Summary

In this chapter, we discussed the challenging topic of web application testing; an entire book could be devoted to it. We have chosen to provide a number of examples so that you can explore the topic on your own.

We explored the Burp Suite and OWASP ZAP tools, and used them to scan a number of sites. With Burp Suite, we introduced the attack components Intruder and Sequencer. Both tools can work as an intercepting proxy for requests to and from applications; examining and modifying traffic in this way is one of the methods we use to determine how well the developer performs input validation.

Following this, we looked at the challenges that a Web Application Firewall (WAF) can add to our testing. We explored the deployment of the dotDefender tool and attempted to detect it.

We closed the chapter with a discussion on the topic of WAF evasion. We used the ModSecurity site to create obfuscated input and attempted to evade detection. We successfully identified a way to avoid detection for SQL injection, as well as for Cross-Site Scripting (XSS).

Finally, we discussed the need for tools when it comes to web testing, especially web application testing.

We provided a challenge to you, the reader, to enhance and hone your skills in the testing of web services, as well as in the deployment of the ModSecurity WAF.

This concludes the chapter. You have now practiced web application attacks and methods of detecting and evading a firewall.

In the next chapter, we will look at the testing of flat and internal networks.
