My Modern interpretation of The Web Application Hackers Handbook

10 minute read

Based on The Web Application Hackers Handbook2 and modern toolset



This blog post is intended to summary my reading of “The Web Application Hackers Handbook2”.

I will assemble a modern methodology with present trending tools based on Chapter 21.


Tools summary:

  1. ffuf - content discovery fuzzing tool written in go -
  2. dirsearch - Python content discovery fuzzing tool -
  3. OWASP Amass - Asset Discovery tool -
  4. Sublist3r - Asset Discovery enumerating subdomains using OSINT -
  5. subfinder - Subdomain discovery tool -
  6. BurpSuite - Web Proxy tool -
  7. Wappalyzer - Web extension to identify technology on websites -
  8. aquatone - tool for visual inspection of websites across a large amount of hosts -
  9. httprobe - Take a list of domains and probe for working http and https servers -
  10. assetfinder - Finding domains and subdomains tool written in go -
  11. waybackurls - fetch known URLs from the Wayback Machine for *.domain -
  12. SecLists - multiple types of lists used during security assessments -
  13. fprobe - probe for working http/https server -
  14. sqlmap - Automatic SQL injection and database takeover tool -
  15. subjack - Subdomain Takeover tool written in Go -
  16. gau - Fetch known URLs from multiple resources -
  17. ZDNS - Fast CLI DNS Lookup Tool -
  18. hakrawler - Simple, fast web crawler -
  19. anti-burl - probe Urls for 200 OK response code -
  20. jq - jq is a lightweight and flexible command-line JSON processor -
  21. gf - A wrapper around grep, to help you grep for things -
  22. Paramspider - Mining parameters from dark corners of Web Archives -
  23. getJS - A tool to fastly get all javascript sources/files -
  24. LiveTargetsFinder - automating the usage of Massdns, Masscan and nmap -
  25. OpenRedireX - Open redirect Fuzzer -
  26. SSRFire - An automated SSRF finder using gau, ffuf, qsreplace and OpenRedirex -
  27. XSRFProbe - Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit -
  28. XSStrike - advanced XSS scanner -
  29. LFI Suite - Automatic LFI Exploiter (+ Reverse Shell) and Scanner -
  30. OneForAll - Powerful subdomain integration tool -
  31. lazyrecon - automate some tedious tasks of reconnaissance and information gathering
  32. Nikto - web server scanner -
  33. reflector - Burp plugin able to find reflected XSS on page in real-time while browsing on site
  34. GitHound - GitHound pinpoints exposed API keys on GitHub -
  35. Firefox Multi-Account Containers extension - use the web with multiple identities or accounts simultaneously -
  36. Nuclei - fast tool for configurable targeted scanning -
  37. XSSHunter - Website which helps exploring all kinds of XSS vulnerabillities -
  38. dotdotslash - Search for Directory Traversal Vulnerabilities -

    Mapping The Application Content


Running your reconnaissance

Creating a bash script which will create eventually a list of possible-alive subdomains, using Amass, Sublist3r,subfinder,assetfinder. Example :

  • python -d -t 50 -p 80,443 -o subdomains1.txt
  • amass enum -passive -d -o subdomains2.txt
  • subfinder -d -o subdomains3.txt
  • assetfinder [–subs-only] -o subdomains4.txt
  • cat subdomains1.txt subdomains2.txt subdomains3.txt subdomains4.txt > subdomains.txt

Another option - Automating the recon procces with one-liner’s such as OneForAll and lazyrecon:

  • OneForAll - python3 –target run oneforall
  • lazyrecon - ./ -d

Now, we have a list of possible alive subdomains of our target at subdomains.txt. We have to sanitize the list to working subdomains, there are several methods to do so.

  • httprobe - cat subdomains.txt httprobe
  • aquatone - cat subdomains.txt aquatone
  • LiveTargetsFinder - python3 –target-list subdomains.txt
  • fprobe - cat subdomains.txt fprobe
  • anti-burl - cat subdomains.txt anti-burl

  • Test for subdomain takeover using subjack - ./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl

Explore Visible Content

  • Configuring BurpSuite with your browser, passively spider the site by monitoring and parsing web content processed by the proxy.
  • Install Wappalyzer to fingerprint the website foundations (CMS/Languages) etc..
  • Browse the entire application in the normal way, visiting every link and URL, Making sure Burp is open.
  • Review the site map generated by the passive spidering.
  • Actively crawl the application - using hakrawler/Burp scan.

