Pentesting from Beginner to Advanced
Purpose
Provide a structured learning path for web application penetration testing, progressing from foundational concepts through advanced exploitation techniques. Guide learners through each phase of the web security assessment process.
Inputs/Prerequisites
- Basic computer and networking knowledge
- Kali Linux or security-focused OS
- BurpSuite installed and configured
- Lab environment (bWAPP, DVWA, or similar)
- Web browser with developer tools
Outputs/Deliverables
- Foundational web security knowledge
- Practical exploitation skills
- Understanding of OWASP Top 10
- Ability to conduct web application assessments
- Vulnerability identification and reporting skills
Core Workflow
Phase 1: History and Fundamentals
Understanding the Internet:
- Learn how the internet was developed
- Understand client-server architecture
- Grasp basic web communication models
Key Concepts:
- HTTP protocol fundamentals
- Request/response structure
- Client vs server-side processing
Phase 2: Web and Server Technology
HTTP Protocol Basics:
HTTP Request Structure:
GET /page HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Cookie: session=abc123
HTTP Response Structure:
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=xyz789
<html>...</html>
Essential Concepts:
| Topic | Description |
|---|---|
| HTTP Methods | GET, POST, PUT, DELETE, OPTIONS |
| Status Codes | 200 OK, 301 Redirect, 403 Forbidden, 404 Not Found, 500 Error |
| Headers | Request and response metadata |
| Cookies | Session management, tracking |
| Sessions | Server-side state management |
| URLs | Structure and parameters |
| REST APIs | Resource-based web services |
Encoding Types:
# URL Encoding
Space -> %20
< -> %3C
> -> %3E
" -> %22
# HTML Encoding
< -> &lt;
> -> &gt;
& -> &amp;
# Base64 Encoding
echo "text" | base64
echo "dGV4dAo=" | base64 -d
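The request shown above can be parsed, and the three encodings reproduced, with the Python standard library alone. This is an added example, not code from the original page; `RAW_REQUEST` is the page's sample request with a constructed query string and a second cookie added.

```python
import base64
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: the request shown above, with a query string added
RAW_REQUEST = (
    "GET /page?q=%3Cb%3Ehi%3C%2Fb%3E&id=7 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, decoded query, headers, cookies and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            key, _, value = pair.strip().partition("=")
            cookies[key] = value
    return {
        "method": method,
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},  # parse_qs URL-decodes
        "version": version,
        "headers": headers,
        "cookies": cookies,
        "body": body,
    }


def encodings(text):
    """Apply the three encodings listed above to one string."""
    return {
        "url": quote(text, safe=""),              # ' ' -> %20, '<' -> %3C
        "html": html.escape(text, quote=True),    # '<' -> &lt;, '"' -> &quot;
        "base64": base64.b64encode(text.encode()).decode(),
    }
```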
Phase 3: Lab Setup with BurpSuite
Install BurpSuite:
# Download from PortSwigger
# Configure browser proxy: 127.0.0.1:8080
# Import Burp CA certificate
Configure Browser:
- Set proxy to 127.0.0.1:8080
- Import BurpSuite CA certificate
- Disable certificate validation for testing
BurpSuite Modules:
| Module | Purpose |
|---|---|
| Proxy | Intercept and modify traffic |
| Repeater | Manually modify and resend requests |
| Intruder | Automated attacks and fuzzing |
| Scanner | Automated vulnerability detection |
| Decoder | Encode/decode data |
| Comparer | Compare responses |
| Sequencer | Analyze session token randomness |
Set Up Practice Lab:
# Install Docker
apt install docker.io
# Run bWAPP on host port 80
docker run -d -p 80:80 raesene/bwapp
# Run DVWA on a different host port so both labs can run at the same time
docker run -d -p 8081:80 vulnerables/web-dvwa
# Access at http://localhost (bWAPP) and http://localhost:8081 (DVWA)
Phase 4: Application Mapping
Discovery Techniques:
# Robots.txt analysis
curl http://target/robots.txt
# Directory brute forcing
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
dirbuster -u http://target -l /usr/share/wordlists/dirb/common.txt
# Spidering with Burp
# Right-click the host in Target > Site map and start a crawl (called Spider in older Burp versions)
Entry Point Identification:
- Forms and input fields
- URL parameters
- Hidden fields
- Cookies
- HTTP headers
Technology Fingerprinting:
# Whatweb
whatweb http://target
# Wappalyzer (browser extension)
# Nmap fingerprinting
nmap -sV --script http-enum target
# Banner grabbing
curl -I http://target
Phase 5: OWASP Top 10 Vulnerabilities
1. Injection (A03:2021)
# SQL Injection
' OR 1=1--
" OR ""="
'; DROP TABLE users;--
# Command Injection
; ls -la
| cat /etc/passwd
&& whoami
# LDAP Injection
*)(uid=*))(|(uid=*
2. Broken Authentication (A07:2021)
- Weak passwords
- Session fixation
- Credential stuffing
- Missing MFA
- Insecure password recovery
3. Cross-Site Scripting (A03:2021)
<!-- Reflected XSS -->
<script>alert('XSS')</script>
<!-- Stored XSS -->
<img src=x onerror="alert('XSS')">
<!-- DOM-based XSS -->
<svg onload="alert('XSS')">
<!-- Filter bypass -->
<ScRiPt>alert('XSS')</ScRiPt>
<img src="x" onerror="alert('XSS')">
4. Insecure Direct Object Reference (A01:2021)
# IDOR Examples
/api/user/123 -> /api/user/124
/download?id=1 -> /download?id=2
/invoice/10001 -> /invoice/10002
5. Security Misconfiguration (A05:2021)
- Default credentials
- Unnecessary features enabled
- Error messages revealing info
- Missing security headers
- Outdated software
6. Sensitive Data Exposure (A02:2021)
- Unencrypted transmission
- Weak encryption
- Exposed API keys
- Hardcoded credentials
- Information in error messages
7. Missing Access Controls (A01:2021)
- Horizontal privilege escalation
- Vertical privilege escalation
- Forced browsing to admin pages
- API without authentication
8. Cross-Site Request Forgery (A01:2021)
<!-- CSRF Attack Form -->
<form action="http://target/transfer" method="POST">
<input type="hidden" name="amount" value="10000">
<input type="hidden" name="to" value="attacker">
<input type="submit" value="Click Me!">
</form>
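The form above works because the browser attaches the victim's session cookie to the cross-site POST automatically. As an added example (not code from the page), the server-side check that defeats it: a random per-session token that every state-changing form must carry back, compared in constant time, plus a check of the browser's Origin header when present. `SESSIONS`, `transfer` and the `site` value are constructed for illustration.

```python
import hmac
import secrets

# Constructed session store (not from the page): session id -> session data
SESSIONS = {"abc123": {"user": "alice"}}


def issue_csrf_token(session_id):
    """Create a random token, store it with the session, and embed it in every state-changing form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf"] = token
    return token


def transfer_vulnerable(session_id, form):
    """Acts on the session cookie alone, so the form above succeeds when a logged-in user clicks it."""
    user = SESSIONS[session_id]["user"]
    return f"{user} sent {form['amount']} to {form['to']}"


def transfer(session_id, form, origin=None, site="https://target"):
    """Hardened: the form must carry the session's token, and a supplied Origin must be our site."""
    session = SESSIONS[session_id]
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    # compare_digest avoids leaking how many leading characters matched via timing
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("missing or invalid CSRF token")
    if origin is not None and origin != site:
        raise PermissionError("cross-origin request rejected")
    return f"{session['user']} sent {form['amount']} to {form['to']}"
```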
9. Components with Known Vulnerabilities (A06:2021)
# Check for CVEs
searchsploit apache 2.4
searchsploit wordpress 5.0
# Retire.js for JavaScript
retire --path /path/to/js
10. Insufficient Logging (A09:2021)
- Failed login attempts not logged
- No audit trail
- Logs not monitored
- Logs stored insecurely
Phase 6: Session Management Testing
Session Analysis:
# Burp Sequencer
# Analyze token randomness and predictability
# Check for:
- Session fixation
- Session hijacking
- Weak session tokens
- Missing timeout
- Insecure transmission
Cookie Security Flags:
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict
| Flag | Purpose |
|---|---|
| Secure | HTTPS only |
| HttpOnly | No JavaScript access |
| SameSite | CSRF protection |
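An added example (not code from the page) that turns the checks in this phase into a script: it parses a Set-Cookie header and reports which of the three flags from the table are missing, and gives a rough Sequencer-style entropy estimate for sampled session tokens. The thresholds and the sample tokens are constructed.

```python
import math
from collections import Counter

# Flags the table above expects on a session cookie
REQUIRED_FLAGS = ("secure", "httponly", "samesite")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return findings for one Set-Cookie header; an empty list means all flags are present."""
    name, _, attrs = parse_set_cookie(header)
    findings = [f"{name}: missing {flag}" for flag in REQUIRED_FLAGS if flag not in attrs]
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None is rejected by browsers unless Secure is also set")
    return findings


def token_entropy_bits(token):
    """Shannon entropy of the token's characters, summed over its length (rough, per-token estimate)."""
    n = len(token)
    probs = [count / n for count in Counter(token).values()]
    return -sum(p * math.log2(p) for p in probs) * n


def weak_tokens(tokens, min_bits=64):
    """Tokens whose estimated entropy is below min_bits, or that repeat within the sample."""
    seen = Counter(tokens)
    return [t for t in tokens if seen[t] > 1 or token_entropy_bits(t) < min_bits]


if __name__ == "__main__":
    # Constructed samples: the page's flagged cookie and an unflagged one
    for header in ("session=abc123; Secure; HttpOnly; SameSite=Strict", "session=xyz789"):
        print(header, "->", audit_set_cookie(header) or "OK")
    print(weak_tokens(["000001", "000002", "abcdefghijklmnopqrstuvwxyz0123456789ABCDEF"]))
```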
Phase 7: Bypassing Client-Side Controls
Hidden Field Manipulation:
<!-- Original -->
<input type="hidden" name="price" value="100">
<!-- Modified in Burp -->
<input type="hidden" name="price" value="1">
JavaScript Validation Bypass:
- Disable JavaScript in browser
- Intercept and modify with Burp
- Replay requests with modified values
Phase 8: Authentication Attacks
Common Techniques:
# Brute force
hydra -l admin -P passwords.txt target http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
# Username enumeration
# Different responses for valid/invalid users
# Password reset flaws
# Predictable tokens, no rate limiting
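The brute-force attempt above leaves a distinctive trace: many failures from one source in a short window, often followed by a success. As an added example (not code from the page), the detection side of Phase 8 and of the "failed login attempts not logged" point in Phase 5: a small sliding-window detector run over constructed log lines. The log format, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not from the page): one login event per line
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login user=admin src=10.0.0.5 result=FAIL
2024-05-01T10:00:02Z login user=admin src=10.0.0.5 result=FAIL
2024-05-01T10:00:02Z login user=admin src=10.0.0.5 result=FAIL
2024-05-01T10:00:03Z login user=admin src=10.0.0.5 result=FAIL
2024-05-01T10:00:04Z login user=admin src=10.0.0.5 result=FAIL
2024-05-01T10:00:05Z login user=admin src=10.0.0.5 result=OK
2024-05-01T10:00:30Z login user=alice src=10.0.0.9 result=FAIL
2024-05-01T10:05:00Z login user=alice src=10.0.0.9 result=OK
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split(" ")[1:])
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert when a source reaches `threshold` failures inside `window`,
    and again when that source then logs in successfully (a likely guessed password)."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    bursting = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAIL":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(f"{ts.isoformat()} brute-force from {src} against {ev['user']}")
        elif src in bursting:
            alerts.append(f"{ts.isoformat()} success from {src} after burst: review account {ev['user']}")
            bursting.discard(src)
    return alerts
```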
Phase 9: Access Control Testing
IDOR Testing:
# Increment IDs
/user/1 -> /user/2
# Change parameters
?role=user -> ?role=admin
# Use Burp Intruder for automation
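Both the hidden price field in Phase 7 and the ID increments in this phase work only when the server trusts what the client sends. As an added example (not code from the page), a handler in each style next to its hardened version: ownership is checked server-side and the price comes from the catalogue, never from the form. `INVOICES`, `CATALOGUE` and the function names are constructed.

```python
# Constructed in-memory data (not from the page): invoice ownership and a price catalogue
INVOICES = {
    10001: {"owner": "alice", "total": 250},
    10002: {"owner": "bob", "total": 90},
}
CATALOGUE = {"widget": 100}  # unit prices the server trusts; the form's price field is not


class Forbidden(Exception):
    """Caller may not access the object (a real app maps this to HTTP 403 or 404)."""


def get_invoice_vulnerable(session_user, invoice_id):
    """Looks up by id only, so /invoice/10001 -> /invoice/10002 reads another user's invoice."""
    return INVOICES[invoice_id]


def get_invoice(session_user, invoice_id):
    """Hardened: the record must belong to the logged-in user, not merely exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        raise Forbidden  # same outcome for "missing" and "not yours": no id-enumeration oracle
    return invoice


def checkout_vulnerable(form):
    """Trusts the hidden price field, so changing price=100 to price=1 in Burp changes the charge."""
    return int(form["price"]) * int(form["qty"])


def checkout(form):
    """Hardened: only sku and qty come from the client; the price is looked up server-side."""
    price = CATALOGUE[form["sku"]]
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    return price * qty
```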
Phase 10: Input Validation Testing
Injection Points:
# All user input
# URL parameters
# Form fields
# Headers (User-Agent, Referer)
# Cookies
# File uploads
Fuzzing with Burp:
- Send request to Intruder
- Mark injection points
- Select payload list
- Analyze responses
Phase 11: Error Code Analysis
# Force errors for information
- Invalid input types
- Long strings
- Special characters
- SQL syntax errors
# Look for:
- Stack traces
- Database errors
- Path disclosure
- Version information
Phase 12: Cryptography Testing
# Check for:
- Weak algorithms (MD5, SHA1, DES)
- ECB mode usage
- Hardcoded keys
- Missing encryption
# SSL/TLS testing
sslscan target:443
testssl.sh target
Phase 13: Business Logic Vulnerabilities
Common Issues:
- Price manipulation
- Skipping workflow steps
- Race conditions
- Abuse of functionality
Testing Approach:
- Understand normal workflow
- Attempt to skip steps
- Modify values mid-process
- Test race conditions
Quick Reference
Essential Tools
| Tool | Purpose |
|---|---|
| BurpSuite | Web proxy and testing |
| OWASP ZAP | Open source alternative |
| sqlmap | SQL injection automation |
| Nikto | Web server scanning |
| Gobuster | Directory enumeration |
Testing Checklist
□ Map application and entry points
□ Test authentication mechanisms
□ Check authorization controls
□ Test input validation
□ Analyze session management
□ Check for injection flaws
□ Test business logic
□ Review error handling
□ Assess cryptographic implementation
Constraints
- Only test authorized systems
- Lab environments are essential for learning
- Real-world applications may differ from labs
- Tools require understanding, not just execution
Examples
Example 1: Quick XSS Test
<script>alert(document.domain)</script>
Example 2: SQLi Detection
' OR '1'='1
Troubleshooting
| Issue | Solution |
|---|---|
| Burp not intercepting | Check proxy settings, CA certificate |
| Lab not loading | Verify Docker is running |
| Payloads blocked | Try encoding, alternative syntax |
| Tool errors | Check dependencies, permissions |