Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

README.md

Web Exploitation — Session 01: Introduction

Summary

This repository contains notes and the Session 1 plan for a workshop series on web exploitation. The goal of Session 1 is to give participants a solid foundation in how web applications communicate, the tools used to inspect those communications, and the basic architecture of the web.

Duration: 45–60 minutes (adjustable)

Prerequisites

  • Your Motivation

Learning Objectives

By the end of this session, participants will understand the fundamental concepts of the Web, how web applications function, and the structure of HTTP requests and responses. They will also understand the difference between HTTP and HTTPS, the importance of encryption, and how to distinguish between Front-end and Back-end components as well as different web architectures. Additionally, participants will learn to differentiate between Blackbox, Whitebox, and Greybox security testing methodologies and understand the purpose of essential tools like Browser DevTools, cURL, and Burp Suite.


Table of Contents


0. What are to Web Applications

0.1 What is the Web

The Web is a system that lets users access and share information over the internet through websites and web applications using protocols like HTTP and HTTPS.

What Happens When You Visit a Website

Here's a simplified overview of the process (we'll dive into more details later):

  1. Browser sends a request → The user's browser creates and sends a request to a server
  2. Server processes and responds → The server receives the request and sends back data (HTML, CSS, JavaScript, images, etc.)
  3. Browser renders the page → The browser interprets the received data and displays it as a web page

0.2 What Are Web Applications?

Web applications are interactive applications that run on web browsers. Web applications use a client-server architecture where:

  • Front-end components (the website interface - "what the user sees") run in the browser
  • Back-end components (application logic and data) run on remote servers

0.3 Security Risks and Importance of Web Application Security

Why Web Applications Are Targeted

  • Globally Accessible: Available to attackers worldwide 24/7
  • Large Attack Surface: Multiple entry points (forms, APIs, authentication)
  • Valuable Data: Often connected to databases with sensitive information
  • Complexity: Modern apps have many components that can contain flaws

Why Web Security Matters

Web application testing is critical because:

  • Applications evolve constantly with new features
  • Each update can introduce new vulnerabilities
  • Many apps connect to sensitive backend systems

1. HTTP Protocol Fundamentals

1.1 Overview

HTTP (HyperText Transfer Protocol) is the application-layer protocol used to access resources on the Web. It defines how clients (usually browsers) request resources from servers and how servers respond.

1.2 HTTP Request/Response Flow

  1. DNS Resolution: Browser resolves domain to IP (checks /etc/hosts first, then DNS servers)
  2. HTTP Request: Client sends request line, headers, and optional body
  3. Server Processing: Web server and application process the request
  4. HTTP Response: Server returns status line, headers, and body
  5. Browser Rendering: Browser interprets response and may make additional requests

1.3 URL Structure

Resources are identified by URLs with the following components:

http://example.test.com:80/dashboard?login=true#status
Component Example Description
Scheme http:// or https:// Protocol identifier
Subdomain example Optional prefix to the main domain (e.g., www, api, admin)
Second-Level Domain (SLD) test The main domain name, located directly left of the TLD
Top-Level Domain (TLD) com Highest level of the domain hierarchy (e.g., com, org, net, io)
Full Domain / Hostname example.test.com Complete domain including subdomain, SLD, and TLD
Port :80 Defaults: 80 (HTTP), 443 (HTTPS)
Path /dashboard Resource location on server
Query ?login=true Parameters for server-side processing
Fragment #status Client-side navigation (not sent to server)

2. HTTPS and Security

2.1 Overview

HTTPS (Hypertext Transfer Protocol Secure) is HTTP layered over TLS (Transport Layer Security), which adds three critical protections for web communication:

Encryption

All data exchanged between the client (browser) and server is encrypted, preventing attackers from reading sensitive information such as passwords, tokens, or personal data.

Integrity

TLS ensures that data cannot be tampered with or altered while in transit. Any modification by an attacker will be detected by the browser or server.

Authentication

HTTPS verifies the identity of the server using a digital certificate issued by a trusted Certificate Authority (CA), ensuring that the user is connecting to the legitimate site and not a malicious impostor.


3. Tools Overview

Essential tools every web security tester should know:

3.1 Browser Developer Tools

Primary Tool: Chrome/Firefox DevTools

  • Access: Ctrl+Shift+I or F12
  • Network Tab: View all HTTP requests, inspect headers, copy as cURL
  • Console Tab: Run JavaScript, view errors and logs
  • Elements Tab: Inspect and modify DOM/HTML
  • Application Tab: View cookies, localStorage, session data
  • Sources Tab: Debug JavaScript, set breakpoints

3.2 cURL

HTTP client for terminal-based testing

# Common flags
curl -I        # Headers only
curl -v        # Verbose (full details)
curl -X POST   # Specify method
curl -d        # Send data
curl -H        # Custom headers
curl -b        # Send cookies

3.3 Burp Suite

Industry-standard proxy for web security testing

  • Intercept and modify requests/responses
  • Repeater for manual testing
  • Intruder for automated fuzzing
  • Scanner for vulnerability detection

3.4 FFUF

Fast web fuzzer (directories, parameters, vhosts)

ffuf -u https://example.com/FUZZ -w wordlist.txt

Similar tools: gobuster, dirb, etc.


4. HTTP Requests and Responses

4.1 HTTP Request Structure

An HTTP request consists of:

  1. Request Line: Method, Path, Version
  2. Headers: Key-value metadata pairs
  3. Blank Line: Separates headers from body
  4. Body: Optional data (for POST, PUT, etc.)

Example:

POST /api/users/update-password HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
Cookie: session_id=a7f3d9e2c8b4a1f6e9d3c7b2a5f8e1d4
Content-Type: application/json
Content-Length: 60

{
  "old_password": "oldpass",
  "new_password": "newpass"
}

Common HTTP Methods:

Method Purpose
GET Retrieve resource
POST Submit data/create resource
PUT/PATCH Update resource
DELETE Remove resource
HEAD Get headers only
OPTIONS Get allowed methods

4.2 HTTP Response Structure

An HTTP response consists of:

  1. Status Line: Version, Status Code, Reason Phrase
  2. Headers: Response metadata
  3. Blank Line
  4. Body: Response content (HTML, JSON, etc.)

Example:

HTTP/1.1 200 OK
Date: Thu, 02 Jan 2026 14:35:22 GMT
Server: nginx/1.24.0
Set-Cookie: session_id=b9e4f7a3d6c2e8f1a7b5d9c3e6f2a8d1; HttpOnly; Secure; SameSite=Strict
Content-Type: application/json; charset=UTF-8
Content-Length: 89

{
  "success": true,
  "message": "Password updated successfully",
  "user_id": 12345
}

Common Status Codes:

Code Range Category Examples
1xx Informational 100 Continue, 101 Switching Protocols
2xx Success 200 OK, 201 Created, 204 No Content
3xx Redirection 301 Moved Permanently, 302 Found, 304 Not Modified
4xx Client Error 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
5xx Server Error 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable

5. HTTP Headers

HTTP headers pass metadata between client and server. They are key-value pairs that provide context about the message, entity, or connection.

5.1 Header Categories

General Headers

Apply to both requests and responses; describe the message itself.

  • Date: Wed, 16 Feb 2022 10:38:44 GMT — Message timestamp
  • Connection: keep-alive — Connection persistence (keep-alive/close)

Entity Headers

Describe the content being transferred.

  • Content-Type: text/html; charset=UTF-8 — Media type of entity
  • Content-Length: 1234 — Size in bytes
  • Content-Encoding: gzip — Applied transformations (compression)

Request Headers

Sent by client to provide context about the request.

Header Example Purpose
Host Host: www.example.com Target host (required in HTTP/1.1)
User-Agent User-Agent: Mozilla/5.0 Client software identifier
Referer Referer: https://google.com Origin of request
Accept Accept: application/json Acceptable response formats
Cookie Cookie: session=abc123 Client-stored data
Authorization Authorization: Bearer token Authentication credentials
Content-Type Content-Type: application/json Body format (for POST/PUT)

Response Headers

Sent by server to provide metadata about the response.

Header Example Purpose
Server Server: Apache/2.4.41 Server software info
Set-Cookie Set-Cookie: id=abc; Secure Instruct client to store cookie
Location Location: /new-url Redirect target
Cache-Control Cache-Control: max-age=3600 Caching directives

5.2 Security Headers

Critical headers that enhance security:

Header Example Purpose
Content-Security-Policy script-src 'self' Restrict resource loading (XSS mitigation)
X-Frame-Options DENY Prevent clickjacking
X-Content-Type-Options nosniff Prevent MIME sniffing
Referrer-Policy no-referrer Control referrer information
Access-Control-Allow-Origin https://trusted-site.com Specify allowed origins for CORS requests
Access-Control-Allow-Credentials true Allow credentials (cookies, auth) in CORS requests

6. Web Application Architecture

Understanding web application architecture helps identify attack surface, data flows, and potential security weaknesses.

6.1 Architecture Components

  • Client: Browser or mobile app (UI/UX layer)
  • Web Server: Handles HTTP connections (Nginx, Apache, IIS)
  • Application Server: Business logic and request processing
  • Database: Persistent data storage (MySQL, PostgreSQL, MongoDB)
  • Services: Microservices, APIs, third-party integrations

6.2 Three-Tier Architecture

Tier Components Responsibilities
Presentation HTML, CSS, JS, Mobile Apps User interface and client-side logic
Application Web frameworks, APIs Business logic, authorization, validation
Data Databases, File storage Data persistence and retrieval

Benefits:

  • Clear separation of concerns
  • Independent scaling of each tier
  • Easier to maintain and secure

6.3 Common Web Application Architectures

Monolithic Architecture

  • Single unified codebase with all components tightly integrated
  • Traditional approach where UI, business logic, and data access are packaged together
  • Example: A blog platform where user management, post creation, comments, and media uploads all run in a single application. When you deploy or update, the entire application restarts.