Consult Public Resources

Discover Hidden Content

  • Review all client-side code to identify any clues about hidden server-side content, including HTML comments and disabled form elements.
  • Use Fuzzing techniques recursively - ffuf, dirsearch with SecLists content-discovery text files.

Discover Default Content

  • Running nikto against our target to detect any default or well-known content that is present - perl -host
  • Verify any potentially interesting findings manually to eliminate any false positives within the results.

Test for Debug Parameters

  • Use listings of common debug parameter names (such as debug, test, hide, and source) and common values (such as true, yes, on, and 1).
  • Review the application’s responses for any anomalies that may indicate that the added parameter has had an effect on the application’s processing.

Analyze the Application


Identify Functionality

  • Test the authentication mechanism, map the actions which are available for the user when interacting with the web application.

    Identify Data Entry Points

  • run ParamSpider - python3 –domain –exclude php,jpg,svg –output targetparams.txt

    Identify the Technologies Used

  • Manually with WAPPALYZER / running nikto on the target domain.
  • Check and inspect the headers returned on burpsuite.
  • Map any third-party modules which are been integrated with the target domain.

    Map the Attack Surface

  • Assembling a list of interesting locations which might be vulnerable such as File upload/Contact/Search pages and etc…

Test Client-Side Controls


Test Transmission of Data Via the Client

  • Check for instances within the web application where data is transmitted via hidden form fields, cookies and URL Parameters. Modify the values in order to exploit relevent functionality.

Test Client-Side Controls Over User Input

  • Walk through the application source page to identify cases of client-side controls, which could get bypassed easily.

Test the Authentication Mechanism


Understand the Mechanism

  • Register to the Web application as a regular user would, inspect the requests of the proccess within burpsuite.

    Test Password Quality

  • Make manipulations on the input so it will bypass the site restrictions, such as using NULL BYTE or using only “SPACE” chars as the password, it might bypass the password by assigning these combinations: “Gal 1234 56 78” and “Gal12345678” to act the same way.
  • Enter long and complex password, and check if the Authentication mechanisem truncates characters from the password.

    Test for Username Enumeration

  • There are several ways to test for usernames already registered within the web application, mostly through error messages presented by the authentication mechanism, this article from owasp includes several useful methods to do so:

Test Resilience to Password Guessing

  • Try brute-forcing with burp intruder on the login page, check whether there is rate-limiting block implemented.

    Test Any Account Recovery Function

  • Testing the password reset functionality, check if there is a way to manipulate the mechanism in order to takeover the account requesting for password reset. additionally, you can use the password reset page for Mass-Spam into legitimate emails by brute-force when there is no rate-limiting blocks implemented. combining the brute force attack with unrestricted length input from the user, could even lead to Application DOS. This can be easily tested by burp intruder.

    Test Any Remember Me Function

  • Check if there are any special cookies asserted to the user by choosing the “Remember me” function, if so, try to change the value of those cookies to take over other accounts.

    Test Any Impersonation Function

  • While testing for passwords by brute-forcing, inspect if there are several users with the same password, which could indicate that the password is being used as “Backdoor password” by the administrators.

    Test Username Uniqueness

  • Try to sign-up with the same username twice, if it succeeds, try to manipulate any password reset/account deletion by inserting the username value, you might takeover the account you impersonated.

    Check for Unsafe Transmission of Credentials

  • Check within burp if there is a login page without HTTPS, if so - it is reportable as P4 Bug, because if there is wire-shark enabled on the same network, the password are being captured on HTTP (Clear-Text) to anyone inspecting the network flow.

    Check for Unsafe Distribution of Credentials

  • Determine whether account activation/registeration link sent via-email is randomly generated, and not time-based.

    Test for Insecure Storage

  • If there is access to hashed passwords, determine whether there are salted.

