{"id":611,"date":"2026-01-14T22:54:10","date_gmt":"2026-01-14T22:54:10","guid":{"rendered":"https:\/\/yashinfosec.com\/?p=611"},"modified":"2026-01-14T22:57:56","modified_gmt":"2026-01-14T22:57:56","slug":"elementor-611","status":"publish","type":"post","link":"https:\/\/yashinfosec.com\/?p=611","title":{"rendered":"Web Application Fundamentals for Pentesters"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"611\" class=\"elementor elementor-611\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ca8dbc4 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"ca8dbc4\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e4a144c\" data-id=\"e4a144c\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3839cb8 elementor-widget elementor-widget-heading\" data-id=\"3839cb8\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"Web_Application_Fundamentals_for_Pentesters\"><\/span>Web Application Fundamentals for Pentesters<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-abcfa9c elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"abcfa9c\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-765b2ab\" data-id=\"765b2ab\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b57d0df elementor-widget elementor-widget-heading\" data-id=\"b57d0df\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"Day_1_%E2%80%93_Understanding_the_Web_Before_Breaking_It\"><\/span>Day 1 \u2013 Understanding the Web Before Breaking It<span 
class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0847e79 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"0847e79\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3d98e4f\" data-id=\"3d98e4f\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8d91880 elementor-widget elementor-widget-text-editor\" data-id=\"8d91880\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Most people jump straight into payloads, tools, and exploit chains.<br \/>Professional testers don\u2019t.<\/p><p>They start by understanding <strong>how the web actually works<\/strong>, because <strong>every OWASP Top 10 vulnerability is a failure of fundamentals<\/strong>\u2014not magic.<\/p><p>This blog lays the <strong>technical groundwork<\/strong> required before diving into practical exploitation aligned with the <strong>OWASP Top 
10<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e3437c3 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"e3437c3\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-fba0c55\" data-id=\"fba0c55\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-46ec1eb elementor-widget elementor-widget-heading\" data-id=\"46ec1eb\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"1_What_Is_the_Internet_Pentester_Perspective\"><\/span>1. What Is the Internet? 
(Pentester Perspective)<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-331e860 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"331e860\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-01f7caa\" data-id=\"01f7caa\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8ebbc69 elementor-widget__width-initial elementor-widget elementor-widget-image\" data-id=\"8ebbc69\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img src=\"https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif\" width=\"350\" height=\"250\" class=\"attachment-large size-large wp-image-612\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6718de4 elementor-section-boxed 
elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"6718de4\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a510a08\" data-id=\"a510a08\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-93f4166 elementor-widget elementor-widget-text-editor\" data-id=\"93f4166\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>At its core, the Internet is a <strong>global system of interconnected computer networks<\/strong> that communicate using standardized protocols, primarily the <strong>TCP\/IP stack<\/strong>. From a web application security standpoint, however, the Internet is not just \u201ca network\u201d \u2014 it is a <strong>complex chain of trust relationships<\/strong>.<\/p><p>When a user accesses a website, their request does not travel directly to the server. It traverses multiple intermediaries:<\/p><ul><li>Local network devices<\/li><li>ISP routers<\/li><li>Internet exchange points<\/li><li>Content Delivery Networks (CDNs)<\/li><li>Load balancers<\/li><li>Reverse proxies<\/li><li>Application servers<\/li><\/ul><p>Each hop introduces <strong>latency, transformation, filtering, and trust assumptions<\/strong>.<\/p><p>From an attacker\u2019s mindset, the Internet is:<\/p><ul><li>A <strong>distributed attack surface<\/strong><\/li><li>A medium where <strong>traffic can be observed, altered, replayed, or blocked<\/strong><\/li><li>A system where <strong>misplaced trust leads to compromise<\/strong><\/li><\/ul><p>For example:<\/p><ul><li>Applications often trust headers added by upstream proxies (such as <code>X-Forwarded-For<\/code>) without checking that the request actually arrived through one of those proxies<\/li><li>Developers assume TLS terminates securely at the edge, and that the hop between the edge and the origin needs no protection of its own<\/li><li>Internal services are assumed unreachable from the Internet, so they are deployed with weaker authentication or none<\/li><\/ul><p>Pentesters routinely exploit these assumptions by:<\/p><ul><li>Spoofing headers<\/li><li>Bypassing CDN restrictions<\/li><li>Accessing origin servers directly, where the CDN\u2019s filtering no longer applies<\/li><li>Leveraging exposed admin interfaces<\/li><\/ul><p><strong>Key insight:<\/strong><br \/>The Internet is not secure by default. It is merely <em>connected by agreement<\/em>. 
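<\/p><p>The proxy-header and internal-IP assumptions above are worth seeing in code. What follows is an added example and is not code from the original post: a client-IP lookup that believes the leftmost <code>X-Forwarded-For<\/code> value, beside one that only believes hops appended by a known proxy, and an admin-only-from-internal-IPs gate built on each. The proxy range <code>203.0.113.0\/24<\/code>, the attacker address <code>198.51.100.7<\/code> and the traffic built in <code>scenarios()<\/code> are constructed for the example.<\/p>

```python
import ipaddress
from typing import Optional

# Constructed deployment facts for this example (assumptions, not values
# from the post): the reverse-proxy/CDN range that sits in front of the
# application, and the ranges the application treats as "internal".
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The common bug: believe the first (leftmost) X-Forwarded-For value.

    The leftmost value is the one the client itself can write, so this
    hands the attacker control over the "client IP".
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Trusted-proxy derivation of the client address.

    The only address that cannot be forged is the TCP peer, remote_addr.
    Each of our proxies appends the peer it saw to X-Forwarded-For, so
    walking the list from the right and discarding our own proxies yields
    the first hop we did not add ourselves. If the peer is not one of our
    proxies (the origin was reached directly), the header is attacker
    input and is ignored entirely.
    """
    hops = [h.strip() for h in xff.split(",")] if xff else []
    hops.append(remote_addr)
    candidate = remote_addr
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                       # malformed hop: keep the last valid one
        candidate = hop
        if not in_any(addr, TRUSTED_PROXIES):
            break                       # first address not appended by us
    return candidate


def admin_allowed(remote_addr: str, xff: Optional[str], lookup=client_ip) -> bool:
    """'Admin functionality only from internal IPs', built on a client-IP lookup."""
    try:
        return in_any(ipaddress.ip_address(lookup(remote_addr, xff)), INTERNAL_NETS)
    except ValueError:                  # lookup returned something that is not an IP
        return False


def scenarios() -> dict:
    """Constructed traffic: the attacker at 198.51.100.7 claims to be 10.0.0.5."""
    attacker, proxy, claimed = "198.51.100.7", "203.0.113.10", "10.0.0.5"
    via_proxy = (proxy, f"{claimed}, {attacker}")   # proxy appended the real peer
    direct = (attacker, claimed)                    # CDN bypassed, origin hit directly
    internal = (proxy, "10.0.0.5")                  # genuine internal client via proxy
    return {
        "naive_via_proxy": admin_allowed(*via_proxy, lookup=naive_client_ip),
        "naive_direct": admin_allowed(*direct, lookup=naive_client_ip),
        "hardened_via_proxy": admin_allowed(*via_proxy),
        "hardened_direct": admin_allowed(*direct),
        "hardened_internal": admin_allowed(*internal),
        "hardened_direct_ip": client_ip(*direct),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```

<p>Run it and the naive lookup admits the attacker in both scenarios: through the proxy, because the value the attacker wrote is read first, and directly against the origin, because no proxy ever rewrote the header. The hardened lookup ignores the header unless the TCP peer is one of the configured proxies, which is also why that proxy list must be kept exact: any hop you trust can put whatever it likes in the header, and a cloud provider\u2019s whole address range is not a trusted proxy. The same derivation belongs in front of rate limits, geo-fencing and audit logs, since each is only as reliable as the address it keys on.<\/p><p>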
Security is layered on top \u2014 often inconsistently.<\/p><p>Understanding this helps testers identify <strong>where security controls are expected but not enforced<\/strong>, which is the root cause of many real-world breaches.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2499336 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"2499336\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-79929cd\" data-id=\"79929cd\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-bee7939 elementor-widget elementor-widget-heading\" data-id=\"bee7939\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"2_What_Is_an_IP_Address\"><\/span>2. 
What Is an IP Address?<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-421ee1e elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"421ee1e\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-343a6ce\" data-id=\"343a6ce\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7a30f21 elementor-widget__width-initial elementor-widget elementor-widget-image\" data-id=\"7a30f21\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img src=\"https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/0236-ipv4-vs-ipv6-scaled.png\" width=\"1024\" height=\"1024\" class=\"attachment-large size-large wp-image-613\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-450039f elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"450039f\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2951e7b\" data-id=\"2951e7b\" 
data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-876c0da elementor-widget elementor-widget-text-editor\" data-id=\"876c0da\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>An IP address is a <strong>logical identifier<\/strong> assigned to a device (strictly, to each of its network interfaces) participating in a network. It enables routing, communication, and identification.<\/p><p>There are two main versions:<\/p><ul><li><strong>IPv4<\/strong> (32-bit, e.g., <code>192.168.1.1<\/code>)<\/li><li><strong>IPv6<\/strong> (128-bit, e.g., <code>2001:db8::1<\/code>)<\/li><\/ul><p>From a security perspective, IP addresses are used for:<\/p><ul><li>Access control<\/li><li>Rate limiting<\/li><li>Geo-fencing<\/li><li>Logging and attribution<\/li><\/ul><p>However, these controls are <strong>frequently flawed<\/strong>: the address an application sees is often that of a NAT gateway, VPN, CDN, or proxy rather than the client\u2019s, and the headers that carry the original address are attacker-controllable unless the application verifies which hop added them.<\/p><p>Key distinctions every pentester must understand:<\/p><ul><li><strong>Public IPs<\/strong> \u2192 Internet-accessible, external attack surface<\/li><li><strong>Private IPs<\/strong> \u2192 Internal networks (RFC 1918: <code>10.0.0.0\/8<\/code>, <code>172.16.0.0\/12<\/code>, <code>192.168.0.0\/16<\/code>)<\/li><li><strong>Static IPs<\/strong> \u2192 Long-term exposure risk<\/li><li><strong>Dynamic IPs<\/strong> \u2192 Attribution challenges<\/li><\/ul><p>Common vulnerabilities tied to IP handling:<\/p><ul><li>IP-based authentication bypass<\/li><li>Trusting internal IP ranges without validation, e.g. a string check for <code>10.<\/code> or <code>192.168.<\/code> that misses <code>172.17.0.0\/16<\/code>, the loopback and link-local ranges, or alternate spellings of the same address such as IPv4-mapped IPv6 (<code>::ffff:10.0.0.1<\/code>)<\/li><li>Leaking internal IPs via error messages<\/li><li>SSRF exploiting access to internal IPs<\/li><\/ul><p>For example, many applications restrict admin functionality to \u201cinternal IPs.\u201d<br \/>Through SSRF or proxy misconfigurations, attackers can <strong>appear internal without actually being internal<\/strong>.<\/p><p><strong>Pentester takeaway:<\/strong><br \/>IP addresses are identifiers, not identities. Trusting them blindly is a design flaw.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-742e559 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"742e559\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6a66285\" data-id=\"6a66285\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-41edaa8 elementor-widget elementor-widget-heading\" data-id=\"41edaa8\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"3_What_Is_DNS\"><\/span>3. 
What Is DNS?<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-bd3b770 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"bd3b770\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d873b32\" data-id=\"d873b32\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-943302e elementor-widget__width-initial elementor-widget elementor-widget-image\" data-id=\"943302e\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img src=\"https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/Domain-name-resolution-process-with-DNS.png\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d8db888 elementor-section-boxed elementor-section-height-default elementor-section-height-default 
wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"d8db888\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-17960cd\" data-id=\"17960cd\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-644c1af elementor-widget elementor-widget-text-editor\" data-id=\"644c1af\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"3943\" data-end=\"4078\">DNS (Domain Name System) translates <strong data-start=\"3979\" data-end=\"4010\">human-readable domain names<\/strong> into IP addresses. Without DNS, the web would be unusable at scale.<\/p><p data-start=\"4080\" data-end=\"4116\">The DNS resolution process involves:<\/p><ol data-start=\"4117\" data-end=\"4250\"><li data-start=\"4117\" data-end=\"4133\"><p data-start=\"4120\" data-end=\"4133\">Browser cache<\/p><\/li><li data-start=\"4134\" data-end=\"4162\"><p data-start=\"4137\" data-end=\"4162\">Operating system resolver<\/p><\/li><li data-start=\"4163\" data-end=\"4184\"><p data-start=\"4166\" data-end=\"4184\">Recursive resolver<\/p><\/li><li data-start=\"4185\" data-end=\"4205\"><p data-start=\"4188\" data-end=\"4205\">Root name servers<\/p><\/li><li data-start=\"4206\" data-end=\"4220\"><p data-start=\"4209\" data-end=\"4220\">TLD servers<\/p><\/li><li data-start=\"4221\" data-end=\"4250\"><p data-start=\"4224\" data-end=\"4250\">Authoritative name servers<\/p><\/li><\/ol><p data-start=\"4252\" data-end=\"4321\">From a security standpoint, DNS is a <strong data-start=\"4289\" data-end=\"4320\">goldmine for reconnaissance<\/strong>.<\/p><p data-start=\"4323\" data-end=\"4352\">Why attackers care about 
DNS:<\/p><ul data-start=\"4353\" data-end=\"4479\"><li data-start=\"4353\" data-end=\"4380\"><p data-start=\"4355\" data-end=\"4380\">It reveals infrastructure<\/p><\/li><li data-start=\"4381\" data-end=\"4404\"><p data-start=\"4383\" data-end=\"4404\">It exposes subdomains<\/p><\/li><li data-start=\"4405\" data-end=\"4443\"><p data-start=\"4407\" data-end=\"4443\">It leaks internal naming conventions<\/p><\/li><li data-start=\"4444\" data-end=\"4479\"><p data-start=\"4446\" data-end=\"4479\">It enables takeover opportunities<\/p><\/li><\/ul><p data-start=\"4481\" data-end=\"4507\">Common DNS-related issues:<\/p><ul data-start=\"4508\" data-end=\"4663\"><li data-start=\"4508\" data-end=\"4530\"><p data-start=\"4510\" data-end=\"4530\">Dangling DNS records<\/p><\/li><li data-start=\"4531\" data-end=\"4588\"><p data-start=\"4533\" data-end=\"4588\">Orphaned subdomains pointing to decommissioned services<\/p><\/li><li data-start=\"4589\" data-end=\"4625\"><p data-start=\"4591\" data-end=\"4625\">Overly permissive wildcard records<\/p><\/li><li data-start=\"4626\" data-end=\"4663\"><p data-start=\"4628\" data-end=\"4663\">Split-horizon DNS misconfigurations<\/p><\/li><\/ul><p data-start=\"4665\" data-end=\"4706\">Subdomain takeover is a direct result of:<\/p><blockquote data-start=\"4707\" data-end=\"4793\"><p data-start=\"4709\" data-end=\"4793\">DNS pointing to a resource that no longer exists, but can be claimed by an attacker.<\/p><\/blockquote><p data-start=\"4795\" data-end=\"4975\">DNS is often neglected because it is considered \u201cinfrastructure,\u201d not \u201capplication.\u201d<br data-start=\"4879\" data-end=\"4882\" \/>That assumption is wrong \u2014 DNS weaknesses frequently lead to <strong data-start=\"4943\" data-end=\"4974\">full application compromise<\/strong>.<\/p><p data-start=\"4977\" data-end=\"5057\"><strong data-start=\"4977\" data-end=\"4999\">Pentester mindset:<\/strong><br data-start=\"4999\" data-end=\"5002\" \/>If DNS is wrong, 
everything above it is already broken.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-325bfe6 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"325bfe6\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d861a55\" data-id=\"d861a55\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-552933c elementor-widget elementor-widget-heading\" data-id=\"552933c\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"4_Ports_and_Services\"><\/span>4. 
Ports and Services<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6f6cd9b elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"6f6cd9b\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-99dca69\" data-id=\"99dca69\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-cb6f5ee elementor-widget__width-initial elementor-widget elementor-widget-image\" data-id=\"cb6f5ee\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img data-opt-id=1648177240  data-opt-src=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:1024\/h:538\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/ports.png\"  decoding=\"async\" width=\"1024\" height=\"538\" src=\"data:image/svg+xml,%3Csvg%20viewBox%3D%220%200%201024%20538%22%20width%3D%221024%22%20height%3D%22538%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Crect%20width%3D%221024%22%20height%3D%22538%22%20fill%3D%22transparent%22%2F%3E%3C%2Fsvg%3E\" class=\"attachment-large size-large wp-image-615\" alt=\"\" old-srcset=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:1024\/h:538\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/ports.png 1024w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:300\/h:158\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/ports.png 300w, 
https:\/\/mlefs6wcwvfi.i.optimole.com\/w:768\/h:404\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/ports.png 768w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:900\/h:473\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/ports.png 900w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:500\/h:263\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/ports.png 500w\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-efbd469 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"efbd469\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6db1cf2\" data-id=\"6db1cf2\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2b4b46f elementor-widget elementor-widget-text-editor\" data-id=\"2b4b46f\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"5134\" data-end=\"5277\">Ports are <strong data-start=\"5144\" data-end=\"5165\">logical endpoints<\/strong> that allow multiple services to operate on a single IP address. 
Services listen on ports to accept connections.<\/p><p data-start=\"5279\" data-end=\"5288\">Examples:<\/p><ul data-start=\"5289\" data-end=\"5340\"><li data-start=\"5289\" data-end=\"5300\"><p data-start=\"5291\" data-end=\"5300\">80 \u2192 HTTP<\/p><\/li><li data-start=\"5301\" data-end=\"5314\"><p data-start=\"5303\" data-end=\"5314\">443 \u2192 HTTPS<\/p><\/li><li data-start=\"5315\" data-end=\"5325\"><p data-start=\"5317\" data-end=\"5325\">22 \u2192 SSH<\/p><\/li><li data-start=\"5326\" data-end=\"5340\"><p data-start=\"5328\" data-end=\"5340\">3306 \u2192 MySQL<\/p><\/li><\/ul><p data-start=\"5342\" data-end=\"5391\">In web application testing, ports matter because:<\/p><ul data-start=\"5392\" data-end=\"5541\"><li data-start=\"5392\" data-end=\"5432\"><p data-start=\"5394\" data-end=\"5432\">Exposed services expand attack surface<\/p><\/li><li data-start=\"5433\" data-end=\"5487\"><p data-start=\"5435\" data-end=\"5487\">Non-standard ports often host forgotten admin panels<\/p><\/li><li data-start=\"5488\" data-end=\"5541\"><p data-start=\"5490\" data-end=\"5541\">Development services sometimes leak into production<\/p><\/li><\/ul><p data-start=\"5543\" data-end=\"5570\">Security issues arise when:<\/p><ul data-start=\"5571\" data-end=\"5701\"><li data-start=\"5571\" data-end=\"5609\"><p data-start=\"5573\" data-end=\"5609\">Services are exposed unintentionally<\/p><\/li><li data-start=\"5610\" data-end=\"5645\"><p data-start=\"5612\" data-end=\"5645\">Authentication is weak or missing<\/p><\/li><li data-start=\"5646\" data-end=\"5677\"><p data-start=\"5648\" data-end=\"5677\">Version information is leaked<\/p><\/li><li data-start=\"5678\" data-end=\"5701\"><p data-start=\"5680\" data-end=\"5701\">Services are outdated<\/p><\/li><\/ul><p data-start=\"5703\" data-end=\"5732\">A common real-world scenario:<\/p><blockquote data-start=\"5733\" data-end=\"5818\"><p data-start=\"5735\" data-end=\"5818\">Application secured on port 443, but admin panel exposed on 
port 8080 with no auth.<\/p><\/blockquote><p data-start=\"5820\" data-end=\"5921\"><strong data-start=\"5820\" data-end=\"5844\">Rule for pentesters:<\/strong><br data-start=\"5844\" data-end=\"5847\" \/>Every open port is a question. Every listening service deserves an answer.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0bfb6b3 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"0bfb6b3\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b3d5937\" data-id=\"b3d5937\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3d07c91 elementor-widget elementor-widget-heading\" data-id=\"3d07c91\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"5_How_Websites_Work\"><\/span>5. 
How Websites Work<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5a12c54 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"5a12c54\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3a4bc75\" data-id=\"3a4bc75\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-830b1e8 elementor-widget elementor-widget-text-editor\" data-id=\"830b1e8\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"452\" data-end=\"629\">At a technical level, every website operates on a <strong data-start=\"502\" data-end=\"528\">request\u2013response model<\/strong>. 
While this sounds simple, nearly <strong data-start=\"563\" data-end=\"628\">all web vulnerabilities exist somewhere inside this lifecycle<\/strong>.<\/p><p data-start=\"631\" data-end=\"660\">Let\u2019s break it down properly.<\/p><h5 data-start=\"662\" data-end=\"698\"><span class=\"ez-toc-section\" id=\"Step_1_Client_Sends_a_Request\"><\/span>Step 1: Client Sends a Request<span class=\"ez-toc-section-end\"><\/span><\/h5><p data-start=\"699\" data-end=\"795\">When a user visits a website or submits a form, the browser sends an HTTP request that includes:<\/p><ul data-start=\"796\" data-end=\"922\"><li data-start=\"796\" data-end=\"810\"><p data-start=\"798\" data-end=\"810\">URL and path<\/p><\/li><li data-start=\"811\" data-end=\"842\"><p data-start=\"813\" data-end=\"842\">HTTP method (GET, POST, etc.)<\/p><\/li><li data-start=\"843\" data-end=\"882\"><p data-start=\"845\" data-end=\"882\">Headers (cookies, tokens, user-agent)<\/p><\/li><li data-start=\"883\" data-end=\"922\"><p data-start=\"885\" data-end=\"922\">Parameters (query strings, body data)<\/p><\/li><\/ul><p data-start=\"924\" data-end=\"1099\">From a pentester\u2019s perspective, <strong data-start=\"956\" data-end=\"1004\">this request is fully under attacker control<\/strong>. 
Anything the client sends must be treated as untrusted \u2014 yet many applications fail to do so.<\/p><h5 data-start=\"1101\" data-end=\"1150\"><span class=\"ez-toc-section\" id=\"Step_2_Server_Receives_and_Processes_Input\"><\/span>Step 2: Server Receives and Processes Input<span class=\"ez-toc-section-end\"><\/span><\/h5><p data-start=\"1151\" data-end=\"1194\">The server parses the request and extracts:<\/p><ul data-start=\"1195\" data-end=\"1253\"><li data-start=\"1195\" data-end=\"1207\"><p data-start=\"1197\" data-end=\"1207\">User input<\/p><\/li><li data-start=\"1208\" data-end=\"1229\"><p data-start=\"1210\" data-end=\"1229\">Session identifiers<\/p><\/li><li data-start=\"1230\" data-end=\"1253\"><p data-start=\"1232\" data-end=\"1253\">Authorization context<\/p><\/li><\/ul><p data-start=\"1255\" data-end=\"1415\">This is where <strong data-start=\"1269\" data-end=\"1289\">input validation<\/strong> and <strong data-start=\"1294\" data-end=\"1310\">sanitization<\/strong> should occur. 
When it doesn\u2019t, vulnerabilities such as SQL Injection, XSS, and command injection emerge.<\/p><h5 data-start=\"1417\" data-end=\"1455\"><span class=\"ez-toc-section\" id=\"Step_3_Business_Logic_Execution\"><\/span>Step 3: Business Logic Execution<span class=\"ez-toc-section-end\"><\/span><\/h5><p data-start=\"1456\" data-end=\"1521\">Business logic defines <em data-start=\"1479\" data-end=\"1508\">how the application behaves<\/em>.<br data-start=\"1509\" data-end=\"1512\" \/>Examples:<\/p><ul data-start=\"1522\" data-end=\"1595\"><li data-start=\"1522\" data-end=\"1543\"><p data-start=\"1524\" data-end=\"1543\">Who can access what<\/p><\/li><li data-start=\"1544\" data-end=\"1570\"><p data-start=\"1546\" data-end=\"1570\">How money transfers work<\/p><\/li><li data-start=\"1571\" data-end=\"1595\"><p data-start=\"1573\" data-end=\"1595\">How roles are enforced<\/p><\/li><\/ul><p data-start=\"1597\" data-end=\"1689\">Most <strong data-start=\"1602\" data-end=\"1630\">critical vulnerabilities<\/strong> are not syntax issues \u2014 they are <strong data-start=\"1664\" data-end=\"1679\">logic flaws<\/strong>, such as:<\/p><ul data-start=\"1690\" data-end=\"1771\"><li data-start=\"1690\" data-end=\"1720\"><p data-start=\"1692\" data-end=\"1720\">Missing authorization checks<\/p><\/li><li data-start=\"1721\" data-end=\"1753\"><p data-start=\"1723\" data-end=\"1753\">Incorrect workflow enforcement<\/p><\/li><li data-start=\"1754\" data-end=\"1771\"><p data-start=\"1756\" data-end=\"1771\">Race conditions<\/p><\/li><\/ul><p data-start=\"1773\" data-end=\"1929\">These flaws cannot be detected by scanners alone. 
They require understanding <strong data-start=\"1850\" data-end=\"1893\">how the application is intended to work<\/strong> versus <strong data-start=\"1901\" data-end=\"1928\">how it actually behaves<\/strong>.<\/p><h5 data-start=\"1931\" data-end=\"1965\"><span class=\"ez-toc-section\" id=\"Step_4_Database_Interaction\"><\/span>Step 4: Database Interaction<span class=\"ez-toc-section-end\"><\/span><\/h5><p data-start=\"1966\" data-end=\"1986\">The application may:<\/p><ul data-start=\"1987\" data-end=\"2044\"><li data-start=\"1987\" data-end=\"2004\"><p data-start=\"1989\" data-end=\"2004\">Fetch user data<\/p><\/li><li data-start=\"2005\" data-end=\"2021\"><p data-start=\"2007\" data-end=\"2021\">Update records<\/p><\/li><li data-start=\"2022\" data-end=\"2044\"><p data-start=\"2024\" data-end=\"2044\">Validate credentials<\/p><\/li><\/ul><p data-start=\"2046\" data-end=\"2077\">Security failures here include:<\/p><ul data-start=\"2078\" data-end=\"2178\"><li data-start=\"2078\" data-end=\"2107\"><p data-start=\"2080\" data-end=\"2107\">Improper query construction<\/p><\/li><li data-start=\"2108\" data-end=\"2139\"><p data-start=\"2110\" data-end=\"2139\">Excessive database privileges<\/p><\/li><li data-start=\"2140\" data-end=\"2178\"><p data-start=\"2142\" data-end=\"2178\">Trusting client-supplied identifiers<\/p><\/li><\/ul><h5 data-start=\"2180\" data-end=\"2213\"><span class=\"ez-toc-section\" id=\"Step_5_Response_Generation\"><\/span>Step 5: Response Generation<span class=\"ez-toc-section-end\"><\/span><\/h5><p data-start=\"2214\" data-end=\"2253\">The server sends a response containing:<\/p><ul data-start=\"2254\" data-end=\"2292\"><li data-start=\"2254\" data-end=\"2267\"><p data-start=\"2256\" data-end=\"2267\">Status code<\/p><\/li><li data-start=\"2268\" data-end=\"2277\"><p data-start=\"2270\" data-end=\"2277\">Headers<\/p><\/li><li data-start=\"2278\" data-end=\"2292\"><p data-start=\"2280\" data-end=\"2292\">Body content<\/p><\/li><\/ul><p 
data-start=\"2294\" data-end=\"2346\">Information leakage often happens at this stage via:<\/p><ul data-start=\"2347\" data-end=\"2399\"><li data-start=\"2347\" data-end=\"2371\"><p data-start=\"2349\" data-end=\"2371\">Verbose error messages<\/p><\/li><li data-start=\"2372\" data-end=\"2386\"><p data-start=\"2374\" data-end=\"2386\">Stack traces<\/p><\/li><li data-start=\"2387\" data-end=\"2399\"><p data-start=\"2389\" data-end=\"2399\">Debug data<\/p><\/li><\/ul><p data-start=\"2401\" data-end=\"2546\"><img data-opt-id=1706163123  data-opt-src=\"https:\/\/s.w.org\/images\/core\/emoji\/17.0.2\/svg\/1f511.svg\"  decoding=\"async\" class=\"optimole-lazy-only  emoji\" role=\"img\" draggable=\"false\" src=\"data:image/svg+xml,%3Csvg%20viewBox%3D%220%200%20100%%20100%%22%20width%3D%22100%%22%20height%3D%22100%%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Crect%20width%3D%22100%%22%20height%3D%22100%%22%20fill%3D%22transparent%22%2F%3E%3C%2Fsvg%3E\" alt=\"\ud83d\udd11\" \/> <strong data-start=\"2404\" data-end=\"2427\">Pentester takeaway:<\/strong><br data-start=\"2427\" data-end=\"2430\" \/>A vulnerability is rarely a single mistake. 
It is usually a <strong data-start=\"2490\" data-end=\"2545\">chain of small trust failures across this lifecycle<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a8ac100 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"a8ac100\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-55dc3a2\" data-id=\"55dc3a2\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9d49004 elementor-widget elementor-widget-heading\" data-id=\"9d49004\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"6_Backend_vs_Frontend\"><\/span>6. 
Backend vs Frontend<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2af9315 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"2af9315\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c52ff57\" data-id=\"c52ff57\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c57a191 elementor-widget elementor-widget-image\" data-id=\"c57a191\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img data-opt-id=1816999212  data-opt-src=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:800\/h:343\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/architecture.webp\"  loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"343\" src=\"data:image/svg+xml,%3Csvg%20viewBox%3D%220%200%20800%20343%22%20width%3D%22800%22%20height%3D%22343%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Crect%20width%3D%22800%22%20height%3D%22343%22%20fill%3D%22transparent%22%2F%3E%3C%2Fsvg%3E\" class=\"attachment-large size-large wp-image-616\" alt=\"\" old-srcset=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:800\/h:343\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/architecture.webp 800w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:300\/h:129\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/architecture.webp 300w, 
https:\/\/mlefs6wcwvfi.i.optimole.com\/w:768\/h:329\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/architecture.webp 768w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:500\/h:214\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/architecture.webp 500w\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2656269 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"2656269\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-60c314a\" data-id=\"60c314a\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2e0f4e9 elementor-widget elementor-widget-text-editor\" data-id=\"2e0f4e9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"2654\" data-end=\"2736\">Understanding the separation between frontend and backend is foundational to WAPT.<\/p><h5 data-start=\"2738\" data-end=\"2750\"><span class=\"ez-toc-section\" id=\"Frontend\"><\/span>Frontend<span class=\"ez-toc-section-end\"><\/span><\/h5><ul data-start=\"2751\" data-end=\"2858\"><li data-start=\"2751\" data-end=\"2779\"><p data-start=\"2753\" data-end=\"2779\">Runs in the user\u2019s browser<\/p><\/li><li data-start=\"2780\" data-end=\"2814\"><p data-start=\"2782\" data-end=\"2814\">Written in HTML, CSS, JavaScript<\/p><\/li><li data-start=\"2815\" data-end=\"2858\"><p 
data-start=\"2817\" data-end=\"2858\">Controls presentation and user experience<\/p><\/li><\/ul><h5 data-start=\"2860\" data-end=\"2871\"><span class=\"ez-toc-section\" id=\"Backend\"><\/span>Backend<span class=\"ez-toc-section-end\"><\/span><\/h5><ul data-start=\"2872\" data-end=\"2975\"><li data-start=\"2872\" data-end=\"2892\"><p data-start=\"2874\" data-end=\"2892\">Runs on the server<\/p><\/li><li data-start=\"2893\" data-end=\"2949\"><p data-start=\"2895\" data-end=\"2949\">Handles authentication, authorization, and data access<\/p><\/li><li data-start=\"2950\" data-end=\"2975\"><p data-start=\"2952\" data-end=\"2975\">Enforces security rules<\/p><\/li><\/ul><p data-start=\"2977\" data-end=\"3011\">Here\u2019s the <strong data-start=\"2988\" data-end=\"3010\">core security rule<\/strong>:<\/p><blockquote data-start=\"3012\" data-end=\"3079\"><p data-start=\"3014\" data-end=\"3079\">The frontend can be manipulated. The backend must never trust it.<\/p><\/blockquote><p data-start=\"3081\" data-end=\"3121\">Yet many applications violate this rule.<\/p><h5 data-start=\"3123\" data-end=\"3157\"><span class=\"ez-toc-section\" id=\"Common_Frontend_Trust_Mistakes\"><\/span>Common Frontend Trust Mistakes<span class=\"ez-toc-section-end\"><\/span><\/h5><ul data-start=\"3158\" data-end=\"3319\"><li data-start=\"3158\" data-end=\"3207\"><p data-start=\"3160\" data-end=\"3207\">Hiding buttons instead of enforcing permissions<\/p><\/li><li data-start=\"3208\" data-end=\"3265\"><p data-start=\"3210\" data-end=\"3265\">Disabling form fields instead of validating server-side<\/p><\/li><li data-start=\"3266\" data-end=\"3319\"><p data-start=\"3268\" data-end=\"3319\">Relying on JavaScript checks for security decisions<\/p><\/li><\/ul><p data-start=\"3321\" data-end=\"3359\">Attackers bypass frontend controls by:<\/p><ul data-start=\"3360\" data-end=\"3458\"><li data-start=\"3360\" data-end=\"3389\"><p data-start=\"3362\" data-end=\"3389\">Modifying requests 
directly<\/p><\/li><li data-start=\"3390\" data-end=\"3413\"><p data-start=\"3392\" data-end=\"3413\">Calling APIs manually<\/p><\/li><li data-start=\"3414\" data-end=\"3458\"><p data-start=\"3416\" data-end=\"3458\">Replaying requests with altered parameters<\/p><\/li><\/ul><p data-start=\"3460\" data-end=\"3532\">This is why <strong data-start=\"3472\" data-end=\"3497\">Broken Access Control<\/strong> consistently ranks as the #1 risk.<\/p><p data-start=\"3534\" data-end=\"3657\"><strong data-start=\"3537\" data-end=\"3559\">Pentester mindset:<\/strong><br data-start=\"3559\" data-end=\"3562\" \/>If a feature exists in the frontend, assume the backend endpoint exists \u2014 and test it directly.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1c5d883 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"1c5d883\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1d70c70\" data-id=\"1d70c70\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a7f4347 elementor-widget elementor-widget-heading\" data-id=\"a7f4347\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"7_Web_Application_Infrastructure\"><\/span>7. 
Web Application Infrastructure<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-615bfca elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"615bfca\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-720df16\" data-id=\"720df16\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-984a61a elementor-widget elementor-widget-text-editor\" data-id=\"984a61a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"3772\" data-end=\"3846\">Modern web applications are <strong data-start=\"3800\" data-end=\"3825\">multi-layered systems<\/strong>, not single servers.<\/p><p data-start=\"3848\" data-end=\"3884\">A typical production setup includes:<\/p><ul data-start=\"3885\" data-end=\"4042\"><li data-start=\"3885\" data-end=\"3903\"><p data-start=\"3887\" data-end=\"3903\">Browser (client)<\/p><\/li><li data-start=\"3904\" data-end=\"3936\"><p data-start=\"3906\" data-end=\"3936\">CDN (caching, DDoS protection)<\/p><\/li><li data-start=\"3937\" data-end=\"3965\"><p data-start=\"3939\" data-end=\"3965\">WAF (rule-based filtering)<\/p><\/li><li data-start=\"3966\" data-end=\"3981\"><p data-start=\"3968\" data-end=\"3981\">Load balancer<\/p><\/li><li data-start=\"3982\" data-end=\"3994\"><p data-start=\"3984\" data-end=\"3994\">Web server<\/p><\/li><li data-start=\"3995\" 
data-end=\"4015\"><p data-start=\"3997\" data-end=\"4015\">Application server<\/p><\/li><li data-start=\"4016\" data-end=\"4026\"><p data-start=\"4018\" data-end=\"4026\">Database<\/p><\/li><li data-start=\"4027\" data-end=\"4042\"><p data-start=\"4029\" data-end=\"4042\">External APIs<\/p><\/li><\/ul><p data-start=\"4044\" data-end=\"4066\">Each layer introduces:<\/p><ul data-start=\"4067\" data-end=\"4138\"><li data-start=\"4067\" data-end=\"4093\"><p data-start=\"4069\" data-end=\"4093\">Configuration complexity<\/p><\/li><li data-start=\"4094\" data-end=\"4113\"><p data-start=\"4096\" data-end=\"4113\">Trust assumptions<\/p><\/li><li data-start=\"4114\" data-end=\"4138\"><p data-start=\"4116\" data-end=\"4138\">Potential bypass paths<\/p><\/li><\/ul><h5 data-start=\"4140\" data-end=\"4176\"><span class=\"ez-toc-section\" id=\"Why_Pentesters_Care_About_Layers\"><\/span>Why Pentesters Care About Layers<span class=\"ez-toc-section-end\"><\/span><\/h5><p data-start=\"4177\" data-end=\"4220\">Security controls applied at one layer may:<\/p><ul data-start=\"4221\" data-end=\"4292\"><li data-start=\"4221\" data-end=\"4243\"><p data-start=\"4223\" data-end=\"4243\">Be absent at another<\/p><\/li><li data-start=\"4244\" data-end=\"4268\"><p data-start=\"4246\" data-end=\"4268\">Be bypassed internally<\/p><\/li><li data-start=\"4269\" data-end=\"4292\"><p data-start=\"4271\" data-end=\"4292\">Behave inconsistently<\/p><\/li><\/ul><p data-start=\"4294\" data-end=\"4303\">Examples:<\/p><ul data-start=\"4304\" data-end=\"4470\"><li data-start=\"4304\" data-end=\"4360\"><p data-start=\"4306\" data-end=\"4360\">WAF blocking payloads, but backend APIs accepting them<\/p><\/li><li data-start=\"4361\" data-end=\"4418\"><p data-start=\"4363\" data-end=\"4418\">CDN hiding origin server, but origin IP exposed via DNS<\/p><\/li><li data-start=\"4419\" data-end=\"4470\"><p data-start=\"4421\" data-end=\"4470\">Authentication enforced on UI but missing on 
APIs<\/p><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7afc130 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"7afc130\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8c12f05\" data-id=\"8c12f05\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2b27a27 elementor-widget elementor-widget-heading\" data-id=\"2b27a27\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"8_HTTP_Response_Codes\"><\/span>8. 
HTTP Response Codes<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e965957 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"e965957\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6de5cbb\" data-id=\"6de5cbb\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-58bf8fc elementor-widget__width-initial elementor-widget elementor-widget-image\" data-id=\"58bf8fc\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img data-opt-id=509894709  data-opt-src=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:670\/h:1024\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/HTTP-Status-Codes-Cheat-Sheet.png\"  loading=\"lazy\" decoding=\"async\" width=\"670\" height=\"1024\" src=\"data:image/svg+xml,%3Csvg%20viewBox%3D%220%200%20670%201024%22%20width%3D%22670%22%20height%3D%221024%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Crect%20width%3D%22670%22%20height%3D%221024%22%20fill%3D%22transparent%22%2F%3E%3C%2Fsvg%3E\" class=\"attachment-large size-large wp-image-617\" alt=\"\" old-srcset=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:706\/h:1080\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/HTTP-Status-Codes-Cheat-Sheet.png 1308w, 
https:\/\/mlefs6wcwvfi.i.optimole.com\/w:196\/h:300\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/HTTP-Status-Codes-Cheat-Sheet.png 196w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:670\/h:1024\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/HTTP-Status-Codes-Cheat-Sheet.png 670w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:706\/h:1080\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/HTTP-Status-Codes-Cheat-Sheet.png 768w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:706\/h:1080\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/HTTP-Status-Codes-Cheat-Sheet.png 1005w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:706\/h:1080\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/HTTP-Status-Codes-Cheat-Sheet.png 900w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:500\/h:765\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/HTTP-Status-Codes-Cheat-Sheet.png 500w\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-94baa40 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"94baa40\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-26f1336\" data-id=\"26f1336\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-705211a elementor-widget elementor-widget-text-editor\" data-id=\"705211a\" data-element_type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"4684\" data-end=\"4823\">HTTP response codes communicate how the server handled a request.<br data-start=\"4749\" data-end=\"4752\" \/>For pentesters, they reveal <strong data-start=\"4780\" data-end=\"4822\">application logic and security posture<\/strong>.<\/p><h5 data-start=\"4825\" data-end=\"4850\"><span class=\"ez-toc-section\" id=\"Commonly_Abused_Codes\"><\/span>Commonly Abused Codes<span class=\"ez-toc-section-end\"><\/span><\/h5><ul data-start=\"4851\" data-end=\"5045\"><li data-start=\"4851\" data-end=\"4880\"><p data-start=\"4853\" data-end=\"4880\"><code data-start=\"4853\" data-end=\"4861\">200 OK<\/code> \u2192 Action succeeded<\/p><\/li><li data-start=\"4881\" data-end=\"4911\"><p data-start=\"4883\" data-end=\"4911\"><code data-start=\"4883\" data-end=\"4894\">302 Found<\/code> \u2192 Redirect logic<\/p><\/li><li data-start=\"4912\" data-end=\"4957\"><p data-start=\"4914\" data-end=\"4957\"><code data-start=\"4914\" data-end=\"4932\">401 Unauthorized<\/code> \u2192 Authentication missing<\/p><\/li><li data-start=\"4958\" data-end=\"4997\"><p data-start=\"4960\" data-end=\"4997\"><code data-start=\"4960\" data-end=\"4975\">403 Forbidden<\/code> \u2192 Authorization check<\/p><\/li><li data-start=\"4998\" data-end=\"5045\"><p data-start=\"5000\" data-end=\"5045\"><code data-start=\"5000\" data-end=\"5027\">500 Internal Server Error<\/code> \u2192 Backend failure<\/p><\/li><\/ul><h5 data-start=\"5047\" data-end=\"5066\"><span class=\"ez-toc-section\" id=\"Why_They_Matter\"><\/span>Why They Matter<span class=\"ez-toc-section-end\"><\/span><\/h5><p data-start=\"5067\" data-end=\"5111\">By observing how response codes change when:<\/p><ul data-start=\"5112\" data-end=\"5176\"><li data-start=\"5112\" data-end=\"5136\"><p data-start=\"5114\" data-end=\"5136\">Parameters are removed<\/p><\/li><li data-start=\"5137\" 
data-end=\"5155\"><p data-start=\"5139\" data-end=\"5155\">IDs are modified<\/p><\/li><li data-start=\"5156\" data-end=\"5176\"><p data-start=\"5158\" data-end=\"5176\">Tokens are altered<\/p><\/li><\/ul><p data-start=\"5178\" data-end=\"5196\">Testers can infer:<\/p><ul data-start=\"5197\" data-end=\"5265\"><li data-start=\"5197\" data-end=\"5218\"><p data-start=\"5199\" data-end=\"5218\">Authorization logic<\/p><\/li><li data-start=\"5219\" data-end=\"5237\"><p data-start=\"5221\" data-end=\"5237\">Validation rules<\/p><\/li><li data-start=\"5238\" data-end=\"5265\"><p data-start=\"5240\" data-end=\"5265\">Hidden application states<\/p><\/li><\/ul><p data-start=\"5267\" data-end=\"5347\">A subtle difference between <code data-start=\"5295\" data-end=\"5300\">401<\/code> and <code data-start=\"5305\" data-end=\"5310\">403<\/code> can reveal <strong data-start=\"5322\" data-end=\"5346\">privilege boundaries<\/strong>.<\/p><p data-start=\"5349\" data-end=\"5473\"><strong data-start=\"5352\" data-end=\"5371\">Pentester rule:<\/strong><br data-start=\"5371\" data-end=\"5374\" \/>Always test the same request under different roles and states. 
Compare responses, not just content.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-48a50f2 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"48a50f2\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-57e3d41\" data-id=\"57e3d41\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-09f716b elementor-widget elementor-widget-heading\" data-id=\"09f716b\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"9_Making_Requests\"><\/span>9. 
Making Requests<span class=\"ez-toc-section-end\"><\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ff8d434 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"ff8d434\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-64f84e7\" data-id=\"64f84e7\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e50366c elementor-widget elementor-widget-image\" data-id=\"e50366c\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img data-opt-id=1411025979  data-opt-src=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:808\/h:469\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/0_4cr558pnMNKvA2s4.png\"  loading=\"lazy\" decoding=\"async\" width=\"808\" height=\"469\" src=\"data:image/svg+xml,%3Csvg%20viewBox%3D%220%200%20808%20469%22%20width%3D%22808%22%20height%3D%22469%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Crect%20width%3D%22808%22%20height%3D%22469%22%20fill%3D%22transparent%22%2F%3E%3C%2Fsvg%3E\" class=\"attachment-large size-large wp-image-618\" alt=\"\" old-srcset=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:808\/h:469\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/0_4cr558pnMNKvA2s4.png 808w, 
https:\/\/mlefs6wcwvfi.i.optimole.com\/w:300\/h:174\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/0_4cr558pnMNKvA2s4.png 300w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:768\/h:446\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/0_4cr558pnMNKvA2s4.png 768w, https:\/\/mlefs6wcwvfi.i.optimole.com\/w:500\/h:290\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/0_4cr558pnMNKvA2s4.png 500w\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-60004a7 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no\" data-id=\"60004a7\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-40911b8\" data-id=\"40911b8\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8b1676c elementor-widget elementor-widget-text-editor\" data-id=\"8b1676c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"5573\" data-end=\"5648\">Everything in web application pentesting revolves around <strong data-start=\"5630\" data-end=\"5647\">HTTP requests<\/strong>.<\/p>\n<h5 data-start=\"5650\" data-end=\"5677\"><span class=\"ez-toc-section\" id=\"HTTP_Methods_and_Intent\"><\/span>HTTP Methods and Intent<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<ul data-start=\"5678\" data-end=\"5769\"><li data-start=\"5678\" data-end=\"5699\">\n<p 
data-start=\"5680\" data-end=\"5699\">GET \u2192 Retrieve data<\/p>\n<\/li><li data-start=\"5700\" data-end=\"5720\">\n<p data-start=\"5702\" data-end=\"5720\">POST \u2192 Submit data<\/p>\n<\/li><li data-start=\"5721\" data-end=\"5746\">\n<p data-start=\"5723\" data-end=\"5746\">PUT\/PATCH \u2192 Modify data<\/p>\n<\/li><li data-start=\"5747\" data-end=\"5769\">\n<p data-start=\"5749\" data-end=\"5769\">DELETE \u2192 Remove data<\/p>\n<\/li><\/ul>\n<p data-start=\"5771\" data-end=\"5800\">Security failures occur when:<\/p>\n<ul data-start=\"5801\" data-end=\"5912\"><li data-start=\"5801\" data-end=\"5838\">\n<p data-start=\"5803\" data-end=\"5838\">Methods are not properly restricted<\/p>\n<\/li><li data-start=\"5839\" data-end=\"5881\">\n<p data-start=\"5841\" data-end=\"5881\">Authorization checks are method-specific<\/p>\n<\/li><li data-start=\"5882\" data-end=\"5912\">\n<p data-start=\"5884\" data-end=\"5912\">APIs accept unintended verbs<\/p>\n<\/li><\/ul>\n<h5 data-start=\"5914\" data-end=\"5955\"><span class=\"ez-toc-section\" id=\"Why_Intercepting_Requests_Is_Critical\"><\/span>Why Intercepting Requests Is Critical<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<p data-start=\"5956\" data-end=\"5995\">Tools like Burp Suite allow testers to:<\/p>\n<ul data-start=\"5996\" data-end=\"6081\"><li data-start=\"5996\" data-end=\"6018\">\n<p data-start=\"5998\" data-end=\"6018\">Observe raw requests<\/p>\n<\/li><li data-start=\"6019\" data-end=\"6038\">\n<p data-start=\"6021\" data-end=\"6038\">Modify parameters<\/p>\n<\/li><li data-start=\"6039\" data-end=\"6055\">\n<p data-start=\"6041\" data-end=\"6055\">Replay actions<\/p>\n<\/li><li data-start=\"6056\" data-end=\"6081\">\n<p data-start=\"6058\" data-end=\"6081\">Change roles and tokens<\/p>\n<\/li><\/ul>\n<p data-start=\"6083\" data-end=\"6096\">This exposes:<\/p>\n<ul data-start=\"6097\" data-end=\"6162\"><li data-start=\"6097\" data-end=\"6116\">\n<p data-start=\"6099\" data-end=\"6116\">Hidden 
parameters<\/p>\n<\/li><li data-start=\"6117\" data-end=\"6136\">\n<p data-start=\"6119\" data-end=\"6136\">Trust assumptions<\/p>\n<\/li><li data-start=\"6137\" data-end=\"6162\">\n<p data-start=\"6139\" data-end=\"6162\">Inconsistent validation<\/p>\n<\/li><\/ul>\n<p data-start=\"6164\" data-end=\"6286\"><strong data-start=\"6167\" data-end=\"6185\">Reality check:<\/strong><br data-start=\"6185\" data-end=\"6188\">\nIf you can modify it in a request, you can test it.<br data-start=\"6239\" data-end=\"6242\">\nIf you can test it, you can likely break it.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Web Application Fundamentals for Pentesters Day 1 \u2013 Understanding the Web Before Breaking It Most people jump straight into payloads, tools, and<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":319,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-611","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","col-md-12"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Web Application Fundamentals for Pentesters - yashinfosec.com<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/yashinfosec.com\/?p=611\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Web Application Fundamentals for Pentesters - yashinfosec.com\" \/>\n<meta property=\"og:description\" content=\"Web Application Fundamentals for Pentesters Day 1 \u2013 Understanding the Web Before Breaking It 
Most people jump straight into payloads, tools, and\" \/>\n<meta property=\"og:url\" content=\"https:\/\/yashinfosec.com\/?p=611\" \/>\n<meta property=\"og:site_name\" content=\"yashinfosec.com\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-14T22:54:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-14T22:57:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif\" \/>\n<meta name=\"author\" content=\"cyaswanthsurya@gmail.com\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"cyaswanthsurya@gmail.com\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/yashinfosec.com\/?p=611#article\",\"isPartOf\":{\"@id\":\"https:\/\/yashinfosec.com\/?p=611\"},\"author\":{\"name\":\"cyaswanthsurya@gmail.com\",\"@id\":\"https:\/\/yashinfosec.com\/#\/schema\/person\/bed735a207318046f8035adf83f1dff3\"},\"headline\":\"Web Application Fundamentals for 
Pentesters\",\"datePublished\":\"2026-01-14T22:54:10+00:00\",\"dateModified\":\"2026-01-14T22:57:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/yashinfosec.com\/?p=611\"},\"wordCount\":1404,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/yashinfosec.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/yashinfosec.com\/?p=611#primaryimage\"},\"thumbnailUrl\":\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif\",\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/yashinfosec.com\/?p=611#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/yashinfosec.com\/?p=611\",\"url\":\"https:\/\/yashinfosec.com\/?p=611\",\"name\":\"Web Application Fundamentals for Pentesters - yashinfosec.com\",\"isPartOf\":{\"@id\":\"https:\/\/yashinfosec.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/yashinfosec.com\/?p=611#primaryimage\"},\"image\":{\"@id\":\"https:\/\/yashinfosec.com\/?p=611#primaryimage\"},\"thumbnailUrl\":\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif\",\"datePublished\":\"2026-01-14T22:54:10+00:00\",\"dateModified\":\"2026-01-14T22:57:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/yashinfosec.com\/?p=611#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/yashinfosec.com\/?p=611\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/yashinfosec.com\/?p=611#primaryimage\",\"url\":\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif\",\"contentUrl\":\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-cont
ent\/uploads\/2026\/01\/internet-diagram.gif\",\"width\":350,\"height\":250},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/yashinfosec.com\/?p=611#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/yashinfosec.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Web Application Fundamentals for Pentesters\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/yashinfosec.com\/#website\",\"url\":\"https:\/\/yashinfosec.com\/\",\"name\":\"yashinfosec.com\",\"description\":\"Explore Security In-depth\",\"publisher\":{\"@id\":\"https:\/\/yashinfosec.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/yashinfosec.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/yashinfosec.com\/#organization\",\"name\":\"yashinfosec.com\",\"url\":\"https:\/\/yashinfosec.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/yashinfosec.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2023\/03\/cropped-logo-1.png\",\"contentUrl\":\"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2023\/03\/cropped-logo-1.png\",\"width\":250,\"height\":250,\"caption\":\"yashinfosec.com\"},\"image\":{\"@id\":\"https:\/\/yashinfosec.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/yashinfosec.com\/#\/schema\/person\/bed735a207318046f8035adf83f1dff3\",\"name\":\"cyaswanthsurya@gmail.com\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/yashinfosec.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravat
ar.com\/avatar\/47c41ba1e8b552436c6945effc63d9f982f86400a71dc3c6d8cf37cb518a3425?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/47c41ba1e8b552436c6945effc63d9f982f86400a71dc3c6d8cf37cb518a3425?s=96&d=mm&r=g\",\"caption\":\"cyaswanthsurya@gmail.com\"},\"sameAs\":[\"http:\/\/yashinfosec.com\"],\"url\":\"https:\/\/yashinfosec.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Web Application Fundamentals for Pentesters - yashinfosec.com","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/yashinfosec.com\/?p=611","og_locale":"en_US","og_type":"article","og_title":"Web Application Fundamentals for Pentesters - yashinfosec.com","og_description":"Web Application Fundamentals for Pentesters Day 1 \u2013 Understanding the Web Before Breaking It Most people jump straight into payloads, tools, and","og_url":"https:\/\/yashinfosec.com\/?p=611","og_site_name":"yashinfosec.com","article_published_time":"2026-01-14T22:54:10+00:00","article_modified_time":"2026-01-14T22:57:56+00:00","og_image":[{"url":"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif","type":"","width":"","height":""}],"author":"cyaswanthsurya@gmail.com","twitter_card":"summary_large_image","twitter_misc":{"Written by":"cyaswanthsurya@gmail.com","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/yashinfosec.com\/?p=611#article","isPartOf":{"@id":"https:\/\/yashinfosec.com\/?p=611"},"author":{"name":"cyaswanthsurya@gmail.com","@id":"https:\/\/yashinfosec.com\/#\/schema\/person\/bed735a207318046f8035adf83f1dff3"},"headline":"Web Application Fundamentals for Pentesters","datePublished":"2026-01-14T22:54:10+00:00","dateModified":"2026-01-14T22:57:56+00:00","mainEntityOfPage":{"@id":"https:\/\/yashinfosec.com\/?p=611"},"wordCount":1404,"commentCount":0,"publisher":{"@id":"https:\/\/yashinfosec.com\/#organization"},"image":{"@id":"https:\/\/yashinfosec.com\/?p=611#primaryimage"},"thumbnailUrl":"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif","articleSection":["Cybersecurity"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/yashinfosec.com\/?p=611#respond"]}]},{"@type":"WebPage","@id":"https:\/\/yashinfosec.com\/?p=611","url":"https:\/\/yashinfosec.com\/?p=611","name":"Web Application Fundamentals for Pentesters - 
yashinfosec.com","isPartOf":{"@id":"https:\/\/yashinfosec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/yashinfosec.com\/?p=611#primaryimage"},"image":{"@id":"https:\/\/yashinfosec.com\/?p=611#primaryimage"},"thumbnailUrl":"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif","datePublished":"2026-01-14T22:54:10+00:00","dateModified":"2026-01-14T22:57:56+00:00","breadcrumb":{"@id":"https:\/\/yashinfosec.com\/?p=611#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/yashinfosec.com\/?p=611"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/yashinfosec.com\/?p=611#primaryimage","url":"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif","contentUrl":"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2026\/01\/internet-diagram.gif","width":350,"height":250},{"@type":"BreadcrumbList","@id":"https:\/\/yashinfosec.com\/?p=611#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/yashinfosec.com\/"},{"@type":"ListItem","position":2,"name":"Web Application Fundamentals for Pentesters"}]},{"@type":"WebSite","@id":"https:\/\/yashinfosec.com\/#website","url":"https:\/\/yashinfosec.com\/","name":"yashinfosec.com","description":"Explore Security 
In-depth","publisher":{"@id":"https:\/\/yashinfosec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/yashinfosec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/yashinfosec.com\/#organization","name":"yashinfosec.com","url":"https:\/\/yashinfosec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/yashinfosec.com\/#\/schema\/logo\/image\/","url":"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2023\/03\/cropped-logo-1.png","contentUrl":"https:\/\/mlefs6wcwvfi.i.optimole.com\/w:auto\/h:auto\/q:mauto\/ig:avif\/https:\/\/yashinfosec.com\/wp-content\/uploads\/2023\/03\/cropped-logo-1.png","width":250,"height":250,"caption":"yashinfosec.com"},"image":{"@id":"https:\/\/yashinfosec.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/yashinfosec.com\/#\/schema\/person\/bed735a207318046f8035adf83f1dff3","name":"cyaswanthsurya@gmail.com","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/yashinfosec.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/47c41ba1e8b552436c6945effc63d9f982f86400a71dc3c6d8cf37cb518a3425?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/47c41ba1e8b552436c6945effc63d9f982f86400a71dc3c6d8cf37cb518a3425?s=96&d=mm&r=g","caption":"cyaswanthsurya@gmail.com"},"sameAs":["http:\/\/yashinfosec.com"],"url":"https:\/\/yashinfosec.com\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/yashinfosec.com\/index.php?rest_route=\/wp\/v2\/posts\/611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yashinfosec.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yashinfosec.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"
embeddable":true,"href":"https:\/\/yashinfosec.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/yashinfosec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=611"}],"version-history":[{"count":4,"href":"https:\/\/yashinfosec.com\/index.php?rest_route=\/wp\/v2\/posts\/611\/revisions"}],"predecessor-version":[{"id":624,"href":"https:\/\/yashinfosec.com\/index.php?rest_route=\/wp\/v2\/posts\/611\/revisions\/624"}],"wp:attachment":[{"href":"https:\/\/yashinfosec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yashinfosec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yashinfosec.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}