Sign in Subscribe

Learning Web Application Pentesting

Learning Web Application Pentesting
Photo by Markus Spiske / Unsplash

Currently, in my retraining as an IT specialist for system integration, the official topic is Windows 10. Why, I honestly don't know. It feels like a strange choice, given that Windows 10 support is officially ending in October. Due to GDPR and general security requirements, companies will inevitably have to migrate to Windows 11, or else they won't be able to guarantee compliance and security. We all know what happened with outdated systems like Windows 7 and vulnerabilities such as EternalBlue. So yes, while the classroom content might feel outdated, I'm making good use of the spare time.

While Windows 10 runs in the background, I've shifted my focus to something far more engaging: Web Application Pentesting. I'm currently diving deep into the TryHackMe path focused on this topic, and it's turning out to be both challenging and incredibly rewarding. The plan is to continue working through this until at least May — it’s a big area, especially when you're still building up from foundational knowledge. But despite the complexity, it’s not discouraging at all — in fact, it’s quite fun. There's something exciting about learning to approach web apps like an attacker would. Every room is a puzzle, every exploit a new lesson. You slowly start to recognize patterns, learn how different layers of a web stack interact, and gain an appreciation for how creative attacks can be when things aren’t properly configured.

Here’s a quick overview of the areas I'm exploring right now:

Injection Attacks

This module covers a range of classic and modern injection techniques. It starts with Advanced SQL Injection, deep-diving into ways to extract, modify or bypass data via manipulated SQL queries. It also includes NoSQL Injection, focusing on attacks targeting MongoDB-style databases, and XXE Injection, which abuses XML parsers to access internal files or execute SSRF. One of the more fascinating parts is Server-Side Template Injection (SSTI), where template engines like Jinja2 or Handlebars can be manipulated to execute arbitrary code. Then there's LDAP Injection, a less common but powerful attack surface, and ORM Injection, which demonstrates how bad object-relational mapping can expose the backend. The section wraps with Injectics, a hands-on challenge to bring all injection techniques together.

The interesting part here is that each injection technique teaches you something not just about exploitation, but about the underlying technology too. You start to understand how databases process queries, how templates work under the hood, or how XML parsing is implemented — and that kind of technical insight is essential if you want to become good in this field.

Authentication

This track dives into how authentication systems can be broken. It begins with Enumeration & Brute Force, looking at how login interfaces can leak useful information or be forcefully bypassed. Session Management explores how insecure session tokens or poorly implemented logout processes can become a liability. JWT Security takes a closer look at JSON Web Tokens, including misconfigured algorithms and key flaws. The OAuth Vulnerabilities room explains how third-party authentication can be hijacked. There's also a module on Multi-Factor Authentication, showing how MFA can be bypassed under certain conditions. And finally, Hammer is a room where all the previous knowledge is needed to exploit an auth system and get remote code execution.

These rooms are especially interesting because they show how many different layers make up something as simple as a "Login" button. From rate-limiting and session expiry to token validation and cookie security, there's a lot to consider — and just as much that can go wrong. The more I learn about it, the more I realize how often real-world applications cut corners when implementing authentication.

Advanced Server-Side Attacks

This section gets even more technical. Starting with Insecure Deserialization, it teaches how seemingly harmless serialized data can be weaponized. SSRF (Server-Side Request Forgery) is another major highlight — it explains how internal networks can be accessed via manipulated server requests. Then there's File Inclusion & Path Traversal, a classic but still relevant vulnerability type. Race Conditions explores how timing issues in server logic can be exploited, and Prototype Pollution dives into a more JavaScript-specific vulnerability that's both niche and devastating. The section concludes with Include, a practical lab to apply what you’ve learned.

What stands out here is how these vulnerabilities often live just below the surface. They don't always rely on obvious misconfigurations — sometimes it's the subtle edge cases that become critical. Learning to spot them feels like learning to read between the lines of code and architecture. It’s a level of depth I really enjoy and want to master.

Advanced Client-Side Attacks

These rooms look at the frontend — where user input meets client logic. XSS is covered in depth, from reflected and stored types to DOM-based variants. CSRF (Cross-Site Request Forgery) explores how malicious requests can trick users into executing unwanted actions. There's a special focus on DOM-Based Attacks, which manipulate the page directly in the browser. Then, CORS & SOP introduces concepts like the Same-Origin Policy and Cross-Origin Resource Sharing, which are key to modern web security. The final room, What's Your Name?, is a client-side exploitation challenge to tie everything together.

Even though client-side might seem like the lighter side of web hacking, it's surprising how dangerous things can get when client-side protections are improperly enforced. Understanding how browsers interpret and process data adds a new dimension to thinking like an attacker. It's also fascinating to realize how many attacks rely purely on making the frontend behave differently than intended.

HTTP Request Smuggling

A more niche but fascinating area. This module introduces the idea of manipulating how HTTP requests are parsed by servers and proxies. CL.TE and TE.CL attacks form the foundation. The HTTP/2 Request Smuggling room continues this idea in modern contexts. Then there’s Request Smuggling via WebSockets and HTTP Browser Desync, which deal with increasingly complex scenarios. It all ends with El Bandito, a challenge-based room to test everything you've learned so far in this category.

I find this section especially technical — you're learning how HTTP requests flow through systems, how proxies and backends may interpret them differently, and how you can exploit those mismatches. It’s not easy, but when the pieces fall into place, it's incredibly satisfying. Definitely a more advanced part of the web hacking journey, but worth the effort.

This whole path on TryHackMe has been a shift into a different mindset. It’s one thing to know how to protect systems, but learning how to break into them — especially through web apps — really teaches you how fragile things can be when security is not done right. I'm looking forward to working through the remaining rooms and growing deeper into the world of offensive security.

My goal is to not only finish this path, but to internalize the logic behind each attack, understand the mitigation strategies, and be able to recognize patterns across different application stacks. By the time May rolls around, I want to be able to look at any login form, API, or HTTP header and have a good idea of what could go wrong. There's still a long way to go, but this challenge is exactly what keeps me motivated. There’s always more to learn — and that’s what makes it so compelling.