Back to Blog

Web App Penetration Testing Methodology (2025)

Oct 26, 2025
pentestsecuritywebowasp
0

A repeatable pentest methodology improves outcomes and trust. This guide outlines a pragmatic, evidence-driven approach.

Phases

  1. Scoping and rules of engagement (ROE)
  2. Reconnaissance (OSINT, asset discovery)
  3. Threat modeling (STRIDE/kill chain)
  4. Exploitation (OWASP Top 10, business logic)
  5. Post-exploitation (impact, lateral movement)
  6. Reporting (risk, evidence, reproduction)
  7. Retest (verify fixes)

Tooling

  • Burp/ZAP, Nmap, nuclei, httpx, SSRF testers, SAST/DAST, Semgrep

Evidence

  • Screenshots, raw requests/responses, PoCs, timelines, affected assets

Reporting

  • Severity (CVSS/business impact), likelihood, fix guidance, root cause, SLAs

Common findings

  • IDOR/BOLA, broken auth, CSRF, SSRF, RCE via unsafe deserialization, misconfig

FAQ

Q: Automated vs manual?
A: Both—automate breadth, focus human effort on logic flaws, chaining, and impact demonstration.

  • API Security OWASP: /blog/api-security-owasp-top-10-prevention-guide-2025
  • Zero Trust Architecture: /blog/zero-trust-architecture-implementation-guide-2025
  • Compliance Automation: /blog/compliance-automation-sox-hipaa-gdpr-devops-2025
  • Incident Response: /blog/incident-response-playbook-security-breaches-2025
  • Supply Chain Security: /blog/supply-chain-security-sbom-slsa-sigstore-2025

Call to action

Need a pentest? Book a scoped engagement with remediation guidance.
Contact: /contact • Newsletter: /newsletter

Penetration Testing Web Applications: Methodology (2025)

A comprehensive, ethical, evidence-driven playbook for assessing and improving the security of modern web applications, APIs, and their surrounding platforms.

  • Do no harm: safety first, minimize impact, never exceed scope
  • Written authorization (Rules of Engagement, ROE) signed before any testing
  • Define scope: domains, APIs, environments, hours, accounts, third-parties
  • Data handling: PII minimization, encryption, retention, sanitization
  • Reporting timelines, escalation procedures, communication channels

2) Rules of Engagement (ROE) Template

- Scope: app.example.com, api.example.com (v1/v2), assets.examplecdn.com
- Out-of-scope: prod payments, third-party widgets except listed
- Testing windows: 02:00–06:00 UTC (Mon–Thu)
- Prohibited: DoS, data destruction, social engineering (unless approved)
- Allowed: password spraying with rate limits, test PII dummy accounts
- Contacts: IC, App Owner, Security, On-Call SRE
- Evidence handling: encrypted vault; WORM storage for final deliverables

3) Phases Overview

1. Recon and Threat Modeling
2. Mapping: content, endpoints, parameters, state machines
3. Discovery: vuln classes (OWASP Top 10 + beyond)
4. Exploitation: controlled, minimal impact
5. Post-exploitation: data exposure, pivot feasibility (respect ROE)
6. Validation: reproduce, minimize noise, capture PoC
7. Reporting: risk, impact, remediation, evidence
8. Fix Verification: retest, regression checks

4) Reconnaissance

- DNS and subdomains: passive (crt.sh, Amass), active (massdns as permitted)
- Tech fingerprint: Wappalyzer, HTTP headers, TLS, CDNs, WAFs
- Content discovery: robots.txt, sitemap.xml, dir brute-force (rate-limited)
- JS inspection: endpoints, tokens-in-code (no exfil), feature flags
- Source maps (if exposed): map bundle → source; sensitive strings (respect ROE)
- Enumerate tenants, locales, feature toggles, user roles

5) Threat Modeling (STRIDE/LINDDUN)

- Actors: users, admins, service accounts, partners, attackers
- Assets: PII, credentials, tokens, payment data, secrets
- Trust boundaries: browser↔API, internal services, 3rd parties
- Attack paths: auth bypass, access control, SSRF, CI/CD artifacts

6) Authentication and Session

- Password policy, MFA/2FA, recovery flows
- OAuth/OIDC: auth code + PKCE, refresh tokens, consent
- Session: cookie attributes (HttpOnly, Secure, SameSite), rotation
- Remember‑me, device binding, session fixation
- Brute force protections, lockouts, CAPTCHA, risk-based auth

7) Access Control (IDOR/BOLA)

- Object IDs: numeric, GUID, slug; attempt horizontal/vertical access
- Broken object property level authorization (BOPLA)
- GraphQL field-level auth, REST verbs consistency
- Multi-tenant isolation: orgId scoping, cross-tenant leaks

8) Input Validation and Output Encoding

- XSS: reflected, stored, DOM; CSP effectiveness; Trusted Types
- Template injection: SSR templating, sandbox escapes
- SQL/NoSQL/ORM injections; parameterization verification
- Command injection; server-side template injection (SSTI)
- Output encoding contexts: HTML, attribute, JS, URL

9) Business Logic Abuse

- Workflow bypass: cart→checkout steps
- Race conditions: coupon, credit, limit bypass
- Price manipulation; quantity overflow; negative values
- Re-entrancy-like multi-click issues in web contexts

