How To Do Web Application Penetration Testing

Our penetration test services deliver instant ROI with an agile, efficient solution testing resilience to the latest attacks and APT methods.

While there are many ways to perform a penetration testing that evaluates a company’s security posture, this article will focus on web applications.

The four steps of web application penetration testing include information gathering, research, exploitation, reporting, recommendations, and remediation along with ongoing support. These tests are used to ensure that software code is secure throughout its entire lifecycle. This type of penetration test is used to identify code mistakes, requirements specific or lack of knowledge about cyber attack vectors.

This article will show you how to do security testing on a website application. It also includes popular tools that can be used for a penetration test of a web-application.

Types Of Penetration Testing
Internal VS ExternalNetworkSocial Engineering

What is Web Application Penetration Testing?

Web application penetration testing is a series of steps that aims to gather information about the target system, find vulnerabilities or faults, and then search for exploits that can defeat those faults or vulnerabilities, and compromise the web app.

The Open Web Application Security Project (OWASP), is a community that focuses on reporting and discovering web application security flaws.

The reputable list of the top 10 security flaws they have published is updated each year to reflect current trends in web application security. OWASP publishes security tools and articles that are the most widely used.

Why Web Application Pen Testing Are Performed

Because of the rapid growth in web applications, more internet resources are being used to develop and configure the software to work on the new environment.

However, this new frontier has opened up another avenue for malicious hackers to use for their personal gain.

Some web applications may contain sensitive data. It is crucial to protect them at all costs, especially as many of them are publically available on the internet.

The best and most cost-effective way to combat web application vulnerabilities is to include web app penetration testing in your Software Development Life Cycle (SDLC) process.

Software Development Lifecycle

The Software Development Lifecycle (SDLC) is an overall set of guidelines that aim to increase the success of software being developed for future uses.

SDLC is a series of steps that can be taken to create a better product. It also considers the best cost-effective method of doing it.

Software testing is an important part of the SDLC process. It involves many key parameters or events.

Engineers and project managers have the opportunity to work with clients at various stages of the development process. This includes brainstorming, coding, and finally, delivery of the application.

Programming Mistakes

Programmers often make mistakes. Faults can be distinguished from defects because they could enable a malicious attacker exploit the application to create dangerous conditions or scenarios where personal information could be compromised or access could be granted to unauthorized users.


Technical Debt is the time developers spend getting back to their code to fix bugs or implement updates. This is especially true when security is a secondary concern. This occurs when code is rushed to production without being thoroughly tested.

Therefore, defect testing in the early stages is often less costly than testing later in the SDLC process.

If there are any vulnerabilities or faults in the web application configuration, the SDLC will patch the software.

What Methodologies and Steps Are Used To Perform A Web Application Pen Test?

Penetration testing a web app focuses primarily on the environment and setup. This helps to highlight the differences between an application (or web application) and a website application.

Testing the web application involves gathering information about the app, and then mapping out the network that hosts it. The actual learning and managing of the application is done later, while we investigate possible injection tampering.

Step 1 – Information Gathering

The reconnaissance phase of any penetration testing process is the most crucial step. It provides you with the information you need to quickly identify and exploit vulnerabilities.

This phase can be thought of as the foundation for the pyramid you are building.

There is a choice of two types of reconnaissance, depending on what type of interaction you are looking to have with the target system.

  1. Active Reconnaissance
  2. Passive Reconnaissance

Passive Reconnaissance

passive reconnaissance is the act of gathering information from the internet without actually interacting with the target systems.

This phase involves a lot of research online, starting with Google. Google syntax is often used to identify subdomains of websites, link information, and other steps.

To narrow down Google search results, you could use the following syntax: site:*

Wayback Machine can be used to see how a website looked years ago. This website can allow you to interact with the website’s target without actually coming in contact with it.

You can explore the older version of the website to find any features that could be useful later on in your research and exploitation phases.

Active Reconnaissance

Active reconnaissance , in contrast to passive reconnaissance directly probes and retrieves an output.

Active reconnaissance can include fingerprinting the website application, using Shodan’s network scanner, performing a DNS forward/reverse lookup, a DNZ Zone transfer and many other activities.

Fingerprinting A Web Application Using Nmap

Fingerprinting a website app involves collecting information such as the scripting language, version and server software, as well the OS. This can be done largely with the Nmap network scanner.

Run Nmap against the target IP, or range of target IPs. Note down any open ports and services. Also include information about the OS version.

Shodan Network Scanner

If the web app is publicly accessible, the Shodan network scanner will identify any additional information.

Shodan scans all publicly available IPs and provides extensive information. The information includes geolocation, port numbers, software used, and other useful details.

DNS Forward and Reverse Lookup

Forward dns lookup and ping are all useful tools to associate subdomains with IP addresses.

