| name | pentesting-web-apps |
| description | Web application pentesting guidance for URL-driven assessments. Use this skill when testing an authorized web app from a single starting URL to map endpoints, analyze authentication, probe for injection flaws, and check business-logic authorization issues. |
| license | MIT |
| metadata | {"author":"b12consulting","version":"1.0.0"} |
Web App Pentesting
Use this skill when the only provided input is the target web application's base URL and you are explicitly authorized to test it.
Input Contract
- Accept exactly one required input: the base URL of the web app under test.
- Derive scope from that URL unless the user explicitly expands it.
- Stay inside the target origin and closely related subpaths unless the user authorizes additional domains.
- Record every finding with the exact URL, request method, parameters, user role used, and observed impact.
Preferred Tooling
Prefer free tools, with an open-source-first approach:
| Tool | Primary Use |
|---|
| Playwright | Drive authenticated user flows, inspect forms, and replay logic checks in a real browser |
| OWASP ZAP | Spider/AJAX spider, passive analysis, request replay, and active checks |
| Burp Suite Community | Optional manual proxying and repeater workflows when a human-in-the-loop review helps |
| ffuf or feroxbuster | Content discovery for unlinked paths, files, and parameters |
| sqlmap | Targeted follow-up validation for suspected SQL injection points |
| Dalfox | Focused follow-up validation for reflected or stored cross-site scripting candidates |
| jwt-tool | JWT parsing, weak secret checks, and algorithm confusion review |
Start with Playwright and ZAP because they can cover most discovery and validation tasks from a single URL input.
Engagement Flow
- Normalize the provided URL and confirm the scheme, host, and reachable entrypoint.
- Crawl the application to build a route inventory of pages, APIs, forms, parameters, and client-side requests.
- Identify authentication surfaces such as login forms, session cookies, JWTs, password reset, magic links, and "remember me" behavior.
- Probe input points for common injection classes with safe, targeted payloads and confirm any suspicious behavior with a second method.
- Exercise business logic and authorization boundaries, especially object identifiers in paths, query strings, request bodies, and GraphQL variables.
- Summarize findings by severity, reproduction steps, evidence, and remediation guidance.
Crawler / Spider
Goal: map the application's reachable URL structure and likely hidden endpoints from the starting URL.
- Use Playwright to walk the visible UI, capture navigation paths, collect forms, and note XHR/fetch requests.
- Use OWASP ZAP spider and AJAX spider against the same origin to discover server-rendered and JavaScript-driven routes.
- Use ffuf or feroxbuster for low-noise content discovery against common directories, API prefixes, and backup file names when appropriate.
- Build an inventory that includes:
- Pages and API endpoints
- HTTP methods observed
- Query, body, and path parameters
- Authenticated versus unauthenticated reachability
- File upload surfaces
- Hidden or unlinked endpoints found via scripts, manifests, sitemaps, or robots.txt
Auth Analysis
Goal: test whether authentication and session handling can be bypassed, weakened, or reused incorrectly.
- Identify all state tokens: session cookies, JWTs, CSRF tokens, device tokens, and "remember me" cookies.
- For JWTs:
- Decode header and claims, verify algorithm choice, and check for weak secrets or insecure verification patterns.
- Review expiration, issuer, audience, subject, privilege claims, and token revocation behavior.
- Check whether modified claims are rejected server-side.
- For sessions:
- Test whether session identifiers rotate after login, privilege changes, and logout.
- Check whether old sessions remain valid after password reset or logout.
- Confirm cookies use secure attributes such as
HttpOnly, Secure, and appropriate SameSite.
- For "remember me":
- Determine whether the token behaves like a long-lived password substitute.
- Check revocation, device binding, expiration, and whether theft of the token grants full account access.
- For session hijacking risk:
- Reuse captured session material in a fresh browser context and confirm whether reauthentication is required for sensitive actions.
- Verify that elevated actions are protected by current-session checks and not only by possession of a stale cookie or token.
Injection Probes
Goal: run automated, targeted checks against discovered inputs and validate the highest-signal findings.
- Prioritize high-value input points:
- Search boxes
- Login and password reset fields
- Profile and settings forms
- Filter, sort, and export parameters
- JSON and GraphQL bodies
- File upload metadata
- Check for:
- SQL injection
- Cross-site scripting (stored and reflected)
- Server-side request forgery
- Use ZAP, Playwright-driven form submission, and focused follow-up tools such as sqlmap and Dalfox only on confirmed candidate parameters.
- Correlate results across at least two observations before reporting a confirmed vulnerability, such as:
- Application error behavior
- Response timing changes
- Out-of-band interaction evidence where authorized
- Rendered payload reflection or execution
Logic Tester
Goal: detect broken access control and business-logic flaws, especially IDOR-style issues.
- Enumerate object references in URLs, forms, JSON bodies, and client-side API calls:
user_id
org_id
project_id
- invoice, document, ticket, or report identifiers
- Replay the same request while changing one identifier at a time.
- Compare responses across:
- Unauthenticated context
- Low-privilege account
- Higher-privilege account when authorized for role testing
- Look for evidence of broken authorization:
- Access to another user's record
- Partial metadata leakage
- Writable actions on another tenant's resources
- Inconsistent authorization between UI and API
- Also test workflow flaws such as skipping required steps, reusing expired links, or performing state transitions out of order.
Reporting Expectations
For each finding, provide:
- Title and severity
- Affected URL or endpoint
- Preconditions and account role used
- Step-by-step reproduction from the supplied URL
- Evidence of the observed behavior
- Security impact
- Clear remediation guidance
Safety Rules
- Only assess systems you are explicitly authorized to test.
- Prefer low-impact checks first and avoid destructive actions unless the user explicitly requests them.
- Rate-limit aggressive crawling and fuzzing to reduce service disruption.
- Stop and ask for clarification if the discovered scope expands beyond the originally supplied URL.
Scripts
Ready-to-use helper scripts are in the scripts/ directory. They default to a safe dry-run mode that writes a plan and expected outputs; pass --execute to actually run the available tools.
| Script | Purpose |
|---|
scripts/crawl-surface.sh [--execute] <url> [output-dir] | Compose Playwright, OWASP ZAP, and feroxbuster/ffuf discovery steps from a single URL |
scripts/auth-analysis.sh [--execute] [--jwt-file token.txt] <url> [output-dir] | Capture auth-related headers, inspect cookie flags, and optionally audit a JWT with jwt-tool |
scripts/injection-probes.sh [--execute] <url> [output-dir] | Generate targeted SQLi, XSS, and SSRF probe URLs from query parameters and prepare sqlmap/Dalfox/ZAP follow-ups |
scripts/logic-tester.sh [--execute] [--cookie-header 'name=value'] <url> [output-dir] | Mutate identifier-like query/path values and compare responses for IDOR-style checks |
scripts/run-assessment.sh [--execute] <url> [output-root] | Run the crawl, auth, injection, and logic scripts as one composed workflow |
scripts/playwright-crawl.mjs <url> <output-dir> [max-pages] | Playwright helper used by crawl-surface.sh to inventory pages, forms, and requests |
Example workflow:
bash scripts/run-assessment.sh https://example.com ./findings
bash scripts/crawl-surface.sh --execute https://example.com ./findings/crawl
bash scripts/auth-analysis.sh --execute https://example.com ./findings/auth
bash scripts/injection-probes.sh https://example.com/search?q=test ./findings/injection
bash scripts/logic-tester.sh --cookie-header "session=..." https://example.com/api/users/42 ./findings/logic