Essential Web Penetration Testing Q&A: From Recon to Exploit Techniques

This article compiles 42 practical questions and answers covering information gathering, vulnerability identification, exploitation tactics, and remediation advice for web applications, databases, servers, and common security mechanisms, providing a concise reference for penetration testers and security engineers.


1. What should you do first when you get a target site for testing?

Collect information such as WHOIS data, the site's IP address, neighboring sites on the same host, other hosts in the same /24 (C‑segment), server OS version, web container version, application version, database type, sub‑domains, firewall details, and maintainer (administrator) information.

2. Difference between MySQL injection on versions 5.0+ and below 5.0?

Versions below 5.0 lack the information_schema system database, so table names cannot be enumerated and must be guessed or brute‑forced. Versions below 5.0 are also described as single‑user, single‑operation, while 5.0+ support multiple users and concurrent operations.

3. Value of collecting the target site’s registered email during penetration testing?

Check the email against leaked credential databases, use it as a keyword for search‑engine queries, discover related social accounts, infer password habits, generate custom wordlists, and identify non‑public sites the administrator visits for further footholds.

4. Why is identifying the target CMS important for penetration testing?

It allows you to search for known vulnerabilities of that CMS and, if the CMS is open‑source, download its source code for manual code review.

5. What is the purpose of scanning directories on a mature, relatively secure CMS?

To locate sensitive files and secondary directories, such as backup archives, README.txt, or other sites hosted in sub‑directories that may expose additional data.

6. Common web server containers.

IIS, Apache, Nginx, Lighttpd, Tomcat.

7. Conditions required for a MySQL injection tool to write directly to the target site.

Root privileges on the server and the absolute path of the web application.

8. Known container versions with parsing vulnerabilities (examples).

IIS 6.0 – in a path such as /xx.asp/xx.jpg, xx.asp is a folder name, and IIS parses files inside that folder as ASP.

IIS 7.0/7.5 – Fast‑CGI enabled; appending /1.php after an image URL causes PHP execution.

Nginx ≤0.8.37 – same technique as IIS 7.0/7.5, and it works even when Fast‑CGI is disabled.

Apache – files named test.php.x1.x2.x3 are parsed as PHP because Apache evaluates extensions from right to left.

Lighttpd – patterns like xx.jpg/xx.php can trigger execution (incomplete list, community contributions welcome).

9. Quick way to determine whether a target server runs Windows or Linux.

Linux file systems are case‑sensitive; Windows file systems are case‑insensitive.

10. Why might a MySQL‑based site only have port 80 open?

The MySQL port (3306) may be firewalled, the service could be running on a non‑standard port, or the site may be using a separate database server (site‑database separation).

11. Common reasons for RDP (port 3389) connection failures.

Port 3389 not opened.

Port has been changed.

Blocked by a firewall or security product.

Server resides in an internal network requiring port forwarding.

12. How to bypass character escaping in SQL injection.

Use wide‑character injection or hex‑encoding to evade filters.

13. First step when encountering an editor in a backend news management page.

Identify the editor’s name and version, then search public vulnerability databases for known exploits.

14. Actions after finding an .htaccess file in the web root.

Insert directives such as

<FilesMatch "xxx.jpg"> SetHandler application/x-httpd-php </FilesMatch>

to force the server to treat image files as PHP, enabling arbitrary code execution.
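The defensive counterpart to Q8 and Q14 is a strict server-side filename policy for uploads. The following is an added example, not code from the article: it rejects multi-extension names (Apache's right-to-left evaluation), path segments such as xx.asp (IIS 6.0 folder parsing) and attacker-supplied dotfiles like .htaccess, and stores files under a random name. The extension allow-list and all sample names are constructed.

```python
"""Upload filename policy (added example, not from the article).

Rejects names that trigger the parsing behaviour listed in Q8 and the
.htaccess trick in Q14: multi-extension names such as test.php.x1.x2.x3
(Apache reads extensions right to left), path segments such as xx.asp
(IIS 6.0 folder parsing), and attacker-supplied dotfiles like .htaccess.
The stored name discards the client name entirely. All names are constructed.
"""
import re
import secrets
from typing import Tuple

ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}      # image endpoint allow-list
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no dots, no separators


def validate_upload_name(name: str) -> Tuple[bool, str]:
    """Return (accepted, reason); accepted names have exactly one extension."""
    if "\x00" in name or "/" in name or "\\" in name:
        return False, "path separator or NUL byte"
    if name.startswith("."):
        return False, "dotfiles such as .htaccess are not allowed"
    parts = name.lower().split(".")
    if len(parts) != 2:
        # test.php.x1.x2.x3 or shell.jpg.php: a server may still pick .php
        return False, "exactly one extension required"
    stem, ext = parts
    if not SAFE_STEM.match(stem):
        return False, "base name contains characters outside [A-Za-z0-9_-]"
    if ext not in ALLOWED_EXTS:
        return False, f".{ext} is not an allowed extension"
    return True, "ok"


def stored_name(name: str) -> str:
    """Name to use on disk: random stem plus the validated extension.

    The client-supplied stem never reaches the filesystem, so it cannot
    smuggle a second extension or a handler-relevant directory name.
    """
    ok, reason = validate_upload_name(name)
    if not ok:
        raise ValueError(reason)
    ext = name.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"
```

Pair this with a web server configuration that disables script handlers in the upload directory, since filename checks alone do not stop a misconfigured handler.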

15. Are injection vulnerabilities limited to stealing credentials?

No – with sufficient privileges, attackers can dump entire databases, exfiltrate data, or achieve full system compromise.

16. Can security products that track variable usage detect one‑line webshells?

They rely on signature patterns, which can often be evaded with creative payloads; however, they are not foolproof.

17. How to exploit an Access database file with an .asp extension found by a scanner.

Download the file (e.g., via a direct link) and rename it to .mdb for local analysis.

18. Why avoid directories with spaces when selecting writable paths for privilege escalation?

Many exploit payloads split arguments on spaces, causing command parsing errors.

19. Why does creating a test user on site A also create it on site B?

Both sites share the same database backend.

20. Can you start a SQL injection with ORDER BY instead of logical operators?

If the injection point is already confirmed, the preliminary 1=1 or 1=2 checks can be omitted.

21. Bypassing a web application firewall that logs illegal injection attempts.

Inject a payload directly in the URL so the server logs the raw string; then search for configuration files or use known backdoors to gain a shell. See http://ytxiao.lofter.com/post/40583a_ab36540 for details.

22. Fixes for garbled output after uploading a webshell.

Change the browser’s character encoding to match the server’s response.

23. Why examine upload controls’ HTML elements?

Some sites enforce file‑type restrictions client‑side; modifying the HTML to allow additional types can bypass these checks.

24. How to exploit a password‑reset page that always returns “user does not exist”.

First brute‑force usernames, then use the discovered usernames to brute‑force passwords; any login form that reveals user existence can be leveraged similarly.

25. Exploiting a download endpoint like down.php?file=/upwdown/1.txt .

Attempt directory traversal or replace the file parameter with index.php to download the site’s source, then search for configuration files containing database credentials.

26. Approach when a target’s root contains /abc/ with an editor and admin directory.

Perform a deep scan of /abc/ for sensitive files and directories.

27. Using XSS for persistent control after obtaining a webshell.

Inject JavaScript into the admin login page to capture credentials and send them to an external server.

Place XSS payloads in files that are only accessible after authentication.

28. Revealing a masked password field in an admin panel.

Inspect the element and change the type="password" attribute to type="text" to view the plaintext password.

29. Why does uploading an image work but uploading a script returns 403?

Web server configuration may block execution of files in the upload directory; renaming the file extension can sometimes bypass this restriction.

30. Identifying a site’s protection software via HTML inspection.

Examine hidden HTML elements; for example, the product "护卫神" (Huweishen) may appear as an <hws> element in the page source.

31. Purpose of creating a .zhongzi folder on a Windows 2003 server.

To hide tools from administrators.

32. Choose between demo.jsp?id=2+1 and demo.jsp?id=2-1 for SQL injection testing and explain.

Choose the second option, because an unencoded plus sign (+) in a query string is decoded as a space by the server, so 2+1 may not reach the application as intended.

33. How to test the injection in demo.do?DATA=AjAxNg== .

The DATA parameter appears to be Base64‑encoded; decode it before testing, or encode your payload accordingly.

34. Strategies to obtain a webshell from demo.jsp?uid=110 injection point.

Use INTO OUTFILE to write a shell file if write permissions are available.

Run sqlmap --os-shell for an automated shell.

Extract admin credentials via UNION queries, then log in and upload a shell.

35. Differences and mitigations for CSRF, XSS, and XXE.

XSS injects malicious scripts; mitigate by escaping output, using HttpOnly cookies, and validating input. CSRF forces unwanted actions; mitigate with anti‑CSRF tokens, re‑authentication, and Referer checks. XXE exploits XML parsers; mitigate by disabling external entity resolution.
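As an added example of the anti-CSRF token mitigation named above (not code from the article), the following synchronizer token is bound to the session id with an HMAC under a server-side secret and expires after a fixed lifetime. The secret, session ids and clock values are constructed.

```python
"""Anti-CSRF synchronizer token (added example, not from the article).

Implements the token mitigation named in Q35: the token is bound to the
session id with an HMAC under a server-side secret and carries its issue
time, so a token forged for another session, or an expired one, fails
verification. The secret, session ids and clock values are constructed.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # stays server-side; rotate with deployments
TOKEN_TTL = 3600                         # seconds a token remains valid


def _sign(session_id: str, issued: int, nonce: str) -> str:
    msg = f"{session_id}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now=None) -> str:
    """Embed in forms as a hidden field; one call per rendered form."""
    issued = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)  # makes tokens unique per form render
    return f"{issued}.{nonce}.{_sign(session_id, issued, nonce)}"


def verify_token(session_id: str, token: str, now=None) -> bool:
    """Accept only a fresh token minted for this exact session.

    Call on every state-changing request, with the session id taken from
    the authenticated session cookie, never from the request body.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False
    if not 0 <= now - issued <= TOKEN_TTL:
        return False
    expected = _sign(session_id, issued, nonce)
    return hmac.compare_digest(expected, mac)  # constant-time comparison
```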

36. Differences among CSRF, SSRF, and replay attacks.

CSRF is a client‑side request forgery; SSRF is a server‑side request forgery; replay attacks resend captured network traffic to reuse authentication.

37. Three types of business‑logic vulnerabilities and their fixes.

Password‑reset flaws – enforce rate limiting, CAPTCHA, and multi‑factor verification.

Authentication bypass – implement proper session handling and token validation.

CAPTCHA bypass – use dynamic challenges and server‑side verification.
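The password-reset fix listed here and the user-enumeration problem in Q24 share one remedy, shown below as an added example (not code from the article): the endpoint answers identically whether or not the account exists, and requests are capped per client in a sliding window. The account store, client addresses and clock values are constructed.

```python
"""Enumeration-resistant, rate-limited password reset (added example).

Addresses Q24 (a reset page that reveals whether a user exists) and the
password-reset fix in Q37: the response body is identical for known and
unknown accounts, and requests are capped per client in a sliding window
so usernames cannot be brute-forced through the endpoint. The account
store, client addresses and clock values are constructed samples.
"""
import collections
import time

KNOWN_USERS = {"alice", "bob"}   # constructed stand-in for the user table
WINDOW = 600                     # sliding window, seconds
MAX_ATTEMPTS = 5                 # reset requests per client per window
GENERIC_MSG = "If that account exists, a reset link has been sent."


class ResetService:
    def __init__(self):
        # client -> timestamps of recent requests (oldest first)
        self._attempts = collections.defaultdict(collections.deque)
        self.queued = []  # usernames for which a mail would really be sent

    def _allowed(self, client: str, now: float) -> bool:
        q = self._attempts[client]
        while q and now - q[0] >= WINDOW:
            q.popleft()              # drop requests outside the window
        if len(q) >= MAX_ATTEMPTS:
            return False
        q.append(now)
        return True

    def request_reset(self, client: str, username: str, now=None):
        """Return (status, message); the message never depends on username."""
        now = time.time() if now is None else now
        if not self._allowed(client, now):
            # 429 is keyed to the client, not the username, so it leaks nothing
            return 429, GENERIC_MSG
        if username in KNOWN_USERS:
            self.queued.append(username)  # side effect only; response unchanged
        return 200, GENERIC_MSG
```

A real deployment should also keep the known and unknown paths close in response time (for example by queuing the mail asynchronously), since a timing difference leaks the same information as a different message.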

38. Identify potential issues in the provided HTTP request snippet.

Possible problems include malformed headers, missing spaces after the colon, and suspicious cookie values that could be leveraged for session hijacking.

39‑42. Open‑ended questions inviting discussion of personal expertise, preferred tools, notable CVEs/POCs, and security platforms.
