Day 2 of 5
⏱ ~60 minutes
Penetration Testing in 5 Days — Day 2

Web Application Testing

Web applications are the most common attack surface in modern engagements. Today you work through OWASP Top 10 vulnerabilities using Burp Suite, the industry's most powerful web proxy.

Burp Suite Fundamentals

Burp Suite sits between your browser and the target as an intercepting proxy for HTTP/HTTPS traffic. The Proxy tab captures requests, which you can modify before forwarding and later replay. Repeater sends hand-edited requests one at a time. Scanner (Pro only) automates vulnerability detection. Intruder runs automated fuzzing with payload lists. Set your browser to use Burp as its proxy (127.0.0.1:8080) and install Burp's CA certificate in the browser so HTTPS traffic can be decrypted and inspected without certificate warnings.

SQL Injection

SQL injection occurs when untrusted input is concatenated into a database query instead of being passed as a bound parameter, so the input can change the structure of the query itself. Test for it by injecting a single quote (') and watching for database errors or changed behaviour. SQLmap automates detection and exploitation — it can enumerate and dump databases, bypass authentication, and even obtain a shell if the DB user has FILE privileges. OWASP's DVWA and WebGoat provide safe practice targets.

Cross-Site Scripting (XSS)

XSS injects attacker-controlled script into pages viewed by other users. Reflected XSS echoes your payload back in the response to the same request that carried it. Stored XSS persists in the database and affects every user who visits the page. DOM-based XSS never touches the server: client-side JavaScript reads attacker-controlled data (for example from the URL fragment) and writes it into the page unsafely. XSS can steal session cookies, redirect users, and perform actions on their behalf.
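To make the reflected and stored variants concrete, here is an added Python example (not part of the course material) that models a search page and a guestbook in the style of DVWA. It reuses the two XSS payloads listed in the command block and shows the unescaped rendering beside the fix, HTML output encoding with the standard library's `html.escape`. The `executes_script` check is a constructed helper for this demo only; a real browser decides what executes, this just tests whether a raw payload survives into the page.

```python
import html

# Constructed test payloads: the same two listed in this lesson's command block
PAYLOADS = ["<script>alert('XSS')</script>", "<img src=x onerror=alert(1)>"]


def render_search_vulnerable(term: str) -> str:
    """Reflected XSS: the query term is interpolated straight into the HTML response."""
    return f"<p>You searched for: {term}</p>"


def render_search_safe(term: str) -> str:
    """Fixed version: <, >, &, ' and " become entities, so the browser renders text."""
    return f"<p>You searched for: {html.escape(term, quote=True)}</p>"


class Guestbook:
    """Stored XSS model: entries persist and are rendered for every later visitor.

    escape_output=False mirrors DVWA's low-security guestbook; True is the fix.
    """

    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.entries = []  # (name, message), stored verbatim like a database row

    def post(self, name: str, message: str) -> None:
        # Storing raw input is fine; the bug is rendering it raw later on.
        self.entries.append((name, message))

    def render(self) -> str:
        rows = []
        for name, message in self.entries:
            if self.escape_output:
                name = html.escape(name, quote=True)
                message = html.escape(message, quote=True)
            rows.append(f"<div><b>{name}</b>: {message}</div>")
        return "\n".join(rows)


def executes_script(page: str) -> bool:
    """Demo-only check: does any raw payload survive unencoded into the page?"""
    return any(p in page for p in PAYLOADS)


if __name__ == "__main__":
    # Reflected: the same input, rendered by the vulnerable and the fixed function
    for p in PAYLOADS:
        print("vulnerable:", render_search_vulnerable(p))
        print("safe:      ", render_search_safe(p))

    # Stored: one poisoned entry affects every render, unless output is encoded
    for escape in (False, True):
        book = Guestbook(escape_output=escape)
        book.post("visitor", PAYLOADS[1])
        print(f"guestbook escape_output={escape}: executes={executes_script(book.render())}")
```

`html.escape` is the right fix for text placed inside an HTML element or a quoted attribute; data written into a JavaScript block, a URL, or a CSS context needs that context's own encoding, and DOM-based XSS is fixed in the client-side code (use `textContent` rather than `innerHTML`) because the server never sees the payload.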

```bash
# SQLmap basic usage
sqlmap -u 'http://192.168.1.100/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' \
  --cookie='PHPSESSID=abc123; security=low' \
  --dbs

# SQLmap dump a specific table
sqlmap -u '[url]' --cookie='[cookie]' -D dvwa -T users --dump

# XSS test payloads
# <script>alert('XSS')</script>
# <img src=x onerror=alert(1)>

# Burp Suite CLI scanner (Pro)
java -jar burpsuite_pro.jar --project-file=scan.burp

# OWASP ZAP CLI alternative (free)
zap-cli --zap-path /usr/share/zaproxy quick-scan \
  --self-contained --start-options '-config api.disablekey=true' \
  http://192.168.1.100
```
💡 Always test SQLi with manual confirmation before running SQLmap — automated tools can be noisy and trigger WAFs. A single quote and Boolean-based tests tell you if injection is viable.
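The following is an added Python example (not from the course) that ties the SQL Injection section and the tip above together. It builds a constructed in-memory SQLite table in the shape of DVWA's `users` table, shows the string-concatenated query beside its parameterised fix, and encodes the manual confirmation steps the tip describes (a lone single quote, then a true/false Boolean pair) as a `probe` function you can run against your own endpoint before and after a fix. The table contents, function names and the `probe` result keys are all assumptions made for this demo.

```python
import sqlite3

# Constructed stand-in for DVWA's `users` table (names are made up for the demo)
SEED_ROWS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Mirrors DVWA's low-security SQLi page: the id is concatenated into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Fix: a bound parameter is sent as data, so quotes can never alter the query."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def probe(lookup, conn: sqlite3.Connection, base_id: str = "1") -> dict:
    """The manual checks from the tip: single quote, then a Boolean true/false pair.

    Returns which signals fired. Both False after a fix means the parameter no
    longer reaches the query as SQL.
    """
    result = {}
    try:
        lookup(conn, base_id + "'")          # unbalanced quote -> syntax error if injectable
        result["single_quote_error"] = False
    except sqlite3.Error:
        result["single_quote_error"] = True
    # Boolean-based: an always-true and an always-false condition should behave
    # identically if the input is treated as data, and differ if it is parsed as SQL.
    true_rows = lookup(conn, f"{base_id}' AND '1'='1")
    false_rows = lookup(conn, f"{base_id}' AND '1'='2")
    result["boolean_differential"] = true_rows != false_rows
    return result


if __name__ == "__main__":
    conn = build_db()
    print("normal lookup:", lookup_vulnerable(conn, "1"))
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(f"{name}: {probe(fn, conn)}")
```

The differential test is the one to trust: error messages can be hidden by a generic error page, but a response that changes between `'1'='1` and `'1'='2` shows the database is evaluating your input. The same pair run against the parameterised function returns identical empty results, which is how you confirm a fix held.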
📝 Day 2 Exercise
Find SQLi and XSS in DVWA
  1. Set up DVWA in your Metasploitable VM or as a standalone Docker container
  2. Configure Burp Suite as your browser proxy and capture a login request
  3. Test the DVWA SQL injection page manually with a single quote payload
  4. Run SQLmap against the vulnerable URL and dump the users table
  5. Find the stored XSS vulnerability in DVWA and inject a persistent alert payload

Day 2 Summary

  • Burp Suite is the primary tool for web application penetration testing
  • SQLmap automates SQL injection detection and exploitation
  • XSS (reflected, stored, DOM) allows script injection into web pages
  • OWASP Top 10 is the baseline checklist for every web engagement
  • Test manually first, automate second — understand what your tools are doing
Challenge

Complete the OWASP WebGoat SQL Injection module and the XSS module. Screenshot all successful exploits and write a 2-sentence finding for each.
