
Tutorial: An Intro to Blackbox Web Pentesting


By: Babak Esmaeili

December 9, 2016

Hello Friends, today I'm going to explain how to pentest a website's web application in blackbox mode. The steps:

  1. Find the technology stack and the language the web pages are written in
  2. Find all sub-domains that exist for the website and repeat step 1 for each of them too (very important)
  3. Test every input, including the headers and the page body, across the web pages of the site and its sub-domains for possible vulnerabilities
  4. If security issues are found, retest them with the Burp Suite scanner in Kali or any well-known, reliable web scanner such as Acunetix or Netsparker
  5. Exploit the vulnerability for the POC (Proof of Concept)

So, let's start and do a blackbox pentest of Acunetix's sample vulnerable website:

For the first step, I usually use the BuiltWith website, as it is an online service for finding the technologies and languages a website uses. It is up to date and I like it more than the whatweb script in Kali Linux.

I go to the BuiltWith website, put the address in the box and click the lookup button. After a second, it shows several useful pieces of information about the given website, such as the web server it runs on, the frameworks it uses, etc. What matters most for us in this instance is the web server and the framework. We can see that the web server is nginx 1.4 and the language of the website is PHP.

Now for the second step, I usually use the dnsdumpster website or Google. In Google, we use the query site:*.acunetix.com. In dnsdumpster, we enter the same domain and then click "search". In my experience, the sub-domains are more likely to have vulnerabilities, since programmers usually don't pay as much attention to the security of sub-domains. This is typically because sub-domains commonly have less interaction with users. Anyway, in our case we are not going to test all the sub-domains but instead just this one:

Lastly, for step three, I always start by searching in Google for links. For example, if the website is written in PHP I use the search query: php? In this way I can quickly find links that take parameters and test them in random ways for SQLi or XSS. If we use this query we can see in the second link from the top:

Now all of you know how to test for SQL injection manually. Just add ' after cat=1 and boom: the SQL error. You can simply use sqlmap to exploit this vulnerability, and for XSS we use this: '>"><img src=x onerror=javascript:prompt(1)> and boom. I typically use HackBar in Firefox for manual testing, and I personally suggest this modified version -
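The manual probes above also leave a clear trace in the web server's access log, which is what the site owner should be watching for. As an added example (not from the article, and not part of any tool it names), here is a small Python script that parses constructed Combined Log Format lines and flags query parameters carrying the quote-after-cat=1 probe or the img/onerror payload, escalating the quote case when the server answered with a 5xx (the "SQL error" moment). The log lines, paths, parameter names and IP addresses are all constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Combined Log Format (not taken from any real server).
# Line 2 repeats the article's cat=1' probe (URL-encoded); line 3 carries its XSS payload.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Dec/2016:10:00:01 +0000] "GET /products.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Dec/2016:10:00:07 +0000] "GET /products.php?cat=1%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Dec/2016:10:00:15 +0000] "GET /search.php?q=%27%3E%22%3E%3Cimg+src%3Dx+onerror%3Djavascript%3Aprompt(1)%3E HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Dec/2016:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A numeric parameter with a quote appended is the classic error-based probe from the article.
QUOTE_PROBE_RE = re.compile(r"^\d+'")
# Any tag carrying an on*= event handler, or a javascript: URL, in a decoded parameter value.
XSS_RE = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=|javascript:", re.IGNORECASE)


def classify_value(value: str, status: int) -> Optional[str]:
    """Return a finding kind for one decoded parameter value, or None if it looks benign."""
    if XSS_RE.search(value):
        return "xss-probe"
    if QUOTE_PROBE_RE.match(value) or "'" in value:
        # A 5xx right after a quote is injected is the "boom: the SQL error" signal.
        return "sqli-error" if status >= 500 else "sqli-probe"
    return None


def analyze_log(text: str) -> list:
    """Parse access-log lines and report query parameters that look like injection probes."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or partially written line: skip rather than crash
        status = int(m["status"])
        parts = urlsplit(m["target"])
        # parse_qsl decodes %27 and '+' for us; keep_blank_values keeps empty params visible
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value, status)
            if kind:
                findings.append({"ip": m["ip"], "path": parts.path, "param": param,
                                 "kind": kind, "status": status})
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

Run against a real log, expect false positives from legitimate apostrophes in free-text fields; the 5xx escalation and the event-handler pattern are the signals worth alerting on.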

I am not going to explain how to test automatically with Burp Suite, as you all know how to do it. I hope you enjoyed this intro to blackbox testing a website. Bye till another OP3N ; )