Lab 4: Web Application Reconnaissance

Week 4 graded lab. Burp Suite as proxy + directory enumeration. Local Docker targets only.


Learning objectives

  • Configure Burp Suite Community as an intercepting proxy
  • Passively map a web application's structure and input surface through proxied browsing
  • Use directory enumeration tools to discover unlisted paths and endpoints
  • Produce an attack surface map that the Week 8 exploitation lab will work from

Authorization

Both targets are Docker containers running on your local Kali VM. You are authorized to run any web reconnaissance technique against these local targets. Do not run these techniques against any external host.

Targets:

  • Lab 4a: DVWA at http://127.0.0.1 (port 80, mapped from Docker)
  • Lab 4b: WebGoat at http://127.0.0.1:8080/WebGoat

Pre-lab check: Verify both containers are running:

sudo docker ps
# Both vulnerables/web-dvwa and webgoat/webgoat should be listed as running
# If not: see SETUP.md

Lab 4a: DVWA

Step 1: Configure Burp Suite proxy

# Launch Burp Suite:
burpsuite &

# In Burp:
# 1. Proxy > Intercept > click "Intercept is on" to turn it OFF (let traffic flow)
# 2. Proxy > Options > confirm listener on 127.0.0.1:8080
#    (the Lab 4b WebGoat container is also published on 127.0.0.1:8080; the proxy and the
#    container cannot both bind that port, so check which one owns it with: ss -ltnp | grep 8080)

# In Firefox:
# Settings > Network Settings > Manual proxy: HTTP Proxy 127.0.0.1, Port 8080
# Check "Use this proxy server for all protocols"

Install the Burp CA certificate (required for HTTPS traffic; not needed for HTTP-only targets, but build the habit):

  1. Browse to http://burpsuite (this serves the CA cert download page)
  2. Click "CA Certificate" to download cacert.der
  3. In Firefox: Settings > Privacy & Security > View Certificates > Import > select cacert.der

Step 2: Passive browsing

Browse every page of DVWA while Burp is recording. Log in with admin / password. Navigate to every challenge category (SQL Injection, XSS, File Upload, CSRF, etc.). Do not attempt any attacks yet -- this is reconnaissance only.

As you browse, Burp's HTTP History tab records every request. After completing the full navigation:

  • Open Burp's Site Map tab (Target > Site Map). How many distinct paths does Burp show for http://127.0.0.1?
  • Note every unique URL path
  • Note every form parameter and cookie name visible in HTTP History

Document: A Markdown table of DVWA's URL paths and their associated parameters, grouped by directory.

Step 3: Technology fingerprint

From the HTTP History responses, document:

  • Server: header value (web server and version)
  • X-Powered-By: header value (backend language)
  • Session cookie name(s)
  • Any PHP session ID format visible in cookies or URL parameters
  • Any framework-specific patterns in response bodies (jQuery version from script includes, Bootstrap classes, etc.)
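A parser for the HTTP History export that Steps 2 and 3 (and the DVWA appendix) rest on, added here as an example and not part of the lab or of Burp: it reads the XML written by HTTP History > Save Items, groups every path under its directory with the query and form parameter names seen on it, and collects the Server, X-Powered-By and cookie names from the responses. The sample export at the bottom is constructed in that format (with the base64 option unticked at export) rather than captured from DVWA, and its header values and session id are made up.

```python
import base64
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

def _parse_http(node):
    """Decode a <request>/<response> node (base64 unless unticked at export) into (headers, body)."""
    raw = base64.b64decode(node.text or "") if node.get("base64") == "true" else (node.text or "").strip().encode("latin-1")
    head, _, body = raw.decode("latin-1").replace("\r\n", "\n").partition("\n\n")
    headers = defaultdict(list)  # lower-cased header name -> list of values (Set-Cookie repeats)
    for line in head.splitlines()[1:]:  # skip the request line / status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers, body

def parse_burp_export(xml_text):
    """Step 2: directory -> path -> parameter names; Step 3: Server, X-Powered-By, cookie names."""
    routes = defaultdict(lambda: defaultdict(set))
    fp = {"server": set(), "x-powered-by": set(), "cookies": set()}
    for item in ET.fromstring(xml_text).iter("item"):
        url = urlsplit(item.findtext("url", ""))
        req_headers, req_body = _parse_http(item.find("request"))
        params = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        if "application/x-www-form-urlencoded" in "".join(req_headers["content-type"]):
            params |= {k for k, _ in parse_qsl(req_body.strip(), keep_blank_values=True)}
        routes[url.path.rsplit("/", 1)[0] or "/"][url.path] |= params
        for cookie_hdr in req_headers["cookie"]:
            fp["cookies"] |= {c.split("=", 1)[0].strip() for c in cookie_hdr.split(";")}
        resp = item.find("response")
        if resp is not None and (resp.text or "").strip():  # an item may have no response
            resp_headers, _ = _parse_http(resp)
            fp["server"] |= set(resp_headers["server"])
            fp["x-powered-by"] |= set(resp_headers["x-powered-by"])
            fp["cookies"] |= {sc.split("=", 1)[0].strip() for sc in resp_headers["set-cookie"]}
    return routes, fp

# Constructed sample shaped like a Burp "Save Items" export with base64 unticked; not real traffic.
SAMPLE_EXPORT = """<items>
<item><url><![CDATA[http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit]]></url><request base64="false"><![CDATA[GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Cookie: PHPSESSID=c0n57ruc73d; security=low
]]></request><response base64="false"><![CDATA[HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.0.30
Set-Cookie: PHPSESSID=c0n57ruc73d; path=/
]]></response></item>
<item><url><![CDATA[http://127.0.0.1/login.php]]></url><request base64="false"><![CDATA[POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username=admin&password=password&Login=Login]]></request></item>
</items>"""
```

The routes dictionary is exactly the data for the Step 2 table (one directory per group, one row per path with its parameter set); the fingerprint dictionary fills the first three rows of the Step 3 table.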

Step 4: Directory enumeration

# Install SecLists if not already installed:
sudo apt install seclists -y

# Run gobuster against DVWA:
gobuster dir \
  -u http://127.0.0.1 \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -x php,html,txt,bak,conf \
  -o gobuster-dvwa.txt \
  -t 20

# Review output:
cat gobuster-dvwa.txt

Document: Which paths did gobuster find that were NOT in Burp's site map from passive browsing? What types of files did gobuster find (.php, .bak, .conf, .txt)? What is the significance of backup files (.bak) in a web directory?
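To answer the Step 4 questions mechanically, and the same question later for the WebGoat lists, here is an added example that is not part of the lab: it parses gobuster's dir result lines, drops every route the passive Burp site map already held, and buckets the remainder by file type so .bak and .conf hits stand out. The gobuster output and the passive path list are constructed samples, not real scan results.

```python
import re
from collections import defaultdict
from posixpath import splitext

# One gobuster "dir" result line: "/path   (Status: 200) [Size: 1289]" (optionally "[--> redirect]")
GOBUSTER_LINE = re.compile(r"^(/\S*)\s+\(Status:\s*(\d{3})\)\s*\[Size:\s*(\d+)\]")

def parse_gobuster(text):
    """Return {path: (status, size)}; banner and progress lines do not match and are skipped."""
    found = {}
    for line in text.splitlines():
        m = GOBUSTER_LINE.match(line.strip())
        if m:
            found[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return found

def _norm(path):
    """Treat "/docs" and "/docs/" as the same route when comparing the two sources."""
    return path.rstrip("/") or "/"

def only_in_gobuster(found, passive_paths):
    """Routes gobuster found that passive browsing never visited (the Step 4 question)."""
    seen = {_norm(p) for p in passive_paths}
    return sorted(p for p in found if _norm(p) not in seen)

def group_by_type(found, paths):
    """Bucket routes by extension; a 301 on an extension-less path is the trailing-slash redirect of a directory."""
    groups = defaultdict(list)
    for p in paths:
        ext = splitext(p)[1].lstrip(".")
        key = "directory" if found[p][0] == 301 and not ext else (ext or "no-ext")
        groups[key].append(p)
    return dict(groups)

# Constructed sample of gobuster-dvwa.txt (not real scan output) and a made-up set of paths
# a passive Burp site map might hold after Step 2.
SAMPLE_GOBUSTER = """\
/.htaccess            (Status: 403) [Size: 276]
/config               (Status: 301) [Size: 313] [--> http://127.0.0.1/config/]
/docs                 (Status: 301) [Size: 311] [--> http://127.0.0.1/docs/]
/login.php            (Status: 200) [Size: 1289]
/login.php.bak        (Status: 200) [Size: 1301]
/robots.txt           (Status: 200) [Size: 26]
Progress: 30000 / 30001 (100.00%)
"""
SAMPLE_PASSIVE = ["/", "/login.php", "/index.php", "/docs/", "/vulnerabilities/sqli/"]

if __name__ == "__main__":
    found = parse_gobuster(SAMPLE_GOBUSTER)
    new = only_in_gobuster(found, SAMPLE_PASSIVE)
    for kind, paths in sorted(group_by_type(found, new).items()):
        print(f"{kind:>10}: {', '.join(paths)}")
```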


Lab 4b: WebGoat attack surface map

Step 1: Navigate WebGoat completely

Log in to WebGoat at http://127.0.0.1:8080/WebGoat (register for an account on first visit; the account is local to your Docker container). Navigate every lesson category. Do not complete the lesson challenges yet -- this is reconnaissance.

With Burp still running as a proxy, browse through all lesson categories. The Burp HTTP History will capture the API endpoints and request structures.

Step 2: Identify injection points

From the Burp HTTP History, identify three distinct injection points in WebGoat -- form fields, URL parameters, or HTTP headers where user-supplied input is accepted.

For each injection point, document:

  #  Location                        HTTP method  Parameter name  Expected format  What the app appears to do with it
  1  /WebGoat/SqlInjection/attack1   POST         account_name    Username string  SQL query against user table
  2  ...                             ...          ...             ...              ...
  3  ...                             ...          ...             ...              ...

This is reconnaissance, not exploitation. Do not submit attack payloads. The goal is the attack surface map.

Step 3: API endpoint enumeration

WebGoat uses a REST API. Run a targeted enumeration against the /WebGoat/ path:

gobuster dir \
  -u http://127.0.0.1:8080/WebGoat \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -o gobuster-webgoat-api.txt \
  -t 10

# Also try a general web content list:
gobuster dir \
  -u http://127.0.0.1:8080 \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -x html,jsp,do \
  -o gobuster-webgoat-general.txt \
  -t 10

Deliverable

A Markdown report with two sections (DVWA and WebGoat).

DVWA section:

  1. Technology fingerprint (table: server, backend, session mechanisms)
  2. URL/route summary: how many routes from passive Burp browsing vs. how many from gobuster? List the routes found only by gobuster.
  3. Notable findings from passive browsing (visible parameters, cookie format, backup files)

WebGoat section:

  1. Three-injection-point table (from Step 2 above)
  2. API endpoint enumeration results (routes discovered by gobuster that are not in WebGoat's navigation)
  3. Attack surface summary: which injection points are most interesting for Week 8 exploitation, and why?

Appendices:

  • Burp HTTP History export for DVWA (right-click in HTTP History > Save Items)
  • gobuster-dvwa.txt and gobuster-webgoat-general.txt raw output

Notes on Burp Community Edition

Burp Suite Community Edition has rate-limited Intruder and no Scanner. For this course:

  • Proxy -- unlimited; core of Week 4 and Week 8
  • Repeater -- unlimited; core of Week 8 manual attack work
  • Decoder -- unlimited; useful for encoding/decoding payloads
  • Intruder -- rate-limited (1 thread, ~1 request/second); adequate for small IDOR enumeration; too slow for large wordlists

The community edition is sufficient for all course labs. The professional edition removes these restrictions for production engagement use.