Walking An Application Writeup

Date: 04-02-2026 | Platform: TryHackMe | Difficulty: Easy | PT1 Exam Preparation

Overview

This room covers the methodology for exploring and understanding web applications through various techniques including source code analysis, developer tools, and network monitoring. Essential skills for web application security assessment.

Task 1: Walking An Application

Learn how to manually review a web application for security issues using only the in-built tools in your browser. More often than not, automated security tools and scripts will miss many potential vulnerabilities and useful information.

Browser Tools Covered:

  • View Page Source
  • Developer Tools - Inspector
  • Developer Tools - Debugger
  • Developer Tools - Network

Task 2: Exploring The Website

As a penetration tester, your role when reviewing a website or web application is to discover features that could potentially be vulnerable and attempt to exploit them to assess whether or not they are. These features are usually parts of the website that require some interactivity with the user.

Finding interactive portions of the website can be as easy as spotting a login form to manually reviewing the website's JavaScript. An excellent place to start is just with your browser exploring the website and noting down the individual pages/areas/features with a summary for each one.

Example Site Review for Acme IT Support:

Feature | URL | Summary
--- | --- | ---
Home Page | / | This page contains a summary of what Acme IT Support does with a company photo of their staff.
Latest News | /news | This page contains a list of recently published news articles by the company, and each news article has a link with an id number, i.e. /news/article?id=1
News Article | /news/article?id=1 | Displays the individual news article. Some articles seem to be blocked and reserved for premium customers only.
Contact Page | /contact | This page contains a form for customers to contact the company. It contains name, email and message input fields and a send button.
Customers | /customers | This link redirects to /customers/login.
Customer Login | /customers/login | This page contains a login form with username and password fields.
Customer Signup | /customers/signup | This page contains a user-signup form that consists of username, email, password and password confirmation input fields.
Customer Reset Password | /customers/reset | Password reset form with an email address input field.
Customer Dashboard | /customers | This page contains a list of the user's tickets submitted to the IT support company and a "Create Ticket" button.
Create Ticket | /customers/ticket/new | This page contains a form with a textbox for entering the IT issue and a file upload option to create an IT support ticket.
Customer Account | /customers/account | This page allows the user to edit their username, email and password.
Customer Logout | /customers/logout | This link logs the user out of the customer area.

Task 3: Viewing The Page Source

The page source is the human-readable code returned to our browser/client from the web server each time we make a request.

The returned code is made up of HTML (HyperText Markup Language), CSS (Cascading Style Sheets) and JavaScript, and it's what tells our browser what content to display, how to show it and adds an element of interactivity with JavaScript.

For our purposes, viewing the page source can help us discover more information about the web application.

How to View Page Source:

  • Right-click on the page and choose "View Page Source"
  • Alternatively, prefix the URL in the address bar with view-source: (e.g. view-source:https://example.com)

What to Look For:

Comments in HTML start with <!-- and end with -->. These are messages left by the website developer that don't get displayed on the actual webpage. Comments can contain useful information about the application.

Links to different pages in HTML are written in anchor tags (<a>), and the link that you'll be directed to is stored in the href attribute.

Example: Comments may describe temporary pages or development status, providing insights into the application's current state.

Hidden Links: Look for hidden links starting with "secr" or similar patterns that may reveal private areas.

Directory Listing: Check for configuration errors that enable directory listing, which may expose backup files, source code, or confidential information.

Framework Detection: Look for comments about frameworks and versions. Outdated frameworks may have known vulnerabilities.
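The checks above can be automated over a saved copy of the page source. The following is an added example (not code from the TryHackMe room); the HTML it scans is a constructed sample, and the "secr" prefix and version-comment patterns are the ones the room tells you to look for:

```javascript
// Added example: a small page-source reviewer for the Task 3 checklist.
// The HTML below is constructed for the demo; the real Acme IT Support source differs.
const sampleHtml = `
<!-- TODO: remove /new-site-beta before launch -->
<html><head><title>Acme IT Support</title></head><body>
<a href="/news">Latest News</a>
<a href="/secret-page-placeholder">secret</a>
<a href="/contact">Contact</a>
<!-- Page generated by THM Framework v1.2 -->
</body></html>`;

// Every HTML comment (<!-- ... -->), with surrounding whitespace trimmed.
function extractComments(html) {
  return [...html.matchAll(/<!--([\s\S]*?)-->/g)].map(m => m[1].trim());
}

// The href attribute of every anchor tag (single or double quoted).
function extractLinks(html) {
  return [...html.matchAll(/<a\b[^>]*\bhref\s*=\s*["']([^"']*)["']/gi)].map(m => m[1]);
}

// Links whose final path segment starts with "secr", as the room suggests.
function suspiciousLinks(links) {
  return links.filter(l => /\/secr[^\/]*$/i.test(l));
}

// Comments that look like developer notes or framework/version disclosures.
function interestingComments(comments) {
  return comments.filter(c => /\b(todo|fixme|framework|v?\d+\.\d+)/i.test(c));
}

// Collect everything a manual source review would note down.
function reviewSource(html) {
  const comments = extractComments(html);
  const links = extractLinks(html);
  return {
    comments,
    links,
    hiddenLinks: suspiciousLinks(links),
    notableComments: interestingComments(comments),
  };
}

console.log(JSON.stringify(reviewSource(sampleHtml), null, 2));
```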

TryHackMe Answers:

  • What is the flag from the HTML comment? THM{HTML_COMMENTS_ARE_DANGEROUS}
  • What is the flag from the secret link? THM{NOT_A_SECRET_ANYMORE}
  • What is the directory listing flag? THM{INVALID_DIRECTORY_PERMISSIONS}
  • What is the framework flag? THM{KEEP_YOUR_SOFTWARE_UPDATED}

Task 4: Developer Tools - Inspector

Every modern browser includes developer tools; this is a tool kit used to aid web developers in debugging web applications and gives you a peek under the hood of a website to see what is going on. As a pentester, we can leverage these tools to provide us with a much better understanding of the web application.

Opening Developer Tools:

The way to access developer tools is different for every browser. Common methods include F12, right-click → Inspect, or browser menu options.

Inspector Usage:

The page source doesn't always represent what's shown on a webpage; this is because CSS, JavaScript and user interaction can change the content and style of the page, which means we need a way to view what's been displayed in the browser window at this exact time. Element inspector assists us with this by providing us with a live representation of what is currently on the website.

As well as viewing this live view, we can also edit and interact with the page elements, which is helpful for web developers to debug issues.

Practical Example - Paywall Bypass:

On the Acme IT Support website news section, the third article is blocked by a floating notice (paywall) stating you have to be a premium customer to view it.

Steps to Bypass:

  • Locate the DIV element with the class premium-customer-blocker
  • Click on it in the inspector
  • Find the display: block style in the styles box
  • Change "block" to "none" to make the box disappear
  • This reveals the content underneath and any hidden information

If the element didn't have a display field, you could add your own style to hide it.
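The reason this trick works is that the article body is already in the HTML and only an overlay hides it. The following added example (not code from the room) contrasts that weak pattern with a server-side check that never sends the premium body to a non-premium user; the article and user objects are constructed sample data:

```javascript
// Added example: CSS hiding versus server-side enforcement of a paywall.
// Constructed sample article; output escaping is omitted to keep the contrast visible.
const article = { id: 3, title: "Premium-only news", body: "Full article text (premium)" };

// Weak: the body is in the response regardless of the user; the blocker DIV is
// only styling, so switching display: block to display: none reveals it.
function renderArticleClientHidden(a, user) {
  const blocker = user.premium ? "" :
    '<div class="premium-customer-blocker" style="display: block">Premium customers only</div>';
  return `<h1>${a.title}</h1>${blocker}<div class="article-body">${a.body}</div>`;
}

// Hardened: the server decides what to send, so there is nothing in the page to un-hide.
function renderArticleServerChecked(a, user) {
  if (!user.premium) {
    return { status: 403, html: `<h1>${a.title}</h1><p>Premium customers only</p>` };
  }
  return { status: 200, html: `<h1>${a.title}</h1><div class="article-body">${a.body}</div>` };
}

// Review check: does the HTML delivered to a non-premium user contain the protected text?
function leaksBody(html, a) {
  return html.includes(a.body);
}

const free = { premium: false };
console.log("CSS-hidden leaks body:", leaksBody(renderArticleClientHidden(article, free), article));
console.log("Server-checked leaks body:", leaksBody(renderArticleServerChecked(article, free).html, article));
```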

TryHackMe Answer:

  • What is the flag behind the paywall? THM{NOT_SO_HIDDEN}

Task 5: Developer Tools - Debugger

This panel in the developer tools is intended for debugging JavaScript, and again is an excellent feature for web developers wanting to work out why something might not be working. But as penetration testers, it gives us the option of digging deep into the JavaScript code. In Firefox and Safari, this feature is called Debugger, but in Google Chrome, it's called Sources.

Practical Example - Red Flash Analysis:

On the Acme IT Support website contact page, there's a rapid flash of red on the screen each time the page loads. We can use the Debugger to work out what this red flash is and if it contains anything interesting.

Steps to Analyze JavaScript:

1. Locate JavaScript Files:

  • In both browsers, on the left-hand side, you see a list of all the resources the current webpage is using
  • Click into the assets folder to see JavaScript files like flash.min.js

2. Handle Minified Code:

  • Many JavaScript files are on one line because they've been minified (tabs, spacing, and newlines removed)
  • Use the "Pretty Print" option (two braces { }) to restore some formatting
  • Note: Some files are also obfuscated, making them purposely difficult to read

3. Set Breakpoints:

  • Find the line of code that removes the red popup (e.g., flash['remove']())
  • Click the line number to insert a breakpoint (it turns blue)
  • Breakpoints force the browser to stop processing JavaScript and pause execution

4. Analyze Execution:

  • Refresh the page with the breakpoint active
  • The red box stays on the page instead of disappearing
  • This reveals hidden content or flags that would normally be removed

TryHackMe Answer:

  • What is the flag in the red box? THM{CATCH_ME_IF_YOU_CAN}

Task 6: Developer Tools - Network

The network tab on the developer tools can be used to keep track of every external request a webpage makes. If you click on the Network tab and then refresh the page, you'll see all the files the page is requesting.

Practical Example - Contact Form Analysis:

1. Monitor Network Activity:

  • Click on the Network tab and refresh the page to see all file requests
  • Use the trash can icon to clear the list if it gets overpopulated

2. Analyze Form Submissions:

  • With the network tab open, fill in the contact form and press "Send Message"
  • You'll notice an event in the network tab - this is the form being submitted using AJAX
  • AJAX is a method for sending and receiving network data in the background without changing the current web page

3. Examine Network Requests:

  • Examine the new entry on the network tab that the contact form created
  • View the page the data was sent to in order to reveal hidden information
  • This can expose flags, sensitive data, or reveal the actual endpoint handling the form

TryHackMe Answer:

  • What is the flag shown on the contact-msg network request? THM{GOT_AJAX_FLAG}

PT1 Exam Relevance

This room covers essential web application analysis skills for PT1 certification:

  • Application Understanding: Foundation for all web security assessments
  • Source Code Analysis: Identifying potential vulnerabilities
  • Developer Tools Proficiency: Essential for manual testing
  • Network Analysis: Understanding data flow and communication
  • Information Gathering: Critical for comprehensive security testing

Key Takeaways

  • Systematic exploration is essential for understanding web applications
  • Page source analysis reveals application structure and potential issues
  • Developer tools provide powerful capabilities for manual testing
  • Network monitoring helps understand application behavior
  • Combining multiple analysis techniques provides comprehensive coverage
  • Always document findings for reporting and further analysis