DNS Zone Transfer

Use “nslookup” command for DNS server identification to perform DNS zone transfer. Websites specifically designed for DNS server identification are another option. Once you have identified all DNS servers, you can use the “dig” command to attempt DNS zone transfer.

Search for Related External Sites

This is an important step during the information gathering stage, as traffic flows between the target site and external sites. Burp Suite is the best tool for this, which we’ll discuss in greater detail later.

Inspect HEAD, OPTIONS HTTP requests

The web server software version and HEAD responses will be revealed by OPTION and HEAD requests. Sometimes, the responses include even more valuable information.

This information can be easily intercepted by visiting the target site while Burp Suite’s “intercept On” feature is turned on.

Get information about your web app via error pages

An error page can give you valuable feedback about the server version and type that the website runs on. This information can be used to visualize the environment for the web application.

Modify the URL of your desired website to get rid of the 404_ not found error. The forum page below reveals the server’s version (ngnix/1.12.2).

Examining the source code

You can also use source code to get a lot more information, which you can then use later to discover a vulnerability.

You can determine the application environment by carefully examining the code.

The screenshot below shows that the website runs on Apache server version 2.2.14.

Documentation during the Reconnaissance Phase

It is important to keep track of everything during the investigation phase.

This baseline will allow you to continue your research on the target and possibly find weaknesses in the system that you can later exploit.

Next, we’ll introduce you to some of the most common tools for application penetration testing. We will also demonstrate techniques such as security scanning, sql injections and password brute force cracking.

Step 2 – Research and Exploitation

You have a lot of security tools available to you when performing web app penetration tests. Most of them are open-source.

It can be difficult to narrow down your options to just a few tools. Reconnaissance is crucial.

You not only find all the information you need to discover vulnerabilities and exploits later, but you also narrow down attack vectors and the tools that you can use to achieve your goal.

What Tools Can Be Used To Penetrate Web Application Testing?

The reconnaissance phase and discovered vulnerabilities are the most important factors in the penetration testing process. A thorough investigation is essential to find the right exploit and gain access to the system.

Online scanners and search engines are great tools to passively gather information about your target. Nmap can be used to identify live ports and enumerate target systems.

The most popular tools used in website penetration testing are:

  • W3af
  • Burp Suite
  • SQLMap
  • Metasploit
  • Hydra
  • John Ripper
  • Skipfish
  • Ratproxy
  • Wfuzz
  • Watcher

You can use W3af scanner and Burp Suite Toolkit to automate web app vulnerability scanning, sniffing, and exploitation.

There are many other tools that are available in the Metasploit project, but they are beyond the scope of this article.

The Kali Linux Metasploit framework will be your best choice. However, you can supplement it with the best tools in the market specifically designed for web application penetration testing.

This list will provide an overview of the tools available and their capabilities.

Web Application Framework (W3af ) 300

Web Application Framework, also known as is a security scanner that’s primarily used to find vulnerabilities. W3af can be used in any web app penetration testing engagement. It allows you to quickly probe the target site and its hosting server.

Open the W3af console and type “cd w3af” to get started. To open the W3af console, enter “./w3af_console” once you have reached the correct directory.

Next, type “target”, then “set target.x.x.x.x.” and hit the enter key. To jump to a directory, type “back” and the configuration will be saved.

To select the preferred scanning options, you can finally type “set plugins”. To return one directory, you can choose all by entering “audit all” Run the scan by typing “start”

W3af will provide a report detailing the vulnerabilities found after the scan is completed. W3af discovered that the target system was running Apache server version 2.2.8, PHP 5.2.4.

Both versions are susceptible to a CSS attack or Cross Side Scripting attack, as reported by W3af.

W3af offers more features in relation to exploitation, but they are too numerous to be covered here. It is fast and easy to gather information about the target system.

Burp Suite

Burp Suite The open-source web application penetration test tool comes in two versions. Although the open-source version can be used by anyone, it lacks certain features.

Burp Suite’s commercial version offers more automation and capabilities, and is licensed to many penetration testing firms.

Burp Suite is a web application security tool that can be used in all phases of penetration testing. Burp Suite makes it easy to gather http traffic and there are many options for exploitation.

Below is an example of Burp Suite capturing http traffic and then performing an SQL injection attack with Sqlmap.

Open Burp Suite from the Kali Linux desktop. Navigate to the left and search for Burp Suite under the “Web Application Analysis” category. Make sure you have the “intercept tab” selected after loading.

Next, you will need to set Burp Suite up as your proxy web browser. Click on “preferences”, then click “advanced Settings” and choose “connection settings”. Fill in your IP address and port numbers, and 880.

Once everything is set up, navigate to the target website using Firefox and add a 1 to the URL.

In this instance, we were able to insert a “1” in the title section of the PHP vulnerable version and confirm that SQL injections are possible.

