
pentesting-from-beginner-to-advanced

by zebbern

A collection of penetration testing and Linux administration commands in PDFs. Includes detailed guides on tools such as Nmap, Sqlmap and Hydra, and on Linux system management.

13 stars, 3 forks, 2026-01-22

SKILL.md


---
name: Pentesting from Beginner to Advanced
description: |
  The assistant provides a structured web application penetration testing learning path from fundamentals to advanced techniques. Activate when users ask about "learning pentesting," "web security training," "OWASP vulnerabilities," "BurpSuite tutorial," "penetration testing roadmap," or "web app security course."
version: "1.0.0"
tags:
  - training
  - web-security
  - owasp
  - burpsuite
  - learning-path
---

Pentesting from Beginner to Advanced

Purpose

Provide a structured learning path for web application penetration testing, progressing from foundational concepts through advanced exploitation techniques. Guide learners through each phase of the web security assessment process.

Inputs/Prerequisites

  • Basic computer and networking knowledge
  • Kali Linux or security-focused OS
  • BurpSuite installed and configured
  • Lab environment (bWAPP, DVWA, or similar)
  • Web browser with developer tools

Outputs/Deliverables

  • Foundational web security knowledge
  • Practical exploitation skills
  • Understanding of OWASP Top 10
  • Ability to conduct web application assessments
  • Vulnerability identification and reporting skills

Core Workflow

Phase 1: History and Fundamentals

Understanding the Internet:

  • Learn how the internet was developed
  • Understand client-server architecture
  • Grasp basic web communication models

Key Concepts:

  • HTTP protocol fundamentals
  • Request/response structure
  • Client vs server-side processing

Phase 2: Web and Server Technology

HTTP Protocol Basics:

HTTP Request Structure:
GET /page HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Cookie: session=abc123

HTTP Response Structure:
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=xyz789

<html>...</html>

Essential Concepts:

| Topic | Description |
| --- | --- |
| HTTP Methods | GET, POST, PUT, DELETE, OPTIONS |
| Status Codes | 200 OK, 301 Moved Permanently, 403 Forbidden, 404 Not Found, 500 Internal Server Error |
| Headers | Request and response metadata |
| Cookies | Session management, tracking |
| Sessions | Server-side state management |
| URLs | Structure and parameters |
| REST APIs | Resource-based web services |

Encoding Types:

# URL Encoding
Space -> %20
< -> %3C
> -> %3E
" -> %22

# HTML Encoding
< -> &lt;
> -> &gt;
& -> &amp;

# Base64 Encoding
echo "text" | base64
echo "dGV4dAo=" | base64 -d
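In practice these encodings are stacked: a Base64 blob inside a URL-encoded parameter, HTML entities inside that, and so on, which is why Burp Decoder has a "smart decode" button. The Python script below is an added example and not part of the original repository; it peels URL, HTML-entity and Base64 layers one at a time, outermost first, until a pass changes nothing. The `wrap_payload` helper and its sample payload are constructed for the demo.

```python
import base64
import binascii
import html
import re
from urllib.parse import quote, unquote

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_like_text(data: bytes):
    """Accept a Base64 result only if it decodes to printable text; otherwise it was probably not Base64."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch.isspace() for ch in text):
        return text
    return None


def peel_encodings(value: str, max_layers: int = 8):
    """Strip nested URL / HTML-entity / Base64 layers, outermost first.

    Returns [(layer_name, value_after_removing_it), ...] and stops when a pass changes nothing
    or when a candidate Base64 layer does not decode to text.
    """
    steps = []
    for _ in range(max_layers):
        if "%" in value and unquote(value) != value:            # %XX escapes
            value = unquote(value)
            steps.append(("url", value))
        elif "&" in value and html.unescape(value) != value:    # &lt; &#x3c; &amp; ...
            value = html.unescape(value)
            steps.append(("html", value))
        elif B64_RE.fullmatch(value) and len(value) % 4 == 0:  # Base64 alphabet and padding
            try:
                decoded = looks_like_text(base64.b64decode(value, validate=True))
            except binascii.Error:
                decoded = None
            if decoded is None:
                break
            value = decoded
            steps.append(("base64", value))
        else:
            break
    return steps


def wrap_payload(payload: str):
    """Constructed test input: URL-encode, Base64, then URL-encode again (the '=' padding becomes %3D)."""
    inner = quote(payload)
    b64 = base64.b64encode(inner.encode()).decode()
    return quote(b64)


if __name__ == "__main__":
    sample = wrap_payload("<script>alert(1)</script>")
    print("encoded:", sample)
    for layer, decoded in peel_encodings(sample):
        print(f"{layer:7} -> {decoded}")
```

The Base64 branch is the risky one: almost any short alphanumeric word matches the alphabet, so the script only accepts a layer when the decoded bytes are printable text, which is the same heuristic a decoder needs to avoid turning `text` into garbage.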

Phase 3: Lab Setup with BurpSuite

Install BurpSuite:

# Download from PortSwigger
# Configure browser proxy: 127.0.0.1:8080
# Import Burp CA certificate

Configure Browser:

  1. Set the HTTP and HTTPS proxy to 127.0.0.1:8080
  2. Browse to http://burpsuite (or http://127.0.0.1:8080) and import the Burp CA certificate into the browser's trust store
  3. Do not disable certificate validation globally; once the Burp CA is trusted, intercepted HTTPS validates normally, and Burp's embedded browser (Proxy > Intercept > Open browser) comes preconfigured

BurpSuite Modules:

| Module | Purpose |
| --- | --- |
| Proxy | Intercept and modify traffic |
| Repeater | Manually modify and resend requests |
| Intruder | Automated attacks and fuzzing |
| Scanner | Automated vulnerability detection (Professional edition only) |
| Decoder | Encode/decode data |
| Comparer | Compare responses |
| Sequencer | Analyze session token randomness |

Set Up Practice Lab:

# Install Docker
sudo apt install docker.io

# Run bWAPP and DVWA on different host ports (both containers listen on 80 inside,
# and 8080 is taken by Burp). Then complete each app's database setup page.
docker run -d -p 8081:80 raesene/bwapp
docker run -d -p 8082:80 vulnerables/web-dvwa

# bWAPP: http://localhost:8081/install.php, then log in
# DVWA:  http://localhost:8082, log in as admin/password, click "Create / Reset Database"

Phase 4: Application Mapping

Discovery Techniques:

# Robots.txt analysis
curl http://target/robots.txt

# Directory brute forcing (wordlist from the dirb package)
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
dirb http://target /usr/share/wordlists/dirb/common.txt

# Crawling with Burp
# Community: Target > Site map fills in as you browse through the proxy
# Professional: Dashboard > New scan > Crawl (the old Spider tab was replaced by the crawler)

Entry Point Identification:

  • Forms and input fields
  • URL parameters
  • Hidden fields
  • Cookies
  • HTTP headers

Technology Fingerprinting:

# Whatweb
whatweb http://target

# Wappalyzer (browser extension)

# Nmap fingerprinting
nmap -sV --script http-enum target

# Banner grabbing
curl -I http://target

Phase 5: OWASP Top 10 Vulnerabilities

1. Injection (A03:2021)

# SQL Injection
' OR 1=1--
" OR ""="
'; DROP TABLE users;--

# Command Injection
; ls -la
| cat /etc/passwd
&& whoami

# LDAP Injection
*)(uid=*))(|(uid=*

2. Broken Authentication (A07:2021 Identification and Authentication Failures)

- Weak passwords
- Session fixation
- Credential stuffing
- Missing MFA
- Insecure password recovery

3. Cross-Site Scripting (A03:2021)

<!-- The payload does not decide the XSS type; where the input ends up does:
     reflected = echoed straight back from the request,
     stored    = saved server-side and served to other users later,
     DOM-based = written into the page by client-side JavaScript -->

<!-- Basic probe -->
<script>alert('XSS')</script>

<!-- Event-handler payloads: a <script> tag inserted via innerHTML does not execute,
     so these are the ones that fire in DOM-based sinks and when <script> is stripped -->
<img src=x onerror="alert('XSS')">
<svg onload="alert('XSS')">

<!-- Filter bypass: mixed case defeats a case-sensitive blacklist, quoted attributes defeat a filter that only matches the unquoted form -->
<ScRiPt>alert('XSS')</ScRiPt>
<img src="x" onerror="alert('XSS')">

4. Insecure Direct Object Reference (A01:2021)

# IDOR Examples
/api/user/123    -> /api/user/124
/download?id=1   -> /download?id=2
/invoice/10001   -> /invoice/10002

5. Security Misconfiguration (A05:2021)

- Default credentials
- Unnecessary features enabled
- Error messages revealing info
- Missing security headers
- Outdated software

6. Sensitive Data Exposure (A02:2021 Cryptographic Failures)

- Unencrypted transmission
- Weak encryption
- Exposed API keys
- Hardcoded credentials
- Information in error messages

7. Missing Access Controls (A01:2021)

- Horizontal privilege escalation
- Vertical privilege escalation
- Forced browsing to admin pages
- API without authentication

8. Cross-Site Request Forgery (A01:2021)

<!-- CSRF Attack Form -->
<form action="http://target/transfer" method="POST">
  <input type="hidden" name="amount" value="10000">
  <input type="hidden" name="to" value="attacker">
  <input type="submit" value="Click Me!">
</form>

9. Components with Known Vulnerabilities (A06:2021 Vulnerable and Outdated Components)

# Check for CVEs
searchsploit apache 2.4
searchsploit wordpress 5.0

# Retire.js for JavaScript
retire --path /path/to/js

10. Insufficient Logging (A09:2021 Security Logging and Monitoring Failures)

- Failed login attempts not logged
- No audit trail
- Logs not monitored
- Logs stored insecurely

Phase 6: Session Management Testing

Session Analysis:

# Burp Sequencer
# Analyze token randomness and predictability

# Check for:
- Session fixation
- Session hijacking
- Weak session tokens
- Missing timeout
- Insecure transmission

Cookie Security Flags:

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict

| Flag | Purpose |
| --- | --- |
| Secure | Sent over HTTPS only |
| HttpOnly | No JavaScript access |
| SameSite | CSRF protection |
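Two of the checks above can be scripted over captured headers and tokens. The Python script below is an added example, not part of the original repository: `audit_set_cookie` reports which flags a `Set-Cookie` header is missing (the sample headers are constructed), and `positional_entropy_bits` is a rough Sequencer-style estimate that sums the Shannon entropy of each character position across a sample of tokens, so a counter or timestamp scores near zero while 32 hex characters of real randomness score above 100 bits. It is a lower bound on a small sample, not a proof that tokens are unpredictable.

```python
import math
import random
from collections import Counter
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers for the demo (not captured from a real application)
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/",
    "session=abc123; Secure; HttpOnly; SameSite=Strict",
    "id=42; HttpOnly; SameSite=Lax; Domain=example.com",
]


def audit_set_cookie(header: str):
    """Return (cookie_name, finding) pairs for every protection missing from one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append((name, "missing Secure"))
        if not morsel["httponly"]:
            findings.append((name, "missing HttpOnly"))
        samesite = morsel["samesite"]
        if not samesite:
            findings.append((name, "missing SameSite"))
        elif samesite.lower() == "none" and not morsel["secure"]:
            findings.append((name, "SameSite=None without Secure (browsers reject it)"))
    return findings


def positional_entropy_bits(tokens):
    """Sum over character positions of the Shannon entropy of the symbol seen at that position.

    Positions that never change contribute 0 bits, which is what exposes sequential IDs and
    timestamps. Only the first min(len) characters are compared.
    """
    if not tokens:
        return 0.0
    width = min(len(t) for t in tokens)
    n = len(tokens)
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def sample_tokens(kind: str, count: int = 20):
    """Constructed token samples: 'sequential' mimics an incrementing ID, anything else mimics 128-bit hex.

    The pseudo-random sample is seeded so the demo is repeatable; on an engagement the tokens
    come from repeated logins against the target.
    """
    if kind == "sequential":
        return [f"{i:08d}" for i in range(1, count + 1)]
    rng = random.Random(2024)
    return ["".join(rng.choice("0123456789abcdef") for _ in range(32)) for _ in range(count)]


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIES:
        print(header, "->", audit_set_cookie(header) or "ok")
    for kind in ("sequential", "random"):
        print(f"{kind:10} ~{positional_entropy_bits(sample_tokens(kind)):.1f} bits")
```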

Phase 7: Bypassing Client-Side Controls

Hidden Field Manipulation:

<!-- Original form field; the browser submits it as the POST parameter price=100 -->
<input type="hidden" name="price" value="100">

<!-- Intercept the submitted request in Burp Proxy and change price=100 to price=1;
     if the server trusts the value instead of looking the price up, the order goes through -->
<input type="hidden" name="price" value="1">

JavaScript Validation Bypass:

  • Disable JavaScript in browser
  • Intercept and modify with Burp
  • Replay requests with modified values

Phase 8: Authentication Attacks

Common Techniques:

# Brute force (http-post-form takes "<path>:<body with ^USER^/^PASS^>:<string present on a failed login>")
hydra -l admin -P passwords.txt target http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# Username enumeration
# Different responses for valid/invalid users

# Password reset flaws
# Predictable tokens, no rate limiting

Phase 9: Access Control Testing

IDOR Testing:

# Increment IDs
/user/1 -> /user/2

# Change parameters
?role=user -> ?role=admin

# Use Burp Intruder for automation

Phase 10: Input Validation Testing

Injection Points:

# All user input
# URL parameters
# Form fields
# Headers (User-Agent, Referer)
# Cookies
# File uploads

Fuzzing with Burp:

  1. Send request to Intruder
  2. Mark injection points
  3. Select payload list
  4. Analyze responses
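The request structure from Phase 2, the entry points from Phase 4 and the injection points above are the same data seen three times, and Intruder's sniper mode is just "one request per (point, payload)". The Python script below is an added example and not code from the repository: it parses a raw HTTP/1.1 request as copied from Burp (the sample request and host are constructed), enumerates every user-controlled value, and generates the mutated requests an Intruder run would send, recomputing `Content-Length` for each. It only builds the requests; sending them is left to whatever transport you use against an authorised target.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample: a raw request as it appears in Burp Proxy (example.com is a placeholder)
SAMPLE_REQUEST = (
    "POST /search?q=test&page=1 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://example.com/\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "term=shoes&sort=price"
)

FORM = "application/x-www-form-urlencoded"
HEADER_POINTS = ("User-Agent", "Referer")   # headers the page lists as injection points


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into request line, headers, cookies, query and form body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    parts = urlsplit(target)
    is_form = headers.get("Content-Type", "").startswith(FORM)
    return {
        "method": method, "path": parts.path, "version": version, "headers": headers,
        "query": parse_qsl(parts.query, keep_blank_values=True),
        "cookies": {k: m.value for k, m in jar.items()},
        "body": parse_qsl(body, keep_blank_values=True) if is_form else [],
        "raw_body": body,
    }


def injection_points(req):
    """Every user-controlled value: (location, name, current value)."""
    points = [("query", k, v) for k, v in req["query"]]
    points += [("body", k, v) for k, v in req["body"]]
    points += [("cookie", k, v) for k, v in req["cookies"].items()]
    points += [("header", h, req["headers"][h]) for h in HEADER_POINTS if h in req["headers"]]
    return points


def build_request(req):
    """Serialise the parsed structure back to a raw request with a correct Content-Length."""
    query = urlencode(req["query"])
    target = req["path"] + ("?" + query if query else "")
    headers = dict(req["headers"])
    if req["cookies"]:   # cookie values are inserted as-is; encode ';' yourself if a payload needs it
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in req["cookies"].items())
    body = urlencode(req["body"]) if req["body"] else req["raw_body"]
    if body or "Content-Length" in headers:
        headers["Content-Length"] = str(len(body.encode()))
    lines = [f"{req['method']} {target} {req['version']}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def fuzz_variants(req, payloads):
    """Sniper-style fuzzing: one request per (injection point, payload), everything else unchanged."""
    variants = []
    for location, name, _ in injection_points(req):
        for payload in payloads:
            mutated = {**req, "query": list(req["query"]), "body": list(req["body"]),
                       "cookies": dict(req["cookies"]), "headers": dict(req["headers"])}
            if location == "query":
                mutated["query"] = [(k, payload if k == name else v) for k, v in mutated["query"]]
            elif location == "body":
                mutated["body"] = [(k, payload if k == name else v) for k, v in mutated["body"]]
            elif location == "cookie":
                mutated["cookies"][name] = payload
            else:
                mutated["headers"][name] = payload
            variants.append((location, name, payload, build_request(mutated)))
    return variants


if __name__ == "__main__":
    parsed = parse_request(SAMPLE_REQUEST)
    print("injection points:", injection_points(parsed))
    for loc, name, payload, raw in fuzz_variants(parsed, ["' OR 1=1--"]):
        print(f"--- {loc}:{name}\n{raw}\n")
```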

Phase 11: Error Code Analysis

# Force errors for information
- Invalid input types
- Long strings
- Special characters
- SQL syntax errors

# Look for:
- Stack traces
- Database errors
- Path disclosure
- Version information
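The "look for" list above is a set of response-body signatures, and grepping for them over every response in a crawl is how scanners flag verbose errors. The Python script below is an added example, not part of the original repository: it carries a handful of regexes for the leak types listed (MySQL and MSSQL error text, Java stack-trace frames, PHP warnings, filesystem paths, the ASP.NET version banner) and runs them over constructed sample responses that imitate the real error formats.

```python
import re

# Constructed response bodies that imitate common verbose-error output (not captured from a real target)
SAMPLE_RESPONSES = {
    "php": "Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given "
           "in /var/www/html/search.php on line 42",
    "mysql": "You have an error in your SQL syntax; check the manual that corresponds to your "
             "MySQL server version for the right syntax to use near ''' at line 1",
    "java": "java.lang.NullPointerException\n"
            "\tat com.example.shop.CartController.add(CartController.java:88)\n"
            "\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:764)",
    "aspnet": "Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4494.0",
    "clean": "<html><body>No results found.</body></html>",
}

# (finding name, regex). Each pattern is a recognisable fragment of the product's real error text.
ERROR_SIGNATURES = [
    ("mysql_error", re.compile(r"You have an error in your SQL syntax|supplied argument is not a valid MySQL")),
    ("mssql_error", re.compile(r"Unclosed quotation mark after the character string|Microsoft OLE DB Provider for SQL Server")),
    ("java_stack_trace", re.compile(r"^\s*at [\w.$]+\([\w$]+\.java:\d+\)", re.M)),
    ("php_warning", re.compile(r"(?:Warning|Fatal error|Notice|Parse error): .+ in /[\w./-]+ on line \d+")),
    ("path_disclosure", re.compile(r"[A-Za-z]:\\[\\\w .-]+|/(?:var/www|home|usr/local|srv)[/\w.-]*")),
    ("aspnet_version", re.compile(r"ASP\.NET Version:\s*[\d.]+")),
]


def scan_response(body: str):
    """Return {finding_name: first matching fragment} for every signature present in a response body."""
    hits = {}
    for name, pattern in ERROR_SIGNATURES:
        match = pattern.search(body)
        if match:
            hits[name] = match.group(0)
    return hits


def scan_all(responses):
    """Run scan_response over a {label: body} mapping; handy over a folder of saved Burp responses."""
    return {label: sorted(scan_response(body)) for label, body in responses.items()}


if __name__ == "__main__":
    for label, findings in scan_all(SAMPLE_RESPONSES).items():
        print(f"{label:7} {findings or 'no leaks'}")
```

The PHP sample trips two signatures at once (the warning text and the `/var/www` path inside it), which is the usual shape of a finding: the error class tells you the stack, the path tells you where the code lives.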

Phase 12: Cryptography Testing

# Check for:
- Weak algorithms (MD5, SHA1, DES)
- ECB mode usage
- Hardcoded keys
- Missing encryption

# SSL/TLS testing
sslscan target:443
testssl.sh target

Phase 13: Business Logic Vulnerabilities

Common Issues:

  • Price manipulation
  • Skipping workflow steps
  • Race conditions
  • Abuse of functionality

Testing Approach:

  1. Understand normal workflow
  2. Attempt to skip steps
  3. Modify values mid-process
  4. Test race conditions
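Step 4 is the one that needs a concrete picture: a race condition in business logic is almost always a check-then-act pair (is the coupon unused? then credit the account) with a gap between the two that concurrent requests can all slip through. The Python script below is an added example, not code from the repository: it models a single-use coupon (constructed, in-process, no web server), fires twenty "requests" at it as threads, and shows the unlocked version crediting far more than once while the locked version credits exactly once. The `sleep` stands in for the database round trip that makes the window exploitable in a real application.

```python
import threading
import time


class CouponStore:
    """Constructed model of a single-use coupon worth 10 credits."""

    def __init__(self):
        self.redeemed = False
        self.credits = 0
        self.lock = threading.Lock()

    def redeem_vulnerable(self):
        if not self.redeemed:          # check
            time.sleep(0.01)           # window: every thread that reaches here has already passed the check
            self.credits += 10         # act
            self.redeemed = True

    def redeem_safe(self):
        with self.lock:                # check and act are one atomic step
            if not self.redeemed:      # (in a real app: SELECT ... FOR UPDATE, or UPDATE ... WHERE redeemed = 0)
                time.sleep(0.01)
                self.credits += 10
                self.redeemed = True


def fire_concurrently(fn, n: int = 20):
    """Start n threads calling fn at once, the way Burp Intruder or a batch of parallel requests would."""
    threads = [threading.Thread(target=fn) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def run_race(n: int = 20):
    """Return (credits after racing the vulnerable path, credits after racing the safe path)."""
    vulnerable = CouponStore()
    fire_concurrently(vulnerable.redeem_vulnerable, n)
    safe = CouponStore()
    fire_concurrently(safe.redeem_safe, n)
    return vulnerable.credits, safe.credits


if __name__ == "__main__":
    vuln, safe = run_race()
    print(f"vulnerable: {vuln} credits from one coupon, safe: {safe}")
```

Against a live target the equivalent is sending the same redeem request many times in parallel (Burp Repeater's "send group in parallel" or Turbo Intruder) and checking whether the balance moved more than once; the fix is an atomic conditional update in the database, not a client-side or per-process lock.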

Quick Reference

Essential Tools

| Tool | Purpose |
| --- | --- |
| BurpSuite | Web proxy and testing |
| OWASP ZAP | Open source alternative |
| sqlmap | SQL injection automation |
| Nikto | Web server scanning |
| Gobuster | Directory enumeration |

Testing Checklist

□ Map application and entry points
□ Test authentication mechanisms
□ Check authorization controls
□ Test input validation
□ Analyze session management
□ Check for injection flaws
□ Test business logic
□ Review error handling
□ Assess cryptographic implementation

Constraints

  • Only test authorized systems
  • Lab environments are essential for learning
  • Real-world applications may differ from labs
  • Tools require understanding, not just execution

Examples

Example 1: Quick XSS Test

<script>alert(document.domain)</script>

Example 2: SQLi Detection

' OR '1'='1

Troubleshooting

| Issue | Solution |
| --- | --- |
| Burp not intercepting | Check proxy settings, CA certificate |
| Lab not loading | Verify Docker is running |
| Payloads blocked | Try encoding, alternative syntax |
| Tool errors | Check dependencies, permissions |
