返回 Skill 列表
extension
分类: 开发与工程无需 API Key

Pentesting from Beginner to Advanced

该助手提供了一个从基础到高级技术的结构化Web应用程序渗透测试学习路径。当用户询问“学习渗透测试”、“Web安全培训”、“OWASP漏洞”、“BurpSuite教程”、“渗透测试路线图”或“Web应用程序安全课程”时激活。

person作者: jakexiaohubgithub

Pentesting from Beginner to Advanced

Purpose

Provide a structured learning path for web application penetration testing, progressing from foundational concepts through advanced exploitation techniques. Guide learners through each phase of the web security assessment process.

Inputs/Prerequisites

  • Basic computer and networking knowledge
  • Kali Linux or security-focused OS
  • BurpSuite installed and configured
  • Lab environment (bWAPP, DVWA, or similar)
  • Web browser with developer tools

Outputs/Deliverables

  • Foundational web security knowledge
  • Practical exploitation skills
  • Understanding of OWASP Top 10
  • Ability to conduct web application assessments
  • Vulnerability identification and reporting skills

Core Workflow

Phase 1: History and Fundamentals

Understanding the Internet:

  • Learn how the internet was developed
  • Understand client-server architecture
  • Grasp basic web communication models

Key Concepts:

  • HTTP protocol fundamentals
  • Request/response structure
  • Client vs server-side processing

Phase 2: Web and Server Technology

HTTP Protocol Basics:

HTTP Request Structure:
GET /page HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Cookie: session=abc123

HTTP Response Structure:
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=xyz789

<html>...</html>

Essential Concepts:

| Topic | Description | |-------|-------------| | HTTP Methods | GET, POST, PUT, DELETE, OPTIONS | | Status Codes | 200 OK, 301 Redirect, 403 Forbidden, 404 Not Found, 500 Error | | Headers | Request and response metadata | | Cookies | Session management, tracking | | Sessions | Server-side state management | | URLs | Structure and parameters | | REST APIs | Resource-based web services |

Encoding Types:

# URL Encoding
Space -> %20
< -> %3C
> -> %3E
" -> %22

# HTML Encoding
< -> &lt;
> -> &gt;
& -> &amp;

# Base64 Encoding
echo "text" | base64
echo "dGV4dAo=" | base64 -d

Phase 3: Lab Setup with BurpSuite

Install BurpSuite:

# Download from PortSwigger
# Configure browser proxy: 127.0.0.1:8080
# Import Burp CA certificate

Configure Browser:

  1. Set proxy to 127.0.0.1:8080
  2. Import BurpSuite CA certificate
  3. Disable certificate validation for testing

BurpSuite Modules:

| Module | Purpose | |--------|---------| | Proxy | Intercept and modify traffic | | Repeater | Manually modify and resend requests | | Intruder | Automated attacks and fuzzing | | Scanner | Automated vulnerability detection | | Decoder | Encode/decode data | | Comparer | Compare responses | | Sequencer | Analyze session token randomness |

Set Up Practice Lab:

# Install Docker
apt install docker.io

# Run bWAPP
docker run -d -p 80:80 raesene/bwapp

# Run DVWA
docker run -d -p 80:80 vulnerables/web-dvwa

# Access at http://localhost

Phase 4: Application Mapping

Discovery Techniques:

# Robots.txt analysis
curl http://target/robots.txt

# Directory brute forcing
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
dirbuster -u http://target -l /usr/share/wordlists/dirb/common.txt

# Spidering with Burp
# Use Target > Site Map > Spider

Entry Point Identification:

  • Forms and input fields
  • URL parameters
  • Hidden fields
  • Cookies
  • HTTP headers

Technology Fingerprinting:

# Whatweb
whatweb http://target

# Wappalyzer (browser extension)

# Nmap fingerprinting
nmap -sV --script http-enum target

# Banner grabbing
curl -I http://target

Phase 5: OWASP Top 10 Vulnerabilities

1. Injection (A03:2021)

# SQL Injection
' OR 1=1--
" OR ""="
'; DROP TABLE users;--

# Command Injection
; ls -la
| cat /etc/passwd
&& whoami

# LDAP Injection
*)(uid=*))(|(uid=*

2. Broken Authentication (A07:2021)

- Weak passwords
- Session fixation
- Credential stuffing
- Missing MFA
- Insecure password recovery

3. Cross-Site Scripting (A03:2021)

<!-- Reflected XSS -->
<script>alert('XSS')</script>

<!-- Stored XSS -->
<img src=x onerror="alert('XSS')">

<!-- DOM-based XSS -->
<svg onload="alert('XSS')">

<!-- Filter bypass -->
<ScRiPt>alert('XSS')</ScRiPt>
<img src="x" onerror="alert('XSS')">

4. Insecure Direct Object Reference (A01:2021)

# IDOR Examples
/api/user/123    -> /api/user/124
/download?id=1   -> /download?id=2
/invoice/10001   -> /invoice/10002

5. Security Misconfiguration (A05:2021)

- Default credentials
- Unnecessary features enabled
- Error messages revealing info
- Missing security headers
- Outdated software

6. Sensitive Data Exposure (A02:2021)

- Unencrypted transmission
- Weak encryption
- Exposed API keys
- Hardcoded credentials
- Information in error messages

7. Missing Access Controls (A01:2021)

- Horizontal privilege escalation
- Vertical privilege escalation
- Forced browsing to admin pages
- API without authentication

8. Cross-Site Request Forgery (A01:2021)

<!-- CSRF Attack Form -->
<form action="http://target/transfer" method="POST">
  <input type="hidden" name="amount" value="10000">
  <input type="hidden" name="to" value="attacker">
  <input type="submit" value="Click Me!">
</form>

9. Components with Known Vulnerabilities (A06:2021)

# Check for CVEs
searchsploit apache 2.4
searchsploit wordpress 5.0

# Retire.js for JavaScript
retire --path /path/to/js

10. Insufficient Logging (A09:2021)

- Failed login attempts not logged
- No audit trail
- Logs not monitored
- Logs stored insecurely

Phase 6: Session Management Testing

Session Analysis:

# Burp Sequencer
# Analyze token randomness and predictability

# Check for:
- Session fixation
- Session hijacking
- Weak session tokens
- Missing timeout
- Insecure transmission

Cookie Security Flags:

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict

| Flag | Purpose | |------|---------| | Secure | HTTPS only | | HttpOnly | No JavaScript access | | SameSite | CSRF protection |

Phase 7: Bypassing Client-Side Controls

Hidden Field Manipulation:

<!-- Original -->
<input type="hidden" name="price" value="100">

<!-- Modified in Burp -->
<input type="hidden" name="price" value="1">

JavaScript Validation Bypass:

  • Disable JavaScript in browser
  • Intercept and modify with Burp
  • Replay requests with modified values

Phase 8: Authentication Attacks

Common Techniques:

# Brute force
hydra -l admin -P passwords.txt target http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# Username enumeration
# Different responses for valid/invalid users

# Password reset flaws
# Predictable tokens, no rate limiting

Phase 9: Access Control Testing

IDOR Testing:

# Increment IDs
/user/1 -> /user/2

# Change parameters
?role=user -> ?role=admin

# Use Burp Intruder for automation

Phase 10: Input Validation Testing

Injection Points:

# All user input
# URL parameters
# Form fields
# Headers (User-Agent, Referer)
# Cookies
# File uploads

Fuzzing with Burp:

  1. Send request to Intruder
  2. Mark injection points
  3. Select payload list
  4. Analyze responses

Phase 11: Error Code Analysis

# Force errors for information
- Invalid input types
- Long strings
- Special characters
- SQL syntax errors

# Look for:
- Stack traces
- Database errors
- Path disclosure
- Version information

Phase 12: Cryptography Testing

# Check for:
- Weak algorithms (MD5, SHA1, DES)
- ECB mode usage
- Hardcoded keys
- Missing encryption

# SSL/TLS testing
sslscan target:443
testssl.sh target

Phase 13: Business Logic Vulnerabilities

Common Issues:

  • Price manipulation
  • Skipping workflow steps
  • Race conditions
  • Abuse of functionality

Testing Approach:

  1. Understand normal workflow
  2. Attempt to skip steps
  3. Modify values mid-process
  4. Test race conditions

Quick Reference

Essential Tools

| Tool | Purpose | |------|---------| | BurpSuite | Web proxy and testing | | OWASP ZAP | Open source alternative | | sqlmap | SQL injection automation | | Nikto | Web server scanning | | Gobuster | Directory enumeration |

Testing Checklist

□ Map application and entry points
□ Test authentication mechanisms
□ Check authorization controls
□ Test input validation
□ Analyze session management
□ Check for injection flaws
□ Test business logic
□ Review error handling
□ Assess cryptographic implementation

Constraints

  • Only test authorized systems
  • Lab environments are essential for learning
  • Real-world applications may differ from labs
  • Tools require understanding, not just execution

Examples

Example 1: Quick XSS Test

<script>alert(document.domain)</script>

Example 2: SQLi Detection

' OR '1'='1

Troubleshooting

| Issue | Solution | |-------|----------| | Burp not intercepting | Check proxy settings, CA certificate | | Lab not loading | Verify Docker is running | | Payloads blocked | Try encoding, alternative syntax | | Tool errors | Check dependencies, permissions |