Tutorial: An Intro to Blackbox Web Pentesting

December 9, 2016 | Views: 10016

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Hello Friends,

Today I’m gonna explain how to pentest a web application of a website in blackbox mode.

The steps :

  1. Find the technology and the kind of  web page language
  2. Find all sub-domains exist for the website and repeat number 1 for them too (very important)
  3. Test every input include header and the body page of the web pages in the site and sub domains for possible vulnerabilities
  4. If security issues were found then retest them with Burpsuite scanner in kali or any famous and reliable web scanner like Acunetix or NetSparker
  5. Exploit the vulnerability for the POC [Proof Of Concept]

So, let’s start and do a blackbox pentest for the sample vulnerable website of acunetix: http://testphp.acunetix.com/

For the first step, I usually use the http://builtwith.com/ website as it is an online website for finding the technologies and languages used for a website. It is up to date and I like it more than whatweb script in Kali Linux.

I go to the BuiltWith website and put the http://testphp.acunetix.com/ in the box and click the lookup button. After a second, it shows several useful information options about the given website such as the kind of WebServer it’s run on, the kind of frameworks it uses, etc.

What is most important for us is this instance, is the webserver and framework.  We can see that the web server is nginx 1.4 and the language of the website is php.

Now for the second step, I will usually use https://dnsdumpster.com/ website or google.com. In Google, we use the query site:*.acunetix.com

In dnsdumpster, we enter acunetix.com and then click “search”.

* In my experience, the sub-domains are more likely to have vulnerabilities since the programmers usually don’t pay much attention to the security terms of the sub-domains. This is typically because the sub-domains are commonly less interactive with users.

Anyway,in our case, we are not going to test all subdomains but instead just test this sub-domain: http://testphp.acunetix.com/


Lastly, for step three, I always start by searching in Google for links. For example, if the website is written in PHP I use the  search query: php? site:testphp.acunetix.com/

In this way I can quickly find links that take parameters and test them in random ways for SQli or XSS. If we use this query we can see in the second link from the top:


Now all of you know how to test forSQLl injection manually. Just add ‘ after cat=1 and boom : the sql error

You can use SQL map simply to exploit this vulnerability and again for XSS we use this:

?cat=1’>”><img src=x onerror=javascript:prompt(1)> and boom

I typically use hackbar in firefox for manual testing, and I suggest this modified version personally – https://addons.mozilla.org/en-US/firefox/addon/~h3ll4r_h5h-hackmod/

I am not going to explain how to test automatically with Burpsuite as you all know how to do it.

I hope you enjoyed this intro to blackbox testing a website.

Bye till another OP3N ; )

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Unfortunately, http://testphp.acunetix.com looks down from here 🙁

  2. This is awesome, thank you!

Page 2 of 2«12
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?