Skip to content
Security Handbook

OWASP for Penetration Testers

Moving beyond compliance checklists. A definitive guide to real-world exploitation, manual techniques, and the attacker mindset mapped to global security standards.

Offensive Focus

  • Manual exploitation flows
  • WAF evasion techniques
  • Logic & IDOR chaining
  • Cloud metadata pivoting

Business Value

  • Translate risk to executives
  • CVSS v4.0 scoring
  • MITRE ATT&CK mapping
  • Actionable remediation

The Core Philosophy

Understanding OWASP beyond the basic vulnerability checklist.

Compliance vs. Pentesting

Compliance frameworks (PCI-DSS, ISO 27001) are about proving due diligence and auditability. They mandate "what" needs to be done. OWASP, from a pentester's perspective, provides the granular "how-to" guidance for secure coding, architecture, and finding vulnerabilities. Pentesting is about finding exploitable flaws and demonstrating real-world impact, not just checking a box.

The Interconnected Ecosystem

  • ASVS (Application Security Verification Standard): The "How to Build Secure" blueprint. Used for architecture reviews and scoping depth.
  • WSTG (Web Security Testing Guide): The "How to Break" manual. The premier testing resource guiding the exploitation phase.
  • OWASP Top 10: The "What to Focus On" metric. Represents the most critical, real-world impact vulnerabilities.
  • Cheat Sheets: The "How to Fix" guide. Direct, practical guidance on effective remediation after a vulnerability is confirmed.
Prerequisites

Chapter 0:
Lab Environment Setup

Before diving into the intricacies of web application vulnerabilities, establishing a robust, isolated, and legally compliant testing environment is paramount. Here is how you build your practice arena.

0.1 The "Vulnerable by Design" Philosophy

Testing on live production systems without explicit authorization is illegal. Setting up localized, intentionally vulnerable applications ensures you can learn securely and effectively without causing unintended outages.

Deep Dive: Why Local Containerization?

Modern penetration testing heavily relies on containerization. Utilizing Docker for your lab environment provides several distinct advantages:

  • Isolation: Vulnerable applications remain sandboxed from your host machine.
  • Reproducibility: Easily reset environments to a clean state after destructive testing.
  • Portability: Run multiple vulnerable web applications side-by-side without port conflicts.

0.2 Standard Pentesting Architecture

Lab Topology
graph LR A[Kali Linux OS] --> B(Burp Suite Proxy) B -->|HTTP/HTTPS| C(Docker Daemon) C --> D[OWASP Juice Shop] C --> E[WebGoat] C --> F[bWAPP] class A danger; class B safe; class C warning; class D,E,F card;

0.3 Essential Arsenal Toolkit

Having the right tools is half the battle. Here are the indispensable components every penetration tester must configure.

  1. 1
    Proxy (Burp Suite / OWASP ZAP) Intercept and modify HTTP/HTTPS requests on the fly. This is your primary weapon for manipulating application logic.
  2. 2
    Browser Plugins (FoxyProxy) Easily toggle your browser's proxy settings to route traffic through Burp Suite or ZAP at the click of a button.
  3. 3
    Wordlists (SecLists) A comprehensive collection of payloads, passwords, and directories essential for fuzzing and enumeration.

Popular Vulnerable Apps

  • OWASP Juice Shop Modern web app vulnerabilities (Node.js, Angular).
  • DVWA Damn Vulnerable Web Application (PHP/MySQL).
  • WebGoat Java-based vulnerable application maintained by OWASP.

0.4 Installation Commands

OWASP Juice Shop Docker Deployment

Terminal
Bash 
docker run --rm -p 3000:3000 bkimminich/juice-shop

Accessing Juice Shop

Once the container is running, open your browser and navigate to http://localhost:3000.

DVWA Docker Deployment

Terminal
Bash 
docker run --rm -it -p 8080:80 vulnerables/web-dvwa

Access via http://localhost:8080. Log in with admin / password, and click "Create / Reset Database" at the bottom of the setup page.

bWAPP Docker Deployment

Terminal
Bash 
docker run -d -p 8081:80 hackersploit/bwapp-docker

Access via http://localhost:8081/install.php to initialize the database, then visit http://localhost:8081/login.php (bee / bug).

