Practical Web Application Penetration Testing Series

September 16, 2016 | Views: 16337


Hello Friends,

Today, I’m going to start a series on how to do practical web application penetration testing against a live website in black-box mode. For pentesting a website, we need to perform the following steps:

  1. Find the technology and the programming language used.
  2. Find all sub-domains that exist for the website and repeat step 1 for each of them (very important: these sub-domains usually get less user traffic, so developers often pay less attention to their security).
  3. Test every input, including the headers and the body of each page on the site and its sub-domains, for possible vulnerabilities with a web vulnerability scanner such as Burp Suite (automation helps).
  4. If security issues are found, try to produce a proof of concept for each.
  5. Write a well-documented report of the vulnerabilities.
    • “Well-documented” means a logical report that someone else could follow and understand without knowing the full context.

So, let’s start with Acunetix’s sample vulnerable website: http://testphp.acunetix.com/

[Screenshot: the target site’s home page]

Step 1: We can use http://builtwith.com/, an online service for finding the technologies and languages used by a website. It is kept up to date and I like it more than the whatweb script in Kali Linux; however, we can still use whatweb in Kali Linux, and I will show you both. Go to http://builtwith.com/, put the URL http://testphp.acunetix.com/ in the input box, then click the Lookup button.

[Screenshot: builtwith.com lookup results for the target]

After a second, it shows many useful pieces of information about the given website, such as the web server, the frameworks in use, and so on.

What matters most to us is the web server and the framework. We can see that the web server is nginx 1.4 and the site is written in PHP.

Alternatively, we can run whatweb against the same URL in Kali Linux:

[Screenshot: whatweb output for the target]

Both tools give us useful information about the target. In the next chapter we will start the Burp Suite scanner and go further.
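To show what tools like builtwith and whatweb actually infer from a server’s response, and how a site owner can check what their own server leaks, here is a small header-based fingerprinter. It is an added example, not code from the original post or from either tool; the sample HTTP response, its version numbers and the cookie value are constructed to match the post’s findings (nginx 1.4, PHP).

```python
# Added example, not the post's code: a header-based fingerprinter of the kind
# whatweb/builtwith use, plus a defender's check for version-disclosing headers.
import re

# Constructed sample response (not captured from any site); version numbers are
# illustrative and match the post's findings of nginx 1.4 and PHP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.4.1\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)

def parse_headers(raw):
    """Header map with lower-cased names; repeated headers keep all values."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def fingerprint(raw):
    """Infer server product/version and language from response headers."""
    h, result = parse_headers(raw), {}
    m = re.match(r"([A-Za-z-]+)(?:/([\d.]+))?", h.get("server", [""])[0])
    if m:
        result["server"] = m.group(1).lower()
        if m.group(2):
            result["server_version"] = m.group(2)
    if h.get("x-powered-by", [""])[0].lower().startswith("php"):
        result["language"] = "php"
    # Second signal: PHPSESSID is PHP's default session cookie name
    for cookie in h.get("set-cookie", []):
        if cookie.split("=", 1)[0].strip() == "PHPSESSID":
            result.setdefault("language", "php")
    return result

def disclosure_findings(raw):
    """Defender's view: which headers leak product or version details."""
    fp, h, findings = fingerprint(raw), parse_headers(raw), []
    if "server_version" in fp:
        findings.append("Server header discloses version (nginx: server_tokens off)")
    if "x-powered-by" in h:
        findings.append("X-Powered-By header present (php.ini: expose_php = Off)")
    return findings
```

Running `fingerprint(SAMPLE_RESPONSE)` yields the server, its version and the language; `disclosure_findings` lists the two headers a site owner would normally suppress.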

Thanks!
