My penetration testing journey begins.

The first chapter in this journey, Web Hacking! Now, I’m warming up the cold engine here, before starting anything hasty. The process of ‘Walking Applications’ is to physically — ‘Manually’, that’s the better choice of word — To manually review a web application on your browser for any vulnerabilities, and security issues. Though only using my developer tools.

Now I can recall days smashing and clicking on my browser, and miraculously ending up on a page that looked like a bunch of obfuscated content. Now I’m not going to sit here and tell you how, “Coming across this content, it opened a whole new world of wonder, and mystery to solve and explore”… No. Closed it and went on with my browsing actually XD.

Well, I was given a couple of tasks, requiring me to review a website, to discover and examine any features that are potentially vulnerable, or not. The features are usually parts of a website that require some interactivity with the user. Getting that information is as easy as spotting a ‘Give us a review form’, to manually reviewing the website’s JavaScript.

The in-built browser tools I utilised — Page Source, Inspector, Debugger, and Network. To avoid sounding like an AI, and explaining all the intricacies of each tool and my process for each task, I’ll talk about the tool I’m intrigued by the most — The page source. It’s the human readable code returned to our browser from the web server each time a request is made. Unfortunately the code is made up of HTML, CSS, and JavaScript. Why do I use the word ‘unfortunately’? Well. Cause I absolutely despise web development! Now, the idea of creating a fully immersive experience on the internet is cool, but for a job. I’ve had a friend tell me their everyday task as a web developer.

The man went on about having an important meeting on what the colour of a button should be on their website, and his sole task was to change the colour to whatever his employers demanded. Bruh! That’s purgatory on Earth! Maybe the fact that he was an intern is the reason for such a soul draining task. Though that was one of the reasons which threw me off the languages, and I’ve never really thought of getting into web development as a Game Developer graduate. Though, If I have to learn the language to hack websites, rather than making them… I don’t see a problem in that XD.

The Page Source could provide you with hidden links to secret pages that developers won’t really want users gaining access to. Also giving us ideas of the framework used for the website. A framework is a collection of premade code. So figuring out the framework, and especially the version utilised. That can help narrow down efficient ways to exploiting the website.

The tasks were pretty simple as the secret link within the source page was literally named ‘secr’… Short for secret… Figuring out the framework was pretty simple too. As it was an all caps comment at the bottom of the page…

The tasks given did no good in making the page source an intriguing tool — The idea of making a language/tool I’ve never been interested in (JavaScript, CSS, HTML), into a tool that can be utilised, or ‘EXPLOITED’! (Pun intended!) For something I enjoy doing, is the sole reason I enjoyed using the page source tool. I’m literally learning to exploit the tools that bored me to death. It helped me ignore the bad, and see all the good. Well using it to hack isn’t morally ‘the good’, but you know what I mean.

Obviously, real-world applications won’t be this simple - no dev is naming secret panels ‘secretadminpanel.php’. But the principles remain — look at the source, understand the structure, find what’s hidden. Automated scanners do a good job, but the human eye can spot human flaws far better and easier. The value of the skill doesn’t waver!

The next post I want to discuss Subdomain Enumeration, and Content Discovery.