
You're reading from The Ultimate Kali Linux Book - Third Edition

Product typeBook
Published inApr 2024
PublisherPackt
ISBN-139781835085806
Edition3rd Edition
Author (1)
Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

Understanding Website Application Security

As an aspiring ethical hacker and penetration tester, you will encounter a lot of organizations that develop and deploy web applications, whether those applications are available only to their internal employees or publicly available to users on the internet. The number of web applications on the internet is continuously increasing, as more organizations are creating their online presence to support their potential and existing customers.

During this chapter, you will learn about the importance of and need for performing web application penetration testing. You will discover how the Open Web Application Security Project (OWASP) Top 10 helps cybersecurity professionals such as penetration testers to discover security vulnerabilities within web applications. You will gain the skills to perform vulnerability discovery and exploitation on a web application while using the OWASP Top 10 as a methodological approach.

In this chapter, we will cover the following...

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

Understanding web applications

As we use the internet each day, we commonly interact with web applications, whether we are performing a transaction at our favorite e-commerce website or using an online learning management system (LMS) for e-learning with an educational provider. Web applications are all around us and are used by many industries, such as education, banking, manufacturing, entertainment, e-commerce/e-business, and even government services. They allow organizations to provide electronic services to their users and customers by simply using the internet and a web browser.

Imagine you’re enrolled to complete an academic program within a university. After your registration, the university sends you access to their e-learning online platform, which contains a lot of study resources to help you with your studies during the course of your program. For the university to deliver the resources to their students (users), a web application needs to be deployed on a web server...

Exploring the OWASP Top 10: 2021

OWASP is a community-led and driven non-profit foundation that helps everyone understand how to better secure their web applications during the development and post-development phases. Web application developers will learn about secure coding practices and how to fuzz their application to ensure it can handle any type of input without crashing and leaking sensitive information. Fuzzing is the process of sending malformed data into a web application during the development phase to determine how the web application handles the input, whether the application crashes or even leaks sensitive information. The results from fuzzing help application developers identify vulnerabilities and improve their coding to ensure their application is built using secure coding practices. Many types of web applications have been found to be vulnerable and exploited by threat actors.

Hence, OWASP provides a lot of resources, such as documentation, tools, and...

Getting started with FoxyProxy and Burp Suite

Burp Suite is a very popular web application security vulnerability and exploitation tool that is commonly used among web application security professionals and penetration testers within the industry.

Burp Suite is a proxy-based tool that enables a penetration tester to intercept the communication messages between the attacker’s web browser and the targeted web application, allowing the penetration tester to modify the request messages from the client side. Put simply, the penetration tester will use Burp Suite as an intercepting proxy, which will capture any request messages originating from the web browser on their machine, allowing the penetration tester to modify the field in the request message and then forward it to the targeted web application server.

The following diagram shows a visual representation of Burp Suite as an intercepting proxy:

Figure 16.4: Burp Suite proxy placement

As shown in the preceding...

Understanding injection-based attacks

Injection-based attacks allow threat actors and penetration testers to inject customized code into an input field within a form on a web application. Because the web application operates in a client-server, request-response model, it will process the input and return a response. However, if a user submits malformed code to a login form on a web application, the user may be able to retrieve sensitive information from the web application and the database server, and even perform operations on the host operating system that's running the vulnerable web application.

Without proper validation and sanitization of users’ input, threat actors are able to determine whether a web application has security vulnerabilities, manipulate the data stored within the backend database server, and even perform command-injection attacks on the host operating system.
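As an added illustration (not code from the book), the following shows a login check that splices user input into its SQL query beside the hardened version that validates the username and uses a parameterised query. It uses Python's built-in sqlite3 with a constructed in-memory user table; the table layout, function names, and sample accounts are assumptions.

```python
import hashlib
import re
import sqlite3

# Allow-list for usernames: letters, digits and underscore only (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def hash_pw(pw: str) -> str:
    # Unsalted SHA-256 keeps the example short; a production app would use a
    # salted, slow password hash such as hashlib.pbkdf2_hmac or scrypt.
    return hashlib.sha256(pw.encode()).hexdigest()

def build_db() -> sqlite3.Connection:
    # Constructed in-memory user table (sample data, not from the book).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    for user, pw in [("admin", "S3cret!"), ("alice", "wonderland")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, hash_pw(pw)))
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is spliced straight into the SQL text, so a quote character
    # in the input changes the structure of the query instead of being data.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{hash_pw(password)}'")
    return conn.execute(sql).fetchone()[0] > 0

def validate_username(username: str) -> bool:
    # Input validation: reject anything outside the allow-listed character set.
    return USERNAME_RE.match(username) is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Validation plus a parameterised query: the driver binds the values
    # separately from the SQL, so input can never alter the WHERE clause.
    if not validate_username(username):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, hash_pw(password))).fetchone()
    return row[0] > 0

if __name__ == "__main__":
    db = build_db()
    probe = "admin' --"  # constructed malformed input: a quote plus an SQL comment
    print("vulnerable, correct creds:", login_vulnerable(db, "admin", "S3cret!"))
    print("vulnerable, malformed user:", login_vulnerable(db, probe, "wrong"))
    print("safe, malformed user:", login_safe(db, probe, "wrong"))
```

Running the script shows the unsanitized query accepting the malformed username without a valid password, while the hardened version rejects it.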

Let’s consider a targeted web application that...

Exploring broken access control attacks

Broken access controls permit both authenticated and unauthenticated users to perform actions on a web application or systems that are not permitted. Implementing access controls on a system and even web applications helps administrators restrict access to sensitive and confidential directories and data from unauthorized users.

However, many organizations implement a pre-built, ready-to-use web application framework on their web server, and many such frameworks ship with default security configurations. If these are deployed without following best practices, threat actors can simply gain unauthorized access by exploiting the broken access control mechanisms.

In this section, you will gain hands-on experience in discovering and exploiting the security vulnerabilities of broken access control on a vulnerable web application such as OWASP Juice Shop.

To get started with this exercise, please follow these instructions...

Discovering cryptographic failures

Cryptographic failures on a web application refer to the security vulnerabilities found within a web application that allow a threat actor to gain access to confidential data, such as users' credentials, that is either stored on a server or transmitted over a network.

When deploying web applications, it's always important to follow best practices by using recommended cryptographic solutions, such as secure encryption algorithms, to ensure data in motion, data at rest, and data in use are always kept safe from unauthorized users, such as threat actors.

If a developer implements a weak or insecure encryption algorithm within a web application, threat actors can simply discover the type of encryption algorithm being used and its security vulnerabilities. Once a vulnerability is found, it’s only a matter of time until that vulnerability is exploited by a threat actor. As a penetration tester, understanding how to test...

Understanding insecure design

Insecure design focuses on understanding how security risks increase when a web application is not developed, tested, and implemented properly on a system. When designing a web application, the organization usually ensures the code passes through each phase of a secure development life cycle (SDLC), which helps developers thoroughly test the application to ensure there are as few security risks as possible.

This approach ensures the web application is built using secure coding practices and secure design, secure library components of programming languages, and even threat modeling to help understand how threat actors may be able to compromise the web application. Without secure design, the security posture of the web application is left very vulnerable to various types of web application attacks. Overall, it is important that developers and organizations implement proper development, security testing, and maintenance on their web applications and servers...

Exploring security misconfiguration

Sometimes, web applications are deployed without using security best practices or ensuring either the web application or the web server is hardened to prevent a cyberattack. Without proper security configurations and practices, threat actors are able to enumerate and exploit vulnerable services running on the web server. A simple example of security misconfiguration is administrators leaving unnecessary running services and open service ports on a web server; typically, a web server should not have any open service ports except those that are required, such as port 443 for HTTPS and 22 for Secure Shell (SSH). Threat actors will perform port scanning on their targets to identify any open ports and running services, which will allow them to remotely test for security vulnerabilities on the web server and exploit the system.

Most commonly, you will discover that a lot of devices, such as web servers, are using default accounts, which is a huge...

Summary

During the course of this chapter, you have discovered the fundamentals of web applications and how HTTP operates between a web browser and a web application. You have also learned how the OWASP Top 10 list of security risks for web applications helps cybersecurity professionals improve the security of web servers and their applications. Furthermore, you have gained the skills for simulating various types of web application cyberattacks on vulnerable applications to discover and exploit security vulnerabilities on a target. When simulating attacks, it should be done in a controlled, ethical environment, such as a lab setup or with permission from the application owner.

I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path toward becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding empower you in your journey, allowing you to navigate the industry...

Further reading

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet
