Web App Penetration Testing Cheat Sheet

🎯 Web Application Security Testing

Comprehensive toolkit for identifying vulnerabilities, misconfigurations, and security weaknesses in web applications through systematic enumeration and targeted exploitation techniques.

15+

Tools

⚠️ Legal and Ethical Guidelines

Authorization Required: Only test applications you own or have explicit written permission to assess
Scope Boundaries: Stay within defined testing scope and avoid impacting production systems
Data Protection: Never access, modify, or exfiltrate sensitive data during testing
Responsible Disclosure: Report findings through proper channels and allow time for remediation
Documentation: Maintain detailed logs of all testing activities for compliance and reporting

🔄 Testing Methodology

Follow this systematic approach for comprehensive web application security assessment:

Reconnaissance & Enumeration (whatweb, feroxbuster)

Directory & File Discovery (feroxbuster, dirb)

Vulnerability Scanning (nikto, wapiti, nmap NSE)

Authentication Testing (hydra, cewl)

Injection Testing (sqlmap, XSStrike)

Configuration Analysis (davtest, SSL testing)

🔍

Web App Enumeration

Fingerprint technologies, frameworks, and plugins

whatweb

Fingerprint frameworks & plugins

whatweb http://192.168.1.XX/

Identifies web technologies, CMS, frameworks, JavaScript libraries, and server information

💡 Pro Tips:
• Use -v for verbose output
• Try --aggression 3 for more thorough detection
• Use --log-brief for clean output

wapiti

Automated web vulnerability scanner

wapiti -u http://192.168.1.XX/ -f txt -o wapiti_report.txt

Similar to Nikto but broader coverage - scans for XSS, SQL injection, file disclosure, etc.

💡 Advanced Options:
• -m "all,-backup" - exclude backup file detection
• --scope domain - limit to specific domain
• -v 2 - increase verbosity

🚪

Authentication / Login Tests

Brute force attacks and credential testing

hydra

Brute-force login forms

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.XX http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login"

Customize the form parameters and failure message based on the target application

💡 Common Variations:
• http-get for basic auth
• -L userlist.txt for multiple users
• -t 10 to control thread count
• -f to stop after first valid credential

cewl

Custom wordlist from target site

cewl http://192.168.1.XX/ -w webnode_words.txt

Creates targeted wordlists based on content found on the website

💡 Advanced Usage:
• -d 2 - spider depth
• -m 5 - minimum word length
• -e - include email addresses
• --lowercase - convert to lowercase

💉

Injection Testing

SQL injection and XSS vulnerability detection

sqlmap

Automated SQL injection testing

sqlmap -u "http://192.168.1.XX/workflow/search.php?q=test" --batch

Requires real query parameters - look in /workflow, /survey, or other dynamic pages

💡 Advanced Options:
• --dbs - enumerate databases
• --tables -D database_name - enumerate tables
• --dump -T table_name -D database_name - dump data
• --risk 3 --level 5 - aggressive testing

XSStrike

Advanced XSS detection tool

xsstrike -u "http://192.168.1.XX/workflow/search.php?q=test"

Finds XSS payload spots with context-aware testing

💡 Usage Tips:
• --crawl - automatically crawl for parameters
• --blind - test for blind XSS
• --fuzzer - use built-in fuzzer
• Test forms with --data "param=value"

📂

File & Directory Discovery

Enumerate hidden files, directories, and endpoints

feroxbuster

Fast, recursive directory brute-forcer

feroxbuster -u http://192.168.1.XX/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o ferox.txt

Faster than Gobuster with recursive scanning capabilities

💡 Useful Flags:
• -x php,html,txt - specify extensions
• -t 50 - increase threads
• -d 2 - recursion depth
• --filter-status 404 - filter responses

🛡️

Config & Server Checks

Server configuration and security analysis

nikto

Web server vulnerability scanner

nikto -h http://192.168.1.XX -Plugins apache,cookies,headers,vuln

Enhanced Nikto scan with specific plugins for detailed analysis

💡 Plugin Options:
• -Plugins auth - authentication bypasses
• -Plugins paths - interesting paths
• -o report.txt - save output
• -Format txt - specify output format

davtest

WebDAV vulnerability testing

davtest -url http://192.168.1.XX/

Checks if WebDAV is enabled and tests file upload vulnerabilities

💡 Advanced Testing:
• -directory /webdav - specify WebDAV path
• -sendbd auto - auto detect file upload
• Look for PUT/MOVE/COPY methods in HTTP responses

⚡

Network / Protocol Testing

Network-level analysis and protocol testing

nmap NSE

HTTP-specific Nmap scripts

nmap -p80,443 --script=http-enum,http-vuln*,http-headers 192.168.1.XX

Enumerates paths, headers, and CVEs using Nmap's scripting engine

💡 Useful HTTP Scripts:
• http-methods - enumerate HTTP methods
• http-robots.txt - check robots.txt
• http-title - extract page titles
• http-backup-finder - find backup files

testssl.sh

Comprehensive SSL/TLS testing

testssl.sh https://192.168.1.XX

More detailed SSL analysis than sslscan - checks protocols, ciphers, vulnerabilities

💡 Specific Checks:
• -U - check for vulnerabilities only
• -p - check protocols only
• -S - check server defaults
• --htmlfile report.html - HTML output

📋

Posture Auditing

System hardening and configuration assessment

lynis

System security auditing

sudo lynis audit system

Run on the target system (if owned) for hardening advice and security misconfigurations

💡 Audit Options:
• --check-all - run all available tests
• --report-file /tmp/report.dat - custom report location
• --verbose - detailed output
• Review suggestions in /var/log/lynis-report.dat

🕸️

Spidering & Advanced Scanning

Comprehensive application crawling and analysis

arachni

Advanced web application scanner

arachni http://192.168.1.XX/ --output-only-positives

More advanced scanner than basic tools - includes smart crawling and vulnerability detection

💡 Advanced Features:
• --scope-include-pattern - limit scope
• --report-save-path=/tmp/report - save report
• --checks=xss,sql_injection - specific checks
• --browser-cluster-pool-size=2 - performance tuning

📋 Example Target Formats

Single Host

192.168.1.XX

With Protocol

http://192.168.1.XX/

With Port

http://192.168.1.XX:8080/

Specific Path

http://192.168.1.XX/app/

WebApp PenTest