Setting up a web hacking lab for beginners

Day 1: Web Application Hacking 101: Setup, Targets & Recon Tools

Introduction to Web Pentesting

Web application penetration testing is a critical discipline in cybersecurity, aimed at identifying vulnerabilities in web-based systems to prevent exploitation by malicious actors. Parrot OS, a Debian-based Linux distribution tailored for security professionals, provides an ideal platform for learning and practicing web pentesting. On Day 1 of this 7-day series on web application hacking, we establish the foundation for effective penetration testing. This article guides you through setting up a test lab using Damn Vulnerable Web Application (DVWA) or OWASP Juice Shop, understanding basic HTTP/HTTPS concepts, headers, and cookies, and performing reconnaissance with tools like WhatWeb, theHarvester, Nmap, Dirb, Gobuster, and dnsenum. All commands use example.com as the target for illustrative purposes, but you should test only on systems you own or have permission to assess. By mastering these fundamentals, you will be prepared to conduct ethical and effective web reconnaissance.

Setting Up a Test Lab

A controlled test lab is essential for practicing web pentesting safely and ethically. We will set up two popular vulnerable web applications: Damn Vulnerable Web Application (DVWA) and OWASP Juice Shop, both running on a local LAMP (Linux, Apache, MySQL, PHP) stack in Parrot OS.

Installing the LAMP Stack

The LAMP stack provides the necessary environment for hosting web applications.

  1. Update Parrot OS:
    sudo apt update && sudo apt upgrade
    Ensures the system is current.
  2. Install LAMP Components:
    sudo apt install apache2 mysql-server php php-mysql libapache2-mod-php
    Installs Apache, MySQL, and PHP.
  3. Start Services:
    sudo systemctl start apache2
    sudo systemctl start mysql
    sudo systemctl enable apache2
    sudo systemctl enable mysql
    Starts and enables services for automatic startup.
  4. Verify Apache: Open a browser and navigate to http://localhost to see the Apache default page.

Setting Up DVWA

DVWA is a deliberately vulnerable web application designed for learning penetration testing.

  1. Download DVWA:
    git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa
    Clones DVWA into Apache’s web directory.
  2. Configure DVWA:
    • Copy the configuration file:
      cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php
    • Edit /var/www/html/dvwa/config/config.inc.php to set database credentials (default: root, no password).
  3. Configure MySQL:
    sudo mysql
    CREATE DATABASE dvwa;
    -- Create the account first: GRANT ... IDENTIFIED BY is accepted by MariaDB
    -- but rejected by MySQL 8, so this two-step form works on both servers.
    CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';
    GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
    FLUSH PRIVILEGES;
    EXIT;
  4. Set Permissions:
    sudo chown -R www-data:www-data /var/www/html/dvwa
    sudo chmod -R 755 /var/www/html/dvwa
  5. Access DVWA: Navigate to http://localhost/dvwa, click “Create / Reset Database,” and log in with admin/password.

Setting Up OWASP Juice Shop

OWASP Juice Shop is another vulnerable web application, simulating a modern e-commerce platform with diverse vulnerabilities.

  1. Install Node.js:
    sudo apt install nodejs npm
  2. Download Juice Shop:
    git clone https://github.com/juice-shop/juice-shop.git /var/www/html/juice-shop
  3. Install Dependencies:
    cd /var/www/html/juice-shop
    npm install
  4. Start Juice Shop:
    npm start
    Access at http://localhost:3000.
  5. Run as a Service (optional):
    • Create a systemd service file:
      sudo nano /etc/systemd/system/juiceshop.service
      Add:
      [Unit]
      Description=OWASP Juice Shop
      After=network.target
      
      [Service]
      ExecStart=/usr/bin/npm start --prefix /var/www/html/juice-shop
      Restart=always
      
      [Install]
      WantedBy=multi-user.target
    • Enable and start:
      sudo systemctl enable juiceshop
      sudo systemctl start juiceshop

Task: Install DVWA and OWASP Juice Shop on your LAMP stack, then access both applications to confirm they are operational.

Outcome: You have a fully functional test lab with DVWA and Juice Shop for practicing web pentesting.

Basic HTTP/HTTPS Concepts, Headers, and Cookies

Understanding the mechanics of web communication is essential for effective reconnaissance and exploitation. This section covers HTTP/HTTPS, headers, and cookies.

HTTP and HTTPS

HyperText Transfer Protocol (HTTP) is the foundation of web communication, enabling data exchange between clients (e.g., browsers) and servers.

  • HTTP: Unencrypted protocol using port 80. Requests and responses are sent in plaintext, making them vulnerable to interception.
  • HTTPS: Secure version of HTTP using TLS/SSL encryption on port 443, protecting data confidentiality and integrity.
  • Request Methods:
    • GET: Retrieves data (e.g., loading a webpage).
    • POST: Submits data (e.g., form submissions).
    • PUT, DELETE: Used for updating or deleting resources.

HTTP Headers

Headers provide metadata about HTTP requests and responses, influencing how data is processed.

  • Common Request Headers:
    • Host: Specifies the target domain (e.g., Host: example.com).
    • User-Agent: Identifies the client (e.g., User-Agent: Mozilla/5.0).
    • Cookie: Sends stored cookies to the server.
  • Common Response Headers:
    • Server: Identifies the server software (e.g., Server: Apache/2.4.41).
    • Content-Type: Specifies the response format (e.g., Content-Type: text/html).
    • Set-Cookie: Instructs the client to store a cookie.

Cookies

Cookies are small pieces of data that the server hands to the browser in a Set-Cookie header and the browser sends back on later requests, which is how a stateless protocol keeps state such as session IDs or user preferences.

  • Types:
    • Session Cookies: Temporary, deleted after the session ends.
    • Persistent Cookies: Stored for a set duration.
  • Security Implications: Cookies can be stolen via XSS or intercepted over HTTP, leading to session hijacking.

Task: Use your browser’s developer tools (e.g., F12) to inspect the headers and cookies for http://example.com. Note the User-Agent and any Set-Cookie headers.

Outcome: You understand HTTP/HTTPS, headers, and cookies, enabling you to analyze web traffic during reconnaissance.
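The header and cookie inspection described in this section, as an added Python example (not code from the article, DVWA or Juice Shop). The response text is constructed to resemble a DVWA-style login page; the script splits it into status line, headers and body, records the Server banner, and reports for each cookie whether it is a session or persistent cookie and which of the Secure, HttpOnly and SameSite flags it lacks.

```python
# Added example for this article (not code from DVWA, Juice Shop or any tool
# above): parse a raw HTTP response and audit its Server banner and cookies.
# SAMPLE_RESPONSE is constructed to resemble a DVWA-style login page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=3f9a1c7e; Path=/\r\n"
    "Set-Cookie: security=low; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Max-Age=2592000; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html><body>Login</body></html>"
)

def parse_response(raw):
    """Split a response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (h.partition(":") for h in lines[1:])]
    return lines[0], headers, body

def parse_set_cookie(value):
    """Return (name, {attribute: value or True}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return parts[0].partition("=")[0], attrs

def audit_cookie(attrs):
    """Session vs persistent, plus the protective flags the cookie lacks."""
    return {
        "persistent": "expires" in attrs or "max-age" in attrs,
        # Secure: never sent over plaintext HTTP; HttpOnly: unreadable by script
        # (limits XSS theft); SameSite: not attached to cross-site requests.
        "missing": [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in attrs],
    }

def audit_response(raw):
    """Collect the Server banner and a per-cookie audit from a raw response."""
    status, headers, _ = parse_response(raw)
    report = {"status": status, "server": None, "cookies": {}}
    for name, value in headers:
        if name == "server":
            report["server"] = value  # version banner: recon data worth hiding
        elif name == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            report["cookies"][cname] = audit_cookie(attrs)
    return report
```

Paste the raw response copied from the browser's developer tools (or from curl -i) into SAMPLE_RESPONSE to audit a real page; a session cookie missing Secure is exactly the case the text describes as interceptable over plain HTTP.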

Reconnaissance Tools

Reconnaissance gathers information about a target to identify potential vulnerabilities. Parrot OS includes powerful tools for web reconnaissance, all demonstrated with example.com as the target.

WhatWeb

WhatWeb identifies technologies, frameworks, and CMS used by a website.

  • Basic Scan:
    whatweb http://example.com
    Detects server software, CMS, and plugins.
  • Aggressive Scan:
    whatweb -a 3 http://example.com
    Performs a deeper analysis for detailed results.
  • Output to File:
    whatweb http://example.com -o whatweb_results.txt

Task: Run WhatWeb against http://localhost/dvwa and http://example.com (if accessible in your lab), and compare the technologies detected.

theHarvester

theHarvester collects emails, subdomains, and hosts associated with a domain for OSINT.

  • Basic Search:
    theharvester -d example.com -b google
    Queries Google for data related to example.com.
  • Multiple Sources:
    theharvester -d example.com -b all
    Searches across multiple engines.
  • Save Output:
    theharvester -d example.com -b google -f results.html

Task: Use theHarvester to gather OSINT for example.com and your local DVWA instance, saving results to a file.

Nmap

Nmap (Network Mapper) scans networks to discover hosts, ports, and services.

  • Ping Scan:
    nmap -sn example.com
    Host discovery only, with no port scan (-sP is the older name for the same option).
  • TCP SYN Scan:
    sudo nmap -sS example.com
    Half-open scan: Nmap sends a SYN and never completes the handshake, so the target application never sees a connection. Firewalls and IDS still log it, so it is quieter, not invisible.
  • Service/Version Detection:
    sudo nmap -sV example.com
    Identifies services and versions.
  • Save Output:
    sudo nmap -sV example.com -oN nmap_results.txt

Task: Perform an Nmap service/version scan on example.com (or localhost in your lab) and analyze the results.

Dirb

Dirb brute-forces directories and files on web servers to uncover hidden resources.

  • Basic Scan:
    dirb http://example.com /usr/share/dirb/wordlists/common.txt
    Scans for common directories.
  • Output to File:
    dirb http://example.com -o dirb_results.txt

Task: Run Dirb against http://localhost/dvwa and http://example.com (if accessible), and note any discovered directories.

Gobuster

Gobuster is another directory brute-forcing tool with enhanced speed and flexibility.

  • Basic Scan:
    gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt
  • Include Extensions:
    gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt

Task: Use Gobuster to enumerate directories on http://localhost:3000 (Juice Shop) and compare results with Dirb.
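The Dirb-versus-Gobuster comparison asked for in the tasks above, as an added Python example (not part of either tool). Both output samples are constructed to mimic the tools' console format; the script turns each into a path-to-status map, re-attaches the base path to Gobuster's relative entries, and reports what both tools found and what only one of them did.

```python
# Added example for this article, not part of Dirb or Gobuster: parse each
# tool's text output into a set of paths and diff them. Both outputs below are
# constructed samples shaped like the tools' console output.
import re
from urllib.parse import urlparse

DIRB_OUTPUT = """\
==> DIRECTORY: http://localhost/dvwa/config/
+ http://localhost/dvwa/index.php (CODE:302|SIZE:0)
+ http://localhost/dvwa/login.php (CODE:200|SIZE:1523)
+ http://localhost/dvwa/robots.txt (CODE:200|SIZE:26)
"""
GOBUSTER_OUTPUT = """\
/config               (Status: 301) [Size: 318] [--> http://localhost/dvwa/config/]
/index.php            (Status: 302) [Size: 0] [--> login.php]
/login.php            (Status: 200) [Size: 1523]
/phpinfo.php          (Status: 200) [Size: 67712]
"""
DIRB_RE = re.compile(r"^(?:\+ (\S+) \(CODE:(\d+)\|SIZE:\d+\)|==> DIRECTORY: (\S+))$")
GOBUSTER_RE = re.compile(r"^(/\S*)\s+\(Status: (\d+)\)")

def norm(path):
    """Normalise a URL path so /dvwa/config/ and /dvwa/config compare equal."""
    return "/" + path.strip("/")

def parse_dirb(text):
    """Map path -> status code (None for directory lines, which carry no code)."""
    found = {}
    for m in (DIRB_RE.match(line.strip()) for line in text.splitlines()):
        if m and m.group(3):      # "==> DIRECTORY: url" line
            found[norm(urlparse(m.group(3)).path)] = None
        elif m:                   # "+ url (CODE:nnn|SIZE:nnn)" line
            found[norm(urlparse(m.group(1)).path)] = int(m.group(2))
    return found

def parse_gobuster(text, base_url):
    """Gobuster prints paths relative to -u, so re-attach the base path."""
    base = norm(urlparse(base_url).path)
    found = {}
    for m in (GOBUSTER_RE.match(line) for line in text.splitlines()):
        if m:
            found[norm(base + m.group(1))] = int(m.group(2))
    return found

def compare(dirb, gobuster):
    """Which paths both tools found, and which only one of them did."""
    d, g = set(dirb), set(gobuster)
    return {"both": sorted(d & g), "dirb_only": sorted(d - g), "gobuster_only": sorted(g - d)}

print(compare(parse_dirb(DIRB_OUTPUT), parse_gobuster(GOBUSTER_OUTPUT, "http://localhost/dvwa")))
```

Feed it the files written with dirb -o and gobuster -o to see which wordlist or extension setting each tool owes its extra hits to.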

dnsenum

dnsenum enumerates DNS records to discover subdomains and infrastructure details.

  • Basic Enumeration:
    dnsenum example.com
    Lists DNS records for example.com.
  • Brute-Force Subdomains:
    dnsenum --enum -f /usr/share/dnsenum/dns.txt example.com
  • Save Output:
    dnsenum -o dns_results.xml example.com
    dnsenum expects options before the domain, so -o goes first.

Task: Run dnsenum on example.com and your local lab domain (if applicable) to identify subdomains.

Ethical Note: Only perform reconnaissance on systems you own or have explicit permission to test. Unauthorized scanning of example.com or other live systems is illegal and unethical.

Outcome: You can use a suite of reconnaissance tools to gather critical information about web targets.

Practical Exercise

  1. Install and configure DVWA and OWASP Juice Shop on your LAMP stack.
  2. Inspect HTTP headers and cookies for http://example.com and http://localhost/dvwa using browser developer tools.
  3. Run WhatWeb against http://example.com and http://localhost:3000 (Juice Shop) to identify technologies.
  4. Use theHarvester to collect OSINT for example.com and save the results.
  5. Perform an Nmap service/version scan on example.com (or localhost in your lab).
  6. Enumerate directories on http://example.com and http://localhost/dvwa using Dirb and Gobuster.
  7. Run dnsenum to discover subdomains for example.com.

Conclusion

Day 1 of this 7-day web application hacking series has laid the foundation for effective penetration testing using Parrot OS. By setting up a test lab with DVWA and OWASP Juice Shop, understanding HTTP/HTTPS, headers, and cookies, and mastering reconnaissance tools like WhatWeb, theHarvester, Nmap, Dirb, Gobuster, and dnsenum, you are equipped to gather critical information about web targets. These skills are essential for identifying vulnerabilities and planning attacks in a controlled, ethical environment. Continue practicing in your lab, and prepare for Day 2, where you will explore web vulnerability scanning with tools like Nikto and Burp Suite.

Next Steps:

  • Experiment with additional Juice Shop challenges to understand web vulnerabilities.
  • Explore other Parrot OS reconnaissance tools like Recon-ng.
  • Engage with cybersecurity communities on platforms like X to share insights and learn best practices.
