Introduction
Revision Historyβ
| Date | Author | Summary |
|---|---|---|
| 21-MAR-2026 | CW2 Bernadotte | Initial draft |
Purposeβ
This document provides a comprehensive reference for web application penetration testing (WAPT) using Kali Linux. It covers the full testing lifecycle - from reconnaissance through exploitation - across all major web vulnerability classes, built around the OWASP Web Security Testing Guide (WSTG) methodology.
This AID is deliberately more than a tool reference. Web application testing requires operators to understand why vulnerabilities exist, what indicators to look for, and when to use one tool over another. An operator who only knows how to run sqlmap will miss everything sqlmap doesn't test for. The goal is to develop the pattern recognition that makes an effective web pentester.
Scopeβ
This AID covers the web application layer:
- Reconnaissance, fingerprinting, and content discovery
- Vulnerability identification and exploitation via the HTTP interface
- Authentication, session management, access control, and injection flaws
- API attack surfaces (REST, GraphQL, JWT)
Out of scope: Host-level post-exploitation after initial access (lateral movement, privilege escalation on the OS, credential dumping). Refer to HA-SOP-003 and CTE-AID-001/002 for those activities.
Framework Referenceβ
All procedures align to the OWASP Web Security Testing Guide (WSTG), the industry standard for structured web application security testing. WSTG test case IDs are referenced throughout (e.g., WSTG-INFO-01). The full guide is available at owasp.org/www-project-web-security-testing-guide.
Requirementsβ
- Kali Linux VM (tools assumed pre-installed)
- MEL-authorized scope confirming the target application(s) and host(s) are within the assessment boundary
- Target URL(s), any provided credentials (for authenticated testing), and network access to the target
OPSEC Considerationsβ
Automated web scanners (nikto, wapiti, sqlmap in aggressive modes) are loud. They generate high-volume, distinctly-patterned HTTP traffic that appears in web server logs, triggers WAF rules, and may cause rate limiting or IP blocking. Always confirm scope and assess detection risk before running automated tools.
| Technique Category | Traffic Generated | Visibility |
|---|---|---|
| Passive (whois, cert transparency, source review) | None to target | None |
| Active manual (curl, browser, targeted requests) | Low | Present in access logs |
| Directory brute force (gobuster, ffuf) | High volume | Highly visible |
| Vulnerability scanning (nikto, wapiti) | High volume + attack patterns | Triggers WAF/IDS |
| Exploitation (sqlmap, XSStrike) | Attack payloads | Certain detection on monitored targets |
- Use
--delay,--rate, or equivalent flags to throttle scan speed when stealth is required - If a WAF is detected, aggressive scanning will result in blocks - prefer manual testing or WAF evasion techniques
- Always test lowest-noise techniques first; escalate to automated tools only when manual probing confirms a valid attack surface