Vulnerability Analysis

Systematic identification and verification of security weaknesses based on the OWASP Top 10 and other common vulnerability classes.

Why Vulnerability Analysis Matters

Systematic Coverage: OWASP Top 10 ensures you test for the most critical web vulnerabilities
Industry Standard: Following OWASP methodology provides recognized, defensible results
Risk Prioritization: Categorization helps focus on vulnerabilities with highest business impact
Compliance Alignment: OWASP coverage satisfies many regulatory and compliance requirements

Pro Tip: This phase connects reconnaissance and scanning with exploitation. The goal is to identify and validate vulnerabilities before attempting to exploit them.

Essential Vulnerability Analysis Tools

Burp Suite

Industry-standard web proxy with active and passive scanning

OWASP ZAP

Free open-source web app scanner

Nuclei

Fast template-based vulnerability scanner

Nikto

Web server scanner for misconfigurations

SQLMap

Automatic SQL injection detection and exploitation

Wapiti

Black-box web application vulnerability scanner

Vulnerability Analysis Process

```mermaid
flowchart TD
    A[Enumeration Results] --> B[Identify Input Points]
    B --> C[Map to OWASP Categories]
    C --> D[Automated Scanning]
    D --> E[Manual Testing]
    E --> F[Validate Findings]
    F --> G[Document and Exploit]
    style A fill:#00ff00,stroke:#000,color:#000
    style G fill:#ff6b6b,stroke:#000,color:#000
```

Interactive OWASP Top 10 Dashboard

The OWASP Top 10 (2021) has ten categories. Each category carries its own testing techniques and quick checks, and each maps to the exploitation guides listed in the table at the end of this page.

What Vulnerability Am I Looking At?

Not sure what vulnerability you have found? Start from the primary indicator you observed during testing, for example a database error after a single quote, your input echoed unencoded in the response, another user's record returned after changing an ID, or a request the server made to a host you supplied, and work through the input-type checklists below to narrow it to a vulnerability class.

Manual Testing Methodology

Systematic testing ensures comprehensive coverage. Test each input type against relevant vulnerability classes.

Testing Checklist by Input Type

URL Parameters

  • SQL injection
  • XSS (reflected)
  • Path traversal
  • IDOR
  • Open redirect
  • SSRF

Form Fields

  • SQL injection
  • XSS (stored/reflected)
  • Command injection
  • File upload bypass
  • CSRF
  • Input validation bypass

Headers

  • Host header injection
  • X-Forwarded-For manipulation
  • User-Agent injection
  • Referer injection

Cookies

  • Session hijacking
  • Cookie manipulation
  • Missing Secure/HttpOnly
  • Predictable session tokens
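The cookie checks above can be scripted. The following is an added example, not code from the original page: it audits Set-Cookie headers for missing Secure, HttpOnly and SameSite attributes and applies two cheap predictability tests to session tokens collected across several logins (constant step between numeric tokens, and a per-token entropy estimate). The header values and the session ids are constructed samples.

```python
"""Audit Set-Cookie headers and session-token predictability.

Added example (not from the original page). The headers below are constructed
to look like what a proxy such as Burp shows on a login response; the
sessionid values imitate a counter-based token.
"""
import math
import re
from collections import Counter

# Constructed sample response headers.
SAMPLE_SET_COOKIE = [
    "sessionid=1000042; Path=/",
    "csrftoken=Zk9qW3xLp2Vb8sT0nQ7YcR1dF5gHjK4m; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember=dXNlcj1hZG1pbg==; Path=/; Secure",
]

# Constructed: sessionid values collected across three consecutive logins.
SAMPLE_SESSION_IDS = ["1000042", "1000043", "1000044"]


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.lower()] = val if has_eq else True
    return name, value, attrs


def audit_cookie(header):
    """Return human-readable findings for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie is sent over plaintext HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script after XSS)")
    samesite = str(attrs.get("samesite", "")).lower()
    if not samesite:
        findings.append(f"{name}: missing SameSite (browser default is not a guarantee)")
    elif samesite == "none":
        findings.append(f"{name}: SameSite=None (sent on cross-site requests, CSRF-relevant)")
    return findings


def entropy_bits(token):
    """Shannon entropy of the token's own character distribution, in bits.
    A rough lower bound on how unpredictable a single token is."""
    counts = Counter(token)
    n = len(token)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def tokens_look_predictable(tokens, min_bits=64):
    """True if consecutive numeric tokens step by a constant, or if any token
    carries fewer than min_bits of estimated entropy."""
    if len(tokens) >= 3 and all(re.fullmatch(r"\d+", t) for t in tokens):
        steps = {int(b) - int(a) for a, b in zip(tokens, tokens[1:])}
        if len(steps) == 1:
            return True
    return any(entropy_bits(t) < min_bits for t in tokens)


def audit_response(set_cookie_headers, session_ids):
    """Run both checks and return a flat list of findings."""
    findings = [f for h in set_cookie_headers for f in audit_cookie(h)]
    if tokens_look_predictable(session_ids):
        findings.append("sessionid: tokens are sequential or low-entropy (predictable)")
    return findings


if __name__ == "__main__":
    for line in audit_response(SAMPLE_SET_COOKIE, SAMPLE_SESSION_IDS):
        print(line)
```

The entropy estimate only measures the spread of characters inside one token, so a long token built from a timestamp and a counter can still pass it; collect at least a handful of tokens and compare them before calling a session id unpredictable.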

Automated Scanning Commands

```bash
# Nuclei - comprehensive vulnerability scan (template directories from nuclei-templates)
nuclei -u https://example.com -t cves/ -t vulnerabilities/

# Nikto - web server misconfiguration, HTML report
nikto -h https://example.com -o nikto_report.html -Format htm

# SQLMap - SQL injection detection; --batch accepts default answers,
# --level=3 also tests cookies and User-Agent/Referer headers
sqlmap -u "https://example.com/page?id=1" --batch --level=3

# Wapiti - black-box scanning, HTML report
wapiti -u https://example.com -o wapiti_report -f html
```
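Scanner output is the input to the "Validate Findings" step, not the result. The script below is an added example, not code from the original page: it reads nuclei's JSON Lines export (the `-jsonl` flag in current releases), drops duplicate matches, and orders the rest by severity into a queue for manual validation. The field names follow nuclei's export format; the four findings and their template ids are constructed, and one is a deliberate duplicate.

```python
"""Triage nuclei JSON Lines output into a validation queue.

Added example (not from the original page). The field names follow nuclei's
JSON Lines export (-jsonl); the findings below are constructed with made-up
template ids and include one duplicate, as real scans often do when several
templates or hosts match the same URL.
"""
import json

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "unknown": 5}

# Constructed sample output, one JSON object per line.
SAMPLE_JSONL = """\
{"template-id":"example-tomcat-manager-default-creds","info":{"name":"Tomcat Manager default credentials","severity":"critical"},"type":"http","host":"https://example.com","matched-at":"https://example.com/manager/html"}
{"template-id":"http-missing-security-headers","info":{"name":"Missing security headers","severity":"info"},"type":"http","host":"https://example.com","matched-at":"https://example.com/"}
{"template-id":"example-tomcat-manager-default-creds","info":{"name":"Tomcat Manager default credentials","severity":"critical"},"type":"http","host":"https://example.com","matched-at":"https://example.com/manager/html"}
{"template-id":"example-phpinfo-exposure","info":{"name":"phpinfo() page exposed","severity":"medium"},"type":"http","host":"https://example.com","matched-at":"https://example.com/phpinfo.php"}
"""


def parse_findings(jsonl_text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings


def triage(findings):
    """De-duplicate on (template-id, matched-at) and order by severity so the
    manual validation step starts with the highest-impact candidates."""
    unique = {}
    for f in findings:
        key = (f.get("template-id"), f.get("matched-at"))
        unique.setdefault(key, f)
    queue = []
    for f in unique.values():
        info = f.get("info", {})
        queue.append({
            "severity": info.get("severity", "unknown").lower(),
            "template": f.get("template-id"),
            "name": info.get("name"),
            "url": f.get("matched-at"),
            "status": "unvalidated",  # set to confirmed / false-positive after manual testing
        })
    queue.sort(key=lambda item: (SEVERITY_RANK.get(item["severity"], 5), item["template"]))
    return queue


def summary(queue):
    """Count queue entries per severity."""
    counts = {}
    for item in queue:
        counts[item["severity"]] = counts.get(item["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    queue = triage(parse_findings(SAMPLE_JSONL))
    print(summary(queue))
    for item in queue:
        print(f'[{item["severity"]}] {item["template"]} -> {item["url"]}')
```

The `status` field is the point of the queue: every entry starts as unvalidated, and a finding only moves to the report after a manual request reproduces it.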

DAST vs SAST vs Manual Testing

No single approach catches all vulnerabilities. A mature testing methodology combines automated and manual techniques.

| Approach | Strengths | Weaknesses | Best For |
|---|---|---|---|
| DAST (Dynamic) | Finds runtime issues, no source needed, tests the real deployment | Slow, noisy, misses logic flaws, coverage depends on crawling | SQLi, XSS, misconfigurations, header issues |
| SAST (Static) | Fast, finds code-level flaws early, good coverage of the codebase | High false-positive rate, cannot find runtime/config issues | Hardcoded secrets, insecure patterns, injection sinks |
| IAST (Interactive) | Combines runtime and code context, lower false positives | Requires an agent in the app, complex setup | CI/CD integration, complex data flows |
| Manual Testing | Finds logic flaws and chained attacks, understands context | Time-intensive, depends on tester skill, not scalable | Business logic, auth bypass, complex attack chains |

Information

Recommended approach: start with automated DAST scanning to find low-hanging fruit, then focus manual testing on authentication, authorization and business logic, the areas where scanners fail. If source code is available, complement with SAST/IAST (see Source Code Review).

SAST & Modern Analysis Tools

When source code or CI/CD pipeline access is available, integrate these tools for deeper coverage:

Semgrep

Lightweight SAST with 2,000+ community rules for injection, auth flaws, secrets, and more.

semgrep --config=auto .

CodeQL

Semantic code analysis engine by GitHub; ideal for tracing taint flows from source to sink.

codeql database analyze

Snyk Code

Real-time SAST with IDE integration; catches vulnerabilities during development.

snyk code test

AI-Assisted Analysis

Modern tools such as GitHub Copilot and AI-powered Burp extensions can accelerate vulnerability discovery by suggesting attack payloads and flagging suspicious code patterns. Use them as force multipliers alongside manual testing, never as a replacement, and validate every suggestion before it reaches a report.
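To make the "source to sink" idea behind SAST concrete, here is an added example that is not code from the original page and is not how Semgrep or CodeQL work internally: a small taint tracker over a Python AST. It treats a few Flask request accessors (assumed names) as sources, follows values through assignments, concatenation and f-strings, and reports `os.system`/`eval`-style sinks or `subprocess` calls with `shell=True` that receive them. The code it scans, `SAMPLE_SOURCE`, is constructed. The tracker is flow-insensitive, does not scope variables per function and knows no sanitizers, which is exactly why SAST hits go into the validation queue rather than straight into a report.

```python
"""Minimal source-to-sink taint check over a Python AST.

Added example (not from the original page, and not how Semgrep or CodeQL are
implemented). Hits are candidates for manual validation, not confirmed
findings. SAMPLE_SOURCE is constructed code to scan.
"""
import ast

# Assumed source/sink names for a Flask application.
SOURCES = {"request.args.get", "request.form.get", "request.values.get", "request.get_json"}
SINKS = {"os.system", "os.popen", "eval", "exec", "cursor.execute"}
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output"}

# Constructed sample: two vulnerable functions, one safe list-argv call, one constant command.
SAMPLE_SOURCE = '''\
import os, subprocess
from flask import request

def ping():
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)

def safe_ping():
    host = request.args.get("host")
    subprocess.run(["ping", "-c", "1", host])

def lookup():
    name = request.form.get("name")
    subprocess.run(f"nslookup {name}", shell=True)

def version():
    os.system("uname -a")
'''


def dotted_name(node):
    """Render a Name/Attribute chain such as request.args.get as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def uses_shell(call):
    """True for subprocess calls that pass shell=True as a literal."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding user input
        self.findings = []     # (line, sink) pairs

    def is_tainted(self, node):
        """Does this expression carry data derived from a source?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            if dotted_name(node.func) in SOURCES:
                return True
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, (ast.List, ast.Tuple)):
            return any(self.is_tainted(e) for e in node.elts)
        return False

    def visit_Assign(self, node):
        # Propagate taint from the right-hand side to simple name targets.
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted_name(node.func)
        is_sink = fn in SINKS or (fn in SHELL_SINKS and uses_shell(node))
        if is_sink and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, fn))
        self.generic_visit(node)


def analyze(source):
    """Return sorted (line, sink) pairs where tainted data reaches a sink."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return sorted(tracker.findings)


if __name__ == "__main__":
    for line, sink in analyze(SAMPLE_SOURCE):
        print(f"line {line}: user input reaches {sink}")
```

The `safe_ping` case is the one worth noticing: the same tainted `host` reaches `subprocess.run`, but as one element of an argv list without `shell=True`, so no shell parses it and the tracker stays quiet. A real engine adds sanitizer modelling (for example `shlex.quote`) and per-function scoping on top of this skeleton.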

Threat Modeling Primer

Before diving into testing, a brief threat model helps prioritize where to spend time. Ask these questions:

1. What are we protecting?

  • User PII, credentials, financial data
  • Business logic integrity (transactions, pricing)
  • Infrastructure access (admin panels, APIs)

2. What can go wrong? (STRIDE)

  • Spoofing: impersonate users/services
  • Tampering: modify data in transit/at rest
  • Repudiation: deny performing an action
  • Information Disclosure: leak sensitive data
  • Denial of Service: disrupt availability
  • Elevation of Privilege: gain unauthorized access

3. Who are the threat actors?

  • Anonymous external attacker
  • Authenticated low-privilege user
  • Malicious insider / partner
  • Automated bot / script kiddie

4. Where are the trust boundaries?

  • Client → Server (never trust the client)
  • Frontend → API (authorization enforcement)
  • App → Database (parameterized queries)
  • Internal → External services (SSRF surface)
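The App → Database boundary is the one most often crossed by SQL text rather than by values. The block below is an added example, not code from the original page: a string-built login query beside its parameterized form, plus the two hand-sent probes a tester uses to validate a SQL injection candidate before handing it to sqlmap (a single-quote error probe and a comment-based authentication bypass). It uses an in-memory SQLite database with a constructed users table.

```python
"""String-built query versus parameterized query, with the probes a tester
uses to validate SQL injection before escalating to sqlmap.

Added example (not from the original page). Uses an in-memory SQLite
database with a constructed users table; passwords are stored in clear only
to keep the demo short.
"""
import sqlite3


def make_db():
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Client input crosses the app -> database boundary as SQL text."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Same query with bound parameters: input can only ever be a value."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def probe_sqli(conn, login):
    """Two requests a tester sends by hand to confirm a candidate finding:
    an unbalanced single quote (error-based indicator) and a comment that
    truncates the password check (authentication bypass). Returns which
    indicators fired."""
    result = {"error_on_quote": False, "auth_bypass": False}
    try:
        login(conn, "admin'", "x")
    except sqlite3.Error:
        result["error_on_quote"] = True   # the quote reached the SQL parser
    # 'admin'-- ' turns the rest of the WHERE clause into a comment.
    result["auth_bypass"] = login(conn, "admin'-- ", "wrong-password")
    return result


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", probe_sqli(conn, vulnerable_login))
    print("parameterized:", probe_sqli(conn, safe_login))
```

Both indicators together are what turns a scanner hit into a validated finding: the error proves user input reaches the parser, and the bypass proves the impact. Against the parameterized version, the same inputs are just an unknown username.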

OWASP Category β†’ Exploitation Guides

Once you identify a potential vulnerability class, jump to the relevant exploitation guide:

| OWASP Category | Exploitation Guides |
|---|---|
| A01: Broken Access Control | IDOR · Privilege Escalation · CORS |
| A02: Cryptographic Failures | JWT Attacks · Session Attacks |
| A03: Injection | SQLi · XSS · Command Injection · SSTI · XXE · LDAP |
| A04: Insecure Design | Business Logic · Race Conditions |
| A05: Security Misconfiguration | Security Headers · CORS · WAF Bypass |
| A06: Vulnerable Components | Deserialization · Dependency Confusion |
| A07: Auth Failures | Auth Bypass · CSRF · Client-Side Attacks |
| A08: Data Integrity | Deserialization · Supply Chain |
| A09: Logging/Monitoring | Addressed in Reporting (detection gap analysis) |
| A10: SSRF | SSRF · Lateral Movement |

Next Steps

Once you have identified and validated vulnerabilities, proceed to the Exploitation phase to demonstrate real-world impact, or practice your skills in the Practice Labs.