Practical Web Application Security and Testing

15

September, 2022

Days 49 – 54

Practical Web Application Security

100 Days of Hacking

Photo cred – Markus Spiske

For these Days of Hacking I wanted to take a break from the Bug Bounty Job Role path on HTB and turn my attention to a curse that had dropped over on TCM Security called Practical Web Application Security and Testing. This course was loaded with both fundamental and advanced concepts. Overall, what I particularly loved about the course was the hands-on activities with docker containers and OWASP Zap. I completed the course and again, the following are from the Days of Hacking while working on it.

The first lab was setting up a web server running nginx inside of a docker container. 

After setting up the lab, we then made a few requests from our Kali machine to the web server. Our first set of requests were made using curl. The image on the left is a web server access log. Looking at the last line we can see source ip, timestamp, http method, the uri, the protocol, the response and size of the response.

flat screen computer monitor displaying white and black screen

Then we made a request to the server using the path /test. Again, we see the ip but instead of a 200 response we get a 400. In addition to the 400 on the access log, we also receive an error log along with the default page that the server is configured to serve up on 404 responses.

flat screen computer monitor displaying white and black screen

Next, we try making the same request as above but with a utility called netcat.

And then moving along, we demonstrate making a request the most common way requests are made and that’s with a web browser.

flat screen computer monitor displaying white and black screen

Enumerating and Fuzzing with Zap

Next we start our intro to using Zap by examining the Spider feature. Naturally, as we know from our fundamental web security skills, we must examine the source code (or view source) of our pages. What we’re doing is looking for comments that devs have left behind.

We also explored using wordlists to do Fuzzing with Zap.

That’s about as far as I got on those days. Hopefully, it was enough of a preview that someone reading this will take interest in the course. It’s a very awesome course that I highly recommend to anyone looking to get into Bug Bounty or Web App Security and seasoned vets who’ve been away from their craft for some time and needing to vamp up.

As always, it’s been Real. Hack On, Ladz & Gentz!

5 1 vote
Article Rating
0
Would love your thoughts, please comment.x
()
x

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Share This