1. Theory
A. What is Web Application Penetration Testing?
Web Application Penetration Testing is the process of evaluating web apps for security vulnerabilities that an attacker could exploit. Unlike network pentesting, it focuses on application logic, inputs, and user interactions rather than just open ports.
Key Goals:
- Identify flaws in authentication, authorization, and input validation.
- Exploit vulnerabilities to demonstrate risks (safely).
- Provide recommendations to fix issues.
B. Web Application Architecture Overview
- Client-Server Model: Browser (client) sends requests → Server responds.
- HTTP/HTTPS Protocols: How requests are made (GET, POST) and responses are returned.
- Sessions & Cookies: Maintain user state between requests.
- Inputs & Endpoints: Forms, URL parameters, API endpoints—all attack surfaces.
C. Common Web Application Vulnerabilities (OWASP Top 10)
- Injection (SQL, Command)
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
D. Tools Overview
- Burp Suite Community Edition: Proxy for intercepting HTTP requests.
- Browser Dev Tools: Inspect requests, responses, cookies.
- Nmap: Identify running web services.
- Vulnerable web apps in your lab: DVWA, Mutillidae, bWAPP.
2. Hands-On Exercise
Objective: Explore your lab web application and understand its structure.
Step 1: Identify Running Web Services
┌──(ehis㉿ehis)-[~]
└─$ nmap -sV -p 80,443 192.168.71.128
Starting Nmap 7.93 ( https://nmap.org ) at 2025-09-02 07:31 EDT
Nmap scan report for 192.168.71.128
Host is up (0.010s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
443/tcp closed https
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.71 seconds
┌──(ehis㉿ehis)-[~]
└─$
- -sV detects service versions.
- Note down the web server version (Apache, etc.).
Step 2: Browse Web Applications
- Open DVWA: http://<Metasploitable-IP>/dvwa/
- Open Mutillidae: http://<Metasploitable-IP>/mutillidae/
Step 3: Map Inputs and Endpoints
- Identify all forms, input fields, search bars, and URL parameters.
- Write them down in a simple reconnaissance table:
| Page URL | Input Field | Method (GET/POST) | Notes |
|---|---|---|---|
| /dvwa/login.php | username, password | POST | Login form |
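The mapping in Step 3 can be scripted rather than done by hand. The following is an added example, not part of the original lesson: it uses Python's standard-library HTMLParser to pull every form, its method and its named inputs out of a page (plus any parameters already in the page URL) and renders them as the reconnaissance table above. The sample HTML is a constructed login form in the shape of DVWA's, not the real DVWA source, and fetch_and_map() is a helper assumed here for pointing the mapper at your own lab host.

```python
"""Map forms and input fields from an HTML page into a recon table.

Added example (not part of the original lesson): it parses a page with
Python's standard-library HTMLParser, so it runs offline against the
constructed sample below. Point fetch_and_map() at your own lab target
(DVWA/Mutillidae on Metasploitable) to run it for real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs
from urllib.request import urlopen


class FormMapper(HTMLParser):
    """Collect every <form> with its action, method and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []          # finished forms
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            # A submit button without a name never reaches the server as a parameter
            if name:
                self._current["inputs"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def map_inputs(html, page_url):
    """Return recon rows (url, inputs, method, notes) for one page.

    Both HTML forms and query-string parameters already present in the
    page URL count as input points.
    """
    parser = FormMapper()
    parser.feed(html)
    rows = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        rows.append({
            "url": urlparse(target).path,
            "inputs": ", ".join(form["inputs"]),
            "method": form["method"],
            "notes": "form on " + urlparse(page_url).path,
        })
    query = parse_qs(urlparse(page_url).query)
    if query:
        rows.append({
            "url": urlparse(page_url).path,
            "inputs": ", ".join(query),
            "method": "GET",
            "notes": "URL parameters",
        })
    return rows


def render_table(rows):
    """Render the rows as the markdown table used in Step 3."""
    lines = ["| Page URL | Input Field | Method (GET/POST) | Notes |",
             "|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['url']} | {r['inputs']} | {r['method']} | {r['notes']} |")
    return "\n".join(lines)


def fetch_and_map(page_url):
    """Fetch a lab page and map it (hits the network; use only against your lab)."""
    with urlopen(page_url, timeout=10) as resp:
        return map_inputs(resp.read().decode("utf-8", "replace"), page_url)


# Constructed sample page: shaped like a DVWA-style login form, not the
# real DVWA source. The URL parameter is also constructed.
SAMPLE_HTML = """
<html><body>
<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""
SAMPLE_URL = "http://192.168.71.128/dvwa/login.php?redirect=index.php"

if __name__ == "__main__":
    print(render_table(map_inputs(SAMPLE_HTML, SAMPLE_URL)))
```

Run it on a page you have already opened in the browser and compare the output with what you wrote down by hand; anything the script finds that you missed (hidden inputs, a second form in the footer) is an input point you would otherwise have left untested.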
Step 4: Capture Requests with Burp Suite
- Go to your browser's Settings and configure it to use Burp as a proxy (127.0.0.1:8080).
- Intercept requests while interacting with forms.
- Examine headers, parameters, cookies, and responses.
Step 5: Explore HTTP Methods
- Try curl -I http://<Metasploitable-IP>/dvwa/ to see headers.
- Observe server info, cookies, and other HTTP metadata.
┌──(ehis㉿ehis)-[~]
└─$ curl -I http://192.168.71.128/dvwa
HTTP/1.1 301 Moved Permanently
Date: Tue, 02 Sep 2025 12:27:19 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Location: http://192.168.71.128/dvwa/
Content-Type: text/html; charset=iso-8859-1
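What you read off that response by eye can also be checked programmatically. The following is an added example, not part of the original lesson: it parses the raw head of an HTTP response (the sample is the curl -I output shown above), then reports what the server discloses and which defensive headers are missing, which is the note you would carry into the findings for this host. head_request() is a helper assumed here for fetching a live response from your lab host.

```python
"""Parse and review the metadata a HEAD request returns (Step 5).

Added example, not part of the original lesson. It splits the raw text of
a `curl -I` response into status line and headers, then reports what the
server discloses and which defensive headers are absent. The sample below
is the response shown in the lesson; head_request() fetches a live one
from your lab host.
"""
import http.client
import re
from urllib.parse import urlparse

# Headers a hardened web app is expected to send; their absence is a finding.
EXPECTED_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
)


def parse_head_response(raw):
    """Split a raw HTTP response head into (status_code, headers dict).

    Header names are case-insensitive, so keys are stored lowercased.
    """
    lines = raw.strip().splitlines()
    status_line = lines[0].split(" ", 2)   # e.g. "HTTP/1.1 301 Moved Permanently"
    status = int(status_line[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def review_headers(status, headers):
    """Return a list of human-readable findings about the response metadata."""
    findings = []
    server = headers.get("server", "")
    # A product name with a version (e.g. "Apache/2.2.8") tells a reader
    # exactly which advisories apply; Apache's ServerTokens Prod hides it.
    if re.search(r"/\d", server):
        findings.append(f"Server header discloses version: {server}")
    if 300 <= status < 400 and "location" in headers:
        findings.append(f"Redirects to {headers['location']}")
    if "set-cookie" in headers:
        cookie = headers["set-cookie"]
        if "httponly" not in cookie.lower():
            findings.append("Session cookie set without HttpOnly")
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"Missing {name}")
    return findings


def head_request(url):
    """Send a HEAD request to a lab URL and return the raw response head."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\n" + "\n".join(
        f"{k}: {v}" for k, v in resp.getheaders())
    conn.close()
    return raw


# The response captured in the lesson with `curl -I http://192.168.71.128/dvwa`.
SAMPLE_RESPONSE = """HTTP/1.1 301 Moved Permanently
Date: Tue, 02 Sep 2025 12:27:19 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Location: http://192.168.71.128/dvwa/
Content-Type: text/html; charset=iso-8859-1
"""

if __name__ == "__main__":
    status, headers = parse_head_response(SAMPLE_RESPONSE)
    for finding in review_headers(status, headers):
        print("-", finding)
```

The Server header is the point to notice here: a version string like Apache/2.2.8 is the same information the nmap -sV scan in Step 1 recovered, so the two observations corroborate each other, and the fix on the server side (suppressing the version in ServerTokens) removes it from both.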
✅ Lesson Outcome:
By the end of this lesson, you should be able to:
- Explain web application architecture and common vulnerabilities.
- Identify input points, forms, and endpoints in a lab environment.
- Capture and analyze HTTP requests using Burp Suite.
- Prepare for deeper attacks like SQLi and XSS in the next lessons.

I’m Emmanuel Okaiwele, a Secure Web Developer, Offensive Security Engineer, a Member of the Cybersecurity Experts Association of Nigeria – CSEAN, and the founder of Nebitex Africa — a platform dedicated to making cybersecurity simple, practical, and accessible for Africans.