9 Hacking Web Applications LabManual

The document is a lab manual for hacking web applications, detailing various practical exercises such as extracting web server details, identifying web application firewalls, and performing vulnerability scans using different tools. It includes step-by-step instructions for each practical, covering techniques like XSS attacks, parameter tampering, command execution, and directory traversal. The manual serves as a guide for hands-on learning in web application security testing.

Uploaded by

Harshini Ryali

Hacking Web Applications Lab Manual
THE DOCUMENT INCLUDES ADDITIONAL PRACTICALS WHICH MAY OR MAY NOT BE COVERED IN THE COURSE

INDEX
S. No. Practical Name Page No.
1 Extracting Web Server details using whatweb 1
2 Identifying web application firewall (WAF) using wafw00f 2
3 Web Application Vulnerability Scanning using Vega 3
4 Web application Scanning using OWASP-ZAP (Passive and Active) 7
5 Web Application Scanning using Netsparker 13
6 XSS (Cross Site Scripting) Attack 20
7 Web Parameter tampering using Burp Suite 22
8 Command Execution on vulnerable web application 25
9 Directory Traversal or Path Traversal Attack 27
Practical 1: Extracting Web Server details using whatweb
The whatweb tool identifies the technologies used to build a website. Its results include the content management system, the name of the web server, web page statistics and JavaScript libraries. It also identifies the versions of the software running on the web server.
Execute the following command:
whatweb <domain address> <options>
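The details whatweb reports come largely from response headers and page metadata that a default server install sends without being asked. The following added example (not part of whatweb or of this manual) shows the defender's side of the same practical: it parses a constructed HTTP response and lists every header or meta tag that discloses software names or versions, so an administrator can see what a fingerprinting scan will read before the scan is run.

```python
"""Spot technology-disclosing headers in an HTTP response.

Added example for this lab manual; it is not part of the whatweb tool.
The response below is constructed for the demo, not captured from a
real server.
"""
import re
from email.parser import Parser

# Headers that commonly disclose server software and versions, which is
# exactly what fingerprinting tools such as whatweb read.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version",
                      "X-AspNetMvc-Version", "X-Generator")

# Matches a dotted version number such as 2.4.41 or 7.4
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")

# Constructed response: what a chatty default install tends to send.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4"></head></html>'
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers, body)."""
    status_line, _, rest = raw.partition("\r\n")
    header_blob, _, body = rest.partition("\r\n\r\n")
    headers = Parser().parsestr(header_blob, headersonly=True)
    return status_line, headers, body

def find_disclosures(raw):
    """Return (location, value, has_version) triples for each leak found."""
    _, headers, body = parse_response(raw)
    leaks = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)          # lookup is case-insensitive
        if value:
            leaks.append((name, value, bool(VERSION_RE.search(value))))
    # <meta name="generator"> in the body is another common giveaway
    for m in re.finditer(r'<meta\s+name="generator"\s+content="([^"]*)"', body, re.I):
        leaks.append(("meta generator", m.group(1), bool(VERSION_RE.search(m.group(1)))))
    return leaks

if __name__ == "__main__":
    for where, value, versioned in find_disclosures(SAMPLE_RESPONSE):
        print(f"{where}: {value}" + ("  <- version disclosed" if versioned else ""))
```

Each entry in the output is a header or tag to trim in the server configuration (for example by setting a minimal Server value and removing X-Powered-By); the version flag marks the ones that let a scanner match the install against known vulnerable releases.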

Page | 1
Practical 2: Identifying web application firewall (WAF) using wafw00f
Execute the wafw00f command followed by the target domain name (website address) to fingerprint the WAF running on the target.
wafw00f <domain address>

The above result shows that example.com is behind a WAF or is running some sort of security solution that detects malicious activity.

Practical 3: Web Application Vulnerability Scanning using Vega
Vega Vulnerability Scanner installation
apt-get update
apt-get install vega -y

The first command updates your Kali Linux package lists and the second one installs the Vega vulnerability scanner.

Start a new scan, select the "Enter base URI for scan" option, provide your target website address and then click on the Next button.

In the next step you need to select the vulnerability tests you want to perform on the target; these are categorized as injection modules and response processing modules.

You can click on the plus button to expand the sections and choose whatever you want to test, but for this practical make sure you select all of them. Once you have selected all the modules, click on the Next button to proceed.

If you want to exclude specific parameters from the scan, enable this option.

Click on the finish button to launch the scan.

Scanner will start finding vulnerabilities on the target website.

Select a severity under the Scan Alerts section for detailed information on the identified vulnerabilities.

Practical 4: Web application Scanning using OWASP-ZAP
(Passive and Active)
Passive Scanning:
Configure a manual proxy in the Firefox browser as shown in the image below.

Launch OWASP-ZAP from the application menu.

As we visit different pages on the www.altoromutual.com website, OWASP-ZAP performs a passive scan on each page that we visit.

As we start visiting pages, we can observe a list of crawled pages under the Sites tab (in the left panel). In the bottom panel we can see the list of vulnerabilities identified on the pages visited so far.

Active scanning:
To perform an active scan, select the Active Scan option as shown in the image below.

Under Active Scan, select New Scan, provide the necessary details and click on Start Scan.

Select the Report option in the top left corner and export the results as an HTML document.

Practical 5: Web Application Scanning using Netsparker
Install and run the Netsparker web application scanner on Windows OS.
Select Scan Policy Editor and configure the required options as shown below.

Select New and add the policy details, following the images below.

Select Start New Scan, add the website details, choose the name of the policy created earlier and click on Start Scan.
After the scan completes, select the Reporting option in the top left corner to generate a report.

Practical 6: XSS (Cross Site Scripting) Attack
In this practical we will test for reflected XSS on a web application (altoromutual.com). Let us start by creating some JavaScript payloads.
<script>alert("Hello")</script> this script will pop up an alert message.
<script>alert(document.cookie)</script> this script will display the existing browser cookies.
We can test XSS on input fields in any website. We can find an input field (search bar) in the top right corner of www.altoromutual.com. Paste the above scripts in that input field to trigger reflected XSS as shown in the images below.

We can also test reflected XSS with the help of HTML tags:
<iframe src='http://espncricinfo.com/'></iframe>

Test reflected XSS in Feedback page which contains input fields.


Paste the above iframe tag in the input field to test reflected XSS as shown in the below images.
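The search bar reflects the payload because the server copies the query string into the page without encoding it. The following added example (not code from altoromutual.com or from this manual; the parameter name txtSearch and the URL are constructed) reproduces that echo in two lines of Python, once unescaped and once with html.escape, and includes a small helper that lists which tags the browser would actually parse from each version, so the effect of the fix is visible without a browser.

```python
"""Reflected XSS in a search echo: the bug and its fix side by side.

Added example for this lab manual; it is not code from altoromutual.com
or any other site. The parameter name txtSearch and the URL are
constructed for the demo.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request URL carrying the manual's first payload, URL-encoded
CONSTRUCTED_URL = ("http://bank.example/search.aspx?"
                   "txtSearch=%3Cscript%3Ealert(%22Hello%22)%3C/script%3E")

def query_param(url, name):
    """Return the first value of a query-string parameter, decoded."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]

def render_search_vulnerable(query):
    """The reflected-XSS pattern: user input dropped straight into HTML,
    so any <script> or <iframe> in it becomes live markup."""
    return "<p>No results were found for the query: %s</p>" % query

def render_search_safe(query):
    """The fix: entity-encode the input for an HTML text context, so the
    browser shows the characters instead of parsing them as tags."""
    return "<p>No results were found for the query: %s</p>" % html.escape(query, quote=True)

def live_tags(rendered):
    """Detection helper: sorted lowercase names of the opening tags a
    browser would parse from the rendered page."""
    return sorted(set(re.findall(r"<([a-z][a-z0-9]*)", rendered.lower())))

if __name__ == "__main__":
    q = query_param(CONSTRUCTED_URL, "txtSearch")
    print("vulnerable tags:", live_tags(render_search_vulnerable(q)))
    print("safe tags:      ", live_tags(render_search_safe(q)))
```

html.escape is the right encoder for text placed between tags; input placed inside an attribute, a URL or a script block needs the encoding for that context, which is why templating engines escape by context rather than with one global filter.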
Practical 7: Web Parameter tampering using Burp Suite.
In this practical, we will perform parameter tampering on www.altoromutual.com using a proxy to test the security of the web application.
Open www.altoromutual.com in the Firefox browser and sign in to one of the user accounts with username jsmith and password demo1234

In the user's profile, we can observe that the account has been pre-approved for an Altoro Gold Visa with a credit limit of $10000. Let us modify those card details and the credit limit to fool the web server. To perform this, launch Burp Proxy and capture the web request so that its content can be modified.
Start Burp Suite and configure the proxy in the Firefox browser to capture the web request as shown in the images below

After configuration, reload the website to allow the Burp interceptor to capture the request.

Under the Params tab, modify the highlighted values as you wish and click on Forward to see the modified values on the web page.
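The tampering works because the server accepts the card type and credit limit from the request instead of from its own records. The following added example (not code from altoromutual.com or from this manual; the account record, form fields and signing secret are constructed, with jsmith and the $10000 limit taken from the practical) shows the two server-side defences: read offer terms only from stored data and log any client-supplied copy, and, where a value really must round-trip through the browser, attach an HMAC so an edit made in the proxy fails verification.

```python
"""Defending against parameter tampering on the server side.

Added example for this lab manual; it is not code from altoromutual.com.
The account record, form fields and secret below are constructed for the
demo. jsmith and the $10000 limit follow the practical.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    username: str
    card_type: str
    credit_limit: int          # authoritative value lives here, server-side

ACCOUNTS = {"jsmith": Account("jsmith", "Altoro Gold Visa", 10000)}

# Constructed secret; a real deployment loads one from its key store.
SERVER_SECRET = b"demo-only-secret"

def accept_offer(username, form, audit_log):
    """Preferred fix: never read the offer terms from the request.

    Only the user's decision comes from the client; card type and limit
    are taken from the stored record. Any extra field is logged because
    a client sending credit_limit is a tampering signal worth alerting on.
    """
    account = ACCOUNTS[username]
    extra = sorted(set(form) - {"accept_offer"})
    if extra:
        audit_log.append("user=%s ignored client-supplied fields %s" % (username, extra))
    if form.get("accept_offer") != "yes":
        return None
    return {"card": account.card_type, "credit_limit": account.credit_limit}

def sign_fields(fields):
    """HMAC over a canonical JSON encoding of the hidden fields."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_SECRET, canon, hashlib.sha256).hexdigest()

def emit_offer_form(username):
    """Fallback when values must round-trip through the client: ship them
    with a MAC so any edit made in an intercepting proxy is detectable."""
    account = ACCOUNTS[username]
    fields = {"card": account.card_type, "credit_limit": str(account.credit_limit)}
    return {**fields, "sig": sign_fields(fields)}

def verify_offer_form(form):
    """True only if card and credit_limit are exactly what the server emitted."""
    fields = {k: form.get(k, "") for k in ("card", "credit_limit")}
    return hmac.compare_digest(sign_fields(fields), form.get("sig", ""))

if __name__ == "__main__":
    log = []
    print(accept_offer("jsmith", {"accept_offer": "yes", "credit_limit": "100000"}, log))
    print(log)
    form = emit_offer_form("jsmith")
    print("intact:", verify_offer_form(form),
          "edited:", verify_offer_form(dict(form, credit_limit="100000")))
```

The audit line is the detection hook: a request that carries a field the form never exposed for editing is a reliable indicator that someone is working the request in a proxy, and it is cheap to alert on.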

Practical 8: Command Execution on vulnerable web application
In this practical, we will test a command execution vulnerability on the DVWA web application running on the Metasploitable2 OS. Set the security level to low before starting the steps below.
Now click on the Command Execution button to load that page.

Most sites vulnerable to command execution will have this kind of input field. If you observe closely, this webpage allows execution of the ping command. If this input field does not validate the user input, then we can execute any command as if it were a terminal.

What if we execute the command pwd along with the ping?

An attacker can execute any commands, such as wget to download Trojans, nc to start netcat, etc.
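The page is exploitable because the host string is concatenated into a shell command line, so shell separators in the input are interpreted as new commands. The following added example (not DVWA's own code, and it does not run ping) shows the vulnerable construction next to a safe one that validates the input as an IP address or hostname and builds an argument list for a shell-free subprocess call, plus a detection check that flags shell metacharacters for logging or blocking.

```python
"""Command injection in a ping form: the vulnerable build and a safe one.

Added example for this lab manual; it is not DVWA's own code. Neither
function executes ping: each returns the command it would run, so the
difference is visible offline.
"""
import ipaddress
import re

# RFC 1123-style hostname: dotted labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

# Characters that only make sense as shell syntax, never in a host name.
SHELL_METACHARS = set(";|&$`<>()\n\r")

def ping_command_vulnerable(user_input):
    """The DVWA low-security pattern: concatenate and hand to a shell.
    Whatever metacharacters the input carries become shell syntax."""
    return "ping -c 1 " + user_input

def ping_argv_safe(user_input):
    """Validate, then build an argv list for subprocess.run(argv) with
    shell=False. Raises ValueError for anything that is not an IP
    address or hostname, so no shell ever parses the raw input."""
    target = user_input.strip()
    try:
        ipaddress.ip_address(target)
    except ValueError:
        if not HOSTNAME_RE.match(target):
            raise ValueError("not a host name or IP address: %r" % target)
    return ["ping", "-c", "1", target]

def looks_like_injection(user_input):
    """Detection side: flag inputs to log or block at the WAF/app layer."""
    return any(ch in SHELL_METACHARS for ch in user_input)

if __name__ == "__main__":
    for sample in ("127.0.0.1", "example.com", "127.0.0.1; pwd"):
        print("shell line:", ping_command_vulnerable(sample))
        try:
            print("safe argv: ", ping_argv_safe(sample))
        except ValueError as err:
            print("rejected:  ", err)
        print("flagged:   ", looks_like_injection(sample))
```

Allow-list validation is the fix; the metacharacter check is only a detection aid, because an attacker who finds an encoding the denylist misses still reaches the shell if the application keeps using shell=True.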

Practical 9: Directory Traversal or Path Traversal Attack
To test for a directory traversal attack, visit different links on the website www.altoromutual.com and observe the URLs in the browser.

If we observe something?something=something in a URL, we can start testing for directory traversal. In the above image the URL contains default.aspx?content=personal.htm; remove personal.htm and add ../ to look for content stored in directories on the web server.

Add ../boot.ini.htm to read details related to the web server.
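The content parameter is dangerous because the server joins it onto a directory path and opens whatever results, so ../ segments walk out of the intended folder. The following added example (not altoromutual.com code; it builds a throwaway directory with constructed files) shows the containment check a server should apply: join, resolve the real path, and refuse anything whose resolved location is not inside the content directory, then restrict the extension as a second layer.

```python
"""Path traversal: confining a ?content=<file> parameter to one directory.

Added example for this lab manual; it is not altoromutual.com code. It
builds a throwaway content directory with constructed files so it runs
anywhere, then tries the practical's inputs against the safe resolver.
"""
import tempfile
from pathlib import Path

class TraversalError(ValueError):
    """Raised when a requested file falls outside the content directory."""

def resolve_content(base_dir, requested):
    """Return the real path for requested inside base_dir, or raise.

    Join first, then resolve: '..' segments, absolute paths and symlinks
    are all collapsed, so the containment check sees the path the OS
    would actually open rather than the string the client sent.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise TraversalError("escapes content directory: %r" % requested)
    if candidate.suffix.lower() != ".htm":
        raise TraversalError("only .htm content is served: %r" % requested)
    return candidate

def serve_content(base_dir, requested):
    """What default.aspx?content=<file> should do before reading a file."""
    return resolve_content(base_dir, requested).read_text()

def demo():
    """Exercise the resolver; returns {input: served text or 'rejected'}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        content = root / "content"
        content.mkdir()
        # Constructed files: one inside the served directory, one outside it
        (content / "personal.htm").write_text("<h1>Personal banking</h1>")
        (root / "boot.ini.htm").write_text("constructed file outside the content dir")
        outcomes = {}
        for req in ("personal.htm", "../boot.ini.htm", "../",
                    "/etc/passwd", "sub/../personal.htm"):
            try:
                outcomes[req] = serve_content(content, req)
            except (TraversalError, OSError):
                outcomes[req] = "rejected"
        return outcomes

if __name__ == "__main__":
    for req, result in demo().items():
        print("%-22s %s" % (req, result))
```

Checking the resolved path rather than the raw string is what makes this robust: a denylist on the literal "../" misses URL-encoded and absolute-path variants, while the containment test rejects anything that ends up outside the directory however it was written.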
