Web Pentesting Tools
A comprehensive toolkit covering every phase of web application penetration testing - from reconnaissance to exploitation to reporting. Master these tools to perform professional security assessments.
🛠️ Why the Right Tools Matter
⚠️ Remember: Tools don't make the pentester - understanding the underlying vulnerabilities does. Always know what your tools are doing and verify results manually.
Tool Selection by Phase
📡 Reconnaissance
- Amass
- Subfinder
- theHarvester
- Shodan
🔍 Scanning
- Nmap
- Nikto
- Nuclei
- WhatWeb
🎯 Testing
- Burp Suite
- ffuf / Gobuster
- Wfuzz
- Feroxbuster
💥 Exploitation
- SQLMap
- XSStrike
- Metasploit
- Commix
🔄 Proxy & Interception Tools
HTTP proxies are the foundation of web pentesting - they let you intercept, analyze, and modify traffic between browser and server.
```bash
# Burp Suite Pro - Quick Tips
# Configure browser proxy: 127.0.0.1:8080
# Export certificate for HTTPS interception:
# Proxy → Options → Import/Export CA Certificate
# Useful Burp extensions:
# - Autorize (authorization testing)
# - Logger++ (enhanced logging)
# - Param Miner (hidden parameter discovery)
# - JS Link Finder (extract URLs from JS)
```
📡 Reconnaissance Tools
Gather information about your target before active testing - subdomains, technologies, exposed services.
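Before the `sort -u` step in the workflow below, it pays to normalise and scope-check what subfinder and amass return: mixed case, trailing dots, wildcard entries, and look-alike names such as `nottarget.com` that are not in scope. This is an added example, not part of the original page; the sample input is constructed and `target.com` stands in for the engagement root.

```python
import re
from typing import Optional, List, Tuple

# Constructed sample of a merged subfinder/amass output file.
SAMPLE_SUBS = """\
www.target.com
WWW.target.com
api.target.com.
*.dev.target.com
nottarget.com
target.com.evil.example
mail.target.com
not a hostname
api.target.com
"""

# One or more labels followed by an alphabetic TLD; total length capped at 253.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

def normalize_host(raw: str) -> Optional[str]:
    """Lowercase, strip trailing dots and a leading wildcard label; None if not a hostname."""
    h = raw.strip().lower().rstrip(".")
    if h.startswith("*."):
        h = h[2:]
    return h if HOSTNAME_RE.match(h) else None

def in_scope(host: str, root: str) -> bool:
    """True only for the root itself or a subdomain of it (suffix match on a label boundary)."""
    root = root.lower().rstrip(".")
    return host == root or host.endswith("." + root)

def filter_scope(text: str, root: str) -> Tuple[List[str], List[str]]:
    """Return (sorted unique in-scope hosts, rejected raw lines)."""
    kept, rejected = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        host = normalize_host(line)
        if host is None or not in_scope(host, root):
            rejected.append(line)  # keep the raw line so it can be reviewed by hand
        else:
            kept.add(host)
    return sorted(kept), rejected
```

Review the rejected list rather than discarding it: an out-of-scope look-alike domain is exactly the kind of finding the client needs to hear about.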
```bash
# Subdomain enumeration workflow
# Step 1: Passive enumeration
subfinder -d target.com -o subs.txt
amass enum -passive -d target.com >> subs.txt
# Step 2: Remove duplicates
sort -u subs.txt > subs-unique.txt
# Step 3: Probe for live hosts
httpx -l subs-unique.txt -o live-hosts.txt
# Step 4: Screenshot live hosts
gowitness file -f live-hosts.txt -P screenshots/
# Step 5: Technology fingerprinting
httpx -l live-hosts.txt -tech-detect -o tech-stack.txt
```
🔍 Scanning & Enumeration Tools
Active scanning to discover ports, services, and potential vulnerabilities.
```bash
# Nmap comprehensive web scan
nmap -sC -sV -p 80,443,8080,8443 target.com -oA nmap-web
# Nikto scan
nikto -h https://target.com -output nikto-results.txt
# Nuclei vulnerability scan
nuclei -u https://target.com -t cves/ -t vulnerabilities/ -o nuclei-results.txt
# Nuclei with severity filter
nuclei -u https://target.com -severity critical,high -o critical-vulns.txt
# Full reconnaissance workflow
echo "target.com" | subfinder | httpx | nuclei -t technologies/
```
🎯 Fuzzing & Content Discovery
Find hidden directories, files, parameters, and endpoints through intelligent fuzzing.
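From the defender's side, the tools in this section leave a distinctive trail in web server access logs: a burst of 403/404 responses from one client in a short window, and often a default User-Agent. The following is an added example, not from the original page, that flags both patterns over constructed Combined Log Format lines; the user-agent substrings are assumed tool defaults (trivially changed by the operator), and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime
# Combined Log Format as written by Apache/nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Substrings of the User-Agents these fuzzers send unless overridden (assumed defaults).
FUZZER_UA = ("Fuzz Faster U Fool", "gobuster", "feroxbuster", "Wfuzz")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["status"] = int(r["status"])
    return r

def detect_fuzzing(lines, window_s=60, min_requests=20, miss_ratio=0.8):
    """Return {client_ip: reason} for clients whose traffic looks like content/parameter fuzzing."""
    per_ip, alerts = defaultdict(list), {}
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if any(sig in r["ua"] for sig in FUZZER_UA):
            alerts.setdefault(r["ip"], f"fuzzer user-agent: {r['ua']}")
        per_ip[r["ip"]].append(r)
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over requests no more than window_s seconds apart
        for end in range(len(reqs)):
            while (reqs[end]["ts"] - reqs[start]["ts"]).total_seconds() > window_s:
                start += 1
            n = end - start + 1
            misses = sum(1 for r in reqs[start:end + 1] if r["status"] in (403, 404))
            if n >= min_requests and misses / n >= miss_ratio:
                alerts.setdefault(ip, f"{misses}/{n} responses were 403/404 within {window_s}s")
                break
    return alerts

def _line(ip, sec, path, status, ua):  # builds one constructed log line
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')
# Constructed sample: a 404 burst, a normal browser, and a client with a default ffuf UA.
SAMPLE_LOG = (
    [_line("203.0.113.5", i, f"/admin{i}", 404 if i < 23 else 200, "Mozilla/5.0") for i in range(25)]
    + [_line("198.51.100.7", i * 10, "/index.html", 200, "Mozilla/5.0") for i in range(5)]
    + [_line("192.0.2.9", i, "/FUZZ", 404, "Fuzz Faster U Fool v2.1.0") for i in range(3)]
)
```

The ratio rule is the one that matters in practice, since any operator can set a browser User-Agent; tune `min_requests` and `window_s` to the site's normal 404 rate before alerting on it.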
```bash
# ffuf - Directory fuzzing
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -mc 200,301,302,403
# ffuf - Filter by response size (hide 404 pages that return same size)
ffuf -w wordlist.txt -u https://target.com/FUZZ -fs 1234
# ffuf - Parameter fuzzing
ffuf -w params.txt -u "https://target.com/api?FUZZ=test" -mc all -fc 400
# ffuf - POST data fuzzing
ffuf -w usernames.txt -u https://target.com/login -X POST -d "user=FUZZ&pass=test"
# ffuf - Subdomain fuzzing
ffuf -w subdomains.txt -u http://FUZZ.target.com -mc 200
# Gobuster directory scan
gobuster dir -u https://target.com -w wordlist.txt -x php,txt,html -t 50
# Feroxbuster recursive scan
feroxbuster -u https://target.com -w wordlist.txt --depth 3
# Parameter discovery with Arjun
arjun -u https://target.com/api/endpoint
```
💥 Exploitation Tools
Specialized tools for exploiting specific vulnerability classes.
```bash
# SQLMap - Basic injection test
sqlmap -u "https://target.com/page?id=1" --batch --dbs
# SQLMap - POST request
sqlmap -u "https://target.com/login" --data="user=admin&pass=test" --batch
# SQLMap - With cookies and specific DBMS
sqlmap -u "https://target.com/api?id=1" --cookie="session=abc123" --dbms=mysql
# XSStrike - XSS testing
xsstrike -u "https://target.com/search?q=test"
# Commix - Command injection
commix -u "https://target.com/ping?ip=127.0.0.1"
# tplmap - SSTI testing
python tplmap.py -u "https://target.com/page?name=test"
```
🔐 Authentication & Password Tools
Tools for testing authentication mechanisms, brute forcing, and credential attacks.
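The jwt_tool scan at the end of this section probes for a server that trusts the token's own header (accepting `alg: none` or an unexpected algorithm) or never checks `exp`. Below is an added example of the strict server-side verifier that closes those gaps, written for this page and not taken from jwt_tool or any library; the key and claims are constructed, and `sign_hs256` exists only to produce test tokens.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (helper for producing test inputs)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Strict verification: pinned algorithm, constant-time signature check, mandatory exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # The server pins the algorithm instead of reading it from the token, so
    # alg=none and RS256-to-HS256 confusion are rejected before any crypto runs.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

# Constructed demo key; not a real secret.
DEMO_KEY = b"demo-secret-not-for-production"
```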
```bash
# Hydra - HTTP POST form brute force
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
# Hydra - HTTP Basic Auth
hydra -L users.txt -P passwords.txt target.com http-get /admin
# John - Crack password hashes
john --wordlist=/path/to/rockyou.txt hashes.txt
# Hashcat - MD5 hashes (mode 0)
hashcat -m 0 -a 0 hashes.txt wordlist.txt
# Hashcat - bcrypt (mode 3200)
hashcat -m 3200 -a 0 hashes.txt wordlist.txt
# CeWL - Generate custom wordlist from target site
cewl https://target.com -d 2 -m 5 -w custom-wordlist.txt
# jwt_tool - Analyze JWT
jwt_tool <token> -T
# jwt_tool - Test for vulnerabilities
jwt_tool <token> -M at
```
🌐 API Testing Tools
Specialized tools for REST API, GraphQL, and web service security testing.
📚 Essential Wordlists
Quality wordlists are crucial for effective fuzzing and enumeration.
| Wordlist | Use Case | Source |
|---|---|---|
| SecLists | Comprehensive collection - directories, passwords, usernames, fuzzing | GitHub |
| rockyou.txt | Password cracking - 14 million common passwords | SecLists/Passwords/ |
| raft-medium-directories.txt | Directory fuzzing - balanced speed/coverage | SecLists/Discovery/Web-Content/ |
| common-api-endpoints.txt | API endpoint discovery | SecLists/Discovery/Web-Content/ |
| subdomains-top1million-5000.txt | Subdomain enumeration | SecLists/Discovery/DNS/ |
| fuzz.txt | Fuzzing for common vulnerabilities | SecLists/Fuzzing/ |
```bash
# Install SecLists
git clone https://github.com/danielmiessler/SecLists.git /opt/SecLists
# Alternative: Install via package manager
brew install seclists
# Common wordlist paths (after installation)
/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
/opt/SecLists/Discovery/Web-Content/common.txt
/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
/opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
```
💻 Installation by Platform
| Tool | macOS (Homebrew) | Linux (apt) | Windows |
|---|---|---|---|
| Nmap | brew install nmap | sudo apt install nmap | Download from nmap.org |
| Nikto | brew install nikto | sudo apt install nikto | WSL recommended |
| SQLMap | pip install sqlmap | sudo apt install sqlmap | pip install sqlmap |
| Hydra | brew install hydra | sudo apt install hydra | WSL recommended |
| ffuf | brew install ffuf | go install | Download binary from GitHub |
| Nuclei | brew install nuclei | go install | Download binary from GitHub |
| Burp Suite | Download from portswigger.net (all platforms) | | |
| Metasploit | Use official installer script (all platforms) | | |
🎮 Practice Labs & Training
Practice using these tools ethically on intentionally vulnerable applications:
- PortSwigger Web Security Academy: Free labs for all OWASP categories. Best for Burp Suite practice.
- Hack The Box: Vulnerable machines and web challenges. Real-world exploitation practice.
- TryHackMe: Guided learning paths with hands-on labs. Great for beginners.
- OWASP WebGoat: Deliberately insecure application for learning web security.