10) SSRF and Deserialization

- SSRF via URL fetchers, webhooks, image importers
- Block link-local, metadata (169.254.169.254), RFC 1918 ranges
- Deserialization gadgets (Java/.NET/PHP): only if allowed by ROE

11) File Upload and Storage

- MIME/bypass, polyglots, parser confusion
- Image processing (Exif, ImageMagick) vulnerabilities
- Path traversal, overwrite; S3/Blob misconfig (public ACLs)
- Antivirus, content scanning, size/quota

12) API Testing — REST

- Enumerate methods; schema (OpenAPI) drift
- Rate limiting, pagination, filtering, projection
- HATEOAS and hidden endpoints; versioning
- ETag, cache, idempotency keys for PUT/POST

13) API Testing — GraphQL

- Introspection (prod disabled?), field auth, depth/cost limits
- Batch queries, aliasing abuse, persisted operations
- GraphQL file upload spec issues; error leaks

14) API Testing — gRPC/WebSockets/SSE

- gRPC reflection (disable in prod), auth metadata
- WS auth on upgrade; message schema validation; CSWSH
- SSE: token leakage in URLs, cache control

15) OAuth/OIDC/JWT

- Flows: code+PKCE preferred; implicit avoided
- JWT: alg=none, kid injection, key confusion, weak signing
- Token lifetimes, rotation, revocation; refresh token bound to client
- mTLS for confidential clients; dynamic client registration controls

16) Secrets and Crypto

- Secrets in code/bundles; source maps; env leaks
- TLS profiles, HSTS, cookie flags, modern ciphers
- Storage encryption (KMS); key rotation; password hashing (bcrypt/argon2)

17) Rate Limiting and Anti‑Automation

- Per IP/user/token; WAF integration; UA/device fingerprinting
- Challenge (hCaptcha/TOTP) gating high-risk flows
- Velocity checks; step-up auth triggers

18) Data Exposure and Privacy

- PII minimization; sensitive in logs; referer leakage
- Cache control; CDN behavior; ETag user tracking
- Download endpoints: signed URLs, TTL, scope

19) Cloud and Platform Targets

- S3/Blob ACLs; presigned URL scope; bucket listing
- IAM roles: least privilege; instance metadata access
- Serverless endpoints: auth, input validation, cold start abuse

20) CI/CD and Supply Chain

- Build secrets exposure; artifact signing; SBOM
- Dependency confusion/typosquatting; lockfiles; registry policies
- Environment promotion gates; test key rotation runbooks

21) SDLC Integration

- SAST/DAST/IAST in CI; pre-commit hooks; secret scanning
- Security champion program; threat modeling as code (TM notebooks)
- Security unit tests and contract tests for authz

22) Evidence and PoCs

- Repro steps with rate-limited, non-destructive payloads
- Screenshots, request/response, timelines; redact sensitive data
- Hash PoCs; store in encrypted vault; share minimal necessary

23) Risk Rating and Impact

- Use CVSS + business context; likelihood vs impact
- Consider data class, regulatory triggers, exploitability, compensating controls

24) Remediation Guidance

- Concrete fixes; code-level where possible; safe defaults
- Defense-in-depth: validation, encoding, authz, logging, alerts
- Verify with tests; add regression checks; monitor in prod

25) Report Structure Template

- Executive Summary: risk, impact, key findings, recommendations
- Scope and Methodology: ROE, tools, timelines
- Findings: per item (title, risk, evidence, impact, remediation)
- Appendices: PoCs, configs, checklists, references

26) Checklists (Condensed)

- Auth: MFA, recovery, brute-force, session rotation
- Access Control: IDOR/BOLA, field-level, tenant isolation
- Inputs/Outputs: XSS, SQLi/NoSQLi, encoding, SSTI
- APIs: rate limits, versioning, errors, cache, auth
- File Uploads: MIME, size, AV scan, path traversal, storage ACLs
- Secrets: code, env, source maps, storage
- Privacy: logs, referer, cache, downloads
- Cloud: buckets, metadata, roles
- CI/CD: secrets, SBOM, artifact signing

27) Dashboards (Sketch)

{
  "title": "Web App Security Overview",
  "panels": [
    {"type":"table","title":"Open Findings by Risk"},
    {"type":"graph","title":"Fix SLA Compliance"},
    {"type":"table","title":"Top Repeated Root Causes"}
  ]
}

28) Playbooks

- XSS found: sanitize/encode, CSP tighten, add tests, retro code scan
- IDOR: add checks server-side, deny by default, access logs review
- SSRF: block internal ranges, SSRF proxies, metadata IMDSv2 only
- JWT: enforce alg, verify kid source, rotate keys, short TTL

29) Tooling (Indicative)

- Recon: Amass, Subfinder, httpx, nuclei (safe templates)
- Web: Burp/ZAP (rate-limited), XSStrike, KXSS
- APIs: Postman/Insomnia, graphql-playground (staging), gqlmap
- Code: Semgrep, Trivy, Gitleaks, Snyk, Dependabot

30) Mega FAQ (1–200)

  1. Can we test in prod?
    Only with strict ROE, low-risk payloads, and approvals.

  2. Do you run DoS tests?
    Not unless explicitly authorized and in staging.

  3. Is SAST/DAST enough?
    They help; combine with manual testing and threat modeling.

  4. How do you avoid data exposure?
    Use dummy accounts, sanitize evidence, restrict handling.

  5. Do you exploit chains?
    Minimal viable PoC to prove risk; no lateral movement unless agreed.

Related posts