fadilxcoder

As a Developer, I did my first Web Penetration Testing

Hello Dev peeps,

I was on Facebook, scrolling through my News Feed, and I came across an ad for an online music web application that had just been released. So I decided to visit the website and explore it. There were some free tracks and some premium tracks.

While exploring, something came to mind: "Is this site really secure?" This is where my journey started.

A journey of a thousand miles begins with a single step

I did not know exactly how to proceed, but the first step was to examine the website through Google Chrome DevTools.

So I clicked on a random premium song to see what was going on in the Network tab of DevTools.

Music App URL

When clicking on the play icon, I was watching the Network tab and I found 2 interesting URLs:

Network tab in DevTools

  • get-song-info?hash_id=40f65e3dad2b5d1....
  • get-track.php?id=I6OTPf15O79FuKg&hash=b28ee5...

Eventually I clicked on both URLs. The first one redirected me to a JSON-formatted page where all the data of that particular song was displayed.

JSON data

Whereas the second URL showed only Access denied.

Access denied

After spending some time analyzing the situation, I said: let's figure out a way to download one premium song without buying it.

My guess was that the music app developer used a call to action that triggered a PHP script via an API when a user clicked the play icon, and that this script returned a "content-type: audio/mpeg".

In other words, the URL that showed the Access denied page could not be called directly by copying and pasting it into your web browser. It had to be called by an API.

I used API TESTER to simulate the request and, as expected...

It did not work!

Bad news! It did not work!

I noticed in the Network tab of DevTools that other parameters were being sent as request headers.

Request Header

After many trials and errors, I was able to simulate it by adding some of those request headers.

API TESTER - simulation

And 💥, I got the response... BUT in an unexpected format 😖

Response Body

But it was not a big deal: I clicked on the eye icon at the top right, the premium song opened in another tab in my browser, and I was able to listen to it freely without having to buy it.

Congratulations

For your info, I got in contact with the owner of the online music application to report the issue. I don't know if they have fixed it yet.
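The lesson for developers in the story above is that the Access denied check was satisfied by adding request headers, and request headers are chosen by whoever sends the request, so they say nothing about who is asking or what they have paid for. The following is an added example (not code from the music app or from this post) of how a get-track.php-style endpoint can decide whether to stream a premium track. It assumes a server-side session populated at login, a constructed purchase table, and a constructed secret key; the `hash` query parameter becomes a short-lived HMAC token bound to the user and the track id, instead of a static value that works for anyone who has it. The track id is the one visible in the post's URL; the user ids are made up.

```python
import hashlib
import hmac
import time

# Constructed demo values, not from the music app in the post.
SECRET_KEY = b"constructed-demo-secret-rotate-me"
# Constructed entitlement table: which user bought which track id.
# The track id reuses the one visible in the post's get-track.php URL.
PURCHASES = {
    "user-42": {"I6OTPf15O79FuKg"},
    "user-7": set(),
}


def header_only_check(headers):
    """The weak pattern: trust a client-supplied request header.

    Anything the browser sends (Referer, X-Requested-With, a custom
    header) can be sent by any HTTP client, so passing this check proves
    nothing about who is asking or what they have paid for.
    """
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def is_entitled(user_id, track_id):
    """Server-side check: does this authenticated user own this track?"""
    return track_id in PURCHASES.get(user_id, set())


def _token_message(user_id, track_id, exp):
    return f"{user_id}|{track_id}|{exp}".encode()


def mint_track_token(user_id, track_id, ttl_seconds, now=None):
    """Issue a short-lived token bound to user + track (the 'hash' parameter)."""
    now = int(time.time() if now is None else now)
    exp = now + ttl_seconds
    sig = hmac.new(SECRET_KEY, _token_message(user_id, track_id, exp),
                   hashlib.sha256).hexdigest()
    return f"{exp}.{sig}"


def verify_track_token(user_id, track_id, token, now=None):
    """Accept the token only if it is unexpired and signed for this user + track."""
    now = int(time.time() if now is None else now)
    try:
        exp_str, sig = token.split(".", 1)
        exp = int(exp_str)
    except (AttributeError, ValueError):
        return False
    if now > exp:
        return False
    expected = hmac.new(SECRET_KEY, _token_message(user_id, track_id, exp),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def serve_track(request, now=None):
    """Decision logic for a get-track.php-style endpoint.

    `request` is a plain dict: {"query": {...}, "session": {...}, "headers": {...}}.
    The session is server-side state set at login, not something a client can
    forge by adding headers. Returns an HTTP status code; 200 means the
    audio/mpeg body would be streamed.
    """
    query = request.get("query", {})
    session = request.get("session", {})
    track_id = query.get("id")
    token = query.get("hash")
    user_id = session.get("user_id")
    if not track_id:
        return 400
    if not user_id:
        return 401          # not logged in: headers alone never get you past here
    if not is_entitled(user_id, track_id):
        return 403          # logged in, but this track was not purchased
    if not verify_track_token(user_id, track_id, token, now=now):
        return 403          # token missing, expired, tampered, or for another user
    return 200
```

The point of `serve_track` is that every decision rests on state the server controls (the session and the purchase table) plus a token the server signed; replaying a captured request with extra headers changes nothing, and a token lifted from one user's stream is rejected for another user and stops working after its TTL.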


Top comments (1)

lewisblakeney

Wow, congrats on diving into web penetration testing! It's essential to stay updated with Penetration Testing Companies for insights and best practices. Your journey will surely make a significant impact in the cybersecurity landscape. Keep it up! 💻🛡️
