Complete Guide
Intermediate

Web Penetration Testing Methodology

A comprehensive, step-by-step guide to conducting professional web application security assessments. It follows the PTES (Penetration Testing Execution Standard) and the OWASP Web Security Testing Guide (WSTG) v4.2.

🚀 New to Web Pentesting?

Before starting, make sure you're comfortable with these prerequisites:

  • Basic networking (TCP/IP, DNS, HTTP/HTTPS)
  • Command-line / terminal usage
  • How web applications work (HTML, cookies, sessions)
  • Using a web proxy (Burp Suite or OWASP ZAP)

Recommended reading order: Start with Phase 01 (Pre-Engagement), read through each phase sequentially, and practice in Phase 07 (Labs) before attempting real assessments. Each phase builds on the previous — reconnaissance output feeds into scanning, scanning output feeds into vulnerability analysis, and so on.

PTES Methodology Mapping

This guide maps to the Penetration Testing Execution Standard (PTES) phases:

PTES Phase                    Guide Section                          Est. Time
Pre-engagement Interactions   Phase 01                               1–2 days
Intelligence Gathering        Phase 02 (Reconnaissance)              2–4 hours
Threat Modeling               Phase 03–05 (Scanning → Analysis)      3–6 hours
Vulnerability Analysis        Phase 05                               4–8 hours
Exploitation                  Phase 06 (28+ attack guides)           3–7 days
Post-Exploitation             Phase 08                               1–2 days
Reporting                     Phase 09                               2–3 days

What You'll Learn

  • Professional engagement setup
  • OSINT and reconnaissance techniques
  • Vulnerability scanning and analysis
  • OWASP Top 10 exploitation
  • Post-exploitation techniques
  • Professional reporting

Quick Start Checklist

Minimum tests per phase — use as a pre-engagement sanity check or quick reference during assessments.

Reconnaissance
  • ☐ Subdomain enumeration (amass, subfinder)
  • ☐ Technology fingerprinting (Wappalyzer)
  • ☐ Directory/file brute-force (feroxbuster)
  • ☐ JavaScript file analysis for endpoints
Authentication
  • ☐ Default/weak credentials
  • ☐ Brute-force & lockout policy
  • ☐ Session token entropy & fixation
  • ☐ Password reset flow abuse
Injection & Input
  • ☐ SQLi on all parameters (manual + sqlmap)
  • ☐ XSS reflected, stored, DOM-based
  • ☐ SSRF on URL/file/webhook inputs
  • ☐ Command injection on OS-interaction points
Authorization
  • ☐ IDOR on all object references
  • ☐ Horizontal/vertical privilege escalation
  • ☐ Forced browsing to admin endpoints
  • ☐ API endpoint authorization matrix
Configuration
  • ☐ Security headers (CSP, HSTS, X-Frame-Options)
  • ☐ CORS policy validation
  • ☐ TLS configuration (testssl.sh)
  • ☐ Error handling & stack trace leakage
Business Logic
  • ☐ Price/quantity manipulation
  • ☐ Workflow step skipping
  • ☐ Race conditions on critical actions
  • ☐ File upload type/size bypass
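
The Configuration items above (security headers and CORS policy) can be triaged mechanically from a response captured in the proxy, before anything is written up by hand. The Python below is an added example, not code from the original guide or from any tool it names. The sample response is constructed for illustration, https://evil.example is a hypothetical attacker-controlled origin sent in the probe request's Origin header, and the one-year HSTS threshold is the tester's own policy rather than a standard requirement.

```python
"""Security-header and CORS triage over a captured HTTP response.

Added example for the Configuration items of the quick-start checklist; it is
not code from the original guide. The response below is constructed, and
https://evil.example is a hypothetical attacker origin used in the probe.
"""
import re

ONE_YEAR = 31536000  # tester's policy for an acceptable HSTS max-age (seconds)

# Constructed sample: response to a request sent with
# "Origin: https://evil.example" (hypothetical attacker-controlled origin).
PROBE_ORIGIN = "https://evil.example"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: application/json\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "Access-Control-Allow-Origin: https://evil.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
    '{"user":"alice"}'
)


def parse_headers(raw):
    """Return {lowercased-name: first value} for the response's header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_response(headers, probe_origin):
    """Return a list of (severity, finding) tuples; an empty list means nothing to report."""
    findings = []

    # CSP: missing, or a script policy that still allows inline JavaScript.
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "CSP missing"))
    else:
        d = parse_csp(csp)
        script_src = d.get("script-src", d.get("default-src"))
        if script_src is None:
            findings.append(("medium", "CSP sets neither script-src nor default-src"))
        elif "'unsafe-inline'" in script_src and not any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
        ):
            # With a nonce or hash present browsers ignore 'unsafe-inline'; without one it is live.
            findings.append(("medium", "CSP allows inline scripts ('unsafe-inline')"))
        if "frame-ancestors" not in d and "x-frame-options" not in headers:
            findings.append(("low", "no framing protection (frame-ancestors / X-Frame-Options)"))

    # HSTS: missing, short max-age, or subdomains left uncovered.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("low", "HSTS missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(("low", f"HSTS max-age {max_age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("info", "HSTS does not cover subdomains"))

    # CORS: did the server trust the origin we supplied in the probe?
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin:
        if creds:
            findings.append(("high", "CORS reflects arbitrary origin with credentials"))
        else:
            findings.append(("medium", "CORS reflects arbitrary origin (no credentials)"))
    elif acao == "null":
        findings.append(("high" if creds else "medium", "CORS trusts the 'null' origin"))
    elif acao == "*" and creds:
        # Browsers reject this combination, so it is a misconfiguration, not an exploitable one.
        findings.append(("info", "CORS wildcard with credentials (rejected by browsers)"))
    return findings


if __name__ == "__main__":
    for severity, text in check_response(parse_headers(SAMPLE_RESPONSE), PROBE_ORIGIN):
        print(f"[{severity}] {text}")
```

Feed it responses exported from the proxy after sending the same request with an Origin header you control. A reflected origin together with Access-Control-Allow-Credentials: true is the case worth confirming with a proof-of-concept page that reads the authenticated response; the wildcard-plus-credentials case is refused by browsers and is reported only as a configuration error.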

⚠️ Legal Disclaimer

Always obtain proper written authorization before conducting any penetration testing activities. Unauthorized access to computer systems is illegal. This guide is for educational purposes and authorized security assessments only.