Web Application Testing Methodology

Overview

Web application penetration testing focuses on identifying vulnerabilities in web applications, APIs, and their supporting infrastructure. This methodology provides a structured approach based on the OWASP Testing Guide, covering reconnaissance, mapping, vulnerability discovery, exploitation, and reporting.

Scope Definition

Before testing begins, confirm with the client:

  • In-scope URLs — specific domains, subdomains, and paths
  • Authenticated vs. unauthenticated — credentials for different user roles (admin, regular user, read-only)
  • API scope — REST endpoints, GraphQL, WebSocket connections
  • Exclusions — production databases with real data, payment processing, third-party integrations
  • Allowed test types — automated scanning, manual testing, brute-force, file upload testing, etc.
  • Testing environment — production, staging, or development

Reconnaissance

Technology Fingerprinting

Identify the web stack before diving into vulnerability testing:

  • Web server (Apache, Nginx, IIS)
  • Application framework (ASP.NET, Django, Laravel, Spring, Express)
  • Programming language (PHP, Python, Java, C#, Node.js)
  • CMS (WordPress, Drupal, Joomla)
  • JavaScript frameworks (React, Angular, Vue)
  • WAF presence (Cloudflare, Akamai, ModSecurity)
# WhatWeb — technology fingerprinting
# https://github.com/urbanadventurer/WhatWeb
whatweb -a 3 http://<target>

# Wappalyzer alternative via curl headers
curl -sI http://<target> | grep -iE "server:|x-powered-by:|x-aspnet"

Content Discovery

Map the application surface before testing:

# Gobuster — directory and file brute-force
# https://github.com/OJ/gobuster
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -x php,asp,aspx,jsp,html -o dirs.txt

# Ffuf — content discovery with filtering
# https://github.com/ffuf/ffuf
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -mc 200,301,302,403 -o ffuf.json -of json

# Check for common sensitive files
curl -s -o /dev/null -w "%{http_code}" http://<target>/robots.txt
curl -s -o /dev/null -w "%{http_code}" http://<target>/.git/HEAD
curl -s -o /dev/null -w "%{http_code}" http://<target>/wp-login.php
curl -s -o /dev/null -w "%{http_code}" http://<target>/.env

Subdomain Enumeration

# Ffuf — virtual host discovery
# https://github.com/ffuf/ffuf
ffuf -u http://<target> -H "Host: FUZZ.<domain>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs <baseline-size>

Application Mapping

Before testing for vulnerabilities, understand the application:

Crawling

  • Walk through all pages manually, clicking every link
  • Identify all forms, input fields, and file upload points
  • Note hidden fields, JavaScript-generated content, and AJAX calls
  • Map all API endpoints (check JavaScript sources, network tab)

Authentication Flows

  • Login, logout, registration, password reset
  • Session management (cookies, tokens, headers)
  • Multi-factor authentication mechanisms
  • OAuth/SSO flows and callback URLs

Access Control Model

  • Identify all user roles (anonymous, user, admin, API)
  • Map which pages/endpoints are accessible to each role
  • Note authorization enforcement points

Vulnerability Testing

Injection

Test all input points for injection vulnerabilities:

  • SQL injection — single quotes, UNION queries, blind techniques (time-based, boolean-based); test GET/POST parameters, headers, and cookies
  • Command injection — pipe characters, semicolons, backticks in parameters that interact with the OS
  • SSTI — template expressions ({{7*7}}, ${7*7}) in user input rendered by server-side templates
  • XXE — XML payloads with external entity references in any endpoint accepting XML input
  • LDAP injection — special characters in login forms connected to LDAP backends
# SQLMap — automated SQL injection testing
# https://sqlmap.org/
sqlmap -u "http://<target>/page?id=1" --batch --level 3 --risk 2

# SQLMap — test POST parameters
sqlmap -u "http://<target>/login" --data "user=admin&pass=test" --batch

Authentication and Session Management

  • Default credentials — test admin:admin, admin:password, etc.
  • Brute-force — test rate limiting and lockout mechanisms
  • Password policy — verify minimum complexity requirements
  • Session fixation — check if session ID changes after login
  • Session timeout — verify sessions expire after inactivity
  • Cookie flags — check for Secure, HttpOnly, and SameSite attributes

Cross-Site Scripting (XSS)

  • Reflected XSS — inject payloads in URL parameters, test response
  • Stored XSS — inject in persistent fields (comments, profiles, etc.)
  • DOM-based XSS — audit client-side JavaScript for unsafe sinks (innerHTML, document.write, eval)
  • Test in all contexts: HTML body, attributes, JavaScript, URLs

Access Control

  • IDOR — manipulate object IDs in URLs and API requests to access other users' data
  • Privilege escalation — perform admin actions as a regular user (horizontal and vertical)
  • Forced browsing — access admin pages directly without authentication
  • HTTP method tampering — try PUT, DELETE, PATCH on restricted endpoints

File Upload

  • Upload files with executable extensions (.php, .asp, .jsp)
  • Test bypass techniques (double extensions, null bytes, content-type manipulation, magic bytes)
  • Check if uploaded files are directly accessible and executable

Business Logic

  • Test workflow bypasses (skip steps in multi-step processes)
  • Race conditions (concurrent requests to exploit timing windows)
  • Price manipulation, quantity manipulation in e-commerce flows
  • Test for improper input validation beyond standard injection checks

API-Specific Testing

  • Authentication — test API key, JWT, OAuth token validation
  • Rate limiting — verify API endpoints enforce request limits
  • Mass assignment — send extra parameters in POST/PUT requests
  • Excessive data exposure — check if API returns more data than the UI displays
  • GraphQL — introspection queries, nested query DoS, authorization bypass
# Ffuf — API endpoint fuzzing
# https://github.com/ffuf/ffuf
ffuf -u http://<target>/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,201,401,403

Security Headers Review

Check for missing or misconfigured security headers:

Header Expected Value
Content-Security-Policy Restrictive policy preventing inline scripts
X-Content-Type-Options nosniff
X-Frame-Options DENY or SAMEORIGIN
Strict-Transport-Security max-age=31536000; includeSubDomains
Referrer-Policy no-referrer or strict-origin-when-cross-origin
Permissions-Policy Restrict camera, microphone, geolocation 
# Check security headers
curl -sI https://<target> | grep -iE "content-security|x-content-type|x-frame|strict-transport|referrer-policy|permissions-policy"

Reporting

Web application findings should include:

  • Vulnerability name and CWE classification
  • Affected URL/endpoint and parameter
  • Request/response pairs demonstrating the issue
  • Impact — what an attacker could achieve
  • Severity — based on exploitability and impact (use CVSS)
  • Remediation — specific fix (not just "validate input")
  • Proof of concept — minimal reproduction steps

References

Frameworks and Standards