Configuring Burp Suite CA Certificate

The HTTPS Error

If you intercept HTTPS traffic without installing the Burp CA, your browser will reject the connection due to an invalid certificate.
  • Installation Steps
    1. Start Burp Suite and turn Proxy Intercept ON.
    2. Visit http://burp in your proxy-configured browser.
    3. Click "CA Certificate" in the top right to download cacert.der.
    4. Import this certificate into your browser's Trusted Root Certification Authorities.
OWASP Top 10 - A01:2025

Chapter 1:
Broken Access Control

The fundamental failure of an application to enforce policies restricting users to their intended permissions. Moving beyond "authenticated equals authorized."

1.1 Architectural Root Cause

Broken Access Control (BAC) isn't just a simple bug; it's a systemic architectural failure. It occurs when the server implicitly trusts client-side input regarding object identifiers or functional requests without performing a rigorous, contextual re-verification of privileges.

Deep Dive: The 'Trust' Fallacy

In a properly secured application, the processing flow must involve: Authentication (Who are you?), Authorization (Can you do this?), and Object-Level Validation (Can you do this to this specific object?). BAC occurs when step 3 is missing. For example, an API endpoint accepts an object ID and performs an action, but the server-side code neglects to check if the authenticated user actually owns that object.

  • Over-reliance on Client-Side State: Hiding admin buttons in React, but leaving the /api/admin/deleteUser endpoint unprotected.
  • Predictable Identifiers: Using sequential IDs (id=1) makes enumeration trivial.
  • Blind Trust in Input: Treating user-supplied parameters (like "isAdmin": true in a JSON body) as benign.

1.2 Request Lifecycle & IDOR Exploitation

IDOR Attack Flow Architecture
sequenceDiagram actor Attacker (User A) participant WebApp as Web Application participant Database Attacker->>WebApp: GET /api/profile?id=A_123 (Legitimate) WebApp->>Database: SELECT * FROM users WHERE id=A_123 Database-->>WebApp: Returns Data A WebApp-->>Attacker: 200 OK (Data A) Note over Attacker,Database: The IDOR Attack Phase Attacker->>WebApp: GET /api/profile?id=B_456 (Malicious) Note over WebApp: MISSING CHECK: Does User A own B_456? WebApp->>Database: SELECT * FROM users WHERE id=B_456 Database-->>WebApp: Returns Data B WebApp-->>Attacker: 200 OK (Data B Leaked)

1.3 Manual Exploitation Workflow

Automated scanners often miss nuanced logic vulnerabilities. The pentester's mindset must be "never trust the client."

  1. 1
    Recon & Mapping Explore the app as unauthenticated, low-privilege, and admin. Identify all IDs (numeric, UUIDs, strings in JWTs).
  2. 2
    Dual-Session Setup Establish two distinct sessions (User A and User B) in Burp Suite to easily swap contexts.
  3. 3
    Systematic Tampering Capture User A's request, swap the ID parameter to User B's ID, and observe the backend response.

Critical Vectors

  • Horizontal IDOR Accessing a peer's data.
  • Vertical Escalation Hitting admin endpoints.
  • Mass Assignment Injecting unauthorized JSON fields.

1.4 Practical Application

Real-World Request Modification

/api/v1/users/profile
Original Request 
PUT /api/v1/users/profile HTTP/1.1
Host: api.target.com
Authorization: Bearer eyJhbGciOi...[User A Token]
Content-Type: application/json

{"{"}"email": "userA@test.com", "name": "User A"{"}"}

Attack Scenario (BOPLA)

Injecting privileged properties assuming the backend doesn't sanitize the JSON bind. By adding "isAdmin": true, we test if the server implicitly trusts the client object.
/api/v1/users/profile
Malicious Payload 
PUT /api/v1/users/profile HTTP/1.1
Host: api.target.com
Authorization: Bearer eyJhbGciOi...[User A Token]
Content-Type: application/json

{"{"}"email": "userA@test.com", "name": "User A", "isAdmin": true, "role": 1{"}"}

Pentester Detection Methodology

  • Burp Suite Autorize: The most critical tool. Supply a low-privileged token, and Autorize automatically replays all captured high-privileged requests to test for authorization failures.
  • Burp Repeater: Manual, iterative modification of IDs. Crucial for analyzing complex error messages.
  • Param Miner: Discovers hidden or unlinked parameters that might control authorization state.