Burp Suite can be shut down and the “intercept on” button can be disabled with the captured traffic. Save captured traffic to a file, and exit Burp Suite.

To perform actual SQL injection, you will need to open SQLMap. First, let’s talk about SQLMap. This will help you to appreciate the utility of this tool.


SQLmap - web application penetration testing SQLMap are some of the most powerful open-source tools available. It makes it easy to perform SQL injection attacks, and gives you access to compromised databases servers.

One of the most important features is fingerprinting the database, scanning to detect vulnerabilities, and possibly exploit.

We will continue from the already captured http traffic in Burp Suite and demonstrate how to perform a successful SQL injection attack with SQLMap.

SQLMap will report on the version of the application and the database after the scan is completed. It also includes details about all injection attempts.

Finally, we’ll try to launch a SQL Shell and gain access the backend database. Type “sqlmap -r nameOfTheSavedFile.txt -p title -sql-shell” and hit enter.

If you have the right access to the database that allows you to perform actions like read, write, or delete, this method can prove very efficient.

You can also use SQLMap to attack the target IP to try to access the database. We have selected the BWAPP web app that is most vulnerable to attacks for demonstration purposes.

Next, run the following command to try to inject SQL code in the URL provided for web app target URL.

SQLMap will start and prompt you to confirm that the database version has been detected.

Continue the scan by entering “yes”

Then, add the “–dbs” after the target to continue looking for databases.

SQLMap will detect the available databases. Now, you can list the tables from one database by adding “— tables -D” to the end and specifying the table’s name.

We will continue to gather as much information possible, since our exploit was successful. More sensitive information might be found in the “users” table of the “bwapp” database.

Enter the target URL, the action and the table name, and hit the enter key to dump the “users” table.

SQLMap will detect password hashes in the “users” table and ask you to save them for a dictionary brute force password attack.

Save the hashes in a file, choose the default dictionary option, and run the brute force scanner.

SQLMap will then display the cracked results.

To achieve the same result, you don’t need to use SQLMap’s default password cracking function. Hydra and John Ripper are two of the most well-known password cracking tools.

Cross-Site Skating (XSS).

Many online scanners can provide you with an automatic security scan of any website. This is a quick way to verify vulnerabilities.

W3af framework can also be used to achieve the same results. This attack is usually detected by penetration testers who intercept http communication between the client and server, and then use that traffic to exploit the target system.

Identify 3 rd Partie Software Vendors

For certain functions, applications may use 3 rd party tool . This puts the entire application at risk just like the 3 rd tool.

Find and test vulnerabilities and exploits that are publicly available in the software vendors used by your application.

There are many possible attacks that can be used to exploit databases, servers, and applications.

Session fixation attacks, session hijacking and binary attacks are also common attacks that should be mentioned.

Step 3 Reporting and Recommendations

Web application reports can be written in the same way as any penetration test report.

Your report structure should be concise and contain sufficient data to support your findings. Be as specific as possible and stick to the methods that worked.

You will assist the client company in focusing its efforts on fixing the most critical areas of the system by writing down successful actions and categorizing them according to criticality.

Companies make it a point to always create a report for business-oriented employees so that clients IT staff and management can understand the report and how they are affected by the risk.

4: Remediation and Ongoing Support

Many companies are unable to fix all vulnerabilities discovered by a penetration test. It is best to focus on medium and low vulnerabilities first, and then mitigate the high-risk and critical vulnerabilities.

Prioritization is important as each vulnerability can be exploited at different rates.

While some vulnerabilities can be detected, they are not necessarily possible without prior access to the internal systems. Some vulnerabilities could lead to remote code execution. It is important to prioritize these vulnerabilities to minimize the impact and likelihood of occurrence.

Many penetration testing companies offer a free re-test and provide you with a second penetration test to confirm the mitigations found in the first test.

You can collaborate closely with your IT and Security teams to fix any vulnerabilities discovered after the initial testing.


Web applications are a far better option than the traditional applications. They offer both commercial and practical benefits. Web applications bring functionality to the internet, but at a price.

These systems are often publicly accessible and therefore available to everyone on the internet. Web applications are increasingly popular and accessible online. This means that they often have vulnerabilities in their design and configuration, which can be exploited by malicious hackers.

These systems, which are almost always web-facing, pose a greater risk and should be considered a priority for penetration testing.

It would be in the best interests of a company to conduct annual web application penetration testing if the application has credit card information, personal information, or health records. This will ensure that the company meets all regulatory requirements.

If penetration testing is not necessary, it is strongly recommended. This is the best way to ensure security standards are met, and to avoid unnecessary work.

Web application penetration testing offers a more structured way to automate and manually test applications. There are many tools available. It is highly recommended to choose open-source security solutions, as there are commercial versions with enhanced capabilities.

End of the day, web application penetration testing is testing the environment, database connectivity and source code to discover and exploit vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *