
8 - Introduction to Web Application Attacks

1 - Web Application Assessment Methodology

White-box testing: Involves having access to the application's source code, infrastructure, and design documentation. Requires specific skills to identify vulnerabilities in the source code.

Black-box testing: Assumes no prior knowledge of the target application, requiring extensive enumeration efforts to discover vulnerabilities. A common approach in bug bounty engagements.

Grey-box testing: Involves having limited information about the target, such as authentication methods or framework details. Falls between white-box and black-box testing approaches.

2 - Web Application Assessment Tools

1 - Fingerprinting Web Servers with Nmap

sudo nmap -p80 --script=http-enum 192.168.50.20

2 - Technology Stack Identification with Wappalyzer

<aside> 💡 Just a reminder of this technology.

</aside>

3 - Directory Brute Force with Gobuster

gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5
python3 dirsearch.py -e php,html,js -u https://target
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist

https://github.com/maurosoria/dirsearch

Also keep in mind other tools like:

4 - Security Testing with Burp Suite