How to Pentest Your Web App Step-by-Step
NeuroStrike Research
Security Research Team
Penetration testing is the practice of testing a system's security by simulating real attacks. Unlike vulnerability scanning, which identifies potential weaknesses, pentesting proves they are exploitable. The difference matters: a vulnerability scanner might flag a theoretical SQL injection; a pentest shows you the exact query that extracts your user database.
This guide walks through the methodology we use. It is simplified — a full pentest engagement involves more depth — but it covers the process well enough to test your own application.
Phase 1: Reconnaissance
Before you attack anything, you need to understand what you are testing. Recon is about mapping the attack surface.
Passive Recon
- DNS records: subdomains, MX records, TXT records (dig, subfinder, amass)
- Technology stack: what framework, server, CDN? (Wappalyzer, WhatWeb)
- Public information: GitHub repos, error messages indexed by search engines, exposed .env files
- Certificate transparency logs: find subdomains via crt.sh
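A worked example of the certificate-transparency step, added here and not part of the original guide: it parses the JSON that crt.sh returns for a domain query (the `?q=%25.example.com&output=json` form), folds duplicates and wildcard entries, and compares the result with your own asset inventory to surface hosts that have public certificates but are missing from the list you maintain. The sample records, the `example.com` names and the `shadow_assets` helper are constructed for the demonstration.

```python
import json

# Constructed sample of the JSON crt.sh returns for a query such as
# https://crt.sh/?q=%25.example.com&output=json (sample records, not real ones).
# The real output uses the same field names; name_value holds one SAN per line.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "www.example.com",
     "name_value": "www.example.com\napi.example.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R2",
     "common_name": "staging-old.example.com",
     "name_value": "staging-old.example.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "API.EXAMPLE.COM",
     "name_value": "API.EXAMPLE.COM"},          # same host, different case
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "example.org",
     "name_value": "example.org"},              # out of scope
])


def parse_crtsh(raw: str, apex: str) -> set[str]:
    """Return the unique hostnames under `apex` found in crt.sh JSON output.

    `name_value` can hold several SAN entries separated by newlines; wildcard
    entries are recorded as their base name; case is folded so duplicates merge.
    """
    apex = apex.lower()
    hosts: set[str] = set()
    for record in json.loads(raw):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
    return hosts


def shadow_assets(discovered: set[str], inventory: set[str]) -> set[str]:
    """Hosts that have public certificates but are absent from your own asset list."""
    return discovered - {h.lower() for h in inventory}


if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    known = {"www.example.com", "api.example.com", "example.com"}
    print("in CT logs:      ", sorted(found))
    print("not in inventory:", sorted(shadow_assets(found, known)))
```

The hosts that come back from `shadow_assets` (here the forgotten `staging-old` name) are the ones most worth checking first: an environment nobody tracks is rarely patched or monitored.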
Active Recon
- Port scanning: what services are exposed? (nmap)
- Directory and file discovery: hidden endpoints, admin panels, backup files (ffuf, gobuster)
- API discovery: undocumented endpoints, GraphQL introspection, OpenAPI specs
Find what scanners miss
NeuroStrike runs autonomous breach simulations that go beyond checkbox security testing.
Start Free
Phase 2: Vulnerability Scanning
Automated scanners identify potential vulnerabilities at scale. They are fast but produce false positives and miss complex issues.
- OWASP ZAP: free, open source, good for beginners. Run the automated scan and review the alerts.
- Burp Suite: industry standard. The free Community edition does passive scanning; the Pro edition adds active scanning.
- Nuclei: template-based scanner with thousands of community-contributed checks. Excellent for known CVEs and misconfigurations.
Run all three against your staging environment. Each catches things the others miss.
Phase 3: Manual Testing
This is where real findings come from. Scanners find the obvious stuff. Manual testing finds the business logic issues that automated tools cannot understand.
Authentication Testing
- Can you bypass login by manipulating tokens or cookies?
- Does password reset work correctly, or can you reset another user's password?
- Are sessions invalidated on logout?
- Can you enumerate valid usernames via error messages or timing differences?
Authorization Testing
- Change IDs in URLs and API calls. Can user A access user B's resources?
- Can a regular user access admin endpoints?
- Are there horizontal privilege escalation paths?
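To make the ID-swapping check concrete, here is an added example (not code from the original guide or from NeuroStrike) that pairs a lookup with no ownership check against a hardened one, then replays every caller/resource combination to list the pairs where a non-owner was let through. The `User` and `Invoice` records, the `Forbidden` exception and the `find_idor` harness are constructed for the demonstration; a real test would call the application's HTTP endpoints instead of in-process functions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


# Constructed sample data: invoice id -> record (not from any real system)
INVOICES = {
    101: {"owner_id": 1, "total": 40.00},
    102: {"owner_id": 2, "total": 99.50},
}


def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """Looks the record up by id only. Any logged-in user can read any invoice
    just by changing the id in the URL (insecure direct object reference)."""
    return INVOICES[invoice_id]


def get_invoice_hardened(caller: User, invoice_id: int) -> dict:
    """Object-level authorization: the caller must own the record or be an admin."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner_id"] != caller.id and caller.role != "admin"):
        # One response for "does not exist" and "not yours", so the error
        # itself cannot be used to confirm which ids are valid
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def find_idor(handler, users: list[User], resource_ids: list[int]) -> list[tuple[int, int]]:
    """Replay every (caller, resource) pair through `handler` and return the
    pairs where a non-owner, non-admin caller was granted access."""
    findings = []
    for user in users:
        for rid in resource_ids:
            try:
                handler(user, rid)
            except (Forbidden, KeyError):
                continue  # access denied: not a finding
            owner_id = INVOICES.get(rid, {}).get("owner_id")
            if owner_id != user.id and user.role != "admin":
                findings.append((user.id, rid))
    return findings


if __name__ == "__main__":
    users = [User(1, "user"), User(2, "user")]
    print("vulnerable:", find_idor(get_invoice_vulnerable, users, [101, 102]))
    print("hardened:  ", find_idor(get_invoice_hardened, users, [101, 102]))
```

The matrix approach is what makes this repeatable: run it with two low-privilege accounts after every deploy and a new endpoint that forgot the ownership check shows up as a non-empty findings list.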
Injection Testing
- SQL injection: add single quotes, UNION SELECT, and boolean-based payloads to every input
- XSS: inject script tags and event handlers into every input that is reflected in the page
- Command injection: if any input is used in system commands, test with semicolons and pipe characters
- SSRF: if the app makes requests to user-supplied URLs, test with internal IP addresses
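The SQL injection bullet above describes what the tester sends; the following added example (not from the original guide) shows what the two outcomes look like on the application side and why parameter binding is the fix. It builds an in-memory SQLite table with constructed rows, runs the same inputs through a concatenated query and a parameterised one, and classifies each result the way a tester reads it. The `probe` helper and the table contents are assumptions made for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real user data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameter binding: the driver sends the input as data, never as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe(lookup, conn: sqlite3.Connection, value: str) -> tuple[str, object]:
    """Classify the outcome the way a tester reads it: a database error means
    the input reached the SQL parser; a row count that changes with the payload
    means the query logic was altered. Both are findings; the hardened path
    produces neither."""
    try:
        rows = lookup(conn, value)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    return ("rows", len(rows))


if __name__ == "__main__":
    conn = build_db()
    for value in ["alice", "o'brien", "x' OR '1'='1"]:
        print(f"{value!r:18} vulnerable={probe(lookup_vulnerable, conn, value)} "
              f"hardened={probe(lookup_hardened, conn, value)}")
```

Note that a legitimate name such as `o'brien` already breaks the vulnerable query; the single-quote probe from the bullet list is simply that bug observed deliberately. The hardened lookup returns zero rows for both odd inputs, which is the behaviour to expect from a fixed endpoint when you retest.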
Business Logic
- Can you buy something for a negative price?
- Can you apply a discount code multiple times?
- Can you skip steps in a multi-step process?
- What happens if you send the same request twice simultaneously?
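The last two bullets (a discount code applied more than once, and the same request sent twice at the same instant) are usually one bug: a check-then-act sequence that is not atomic. The added example below (not code from the original guide or from NeuroStrike) models a single-use coupon with a vulnerable and a hardened redeem path and fires several identical requests at it simultaneously; the in-memory store, the `CouponService` class and the `race` harness are constructed for the demonstration, with a short sleep standing in for the database round-trip a real application would have between the read and the write.

```python
import threading
import time


class CouponService:
    """Single-use discount codes with a vulnerable and a hardened redeem path.

    Constructed demo: the store is an in-memory dict; the sleep stands in for
    the round-trip a real app has between reading the record and updating it.
    """

    def __init__(self, codes: list[str]) -> None:
        self._redeemed = {code: False for code in codes}
        self._lock = threading.Lock()

    def redeem_vulnerable(self, code: str) -> bool:
        # 1. check: unknown or already-used codes are rejected ...
        if self._redeemed.get(code, True):
            return False
        time.sleep(0.02)
        # 2. act: ... but every caller that passed the check before this write
        #    lands here too, so one code yields several discounts
        self._redeemed[code] = True
        return True

    def redeem_hardened(self, code: str) -> bool:
        # Check-and-set is atomic. The SQL equivalent is a single conditional
        # update, e.g. UPDATE coupons SET used = 1 WHERE code = ? AND used = 0,
        # treating a rowcount of 0 as "already redeemed".
        with self._lock:
            if self._redeemed.get(code, True):
                return False
            time.sleep(0.02)
            self._redeemed[code] = True
            return True


def race(redeem, code: str, attempts: int = 5) -> int:
    """Release `attempts` identical requests at the same instant and return how
    many were accepted. Anything above 1 for a single-use code is a finding."""
    start = threading.Barrier(attempts)
    results: list[bool] = []

    def worker() -> None:
        start.wait()  # all threads pass this point together
        results.append(redeem(code))

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("vulnerable accepted:", race(CouponService(["SAVE10"]).redeem_vulnerable, "SAVE10"))
    print("hardened accepted:  ", race(CouponService(["SAVE10"]).redeem_hardened, "SAVE10"))
```

The same pattern applies to any one-shot action (balance transfers, vote submission, file-quota checks): the question to ask in review is whether the "is it still available?" read and the "mark it used" write happen inside one transaction or lock, because a scanner cannot tell you that and a manual tester only finds it by trying.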
Phase 4: Reporting
Every finding should include:
- Description: what the vulnerability is
- Severity: critical, high, medium, low, or informational
- Proof of concept: exact steps to reproduce
- Impact: what an attacker could do with this
- Remediation: how to fix it
When Manual Is Not Enough
Manual pentesting is thorough but slow, expensive, and does not scale. A professional pentest costs $5,000 to $50,000 and takes one to four weeks. You cannot run one every sprint.
This is where automated breach simulation fits. NeuroStrike's autonomous agents follow the same methodology — recon, scanning, exploitation — but they do it continuously, at machine speed. They do not replace manual testing for complex business logic, but they cover everything else at a fraction of the cost and time.
Sign up and run your first scan. See what an autonomous agent finds in your application. You might be surprised.