The Web Pentesting Beginner’s Roadmap: From Recon to Server-Side
A structured reference guide for anyone who just finished their first web security course.
After completing the Hacksmarter Web Pentesting course, I wanted to consolidate the methodology into a single source of truth. Whether you are preparing for a bug bounty or just securing your own apps, this is the mental framework you need.
1. Reconnaissance (The Foundation)
Pro-Tip: Always check robots.txt and sitemap.xml before running heavy scans. You’d be surprised what developers "hide" in plain sight.
Fingerprinting: Use curl, Burp/Caido, or the Wappalyzer extension to identify the tech stack.
Directory Brute Forcing: dirsearch, dirb, or gobuster to find hidden endpoints.
Subdomains & Vhosts: ffuf (with custom wordlists or scripts) and gobuster.
Business Logic Prep: Become a user! Map out the site functionalities. What can a standard user do vs. an Admin?
OSINT & Scanning: Google Dorks and Shodan for passive discovery; Nmap for port scanning.
2. Authentication Assessment
Credential Attacks: Testing for weak passwords and credential stuffing.
MFA Bypass: Can you skip the 2FA step by manipulating the URL or response?
Password Resets: Testing for predictable tokens or Host Header Injection in reset links.
OAuth: Checking for misconfigured redirect URIs.
3. Session Management
Cookie Security: Ensure HttpOnly and Secure flags are set.
Session Fixation: Does the session ID stay the same after login? (It shouldn't).
JWT (JSON Web Tokens): Test for weak signing secrets or the infamous "alg": "none" vulnerability, where the server accepts a token with no signature at all.
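As an added example (not part of the original post or the course it summarizes), here is a minimal HS256 verifier built on Python's standard library that makes the two JWT checks above concrete: it pins the accepted algorithm server-side so an "alg": "none" token is rejected, and refuses to run with a secret shorter than 256 bits. The secret, claims, and helper names are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real HS256 key must be random and at least 256 bits.
SECRET = b"demo-secret-change-me-0123456789abcdef"
ALLOWED_ALGS = {"HS256"}  # pinned server-side; never taken from the token header
MIN_SECRET_LEN = 32

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way a correct server would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def unsigned_token(claims: dict) -> str:
    """Test vector: the alg:none shape (empty signature) a verifier must reject."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def verify(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the alg is allowlisted and the HMAC matches."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("HS256 secret must be at least 256 bits; short secrets are brute-forceable")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON or bad UTF-8
        return None
    # The header is attacker-controlled input: the algorithm comes from server config, not from it.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))
```

A verifier that instead reads the algorithm from the header and skips the HMAC when it says "none" would return the forged admin claims; this one returns None for that token and for any signature made with a different key.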
4. Authorization (The "Permission" Gap)
IDOR (Insecure Direct Object Reference): Changing id=123 to id=124 to see someone else's data.
Broken Access Control: Accessing /admin as a guest.
Mass Assignment: Can you add "is_admin": true to a profile update JSON?
5. Client-Side Vulnerabilities
XSS: Reflected, Stored, and DOM-based attacks.
CSRF: Forcing users to perform actions without their consent (e.g., changing an email).
The Rest: Open Redirects, CORS misconfigurations, HTML Injection, and Clickjacking.
6. Server-Side Vulnerabilities
Injections: SQLi and NoSQLi.
SSRF: Forcing the server to make requests to internal metadata services (e.g., AWS/GCP).
File Uploads: Bypassing filters to upload a Web Shell (PHP/JSP).
Execution & Traversal: Path Traversal, SSTI (Template Injection), and OS Command Injection.