You don't need a pentest budget or a lab full of tools to start testing your own application. Your browser's DevTools and curl cover most manual testing, and the rest is method. One ground rule before anything else: test staging, not production, so a payload that works doesn't take down something real or corrupt live data.
Work through the app in a consistent order rather than poking at random, because random poking misses the same things every time.
Authentication
The login surface is where a lot of the easy wins are:
- Default credentials. Try
admin/adminandadmin/passwordon the login form and any admin panel. - Username enumeration. Do valid and invalid usernames produce different error messages? That difference is a gift to an attacker.
- Brute force. Fire 50 failed attempts. Does anything lock, throttle, or rate-limit?
- Sessions. Is the cookie
HttpOnlyandSecure? Does logout actually invalidate it server-side?
Authorisation
This is where the highest-impact bugs usually hide, because it's the hardest thing to get right.
IDOR. Log in as User A and try to reach User B's data:
GET /api/orders/1002 # With User A's token, this should be a 403
Vertical escalation. As a regular user, call the admin endpoints and see what answers.
Mass assignment. Add {"role": "admin"} to an update request. Does it get accepted?
Injection
Probe every input, because "every input" is exactly where injection lives:
- SQLi. Does
' OR '1'='1change the response? - XSS. Does
<script>alert(1)</script>come back reflected and unescaped? - SSRF. Drop
http://169.254.169.254/into any field that takes a URL.
File upload
Try to upload a .php, a double extension like shell.php.jpg, a filename with ../ in it, and something oversized. Each tests a different assumption in your upload handler.
Let the scanners sweep
Once you've done the thinking by hand, automated tools cover ground quickly and catch the routine stuff:
docker run -t zaproxy/zap-stable zap-baseline.py -t https://staging.example.com
nuclei -u https://staging.example.com -severity medium,high,critical
A repeatable order
Run the same sequence every time so nothing gets skipped: map the app, then test authentication, then authorisation, then injection, then file upload, then the business logic, then sweep with automation, then write it up. When you find something, document it the way you'd want it reported to you: clear reproduction steps, the real-world impact, and a suggested fix.
