Web App Pentest

get the web-app-pentest context

​

Summary

• Phase 1 covers passive and active reconnaissance: subdomain enumeration, JS file analysis, directory brute-force, and technology fingerprinting
• Phase 2 tests authentication: default credentials, brute-force protection, password reset flaws, MFA bypass, OAuth misconfiguration, and JWT attacks
• Phase 3 tests authorization: IDOR, privilege escalation, HTTP method bypass, and parameter tampering
• Phase 4 covers all injection classes: SQLi, XSS, SSTI, command injection, XXE, and SSRF
• Phases 5–6 assess session management and business logic flaws
• Phase 7 produces structured findings referencing OWASP Top 10

​

CONTEXT.md

​

When to Use This Context

• Starting a web application pentest engagement
• Testing authentication, session management, or authorization
• Looking for injection vulnerabilities (SQLi, XSS, SSTI, etc.)
• Testing business logic flaws
• Reviewing API endpoints exposed by a web app

​

Phase 1 Reconnaissance

• Enumerate subdomains: subfinder -d target.com, amass enum -d target.com
• Check robots.txt, sitemap.xml, .well-known/
• Google dorks: site:target.com filetype:pdf, site:target.com inurl:admin
• Check Wayback Machine for old endpoints
• Review JS files for hardcoded secrets, API keys, internal endpoints

• Directory brute-force: ffuf -w wordlist.txt -u https://target.com/FUZZ
• Technology fingerprinting: whatweb, wappalyzer, response headers
• Port scan: nmap -sV -p 80,443,8080,8443 target.com

​

Phase 2 Authentication Testing

• Default credentials (admin/admin, admin/password)
• Username enumeration via response timing or error messages
• Brute-force protection test rate limiting, account lockout
• Password reset flaws token predictability, host header injection
• MFA bypass code reuse, response manipulation, backup codes
• OAuth misconfiguration state parameter, redirect_uri bypass
• JWT attacks use jwt-cracker skill if available

​

Phase 3 Authorization Testing

• IDOR access other users’ objects by changing IDs (use idor-hunter skill if available)
• Privilege escalation access admin functions with low-privilege account
• Horizontal escalation access another user’s data with same role
• Path-based access control bypass: /admin/../user/profile
• HTTP method bypass: GET blocked → try POST, HEAD, OPTIONS
• Parameter tampering: role=user → role=admin

​

Phase 4 Injection Testing

# Manual probes
' OR '1'='1
'; DROP TABLE users;--

# Automated
sqlmap -u "https://target.com/page?id=1" --dbs

• Reflected: inject <script>alert(1)</script> in every input
• Stored: comment fields, profile names, file names
• DOM: check JS for innerHTML, document.write, eval

• SSTI: {{7*7}}, ${7*7}, <%= 7*7 %> use ssti-hunter skill if available
• Command injection: ; id, | whoami
• XXE: inject <!ENTITY xxe SYSTEM "file:///etc/passwd">
• SSRF: replace URLs with http://169.254.169.254/ (AWS metadata)

​

Phase 5 Session Management

• Session token entropy is it predictable?
• Session fixation can attacker set a known session ID?
• Session after logout does the token still work?
• Cookie flags missing HttpOnly, Secure, SameSite
• CSRF test state-changing requests without CSRF token

​

Phase 6 Business Logic

• Skip steps in multi-step flows (checkout, onboarding)
• Negative values in quantity/price fields
• Race conditions on limited resources (coupons, transfers)
• Mass assignment send extra fields in JSON body
• File upload bypass extension checks, upload webshells

​

Phase 7 Reporting

​

Related contexts