This methodology covers the basics of conducting a web application pentest. It is aimed at beginners and those who want a refresher on the basics of conducting such an assessment.
It assumes a scoping exercise has been conducted before the engagement proper begins. The methodology covers the most common web application vulnerabilities and provides guidance for approaching the relevant part of the test. Optional comments include further information on exploits and on common incorrect approaches to securing applications against selected vulnerabilities.
This methodology works for any type of pentest, regardless of whether you have access to the application's source code. It aims to focus thinking on the business side of cyber security by ensuring the work conducted is contextualised for the relevant client.
Large parts of the methodology are derived from the OWASP Web Security Testing Guide, supplemented with my own knowledge and experience.
The docx folder contains the methodology as a .docx file.
The pdf folder contains the methodology as a .pdf file, in two separate versions: one that includes the extra comments and one that does not.
Simply fill in the document as you proceed! There is no right or wrong way to document your findings.
- v0.5 - Initial draft
Upcoming versions: extra comments and proofreading