In this section, we will discuss attacking a website. We have two approaches for attacking websites:

• We can use the methods that we've learned so far about attacking a website. Because we know a website is installed on a computer, we can try to attack and hack it just like any another computer. We can also try to use server-side attacks to see which web server, operating system, or other applications are installed, and, if we find any vulnerabilities, to see if we can use any of them to gain access to the computer.
• Another way to attack is to use client-side attacks. Because websites are managed by humans, there must be humans managing and maintaining these websites. This means that, if we manage to hack any of the site's administrators, we will probably be able to get their username and password, and from there log in to their admin panel or to the Secure Socket Shell (SSH). Then we will be able to access any of the services that they use to manage the website.

If both of these methods fail, we can try to test the web application, because it is just an application installed on that website. Therefore, our target might not actually be the web application—maybe our target is just a person using that website, but whose computer is inaccessible. Instead, we can go to the website, hack into the website, and from there go to our target person.

All of these applications and devices are interconnected, and we can use one of them to our advantage and then make our way to another place or to another computer. In this section, we won't be focusing on server and client-side attacks any further. Instead, we'll be learning about testing the security of the web application itself.

Our target will be a Metasploitable machine, and if we run the ifconfig command on Metasploitable, we will see that its IP is 10.0.2.4, as shown in the following screenshot:

If we look inside the /var/www folder, we'll see all the website files stored, as shown in the following screenshot:

In the preceding screenshot, we can see that we have our phpinfo.php page, and we have mutillidae, dvwa, and phpMyAdmin. If we go to the Kali machine, or to any machine on the same network, and try to open the browser and go to 10.0.2.4, we will see that we have a website made for Metasploitable, as shown in the following screenshot. A website is just an application installed on the web browser, and we can access any of the Metasploitable websites and use them to test their security:

Another thing to look at is the DVWA page. It requires a username and a password to log in; the Username is admin and the Password is password. Once we enter these credentials, we can log in to it, as shown in the following screenshot:

Once logged in, we can modify the security settings by using the DVWA Security tab:

Under the DVWA Security tab, we will set Script Security to low and click on Submit:

We will keep it set to low in the upcoming sections. Because this is just an introductory course, we'll only be talking about the basic ways of discovering web application vulnerabilities in both DVWA and the Mutillidae web application.

If we go to the Mutillidae web application in the same way that we accessed the DVWA web application, we should make sure that our Security Level is set to 0, as shown in the following screenshot:

We can toggle Security Level by clicking the Toggle Security option on the page: