Web App Pen Test Playbook

Scoping Questions / Rules of Engagement

  1. What is the URL?

  2. Is DoS testing in scope?

  3. Is API testing needed?

    1. How many APIs?

    2. What are the URLs?

  4. How many user roles are tested (e.g., admin, standard, etc.)?

  5. Do you need after-hours testing done (e.g., nights/weekends)?

  6. Is a walkthrough of the application possible?

  7. In which environment is testing being done (prod, test, etc.)?


Web Application Penetration Testing Checklist

Recon Phase

Identify Technologies

  • NMAP (http-enum script)

    • Command: nmap -p 80,443 --script=http-enum target.com

  • WhatWeb

    • Command: whatweb -a 3 https://target.com

  • BuiltWith (Web GUI)

Discover Subdomains

  • Subfinder

    • Command: subfinder -d target.com -o subdomains.txt

  • Amass

    • Command: amass enum -passive -d target.com

  • crt.sh (Web GUI)

API Endpoint Enumeration

  • JS File Analysis

    • Manually inspect /robots.txt, /sitemap.xml, and JavaScript files (.js) for API endpoints

  • LinkFinder

    • Command: python3 linkfinder.py -i https://target.com/script.js -o cli

  • ParamSpider

    • Command: python3 paramspider.py -d target.com

Directory & File Enumeration (Burp Suite Pro & SecLists)

Step 1: Mapping the Application in Burp Suite

  1. Ensure Burp Suite Pro is running and properly configured with the target application.

  2. Spider the application using one of the following:

    • Manually browse the app while Burp captures traffic.

    • Use Burp's "Crawl and Audit" feature (Burp Suite Pro only).

    • Engage the Spider (if available in your version).

  3. Check the Target tab:

    • Review discovered endpoints and directories.

    • Identify which directories are in scope.

  4. Pro Tip: After mapping the site in Burp, export discovered paths to a file and use it as a custom wordlist for further fuzzing.

    • sort -u burp_paths.txt > custom_wordlist.txt

Step 2: Automated Directory Fuzzing Using Burp Suite Pro

  1. Send a request to Intruder.

  2. Select payload position.

  3. Use wordlist-based attack from SecLists.

Step 3: Selecting the Right Wordlist (SecLists)

  • Common directories: /SecLists/Discovery/Web-Content/common.txt

  • Large list for deeper scans: /SecLists/Discovery/Web-Content/big.txt

  • PHP apps: /SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt

  • API endpoints: /SecLists/Discovery/Web-Content/api/api-endpoints.txt

  • JS-heavy apps: /SecLists/Discovery/Web-Content/JavaScript/js_common.txt

Authentication Testing

Bypass Authentication

  • SQL Injection (SQLi)

    • Command: sqlmap -u "https://target.com/login.php?user=admin" --batch --dbs

  • JWT Manipulation

    • Command: jwt_tool <token> -T (tamper mode; jwt_tool takes the raw token string as its argument, not a file path)

  • Brute Force Login (Hydra)

    • Command: hydra -L users.txt -P passwords.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

Authorization Testing

IDOR (Insecure Direct Object Reference)

  • Check URL Parameter Manipulation

    • Example: https://target.com/user?id=123 → Change to id=124

    • Access a data item or document as user1, then log in as user2 and check whether the same item is accessible.

  • Check API Authorization

    • Command: curl -X GET https://target.com/api/user/1234 -H "Authorization: Bearer token"

Role Privilege Escalation

  • Check for Admin Access

    • Example: Change role=user to role=admin in requests (Burp Suite)
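The two authorization checks above (IDOR on a user id, and role tampering in the request) come down to the same question: does the server decide access from its own session state, or from values the client supplies? The following is an added Python example, not code from the playbook: a constructed in-memory "user" endpoint in a vulnerable form (authenticates the caller but never checks ownership) beside a hardened form (owner-or-admin check, with the role taken from the server-side session rather than the request), plus the differential test from the checklist that reads an object as its owner and replays the request as a second user. All user ids, session tokens and records are constructed placeholders.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed demo data (not from the page): user records keyed by id.
USERS: Dict[int, dict] = {
    123: {"name": "user1", "email": "user1@example.invalid"},
    124: {"name": "user2", "email": "user2@example.invalid"},
}

# Session token -> (user id, role). The role lives server-side, so a
# "role=admin" field in the request body is never consulted.
SESSIONS: Dict[str, Tuple[int, str]] = {
    "sess-user1": (123, "user"),
    "sess-user2": (124, "user"),
    "sess-admin": (1, "admin"),
}

# (HTTP-style status code, response body)
Response = Tuple[int, Optional[dict]]


def get_user_vulnerable(session: str, user_id: int) -> Response:
    """Checks that the caller is logged in, but not that user_id is theirs (IDOR)."""
    if session not in SESSIONS:
        return 401, None
    record = USERS.get(user_id)
    return (200, record) if record is not None else (404, None)


def get_user_hardened(session: str, user_id: int) -> Response:
    """Object-level authorization: only the owner or an admin may read the record."""
    if session not in SESSIONS:
        return 401, None
    caller_id, role = SESSIONS[session]
    if caller_id != user_id and role != "admin":
        return 403, None  # deny before the record is even looked up
    record = USERS.get(user_id)
    return (200, record) if record is not None else (404, None)


def find_idor(endpoint: Callable[[str, int], Response],
              owner_session: str, other_session: str,
              object_ids: List[int]) -> List[int]:
    """The checklist's differential test: read each object as its owner, then
    replay the identical request as a different user. An identical 200 body
    means the object is served without an ownership check."""
    exposed = []
    for oid in object_ids:
        owner_status, owner_body = endpoint(owner_session, oid)
        other_status, other_body = endpoint(other_session, oid)
        if owner_status == 200 and other_status == 200 and owner_body == other_body:
            exposed.append(oid)
    return exposed


if __name__ == "__main__":
    print("vulnerable endpoint exposes:", find_idor(get_user_vulnerable, "sess-user1", "sess-user2", [123]))
    print("hardened endpoint exposes:  ", find_idor(get_user_hardened, "sess-user1", "sess-user2", [123]))
```

The same `find_idor` loop works against a real endpoint by swapping in a function that issues the HTTP request with each session's cookie or bearer token; compare the response bodies rather than only the status codes, since some applications return 200 with an empty or error body for denied objects.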

Input Validation & Injection Testing

SQL Injection (SQLi)

  • Manual Testing

    • Example: https://target.com/login.php?id=1' OR '1'='1

  • Automated Testing (SQLMap)

    • Command: sqlmap -u "https://target.com/product?id=5" --dbs --batch
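To see why the `' OR '1'='1` probe above works, and what the fix the report should recommend looks like, here is an added Python example (not from the playbook) using the standard library's sqlite3 module: a login check built by string concatenation beside the same check as a parameterized query, run against a constructed in-memory users table. The table, usernames and passwords are demo values only; passwords are stored in clear text purely to keep the example short, a real application stores a password hash.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table (demo data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct-horse"), ("alice", "battery-staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: user input becomes part of the SQL grammar, so a
    password of  x' OR '1'='1  turns the WHERE clause into a tautology."""
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: values are bound by the driver and never parsed as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR '1'='1"  # the checklist's tautology payload, as a password value
    print("vulnerable login with probe:", login_vulnerable(db, "admin", probe))
    print("hardened login with probe:  ", login_hardened(db, "admin", probe))
    print("hardened login, real creds: ", login_hardened(db, "admin", "correct-horse"))
```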

Cross-Site Scripting (XSS)

  • Reflected XSS

    • Example: https://target.com/search?q=<script>alert(1)</script>

  • Stored XSS

    • Inject payload in comment fields: <img src=x onerror=alert(1)>

  • DOM XSS (XSSHunter)

Command Injection

  • Manual Testing

    • Example: https://target.com/ping?ip=127.0.0.1;whoami

  • Automated Testing (Commix)

    • Command: commix --url="https://target.com/ping?ip=" --level=3
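The `ping?ip=127.0.0.1;whoami` probe targets code that splices the parameter into a shell command line. As an added Python example (not from the playbook, and not a Commix feature), the block below shows that vulnerable construction next to the hardened one, which allow-lists the value as an IP address literal and passes it as a separate argv element with no shell involved, plus a small metacharacter check useful when reviewing access logs for this kind of probe. The `run_ping` helper and its ping arguments are assumptions for the demonstration.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Characters that give the shell a second command or substitution.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n]")


def build_ping_command_vulnerable(ip: str) -> str:
    """Vulnerable pattern: the parameter is spliced into one shell string, so
    "127.0.0.1;whoami" reaches the shell as two commands."""
    return "ping -c 1 " + ip


def contains_shell_metacharacters(value: str) -> bool:
    """Detection aid for log or WAF review: does the parameter carry shell syntax?"""
    return SHELL_METACHARS.search(value) is not None


def validate_ping_target(value: str) -> Optional[str]:
    """Allow-list validation: accept only a literal IPv4/IPv6 address and
    return it normalized; anything else (including appended commands) is None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_ping_argv_hardened(value: str) -> List[str]:
    """Hardened pattern: validated value as its own argv element, no shell."""
    target = validate_ping_target(value)
    if target is None:
        raise ValueError("ping target must be an IP address literal")
    return ["ping", "-c", "1", target]


def run_ping(value: str) -> int:
    """Run the hardened command with shell=False (the default); returns the exit code."""
    return subprocess.run(build_ping_argv_hardened(value),
                          capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "127.0.0.1;whoami"):
        print(candidate,
              "| shell metacharacters:", contains_shell_metacharacters(candidate),
              "| accepted as:", validate_ping_target(candidate))
```

If the application legitimately needs hostnames rather than addresses, the allow-list must validate those too (for example against a strict DNS-label pattern) before they are handed to argv; relying on `shell=False` alone is not enough when the value can still be interpreted as an option by the called program.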

Security Misconfigurations

Check for Open Directories

  • Manually Browse

    • Example: https://target.com/admin/

  • Automated Scan

    • Command: gobuster dir -u https://target.com -w wordlist.txt

Identify Outdated Software (Nuclei)

  • Automated Scan

    • Command: nuclei -u https://target.com -t cves/

Business Logic Flaws

  • Check for Broken Access Control

    • Example: Use a regular user account to attempt admin actions

  • Check for Rate Limiting

    • Command: ffuf -u https://target.com/login -w usernames.txt -H "X-Forwarded-For: 127.0.0.1"

Cryptographic Issues

Weak TLS/SSL Configurations

  • SSLScan

    • Command: sslscan https://target.com

  • Test TLS (testssl.sh)

    • Command: testssl.sh https://target.com

Broken JWT Token Security

  • Decode JWT

    • Command: jwt_tool <token> (no flags decodes and prints the header and payload; the token is passed as a string, not a file)

  • Modify Algorithm to None

    • Modify alg: HS256 → alg: none in the JWT header
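The decode step and the alg:none test above are both about how the server verifies the token, so here is an added Python example (standard library only, not code from the playbook or from jwt_tool) that implements the decode, issues a normal HS256 token, builds the alg:none test case from the checklist, and verifies it against two verifiers: one that trusts the alg field inside the token (and therefore accepts an unsigned token) and one that pins HS256 server-side and rejects anything else. The signing key and claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

DEMO_KEY = b"constructed-demo-key"  # placeholder signing key for the demonstration


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token: str) -> dict:
    """The 'Decode JWT' step: show header, payload and signature without verifying."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
        "signature": _b64url_decode(sig_b64),
    }


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the application's login does)."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def make_alg_none_token(payload: dict) -> str:
    """The 'Modify alg to none' test case: alg set to none, empty signature segment."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the alg field supplied by the token itself: alg none skips the check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg", "").lower()
    if alg == "none":
        return json.loads(_b64url_decode(payload_b64))
    if alg == "hs256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Pins the algorithm server-side; a token naming any other alg is rejected outright."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    issued = sign_hs256({"sub": "user1", "role": "user"}, DEMO_KEY)
    probe = make_alg_none_token({"sub": "user1", "role": "admin"})
    print("decoded probe header:", decode_jwt(probe)["header"])
    print("vulnerable verifier accepts probe:", verify_vulnerable(probe, DEMO_KEY) is not None)
    print("hardened verifier accepts probe:  ", verify_hardened(probe, DEMO_KEY) is not None)
```

When the finding is confirmed, the mitigation to report is the hardened form: the server chooses the algorithm and key, never the token.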

Client-Side Security Testing

Content Security Policy (CSP) Bypass

  • Check CSP Headers

    • Command: curl -sI https://target.com | grep -i content-security-policy (header names are case-insensitive, so grep without -i can miss Content-Security-Policy)

  • Check Misconfigured Headers

    • Command: curl -sI https://target.com | grep -i x-frame-options
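Grepping for one header at a time tells you whether it is present, not whether its value is any good. As an added Python example (not from the playbook), the block below parses `curl -I` style output case-insensitively, breaks the Content-Security-Policy into directives, and flags the weak settings a report would call out (wildcard or unsafe-inline/unsafe-eval script sources, missing clickjacking protection, missing HSTS and nosniff). The two header sets are constructed samples, not captured from any site.

```python
from typing import Dict, List

# Constructed sample responses (not captured from a real host).
SAMPLE_HEADERS_WEAK = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-Frame-Options: ALLOWALL
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'
"""

SAMPLE_HEADERS_GOOD = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse curl -I output into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_csp(csp: str) -> List[str]:
    """Split a CSP into directives and flag weak script-source settings."""
    directives: Dict[str, List[str]] = {}
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    # script-src falls back to default-src when absent.
    script_src = directives.get("script-src", directives.get("default-src", []))
    findings = []
    if not script_src:
        findings.append("CSP sets neither script-src nor default-src")
    if "*" in script_src:
        findings.append("CSP script sources include a wildcard (*)")
    if "'unsafe-inline'" in script_src:
        findings.append("CSP script sources allow 'unsafe-inline'")
    if "'unsafe-eval'" in script_src:
        findings.append("CSP script sources allow 'unsafe-eval'")
    if "object-src" not in directives and "default-src" not in directives:
        findings.append("CSP leaves object-src unrestricted")
    return findings


def audit_headers(raw: str) -> List[str]:
    """Return a list of findings for a captured response header block."""
    h = parse_headers(raw)
    findings: List[str] = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        findings.extend(audit_csp(csp))
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_HEADERS_WEAK), ("good", SAMPLE_HEADERS_GOOD)):
        print(label, "->", audit_headers(sample) or "no findings")
```

To run it against a live target, feed it the output of `curl -sI https://target.com` (the headers of the landing page only; check the authenticated pages separately, since CSP is often set per route).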

Sensitive Data in JavaScript

  • Find API Keys and Secrets

    • Command: grep -iE "apikey|secret|token" *.js

  • Manually Inspect Local Storage

    • Open DevTools → Application → Local Storage

Exploiting Known Vulnerabilities

Check for Known CVEs (Nuclei)

  • Run Nuclei

    • Command: nuclei -u https://target.com -t cves/

  • Search Exploits (Exploit-DB)

    • Command: searchsploit software_version

Post-Exploitation

Extract Sensitive Information

  • Look for Secrets in Response

    • Command: curl -s -D- https://target.com | grep -i "api_key"

Test for SSRF (Server-Side Request Forgery)

  • Basic Test

    • Example: https://target.com/proxy?url=http://internal-system.local

Reporting

  • Generate Findings Report

    • Use Markdown, OWASP Risk Rating, screenshots from Burp Suite

  • Provide Mitigations

    • Reference OWASP Top 10, CVEs, or security best practices
