Reference

Web Pentesting Tools

A comprehensive toolkit covering every phase of web application penetration testing - from reconnaissance to exploitation to reporting. Master these tools to perform professional security assessments.

🛠️ Why the Right Tools Matter

Efficiency: Automated tools find vulnerabilities faster than manual testing alone
Coverage: Comprehensive scanners ensure no common issues are missed
Consistency: Repeatable methodologies with documented results
Depth: Specialized tools for deep exploitation and post-compromise

⚠️ Remember: Tools don't make the pentester - understanding the underlying vulnerabilities does. Always know what your tools are doing and verify results manually.

Tool Selection by Phase

📡 Reconnaissance

  • Amass
  • Subfinder
  • theHarvester
  • Shodan

🔍 Scanning

  • Nmap
  • Nikto
  • Nuclei
  • WhatWeb

🎯 Testing

  • Burp Suite
  • ffuf / Gobuster
  • Wfuzz
  • Feroxbuster

💥 Exploitation

  • SQLMap
  • XSStrike
  • Metasploit
  • Commix

🔄 Proxy & Interception Tools

HTTP proxies are the foundation of web pentesting - they let you intercept, analyze, and modify traffic between browser and server.

Burp Suite Pro — Quick Tips

  • Browser Proxy: Configure your browser to proxy through 127.0.0.1:8080
  • HTTPS Interception: Export the CA certificate via Proxy → Options → Import/Export CA Certificate and install it in your browser's trust store
  • Essential Extensions:
    • Autorize — authorization testing (IDOR, privilege escalation)
    • Logger++ — enhanced request/response logging
    • Param Miner — hidden parameter discovery
    • JS Link Finder — extract URLs from JavaScript

📡 Reconnaissance Tools

Gather information about your target before active testing - subdomains, technologies, exposed services.

recon-workflow.sh

```bash
# Subdomain enumeration workflow
# Step 1: Passive enumeration
subfinder -d target.com -o subs.txt
amass enum -passive -d target.com >> subs.txt

# Step 2: Remove duplicates
sort -u subs.txt > subs-unique.txt

# Step 3: Probe for live hosts
httpx -l subs-unique.txt -o live-hosts.txt

# Step 4: Screenshot live hosts
gowitness file -f live-hosts.txt -P screenshots/

# Step 5: Technology fingerprinting
httpx -l live-hosts.txt -tech-detect -o tech-stack.txt
```

🔍 Scanning & Enumeration Tools

Active scanning to discover ports, services, and potential vulnerabilities.

scanning.sh

```bash
# Nmap comprehensive web scan
nmap -sC -sV -p 80,443,8080,8443 target.com -oA nmap-web

# Nikto scan
nikto -h https://target.com -output nikto-results.txt

# Nuclei vulnerability scan
nuclei -u https://target.com -t cves/ -t vulnerabilities/ -o nuclei-results.txt

# Nuclei with severity filter
nuclei -u https://target.com -severity critical,high -o critical-vulns.txt

# Full reconnaissance workflow
echo "target.com" | subfinder | httpx | nuclei -t technologies/
```

🎯 Fuzzing & Content Discovery

Find hidden directories, files, parameters, and endpoints through intelligent fuzzing.

fuzzing.sh

```bash
# ffuf - Directory fuzzing
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -mc 200,301,302,403

# ffuf - Filter by response size (hide 404 pages that return same size)
ffuf -w wordlist.txt -u https://target.com/FUZZ -fs 1234

# ffuf - Parameter fuzzing
ffuf -w params.txt -u "https://target.com/api?FUZZ=test" -mc all -fc 400

# ffuf - POST data fuzzing
ffuf -w usernames.txt -u https://target.com/login -X POST -d "user=FUZZ&pass=test"

# ffuf - Subdomain fuzzing
ffuf -w subdomains.txt -u http://FUZZ.target.com -mc 200

# Gobuster directory scan
gobuster dir -u https://target.com -w wordlist.txt -x php,txt,html -t 50

# Feroxbuster recursive scan
feroxbuster -u https://target.com -w wordlist.txt --depth 3

# Parameter discovery with Arjun
arjun -u https://target.com/api/endpoint
```

💥 Exploitation Tools

Specialized tools for exploiting specific vulnerability classes.

exploitation.sh

```bash
# SQLMap - Basic injection test
sqlmap -u "https://target.com/page?id=1" --batch --dbs

# SQLMap - POST request
sqlmap -u "https://target.com/login" --data="user=admin&pass=test" --batch

# SQLMap - With cookies and specific DBMS
sqlmap -u "https://target.com/api?id=1" --cookie="session=abc123" --dbms=mysql

# XSStrike - XSS testing
xsstrike -u "https://target.com/search?q=test"

# Commix - Command injection
commix -u "https://target.com/ping?ip=127.0.0.1"

# tplmap - SSTI testing
python tplmap.py -u "https://target.com/page?name=test"
```

🔐 Authentication & Password Tools

Tools for testing authentication mechanisms, brute forcing, and credential attacks.

auth-testing.sh

```bash
# Hydra - HTTP POST form brute force
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# Hydra - HTTP Basic Auth
hydra -L users.txt -P passwords.txt target.com http-get /admin

# John - Crack password hashes
john --wordlist=/path/to/rockyou.txt hashes.txt

# Hashcat - MD5 hashes (mode 0)
hashcat -m 0 -a 0 hashes.txt wordlist.txt

# Hashcat - bcrypt (mode 3200)
hashcat -m 3200 -a 0 hashes.txt wordlist.txt

# CeWL - Generate custom wordlist from target site
cewl https://target.com -d 2 -m 5 -w custom-wordlist.txt

# jwt_tool - Decode and analyze a JWT (-T additionally opens tamper mode)
jwt_tool <token> -T

# jwt_tool - Run all vulnerability tests
jwt_tool <token> -M at
```
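jwt_tool probes how a service validates the tokens it receives; the checks it exercises are easiest to understand from the verifier's side. The following Python verifier is an added example, not part of the original page or of jwt_tool: it accepts an HS256 token only if the header names exactly the algorithm the service expects, the HMAC over the signing input matches under a constant-time comparison, and the `exp` claim has not passed. The key and claims are constructed for the demonstration; `mint_token` exists only to build test input.

```python
"""Strict HS256 JWT verification (added example, constructed key and claims)."""
import base64
import hashlib
import hmac
import json
import time

# The one algorithm this service issues; anything else in the header is rejected.
EXPECTED_ALG = "HS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue a token the way the service would (used here only to build test input)."""
    header = _b64url_encode(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError("bad header encoding")
    # The header is untrusted input: pin the algorithm instead of trusting it.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")

    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("bad signature encoding")
    if not hmac.compare_digest(expected, presented):
        raise ValueError("bad signature")

    # Only now is the payload trustworthy enough to parse and check expiry.
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or current >= exp:
        raise ValueError("expired or missing exp")
    return claims


def is_valid(token: str, key: bytes, now=None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(token, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    tok = mint_token({"sub": "alice", "exp": 2_000_000_000}, demo_key)
    print(tok)
    print(verify_token(tok, demo_key, now=1_700_000_000))
```

The order of the checks matters: the algorithm is pinned before any cryptography runs, and the payload is parsed only after the signature holds, so a forged or tampered token never influences which code path is taken.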

🌐 API Testing Tools

Specialized tools for REST API, GraphQL, and web service security testing.

📚 Essential Wordlists

Quality wordlists are crucial for effective fuzzing and enumeration.

| Wordlist | Use Case | Source |
|---|---|---|
| SecLists | Comprehensive collection - directories, passwords, usernames, fuzzing | GitHub |
| rockyou.txt | Password cracking - 14 million common passwords | SecLists/Passwords/ |
| raft-medium-directories.txt | Directory fuzzing - balanced speed/coverage | SecLists/Discovery/Web-Content/ |
| common-api-endpoints.txt | API endpoint discovery | SecLists/Discovery/Web-Content/ |
| subdomains-top1million-5000.txt | Subdomain enumeration | SecLists/Discovery/DNS/ |
| fuzz.txt | Fuzzing for common vulnerabilities | SecLists/Fuzzing/ |

wordlists.sh

```bash
# Install SecLists
git clone https://github.com/danielmiessler/SecLists.git /opt/SecLists

# Alternative: Install via package manager
brew install seclists

# Common wordlist paths (after installation)
/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
/opt/SecLists/Discovery/Web-Content/common.txt
/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
/opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
```

💻 Installation by Platform

Tip

Recommended: Use Kali Linux or Parrot OS for pentesting - most tools come pre-installed. For macOS, Homebrew is the easiest package manager. For Windows, use WSL2 with Kali.

| Tool | macOS (Homebrew) | Linux (apt) | Windows |
|---|---|---|---|
| Nmap | brew install nmap | sudo apt install nmap | Download from nmap.org |
| Nikto | brew install nikto | sudo apt install nikto | WSL recommended |
| SQLMap | pip install sqlmap | sudo apt install sqlmap | pip install sqlmap |
| Hydra | brew install hydra | sudo apt install hydra | WSL recommended |
| ffuf | brew install ffuf | go install | Download binary from GitHub |
| Nuclei | brew install nuclei | go install | Download binary from GitHub |
| Burp Suite | Download from portswigger.net (all platforms) | | |
| Metasploit | Use official installer script (all platforms) | | |

✅ Tool Setup Checklist

🔧 Essential Setup

📡 Reconnaissance Tools

🎯 Fuzzing Tools

💥 Exploitation Tools

🎮 Practice Labs & Training

Practice using these tools ethically on intentionally vulnerable applications:

📖 Additional Resources

🎯 Tool Selection Guidance

When multiple tools serve similar purposes, choose based on your specific context:

| Purpose | Speed Winner | Accuracy Winner | When to Use Each |
|---|---|---|---|
| Subdomain Enum | Subfinder | Amass | Subfinder for quick scans; Amass for thorough enumeration with DNS brute force |
| Dir/File Brute | ffuf | Feroxbuster | ffuf for speed + flexibility; Feroxbuster for recursive crawling; Gobuster for simplicity |
| Web Proxy | Caido | Burp Suite Pro | Burp for full professional workflow; ZAP for free alternative; Caido for modern performance |
| Vuln Scanning | Nuclei | Burp Scanner | Nuclei for template-based mass scanning; Burp Scanner for in-depth per-app scanning |
| Password Attack | Hydra | Hashcat | Hydra for online brute force; Hashcat for offline hash cracking; John for versatility |

💳 Cost & Licensing Matrix

| Tool | License | Cost | Key Limitation (Free) |
|---|---|---|---|
| Burp Suite Pro | Commercial | $449/yr | Community: no scanner, throttled Intruder |
| OWASP ZAP | Open Source (Apache 2.0) | Free | None — fully featured |
| Caido | Freemium | Free / $8+/mo | Free: limited features |
| Nuclei | Open Source (MIT) | Free | None |
| SQLMap | Open Source (GPLv2) | Free | None |
| Metasploit | Dual | Free / $5K+/yr Pro | Free: no automated exploit, limited scan |
| Nessus | Commercial | $3,590/yr | Essentials: 16 IP limit |
| Hashcat | Open Source (MIT) | Free | None |
| Dradis | Dual | Free / $$$ | Free: limited integrations |

🎯 Post-Exploitation & C2 Tools

C2 Frameworks

  • Sliver — Modern, open-source C2 with implant generation, mTLS/HTTP(S)/WireGuard support
  • Mythic — Web-based C2 with modular agents (Python, C#, Go), collaborative operations
  • Cobalt Strike — Industry standard commercial C2 ($3,500/yr), Beacon payloads
  • Havoc — Modern post-exploitation C2 framework with demon agents

Lateral Movement

  • CrackMapExec — Swiss army knife for network pentesting (SMB, LDAP, WinRM)
  • Impacket — Python collection for working with network protocols (psexec, wmiexec, smbexec)
  • Evil-WinRM — WinRM shell for Windows remote management exploitation
  • Chisel — TCP/UDP tunnel over HTTP, used for pivoting into internal networks

🧩 Essential Burp Suite Extensions

| Extension | Purpose | Guide Phase |
|---|---|---|
| Autorize | Automated authorization testing — detects IDOR/broken access control | Exploitation (IDOR, Auth Bypass) |
| Logger++ | Enhanced request/response logging with regex filters | All phases |
| JS Link Finder | Extracts endpoints and links from JavaScript files | Recon, Enumeration |
| Param Miner | Discovers hidden parameters and cache poisoning vectors | Cache Poisoning, HPP |
| Turbo Intruder | High-speed request sending for race conditions and brute force | Race Conditions, Auth |
| InQL | GraphQL endpoint testing and introspection analysis | GraphQL Security |
| JWT Editor | View, edit, sign, and verify JWT tokens inline | JWT Attacks, OAuth |
| Active Scan++ | Enhanced active scanning with additional checks | Vulnerability Analysis |
| Hackvertor | Tag-based encoding/decoding for payload manipulation | WAF Bypass, All injection |

🗺️ Tool to Phase Mapping

Information

Use this reference to quickly identify which tools to use in each phase of your engagement. Click through to the respective guide section for detailed usage.

| Phase | Primary Tools | Guide Link |
|---|---|---|
| 1. Scoping | Nmap, Masscan, whois | Scoping |
| 2. Recon | Amass, Subfinder, theHarvester, httpx, GAU | Recon |
| 3. Scanning | Nmap, Nuclei, Nikto, WhatWeb | Scanning |
| 4. Enumeration | ffuf, Gobuster, Arjun, ParamSpider, Burp Spider | Enumeration |
| 5. Vuln Analysis | Burp Scanner, ZAP Active Scan, Nuclei templates | Vuln Analysis |
| 6. Exploitation | SQLMap, XSStrike, Commix, tplmap, Metasploit | Exploitation |
| 7. Post-Exploit | Sliver, CrackMapExec, Impacket, Chisel | Post-Exploit |
| 8. Reporting | Dradis, Ghostwriter, PwnDoc, CVSS Calculator | Reporting |