SEC542: Web App Penetration Testing and Ethical Hacking™

Overview

Successful web application penetration testing hinges on understanding the attacker's perspective. This course begins with an in-depth look at foundational web technologies from this viewpoint, covering protocols, languages, clients, and server architectures. Special emphasis is placed on techniques for DNS reconnaissance, including the discovery and analysis of virtual hosts, as well as understanding the nuances of the HTTP protocol, such as HTTP response and cookie security controls, and HTTP methods.

A key component of the course is the OWASP-developed assessment methodology, which plays a pivotal role in delivering high-quality assessments. Essential tools in a penetration tester's toolkit are discussed, with a particular focus on interception proxies. Students are guided through the initial configuration of important tools like the Zed Attack Proxy (ZAP) and BurpSuite Professional. Both tools are extensively used for proxying SSL traffic and exploring vulnerable web applications.

Section one also delves into the intricacies of Secure Sockets Layer (SSL) configurations, highlighting common weaknesses. It guides students through the process of target discovery and profiling, utilizing tools like cURL, nmap, and testssl.sh for content discovery and spidering/crawling of web applications. Hands-on labs provide practical experience in reconnaissance to identify potential configuration flaws and build a comprehensive profile of each server

Topics

• Overview of the web from a penetration tester's perspective
• Web application assessment methodologies
• The penetration tester's toolkit
• Interception proxies
• Proxying SSL through BurpSuite Pro and Zed Attack Proxy
• DNS reconnaissance
• Virtual host discovery
• The HTTP protocol
  • HTTP response security controls
  • Cookie security controls
  • HTTP methods
• Secure Sockets Layer (SSL) configurations and weaknesses
• Target discovery and profiling
• Content Discovery: Spidering/Crawling

Overview

This section of the course continues the information gathering process, introducing essential techniques such as fuzzing, vulnerability scanning, and forced browsing. These methods, complementing the initial steps discussed in the previous section, are crucial for acquiring the comprehensive details needed to effectively analyze vulnerabilities in web applications. Emphasizing the significance of this phase in the penetration testing process, the course includes many hands-on labs. These labs are designed to enhance students' proficiency with essential tools such as interception proxies and command line utilities like ffuf, ensuring a comprehensive understanding of both the theory and practice of these advanced testing methods.

As vulnerability scanning and forced browsing progress, the course next addresses key elements of web application assessments: authentication, authorization, and session management. Students are introduced to a range of authentication mechanisms, including Basic, Digest, Forms, Windows Integrated, SAML, and OAuth. The course not only explains the workings of these technologies but also delves into various attack vectors associated with them. Practical exercises include username enumeration, password guessing, and leveraging both interception proxies and command-line fuzzers. Additionally, a dedicated lab utilizing Burp Suite's Sequencer feature provides hands-on experience in identifying predictable session identifiers, a key skill in assessing session security.

Topics

• Fuzzing
• Information Leakage
• Burp Professional's Vulnerability Scanning
• Content Discovery: Forced Browsing
• Finding unlinked content with ZAP and ffuf
• Web authentication mechanisms
• Federated Identity and Access Protocols (SAML and OAuth)
• JWTs and Flask Session Cookies
• Username harvesting and password guessing
• Session management and attacks
• Burp sequencer

Overview

Section 3 of the course delves into authentication and authorization bypasses, illustrating how these vulnerabilities can expose sensitive data and business functions to attackers. It wraps up with a hands-on lab where students exploit authentication and authorization flaws in Mutillidae, providing practical experience in identifying and leveraging such weaknesses.

At this point in the course, we consider that the results of vulnerability scans should be available. Students will work with common vulnerabilities and investigate those that necessitate manual, human intervention. This phase leverages the knowledge gained from earlier exercises in target profiling, spidering, and forced browsing, enhancing students' abilities to uncover and validate vulnerabilities within an application.

A significant focus is placed on manual testing techniques for vulnerability discovery, particularly using interception proxies. The course introduces various common injection flaws, including command injection, local file inclusion (LFI), and remote file inclusion (RFI), each complemented by lab exercises for practical application and reinforcement of the concepts.

In addition, the course covers the intricate topic of insecure deserialization in object-oriented programming languages. Through the accompanying lab, students will exploit a Java insecure deserialization vulnerability to extract a secret file from a vulnerable web application, demonstrating the complexity and impact of chaining vulnerabilities.

