A hands-on, beginner-friendly intro to web application pentesting
In A Beginner's Guide to Web Application Penetration Testing, seasoned cybersecurity veteran Ali Abdollahi delivers a startlingly insightful and up-to-date exploration of web app pentesting. In the book, Ali takes a dual approach—emphasizing both theory and practical skills—equipping you to jumpstart a new career in web application security.
You'll learn about common vulnerabilities and how to perform a variety of effective attacks on web applications. Consistent with the approach publicized by the Open Web Application Security Project (OWASP), the book explains how to find, exploit and combat the ten most common security vulnerability categories, including broken access controls, cryptographic failures, code injection, security misconfigurations, and more.
A Beginner's Guide to Web Application Penetration Testing walks you through the five main stages of a comprehensive penetration test: scoping and reconnaissance, scanning, gaining and maintaining access, analysis, and reporting. You'll also discover how to use several popular security tools and techniques, such as:
Perfect for software engineers new to cybersecurity, security analysts, web developers, and other IT professionals, A Beginner's Guide to Web Application Penetration Testing will also earn a prominent place in the libraries of cybersecurity students and anyone else with an interest in web application security.
Page count: 465
Year of publication: 2025
Cover
Table of Contents
Title Page
Foreword
Introduction
CHAPTER 1: Introduction to Web Application Penetration Testing
The Importance of Web Application Security
Overview of Web Application Penetration Testing
The Penetration Testing Process
Methodologies
Tools and Techniques
Reporting
Types of Web Application Vulnerabilities
Key Takeaways
CHAPTER 2: Setting Up Your Penetration Testing Environment
Setting Up Virtual Machines
Container Option
Kali Linux Installation
PentestBox
Installing DVWA
OWASP Juice Shop
Burp Suite
OWASP ZED Attack Proxy
WILEY Preconfigured Environment
Key Takeaways
CHAPTER 3: Reconnaissance and Information Gathering
Passive Information Gathering
Automating Subdomain Enumeration
Active Information Gathering
Open-Source Intelligence Gathering
Key Takeaways
CHAPTER 4: Cross-Site Scripting
XSS Categories
Reflected XSS
Stored XSS
Automatic User Session Hijacking
Website Defacement Using XSS
DOM-Based XSS
Self-XSS
Browser Exploitation Framework
XSS Payloads and Bypasses
XSS Mitigation Techniques
Reflected XSS Bypass Techniques
Stored XSS Bypass Technique
Key Takeaways
CHAPTER 5: SQL Injection
What Is SQL Injection?
Types of SQL Injection
Error-Based SQL Injection
Union-Based SQL Injection
Blind SQL Injection
SQLMap
SQL Injection Payloads with ChatGPT
SQL Injection Prevention
Key Takeaways
CHAPTER 6: Cross-Site Request Forgery
Hunting CSRF Vulnerability
CSRF Exploitation
XSS and CSRF
Clickjacking
Generating an Effective Proof of Concept Using ChatGPT
Tips for Developers
Key Takeaways
CHAPTER 7: Server-Side Attacks and Open Redirects
Server-Side Request Forgery
SSRF in Action
SSRF Vulnerability
Blind SSRF
Local File Inclusion
Remote File Inclusion
Open Redirect
Server-Side Attacks Differences
Security Mitigations
Key Takeaways
CHAPTER 8: XML-Based Attacks
XML Fundamentals
XXE Exploitation
Hunting XML Entry Points
SSRF Using XXE
DoS Using XXE
XXE Payload and Exploitation with ChatGPT
XML-Based Attacks Countermeasures
Key Takeaways
CHAPTER 9: Authentication and Authorization
Password Cracking and Brute-Force Attacks
Credential Stuffing Attack
Password Spraying
Password Spraying Using Burp Suite Intruder
Other Automated Tools for Password Attacks
JSON Web Token
Key Takeaways
CHAPTER 10: API Attacks
OWASP API Top 10
API Enumeration and Discovery
API Discovery Using ChatGPT
API Broken Object-Level Authorization Exploitation
Rate Limiting
API Penetration Testing Tools
API Security Tips
Key Takeaways
APPENDIX A: Best Practices and Standards
Information Gathering
Configuration and Deployment Management Testing
Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Input Validation Testing
Testing for Error Handling
Testing for Weak Cryptography
Business Logic Testing
Client-Side Testing
APPENDIX B: CWE and CVSS Score
Base Score
Temporal Score
Environmental Score
APPENDIX C: Writing Effective and Comprehensive Penetration Testing Reports
Table of Contents (ToC)
Project History and Timeline
Scope
Testing Approach
Executive Summary
Industry Standard
Findings Table
Findings Details
Key Takeaways
Index
Copyright
Dedication
Acknowledgments
About the Author
End User License Agreement
Chapter 6
Table 6.1: CSRF vs. XSS
Chapter 7
Table 7.1: The Differences Between Server-Side Attacks
Table 7.2: Recommended HTTP Headers for Server-Side Attacks
Chapter 9
Table 9.1: Different Authentication Method
Table 9.2: Different Authorization Methods
Table 9.3: Different Hash Algorithms
Table 9.4: Different Encryption Algorithms
Appendix B
Table B.1: CVSS 4.0 Scoring Matrix
Appendix C
Table C.1: A Sample Findings Table
Table C.2: Necessary Sections
Table C.3: An Example of Findings Table for a Vulnerability
Chapter 1
Figure 1.1: The CIA triad
Figure 1.2: A web application architecture and related attack surfaces
Figure 1.3: The lifecycle highlights that penetration testing is just one co...
Figure 1.4: The penetration testing process
Figure 1.5: Different pentest approaches divided by the pentester's knowledg...
Figure 1.6: The OWASP Top 10 vulnerabilities
Chapter 2
Figure 2.1: Locating the Kali Linux ISO file
Figure 2.2: Allocating hardware (virtual) resources to my virtual machine
Figure 2.3: Kali Linux partition configuration
Figure 2.4: Finalizing the portioning settings
Figure 2.5: Choosing software to install on Kali Linux
Figure 2.6: Kali Linux tools and installed applications
Figure 2.7: Cloning the DVWA project into the local directory
Figure 2.8: DVWA database config file
Figure 2.9: Starting MySQL service
Figure 2.10: DVWA MySQL user creation and configuration details
Figure 2.11: Granting full privileges to the DVWA database user
Figure 2.12: Enabling URL handling settings in PHP configuration
Figure 2.13: DVWA database setup and connection
Figure 2.14: DVWA login page
Figure 2.15: DVWA security levels
Figure 2.16: Burp Suite's Proxy tab
Figure 2.17: Intercepting a request using the Burp Suite browser
Figure 2.18: Proxy settings in Burp Suite
Figure 2.19: Firefox proxy settings
Figure 2.20: Sending an HTTP request to Burp Suite Repeater
Figure 2.21: ZAP built-in browsers
Figure 2.22: Proxy settings in ZAP
Figure 2.23: Configuring ZAP BOAST server
Figure 2.24: Adding OAST callback tab to check interactions
Chapter 3
Figure 3.1: A simple DNS process flow shows how your device uses a DNS query...
Figure 3.2: The output file from DNSenum shows the nameservers for the speci...
Figure 3.3: A load balancer/WAF blocking a malicious payload and distributin...
Figure 3.4: A simple TCP SYN scan
Figure 3.5: Zenmap main interface showing an intense scan with no ping
Figure 3.6: Zenmap Profile Editor window
Figure 3.7: Using the nmap --script-help command to show all the scripts und...
Figure 3.8: Zenmap scripting categories
Figure 3.9: Creating a simple port scanner using ChatGPT
Figure 3.10: The output of our simple port scanner provided by ChatGPT
Figure 3.11: ChatGPT advanced service scanner results
Figure 3.12: Wappalyzer result showing website technologies and versions
Figure 3.13: A Nikto scan output
Figure 3.14: Recon-ng main switches
Figure 3.15: Module information and options
Figure 3.16: The Recon-ng output shows information about the domain target
Figure 3.17: theHarvester main dashboard
Figure 3.18: Shodan.io website
Figure 3.19: Search websites that have the word Apache in their HTML
Figure 3.20: Shodan CLI configuration and host command
Chapter 4
Figure 4.1: Attacker exploiting reflected XSS to acquire user data
Figure 4.2: A reflected XSS payload is executed in the browser
Figure 4.3: Attacker exploiting stored XSS to steal other user cookies
Figure 4.4: A stored XSS exploit is executed on the user's browser disclosin...
Figure 4.5: The XSS payloads stored on the website
Figure 4.6: Injecting an XSS payload that includes the address of the cookie...
Figure 4.7: The web page defaced by a stored XSS attack
Figure 4.8: A successful DOM-based XSS attack that reveals the victim's data...
Figure 4.9: A successful DOM-based XSS executed on the victim's browser
Figure 4.10: A self-XSS attack powered by a social engineering technique
Figure 4.11: BeEF initial setup and main GUI
Figure 4.12: A victim's browser was compromised using BeEF by clicking a phi...
Figure 4.13: An alert was triggered on the victim's browser using BeEF
Figure 4.14: The XSS payload didn't work due to a security mechanism
Figure 4.15: The HTML source code to analyze the payload reflection
Figure 4.16: The source code provided by DVWA to analyze the security patter...
Figure 4.17: The new payload successfully bypassed the filter and executed
Figure 4.18: The code sanitizing user input to prevent script tags
Figure 4.19: Exploiting the PHP code with a crafted SVG payload triggering a...
Figure 4.20: PHP code sanitizing the Message and Name input fields
Figure 4.21: Modifying maxlength via inspect element functionality to use th...
Figure 4.22: Successful stored-XSS exploitation after bypassing security pro...
Chapter 5
Figure 5.1: An in-band SQL injection shows an attacker retrieving data from ...
Figure 5.2: A time-based SQL injection identification and a Boolean-based bl...
Figure 5.3: An out-of-band SQL injection shows how the attacker collects dat...
Figure 5.4: The SQL error shows a successful error-based SQL injection vulne...
Figure 5.5: By responding to the payload, the database is vulnerable to SQL ...
Figure 5.6: The last valid column in the database
Figure 5.7: The database version retrieved through a UNION SQLi query
Figure 5.8: The database user retrieved through a UNION SQLi query
Figure 5.9: Listing all the database tables in information schema
Figure 5.10: The column names of the users table
Figure 5.11: The usernames retrieved from the users column
Figure 5.12: The passwords retrieved from the users column
Figure 5.13: Merging queries to retrieve usernames and passwords
Figure 5.14: Successful time-based query delaying server response
Figure 5.15: Server responding differently with the number changed to 3, ind...
Figure 5.16: Different response at 4 indicating the database name length is ...
Figure 5.17: A modified POST request has been successfully executed on the s...
Figure 5.18: Locating the cookie value to use for the SQLMap query
Figure 5.19: SQLMap confirmed the exploitation of a vulnerable parameter
Figure 5.20: SQLMap successfully extracted and cracked usernames and passwor...
Figure 5.21: The POST request includes user data
Figure 5.22: Fetching data from the users table using direct SQL query
Chapter 6
Figure 6.1: A successful CSRF attack
Figure 6.2: A potential CSRF vulnerability in a password reset form
Figure 6.3: An unsuccessful CSRF attempt
Figure 6.4: HTTP Referrer header was added to the request
Chapter 7
Figure 7.1: A successful SSRF attack allows the attacker to obtain informati...
Figure 7.2: The demo web page vulnerable to SSRF
Figure 7.3: A successful SSRF via curl reveals the target local server's use...
Figure 7.4: Reading hostnames and IP addresses via SSRF
Figure 7.5: Configuring the OWASP ZAP out-of-the-band server
Figure 7.6: A successful blind SSRF using OWASP ZAP BOAST
Figure 7.7: DVWA-vulnerable LFI page shows that page parameter reading a loc...
Figure 7.8: A successful LFI exploitation revealed local user accounts
Figure 7.9: An unsuccessful LFI exploitation
Figure 7.10: A successful LFI exploitation using Base64 encoding
Figure 7.11: The /etc/passwd content decoded from Base64
Figure 7.12: The web server successfully reading data from external resource...
Figure 7.13: A successful RFI exploitation via out-of-band method
Figure 7.14: An open redirect example can expose users to phishing credentia...
Figure 7.15: The response shows a possible open redirect vulnerability
Figure 7.16: A successful redirection from DVWA to www.google.com
Chapter 8
Figure 8.1: A normal output of the vulnerable web application
Figure 8.2: Verifying that the web application is vulnerable to XXE
Figure 8.3: The successful XXE exploitation resulted in the reading of the l...
Figure 8.4: A successful SSRF attack exploiting the XXE vulnerability reveal...
Chapter 9
Figure 9.1: Reproducing a login request using Burp Suite Repeater
Figure 9.2: Payload positioning
Figure 9.3: Payload simple list
Figure 9.4: Enabling Burp Suite Intruder to follow redirections
Figure 9.5: Attack result that shows a different response length
Figure 9.6: The password was entered correctly, and the attack was successfu...
Figure 9.7: OpenBullet 2 main dashboard
Figure 9.8: OpenBullet 2 requests options
Figure 9.9: OpenBullet 2 HTTP request configurations
Figure 9.10: Password spraying mechanism
Figure 9.11: Configuring Burp Suite for a password spraying attack
Figure 9.12: A successful password spraying attack
Figure 9.13: A low-level account with limited menus
Figure 9.14: A low-level account accessing the admin area by directly naviga...
Figure 9.15: A successful authorization bypass updated the user details
Figure 9.16: A simple JWT mechanism
Figure 9.17: A decoded JWT
Chapter 10
Figure 10.1: Modified wordlist
Figure 10.2: Valid API endpoint found on https://restful-api.dev
Figure 10.3: Valid API endpoints found on my crAPI
Figure 10.4: A successful API BOLA attack
Figure 10.5: My vehicle VIN and PIN
Figure 10.6: Adding my vehicle to the dashboard
Figure 10.7: API request to retrieve my car location
Figure 10.8: Locating the community tab
Figure 10.9: Adding a new post
Figure 10.10: The server exposed the vehicle IDs of other customers
Figure 10.11: A successful BOLA exploitation allowed me unauthorized access ...
Figure 10.12: A Contact Mechanic request captured
Figure 10.13: A Contact Mechanic request captured
Figure 10.14: Successful API rate limiting exploitation caused a DoS of the ...
Figure 10.15: Creating a new scan in Astra
Ali Abdollahi
In the ever-evolving world of information security, adaptive and robust strategies are paramount. As the threat landscape expands and diversifies, the importance of a comprehensive and well-rounded approach to security cannot be overstated. With great enthusiasm and a profound sense of responsibility, I write this foreword for a book that serves as an invaluable resource in navigating these complex waters.
Information security is not merely a technical field but a domain where strategy, awareness, and foresight converge to create a resilient defense mechanism against ever-present threats. This book, which delves into the intricate world of web application security, stands as a beacon for professionals seeking to enhance their understanding and fortify their defenses.
Over the years, I have worked alongside countless hard-core AppSec experts and enthusiasts. This book embodies those conversations and interactions around AppSec by providing actionable insights grounded in real-world execution and informed by the latest advancements in the field.
The chapters are meticulously crafted, covering various topics, from foundational concepts to advanced application security testing approaches. Each section is designed to build upon the previous one, creating a cohesive and progressive learning experience. Whether you are a seasoned professional looking to refine your skills or a newcomer eager to gain a foothold in AppSec, this book provides a wealth of knowledge that will prove indispensable.
The author has leveraged his extensive experience and expertise to present information in a way that is both engaging and enlightening. His commitment to excellence and passion for the subject matter are evident and inspiring throughout the text. This book is not just a collection of theories and practices; it reflects the dedication and perseverance required to excel in the dynamic world of application security.
In conclusion, I wholeheartedly recommend this book to anyone serious about advancing their knowledge and skills in application security. It is a testament to the author's collective wisdom and expertise and a vital resource for anyone committed to mastering the art and science of application security.
Sincerely,
Irfaan Santoe
CISO and OWASP Netherlands Chapter Leader
This book is about the fundamentals and required practices of web application penetration testing, aiming to educate its readers on how to secure web applications by identifying and exploiting vulnerabilities. It's designed to address the increasing importance of web application security in an era where online services, e-commerce, and web-based applications play an important role in handling sensitive user data and are frequent targets of cyberattacks. It does so by giving you deep insights into the most prevalent web application vulnerabilities and the attack vectors hackers use. This includes the OWASP Top 10 vulnerabilities, representing the most critical security risks to web applications.
You will also learn to identify and exploit vulnerabilities using automated tools and manual testing methodologies. The book provides hands-on guidance on using leading web application security tools, such as Burp Suite, OWASP ZAP, and Nmap. It covers how to conduct common attacks such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF), required for a practical understanding of web application vulnerabilities.
Beyond just identifying vulnerabilities, the book provides guidance on analyzing testing results to improve the security measures of web applications systematically. It explores web application security frameworks and standards, helping you to align your security practices with industry-recognized guidelines. The book focuses on practical exercises and real-world examples, making it an essential tool for anyone looking to understand or improve the security of web applications. This hands-on approach ensures that you can translate theoretical knowledge into actionable skills.
By reading and practicing this book, you gain theoretical understanding and practical skills. This dual approach equips you to kick-start your journey in the field and perform comprehensive web application penetration testing.
The book will help the target audience, which includes software engineers (without any security background), security analysts, web developers, IT professionals, and students interested in cybersecurity.
In this book, we have used artificial intelligence, utilizing the large language model ChatGPT, developed by OpenAI. This has been done to integrate cutting-edge technology. Leveraging these solutions makes operations and out-of-the-box thinking easier for readers, allowing them to be more creative and save time.
This book is all about giving you what you need to handle the security issues in web applications nowadays. It's like your go-to guide, helping you gain the knowledge and skills you need in the field of web application penetration testing. This comprehensive guide serves as a very good starting point for anyone who aspires to begin a career as a web penetration tester or pursue web application security.
The primary purpose of this book is to provide a step-by-step guide on web application penetration testing (keep in mind that a complete penetration test can involve more steps and is not limited to those covered here; our goal is to give you an idea to start your journey), understanding mitigation solutions, developing skills related to web security standards, and writing reports. Therefore, it is not intended for those seeking to engage in bug bounty hunting or web application hacking. All materials presented are strictly for educational purposes, and it is important to adhere to the law and use these skills responsibly.
This book assumes that readers have a basic understanding of computer programming, web technologies, and the fundamentals of the Internet.
In today's increasingly complex online landscape, it's essential to prioritize website security to safeguard personal information. With advancing technology, hackers are becoming more sophisticated in their endeavors to compromise security measures and access private data; for example, just take a look at the report “Top data breaches and cyber attacks in 2024” (https://www.techradar.com/pro/top-data-breaches-and-cyber-attacks-in-2024). One effective method of defense is ethical hacking, which involves testing website security by attempting to uncover vulnerabilities constructively. This proactive approach, including conducting red team exercises and continuous integration/continuous deployment (CI/CD) pipeline security assessments, enables companies and organizations to identify and address cybersecurity weaknesses before malicious actors exploit them.
Hacking web applications from an attacker's perspective allows for a more thorough and accurate evaluation of the application's real-world security, as it uncovers vulnerabilities that are often missed by automated tools and standard security audits. By exploiting vulnerabilities as malicious hackers would, penetration testers gain a deeper understanding of an application's actual weaknesses and uncover issues that traditional methods often overlook. For example, automated vulnerability scanning can identify surface-level security flaws but may not reveal the complex exploit sequences that a skilled attacker could utilize. This human-led, outside-in approach discovers more vulnerabilities and offers valuable insight into enhancing an application's defense against sophisticated cyberattacks. On the other hand, approaches focused solely on technical weaknesses or following best-practice guidelines often fail to replicate the tactics, techniques, and procedures of actual cybercriminal operations. For these reasons, web application penetration testing has become essential to robust application security for every business.
Web application security covers a broad range of practices, such as static and dynamic application security testing (SAST/DAST) and software composition analysis (SCA), aimed at protecting web-based assets, including websites and their data. Since web applications interact with users over the public Internet, they are exposed to threats such as hackers, malware, and misconfigured applications. Web application security is designed to protect the confidentiality, integrity, and availability of these assets.
To secure web applications, common measures include the following:
Authentication and authorization: Implement multifactor authentication (MFA) and role-based access control (RBAC).
Session management: Use a strong session ID and securely manage it. Apply secure cookies with the HttpOnly and Secure flags.
Input validation: Use whitelisting methods and regular expressions to clean and validate user inputs.
Output encoding: Use encoding libraries such as OWASP Java Encoder.
Secure configuration: Follow security hardening guidelines like CIS benchmarks.
Encryption: Use Transport Layer Security (TLS) for data in transit and Advanced Encryption Standard (AES) for data at rest.
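The following is an added example, not code from the book, sketching three of the measures above in plain Python with no frameworks: a strong session ID delivered in an HttpOnly/Secure cookie, allow-list (whitelist) input validation with a regular expression, and output encoding shown next to the unencoded rendering it replaces. All function names and the sample inputs are constructed for this illustration.

```python
import hmac
import html
import re
import secrets

# --- Session management -------------------------------------------------
SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG; not guessable or sequential


def new_session_id() -> str:
    """Return an unpredictable session identifier (URL-safe base64)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_cookie(session_id: str, *, secure: bool = True) -> str:
    """Build a Set-Cookie header value for the session.

    HttpOnly keeps page scripts from reading the cookie (limits what an XSS
    payload can steal); Secure restricts it to TLS connections; SameSite=Strict
    stops the browser attaching it to cross-site requests (a CSRF mitigation).
    """
    attrs = ["HttpOnly", "SameSite=Strict", "Path=/"]
    if secure:
        attrs.append("Secure")
    return f"session={session_id}; " + "; ".join(attrs)


def session_ids_match(presented: str, stored: str) -> bool:
    """Compare session IDs in constant time so timing does not leak matches."""
    return hmac.compare_digest(presented.encode(), stored.encode())


# --- Input validation (allow-list) --------------------------------------
# Describe what a valid username looks like and reject everything else,
# instead of trying to enumerate dangerous characters (a blacklist).
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_]{3,32}\Z")


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


# --- Output encoding ----------------------------------------------------
def render_greeting_unsafe(name: str) -> str:
    """Weak version: raw string concatenation. Any markup in name reaches
    the browser intact, which is the root cause of reflected/stored XSS."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting(name: str) -> str:
    """Corrected version: HTML-encode before inserting into the page body.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    sid = new_session_id()
    print(session_cookie(sid))
    for candidate in ("alice_01", 'Mallory <b>"admin"</b>', "a"):  # constructed inputs
        print(f"{candidate!r}: {'valid' if validate_username(candidate) else 'rejected'}")
    markup = 'Mallory <b>"admin"</b>'  # constructed sample containing markup
    print(render_greeting_unsafe(markup))
    print(render_greeting(markup))
```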
Web applications face various security threats, such as the following:
Injection vulnerabilities: SQL injection (SQLi) and command injection
Authentication issues: Brute-force attacks and credential stuffing
Session management: Session hijacking and session fixation
Cross-site scripting: Reflected, stored, and DOM-based XSS
Insecure direct object references (IDOR): Unauthorized access to protected data
Security misconfiguration: Unpatched software and exposed configuration files
Lack of transport layer protection: Man-in-the-middle (MitM) attacks
To counter these threats, web application security solutions use strategies such as securing the development process, deploying web application firewalls, and performing regular security patching and audits. Penetration tests for web applications are important for staying ahead of evolving threats. They find problems before they can be misused, which helps lower the chances of security breaches, loss, and damage.
In this chapter, I'll discuss why web application security and penetration testing are important for all businesses. I'll start with an overview of the web penetration testing process and the techniques to use. Then, I'll discuss common web-based vulnerabilities and attacks that every penetration tester should know about.
The need to keep our online spaces safe affects every part of the Internet, not just websites. Protecting all online information equally is important, whether for websites or anything else online. Unfortunately, when hackers find a weak spot, it can cost companies a lot of money. This includes the money they have to spend to fix the problem, the money they lose because their services are down, and the trust they lose from their customers. For instance, the direct costs of remediation include repairing systems, hiring cybersecurity experts, and conducting thorough investigations. Additionally, companies face significant revenue losses during service downtimes as customers cannot access services. Moreover, the long-term impact on customer trust and brand reputation can be devastating. For example, the 2017 Equifax breach resulted in millions in fines, steep stock price drops, and irreparable damage to consumer confidence. Think about how bad it would be if the stock market went down for just an hour or someone got into a lot of customer credit card info. This shows why it's so important to keep online spaces secure. IBM's “Cost of a Data Breach Report 2023” discusses how expensive cyberattacks can be. You can access this report for free at https://www.ibm.com/reports/data-breach to see how much money these attacks can cost.
Businesses of all sizes now prioritize application security for several reasons. They employ security consultants, establish in-house security teams, and collaborate with third parties to assess and enhance their web application security. What was considered a luxury or limited to critical infrastructure is now standard practice for most organizations that depend on web applications.
As a web application security professional or penetration tester, it's crucial to understand how to measure the risk and impact of vulnerabilities and attacks. This understanding helps assess the potential harm these security issues may cause a web application. It's important to know about the CIA triad, a fundamental information security principle.
The CIA triad is a necessary concept in information security, covering three essential principles as illustrated in Figure 1.1.
Keeping information confidential means making sure only authorized people can access it. This stops unauthorized access, sharing, or theft.
Integrity means keeping data accurate and consistent. It acts as a protection against any unauthorized changes, tampering, or corruption.
Availability confirms that authorized entities like users can access data and resources consistently without disruptions or service denials. These three pillars are crucial for securing information systems, emphasizing the importance of protecting sensitive data, maintaining its accuracy, and ensuring access for authorized individuals.
Figure 1.1: The CIA triad
Web apps use input validation, output encoding, and transaction security techniques to ensure data accuracy and prevent unauthorized modifications. Input validation filters out malicious data before processing, output encoding ensures safe data rendering, and transaction security maintains the integrity of sensitive transactions. If data is changed without authorization, it could lose its reliability and value.
Implementing authentication, authorization, and encryption in web apps assures that only users with proper authorization can access restricted data, keeping it confidential. Without adequate access controls, sensitive data in web apps are at risk of exposure.
Using secure configuration, patch management, and denial-of-service prevention, web apps can stay up and running and available for legitimate users. This is important because if web applications go offline, it can cost businesses millions of dollars per hour and harm their reputation.
When these CIA objectives are achieved, web applications can work safely and dependably, safeguarding the interests of businesses, customers, and users. The CIA triad offers a high-level structure for companies to assess the effectiveness of their web app security measures.
Proper input validation and output encoding are important for maintaining data integrity by filtering out malicious content that could alter data. However, it can be challenging to balance the CIA triad. For instance, increasing authentication for more robust confidentiality can affect availability, while implementing encryption for better integrity could create more user friction. Web application security needs to find the right balance.
Web applications are complicated and involve many different technologies, platforms, and components. For instance, a modern web application may integrate with multiple application programming interfaces (APIs), utilize a microservices architecture, and depend on third-party libraries, each raising unique security challenges. To perform security testing effectively, a tester needs a deep understanding of these elements in order to pinpoint vulnerabilities across the entire system, from the client side to the server side and backend databases.
As web apps evolve, new vulnerabilities are frequently discovered. This requires security teams and specialists to continuously research, learn, and update their testing processes with the latest methods.
Detecting potential vulnerabilities in modern web applications requires automated testing tools and specialized knowledge. Specialists who understand how specific technologies or architectures operate are essential because many threats are associated with those tools and code.
The demand for web application security specialists is expected to increase due to constant attacks and emerging risks. As web apps remain complex and vulnerable, securing them will continue to require ongoing learning and adaptation.
Meeting regulations like General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and Network and Information Security Directive (NIS2) requires expertise in identifying sensitive data, assessing risks, and implementing necessary application controls. This demand is increasing the need for web app security professionals.
TIP: You can find more information about these standards here:
https://gdpr.eu
https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf
https://www.hhs.gov/hipaa/index.html
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
The field of web app security attracts experts from various backgrounds in development, quality assurance (QA) testing, IT security, and compliance. Each contributes different skill sets required to secure today's complex web application ecosystems comprehensively.
There is a significant shortage of people skilled in cybersecurity and web application security. This high demand means that experts in this area can earn high salaries. The need for specialists in web application security is increasing due to several reasons: more aspects of our lives are moving online, providing more targets for hackers; cybercriminals are becoming more sophisticated in their methods; new rules and regulations are being introduced to protect data; and businesses are rapidly transitioning to digital platforms. This situation is clearly shown in the NIST infographic at https://www.nist.gov/system/files/documents/2023/06/05/NICE%20FactSheet_Workforce%20Demand_Final_20211202.pdf. The infographic shows why a career in cybersecurity, especially in web application security, is in high demand and fulfilling.
Penetration tests for web applications extend beyond automated tools. While these tools can identify common issues, they may overlook more intricate ones. Manual tests conducted by experienced professionals provide a more thorough analysis and reveal complex vulnerabilities that automated tools might miss, allowing for a comprehensive evaluation of the application's security.
In addition to identifying vulnerabilities, penetration tests are a proactive risk management measure. They facilitate the effective prioritization and allocation of resources to address issues. Pentest reports offer valuable insights into the potential impacts and likelihood of exploitation, which empower informed decisions regarding security spending and mitigation efforts. This approach focuses resources on areas with the highest potential for harm, making security more effective overall.
Based on Figure 1.2, the general architecture of a web application consists of a front end that users interact with, such as menus, and a backend that includes servers for handling requests and responses connected to a database. It also includes APIs for linking to third parties and other components of web applications. Each section is vulnerable to specific types of attacks, which we will cover in this book.
Pentests also help create a security culture by increasing teams’ awareness of secure coding, configuration, and practices. Integrating security into development proactively addresses security, identifies recurring issues, and fosters a security mindset among teams, as shown in Figure 1.3.
TIP: In this book, we will learn and practice web-based penetration testing, focusing on the security of live web applications deployed in production. It's important to note that this environment may sometimes be replicated in a controlled or developed environment. Our approach is to engage with live web applications, not the code!
Figure 1.2: A web application architecture and related attack surfaces
Figure 1.3: The lifecycle highlights that penetration testing is just one component of web app security
A successful web application penetration test involves several stages, as shown in Figure 1.4. Some of these stages are not purely technical. The testing process begins with an important phase called scoping and reconnaissance. Though not technical, this phase is crucial for the entire test's success. It's about preparing and setting everything up for what's to come. During this stage, the tester takes time to understand the client's needs, identifies the main areas to focus on, and determines their goals for the test. It's not just about knowing how to break into systems or find vulnerabilities; it also involves planning ahead, organizing the work, and ensuring that the most critical tasks receive the highest priority.
Figure 1.4: The penetration testing process
During this initial phase, it's important to define the objectives and scope of the test clearly. This involves understanding the client's needs, identifying potential risks, and deciding on specific goals. A clear plan at this stage helps the penetration tester focus their efforts and resources efficiently. Another vital aspect is organizing the test. This means coordinating with everyone involved, scheduling activities, and allocating resources effectively. This organization ensures that the test runs smoothly and everyone involved understands what's happening.
In this phase, it's important to prioritize goals. The tester evaluates which vulnerabilities or security weaknesses could have the most significant impact. They then focus their attention and resources on these areas. This approach ensures efforts are concentrated where they can make the most difference by first addressing the most critical security threats.
After completing these basic steps, the tester is ready to advance to the more technical phases of the process. They should follow the structure outlined in the figure, moving from scanning to gaining access, then to maintaining access, and finally to analysis and report. Every step in the process builds on the work done during the scoping and reconnaissance phase. It highlights the importance of initial planning and organization in conducting a thorough and effective penetration test.
The initial stages of any penetration test are scoping and reconnaissance. Proper scoping is important as it determines the test's boundaries, limitations, and objectives, ensuring an effective and targeted analysis. During scoping, discussions with the client help to understand their key requirements, priorities, and risk tolerance. Based on these inputs, the penetration tester will define what systems, applications, and data will be included or excluded from the test. Clear scoping also establishes expectations and lays the foundation for a thorough and actionable test report.
Gathering intelligence about the target systems and networks, known as reconnaissance, comes after scoping. This involves collecting information passively and actively from sources like company websites, social media, search engines, vulnerability databases, and subpoenaed documents. The penetration tester will map the network architecture, identify critical systems and applications, and identify employees and contractors. This reconnaissance provides valuable insights to assess exploitation techniques and prioritize test efforts within legal and ethical boundaries.
After completing basic scoping and reconnaissance, the penetration tester can create a test plan that details specific weaknesses and vulnerabilities to target. Based on the intelligence gathered, test cases are designed to systematically evaluate security controls and identify exploitable vulnerabilities. Technical tools are used to perform targeted scans, intercept web traffic, and attempt privilege escalation. This will be covered separately later in this book.
The outcomes of scoping, reconnaissance, test planning, and initial testing form the basis for the rest of the penetration test. Any extra systems found or data exposed during active testing can be added to the original scope. Well-planned scoping and reconnaissance establish the foundation for a thorough and insightful penetration test that identifies actual security weaknesses and provides practical remediation suggestions.
HINT: The first and most important stage of any successful penetration test is reconnaissance, which provides the depth of information needed to identify genuine vulnerabilities. Proper scoping determines the boundaries and objectives of the test, but without accurate and thorough reconnaissance, the rest of the test will be limited and less insightful.
The scanning phase of a penetration test is a process of uncovering hidden information on a target system. This involves using various automated tools and techniques, such as port scanning to detect open ports, service scanning to identify running services, and network scanning to map the network layout. Additionally, vulnerability scanning is used to pinpoint security flaws, while host scanning is used to inventory network-connected devices. SSL/TLS scanning is used to identify encryption issues.
Port scanning checks for open ports that allow external connections, which helps penetration testers find vulnerabilities. Service scanning determines active services, revealing potential attack points. Network scanning creates a map of the network structure, providing a layout of the target environment. Vulnerability scanning looks explicitly for security holes that could be exploited. Network-connected devices are logged when scanning hosts, giving penetration testers a complete view of the target. SSL/TLS scanning looks for incorrect encryption setups and identifies issues with security protocols designed to protect data.
By using these techniques, penetration testers are highly likely to discover vulnerabilities that may jeopardize the security and integrity of the target system. The scanning phase establishes the foundation for subsequent exploitation by thoroughly understanding the target and its potential attack points. In general, scanning plays a crucial role in the penetration testing process.
After the initial scanning, the next phase is gaining access, which is an exciting part of a penetration test. Once the scanning phase has revealed vulnerabilities, penetration testers try to exploit those weaknesses to gain access to the target system. This may involve accessing an open port, cracking weak login credentials, hijacking a session, or exploiting a software flaw. Gaining initial access can be pretty challenging as it requires navigating through layers of security controls.
An open or vulnerable port frequently serves as the entry point for unauthorized access. Ports that are open to the Internet enable incoming connections, and if not adequately secured, they can provide penetration testers with an initial point of access. Subsequently, testers will attempt to gain entry into login portals and try to guess or crack account passwords through brute-force methods. If they are successful, they can access user accounts and potentially the entire system with escalated privileges.
DEFINITION: Gaining initial access or a foothold into a target system is an important first step in penetration testing. Establishing a foothold provides a starting point for penetration testers to investigate the network further and enhance access.
At times, more technical approaches are necessary to gain access. For instance, exploiting weaknesses in web software or a server to run harmful code, acquire higher privileges, and gain control. Other advanced tactics include intercepting and taking over user sessions and exploiting vulnerabilities in enterprise services like remote access or administration protocols.
Once inside, penetration testers typically have broad access to resources!
After initially gaining access to a target system, penetration testers often aim to maintain that access and establish a foothold to conduct further testing. Like real attackers, testers work to cover their tracks and ensure they can regain access even if their initial method is discovered or blocked.
Security testers may deploy backdoors, rootkits, or other forms of malicious software to establish covert access. Moreover, they may exploit authorized tools and applications that blend in with regular system operations. This could require creating accounts with elevated permissions, extracting and decoding password hashes, or misusing remote administration tools. Additionally, testers may infiltrate less critical systems within the network that are not closely monitored, utilizing them as initial access points to progress further within the environment.
DEFINITION: Pivoting means leveraging a previously compromised system or network to reach other systems or networks within the targeted environment. This approach enables the tester to broaden the scope of their assessment by traversing interconnected systems, thereby facilitating a more comprehensive penetration test.
Maintaining access over time enables penetration testers to replicate a committed attacker's actions. It allows them to thoroughly examine the target's network, identify additional vulnerabilities, and gain higher privileges when necessary to uncover weaknesses across multiple layers. This stage can expose flaws in an organization's incident response and threat-hunting capabilities, highlighting areas that real attackers could exploit to operate without detection for extended periods. By exercising persistence within controls and limitations, penetration testers offer valuable insights to strengthen defenses and minimize the risks of covert, long-term security breaches.
DEFINITION: Threat hunting represents a proactive cybersecurity approach that actively explores potential threats within an organization's network. This process involves using advanced techniques to detect and mitigate these threats before they inflict harm.
After penetration testers have gained and maintained access to a target system, the next step is to thoroughly analyze their findings and compile a comprehensive report. This requires documenting all identified vulnerabilities, tested attack vectors, exploited weaknesses, and any access or privileges obtained. It also involves mapping the scope of impact, such as compromised systems, exposed data, and potential business risks.
The analysis process demands careful consideration of what the test results mean for the organization's overall security. Pentesters must adopt the perspective of potential attackers to evaluate the realistic extent of damage that could be inflicted through the attained access level. Also, they need to assess how easy it is for attackers to find and use weaknesses and look for ways attackers could gain more access or move through the network.
The final report presents the testers’ findings and recommendations clearly and actionably. It outlines the discovered vulnerabilities, the ones that were attempted but not successfully exploited, and other significant findings. The report also includes and assigns risk ratings using the Common Vulnerability Scoring System (CVSS) and suggests solutions for remediation. The report may model potential attack scenarios for high-risk vulnerabilities, showing how an attacker could inflict severe damage if the problems are not addressed.
The analysis and reporting phase includes converting raw test data into actionable intelligence that organizations can leverage to fortify their defensive measures. An extensive, well-communicated report is pivotal in enabling stakeholders to comprehend the actual risks they confront and confirm the resources required for efficacious remediation. The main aim is to give context and urgency to the findings, which will help companies prioritize the most effective security improvements.
Detailed information and examples are provided in Appendices B and C.
Web application penetration testing methodologies are structured frameworks that outline the steps and procedures involved in executing thorough and effective penetration tests on web applications. These methodologies combine a systematic approach, comprehensive reconnaissance, vulnerability scanning, exploitation, and complete reporting, ensuring a detailed assessment of the application's security posture. This book will align with the OWASP Top 10 as a foundational framework for further discussion and analysis.
OWASP provides two main web application penetration testing approaches: the Top 10 and the Testing Guide. The OWASP Top 10 (https://owasp.org/Top10) has a prioritized list of the most critical web application security risks, including injection, broken authentication, and sensitive data exposure, while the OWASP Testing Guide is a detailed methodology for assessing each vulnerability category, including information gathering, configuration management testing, and business logic testing. Together, they form a comprehensive framework for penetration testers.
The OWASP Top 10 highlights the 10 most important web application vulnerabilities. It is a guideline for organizations to identify and fix issues like injection flaws, cross-site scripting, and broken authentication. Addressing the risks outlined in the OWASP Top 10 can significantly strengthen an application's overall security, providing a robust defense against the most prevalent and dangerous threats.
DEFINITION: The Open Web Application Security Project (OWASP) is an open-source community of professionals collaborating to create standards, tools, and projects that help experts build secure applications.
The OWASP Web Security Testing Guide (https://owasp.org/www-project-web-security-testing-guide) presents comprehensive methodologies for assessing each vulnerability category within the Top 10. It contains techniques for gathering information, conducting configuration management testing, assessing authentication systems for bypass potential, and testing business logic. Following the Testing Guide protocols guarantees a careful evaluation of each area posing a Top 10 risk.
The OWASP Top 10 and Testing Guide work together to give structure and flexibility to web application assessments. The Top 10 lists the most critical vulnerabilities to focus on first, while the Testing Guide outlines the methods needed to identify those issues. This helps penetration testers optimize their efforts and measure how well an application defends against the most common risks that attackers exploit.
NOTE: This book will use OWASP as our main framework. OWASP is designed for web application penetration testing and is considered the standard for web application security best practices.
The OSSTMM (https://www.isecom.org/OSSTMM.3.pdf) is a framework for penetration testing created by ISECOM. Its purpose is to thoroughly evaluate the security of a network's broadcast domain, which includes all devices that can communicate with each other in a network.
What makes the OSSTMM different is its broad focus. It doesn't just search for weaknesses in software or networks. It also looks at how effective staff training is, considers the impact of human behavior on security, and examines physical security measures. This means the OSSTMM covers everything from how well employees can defend against attacks to potential security risks posed by people to the security of the physical premises.
By addressing these areas, the OSSTMM offers a complete view of an organization's security situation, ensuring that all potential threats, whether digital, human, or physical, are considered.
PTES (http://www.pentest-standard.org/index.php/Main_Page) is another widely recognized web application penetration testing methodology. PTES follows a comprehensive approach that includes information gathering, vulnerability scanning, exploitation, and reporting. It highlights the importance of planning, scoping, and documenting the testing process. By following PTES, penetration testers can ensure that they cover all the necessary steps and provide a thorough assessment of the web application's security. PTES offers a well-defined framework that helps maintain consistency and ensures that no critical areas are overlooked during testing.
TIP: PTES is a highly adaptable framework used in various domains, such as network, system, wireless, and others. It is not specifically designed only for web application penetration testing.
The web application penetration testing process requires security analysts to use different tools and methodologies to identify vulnerabilities. These tools include both free and open-source options and commercial products. Manual methods such as code reviews and inspections also matter. The human element never loses its relevance: all results and outputs must be examined carefully, regardless of the tools used, because tools can produce false positives, reporting an issue that does not actually exist. Human discernment and careful analysis are essential for evaluating and interpreting results and for making accurate decisions.
Many free and open-source tools are available to help with web application penetration testing. Both command-line and graphical user interface (GUI)–based tools can handle tasks such as intercepting web traffic, conducting fuzz testing, and automating SQL injection attacks. These tools can quickly and efficiently identify issues on a large scale, making it difficult to find them manually. Open-source tools offer a variety of capabilities at no cost. However, they may lack the advanced functionality of commercial products.
TIP: You can find more information and a list of free and open-source testing tools here: https://owasp.org/www-project-web-security-testing-guide/v41/6-Appendix/A-Testing_Tools_Resource.
Commercial web application penetration testing tools offer enhanced features for a fee. These tools typically have advanced capabilities such as tailored vulnerability modeling, asset identification and mapping, automated report generation, and exploit development. These considerations should be weighed when selecting a tool. Manual methods will continue to be essential for comprehensive testing. Meanwhile, a blend of tools, methodologies, and expertise is imperative to guarantee comprehensive penetration testing of modern, complex web applications.
A web proxy is a commonly used toolset in web application penetration testing. It is an intermediary between the tester and the web application, allowing them to intercept and modify requests and responses. This enables testers to analyze the traffic, manipulate inputs, and identify security vulnerabilities. Web proxies are crucial in identifying issues such as insecure transmission of sensitive data, insufficient input validation, and weak authentication mechanisms.
NOTE: In the upcoming chapters and scenarios, we will use proxy tools extensively. In the following chapter, I will demonstrate how to configure web proxies.
Fuzzing tools are essential for web application penetration testing. They generate a substantial volume of random or malformed inputs to produce unexpected behavior and expose vulnerabilities within the application. The practice of fuzzing is instrumental in identifying buffer overflows, input validation flaws, and other security weaknesses that may not be easily noticeable through traditional testing methodologies. Fuzzing tools are great at finding complex problems and providing helpful insights for further analysis and solutions.
DEFINITION: Fuzzing is like testing software by putting in weird or random data to see if it has any problems. The goal is to find security issues and weaknesses by giving the system different inputs to see what happens.
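To make the definition concrete, here is an added example (not code from the book or from any fuzzing tool) that fuzzes an in-process function the way a harness would: it takes a well-formed seed input, derives mutated inputs from it (a systematic one-character deletion sweep followed by random replacements, insertions, truncations and length extensions), runs the target on each, and records every distinct uncaught exception as a finding. The target is a toy Cookie-header parser constructed for the demo with a deliberate defect, shown beside a hardened version; the seed string and the parser names are assumptions of the example, not part of the original text.

```python
"""Mutation-based fuzzing of an in-process parser (constructed example)."""
import random
from dataclasses import dataclass


def parse_cookie_header_v1(raw: str) -> dict:
    """Toy parser with a deliberate defect (constructed for this demo): it assumes
    every ';'-separated item contains '=', so an item without one raises an
    unhandled ValueError from tuple unpacking."""
    pairs = {}
    for item in raw.split(";"):
        name, value = item.strip().split("=", 1)
        pairs[name] = value
    return pairs


def parse_cookie_header_v2(raw: str) -> dict:
    """Hardened version: tolerates empty items, items without '=', and stray
    whitespace instead of trusting the shape of untrusted input."""
    pairs = {}
    for item in raw.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            continue  # malformed item: skip it rather than crash
        pairs[name.strip()] = value.strip()
    return pairs


@dataclass
class Crash:
    exc_type: str   # exception class name, e.g. "ValueError"
    message: str    # exception message, used to de-duplicate findings
    payload: str    # the input that triggered it, for reproduction


def mutations(seed: str, rounds: int, rng: random.Random):
    """Yield mutated inputs: first a deterministic single-character deletion
    sweep, then `rounds` random mutations drawn from characters that are
    meaningful to the format under test."""
    for i in range(len(seed)):
        yield seed[:i] + seed[i + 1:]
    specials = "=;\x00\n\r\"' %\\"
    for _ in range(rounds):
        s = seed
        choice = rng.randrange(4)
        if choice == 0:                       # replace one character
            i = rng.randrange(len(s))
            s = s[:i] + rng.choice(specials) + s[i + 1:]
        elif choice == 1:                     # insert one character
            i = rng.randrange(len(s) + 1)
            s = s[:i] + rng.choice(specials) + s[i:]
        elif choice == 2:                     # truncate
            s = s[: rng.randrange(len(s))]
        else:                                 # extend with repeated junk
            s = s + rng.choice(specials) * rng.randrange(1, 64)
        yield s


def fuzz(target, seed: str, rounds: int = 500, rng_seed: int = 1) -> list:
    """Run `target` over mutated inputs and collect unique crashes, keyed on
    exception type and message so one root cause is reported once."""
    rng = random.Random(rng_seed)   # fixed seed keeps the run reproducible
    seen = set()
    crashes = []
    for payload in mutations(seed, rounds, rng):
        try:
            target(payload)
        except Exception as exc:     # any uncaught exception is a finding
            key = (type(exc).__name__, str(exc))
            if key not in seen:
                seen.add(key)
                crashes.append(Crash(key[0], key[1], payload))
    return crashes


SEED = "session=abc123; theme=dark"   # constructed, well-formed seed input

if __name__ == "__main__":
    for c in fuzz(parse_cookie_header_v1, SEED):
        print(f"{c.exc_type}: {c.message!r} on input {c.payload!r}")
    print("crashes in hardened parser:", len(fuzz(parse_cookie_header_v2, SEED)))
```

In a web context the target would be an HTTP endpoint rather than a Python function and the "crash" signal would be a 500 response, a timeout or an error string in the body, but the loop is the same: mutate a known-good input, send it, and keep whatever produces behaviour the developer did not anticipate.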
Web application penetration testing uses different methodologies in addition to tools and techniques. These methodologies are white-box, gray-box, and black-box testing (see Figure 1.5). White-box testing grants you complete access to the application's internal architecture, source code, and structural intricacies. This methodology supports comprehensive testing and in-depth analysis, thus enabling the thorough identification of vulnerabilities. Gray-box testing provides partial knowledge of the application, such as restricted access to the website or specific system details. This methodology balances white-box and black-box testing, affording a realistic assessment of the application's security posture. On the other hand, black-box testing emulates an external hacker without knowledge of the application. You rely solely on publicly available information to disclose potential vulnerabilities exploitable by real attackers.
Figure 1.5: Different pentest approaches divided by the pentester's knowledge about the target
Different testing approaches use various tools and techniques. In white-box testing, manual code review, thorough scanning with vulnerability scanners, and extensive manual testing are expected. Gray-box testing may involve a combination of automated scanning tools, manual testing, and limited access to the application's internals. Black-box testing relies on automated scanners, web proxies for traffic analysis, and manual testing techniques that simulate an attacker's perspective. (Black-box testing can also be done entirely manually; automated testing is not mandatory.)
I'd like to emphasize the significance of reporting. Reporting shouldn't just be about finding vulnerabilities but should also include actionable recommendations for fixing them. These recommendations should be practical and customized to the web application's specific vulnerabilities and context. They should offer clear guidance on how to address the identified security weaknesses and enhance the application's overall security.
NOTE: You will learn how to write an impactful web application penetration testing report in Appendix C.
Effective stakeholder communication is indispensable throughout the reporting process. Penetration testers should be able to articulate the findings clearly and comprehensively, eschewing technical terminology where possible. Furthermore, it is important to actively engage with the management level and address any questions or concerns regarding the findings or recommendations.
Providing practical, achievable, and industry-standard actionable recommendations to enhance application security is very important. These recommendations should encompass specific steps or measures aimed at mitigating identified vulnerabilities, such as patch applications, adoption of secure coding practices, or enhancement of access controls.
Moreover, reporting should not be directed only toward technical stakeholders. It should also be understandable for nontechnical stakeholders, like senior management or business owners. This will help them grasp the risks and make well-informed decisions regarding the application's security and any necessary remediation efforts.
Reporting should be timely. The report should be delivered promptly after the web application penetration testing is completed. This ensures that stakeholders receive the findings and recommendations promptly, allowing them to take immediate action to address the identified vulnerabilities.
Regular checking and retesting can confirm that the recommended fixes have been implemented properly. This shows that the fixes are working and ensures that the web application's security is improving.
Clear and concise reporting is also important in web application penetration testing. It is vital for effectively communicating findings, documenting vulnerabilities, assigning risk ratings, and providing actionable recommendations. It facilitates effective communication with stakeholders and managers, enhances the understanding of the security posture, and supports decision-making processes to improve application security. In this book, I will demonstrate in detail and provide practical examples to help you master the art of clear and straightforward reporting in web application penetration testing.
This section will reference the OWASP Top 10 to explore various web application vulnerabilities. The goal is to analyze the standard security flaws found in web applications as outlined by OWASP. By using the OWASP Top 10, we can comprehensively understand these vulnerabilities and their potential impact on web application security.
The following topics are related to OWASP's Top 10 categories, each representing a high-risk issue that threatens web applications. We will delve into these extensively to understand their nature and impact.
The OWASP Top 10 changes regularly to cover new threats. Focusing on its flaws helps teams prioritize fixing vulnerabilities and allocating resources for better security. The list acts as a security benchmark, letting organizations align their strategies with industry standards.
Figure 1.6 shows the OWASP's Top 10 most exploited weaknesses. Understanding and addressing these vulnerabilities can significantly reduce risk and protect applications and users from attacks. Developers and security teams must stay current with the OWASP Top 10 and enforce effective measures to mitigate these issues.
Figure 1.6: The OWASP Top 10 vulnerabilities