Tutorial: An Intro to Blackbox Web Pentesting

By: Babak Esmaeili
December 9, 2016
Hello Friends, today I'm going to explain how to pentest a website's web application in blackbox mode. The steps:

  1. Find the technology and the web page language
  2. Find all sub-domains that exist for the website and repeat step 1 for each of them too (very important)
  3. Test every input, including the headers and the body of the web pages on the site and its sub-domains, for possible vulnerabilities
  4. If security issues are found, retest them with the Burp Suite scanner in Kali or any well-known, reliable web scanner such as Acunetix or Netsparker
  5. Exploit the vulnerability for the PoC (proof of concept)

So, let's start and do a blackbox pentest of the sample vulnerable website from Acunetix:


For the first step, I usually use http://builtwith.com/, an online service for finding the technologies and languages a website is built with. It is kept up to date, and I like it more than the whatweb script in Kali Linux.

I go to the BuiltWith website, put http://testphp.acunetix.com/ in the box and click the lookup button. After a second, it shows several useful pieces of information about the given website, such as the web server it runs on, the frameworks it uses, etc. What matters most for us in this instance is the web server and the framework. We can see that the web server is nginx 1.4 and the language of the website is PHP.
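BuiltWith does this fingerprinting for you, but most of the signal comes from a single HTTP response: the `Server` header, `X-Powered-By`, the session cookie name and the file extensions in links. The following is an added example (not code from the original post) that pulls those indicators out of a response; the response text is constructed to look like what an nginx/PHP site might return, and the header values are assumptions, not a capture from testphp.acunetix.com. The same routine is useful on the defending side to check what your own server is disclosing.

```python
"""Passive technology fingerprint from one HTTP response (added example)."""
import re

# Constructed sample response; values are assumed, not captured from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.4.1\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "\r\n"
    "<html><body><a href='listproducts.php?cat=1'>cat</a></body></html>"
)

# Default session-cookie names that identify a server-side stack.
COOKIE_HINTS = {
    "PHPSESSID": "php",
    "JSESSIONID": "java",
    "ASP.NET_SessionId": "asp.net",
    "csrftoken": "django",
}

# Link extensions that hint at the language (a weaker signal than headers).
EXTENSION_HINTS = {"php": "php", "asp": "asp", "aspx": "asp.net", "jsp": "java"}


def parse_response(raw):
    """Split a raw response into a {lower-case header name: [values]} map and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def fingerprint(raw):
    """Return the server product/version and language inferred from one response."""
    headers, body = parse_response(raw)
    result = {"server": None, "server_version": None, "language": None, "evidence": []}

    for value in headers.get("server", []):
        m = re.match(r"([A-Za-z\-]+)/?([\d.]+)?", value)
        if m:
            result["server"], result["server_version"] = m.group(1).lower(), m.group(2)
            result["evidence"].append("Server: " + value)

    for value in headers.get("x-powered-by", []):
        m = re.match(r"([A-Za-z.]+)/?([\d.]+)?", value)
        if m:
            result["language"] = m.group(1).lower()
            result["evidence"].append("X-Powered-By: " + value)

    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_HINTS:
            result["language"] = result["language"] or COOKIE_HINTS[name]
            result["evidence"].append("Set-Cookie: " + name)

    for ext in set(re.findall(r"\.(php|aspx?|jsp)[?'\"]", body)):
        result["language"] = result["language"] or EXTENSION_HINTS[ext]
        result["evidence"].append("link extension: ." + ext)

    return result


def version_leaks(raw):
    """Headers that disclose a version number; a hardened server returns none."""
    headers, _ = parse_response(raw)
    leaking = []
    for name in ("server", "x-powered-by"):
        if any(re.search(r"\d+\.\d+", v) for v in headers.get(name, [])):
            leaking.append(name)
    return leaking


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
    print("version-leaking headers:", version_leaks(SAMPLE_RESPONSE))
```

On the defending side, `version_leaks` is the check you want to come back empty: for nginx that means `server_tokens off;` and for PHP `expose_php = Off`, which remove the version strings this routine keys on.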

Now for the second step, I usually use the https://dnsdumpster.com/ website or google.com. In Google, we use the query site:*.acunetix.com; in dnsdumpster, we enter acunetix.com and then click "search". In my experience, the sub-domains are more likely to have vulnerabilities, since programmers usually don't pay much attention to the security of the sub-domains. This is typically because the sub-domains are less interactive with users. Anyway, in our case we are not going to test all the sub-domains, but instead just this one: http://testphp.acunetix.com/

Lastly, for step three, I always start by searching Google for links. For example, if the website is written in PHP, I use the search query: php? site:testphp.acunetix.com/ In this way I can quickly find links that take parameters and test them in random ways for SQLi or XSS. If we use this query, we can see in the second link from the top: testphp.acunetix.com/listproducts.php?cat=1

Now all of you know how to test for SQL injection manually. Just add ' after cat=1 and boom: the SQL error. You can simply use sqlmap to exploit this vulnerability, and again for XSS we use this: http://testphp.acunetix.com/listproducts.php?cat=1'>"><img src=x onerror=javascript:prompt(1)> and boom. I typically use HackBar in Firefox for manual testing, and I personally suggest this modified version - https://addons.mozilla.org/en-US/firefox/addon/~h3ll4r_h5h-hackmod/
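Both findings above come from the same root cause: the `cat` parameter is written straight into a SQL string and straight back into the page. The following is an added example (not code from the original post, and not the Acunetix site's PHP) that reproduces the two handler patterns in Python with an in-memory SQLite table, so you can see why the trailing quote produces the SQL error and why markup in the parameter lands in the DOM, alongside the fixed versions. The table, rows and function names are constructed for the example.

```python
"""Vulnerable vs. fixed handling of listproducts.php?cat=... (added example)."""
import html
import sqlite3


def make_db():
    """In-memory stand-in for the products table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "1", "Widget"), (2, "1", "Gadget"), (3, "2", "Gizmo")],
    )
    return conn


def lookup_concat(conn, cat):
    """Vulnerable pattern: the query is built by string concatenation.
    A value such as 1' unbalances the quotes and the database raises a
    syntax error, which is the 'SQL error' the quote test relies on."""
    query = "SELECT name FROM products WHERE cat='" + cat + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, cat):
    """Fixed pattern: the value is bound as a parameter, so 1' is compared
    as data and simply matches nothing; no query structure is reachable."""
    rows = conn.execute("SELECT name FROM products WHERE cat=?", (cat,))
    return [row[0] for row in rows]


def concat_raises_sql_error(cat):
    """True when the concatenated query fails on this input, i.e. when a
    tester would see an error page instead of a product list."""
    try:
        lookup_concat(make_db(), cat)
        return False
    except sqlite3.OperationalError:
        return True


def render_unsafe(cat):
    """Vulnerable reflection: the parameter goes into the HTML as-is, so
    any tag inside it becomes part of the page."""
    return "<h2>Category " + cat + "</h2>"


def render_safe(cat):
    """Fixed reflection: html.escape turns < > & ' and \" into entities, so
    the value is displayed as text rather than parsed as markup."""
    return "<h2>Category " + html.escape(cat, quote=True) + "</h2>"


def contains_tag(rendered):
    """Rough check for a tag that survived rendering (constructed marker)."""
    return "<img" in rendered or "<script" in rendered


if __name__ == "__main__":
    db = make_db()
    print("concat, cat=1   ->", lookup_concat(db, "1"))
    print("concat, cat=1'  -> error:", concat_raises_sql_error("1'"))
    print("param,  cat=1'  ->", lookup_param(db, "1'"))
    print("unsafe:", render_unsafe("<img src=x>"))
    print("safe:  ", render_safe("<img src=x>"))
```

The point to take from the contrast is that neither fix is a filter on the input: parameter binding keeps the value out of the query grammar entirely, and output encoding keeps it out of the HTML grammar, so the quote test and the `<img>` test both stop producing anything interesting without any blacklist of characters.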

I am not going to explain how to test automatically with Burp Suite, as you all know how to do it. I hope you enjoyed this intro to blackbox testing a website. Bye till another 0P3N ; )