Client-Server Architecture

  • Clear separation between client (frontend) and server (backend)
  • Client handles presentation, server handles logic and data
  • Example: A todo list app with a React frontend that sends HTTP requests to a Node.js API backend. The frontend handles UI rendering while the backend manages database operations, authentication, and business logic.

Microservices Architecture

  • Application divided into small, independent services
  • Each service handles a specific business function (auth, payments, search)
  • Services communicate via APIs (REST, gRPC, message queues)
  • Example: An e-commerce platform split into: User Service (authentication/profiles), Product Service (catalog/inventory), Order Service (cart/checkout), Payment Service (transactions), Notification Service (emails/SMS). Each service has its own database and can be deployed independently.

6.4 Security Flaws in Different Architectures

Monolithic Architecture

  • Single Point of Failure: A compromise in one module can impact the entire application
  • Difficult to Patch: Updates require redeploying the full application, increasing downtime and risk
  • No Isolation: Vulnerabilities in one feature can expose the entire system and all data

Client-Server Architecture

  • API Exposure: Backend APIs may lack proper authentication or authorization checks
  • Client-Side Trust: Validation done on the client can be bypassed, leading to manipulation of requests
  • Session Management Risks: Susceptible to session hijacking, replay attacks, or unauthorized session access

Microservices Architecture

  • Expanded Attack Surface: Many independent services mean more endpoints and potential vulnerabilities
  • Inter-Service Trust: Services may implicitly trust each other, creating risks if one service is compromised
  • Distributed Authorization: Inconsistent access control across services can allow unauthorized access to data or functionality

7. Front End vs Back End

7.1 Front End

Definition: Client-side components that run in the user's browser.

Technologies:

  • HTML: Structure and content
  • CSS: Styling and layout
  • JavaScript: Interactivity and dynamic behavior
  • Frameworks: React, Vue, Angular, Svelte

Responsibilities:

  • Rendering user interface
  • Client-side validation
  • User experience (UX)
  • Local storage and cookies

7.2 Back End

Definition: Server-side components that process requests and manage data.

Components:

Layer Technology Examples Purpose
Operating System Linux, Windows Server Host environment
Web Server Nginx, Apache, IIS Handle HTTP connections
Application Framework Django, Laravel, Express, Spring Business logic
Database MySQL, PostgreSQL, MongoDB Data persistence

Responsibilities:

  • Business logic execution
  • Authentication and authorization
  • Data processing and validation
  • API endpoints
  • Session management
  • Database operations

8. Security Testing Approaches

Understanding different testing methodologies helps you choose the right approach based on available information and testing goals.

8.1 Testing Approaches

Blackbox Testing

  • Access Level: No source code or internal documentation
  • Approach: Test through public interface only
  • Perspective: Simulate real external attacker
  • Tools: Web scanners, fuzzing, manual testing
  • Limitations: Limited visibility into logic, may miss complex vulnerabilities
  • Best For: External penetration testing, compliance assessments

Whitebox Testing

  • Access Level: Full source code and documentation access
  • Approach: Code review combined with testing
  • Perspective: Complete understanding of architecture
  • Tools: Static analysis tools (SAST), code review, manual testing
  • Advantages: Find logic flaws, understand root causes, verify fixes
  • Best For: Pre-release security audits, comprehensive assessments

Greybox Testing

  • Access Level: Partial information (credentials, documentation, some code)
  • Approach: Authenticated testing with limited internal knowledge
  • Perspective: Insider threat or authenticated user perspective
  • Tools: Mix of dynamic and static analysis
  • Common Scenarios: User credentials provided, API documentation available
  • Best For: Most professional security assessments

8.2 Use Cases

Scenario Recommended Approach Reason
External penetration test Blackbox Mimics real attacker without inside knowledge
Pre-release security audit Whitebox Maximum vulnerability coverage
Post-authentication testing Greybox Test authenticated user attack surface
Bug bounty programs Most of the time Blackbox Limited access, public perspective
SDLC integration Whitebox Early detection in development

9. Challenge

i made a small challenge you can find it here challenge

10. Resources and Next Steps

10.1 Learning and Practice Resources

  • MDN Web Docs — Comprehensive documentation for HTTP, HTML, CSS, and JavaScript
  • PortSwigger Web Security Academy — Learn about vulnerabilities and practice exploitation techniques (arguably the best resource)
  • TryHackMe — Interactive learning platform with numerous hands-on labs
  • HackTheBox Academy — Structured learning paths with practical exercises

10.2 Homework for Attendees (Optional)

  1. Practice using cURL to fetch pages and inspect headers
  2. Use Browser DevTools to analyze different websites
  3. Install and explore Burp Suite Community Edition
  4. Install and explore FFUF
  5. https://academy.hackthebox.com/module/details/35
  6. https://academy.hackthebox.com/module/details/110
  7. https://tryhackme.com/room/websecurityessentials
  8. https://tryhackme.com/room/httpindetail
  9. https://play.picoctf.org/practice/challenge/142?category=1&page=1&search=who%20are

End of Session 01 Content

Stay curious, and keep working hard!