Introduction
Web applications are one of the most commonly attacked assets on the internet today. From small blogs to enterprise-level platforms, all face the risk of cyber threats. That’s where Web Application Penetration Testing (WAPT) comes into play — a process to simulate real-world attacks and identify vulnerabilities before malicious actors do.
Kali Linux, the premier penetration testing distribution, comes preloaded with a comprehensive suite of tools ideal for web app pentesting. This article provides a detailed Web App Pentest Methodology using Kali Linux, suitable for both beginners and seasoned professionals.
Why Perform Web Application Penetration Testing?
Web penetration testing helps to:
- Discover and fix vulnerabilities
- Comply with industry standards (e.g., OWASP, PCI-DSS)
- Improve application security posture
- Identify misconfigurations, logic flaws, and weak security controls
Web Application Pentest Phases (Methodology)
A well-structured WAPT consists of the following phases:
1. Reconnaissance and Information Gathering
2. Mapping and Attack Surface Analysis
3. Vulnerability Identification
4. Exploitation
5. Post-Exploitation & Lateral Movement (if allowed)
6. Reporting and Remediation Advice
Phase 1: Reconnaissance and Information Gathering
This is the most crucial phase: collect as much information as possible about the target application before touching it.
Tools to Use:
- Whois – Find domain registration details.
- Dig/Nslookup – DNS information.
- theHarvester – Email addresses, subdomains, hosts.
- Wappalyzer (Burp plugin) – Identify technologies in use (CMS, frameworks).
- WhatWeb – Tech stack fingerprinting.
Phase 2: Mapping the Application
In this phase, the goal is to understand the structure of the web app, available features, input fields, forms, and more.
Techniques:
- Spidering – Auto-crawling the application.
- Manual browsing – For hidden and dynamic endpoints.
- Parameter discovery – Identify GET/POST parameters.
Tools:
- Burp Suite Spider
- OWASP ZAP
- Dirb / Gobuster – Brute-force directory and file discovery.
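Parameter discovery can be started from the pages the spider already saved. The script below is an added example (not code from the original article or from Burp/ZAP) that inventories every form, its input fields and every link carrying GET parameters from a saved HTML page, which is the raw material for the attack surface map. The sample page and the `https://app.example/` base URL are constructed for the example; in practice the HTML comes from spider or proxy output.

```python
"""Inventory forms, input fields and GET parameters from a saved HTML page.

Added example for the mapping phase; standard library only, runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs


class SurfaceParser(HTMLParser):
    """Collect every form (action, method, named inputs) and every link with a query string."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []          # list of dicts: action, method, inputs
        self.get_params = {}     # absolute path -> set of parameter names seen in links
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action", "")),
                "method": a.get("method", "get").upper(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name:  # unnamed controls (e.g. a submit button) never reach the server
                self._current["inputs"].append((name, a.get("type", tag)))
        elif tag == "a" and "href" in a:
            url = urlparse(urljoin(self.base_url, a["href"]))
            if url.query:
                path = url._replace(query="", fragment="").geturl()
                names = set(parse_qs(url.query, keep_blank_values=True))
                self.get_params.setdefault(path, set()).update(names)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def map_surface(html, base_url):
    """Return (forms, get_params) with parameter names sorted for stable output."""
    p = SurfaceParser(base_url)
    p.feed(html)
    p.close()
    return p.forms, {k: sorted(v) for k, v in p.get_params.items()}


# Constructed sample page; not a real application.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" value="Sign in">
</form>
<a href="/search?q=test&page=2">search</a>
<a href="/item?id=7">item</a>
<a href="/item?id=8&ref=home">item</a>
<form action="upload.php" enctype="multipart/form-data" method="POST">
  <input type="file" name="avatar">
  <textarea name="bio"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    forms, params = map_surface(SAMPLE_HTML, "https://app.example/account/")
    for f in forms:
        print(f["method"], f["action"], [n for n, _ in f["inputs"]])
    for path, names in sorted(params.items()):
        print("GET", path, names)
```

Relative actions such as `upload.php` are resolved against the page URL, so the inventory lists absolute endpoints that can be fed straight into Burp Repeater or a fuzzing tool. The file input and the hidden CSRF token show up as named parameters, which is exactly what the file-upload and CSRF checks in later phases need to know about.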
Phase 3: Vulnerability Identification
Now that the structure is known, it is time to identify common vulnerabilities.
Areas to Test:
- Input validation (XSS, SQLi)
- Authentication mechanisms
- Session management
- Authorization logic
- File upload flaws
- Security misconfigurations
Tools:
- Nikto – Web server vulnerability scanner.
- Burp Suite (Pro/Community) – For active and passive scanning.
- Wapiti – Web vulnerability scanner.
- OWASP ZAP – Ideal for automated scanning.
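Security misconfigurations are often visible in a single raw response. The following is an added example (not code from the original article or from any of the scanners above) that parses an HTTP response as captured by Burp, ZAP or `curl -i` and reports missing or weak security headers, version-disclosing banners and session cookies without `Secure`/`HttpOnly`. The two responses and the `app.example` host are constructed; the one-year HSTS minimum and the `unsafe-inline` CSP check are the thresholds this example assumes, not values from the article.

```python
"""Flag missing or weak HTTP security headers in a raw HTTP/1.1 response.

Added example for the "security misconfigurations" area; standard library only.
"""
import re


def parse_response(raw):
    """Split a raw response into (status_code, headers); header names are lowercased
    and values kept in lists so repeated headers such as Set-Cookie are preserved."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def hsts_max_age(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def check_security_headers(headers):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []

    def require(name, ok=lambda v: True):
        values = headers.get(name)
        if not values:
            findings.append(f"{name}: missing")
        elif not ok(values[0]):
            findings.append(f"{name}: weak value '{values[0]}'")

    require("strict-transport-security", lambda v: hsts_max_age(v) >= 31536000)  # >= 1 year (assumed threshold)
    require("content-security-policy", lambda v: "unsafe-inline" not in v.lower())
    require("x-content-type-options", lambda v: v.lower() == "nosniff")
    require("x-frame-options", lambda v: v.upper() in ("DENY", "SAMEORIGIN"))
    require("referrer-policy")

    # Version numbers in banners are information disclosure, not a missing header.
    for banner in ("server", "x-powered-by"):
        for v in headers.get(banner, []):
            if re.search(r"\d", v):
                findings.append(f"{banner}: discloses version '{v}'")

    # Every session cookie should carry both flags.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"set-cookie: {name} lacks {flag}")
    return findings


# Constructed responses from a fictional host; not captured from a real server.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "X-Powered-By: PHP/7.2.1\r\n"
    "\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html></html>"
)


def audit(raw):
    _status, headers = parse_response(raw)
    return check_security_headers(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit(raw) or "no findings")
```

The weak response yields nine findings; the hardened one yields none. Each finding string already names the header and the observed value, so the list drops straight into the "Security misconfigurations" entry of the report.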
Phase 4: Exploitation
Once vulnerabilities are discovered, attempt exploitation to demonstrate impact.
Example Attacks:
- SQL Injection (SQLi):
  - Tool: sqlmap
- Cross-Site Scripting (XSS):
  - Reflected, Stored, DOM-based XSS
  - Tool: Manual + Burp Repeater
- CSRF:
  - Craft malicious requests
  - Tool: Burp Suite CSRF PoC Generator
- Authentication Bypass:
  - Weak passwords, logic flaws
  - Tool: Hydra (brute-force)
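Whether a brute-force attempt with Hydra is detectable is itself a finding worth reporting, so the defender's view of this step belongs in the write-up. Below is an added example (not code from the original article or from Hydra) that reads web server access logs in the Apache combined format and flags source IPs that produce a burst of failed logins within a short window, noting whether a successful login followed the burst. The log lines, the IP addresses and the `/login` endpoint are constructed; the example assumes a failed login answers 401 and a successful one 302, which the real application's behaviour would replace.

```python
"""Detect password-guessing bursts against a login endpoint in access logs.

Added example: defensive counterpart to the authentication testing above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def detect_bruteforce(lines, login_path="/login", threshold=5, window_s=60,
                      fail_status=401, success_status=302):
    """Return {ip: (max_failures_in_window, success_after_burst)} for every IP that
    reached `threshold` failed POSTs to `login_path` inside a `window_s`-second window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        r = parse_line(line)
        if r is None or r["path"] != login_path or r["method"] != "POST":
            continue
        ip, ts = r["ip"], r["ts"]
        if r["status"] == fail_status:
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:  # slide the window
                q.popleft()
            if len(q) >= threshold:
                best, _ = flagged.get(ip, (0, False))
                flagged[ip] = (max(best, len(q)), False)
        elif r["status"] == success_status and ip in flagged:
            best, _ = flagged[ip]
            flagged[ip] = (best, True)   # a guessed password: burst followed by success
    return flagged


# Constructed log lines (TEST-NET addresses, fictional timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:50:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2024:13:51:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2024:13:53:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2024:13:54:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2024:13:55:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2024:13:55:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:13 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:17 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:21 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2024:13:55:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2024:13:55:50 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2024:13:56:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for ip, (n, success) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 60s; success afterwards: {success}")
```

In the sample, `203.0.113.5` fires six failures in twenty seconds and then logs in, so it is reported with `(6, True)`; `198.51.100.9` is a user who mistyped twice and `203.0.113.7` spreads its attempts ninety seconds apart, so neither crosses the threshold. The sliding window is what separates a slow, throttled guesser from a real burst, and the threshold and window are the knobs a blue team tunes against its own login rate.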
Phase 5: Post-Exploitation
This phase is optional and only applicable if permission is granted to simulate deeper access.
Activities:
- Steal session tokens
- Privilege escalation
- Access restricted functionalities
- Inject persistent payloads
Use Burp’s session manipulation features and browser developer tools to explore.
Phase 6: Reporting and Remediation
An often overlooked but critical phase. A good pentest report must include:
- Executive summary
- List of vulnerabilities (with CVSS scores)
- Technical description
- Proof of concepts (PoC)
- Risk levels
- Remediation recommendations
Tools for Report Creation:
- Markdown editors
- Serpico – Vulnerability reporting platform
- Dradis – Collaborative reporting tool
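The report sections listed above can be generated from a structured findings list so that the CVSS score, the derived risk level and the ordering stay consistent across the document. The following is an added example (not code from the original article, and not Serpico's or Dradis's format) that maps CVSS scores to the CVSS v3.x qualitative scale (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0) and renders the executive summary, overview table and per-finding sections as Markdown. The findings, target name and tester name are constructed.

```python
"""Render a pentest report skeleton from a findings list.

Added example for the reporting phase; standard library only.
"""
from dataclasses import dataclass, field

# CVSS v3.x qualitative severity scale, checked from the highest floor downwards.
RATINGS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None")]


def cvss_rating(score):
    """Map a CVSS base score to its qualitative rating; reject out-of-range input."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, name in RATINGS:
        if score >= floor:
            return name
    return "None"  # unreachable for valid floats, kept for clarity


@dataclass
class Finding:
    title: str
    cvss: float
    description: str
    poc: str                      # evidence reference / reproduction summary
    remediation: str
    affected: list = field(default_factory=list)


def sorted_findings(findings):
    """Most severe first; ties broken by title so the numbering is stable."""
    return sorted(findings, key=lambda f: (-f.cvss, f.title))


def severity_counts(findings):
    counts = {name: 0 for _, name in RATINGS}
    for f in findings:
        counts[cvss_rating(f.cvss)] += 1
    return counts


def render_report(target, tester, findings):
    ordered = sorted_findings(findings)
    counts = severity_counts(ordered)
    summary = ", ".join(f"{n} {name}" for name, n in counts.items() if n)
    lines = [
        f"# Web Application Penetration Test Report: {target}", "",
        "## Executive summary", "",
        f"Tester: {tester}. {len(ordered)} findings: {summary}.", "",
        "## Findings overview", "",
        "| # | Title | CVSS | Risk |", "|---|---|---|---|",
    ]
    for i, f in enumerate(ordered, 1):
        lines.append(f"| {i} | {f.title} | {f.cvss} | {cvss_rating(f.cvss)} |")
    for i, f in enumerate(ordered, 1):
        lines += [
            "", f"## {i}. {f.title} ({cvss_rating(f.cvss)}, CVSS {f.cvss})", "",
            f"**Affected:** {', '.join(f.affected) or 'n/a'}", "",
            f"**Description:** {f.description}", "",
            f"**Proof of concept:** {f.poc}", "",
            f"**Remediation:** {f.remediation}",
        ]
    return "\n".join(lines) + "\n"


# Constructed findings for a fictional engagement.
SAMPLE_FINDINGS = [
    Finding("Missing HTTP security headers", 5.3,
            "Responses lack CSP, HSTS and X-Content-Type-Options.",
            "See appendix A: captured response headers.",
            "Set the headers at the reverse proxy for every response.",
            ["https://app.example/"]),
    Finding("SQL injection in search parameter", 9.8,
            "The q parameter is concatenated into a database query.",
            "See appendix B: sqlmap session log.",
            "Use parameterised queries; validate input length and character set.",
            ["https://app.example/search"]),
    Finding("Server version disclosure", 3.1,
            "The Server header reveals the exact web server version.",
            "See appendix A.", "Remove version tokens from the Server banner."),
    Finding("Reflected XSS in error page", 6.1,
            "The error message echoes user input without encoding.",
            "See appendix C.", "Context-aware output encoding; deploy a CSP.",
            ["https://app.example/error"]),
]

if __name__ == "__main__":
    print(render_report("app.example", "Example Tester", SAMPLE_FINDINGS))
```

Keeping the rating a function of the score means the "Risk levels" and "List of vulnerabilities (with CVSS scores)" sections can never disagree, which is a common defect in hand-edited reports. The PoC field holds a pointer to captured evidence rather than a live payload, so the document stays safe to circulate to developers.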
Common Vulnerabilities to Look for
| Vulnerability | Description |
|---|---|
| SQL Injection | Database access through unfiltered input |
| XSS (Cross-Site Scripting) | JavaScript injection |
| CSRF | Unauthorized actions via forged requests |
| IDOR | Insecure Direct Object Reference |
| File Upload | Arbitrary file execution |
| Broken Auth | Weak login/session mechanisms |
| Security Misconfig | Headers, permissions, services |
Essential Kali Linux Tools for Web Pentesting
| Tool | Purpose |
|---|---|
| Burp Suite | Intercept, modify, and replay requests |
| OWASP ZAP | Automated and manual scanning |
| sqlmap | SQL injection exploitation |
| Dirb / Gobuster | File and directory enumeration |
| Nikto | Web server scanning |
| WhatWeb | Tech stack fingerprinting |
| Wapiti | Web vulnerability scanner |
| Hydra | Password brute-forcing |
| wfuzz | Fuzzing parameters |
| XSStrike | Advanced XSS testing |
| Sublist3r | Subdomain enumeration |
Pentest Best Practices
- Always get written permission before testing.
- Create scoped targets – don’t touch production.
- Use VPNs and proxies when necessary.
- Log everything – timestamps, tools, payloads.
- Respect the law and ethics of security testing.
- Stay updated with the latest OWASP Top 10.
Conclusion
Web application penetration testing is a dynamic, multi-step process that requires a mix of creativity, skill, and the right tools. Kali Linux provides a complete arsenal of open-source and commercial tools that support every step of a robust WAPT methodology.
Whether you're testing for SQL injection, scanning for misconfigurations, or crafting CSRF payloads — Kali makes it possible to simulate real-world attacks in a controlled, efficient, and effective manner.
By following the methodology outlined above, security professionals can conduct thorough, structured, and impactful assessments that help developers and businesses improve their overall security.