Web Application Testing

By Davy Rogers

Find the vulns in your own app before someone else does, with tools you already have.

You don't need a pentest budget or a lab full of tools to start testing your own application. Your browser's DevTools and curl cover most manual testing, and the rest is method. One ground rule before anything else: test staging, not production, so a payload that works doesn't take down something real or corrupt live data.

Work through the app in a consistent order rather than poking at random, because random poking misses the same things every time.

Authentication

The login surface is where a lot of the easy wins are:

  • Default credentials. Try admin/admin and admin/password on the login form and any admin panel.
  • Username enumeration. Do valid and invalid usernames produce different error messages? That difference is a gift to an attacker.
  • Brute force. Fire 50 failed attempts. Does anything lock, throttle, or rate-limit?
  • Sessions. Is the cookie HttpOnly and Secure? Does logout actually invalidate it server-side?

Authorisation

This is where the highest-impact bugs usually hide, because it's the hardest thing to get right.

IDOR. Log in as User A and try to reach User B's data:

GET /api/orders/1002  # With User A's token, this should be a 403

Vertical escalation. As a regular user, call the admin endpoints and see what answers.

Mass assignment. Add {"role": "admin"} to an update request. Does it get accepted?

Injection

Probe every input, because "every input" is exactly where injection lives:

  • SQLi. Does ' OR '1'='1 change the response?
  • XSS. Does <script>alert(1)</script> come back reflected and unescaped?
  • SSRF. Drop http://169.254.169.254/ into any field that takes a URL.

File upload

Try to upload a .php, a double extension like shell.php.jpg, a filename with ../ in it, and something oversized. Each tests a different assumption in your upload handler.

Let the scanners sweep

Once you've done the thinking by hand, automated tools cover ground quickly and catch the routine stuff:

docker run -t zaproxy/zap-stable zap-baseline.py -t https://staging.example.com
nuclei -u https://staging.example.com -severity medium,high,critical

A repeatable order

Run the same sequence every time so nothing gets skipped: map the app, then test authentication, then authorisation, then injection, then file upload, then the business logic, then sweep with automation, then write it up. When you find something, document it the way you'd want it reported to you: clear reproduction steps, the real-world impact, and a suggested fix.