Practical Tutorials: Web Application Penetration Testing: Step-by-Step Walkthrough
We’ve discussed the theory, the tools, and the common mistakes. Now, it’s time to put it all together. The best way to learn is by doing, and in this tutorial, we will perform a mini-penetration test from start to finish on a live (but safe and legal) target.
Our target will be the OWASP Juice Shop, a modern and deliberately insecure web application created by the Open Web Application Security Project (OWASP) for the sole purpose of security training. It’s the perfect digital playground for us to practice our skills without breaking any laws.
This guide will walk you through setting up your lab and then cover the core phases of a pen test: reconnaissance, scanning, and exploiting some of the most common web vulnerabilities.
Important Disclaimer: The techniques described here are for educational purposes only. They should ONLY be performed on applications you own or on dedicated, legal training platforms like the OWASP Juice Shop in a controlled lab environment. Performing these actions on any other website is illegal.
Setting Up Your Hacking Lab
Before we begin, we need to set up our environment. This will consist of our “attacker” machine (Kali Linux) and our “target” machine (the OWASP Juice Shop application).
Step 1: Install a Virtual Machine Player
If you haven’t already, download and install virtualization software. Oracle VirtualBox is free and excellent for beginners.
Step 2: Install Kali Linux
Download the latest Kali Linux image for virtual machines from the official Offensive Security website and import it into VirtualBox. This will be your attacker machine, pre-loaded with all the tools we need.
Step 3: Install and Run OWASP Juice Shop
The easiest way to run Juice Shop is using Docker inside your Kali Linux VM. Open a terminal in Kali and run the following two commands:
- Pull the Juice Shop image:
```bash
docker pull bkimminich/juice-shop
```
- Run the Juice Shop container:
```bash
docker run --rm -p 3000:3000 bkimminich/juice-shop
```
This command will start the application. You can now access it by opening the Firefox browser inside Kali and navigating to http://127.0.0.1:3000.
The Walkthrough: A Mini Pen Test
With our lab ready, let’s begin the test.
Step 1: Reconnaissance (Mapping the Application)
The first goal is to understand our target. We need to explore the application to understand its features, technology, and overall structure.
- Manual Exploration: Open http://127.0.0.1:3000 in your browser. Click on every link you can find. Create a user account, log in, browse the products, use the search bar, and visit the “About Us” and “Customer Feedback” pages. As you do this, pay attention to the URLs. You are getting a feel for how the application works.
- View Page Source: Right-click on the homepage and select “View Page Source.” Look at the code. You can often find comments, links to JavaScript files, and clues about the frameworks being used.
- Browser Developer Tools: Press F12 to open the Developer Tools. Go to the Network tab and refresh the page. You can see all the files the site loads and, more importantly, any API calls it makes in the background. This is crucial for understanding modern web apps.
Step 2: Scanning & Enumeration (Finding Hidden Doors)
Now that we have a feel for the visible parts of the site, let’s find what’s hidden. We will use Gobuster, a tool for brute-forcing directories and file names.
Open a new terminal in Kali Linux and run the following command:
```bash
gobuster dir -u http://127.0.0.1:3000 -w /usr/share/wordlists/dirb/common.txt
```
- `dir`: Specifies that we are doing directory/file brute-forcing.
- `-u http://127.0.0.1:3000`: Sets our target URL.
- `-w /usr/share/wordlists/dirb/common.txt`: Specifies the wordlist to use. This is a default list of common directory names included in Kali.
Gobuster will start guessing names. In the output, you will see a list of directories it found, such as `/ftp`. If you navigate to http://127.0.0.1:3000/ftp, you’ll find a publicly exposed folder containing files—our first finding!
Step 3: Exploitation (Finding and Exploiting Vulnerabilities)
This is where we actively try to break things. We’ll find two of the most critical vulnerabilities from the OWASP Top 10.
Vulnerability #1: SQL Injection (Authentication Bypass)
- Find the Target: Navigate to the Login page (`/#/login`).
- The Payload: In the email field, instead of a real email, type the following classic SQL Injection payload:
' OR 1=1 --
- The Action: Type anything in the password field (it doesn’t matter what) and click “Log in.”
Result: You are now logged in as the administrator!
- Why it worked: The application’s backend code was likely using a vulnerable SQL query like `SELECT * FROM users WHERE email = '[USER_INPUT]' AND password = '[PASSWORD]'`. By injecting our payload, the query became `SELECT * FROM users WHERE email = '' OR 1=1 --' AND password = '...'`. The `OR 1=1` is always true, and the `--` comments out the rest of the query, so the database returns the first user in the table (often the admin) and logs you in.
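To see the mechanism described above and its fix side by side, here is an added example (not Juice Shop's own code) that runs the tutorial's query shape against an in-memory SQLite table seeded with constructed sample users; `login_vulnerable` concatenates input into the SQL text, `login_fixed` uses a parameterised query:

```python
import sqlite3

# Constructed sample users standing in for the application's users table.
# Plaintext passwords are used only to keep the demo short; real systems store hashes.
SAMPLE_USERS = [
    ("admin@juice-sh.op", "admin-secret", "admin"),
    ("jim@juice-sh.op", "jim-secret", "customer"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Query built by string concatenation, as in the tutorial's explanation.
    A quote inside the email ends the string literal, so ' OR 1=1 -- turns the
    WHERE clause into an always-true condition and comments out the password check."""
    query = (f"SELECT email, role FROM users WHERE email = '{email}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_fixed(conn, email, password):
    """Parameterised query: values travel separately from the SQL text, so the
    same payload is compared literally against the email column and matches nothing."""
    query = "SELECT email, role FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # first row: the admin
    print("fixed:     ", login_fixed(db, payload, "anything"))       # None
```

The first row returned by the vulnerable query is whichever user was inserted first, which is why the tutorial's payload lands you in the admin account on Juice Shop.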
Vulnerability #2: Reflected Cross-Site Scripting (XSS)
- Find the Target: Click on the magnifying glass icon at the top of the page to use the search bar.
- The Payload: In the search bar, instead of a real product, type the following simple XSS payload and press Enter:
Result: A pop-up alert box will appear on your screen.
- Why it worked: The application took whatever you typed in the search bar and “reflected” it back onto the page without properly cleaning or “sanitizing” it. Your browser saw the `<script>` tags and, thinking it was legitimate code, executed it. An attacker could use this to steal user cookies or redirect them to a malicious site.
Conclusion and Next Steps
Congratulations! You have just successfully completed a basic web application penetration test. You performed reconnaissance, enumerated hidden directories, and exploited two of the most critical vulnerabilities in cybersecurity: SQL Injection and Cross-Site Scripting.
This is just the beginning of the journey. The OWASP Juice Shop has dozens of other vulnerabilities for you to find. Your next steps should be:
- Explore the Scoreboard: The Juice Shop has a built-in scoreboard (`/#/score-board`) that lists all the challenges for you to try.
- Use Burp Suite: Repeat this entire process, but this time, intercept the requests with Burp Suite to see exactly what is being sent to and from the server.
- Write a Report: Practice your communication skills by writing a simple report detailing the two vulnerabilities you found, the risk they pose, and how to fix them.
Keep practicing, stay curious, and continue building on these foundational skills.