A substantial portion of this section is dedicated to SQL injection, given its prevalence and the significant impact it can have. This includes traditional and blind SQL injection, error-based SQL injection, and the exploitation of these vulnerabilities. Students will learn both the theoretical aspects and practical application, including the use of specialized tools like sqlmap, to master this critical area of web application penetration testing.

Topics

• Authentication and authorization bypass
• Command injection: Blind and Non-Blind
• Directory traversal
• Local File Inclusion (LFI)
• Remote File Inclusion (RFI)
• Insecure Deserialization
• SQL injection
• Blind SQL injection
• Error-based SQL injection
• Exploiting SQL injection
• SQL injection tools: sqlmap

Overview

Section four advances the exploration of injection flaws, with a focus on Cross-Site Scripting (XSS) vulnerabilities, encompassing reflected, stored, and DOM-based XSS. The section emphasizes manual discovery methods through hands-on labs, where students utilize developer tools in browsers to analyze client-side JavaScript in modern web applications.

This section also introduces the Browser Exploitation Framework (BeEF), a tool used in multiple labs. The course delves into AJAX, examining how it extends the attack surface for penetration testers and interacts with other vulnerabilities previously covered.

The use of tools like Postman and SOAPUI are reviewed with respect to working with REST (Representational State Transfer) and SOAP (Simple Object Access Protocol) APIs, providing insights into these web services. Section four concludes with an in-depth look at server-side request forgery (SSRF) and XML external entities (XXE), each accompanied by a lab exercise. The SSRF lab, in particular, demonstrates the chaining of multiple vulnerabilities, integrating concepts and techniques learned earlier in the course.

Topics

• Cross-Site Scripting (XSS)
• Browser Exploitation Framework (BeEF)
• AJAX
• XML and JSON
• Document Object Model (DOM)
• API attacks
• Data attacks
• REST and SOAP
• Prototype Pollution
• Server-Side Request Forgery (SSRF)
• XML External Entity (XXE)

Overview

Section five escalates the course to actual exploitation of real-world applications, demonstrating how to expand a foothold within an application and extend it to the network it resides on. This part of the course emphasizes leveraging previously discovered vulnerabilities to gain deeper access, underscoring the cyclical nature of web application penetration testing.

The section acknowledges that modern web applications are often inadequately monitored, presenting opportunities for attackers to exploit vulnerabilities undetected. To address this, the course briefly looks into logging configuration and basic incident response testing, emphasizing the importance of proper monitoring for security events.

A focused discussion on the OWASP Top 10 for Large Language Models (LLM) provides insights into common vulnerabilities in web applications utilizing LLM technology.

In the exploitation phase, the course expands on the use of tools such as ZAP, BurpSuite Pro, sqlmap, and Metasploit to craft exploits against various web applications. Students engage in practical exercises, launching SQL injection and Cross-Site Request Forgery attacks, among others. These exercises include data theft, session hijacking, website defacement, shell gaining, network pivoting, and more, offering a comprehensive understanding of the potential business impacts of these flaws.

Students are also introduced to Nuclei, a modern, open-source vulnerability scanner popular among bug bounty hunters, in a lab that combines its use with Metasploit.

The final lab of section five presents a challenging scenario where a Metasploit module fails to exploit a confirmed vulnerability. Students learn to research the flaw, manually exploit it, and then modify the Metasploit module to successfully gain a shell, equipping them with skills to go beyond automated tools.

The course concludes with guidance on preparing for penetration testing assessments and essential post-assessment activities, including report writing.

Topics

• Cross-Site Request Forgery (CSRF)
• Logic Flaws
• Logging and monitoring
• Python for web app penetration testing
• WPScan
• ExploitDB
• BurpSuite Pro scanner
• Nuclei
• Metasploit
• When tools fail
• Business of Penetration Testing:
  • Preparation
  • Post Assessment and Reporting

Overview

During section six, students form teams and compete in a web application penetration testing tournament. This Netwars-powered Capture-the-Flag exercise provides students an opportunity to wield their newly developed or further-honed skills to answer questions, complete missions, and exfiltrate data, applying skills gained throughout the course. The style of challenge and integrated hint system allows students of various skill levels to both enjoy a game environment and solidify the skills learned in class.