You're reading from The Ultimate Kali Linux Book - Second Edition

Product type: Book
Published in: Feb 2022
Publisher: Packt
ISBN-13: 9781801818933
Edition: 2nd Edition
Author: Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

Chapter 16: Advanced Website Penetration Testing

As you progress through your cybersecurity journey, you will encounter many poor security practices within organizations that often lead to their systems and networks being compromised by a threat actor. As an aspiring ethical hacker and penetration tester, you must test for everything, even if it's something you think is very minor within the IT industry. Many organizations use default user accounts, default configurations, outdated applications, insecure network protocols, and so on. Sometimes, exploiting the easiest security vulnerability within a web application is all it takes to open a much bigger doorway into the organization.

In this chapter, you will learn how to discover security vulnerabilities within a vulnerable web application. You will learn how the security risk increases when organizations deploy their web applications with vulnerable and outdated components, poorly configured authentication mechanisms, integrity...

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

Identifying vulnerable and outdated components

As aspiring ethical hackers and penetration testers, we often assume that all organizations take a strict approach to implementing solutions using best practices and ensuring that their IT infrastructure has the latest patches and secure configurations. However, many organizations have been compromised by threat actors due to vulnerabilities in their web applications and in the components running on their servers. Using vulnerable and outdated components simply means an organization is running unsupported and out-of-date applications and components, which increases the risk of a successful cyber-attack. Furthermore, if organizations do not frequently perform security testing on their web applications to discover new security flaws, they are left open to newer cyber-attacks and threats.

Discovering vulnerable components

In this exercise, you will learn how to use Burp Suite to discover and exploit broken access control within...

Exploiting identification and authentication failures

Sometimes, a web application is not configured to handle user authentication properly and allows unauthorized users, such as threat actors, to gain access to restricted resources. If a web application's authentication mechanism is poorly designed, threat actors can perform various types of attacks, such as brute force, password spraying, and credential stuffing, or use default user credentials to gain access to the web application and web server. Sometimes, web administrators use default configurations, default user accounts, and even weak passwords, which simplify the attack being performed by the threat actor.

During a web application penetration test, it's important to test for identification and authentication failures and determine whether the web application can be exploited due to identification and authentication failures. In the following sub-section, you will learn how to test authentication...

Understanding software and data integrity failures

This type of security risk focuses on web applications that cannot protect their assets and data against integrity-based attacks. Imagine a threat actor leveraging a security flaw within a web application to upload their own malicious patch to a distribution system. If the distribution system does not perform integrity checking on the patch, the malicious version can be distributed to clients' systems, spreading the malware across the internet.
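The scenario above is exactly what integrity checking on the distribution side prevents: a client should accept a patch only if its digest matches a signed manifest. The following is an added example, not code from the book or from any real distribution system. It uses a shared-key HMAC over the manifest as a stand-in for the publisher's signature so that it runs with the Python standard library alone (a real system would use an asymmetric signature so that clients hold only a public key); the key, the patch content, and the file name are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example key standing in for the publisher's signing key.
# Real distribution systems use an asymmetric signature (e.g. Ed25519) so
# that clients never hold the signing secret; HMAC keeps this stdlib-only.
PUBLISHER_KEY = b"example-publisher-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> bytes:
    """Serialize {filename: bytes} into a canonical JSON manifest of SHA-256 digests."""
    digests = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: bytes, key: bytes) -> str:
    """Publisher side: authenticate the manifest (stand-in for a signature)."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_patch(name: str, blob: bytes, manifest: bytes, signature: str, key: bytes) -> bool:
    """Client side: accept a downloaded patch only if the manifest signature is
    valid AND the artifact digest matches the signed manifest entry."""
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, signature):
        return False  # manifest tampered with or signed with the wrong key
    digests = json.loads(manifest)
    if name not in digests:
        return False  # artifact not covered by the manifest
    # Constant-time comparison of the pinned digest against the download.
    return hmac.compare_digest(digests[name], sha256_hex(blob))


# Constructed sample: a "patch" file and its manifest as the publisher would ship them.
GENUINE_PATCH = b"#!/bin/sh\necho 'applying update 1.2.3'\n"
MANIFEST = build_manifest({"update-1.2.3.sh": GENUINE_PATCH})
SIGNATURE = sign_manifest(MANIFEST, PUBLISHER_KEY)

if __name__ == "__main__":
    tampered = GENUINE_PATCH + b"echo injected\n"
    print("genuine :", verify_patch("update-1.2.3.sh", GENUINE_PATCH, MANIFEST, SIGNATURE, PUBLISHER_KEY))
    print("tampered:", verify_patch("update-1.2.3.sh", tampered, MANIFEST, SIGNATURE, PUBLISHER_KEY))
```

Note the order of checks: the manifest's authenticity is verified before any digest in it is trusted, because an attacker who can replace the patch can usually replace an unsigned manifest too.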

Important Note

To learn more about Software and Data Integrity Failures, please see the official OWASP documentation at https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/.

In the next section, you will learn about the security flaws in security logging and monitoring failures.

Understanding security logging and monitoring failures

When monitoring the security posture of an organization, cybersecurity professionals need to ensure all their systems, devices, and applications are providing sufficient logs to their Security Information and Event Management (SIEM) and their logging servers for accountability. If web applications and web servers do not provide sufficient logging, it is very challenging for cybersecurity professionals to detect and determine what occurred during a system breach.

Security logging and monitoring covers records of authentication attempts (both successes and failures), errors and system warnings, application programming interface (API) call usage, port scanning, and so on, any of which may indicate a potential threat or cyber-attack against the system.
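The brute-force and password-spraying attacks described in the Exploiting identification and authentication failures section are only visible to defenders if authentication attempts are logged in the way this section describes. The following is an added example, not from the book, that runs simple detection logic over a constructed set of authentication log lines (the log format, thresholds, IP addresses, and user names are all assumptions made for the example): one source failing repeatedly against a single account indicates brute force, while one source failing once each against many accounts indicates password spraying.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). Assumed format:
# "<timestamp> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2022-02-01T10:00:01Z auth FAIL user=alice src=203.0.113.10
2022-02-01T10:00:02Z auth FAIL user=alice src=203.0.113.10
2022-02-01T10:00:03Z auth FAIL user=alice src=203.0.113.10
2022-02-01T10:00:04Z auth FAIL user=alice src=203.0.113.10
2022-02-01T10:00:05Z auth FAIL user=alice src=203.0.113.10
2022-02-01T10:00:06Z auth OK user=alice src=203.0.113.10
2022-02-01T10:01:00Z auth FAIL user=bob src=198.51.100.7
2022-02-01T10:01:01Z auth FAIL user=carol src=198.51.100.7
2022-02-01T10:01:02Z auth FAIL user=dave src=198.51.100.7
2022-02-01T10:01:03Z auth FAIL user=erin src=198.51.100.7
2022-02-01T10:01:04Z auth FAIL user=frank src=198.51.100.7
2022-02-01T10:02:00Z auth OK user=grace src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, fail_threshold=5, spray_users=5):
    """Return (brute_force, spraying, success_after_fail).

    brute_force:        {(src, user): fail_count} - one source hammering one account
    spraying:           {src: set_of_users}       - one source trying many accounts
    success_after_fail: {(src, user)}             - an OK that followed a burst of
                                                    failures, the highest-priority alert
    """
    fails_per_pair = defaultdict(int)
    users_per_src = defaultdict(set)
    success_after_fail = set()
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            fails_per_pair[key] += 1
            users_per_src[ev["src"]].add(ev["user"])
        elif fails_per_pair.get(key, 0) >= fail_threshold:
            success_after_fail.add(key)
    brute_force = {k: v for k, v in fails_per_pair.items() if v >= fail_threshold}
    spraying = {s: u for s, u in users_per_src.items() if len(u) >= spray_users}
    return brute_force, spraying, success_after_fail


if __name__ == "__main__":
    bf, sp, saf = detect(parse(SAMPLE_LOG))
    print("brute force      :", bf)
    print("password spraying:", {s: sorted(u) for s, u in sp.items()})
    print("success after burst of failures:", saf)
```

The thresholds are deliberately low so the sample triggers; in production they are tuned per application, and the same logic is normally expressed as a SIEM correlation rule rather than a script.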

Important Note

To learn more about Security Logging and Monitoring Failures, please see the official OWASP documentation at https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures...

Performing server-side request forgery

Server-side request forgery (SSRF) is a web application vulnerability that allows a threat actor to make the vulnerable application retrieve resources from other systems on the network on their behalf. Imagine you're a threat actor and have discovered a vulnerable web application that lets you proxy your attacks to other systems on the same network, allowing you to perform port scanning and file retrieval.

SSRF is possible when a web application does not validate and sanitize the user-supplied URL in HTTP request messages. If a threat actor can perform SSRF against a web application that is accessible over the internet, they can leverage the security flaw to bypass the firewall, access control lists (ACLs), and other security controls implemented by the organization.

In the following lab exercise, you will discover the security risks involved when using a web application that allows...

Automating SQL injection attacks

Sqlmap is an automated SQL injection tool that allows a penetration tester to easily discover SQL injection vulnerabilities in a web application. The tool also allows you to perform exploitation, manipulate records, and retrieve data from the backend database of a vulnerable web application. Overall, during a web application penetration testing exercise, automation can save you a lot of time when you're looking for security flaws during an assessment.

In this section, you will learn how to use Sqlmap to easily identify SQL injection flaws within a vulnerable web application and retrieve sensitive data.
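The flaw that Sqlmap automates the discovery of is, at the code level, user input being concatenated into SQL text. The following is an added example, not from the book, that shows a vulnerable login query beside its parameterized form against an in-memory SQLite database; the table, the accounts, and the plaintext passwords are constructed for the example (a real application stores password hashes, but the point here is the query shape, not credential storage).

```python
import sqlite3


def make_db():
    """Constructed sample database with two accounts (plaintext passwords for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "wonderland")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String formatting: user input becomes part of the SQL text, so a quote
    # character in the input changes the structure of the query. This is the
    # pattern Sqlmap looks for.
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterized query: the driver binds the values as data, so the same
    # input is compared literally and never parsed as SQL.
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The textbook tautology payload: turns the WHERE clause into
#   username = 'admin' AND password = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real password :", login_vulnerable(conn, "admin", "S3cret!"))
    print("vulnerable, payload       :", login_vulnerable(conn, "admin", PAYLOAD))
    print("safe, real password       :", login_safe(conn, "admin", "S3cret!"))
    print("safe, payload             :", login_safe(conn, "admin", PAYLOAD))
```

The parameterized version is also what a remediation report should recommend after a Sqlmap finding: escaping or filtering quotes is fragile, whereas bound parameters remove the problem entirely.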

Part 1 – discovering databases

To get started with this exercise, please follow these steps:

  1. Power on both your Kali Linux and OWASP BWA virtual machines. When the OWASP BWA virtual machine boots, the banner will provide its IP address and user credentials, as shown here:

    Figure 16.20 – OWASP...

Understanding cross-site scripting

Cross-site scripting (XSS) is a type of injection-based attack that allows a threat actor to inject client-side scripts into a vulnerable web application. When anyone visits a web page containing the XSS code, the page is downloaded to the client's web browser, which executes the malicious script in the background. XSS attacks exploit web application security vulnerabilities in dynamically generated web pages. Threat actors usually perform XSS attacks on vulnerable applications for various reasons, such as redirecting a user to a malicious URL, data theft, manipulation, displaying hidden IFrames, and showing pop-up windows in a victim's web browser.

As an aspiring ethical hacker and penetration tester, it's important to understand the characteristics of the following types of XSS attacks:

  • Stored XSS
  • Reflected XSS
  • Cross-site request forgery (CSRF)

Stored XSS is persistent on...
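Whether the payload is stored or reflected, the page becomes dangerous at the moment untrusted input is written into HTML without output encoding. The following is an added example, not from the book, showing a vulnerable render function beside its encoded form, together with a Content-Security-Policy value as a second layer; the comment text, the page markup, and the policy value are constructed for the example. The same injected script tag is how the BeEF hook in the next section reaches a browser, so output encoding is the defence for both.

```python
import html
import re

# Constructed sample: a comment submitted to a guestbook-style page. The script
# tag is the textbook probe; a BeEF hook is delivered the same way, as a script
# tag whose src points at the hook URL.
UNTRUSTED_COMMENT = "<script>alert('xss')</script> nice site!"


def render_vulnerable(comment):
    # Raw interpolation: the browser parses the submitted text as markup, so
    # the script tag is executed in every visitor's browser (stored XSS).
    return '<div class="comment">%s</div>' % comment


def render_safe(comment):
    # HTML-body output encoding: < > & " ' become entities, so the browser
    # displays the text of the tag instead of executing it.
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_script(markup):
    """Crude check used only to show the difference: is there an unescaped script tag?"""
    return SCRIPT_TAG.search(markup) is not None


def csp_header():
    """Content-Security-Policy value that refuses inline and third-party scripts,
    a second layer in case an encoding bug slips through. (Constructed for the
    example; a real policy is tuned per site.)"""
    return "default-src 'self'; script-src 'self'; object-src 'none'"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(UNTRUSTED_COMMENT))
    print("safe      :", render_safe(UNTRUSTED_COMMENT))
    print("Content-Security-Policy:", csp_header())
```

Output encoding must match the context the data lands in (HTML body here); data written into a JavaScript string, a URL, or an attribute needs the encoding for that context instead.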

Performing client-side attacks

The Browser Exploitation Framework (BeEF) is a security auditing tool used by penetration testers to assess the security posture of systems and networks and discover their vulnerabilities. It allows you to hook a client's web browser and exploit it by injecting client-side attacks. Hooking is the process of getting a victim to visit a web page that contains custom/malicious JavaScript code. This JavaScript code is then processed by the victim's web browser and binds that browser to the BeEF server running on your Kali Linux machine, allowing the penetration tester to control the victim's system and perform various client-side attacks.

In this section, you will learn how to use BeEF to perform a social engineering client-side attack, hook a victim's web browser, and control their system without their knowledge. For this exercise, you will need to use Kali Linux and one of the Windows 10 Enterprise virtual machines...

Summary

During this chapter, you learned about additional web application security risks and have gained hands-on experience in discovering and exploiting those security vulnerabilities. Furthermore, you have learned how to use various tools such as Burp Suite, Sqlmap, and BeEF to exploit security flaws in vulnerable web applications.

I hope this chapter has been informative for you and is helpful in your journey as an aspiring penetration tester, learning how to simulate real-world cyber-attacks to discover security vulnerabilities and perform exploitation using Kali Linux. In the next chapter, Best Practices for the Real World, you will get additional guidance as an aspiring ethical hacker and penetration tester who is entering the world of cybersecurity.

Further reading

To learn more about the topics that were covered in this chapter, please go to the following links:
