Web Application Penetration Testing Overview

Jul 18, 2024

Lecture: Web Application Penetration Testing Series by Floyd

Introduction

  • Purpose: Introduction to the web application penetration testing series.
  • Target Audience: Beginners interested in learning bug bounty hunting.
  • Core Tool: Burp Suite – an integrated platform for performing security testing of web applications.

Setting Up Burp Suite

  1. Download and Installation:
    • Available on Windows, Linux (e.g., Kali, ParrotOS).
    • Community version is free; professional version is recommended for advanced users.
  2. Configuring Proxy in Firefox:
    • Go to Preferences > Network Settings > Manual Proxy Configuration.
    • Set proxy to localhost:8080 and use it for all protocols.
  3. Launching Burp Suite:
    • Start a temporary project if using the community version.
    • Use Burp defaults for initial setup.

Burp Suite Interface Overview

  • Tabs: Target, Proxy, Spider, Scanner, Repeater, Sequencer, Decoder, Comparer, Extender, Project Options, User Options, Alerts.
  • Proxy Listener: Ensure it's set to localhost:8080.
  • Intercepting Traffic: Turn intercept on/off as needed.
  • HTTP History: View GET and POST requests.

Practical Demonstration: Intercepting Example.com

  • Steps to Intercept:
    • Set up localhost:8080 proxy in Firefox.
    • Open Burp Suite and ensure intercept is on.
    • Visit a webpage and observe intercepted GET requests.
  • Analyzing HTTP Headers:
    • Inspect requests and responses in HTTP History.
    • Understand the request line (the GET or POST method and the path) and headers such as Host, User-Agent, and others.

Advanced Features of Burp Suite

Spidering

  • Purpose: Mapping out a web application to find files, forms, and links.
  • Automatic Spidering:
    • Procedure: Spider follows links to discover content.
    • Settings: Adjust link depth, request headers, form submissions, etc.
  • Control Tab: Start/stop spidering, clear queues.
  • Options Tab: Configure crawling behavior, form submissions, spider engine, etc.
  • Spidering Practical:
    • Define scope and spider a web application.
    • Examine results for discovered links and directories.

Examples Using Damn Vulnerable Web Application (DVWA) and Metasploitable2

  • Setup: Run vulnerable applications on Metasploitable2 (get local IP, access via browser).
  • Performing Spidering: Target DVWA, map the application.
  • Demonstrations: Brute-forcing login pages using Intruder, manipulating intercepted requests.

Using ZAP (Zed Attack Proxy)

  • Introduction: Alternative to Burp Suite, free and powerful.
  • Setup: Similar proxy configuration as Burp Suite.
  • Forced Browsing: Discover hidden files and directories.
  • Practical Use: Spidering sites, analyzing results with ZAP.

Cross-Site Scripting (XSS)

  • Types: Reflected, Stored, DOM-based.
  • Reflected XSS: Script injected via URL parameters and echoed back by the server, executing immediately in the response.
  • Stored XSS: Script injected into data the server stores and later serves to other users (e.g., blog comments).
  • DOM-Based XSS: Payload handled by client-side JavaScript (e.g., in AJAX-driven pages) rather than by the server.
  • Example Attacks:
    • Testing using OWASP Juice Shop and WebGoat.
    • Injecting JS code to trigger alerts or perform malicious actions.

Cross-Site Request Forgery (CSRF)

  • Definition: Attacker tricks a user into executing unwanted actions on a web application where they are authenticated.
  • Procedure:
    • The victim must be logged in to the target application.
    • The attacker crafts the unauthorized request and delivers it to the victim.
    • Example: Changing a user's password via CSRF.
  • Practical Demonstration: Using Burp Suite and custom scripts.

Session Management and Cookies

  • Types of Cookies: Session, Permanent, Third-party.
  • Importance: Track user sessions, authenticate users.
  • Cookie Manipulation: Analyze cookies using tools like cookie editors.
  • Security Attributes: HttpOnly, Secure, etc.
  • Practical Example: Viewing and manipulating cookies using OWASP Juice Shop.
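The cookie attributes above are what you check in each Set-Cookie header in Burp's HTTP history. As an added example (not code from the lecture), the script below parses a constructed raw HTTP response and reports, per cookie, whether it is persistent and which of HttpOnly, Secure and SameSite are missing; the cookie names and values are made up.

```python
from dataclasses import dataclass, field

# Constructed sample response, shaped like an entry in Burp's HTTP history.
# Cookie names and values are invented for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Set-Cookie: remember_me=1; Path=/; Max-Age=2592000; Secure\r\n"
    "Set-Cookie: tracking=xyz; Domain=.example.com; Path=/; SameSite=None\r\n"
    "\r\n"
    "<html>...</html>"
)

@dataclass
class CookieReport:
    name: str
    persistent: bool                              # Expires or Max-Age present
    missing: list = field(default_factory=list)   # attribute problems found

def parse_set_cookie(value):
    # Split "name=value; Attr; Attr=val" into the name and a dict of lower-cased attributes.
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(raw):
    # One CookieReport per Set-Cookie header in the response head.
    head = raw.split("\r\n\r\n", 1)[0]
    reports = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        hname, _, hvalue = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        report = CookieReport(name, "expires" in attrs or "max-age" in attrs)
        if "httponly" not in attrs:
            report.missing.append("HttpOnly")     # readable by script, so XSS can steal it
        if "secure" not in attrs:
            report.missing.append("Secure")       # may be sent over plaintext HTTP
        if "samesite" not in attrs:
            report.missing.append("SameSite")     # no cross-site request restriction
        elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
            report.missing.append("SameSite=None without Secure")  # browsers reject this
        reports.append(report)
    return reports
```

Run `audit_response(SAMPLE_RESPONSE)` and only `sessionid` comes back clean; the other two show exactly the gaps a cookie editor would let you exploit.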

Conclusion

  • Recap: Setup of Burp Suite, spidering, XSS, CSRF, session management using cookies.
  • Next Steps: Advanced testing techniques, using ZAP, finding hidden files.