Practical Web Application Security

Photo cred – Markus Spiske

For these Days of Hacking I wanted to take a break from the Bug Bounty Job Role path on HTB and turn my attention to a curse that had dropped over on TCM Security called Practical Web Application Security and Testing. This course was loaded with both fundamental and advanced concepts. Overall, what I particularly loved about the course was the hands-on activities with docker containers and OWASP Zap. I completed the course and again, the following are from the Days of Hacking while working on it.

The first lab was setting up a web server running nginx inside of a docker container. 

After setting up the lab, we then made a few requests from our Kali machine to the web server. Our first set of requests were made using curl. The image on the left is a web server access log. Looking at the last line we can see source ip, timestamp, http method, the uri, the protocol, the response and size of the response.

Next, we try making the same request as above but with a utility called netcat.

And then moving along, we demonstrate making a request the most common way requests are made and that’s with a web browser.

Enumerating and Fuzzing with Zap

Next we start our intro to using Zap by examining the Spider feature. Naturally, as we know from our fundamental web security skills, we must examine the source code (or view source) of our pages. What we’re doing is looking for comments that devs have left behind.

We also explored using wordlists to do Fuzzing with Zap.

That’s about as far as I got on those days. Hopefully, it was enough of a preview that someone reading this will take interest in the course. It’s a very awesome course that I highly recommend to anyone looking to get into Bug Bounty or Web App Security and seasoned vets who’ve been away from their craft for some time and needing to vamp up.

As always, it’s been Real. Hack On, Ladz & Gentz!