The Ultimate Kali Linux Book - Third Edition

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781835085806
Edition: 3rd Edition

Author: Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

Advanced Website Penetration Testing

As you progress along your cybersecurity journey, you will encounter a lot of malpractice, such as administrative oversights, technical misconfigurations, and procedural weaknesses, within organizations that often lead to their systems and networks being compromised by a threat actor. As an aspiring ethical hacker and penetration tester, you must test for everything that’s within your penetration testing scope, even if it’s something you think is very minor within the IT industry. Many organizations use default user accounts, default configurations, outdated applications, unsecure network protocols, and so on. Being able to compromise the easiest security vulnerability within a web application is all it takes sometimes to gain a bigger doorway into the organization.

In this chapter, you will learn how to discover security vulnerabilities within a vulnerable web application. You will learn how the security risk increases when organizations...

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

Identifying vulnerable and outdated components

As aspiring ethical hackers and penetration testers, we often assume that every organization takes a strict approach to implementing solutions using best practices and ensures its IT infrastructure has the latest patches and secure configurations. However, many organizations have been compromised by threat actors due to vulnerabilities found in their web applications and in components on their servers.

Using vulnerable and outdated components means an organization is running applications and components that the vendor no longer supports, which increases the risk of a successful cyber-attack. Furthermore, if an organization does not frequently perform security testing on its web applications to discover new security flaws, it is left open to new and emerging cyber-attacks and threats.

In the following exercise, you will learn how to use Burp Suite to discover and exploit broken access...

Exploiting identification and authentication failures

Sometimes, a web application may not be configured to handle user authentication correctly and allows unauthorized users, such as threat actors, to gain access to restricted resources. If a web application's authentication mechanism is poorly designed, threat actors can perform various types of attacks, such as brute force, password spraying, and credential stuffing, and use default user credentials as a way to gain access to the web application and web server. Sometimes, web administrators use default configurations, default user accounts, and even weak passwords, which simplify the threat actor's attack.

Therefore, during a web application penetration test, it’s important to test for identification and authentication failures and determine whether the web application can be exploited due to such failures. In the following sub-section, you will learn how to test authentication failures on...

Understanding software and data integrity failures

This type of security risk focuses on web applications that cannot protect their assets and data against integrity-based attacks. Imagine a threat actor leveraging a security flaw within a web application by uploading their custom malicious patch to a distribution system. If the distribution system does not perform integrity checking on the patch, the malicious patch can be distributed to clients' systems, causing the malware to be spread across the internet.

Hence, failure to verify the integrity of a file or data means there’s no checking whether the file or data is accurate, complete, and consistent. Implementing integrity-checking measures such as hashing algorithms enables users and systems to verify the integrity of a file or data before and after transmission.
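The integrity check described above, as an added example that is not from the book: a file (or patch) is accepted only if its SHA-256 digest matches the digest published in a manifest that was obtained over a trusted channel. The sample patch bytes and manifest entries are constructed for the demonstration; the function and variable names are the example's own.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True only if the data hashes to the expected digest.

    compare_digest is constant-time, so a mismatch does not leak how many
    leading characters of the digest happened to match.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def check_manifest(files: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Return the names of files that must be rejected.

    A file is rejected when it has no manifest entry (unknown artefact) or when
    its digest does not match the manifest. The manifest itself must come from
    a trusted, authenticated source (for example a signed release file);
    a digest shipped alongside the file by the same uploader proves nothing.
    """
    rejected = []
    for name, content in files.items():
        expected = manifest.get(name)
        if expected is None or not verify_integrity(content, expected):
            rejected.append(name)
    return rejected


# Constructed sample data: a genuine patch, a tampered copy and an unlisted file.
GENUINE_PATCH = b"abc"
TAMPERED_PATCH = b"abd"
# SHA-256("abc"), a well-known test vector, stands in for the vendor-published digest.
MANIFEST = {
    "patch-1.0.bin": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def demo() -> list[str]:
    """Run the check over a constructed download set and return the rejects."""
    downloads = {
        "patch-1.0.bin": TAMPERED_PATCH,   # attacker-modified bytes, same name
        "patch-1.1.bin": GENUINE_PATCH,    # not listed in the manifest at all
    }
    return check_manifest(downloads, MANIFEST)


if __name__ == "__main__":
    print("rejected:", demo())
```

Both downloads in `demo()` are rejected: the first because its content no longer matches the published digest, the second because an artefact with no manifest entry cannot be verified at all, which is the safe default for a distribution system.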

To learn more about software and data integrity failures, please see the official OWASP documentation at https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures...

Exploring server-side request forgery

Server-side request forgery (SSRF) is a security vulnerability that’s found within web applications that allows a threat actor to retrieve resources from other systems on the network via the vulnerable web application. For instance, threat actors can gain unauthorized access to resources, perform data exfiltration and remote code execution, and even bypass security controls on a targeted web application. Imagine you’re a threat actor and you’ve discovered a vulnerable web application that allows you to proxy your attacks to other systems on the same network connection, allowing you to perform port scanning and file retrieval.

SSRF is possible when a web application does not validate and sanitize the user-supplied URL in HTTP request messages. A web application can mitigate SSRF by, for instance, implementing strict policies that validate all user input against a whitelist of permitted IP addresses or permitted domains. These whitelists can be used to...
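The whitelist validation just described, as an added example that is not from the book: before the server fetches a user-supplied URL, the URL is parsed and rejected unless its scheme, host and port are all on the permitted list. The allowed host `api.example.com` and the test URLs are constructed for the demonstration; `is_allowed_url` and the constant names are the example's own.

```python
from urllib.parse import urlsplit

# Only plain web schemes; file:, gopher:, ftp: etc. are never fetched on a user's behalf.
ALLOWED_SCHEMES = frozenset({"http", "https"})
# Only the default web ports (None means the scheme's default port was used).
ALLOWED_PORTS = frozenset({None, 80, 443})


def is_allowed_url(url: str, allowed_hosts: frozenset[str]) -> bool:
    """Return True only if every part of the URL is explicitly permitted.

    The host check is an exact match after normalisation, so
    'api.example.com.attacker.test' or 'attacker.test/api.example.com'
    do not pass. URLs carrying user-info ('user@host') are rejected outright
    because different parsers disagree about which part is the host.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False

    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lower-cases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False

    host = (parts.hostname or "").rstrip(".").lower()   # hostname is already lower-cased
    if not host or host not in allowed_hosts:
        return False
    return port in ALLOWED_PORTS


# Constructed allowlist for the demo: the one upstream API this application may call.
ALLOWED_HOSTS = frozenset({"api.example.com"})


def classify(urls: list[str]) -> dict[str, bool]:
    """Apply the check to a batch of candidate URLs (used by the demo below)."""
    return {u: is_allowed_url(u, ALLOWED_HOSTS) for u in urls}


if __name__ == "__main__":
    for url, ok in classify([
        "https://api.example.com/v1/status",
        "HTTPS://API.EXAMPLE.COM./v1/status",
        "https://api.example.com:8443/v1/status",
        "https://api.example.com.attacker.test/",
        "https://api.example.com@attacker.test/",
        "http://10.0.0.5/internal",
        "file:///etc/hostname",
    ]).items():
        print(("ALLOW " if ok else "REJECT"), url)
```

This check validates the URL string only. A complete defence also makes the HTTP client refuse to follow redirects (or re-validates each redirect target) and, where hostnames are allowed rather than IP addresses, resolves the name and confirms the resulting address is not internal before connecting, since the allowlist cannot see what DNS returns at fetch time.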

Understanding security logging and monitoring failures

When monitoring the security posture of an organization, cybersecurity professionals need to ensure that all their systems, devices, and applications send sufficient logs, such as login attempts, configuration changes, and network traffic anomalies, to their Security Information and Event Management (SIEM) tool and their logging servers for accountability. Each log message should contain specific identifiers such as time and date stamps, user and process identifiers, details of any error messages, and even the 5-tuple (source IP address, destination IP address, source port number, destination port number, and protocol). If web applications and web servers do not provide sufficient logging, it is very challenging for cybersecurity professionals to detect and determine what occurred during a system breach. In addition, secure log management practices include the encryption of log data, access controls, and regular verification...

Understanding cross-site scripting

Cross-site scripting (XSS) is a type of injection-based attack (these were introduced in the previous chapter) that allows a threat actor to inject client-side scripts into a vulnerable web application. When anyone visits the web page containing the XSS code, the web page is downloaded to the client's web browser and the malicious scripts execute automatically in the background. XSS attacks are carried out by exploiting web application security vulnerabilities in a dynamically created web page.
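The root cause of XSS and its standard fix side by side, as an added example that is not from the book: a dynamically generated page that reflects a request parameter verbatim is vulnerable, while the same page becomes safe when the untrusted value is HTML-encoded for the context it is placed in. The sample input and the function names are constructed for the demonstration.

```python
import html

# Constructed untrusted input: the kind of value a threat actor would place in a
# request parameter to test whether the page reflects it unmodified.
UNTRUSTED = '<script>alert("xss")</script>'


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the query is inserted into the HTML exactly as submitted."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Hardened: <, >, &, \" and ' are encoded, so the browser renders the value as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_safe(value: str) -> str:
    """Attribute context: the value must be both encoded and enclosed in quotes.

    Encoding alone is not enough here; an unquoted attribute value can be
    terminated by a space, so quote=True and the surrounding quotes are both needed.
    """
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def is_reflected_raw(page: str, payload: str) -> bool:
    """Defensive regression check: does the rendered page still contain the payload verbatim?"""
    return payload in page


if __name__ == "__main__":
    print("unsafe reflects raw payload:", is_reflected_raw(render_search_unsafe(UNTRUSTED), UNTRUSTED))
    print("safe   reflects raw payload:", is_reflected_raw(render_search_safe(UNTRUSTED), UNTRUSTED))
    print(render_search_safe(UNTRUSTED))
    print(render_attr_safe('" onmouseover="x'))
```

Output encoding must match the context (HTML body, attribute, JavaScript string, URL); `html.escape` covers the first two, and a template engine with auto-escaping enabled applies this by default. A Content-Security-Policy header limits the damage when encoding is missed, but it is a second layer, not a replacement.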

Threat actors usually perform XSS attacks on vulnerable applications for various reasons, such as redirecting a user to a malicious URL, data theft, manipulation, displaying hidden iframes, and showing pop-up windows on a victim’s web browser. As an aspiring ethical hacker and penetration tester, it’s important to understand the characteristics of various types of XSS attacks, as follows:

  • Stored XSS
  • Reflected...

Automating SQL injection attacks

sqlmap is an automated tool for detecting and exploiting SQL injection vulnerabilities in a web application. The tool also allows you to perform exploitation attacks, manipulate records, and retrieve data from the backend database of vulnerable web applications. Overall, using automation during a web application penetration testing exercise can save you a lot of time when you're looking for security flaws.

In this section, you will learn how to use sqlmap to easily identify SQL injection flaws within a vulnerable web application and retrieve sensitive data.

Part 1 – Discovering databases

To get started with this exercise, please follow these steps:

  1. Power on both your Kali Linux and Metasploitable 2 virtual machines. When the Metasploitable 2 virtual machine boots, log in using msfadmin/msfadmin as the username and password. Then, use the ip address command to retrieve its IP address...

Performing client-side attacks

The Browser Exploitation Framework (BeEF) is a security auditing tool that's used by penetration testers to assess the security posture and discover vulnerabilities in systems and networks. It allows you to hook a client's web browser and exploit it by injecting client-side attacks. Hooking is the process of getting a victim to visit a web page that contains custom/malicious JavaScript code. This JavaScript code is then processed by the victim's web browser and binds their web browser to the BeEF server running on your Kali Linux machine, allowing the penetration tester to control the victim's system and perform various client-side attacks.

In this section, you will learn how to use BeEF to perform a social engineering client-side attack, hook a victim’s web browser, and control their system without their knowledge. For this exercise, you will need to use Kali Linux and one of the Windows 10 Enterprise virtual...

Summary

In this chapter, you learned about additional web application security risks and gained hands-on experience in discovering and exploiting those security vulnerabilities. Furthermore, you learned how to use tools such as Burp Suite, sqlmap, and BeEF to exploit security flaws in vulnerable web applications.

I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path toward becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding empower you in your journey, allowing you to navigate the industry with confidence and make a significant impact.

In the next chapter, Best Practices for the Real World, you will learn about various guidelines that should be followed by all penetration testers, the importance of creating a checklist for penetration testing, some cool hacker gadgets, and how to set up remote access to securely access your penetration...

Further reading

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet
