
Exercise 60: Penetration Testing a Web Server Using Burp Suite

Jul 20, 2025

Objective

Perform a penetration test on a web server using Burp Suite to identify and exploit common web vulnerabilities such as SQL Injection (SQLi) and Cross-Site Scripting (XSS). Learn how to interpret Burp Suite’s findings and apply security best practices to mitigate these vulnerabilities.


Scenario

Web applications are frequent targets of cyberattacks due to poor coding practices and misconfigurations. In this exercise, you’ll simulate a penetration test on a vulnerable web server using Burp Suite, uncover vulnerabilities, and suggest mitigation strategies.

⚠️ Important: This exercise must be conducted in a legal and controlled environment using intentionally vulnerable applications (e.g., DVWA or WebGoat). Unauthorized penetration testing is illegal and unethical.


Lab Instructions

Step 1: Set Up the Vulnerable Web Application

a. Install DVWA (Damn Vulnerable Web Application)

sudo apt update
sudo apt install apache2 mysql-server php php-mysqli php-gd php-curl -y
sudo git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa
sudo chown -R www-data:www-data /var/www/html/dvwa
sudo systemctl restart apache2

b. Configure the DVWA Database

sudo mysql -u root -p
CREATE DATABASE dvwa;
-- MySQL 8 no longer accepts IDENTIFIED BY inside GRANT, so create the user first
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;
EXIT;
  • Edit config.inc.php (DVWA ships only the template config.inc.php.dist, so copy it first):
sudo cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php
sudo nano /var/www/html/dvwa/config/config.inc.php
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
  • Set the DVWA security level to Low in the web interface.

Step 2: Configure Burp Suite as a Proxy

a. Launch Burp Suite

  • Open Burp Suite and select Temporary Project → Next → Start Burp.

b. Set Proxy Listener

  • Go to Proxy → Options → Confirm that 127.0.0.1:8080 is listed.

c. Configure Browser Proxy Settings

  • Open Firefox/Chrome and configure the proxy:
    • Manual Proxy Configuration:
      • HTTP Proxy: 127.0.0.1
      • Port: 8080
    • Install Burp CA Certificate to avoid SSL errors.

Step 3: Intercept and Analyze Web Traffic

a. Enable Burp Proxy Interception

  • Go to Proxy → Intercept → Intercept is on.

b. Browse the DVWA Application

  • Visit http://127.0.0.1/dvwa and interact with the site.
  • Expected Result: Burp Suite intercepts HTTP requests.

Step 4: Identify and Exploit Vulnerabilities

a. Perform Active Scanning

  • Target → Right-click on the DVWA site → Scan → Scan full site.
  • Expected Result: Burp Suite lists identified vulnerabilities.

b. Test for SQL Injection (SQLi)

  • Go to SQL Injection page in DVWA.
  • In the input field, enter:
1' OR '1'='1 --
  • Intercept the Request: Send to Intruder.
  • Set payload positions and launch the attack.
  • Expected Result: Unauthorized data access.

c. Test for Cross-Site Scripting (XSS)

  • Go to the XSS (Reflected) page in DVWA.
  • Input payload:
<script>alert('XSS')</script>
  • Expected Result: Alert pop-up appears, confirming XSS.

Step 5: Suggest Mitigation Strategies

  1. Prevent SQL Injection:
    • Use prepared statements and parameterized queries.
    • Example (PHP):
$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
  2. Prevent XSS:
    • Implement input validation and output encoding.
    • Use Content Security Policy (CSP) to restrict script execution.
  3. Enable Web Application Firewall (WAF):
    • Protect against automated exploitation.
  4. Least Privilege Principle:
    • Limit database permissions.
  5. Regular Security Audits:
    • Perform routine penetration tests.
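The following is an added example, not part of the original exercise and not DVWA's code. It is a Python stand-in (SQLite in place of MySQL, html.escape in place of PHP output encoding) that runs the Step 4 style payloads against a concatenated query and a reflected template, then against their parameterized and encoded counterparts, and builds the security headers from the best-practice list. The users table contents and the CSP policy are constructed assumptions; the function names are illustrative.

```python
import html
import sqlite3

# Constructed sample data: a three-row stand-in for DVWA's users table (not DVWA's real schema).
SAMPLE_USERS = [(1, "admin"), (2, "gordonb"), (3, "1337")]

# The OR '1'='1 form from Step 4; the template's own closing quote completes the expression.
SQLI_PAYLOAD = "1' OR '1'='1"
# The reflected XSS payload from Step 4.
XSS_PAYLOAD = "<script>alert('XSS')</script>"


def _fresh_db():
    """In-memory SQLite database seeded with the constructed rows (stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(user_input):
    """DVWA 'Low' style lookup: the parameter is concatenated into the SQL text.
    The payload closes the quote and appends OR '1'='1', so every row comes back."""
    conn = _fresh_db()
    query = f"SELECT id, name FROM users WHERE id = '{user_input}'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        # A database error string in the response is itself a classic SQLi indicator.
        return [("error", str(exc))]


def lookup_hardened(user_input):
    """Parameterized query (Python equivalent of the PHP prepare/bind_param/execute above):
    the driver binds the value as data, so quotes never reach the SQL parser."""
    conn = _fresh_db()
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_input,)).fetchall()


def render_vulnerable(name):
    """Reflected XSS: the parameter is written straight into the page body."""
    return f"<pre>Hello {name}</pre>"


def render_hardened(name):
    """Output encoding: html.escape turns < > & and quotes into entities, so the browser
    renders the payload as text instead of executing it."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def security_headers():
    """Response headers from the exercise's best-practice list. The CSP value is an assumed
    example policy for a same-origin application, not DVWA's configuration."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable SQL rows:", lookup_vulnerable(SQLI_PAYLOAD))  # all three rows
    print("hardened SQL rows:  ", lookup_hardened(SQLI_PAYLOAD))    # no rows
    print("vulnerable HTML:", render_vulnerable(XSS_PAYLOAD))
    print("hardened HTML:  ", render_hardened(XSS_PAYLOAD))
    for header, value in security_headers().items():
        print(f"{header}: {value}")
```

Running it shows the "before" and "after" states the Testing & Verification section describes: the concatenated query returns the whole table while the parameterized one returns nothing for the payload yet still finds id 1 for a legitimate lookup, and the encoded template contains no executable script tag. The same pair of checks is what you would repeat in Repeater after changing the PHP.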

Solution & Explanation

How Burp Suite Works

  • Proxy: Captures and manipulates web traffic.
  • Scanner: Identifies common web vulnerabilities.
  • Intruder: Automates custom attacks.
  • Repeater: Manually modifies and resends requests.

Key Vulnerabilities Exploited

  1. SQL Injection: Allows attackers to manipulate database queries.
  2. Cross-Site Scripting (XSS): Injects malicious scripts into web pages.

Prevention Techniques

  • Prepared Statements: Secure database queries.
  • Input Validation: Sanitize user input.
  • Content Security Policy: Limits allowed content sources.

Testing & Verification

  1. Before Mitigation:
    • Burp Suite identifies exploitable SQLi and XSS.
    • Vulnerabilities are confirmed through successful attacks.
  2. After Mitigation:
    • SQLi and XSS payloads are blocked.
    • Burp Suite scans return no critical vulnerabilities.

Verify with Burp Suite

  • Repeater: Test payloads after applying mitigations.
  • Scanner: Re-scan for vulnerabilities.

Security Best Practices

  1. Use Secure Coding Practices (Prepared Statements, Input Validation).
  2. Deploy Security Headers (CSP, X-Content-Type-Options).
  3. Regularly Update Web Applications and Dependencies.
  4. Enable Web Application Firewalls (WAF).
  5. Conduct Regular Penetration Testing.

Additional Script (Optional)

Automate SQLi Detection:

#!/bin/bash
# Simple SQLi Testing Script: sends the test value and greps the response for a database error
[ $# -eq 1 ] || { echo "usage: $0 <url>"; exit 1; }
URL=$1
# -G puts the parameter in the query string; --data-urlencode encodes the quotes and spaces
# instead of sending them raw in the URL, which many servers reject
curl -s -G "$URL" --data-urlencode "id=1' OR '1'='1" | grep -i "error"

Run the script:

chmod +x sqli_test.sh
./sqli_test.sh "http://127.0.0.1/dvwa/vulnerable_page.php"

Conclusion

In this exercise, you performed a web server penetration test using Burp Suite to uncover vulnerabilities like SQL Injection and XSS. You learned how to intercept and analyze traffic, exploit vulnerabilities, and implement best practices to secure web applications.
