You're reading from The Ultimate Kali Linux Book - Second Edition

Product type: Book
Published in: Feb 2022
Publisher: Packt
ISBN-13: 9781801818933
Edition: 2nd Edition

Author: Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

Chapter 15: Understanding Website Application Security

As an aspiring ethical hacker and penetration tester, you will encounter a lot of organizations that develop and deploy web applications; either they are available for their internal employees or publicly available to users on the internet. The number of web applications on the internet is continuously increasing, as more organizations are creating their online presence to support their potential and existing customers.

During this chapter, you will learn about the importance of and need for performing web application penetration testing. You will discover how the OWASP Top 10 helps cybersecurity professionals such as penetration testers to discover security vulnerabilities within web applications. You will gain the skills to perform vulnerability discovery and exploitation on a web application while using the OWASP Top 10 as a methodological approach.

In this chapter, we will cover the following topics:

  • Understanding...

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

Understanding web applications

As we use the internet each day, we commonly interact with web applications, whether performing a transaction at your favorite e-commerce website or even using an online Learning Management System (LMS) for e-learning with your educational provider. Web applications are all around and used by many industries, such as education, banking, manufacturing, entertainment, e-commerce/e-business, and even government services. They allow organizations to provide electronic services to their users and customers by simply using the internet and a web browser.

Imagine you're enrolled to complete an academic program within a university. After your registration, the university sends you access to their e-learning online platform, which contains a lot of study resources to help you with your studies during the course of your program. For the university to deliver the resources to their students (users), a web application needs to be deployed on a web server...

Exploring the OWASP Top 10: 2021

The Open Web Application Security Project (OWASP) is a community-led and driven non-profit foundation that helps everyone to understand how to better secure their web application during the development and post-development phases. While web application developers will learn about their secure coding practices and how to fuzz their application to ensure it can handle any type of input without crashing and leaking sensitive information, there are many types of web application that have been found to be vulnerable and exploited by threat actors.

Hence, OWASP provides a lot of resources, such as documentation, tools, and strategies, which are widely adopted by developers to ensure their applications are secure and resilient against potential cyberattacks and threats. However, since many organizations often use a lot of web applications that connect to their database servers and their network, penetration testers are often hired to discover any hidden...

Getting started with FoxyProxy and Burp Suite

Burp Suite is a very popular web application security vulnerability and exploitation tool that is commonly used among web application security professionals and penetration testers within the industry. Burp Suite is a proxy-based tool that allows a penetration tester to intercept the communication messages between the attacker's web browser and the web application, allowing the penetration tester to modify the request messages from the client side. Put simply, the penetration tester will use Burp Suite as an intercepting proxy, which will capture any request messages originating from the web browser on their machine, allowing the penetration tester to modify the field in the request message and then forward it to the web application server.

The following diagram shows a visual representation of Burp Suite as an intercepting proxy:

Figure 15.4 – Burp Suite intercepting request messages

As shown in...

Understanding injection-based attacks

Injection-based attacks allow threat actors and penetration testers to inject customized code into an input field within a form on a web application. The web application will process the input and provide a response, as it is designed to operate in a client-server model and a request-response model too. However, if a user sends malformed code to a login form on a web application, the user may be able to retrieve sensitive information from the web application and the database server, and even perform operations on the operating system of the hosting web server.

Without proper validation and sanitization of users' input, threat actors are able to determine whether a web application has security vulnerabilities, manipulate the data stored within the backend database server, and even perform command injections on the host operating system.

The following diagram shows a visual representation of a web server deployment:

...

Exploring broken access control attacks

Broken access controls simply allow authenticated and unauthenticated users to perform actions on a web application or system that are not permitted. Implementing access controls on a system and even web applications helps administrators to restrict access to sensitive and confidential directories and data from unauthorized users. However, while many organizations will implement a pre-built web application framework on their web server, many pre-built and ready-to-use web application frameworks contain default security configurations, and if implemented without using best practices, threat actors can simply gain unauthorized access by exploiting the broken access control mechanisms.
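To make the failure concrete, here is an added example (not from the book or from OWASP Juice Shop) of a handler that returns an invoice by its ID. The vulnerable version checks only that a user is logged in, so any authenticated user can read any invoice by changing the ID in the request; the fixed version denies by default and releases the record only to its owner or to an administrator. The users, roles and invoice store are constructed and hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin" (hypothetical role names)


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


# Constructed invoice store: invoice id -> record (hypothetical data).
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}


def get_invoice_vulnerable(user, invoice_id: int) -> dict:
    # Only checks that *someone* is authenticated. Authentication is not
    # authorisation: bob can fetch alice's invoice just by asking for id 101.
    if user is None:
        raise Forbidden("login required")
    return INVOICES[invoice_id]


def can_read_invoice(user, invoice_id: int) -> bool:
    # Deny by default; the decision is made server-side from the session's
    # identity, never from anything the client sends about itself.
    if user is None:
        return False
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    return user.role == "admin" or invoice["owner"] == user.name


def get_invoice_fixed(user, invoice_id: int) -> dict:
    # A missing invoice and an invoice the caller may not see get the same
    # answer, so the response does not reveal which ids exist.
    if not can_read_invoice(user, invoice_id):
        raise Forbidden(f"access to invoice {invoice_id} denied")
    return INVOICES[invoice_id]


if __name__ == "__main__":
    bob = User("bob", "customer")
    print("vulnerable handler gives bob alice's invoice:",
          get_invoice_vulnerable(bob, 101))
    try:
        get_invoice_fixed(bob, 101)
    except Forbidden as exc:
        print("fixed handler:", exc)
```

The same ownership check belongs on every operation on the object (read, update, delete, export), because a control that exists only on the page that lists a user's own invoices does nothing for a direct request to another user's ID.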

Up next, you will gain hands-on experience of discovering and exploiting the security vulnerabilities of broken access control on a vulnerable web application such as OWASP Juice Shop.

Exploring broken access control

In this exercise, you will be learning...

Discovering cryptographic failures

Cryptographic failures on a web application simply define the security vulnerabilities found within a web application that allow a threat actor to gain access to confidential data, such as users' credentials, that are either stored on a server or transmitted over a network. When deploying web applications, it's always important to ensure best practices on using recommended cryptographic solutions, such as secure encryption algorithms, to ensure data in motion, data at rest, and data in use are always kept safe from unauthorized users such as threat actors.

If a developer implements a web application using a weak or insecure encryption algorithm, threat actors can simply discover the type of encryption algorithm and discover security vulnerabilities. Once a vulnerability is found, it's only a matter of time for the vulnerability to be exploited by a threat actor. As a penetration tester, understanding how to test for cryptographic...
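Stored credentials are the example the section names, so here is an added illustration (not the book's code) of the contrast it describes: an unsalted, fast hash used as a password store beside a salted, slow password-hashing scheme. It uses only the Python standard library (hashlib's PBKDF2-HMAC and a constant-time comparison); the record format `pbkdf2_sha256$<iterations>$<salt>$<digest>` is an assumption of this example, and the iteration count is a parameter so the test can run quickly.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256; higher is slower for an attacker
# and for the server alike. 600,000 follows current OWASP guidance.
DEFAULT_ITERATIONS = 600_000


def store_password_weak(password: str) -> str:
    # Failure mode: unsalted MD5. Identical passwords give identical hashes,
    # and the digest can be matched against precomputed tables at high speed.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    # A fresh random salt per record, so equal passwords produce different
    # records and precomputed tables do not apply; a slow derivation so each
    # guess costs the attacker measurable work.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count; compare in constant
    # time so the check does not leak how many bytes matched.
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or legacy format: never accept it silently
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("weak, same twice:", store_password_weak("hunter2") == store_password_weak("hunter2"))
    record = store_password("hunter2")
    print("record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
```

During a review, the format of the stored value is often the first clue: a bare 32-hex-character field with no salt or parameters is the weak case, while a record that carries the algorithm, cost and salt can be upgraded in place as guidance changes.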

Understanding insecure design

Insecure design focuses on understanding how security risks increase when a web application is not designed, tested, and implemented properly on a system. When designing a web application, the organization usually ensures the code passes through each phase of a Secure Development Lifecycle (SDL), which helps developers to thoroughly test the application to ensure there are as few security risks as possible.

This technique ensures the web application is designed using secure coding practices and design, secure library components of programming languages, and even threat modeling to help understand how threat actors may be able to compromise the web application. Without secure designs, the security posture of the web application is left very vulnerable to various types of web application attacks. Overall, it is important that developers and organizations implement proper development, security testing, and maintenance on their web applications and servers...

Exploring security misconfiguration

Sometimes, web applications are deployed without using security best practices to ensure the web application and the web server are hardened to prevent a cyberattack. Without proper security configurations and practices, threat actors are able to enumerate and exploit vulnerable services running on the web server. A simple example of security misconfiguration is administrators leaving unnecessary running services and open service ports on a web server; typically, a web server should not have any open service ports except those which are required, such as port 443 for HTTPS and 22 for Secure Shell (SSH). Threat actors will perform port scanning on their targets to identify any open ports and running services, which will allow them to remotely test for security vulnerabilities on the web server and exploit the system.

Most commonly, you will discover a lot of devices such as web servers are using default accounts, which is a huge security risk....
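The open-ports example above is easy to turn into a routine check on the server itself. The following added script (not from the book) parses the output of `ss -tlnH` (TCP, listening sockets, numeric, no header) and reports every listener that is reachable from the network and not on an allow-list; the allow-list here is the pair the section names, 22 for SSH and 443 for HTTPS. The `ss` output embedded below is constructed for the demonstration; on a real host you would feed in the command's actual output.

```python
import subprocess

# Ports the section describes as required on a web server: SSH and HTTPS.
ALLOWED_PORTS = {22, 443}

# Address prefixes that mean "bound to loopback only", hence not reachable
# from the network (a loopback-only database listener is not a finding).
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample in the layout of `ss -tlnH`: State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port. Not captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096            [::]:8080         [::]:*
"""


def parse_ss_listeners(ss_output: str) -> list:
    """Return (address, port) pairs for each LISTEN line of `ss -tlnH` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # The local address column is "addr:port"; IPv6 addresses are bracketed,
        # so split on the last colon only.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def is_exposed(addr: str) -> bool:
    """True when the socket is bound to something other than loopback."""
    return not addr.startswith(LOOPBACK_PREFIXES)


def audit_listeners(ss_output: str, allowed=ALLOWED_PORTS) -> list:
    """Exposed listeners whose port is not on the allow-list, sorted."""
    return sorted(
        (addr, port)
        for addr, port in parse_ss_listeners(ss_output)
        if is_exposed(addr) and port not in allowed
    )


def audit_this_host(allowed=ALLOWED_PORTS) -> list:
    """Run ss on the local machine and audit its output (Linux, iproute2)."""
    output = subprocess.run(
        ["ss", "-tlnH"], capture_output=True, text=True, check=True
    ).stdout
    return audit_listeners(output, allowed)


if __name__ == "__main__":
    for addr, port in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected exposed listener: {addr}:{port}")
```

On the constructed sample the script flags port 80 on all IPv4 addresses and port 8080 on all IPv6 addresses, while the database on 127.0.0.1:3306 is left alone because it is not reachable from the network. Each finding is then a question for the administrator: close the service, bind it to loopback, or add it to the allow-list with a documented reason.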

Summary

During the course of this chapter, you have discovered the fundamentals of web applications and how HTTP operates between a web browser and a web application. You have also learned how the OWASP Top 10 list of security risks for web applications helps cybersecurity professionals to improve the security of web servers and their applications. Furthermore, you have gained the skills for simulating various types of web application cyberattacks on vulnerable applications to discover and exploit security vulnerabilities on a target.

I hope this chapter has been informative for you and is helpful in your journey as an aspiring penetration tester learning how to simulate real-world cyberattacks to discover security vulnerabilities and perform exploitation using Kali Linux. In the next chapter, Chapter 16, Advanced Website Penetration Testing, you will be discovering additional web application vulnerabilities and exploitation techniques.

Further reading

To learn more about the topics covered in this chapter, you can refer to the following links:
