Learn Web Application Penetration Testing
I was given a PDF a few months back by a friend. It was a result of asking them if they could provide me with some good resources to further my learning and develop my “cyber” skills.
(I don’t like the word Cyber, but thought in this case it got my point across) :-)
Anyway the PDF had loads of great content in it so I thought I would share it here. ( I don’t know who/where the PDF originated from, if you recognise it as yours please let me know and I’ll add a credit to it).
*********** Update 07/2020 ************
The original author of the PDF has reached out to me, they can be found on twitter.
Phase 1 — History
Phase 2 — Web and Server Technology
- Basic concepts of web applications, how they work and the HTTP protocol
- HTML basics part 1
- HTML basics part 2
- Difference between static and dynamic website
- HTTP protocol Understanding
- Parts of HTTP Request
- Parts of HTTP Response
- Various HTTP Methods
- Understanding URLS
- Intro to REST
- HTTP Request & Response Headers
- What is a cookie
- HTTP Status codes
- HTTP Proxy
- Authentication with HTTP
- HTTP basic and digest authentication
- What is “Server-Side”
- Server and client side with example
- What is a session
- Introduction to UTF-8 and Unicode
- URL encoding
- HTML encoding
- Base64 encoding
- Hex encoding & ASCII
Phase 3 — Setting up the lab with BurpSuite and bWAPP
MANISH AGRAWAL
- Setup lab with bWAPP
- Set up Burp Suite
- Configure Firefox and add certificate
- Mapping and scoping website
- Spidering
- Active and passive scanning
- Scanner options and demo
- Introduction to password security
- Intruder
- Intruder attack types
- Payload settings
- Intruder settings
ÆTHER SECURITY LAB
- №1 Penetration testing tool
- Environment Setup
- General concept
- Proxy module
- Repeater module
- Target and spider module
- Sequencer and scanner module
Phase 4 — Mapping the application and attack surface
- Spidering
- Mapping application using robots.txt
- Discover hidden contents using dirbuster
- Dirbuster in detail
- Discover hidden directories and files with intruder
- Identify application entry points
- Identify application entry points Pt.2
- Identify client and server technology
- Identify server technology using banner grabbing (telnet)
- Identify server technology using http recon
Phase 5 — Understanding and exploiting OWASP top 10 vulnerabilities
IBM
- Injection
- Broken authentication and session management
- Cross-site scripting
- Insecure direct object reference
- Security misconfiguration
- Sensitive data exposure
- Missing functional level access controls
- Cross-site request forgery
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
F5 CENTRAL
- Injection
- Broken authentication and session management
- Insecure deserialisation
- Sensitive data exposure
- Broken access control
- Insufficient logging and monitoring
- XML external entities
- Using components with known vulnerabilities
- Cross-site scripting
- Security misconfiguration
LUKE BRINER
- Injection explained
- Broken authentication and session management
- Cross-site scripting
- Insecure direct object reference
- Security misconfiguration
- Sensitive data exposure
- Missing functional level access control
- Cross-site request forgery
- Components with known vulnerabilities
- Unvalidated redirects and forwards
Phase 6 — Bypassing client-side controls
- What is hidden forms in HTML
- Bypassing hidden form fields using tamper data
- Bypassing hidden form fields using Burp Suite (Purchase application)
- Changing price on eCommerce website using parameter tampering
- Understanding cookie in detail
- Cookie tampering with tamper data
- Cookie tamper part 2
- Understanding referer header in depth using Cisco product
- Introduction to ASP.NET viewstate
- ASP.NET viewstate in depth
- Analyse sensitive data in ASP.NET viewstate
Phase 7 — Attacking authentication/login
- Attacking login panel with bad password — Guess username password for the website and try different combinations
- Brute-force login panel
- Username enumeration
- Username enumeration with bruteforce password attack
- Authentication over insecure HTTP protocol
- Authentication over insecure HTTP protocol Pt.2
- Forgot password vulnerability — Case 1
- Forgot password vulnerability — Case 2
- Login page autocomplete feature enabled
- Testing for weak password policy
- Insecure distribution of credentials — When you register in any website or you request for a password reset using forgot password feature, if the website sends your username and password over the email in cleartext without sending the password reset link, then it is a vulnerability.
Phase 8 — Attacking access controls (IDOR, Priv esc, hidden files and directories)
Completely unprotected functionalities
- Finding admin panel
- Finding admin panel and hidden files and directories
- Finding hidden webpages with dirbuster
Insecure direct object reference
Privilege escalation
- What is privilege escalation
- Privilege escalation
- Privilege escalation — Case 2
Phase 9 — Attacking data stores (Various types of injection attacks — SQL|MySQL|NoSQL|Oracle, etc.)
Bypassing login panel
SQL injection
- Part 1 — Install SQLi lab
- Part 2 — SQL lab series
- Part 3 — SQL lab series
- Part 4 — SQL lab series
- Part 5 — SQL lab series
- Part 6 — Double query injection
- Part 7 — Double query injection cont..
- Part 8 — Blind injection boolean based
- Part 9 — Blind injection time based
- Part 10 — Dumping DB using outfile
- Part 11 — Post parameter injection error based
- Part 12 — POST parameter injection double query based
- Part 13 — POST parameter injection blind boolean and time based
- Part 14 — Post parameter injection in UPDATE query
- Part 15 — Injection in insert query
- Part 16 — Cookie based injection
- Part 17 — Second order injection
- Part 18 — Bypassing blacklist filters — 1
- Part 19 — Bypassing blacklist filters — 2
- Part 20 — Bypassing blacklist filters — 3
- Part 21 — Bypassing WAF
- Part 22 — Bypassing WAF — Impedance Mismatch
- Part 23 — Bypassing addslashes — CharSet Mismatch
NoSQL injection
Xpath injection
LDAP injection
Phase 10 — Attacking back-end components (OS command injection, XMl interpreters, mail services, etc.)
OS command injection
*******************************************************************
This is still a living document and I’ll try to add more to it as I find it.
If any of the links appear broken, let me know and I’ll try to find solutions.
If you found this article helpful, please give it some 👏 and share it with anyone who you think might find it helpful too! + Feedback and coffees are always welcome! 😄
Take care and hopefully I’ll see you back here soon for more content and walkthroughs.
This story is published in Noteworthy, where 10,000+ readers come every day to learn about the people & ideas shaping the products we love.
Follow our publication to see more product & design stories featured by the Journal team.