Pentesting 101 – How to pentest a web app

Rhythm Jain
May 6, 2021

Being very honest, it is not possible for everyone to pentest a web application! You have to hire a Cyber Security Professional or skilled Penetration Tester for this job. Although there are some automated tools (discussed later below) that can do the work for you, it is not recommended to rely on them because you need to have special skills and they are not able to perform as efficiently as a human can.

Being in the Penetration Testing field for quite some time now, I have figured out a proper roadmap that helps to perform a penetration test on a web application:

5 Steps to Conduct a Pentest on a Web App

1. Gather information about your target

2. Check the tech stack of the application

3. Check for subdomains

4. Look for OWASP TOP 10 vulnerabilities

5. Make your final checks

Gather information about your target

There is a term known as “Reconnaissance”, which means, collecting data about your target. I consider this step, as the most important one of all, because the more information you have the easier it gets to find a vulnerability.

In this attack, a wordlist of the most commonly used usernames and passwords are attached to the tool and the tool adds the credential to the login page. If an attacker is successfully able to log in as an administrator, the authorised admin of the website will not have any access to the admin panel. Hence, the person won’t be the owner of the website anymore.

Check the tech stack of the application

You have to check for all the technologies that the web app is using and the version of the technology. It might be possible that the application is using a component with an outdated version which contains an exploit available on This can be directly used to attack the technology.

Check for subdomains

Do not stick to the parent domain of a website, it might be possible that it contains subdomains as well. Search for all the subdomains of a website using a tool written in python called “Sublist3r”. It might be possible that there is an orphan subdomain that can be hijacked by a hacker.


Use “Burpsuite Pro”, it is a local proxy tool, which can be easily integrated with any browser and all the requests and responses traveling between browser and server can be intercepted and modified.

Try to read the requests and responses and start playing with the headers of the requests. Try to inject some additional header in the request that can retrieve some sensitive information about the web app. Use Burpsuite’s crawler to crawl on all the pages of the website which can give you some juicy information. Try some useful Burpsuite’s extensions to pentest the site more efficiently.

Look for OWASP TOP 10 vulnerabilities

Test, test, test! These are the most commonly found vulnerabilities on a web app. Vulnerabilities that come under OWASP TOP 10 are:

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access control
  • Security misconfigurations
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with known vulnerabilities
  • Insufficient logging and monitoring

Make your final checks

Finally, check for some business logic flaws and 2FA bypasses like Captcha bypass or OTP bypass as these vulnerabilities can result in account hijacking.

Tools for automated pentest 🔎

When it comes to automated web application penetration testing tools and software such as Acunetix, Tenable, Nessus and Netsparker, these tools are quite famous in automated pentesting and are widely used by enterprises, but even then, it is highly recommended to go for manual penetration testing! No machine or tool is as intelligent as a human being is.

There are various vulnerabilities other than these which you may need to test for in a web application. To know more about Web Application Penetration Testing leave your comment below.

written by
Rhythm Jain
Ethical Hacker

Compare and find the pentesting company you trust

No credit card required.
Oops! Something went wrong while submitting the form.