forms and input fields
- URL parameters
- Hidden fields
- Cookies
- HTTP headers
Technology Fingerprinting:
Whatweb
whatweb http://target
Wappalyzer (browser extension)
Nmap fingerprinting
nmap -sV --script http-enum target
Banner grabbing
curl -I http://target
Phase 5: OWASP Top 10 Vulnerabilities
- Injection (A03:2021)
SQL Injection
' OR 1=1--
" OR ""="
'; DROP TABLE users;--
Command Injection
; ls -la
| cat /etc/passwd
&& whoami
LDAP Injection
)(uid=))(|(uid=*
- Broken Authentication (A07:2021)
- Weak passwords
- Session fixation
- Credential stuffing
- Missing MFA
- Insecure password recovery
- Cross-Site Scripting (A03:2021)
<!-- Reflected XSS -->
<script>alert('XSS')</script>
<!-- Stored XSS -->
<img src=x onerror="alert('XSS')">
<!-- DOM-based XSS -->
<svg onload="alert('XSS')">
<!-- Filter bypass -->
<ScRiPt>alert('XSS')</ScRiPt>
<img src="x" onerror="alert('XSS')">
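The reflected case above comes down to one missing step on the server. As an added example (not code from the original page), here is a search handler written twice: once reflecting the parameter raw, once encoding it for the HTML element-content context, with a check that shows the encoded version no longer contains a tag for any of the payloads listed above. The URLs and the "Results for" template are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs carrying the reflected payloads listed above (not real traffic).
SAMPLE_URLS = [
    "http://localhost/search?q=<script>alert('XSS')</script>",
    "http://localhost/search?q=<img src=x onerror=\"alert('XSS')\">",
    "http://localhost/search?q=<ScRiPt>alert('XSS')</ScRiPt>",
]

PREFIX, SUFFIX = "<p>Results for: ", "</p>"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable: reflects the raw parameter into element content."""
    return PREFIX + query_param(url, "q") + SUFFIX


def render_safe(url: str) -> str:
    """Fixed: encode for the HTML element-content context before reflecting.
    quote=True also encodes ' and ", which matters if the same value is ever
    placed inside an attribute."""
    return PREFIX + html.escape(query_param(url, "q"), quote=True) + SUFFIX


def introduces_tag(page: str) -> bool:
    """True if the reflected value could start a new tag. In element content a
    payload needs a literal '<' to execute, and encoding removes every one, so
    case variants like <ScRiPt> are caught the same way as <script>."""
    body = page[len(PREFIX):len(page) - len(SUFFIX)]
    return "<" in body
```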
- Insecure Direct Object Reference (A01:2021)
IDOR Examples
/api/user/123 -> /api/user/124
/download?id=1 -> /download?id=2
/invoice/10001 -> /invoice/10002
- Security Misconfiguration (A05:2021)
- Default credentials
- Unnecessary features enabled
- Error messages revealing info
- Missing security headers
- Outdated software
- Sensitive Data Exposure (A02:2021)
- Unencrypted transmission
- Weak encryption
- Exposed API keys
- Hardcoded credentials
- Information in error messages
- Missing Access Controls (A01:2021)
- Horizontal privilege escalation
- Vertical privilege escalation
- Forced browsing to admin pages
- API without authentication
- Cross-Site Request Forgery (A01:2021)
<!-- CSRF Attack Form -->
<form action="http://target/transfer" method="POST">
  <input type="hidden" name="amount" value="10000">
  <input type="hidden" name="to" value="attacker">
  <input type="submit" value="Click Me!">
</form>
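The form above works because the browser attaches the victim's session cookie to any POST, so the cookie alone cannot prove the user meant to submit. An added example, not from the original page, of the synchronizer-token fix: the legitimate form carries a per-session token that a cross-site page cannot read, and the handler rejects any submission without it. The session store and the /transfer handler are constructed for the example; SameSite=Strict on the cookie (Phase 6) is a second, independent layer.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed session store: session cookie value -> server-side session data.
SESSIONS = {"xyz789": {"user": "alice", "balance": 50000}}


def issue_csrf_token(session_id: str) -> str:
    """Create an unguessable per-session token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf"] = token
    return token


def render_transfer_form(session_id: str) -> str:
    """The legitimate form carries the token; a cross-site form cannot read it."""
    token = issue_csrf_token(session_id)
    return ('<form action="/transfer" method="POST">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><input name="to">'
            '<input type="submit" value="Transfer"></form>')


def handle_transfer(session_id: str, body: str):
    """POST /transfer. Returns (status, message). The session cookie alone is not
    proof of intent, so the request must also carry the session's token."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "no session"
    fields = parse_qs(body)
    submitted = fields.get("csrf_token", [""])[0]
    expected = session.get("csrf")
    # compare_digest on bytes: constant-time, and accepts whatever the client sent
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "csrf token missing or invalid"
    amount = int(fields.get("amount", ["0"])[0])
    session["balance"] -= amount
    return 200, f"transferred {amount} to {fields.get('to', [''])[0]}"
```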
- Components with Known Vulnerabilities (A06:2021)
Check for CVEs
searchsploit apache 2.4
searchsploit wordpress 5.0
Retire.js for JavaScript
retire --path /path/to/js
- Insufficient Logging (A09:2021)
- Failed login attempts not logged
- No audit trail
- Logs not monitored
- Logs stored insecurely
Phase 6: Session Management Testing
Session Analysis:
Burp Sequencer
Analyze token randomness and predictability
Check for:
- Session fixation
- Session hijacking
- Weak session tokens
- Missing timeout
- Insecure transmission
Cookie Security Flags:
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict
Flag      Purpose
Secure    Sent over HTTPS only
HttpOnly  No JavaScript access
SameSite  CSRF protection
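Checking the three flags by eye across every Set-Cookie in a response is error-prone, so here is an added example (not code from the original page) that parses a raw HTTP response, the format shown in Phase 2, and reports which flags each cookie is missing. The two responses are constructed: one with the hardened header from above, one with weak cookies for comparison.

```python
from typing import Dict, List, Tuple

# Constructed raw responses: the hardened Set-Cookie above and a weak one to compare.
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict\r\n\r\n<html>")
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: session=xyz789\r\n"
        "Set-Cookie: tracker=1; Secure; SameSite=None\r\n\r\n<html>")


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")[1:]        # skip the status line
            if line.lower().startswith("set-cookie:")]


def audit_cookie(header_value: str) -> Tuple[str, List[str]]:
    """Check one Set-Cookie value for the flags in the table above."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite == "none":
        findings.append("SameSite=None sends the cookie cross-site")
    return name, findings


def audit_response(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie name to its findings; an empty list means all flags are present."""
    return dict(audit_cookie(h) for h in set_cookie_headers(raw_response))
```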
Phase 7: Bypassing Client-Side Controls
Hidden Field Manipulation:
<!-- Original --> <input type="hidden" name="price" value="100">
<!-- Modified in Burp --> <input type="hidden" name="price" value="1">
JavaScript Validation Bypass:
- Disable JavaScript in the browser
- Intercept and modify with Burp
- Replay requests with modified values
Phase 8: Authentication Attacks
Common Techniques:
Brute force
hydra -l admin -P passwords.txt target http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
Username enumeration
Different responses for valid/invalid users
Password reset flaws
Predictable tokens, no rate limiting
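The hydra run above produces a burst of failed logins from one source, which is exactly what the "Insufficient Logging" item in Phase 5 says many applications never record or watch. As an added example, not code from the original page, this detector reads authentication log lines and flags any source address that reaches a threshold of failures inside a sliding window. The log format and the TEST-NET addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Constructed authentication log (ISO-8601 UTC timestamps, documentation-range IPs).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:02Z LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:02Z LOGIN_OK user=alice ip=198.51.100.7
2024-05-01T10:00:03Z LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:04Z LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:05Z LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:40Z LOGIN_FAIL user=bob ip=198.51.100.9
2024-05-01T10:05:00Z LOGIN_FAIL user=bob ip=198.51.100.9
"""


def parse_line(line: str):
    """Split one log line into (timestamp, event, user, ip)."""
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields["user"], fields["ip"]


def detect_bruteforce(log: str, threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, Tuple[datetime, int]]:
    """Flag each source IP whose failed logins reach `threshold` within a sliding
    window of `window_seconds`. Returns {ip: (window_start, failures_at_trigger)}
    for the first window that trips per IP."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    alerts = {}
    for line in log.splitlines():
        ts, event, _user, ip = parse_line(line)
        if event != "LOGIN_FAIL":
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()        # drop failures that aged out of the window
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = (window[0], len(window))
    return alerts
```

The two slow failures from 198.51.100.9 stay below threshold at the default window, which is the trade-off between catching a throttled attempt and paging on a user who mistyped twice.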
Phase 9: Access Control Testing
IDOR Testing:
Increment IDs
/user/1 -> /user/2
Change parameters
?role=user -> ?role=admin
Use Burp Intruder for automation
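The ID increment and the ?role=admin change both succeed for the same reason: the server authenticates the session and then trusts the request to say which record or role applies. An added example, not code from the original page, showing the /api/user/<id> endpoint from Phase 5 with the IDOR and with the authorization check in place, plus a small regression check that a tester or developer can run against either handler. The user records and sessions are constructed.

```python
from typing import Optional, Tuple

# Constructed data: user records keyed by id, and session cookie -> authenticated identity.
USERS = {123: {"name": "alice", "email": "alice@example.com"},
         124: {"name": "bob", "email": "bob@example.com"}}
SESSIONS = {"abc123": {"user_id": 123, "role": "user"},
            "adm999": {"user_id": 1, "role": "admin"}}

Response = Tuple[int, Optional[dict]]


def get_user_vulnerable(session_id: str, target_id: int) -> Response:
    """GET /api/user/<id> with an IDOR: authenticates the caller but never asks
    whether the caller is allowed to read target_id."""
    if session_id not in SESSIONS:
        return 401, None
    record = USERS.get(target_id)
    return (200, record) if record else (404, None)


def get_user_fixed(session_id: str, target_id: int) -> Response:
    """Authenticate, then authorize against the session's identity, never against
    anything the request supplies (so a ?role=admin parameter changes nothing)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, None
    if session["role"] != "admin" and session["user_id"] != target_id:
        return 403, None   # return 404 instead if existence of the id should stay hidden
    record = USERS.get(target_id)
    return (200, record) if record else (404, None)


def readable_ids(handler, session_id: str, ids) -> list:
    """Authorization regression check: which of `ids` does `handler` serve to this
    session? For a non-admin the answer must be only that user's own id."""
    return [i for i in ids if handler(session_id, i)[0] == 200]
```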
Phase 10: Input Validation Testing
Injection Points:
- All user input
- URL parameters
- Form fields
- Headers (User-Agent, Referer)
- Cookies
- File uploads
Fuzzing with Burp:
- Send request to Intruder
- Mark injection points
- Select payload list
- Analyze responses
Phase 11: Error Code Analysis
Force errors for information
- Invalid input types
- Long strings
- Special characters
- SQL syntax errors
Look for:
- Stack traces
- Database errors
- Path disclosure
- Version information
Phase 12: Cryptography Testing
Check for:
- Weak algorithms (MD5, SHA1, DES)
- ECB mode usage
- Hardcoded keys
- Missing encryption
SSL/TLS testing
sslscan target:443
testssl.sh target
Phase 13: Business Logic Vulnerabilities
Common Issues:
- Price manipulation
- Skipping workflow steps
- Race conditions
- Abuse of functionality
Testing Approach:
- Understand the normal workflow
- Attempt to skip steps
- Modify values mid-process
- Test race conditions
Quick Reference
Essential Tools
Tool       Purpose
BurpSuite  Web proxy and testing
OWASP ZAP  Open source alternative
sqlmap     SQL injection automation
Nikto      Web server scanning
Gobuster   Directory enumeration
Testing Checklist
□ Map application and entry points
□ Test authentication mechanisms
□ Check authorization controls
□ Test input validation
□ Analyze session management
□ Check for injection flaws
□ Test business logic
□ Review error handling
□ Assess cryptographic implementation
Constraints
- Only test authorized systems
- Lab environments are essential for learning
- Real-world applications may differ from labs
- Tools require understanding, not just execution
Examples
Example 1: Quick XSS Test
<script>alert(document.domain)</script>
Example 2: SQLi Detection
' OR '1'='1
Troubleshooting
Issue                  Solution
Burp not intercepting  Check proxy settings, CA certificate
Lab not loading        Verify Docker is running
Payloads blocked       Try encoding, alternative syntax
Tool errors            Check dependencies, permissions