🛡️ How the Web Works (for Web Application Pentesters)
Your Foundation for Hacking the Modern Web, One Request at a Time
Before exploiting web applications, you must understand how they are built, behave, and break. This guide walks through key web technologies—like HTTP, sessions, REST APIs, and architectures—with a strong focus on how attackers manipulate them.
📑 Table of Contents
| Section | Description |
|---|---|
| 1️⃣ Understanding the Web & the Internet | Networking basics for attackers |
| 2️⃣ Request/Response Cycle for Attackers | Identifying attack entry points |
| 3️⃣ HTTP, HTTP/2, and HTTPS for Pentesters | Header tampering, encryption, and protocol downgrade attacks |
| 4️⃣ Session Management Vulnerabilities | Session fixation, hijacking, JWT cracking |
| 5️⃣ REST APIs in the Crosshairs | API enumeration, broken object level auth |
| 6️⃣ Web App Architecture for Recon & Exploits | Mapping assets and understanding attack surface |
| 7️⃣ Examples, Tools, and Payloads | Fuzzers, proxies, scanners |
| 🧠 Conclusion & Lab Resources | Practice environments and next steps |
1️⃣ Understanding the Web & the Internet
Pentesters must know which layer a given weakness lives at, because that decides where a payload goes: a port scan works at Layer 4, a Host header injection at Layer 7.
💡 Focus Points:
- OSI model (especially Layers 3–7)
- TCP/IP stack
- Ports and protocols (e.g., port 80/443 for HTTP/HTTPS)
🔎 Recon Tip:
- Use `nmap` with service detection (`-sV` probes banners so you learn what is actually listening, not just that a port is open; use `-p-` for all 65535 ports when time allows):
```bash
nmap -sV -p 1-1000 target.com
```
2️⃣ Request/Response Cycle for Attackers
Every web exploit happens in the HTTP request/response loop. Understanding this is critical.
🔍 Key Attack Vectors in HTTP Requests:
| Component | Vulnerabilities |
|---|---|
| Method | Verb tampering (e.g., DELETE /users) |
| URL | IDOR (Insecure Direct Object Reference), path traversal |
| Headers | Host header attacks, header injection |
| Body | XSS, SQLi, CSRF payloads |
🛠️ Tools:
- Burp Suite → Intercept and manipulate requests
- OWASP ZAP → Passive and active scanning
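Before a proxy can tamper with anything, the request has to be broken into the components in the table above. The following parser is an added example, not code from the original guide: it splits a captured request into method, path segments, query parameters, trusted headers, cookies and body fields, which is the list an attacker fuzzes one by one. The sample request, host name and header list are constructed for illustration.

```python
"""Enumerate candidate injection points in a raw HTTP/1.1 request.

Added example (not from the original guide): splits a captured request into
the components an attacker tampers with (method, path, query, headers,
cookies, body). The sample request below is constructed, not a real capture.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample capture (shop.example is not a real target).
SAMPLE_REQUEST = (
    "POST /account/update?id=1337&redirect=/home HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Forwarded-For: 10.0.0.5\r\n"
    "\r\n"
    "email=bob%40example.com&bio=hello"
)

# Headers that are routinely reflected or trusted server-side (assumed list):
# worth tampering with before anything else.
INTERESTING_HEADERS = {"host", "x-forwarded-for", "x-forwarded-host",
                       "referer", "origin", "user-agent", "cookie"}


def parse_request(raw: str) -> dict:
    """Split a raw request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def injection_points(raw: str) -> list:
    """Return (location, name, value) triples an attacker would fuzz."""
    req = parse_request(raw)
    points = [("method", req["method"], req["target"])]  # verb tampering

    url = urlsplit(req["target"])
    # Every path segment is a candidate for traversal or IDOR (numeric IDs).
    for seg in filter(None, url.path.split("/")):
        points.append(("path", seg, seg))
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        points.append(("query", name, value))

    for name, value in req["headers"].items():
        if name in INTERESTING_HEADERS:
            points.append(("header", name, value))
    for cookie in req["headers"].get("cookie", "").split(";"):
        if "=" in cookie:
            cname, cval = cookie.strip().split("=", 1)
            points.append(("cookie", cname, cval))

    ctype = req["headers"].get("content-type", "")
    if "x-www-form-urlencoded" in ctype:
        for name, value in parse_qsl(req["body"], keep_blank_values=True):
            points.append(("body", name, value))
    elif req["body"]:
        points.append(("body", "raw", req["body"]))  # JSON/XML: fuzz as a blob
    return points


if __name__ == "__main__":
    for where, name, value in injection_points(SAMPLE_REQUEST):
        print(f"{where:7} {name:18} {value}")
```

Run it and you get twelve entry points from one request; the `redirect` query parameter and the `X-Forwarded-For` header are the kind of fields that rarely appear in the visible UI but are still parsed server-side.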
3️⃣ HTTP, HTTP/2, and HTTPS for Pentesters
📡 HTTP
Plaintext, easy to intercept and modify. Vulnerable to MITM if no HTTPS.
⚡ HTTP/2
Binary and multiplexed, normally negotiated only over TLS. Fewer tools speak it natively, so confirm your proxy can (Burp Suite does) and check whether the front end downgrades to HTTP/1.1 for the back end: that translation is where HTTP/2 request smuggling lives (see HTTP Request Smuggling in the See also list).
🔐 HTTPS
Encrypted using TLS. Still vulnerable if:
- TLS is misconfigured: weak cipher suites, expired or mismatched certificates, old protocol versions (check with ssllabs.com)
- Downgrade attacks strip HTTPS to HTTP on the first request (e.g., SSLStrip); HSTS, ideally preloaded, blocks this
🧪 Test (Host header handling; the response, any redirect, and any generated absolute link should not echo the host you supply):
```bash
curl -I http://target.com -H "Host: malicious.com"
```
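The classic impact of that test is a poisoned password-reset link. The code below is an added example, not the guide's or any project's code: a reset-link builder that trusts the request `Host` (and `X-Forwarded-Host`, which several frameworks honour) beside one that pins the link to an allow-list. The allowed hosts and request dictionaries are assumed sample values.

```python
"""Host header abuse: a password-reset link built from the request Host.

Added example (not part of the original guide). build_reset_link_vulnerable
shows the common mistake; build_reset_link pins the link to an allow-list of
canonical hosts. ALLOWED_HOSTS and the request dicts are constructed samples.
"""
from urllib.parse import quote

ALLOWED_HOSTS = {"target.com", "www.target.com"}   # assumed canonical hosts
CANONICAL_HOST = "target.com"


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Trusts whatever Host (or X-Forwarded-Host) the client sent."""
    host = headers.get("x-forwarded-host") or headers.get("host", CANONICAL_HOST)
    return f"https://{host}/reset?token={quote(token)}"


def build_reset_link(headers: dict, token: str) -> str:
    """Only emits links for hosts the application actually serves."""
    host = headers.get("host", "").strip().lower()
    host = host.split(":", 1)[0]          # drop a port before comparing
    if host not in ALLOWED_HOSTS:         # allow-list, never the raw header
        host = CANONICAL_HOST
    return f"https://{host}/reset?token={quote(token)}"


def is_poisoned(link: str) -> bool:
    """Tester's check: does the generated link point at a host we do not own?"""
    host = link.split("://", 1)[1].split("/", 1)[0]
    return host not in ALLOWED_HOSTS


if __name__ == "__main__":
    # The request curl -H "Host: malicious.com" produces:
    attacker = {"host": "malicious.com"}
    print("vulnerable:", build_reset_link_vulnerable(attacker, "t0k"))
    print("hardened:  ", build_reset_link(attacker, "t0k"))
```

The victim clicks the emailed link, the reset token lands in malicious.com's access log, and the attacker completes the reset. The hardened builder never reads the header for anything security-relevant; it only checks membership in a fixed set.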
4️⃣ Session Management Vulnerabilities
Web sessions are gold for attackers.
💣 Common Flaws:
| Issue | Attack |
|---|---|
| Session Fixation | Force session ID pre-login |
| Weak Tokens | Brute-force or predict session IDs |
| Missing HttpOnly/Secure flags | JS-accessible tokens or sent over HTTP |
| JWT Misuse | `alg: none` abuse, key disclosure, brute-forceable HMAC secrets |
🧰 Tools:
- jwt.io for decoding
- ffuf or Burp Intruder for brute-force
- Check cookies in DevTools or Burp Proxy
🧪 Attack Example (a session value that is guessable or carries meaning can simply be swapped for another user's):
```http
Cookie: session=admin
```
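The JWT row in the table deserves a worked case. The block below is an added example, not code from the original guide: it mints a real HS256 token with the standard library, forges an `alg: none` variant of it with an escalated role, and shows a verifier that switches on the token's own `alg` accepting the forgery while a verifier that pins the algorithm rejects it. The secret and claims are constructed sample values.

```python
"""JWT alg:none abuse and the verifier fix (standard library only).

Added example (not from the original guide). SECRET and the claims are
constructed sample values; a real service would load the key from config.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # assumed server-side signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """What the server issues: header.payload.HMAC-SHA256 signature."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_none(claims: dict) -> str:
    """What the attacker sends: alg rewritten to none, signature dropped."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_vulnerable(token: str, secret: bytes):
    """Trusts the alg field inside the token. Returns claims or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))   # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes):
    """Ignores the token's alg as input; requires the one algorithm we issue."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # allow-list, not a switch on attacker data
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_none({"sub": "alice", "role": "admin"})
    print("vulnerable accepts forgery:", verify_vulnerable(forged, SECRET))
    print("hardened accepts forgery:  ", verify_hardened(forged, SECRET))
```

When testing a live target, also try case variants of the header value (`None`, `NONE`, `nOnE`), since some libraries compared the string case-sensitively while still short-circuiting the signature check.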
5️⃣ REST APIs in the Crosshairs
Modern web apps are API-driven—and APIs often lack security parity with UIs.
🚨 Common API Vulnerabilities:
- BOLA (Broken Object Level Authorization)
- Mass Assignment
- Rate Limiting Bypass
- Leaky Metadata in Swagger/OpenAPI
🛠️ Tools:
- Postman: for crafting raw API calls
- Burp Repeater: for parameter manipulation
- Amass / Subfinder for subdomain enumeration
🔎 Try:
```bash
curl -X GET https://target/api/users/1
```
Then, with the same low-privilege credentials, request users/2 (BOLA), ../admin (path traversal), and so on; a 200 carrying another user's data is the finding.
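What the server should have done with that `users/2` request, and the mass-assignment flaw from the list above, are easiest to see side by side. The block below is an added example, not the guide's or any framework's code: a tiny in-memory `/api/users/{id}` service with a vulnerable and a fixed read handler (object-level authorization) and a vulnerable and a fixed update handler (field allow-list). The user table and the writable-field policy are constructed assumptions.

```python
"""BOLA and mass assignment in a REST handler: vulnerable and fixed variants.

Added example (not the guide's code). USERS stands in for a database and
WRITABLE_FIELDS is an assumed policy for which fields a user may edit.
"""
import copy

USERS = {   # constructed user table
    1: {"id": 1, "email": "alice@example.com", "role": "admin", "bio": ""},
    2: {"id": 2, "email": "bob@example.com",   "role": "user",  "bio": ""},
}
WRITABLE_FIELDS = {"email", "bio"}   # assumed: the only user-editable fields


def get_user_vulnerable(db, caller_id: int, target_id: int):
    """Authenticated, but never checks that the caller owns the object (BOLA)."""
    return db.get(target_id)


def get_user(db, caller_id: int, target_id: int):
    """Object-level authorization: only the owner or an admin may read."""
    record = db.get(target_id)
    if record is None:
        return None
    caller = db.get(caller_id)
    if caller_id != target_id and (caller is None or caller["role"] != "admin"):
        return None          # same answer as 'not found', so IDs cannot be enumerated
    return record


def update_user_vulnerable(db, caller_id: int, target_id: int, body: dict):
    """Mass assignment: every JSON key lands on the record, including role."""
    record = db.get(target_id)
    record.update(body)
    return record


def update_user(db, caller_id: int, target_id: int, body: dict):
    """Ownership check first, then copy only allow-listed fields."""
    if get_user(db, caller_id, target_id) is None:
        return None
    record = db[target_id]
    record.update({k: v for k, v in body.items() if k in WRITABLE_FIELDS})
    return record


def demo() -> dict:
    """Run both variants on fresh copies of the table; return what each leaks."""
    out = {}
    db = copy.deepcopy(USERS)
    # Bob (id 2) requests /api/users/1
    out["bola_leak"] = get_user_vulnerable(db, 2, 1)["email"]
    out["bola_fixed"] = get_user(db, 2, 1)
    # Bob PATCHes himself with {"bio": "hi", "role": "admin"}
    out["mass_role"] = update_user_vulnerable(db, 2, 2, {"bio": "hi", "role": "admin"})["role"]
    db = copy.deepcopy(USERS)
    out["mass_fixed_role"] = update_user(db, 2, 2, {"bio": "hi", "role": "admin"})["role"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

Note that the fixed read handler returns the same result for "does not exist" and "not yours"; responding 404 to one and 403 to the other turns the endpoint into an ID oracle even after the authorization bug is closed.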
6️⃣ Web App Architecture for Recon & Exploits
Pentesters map out the architecture to identify:
- Hidden endpoints
- Broken authentication
- Unprotected admin panels
- Misconfigured frontend/backend separation
🧱 Common Architectures:
| Layer | Tech Stack | Common Flaws |
|---|---|---|
| Frontend | React, Angular | DOM-based XSS |
| Backend | Node.js, Django | Logic bugs, RCE |
| APIs | REST/GraphQL | IDOR, injection |
| DB | SQL/Mongo | SQLi, NoSQLi |
📸 Recon Tools: see the Recon and Fuzzer rows of the table in Section 7.
7️⃣ Examples, Tools, and Payloads
| Category | Tool | Use |
|---|---|---|
| Proxy | Burp Suite | Intercept, modify requests |
| Fuzzer | ffuf / wfuzz | Bruteforce params, directories |
| Scanner | Nikto / Nuclei | Vulnerability scanning |
| Recon | Sublist3r / Amass | Subdomain discovery |
| Payloads | PayloadAllTheThings | Exploits and fuzz strings |
| Testing | HTTPBin / RequestBin | Observe request behavior |
🔫 Payload Example for XSS:
```html
<script>alert('XSS')</script>
```
💣 CSRF Proof of Concept (works only when the endpoint changes state on GET and the session cookie is sent cross-site, i.e. it is not SameSite=Lax or Strict):
```html
<img src="http://target.com/delete?id=1">
```
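To see exactly what the `<img>` tag exploits, and what closes it, here is an added example that is not the guide's code: a simulated `delete` handler in two versions. The vulnerable one acts on any request carrying the session cookie, which the victim's browser attaches to the image load for free. The hardened one requires POST, a per-session synchronizer token and a matching `Origin`. The session store, origin and request dictionaries are constructed samples.

```python
"""Why <img src="http://target.com/delete?id=1"> works, and the handler that stops it.

Added example (not from the original guide). SITE_ORIGIN, SESSIONS and ITEMS
are constructed stand-ins for the real origin, session store and database.
"""
import hmac
import secrets

SITE_ORIGIN = "https://target.com"                                   # assumed canonical origin
SESSIONS = {"s3ss10n": {"user": "alice", "csrf": secrets.token_hex(16)}}  # constructed session store
ITEMS = {1: "alice's draft"}                                         # constructed data


def _session(req):
    """Look the session cookie up the way a framework would."""
    cookie = req.get("headers", {}).get("cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


def delete_vulnerable(req, items) -> int:
    """GET + cookie is all it takes; the victim's browser supplies the cookie."""
    if _session(req) is None:
        return 401
    items.pop(int(req["params"]["id"]), None)
    return 200


def delete_hardened(req, items) -> int:
    sess = _session(req)
    if sess is None:
        return 401
    if req["method"] != "POST":                        # never change state on GET
        return 405
    if req.get("headers", {}).get("origin") != SITE_ORIGIN:   # cross-site sender (or no Origin)
        return 403
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):   # synchronizer token bound to the session
        return 403
    items.pop(int(req["form"]["id"]), None)
    return 200


def forged_get():
    """What the <img> tag produces: a GET with the victim's cookie, no Origin, no token."""
    return {"method": "GET", "headers": {"cookie": "session=s3ss10n"}, "params": {"id": "1"}}


def legit_post():
    """What the site's own form produces."""
    return {"method": "POST",
            "headers": {"cookie": "session=s3ss10n", "origin": SITE_ORIGIN},
            "form": {"id": "1", "csrf_token": SESSIONS["s3ss10n"]["csrf"]}}


if __name__ == "__main__":
    items = dict(ITEMS)
    print("vulnerable, forged GET:", delete_vulnerable(forged_get(), items), items)
    items = dict(ITEMS)
    print("hardened, forged GET:  ", delete_hardened(forged_get(), items), items)
    print("hardened, legit POST:  ", delete_hardened(legit_post(), items), items)
```

The three checks are defence in depth: the method check alone defeats the image PoC, the Origin check defeats a cross-site form POST, and the token defeats anything that can spoof Origin or runs from a subdomain that can set cookies. Marking the session cookie SameSite=Lax (the browser default today) is the fourth layer, and it is also the reason the raw PoC above increasingly fails on modern targets.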
🧠 Conclusion & Lab Resources
🚀 Ready to Practice?
| Resource | Purpose |
|---|---|
| PortSwigger Web Security Academy | Free labs covering real-world web vulnerabilities |
| Hack The Box | CTF-style web challenges |
| DVWA | Deliberately vulnerable web app |
| OWASP Juice Shop | Full-stack app to exploit |
| bWAPP | Hundreds of web flaws |
See also
- 🔎 HTTP Request Smuggling — for advanced attacks on HTTP/1.1 & HTTP/2
- 🧬 JWT Hacking Techniques — decode, forge, and abuse tokens
- 🕳️ Broken Access Control — #1 OWASP Top 10 vulnerability
- 🧠 Web CTF Challenges — gamify your learning
