What is a web pentest and why it is needed
Web application penetration testing is a controlled imitation of an attack on a website or web service, carried out to find vulnerabilities before someone with other intentions does. According to the Verizon DBIR, attacks on web applications are consistently among the leading vectors of data breaches.
In MITRE ATT&CK terms, what we will be doing is the technique Exploit Public-Facing Application (T1190, Initial Access): an attacker searches for and exploits vulnerabilities in publicly reachable web applications. The reconnaissance stage maps to Vulnerability Scanning (T1595.002, Reconnaissance) and Network Service Discovery (T1046, Discovery).
The difference between a pentester and an intruder is permission. Before any testing you must have the written consent of the system's owner. That is why we start with a local environment: you can break your own Docker container without anyone's approval.
Setting up the environment for a pentest: what to install
This is where most newcomers stumble for the first time. You want to open the terminal right away and start "hacking", but without the right environment you will spend your time fighting the tools, not the vulnerabilities.
Kali Linux or a regular system
Kali Linux is a Debian-based distribution with pre-installed pentest tools: Nmap, Burp Suite Community, sqlmap, ffuf, Metasploit Framework and hundreds more utilities. If you are starting web pentesting from scratch, Kali saves hours of installation work.
But Kali is not mandatory. All the same tools can be installed on Ubuntu, Fedora and even macOS. I recommend Kali to beginners for one reason: you don't have to google "how to install sqlmap on Windows" instead of learning to use it.
Options for running Kali:
- Virtual machine via VirtualBox or VMware is the safest way. Download the ready-made image from kali.org, import it, launch it. A minimum of 4 GB of RAM and 2 processor cores is plenty to start with.
- WSL2 on Windows, if you do not want to run a VM. It works for most console tools, but GUI applications (Burp Suite among them) will take some tinkering.
- Installation on bare metal, for those ready to dedicate a separate laptop to pentesting.
Running a vulnerable app in Docker
Testing other people's sites without permission is a criminal offense. Testing purpose-built vulnerable applications on your own machine is legal and effective practice.
DVWA (Damn Vulnerable Web Application) is a classic training target used in most ethical hacking courses. Inside are vulnerabilities from the OWASP Top 10 at three difficulty levels: Low, Medium, High. Start at Low and move up as you grow.
Launched with one command: docker run --rm -it -p 80:80 vulnerables/web-dvwa. After that, open http://localhost in the browser, go to the Setup page (/setup.php) and click "Create / Reset Database". Login: admin, password: password. That's it, you can start breaking things.
An alternative is OWASP Juice Shop, a more modern Node.js application with gamification elements. Launch: docker run --rm -p 3000:3000 bkimminich/juice-shop. Juice Shop imitates a real online store better and fits as the next step after DVWA.
Why Docker and not an installation on the host? The container is isolated: after stopping it there are no traces, and when the configuration breaks, recreating it takes seconds.
Burp Suite: learning to intercept traffic from scratch
Burp Suite is the main tool for web pentesting. According to HackerOne, it is used by the vast majority of bug hunters and pentesters. The Community Edition is free and comes pre-installed on Kali Linux.
Burp works as a proxy between the browser and the target application. Every request passes through it: you can view it, modify it, send it again. This is the foundation of manual testing.
Configuring the proxy and installing a certificate
Here is the sequence that raises the most questions among trainees:
- Run Burp Suite and create a temporary project (Temporary Project); that is enough for learning.
- Check the proxy settings: Settings → Tools → Proxy, or the Proxy settings button in the Proxy tab (2023-2024 versions), or Proxy → Options (before 2022). By default Burp listens on 127.0.0.1:8080.
- Open Burp's built-in browser (Open browser button in the Proxy tab). It is already configured to work through the proxy; system settings need not be touched.
- If you prefer Firefox: Settings → Network Settings → Manual proxy configuration, HTTP Proxy 127.0.0.1, Port 8080. Then open http://burpsuite in that browser, download the CA certificate and import it via Settings → Privacy & Security → Certificates → View Certificates → Import.
Without the certificate, HTTPS sites will show a certificate error. With DVWA (it runs on HTTP by default) this is not critical, but it is better to build the habit of a configured certificate right away: on a real project you will not get anywhere without it.
The first intercepted request: what we see
Enable interception: Proxy tab → Intercept → the "Intercept is on" button. Go to DVWA and try to log in. Burp intercepts the POST request:
POST /login.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

username=admin&password=password&Login=Login&user_token=abc123def456
This is where beginners' eyes usually light up. Login and password in plain text. Headers, cookies, the CSRF token (user_token) that DVWA generates on every page load: everything is in plain view. "Forward" passes the request on, "Drop" blocks it.
Now Proxy → HTTP history: all requests that have passed through the proxy are stored here. Any of them can be sent to Repeater (right click → Send to Repeater) and modified as many times as you want.
The main work takes place in Repeater: change parameters, substitute payloads, observe the server's reaction. Remember: Proxy is for interception, Repeater for experiments, Intruder for automation.
Reconnaissance: what we can learn about the web application
Before looking for vulnerabilities, you need to understand what you are working with. This phase is reconnaissance, and it is divided into passive and active.
Scanning ports and services with Nmap
Nmap is the industry standard for discovering open ports and identifying service versions. In a web test we are interested in ports 80 (HTTP), 443 (HTTPS), 8080, 8443 and others on which web servers may be running.
For our DVWA container, nmap -sV -sC localhost shows open port 80 with Apache. MySQL runs inside the container and is not exposed to the outside, so Nmap will not see it. The -sV flag determines service versions; -sC runs the default NSE scripts for basic security checks.
On a real project, add nmap -sS -p- target_ip, a scan of all 65535 ports. Sometimes developers leave an admin panel on some 9090 or 4443, and that is where the interesting part begins. The -sS flag is a SYN scan, a fast and relatively quiet method.
Why know the version? An outdated Apache or PHP is a potential attack vector. Remember CVE-2021-44228 (Log4Shell)? CVSS 10.0, one log entry and arbitrary code on the server. Knowing the component version is the first step to detecting such problems.
Enumerating directories and hidden files
Web applications often contain hidden pages: admin panels, config backups, forgotten test files. Tools to find them: ffuf, gobuster, dirsearch.
I prefer ffuf for speed and flexibility. Typical launch: ffuf -u http://localhost/FUZZ -w /usr/share/wordlists/dirb/common.txt. FUZZ is a marker that ffuf replaces with words from the wordlist. In the results you will see directories like /admin, /config, /backup, if they exist.
In gobuster the same task is: gobuster dir -u http://localhost -w /usr/share/wordlists/dirb/common.txt. Both do the same thing; choose whichever is more comfortable.
What to look at in the results: 200 means the page exists, 301/302 a redirect (often to the login), 403 means access is forbidden but the resource exists. 403 is especially interesting: sometimes the restriction is bypassed by adding a trailing slash, changing the case of the path or adding the header X-Forwarded-For: 127.0.0.1. On one project we found a forgotten phpMyAdmin exactly this way: it gave 403 on /phpmyadmin but 200 on /phpmyadmin/.
OWASP Top 10 in practice: searching for vulnerabilities in web applications
The OWASP Top 10 is a list of the most critical categories of web application vulnerabilities, maintained by the OWASP community. It is not a tool or a scanner; it is a framework for thinking. When you test an application, walk through the categories mentally and check each one.
For a first practical experience, focus on the two things that are easiest to find and understand: SQL injection (category A03:2021 - Injection) and reflected XSS (same category, A03:2021).
SQL injection: your first vulnerability found
Open DVWA, set the security level to Low (DVWA Security → Low) and go to the "SQL Injection" section. In the "User ID" field enter 1 and press Submit. The application shows the user's data.
Now enter 1' OR '1'='1. The application is vulnerable (on Low, guaranteed), and you see the data of all users. What happened? The server code substitutes the input directly into the SQL query. Instead of SELECT * FROM users WHERE id='1' the server executed SELECT * FROM users WHERE id='1' OR '1'='1': the condition is always true, and all records are returned.
Savor the moment: you have just found a vulnerability. This is the Exploit Public-Facing Application (T1190) technique, via injection into user input.
Let's move on. Send the request to Burp Repeater (right click in HTTP history → Send to Repeater). In the Repeater tab you can change the id parameter and instantly see the response. First, determine the number of columns: 1' ORDER BY 2-- - (works), 1' ORDER BY 3-- - (error), so there are two columns. Now the payload 1' UNION SELECT user, password FROM users-- -. A short note: the # comment also works in MySQL, but when sent through the browser form the # symbol is interpreted as part of the URL (the fragment) and never reaches the server; it needs to be URL-encoded as %23. Through Burp Repeater # works without encoding. In the response you get MD5 password hashes (for example, 5f4dcc3b5aa765d61d8327deb882cf99, which is password).
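To see why the payloads above work and what the fix looks like, here is an added example (not DVWA's own code) that runs the string-concatenated query the text describes next to its parameterized form against an in-memory SQLite table standing in for DVWA's MySQL, and shows what the server actually receives for id when # is sent raw versus as %23. The table layout, rows and the DVWA-like URL are constructed here; SQLite accepts the -- - comment but not MySQL's #, so only -- - payloads are run.

```python
from __future__ import annotations

import hashlib
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: a DVWA-like users table; passwords are stored as MD5
# hashes, the way DVWA does it.
SAMPLE_USERS = [
    (1, "admin", "password"),
    (2, "gordonb", "abc123"),
    (3, "1337", "charley"),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory table and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(i, u, hashlib.md5(p.encode()).hexdigest()) for i, u, p in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """DVWA 'Low' style: the input is pasted straight into the SQL string,
    so quotes, OR, UNION and comments in it become part of the statement."""
    query = f"SELECT id, user FROM users WHERE id='{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL
    text, so a payload is compared literally against the id column."""
    return conn.execute("SELECT id, user FROM users WHERE id=?", (user_id,)).fetchall()


def id_param_as_received(url: str) -> str | None:
    """What the server sees for 'id' once the browser has parsed the URL.
    Everything after an unencoded '#' is the fragment and is never sent;
    '%23' is decoded back to '#' on the server side."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("id")
    return values[0] if values else None


if __name__ == "__main__":
    db = build_db()
    for payload in ("1", "1' OR '1'='1", "1' UNION SELECT user, password FROM users-- -"):
        print(f"{payload!r:55} vulnerable -> {lookup_vulnerable(db, payload)}")
        print(f"{'':55} parameterized -> {lookup_parameterized(db, payload)}")
    # Constructed DVWA-like URLs: raw '#' is lost, '%23' survives.
    for url in (
        "http://localhost/vulnerabilities/sqli/?id=1' OR '1'='1#&Submit=Submit",
        "http://localhost/vulnerabilities/sqli/?id=1' OR '1'='1%23&Submit=Submit",
    ):
        print(f"server receives id={id_param_as_received(url)!r}")
```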
Confirming the vulnerability with sqlmap
Manual exploitation is needed to understand the mechanics, but on a real project sqlmap saves hours. Save the request from Burp (right click → Save item → file request.txt) and feed it to sqlmap:
Bash:
sqlmap -r request.txt --dbs --batch
-r request.txt loads the request from the file, --dbs lists the available databases, --batch automatically picks the default answers. sqlmap itself will determine the injection type and the DBMS and extract the data.
A point I regularly catch trainees on: sqlmap is a tool for confirmation, not a replacement for manual work. First find the potential injection point by hand (or through Burp), then confirm with automation. Running sqlmap blindly against everything is noisy, slow and unprofessional.
XSS: from alert to understanding the threat
In DVWA, go to "XSS (Reflected)". Enter <script>alert(1)</script>. At the Low level the script executes and a pop-up appears. This is reflected XSS: the entered script is returned in the server response and executed in the browser.
Why is it dangerous? Replace alert(1) with document.cookie and you will see the cookies of the current session. In a real attack, the attacker crafts a link with a malicious script and sends it to the victim. One click, and the script steals the session cookies and sends them to the attacker's server. In MITRE ATT&CK terms this is JavaScript (T1059.007, Execution).
There are three types of XSS: reflected, stored and DOM-based. Stored is more dangerous: the script is saved on the server (for example, in comments) and executed for every visitor. DVWA has an "XSS (Stored)" section; try to find it yourself using the same approach.
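As an added example (not DVWA's code), here is a minimal stand-in for the reflected XSS page above: render_low pastes the name parameter into the HTML as the Low level does, render_hardened encodes it for the HTML context first, and reflects_unescaped is the check a scanner performs to tell the two apart. The page template and the name parameter are assumptions, not taken from DVWA's source.

```python
import html
from urllib.parse import parse_qs

# Constructed page template; the greeting is where user input lands (element text).
PAGE = "<html><body><pre>Hello {greeting}</pre></body></html>"


def name_from_query(query: str) -> str:
    """Pull the 'name' parameter out of a query string such as 'name=Bob'."""
    return parse_qs(query, keep_blank_values=True).get("name", [""])[0]


def render_low(query: str) -> str:
    """Vulnerable: raw user input becomes part of the HTML document, so a
    <script> tag in the parameter is parsed and executed by the browser."""
    return PAGE.format(greeting=name_from_query(query))


def render_hardened(query: str) -> str:
    """Fixed: HTML-encode for the context the value is inserted into.
    '<' becomes '&lt;', so the browser renders the text instead of a tag."""
    return PAGE.format(greeting=html.escape(name_from_query(query), quote=True))


def reflects_unescaped(render, marker: str = "<zz0xss>") -> bool:
    """Scanner-style detection: submit a unique marker containing HTML
    metacharacters and report whether it comes back verbatim. A harmless
    tag is enough; unencoded reflection is what proves the bug."""
    return marker in render("name=" + marker)


if __name__ == "__main__":
    probe = "name=<script>alert(1)</script>"
    print("Low      :", render_low(probe))
    print("Hardened :", render_hardened(probe))
    print("Low reflects unescaped:", reflects_unescaped(render_low))
    print("Hardened reflects unescaped:", reflects_unescaped(render_hardened))
```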
Web pentest tools: the minimum set
OWASP ZAP deserves a separate word. Unlike Burp Suite, ZAP is completely free (including automated scanning) and is an official OWASP project. To start: run ZAP, enter the target application's URL in the "URL to attack" field and click "Attack". ZAP will run its spider (crawling) and active scan, then show the list of vulnerabilities found with descriptions and recommendations.
The difference between manual testing and automated scanning is something a novice pentester must learn. Scanners find the low-hanging fruit: standard XSS patterns, simple SQL injections, outdated libraries. But they do not understand business logic. The vulnerability "you can change the price of the goods in the basket by editing a hidden parameter" will not be found by any scanner. Only a human with Burp Repeater.
Web Pentest: From Chaos to System
When the first euphoria from alert(1) wears off, the question arises: how to test systematically rather than chaotically poking payloads? Here is the simplified five-step method I give to trainees.
Step 1 - Reconnaissance. Determine the stack: web server, language, framework, CMS. Nmap for ports, the Wappalyzer browser extension for the stack, ffuf for hidden directories.
Step 2 - Application map. Walk through all pages as a regular user. Fill in every form, press every button, look at every URL. Burp will automatically record everything in the Site map (Target → Site map). Mark the entry points: forms, URL parameters, cookies, headers.
Step 3 - Automated scanning. OWASP ZAP or Burp Scanner (in the Pro version) to detect obvious holes. Scan results are the starting point, not the final report.
Step 4 - Manual testing. For each OWASP Top 10 category, check the entry points from step two. Injections: quotes and special characters. Authentication: brute-force, password reset. Access control: substituting IDs in requests, attempting to reach other users' resources.
Step 5 - Documentation. Every vulnerability found is recorded: URL, parameter, payload, screenshot, severity rating. Without documentation, your pentest is just entertainment.
Common mistakes of newcomers to web penetration testing
During my mentoring I have collected a whole set of rakes that everyone steps on. I'll go over the main ones.
Starting with tools instead of basics. If you do not understand what an HTTP request is, the GET/POST methods and status codes, no tool will help. Spend an evening on the HTTP protocol. Open DevTools (F12 → Network) and just look at which requests go out when you load any site. It is sobering.
Running scanners without manual analysis. sqlmap against everything, Nikto against all hosts: noise without result. First understand the structure of the application by hand, find the potentially vulnerable points, and only then confirm with automation.
Ignoring the difficulty levels. The Low, Medium, High levels in DVWA are there for a reason. On Low you understand the mechanics. On Medium you see what filters have appeared and learn to bypass them. High is closer to real life. Skipping ahead costs you more in the end.
Not keeping notes. After a month you will not remember which payload worked on a particular lab. Take notes in Obsidian, Notion or a plain text file. Write down: task, tool, command, result, what you learned. I still keep such a file; it has grown to several megabytes and I regularly consult it.
Testing without permission. Even scanning the ports of someone else's server without consent is a violation. Practice on DVWA, Juice Shop, HackTheBox, TryHackMe, PortSwigger Web Security Academy. The last one is particularly good: detailed theory for every vulnerability and interactive labs with step-by-step solutions.
Where to go next
The first SQL injection in DVWA is the starting point, not the finish. Here is a route for those who have decided to dig in seriously:
- Go through all DVWA modules at all difficulty levels. This gives an understanding of the basic vulnerability types and protection mechanisms, from "no filtering" to "almost like in production".
- PortSwigger Web Security Academy is a free resource from the creators of Burp Suite. Dozens of labs for each category: from basic XSS to HTTP Request Smuggling and Server-Side Template Injection.
- HackTheBox and TryHackMe are platforms with virtual machines. TryHackMe is better for starting out (step-by-step guides), HackTheBox for those ready to figure things out themselves.
- Bug bounty: after several months of practice on labs, try programs on HackerOne or Bugcrowd. Start with those that accept reports from beginners and have a wide scope.