    Test Any Multistage Mechanisms

  • Try to proceed the authentication stages out of the original order, check for any modification which could bypass the next stage of the proccess.

    Exploit Any Vulnerabilities to Gain Unauthorized Access

  • Use the information gathered on previous steps to try and takeover accounts on the web application.


Understand the Mechanism

Test Tokens for Meaning

Test Tokens for Predictability

Check for Insecure Transmission of Tokens

Check for Disclosure of Tokens in Logs

Check Mapping of Tokens to Sessions

Test Session Termination

Check for Session Fixation

Check for CSRF

Test Access Controls


Understand the Access Control Requirements

  • Re-use the directory fuzzing in previous stages as authenticated user, and as administrator (if presented), determine the functionalities which require you to be authenticated, and try bypassing those by manipulating parameters / going straight into a specific file/page location.

    Test with Multiple Accounts

  • Use Firefox Multi-Account Containers extension - register with several users and try to access data which should be presented only locally to the specific user. focus on pages where there are numbers as parameters, such as userid/picture id, which might get manipulated by changing it’s value. this test could be fruitful for IDOR vulnerabilities.

Test for Insecure Access Control Methods

  • Search for access controls based on request parameters such as url/blabla&admin=true, find those endpoints by looking at the crawling results from previous steps.

Test for Input-Based Vulnerabilities


Fuzz All Request Parameters

  • Fuzz recursively using ffuf/dirsearch/Burp intruder urls which had returned 401/403 response code, in order to find broken access controls and sensitive/hidden information. ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime-job 60 -recursion -recursion-depth 3

    SQL Injection

  • Make inputs in order to find error messages which might indicate that SQL injection vulnerabillity exist such as: ‘


  • Blind SQLI :

‘; waitfor delay ‘0:30:0’–

1; waitfor delay ‘0:30:0’–

  • Automation using SQLMAP : python3 -u “” –batch –banner

XSS and Header Injection

  • Check for input areas where the text is displayed back as output manually, or from the ParamSpider txt file.
  • Inject unique word (like your first name) with the following characters ‘”<>;, in order to determine if there is encoding/sanitization of those characters.
  • Use burp reflector extension at the crawling stages, you will recieve alerts where there are reflected parameters which allow the special escape characters mentioned above. reflector
  • Automate the injection process by using XSStrike on the specific url.
  • Use features in order to test for Blind XSS aswell.

Path Traversal

  • Check up the ParamSpider txt file, use gf to find the parameters which ends with “file=”
  • try Path traversal payloads manually.
  • Automate the proccess with dotdotslah - [-h] –url URL –string STRING [–cookie COOKIE] [–depth DEPTH] [–verbose] dotdotslash

Script Injection

File Inclusion

Open Redirection

  • Check up the ParamSpider txt file, use gf to find the parameters which ends with “redirect_url”,”url”
  • Use OpenredirectX on thos urls - python3.7 -l urls.txt -p payloads.txt –keyword FUZZ openredirex

    Test for Function-Specific Input Vulnerabilities


Test for SMTP Injection

Test for Native Software Vulnerabilities

Test for Integer Vulnerabilities

Test for Format String Vulnerabilities

Test for SOAP Injection

Test for LDAP Injection

Test for XPath Injection

Test for Back-End Request Injection

Test for XXE Injection

Test for Logic Flaws


Identify the Key Attack Surface

Test Multistage Processes

Test Handling of Incomplete Input

Test Trust Boundaries

Test Transaction Logic

Test for Shared Hosting Vulnerabilities


Test Segregation in Shared Infrastructures

Test Segregation Between ASP-Hosted Applications

Test for Application Server Vulnerabilities


Test for Default Credentials

Test for Default Content

Test for Dangerous HTTP Methods

Test for Proxy Functionality

Test for Virtual Hosting Misconfi guration

Test for Web Server Software Bugs

Test for Web Application Firewalling

Miscellaneous Checks


Check for DOM-Based Attacks

Check for Local Privacy Vulnerabilities

Check for Weak SSL Ciphers

Check Same-Origin Policy Confi guration

Follow Up Any Information Leakage

Thanks for Reading!


  1. The Web Application Hackers Handbook 2 -