WAF & Filter Bypass Techniques

WAFs cannot generally stop IDOR because they lack application context (they don't know who owns ID 456). However, parameter pollution can bypass simple checks.

HTTP Parameter Pollution (HPP)

If the WAF checks the first parameter (MY_ID) but the backend Node/Express server processes the last parameter (VICTIM_ID), the attack succeeds.
/api/get_receipt
HPP Payload 
GET /api/get_receipt?user_id=MY_ID&user_id=VICTIM_ID

Developer Remediation

Common Developer Mistake

Assuming that using a UUID instead of a sequential integer ID prevents Broken Access Control. A UUID only prevents enumeration. If an attacker discovers a UUID (e.g., via a leaked link or another API), the authorization check is still missing.
  • Centralized Server-Side Enforcement All access decisions must occur on the server. Implement robust ABAC/RBAC mechanisms in a unified middleware layer.
  • Ownership Verification: For every request using an object ID, query the database ensuring the owner_id matches the session.
  • Avoid Implicit Binding: Do not automatically map JSON request body properties to internal database models to prevent Mass Assignment. Explicitly whitelist allowed properties.
OWASP Top 10 - A03:2025

Chapter 2:
Injection & Execution

Breaking the boundary between data and instruction. Forcing the application to interpret malicious input as executable code.

2.1 Architectural Root Cause

Injection vulnerabilities arise from a fundamental architectural breakdown: the failure to rigorously separate data from executable instructions. Instead of treating input as inert data, the application directly concatenates user-controlled input into a string that forms an executable statement for a downstream interpreter.

Deep Dive: Interpreter Processing

The interpreter cannot distinguish between the legitimate command logic written by the developer and the malicious input injected by the attacker. Because it's all processed as a single string, the entire statement is executed.

  • Database (SQL/NoSQL): Leads to data exfiltration or modification.
  • Operating System Shell: Leads to Remote Code Execution (RCE) via command injection.
  • Template Engine (SSTI): Leads to server-side code execution if the template evaluates untrusted syntax.

2.2 The SQLi Data Exfiltration Chain

SQL Injection Execution Path
flowchart LR A[Attacker]:::danger -->|Injects Payload| B(Web Form / API) B -->|String Concatenation| C[(Database Server)]:::safe C -->|Syntax Error| D[Application Error] C -->|Union Select| E[Exfiltrate Data]:::safe C -->|Sleep Command| F[Time Delay]:::warning E --> A F -.->|Observes Delay| A

2.3 Manual Exploitation Workflow

Automated scanners catch the obvious errors. Senior pentesters find blind, out-of-band, and logic-based injections manually.

  1. 1
    Input Mapping Identify every single input vector (URL params, JSON fields, custom headers like X-Forwarded-For).
  2. 2
    Syntax Breaking Send single quotes ', double quotes ", or template syntax {{7*7}} to induce backend errors.
  3. 3
    Blind Identification If errors are hidden, use boolean logic (AND 1=1) or time delays (pg_sleep(10)).

Critical Injection Types

  • Time-Based Blind Measuring response time to extract data bit by bit.
  • Out-Of-Band (OOB) Forcing a DNS request to an attacker server.
  • SSTI Injecting Jinja2/Twig syntax to execute code.

2.4 Practical Application

Real-World Payloads

Time-Based Blind SQLi (PostgreSQL)
Payload 
1' AND (SELECT 1 FROM (SELECT(sleep(10)))a)--

Server-Side Template Injection

SSTI in Jinja2 allows attackers to escape the template sandbox. We use Python's built-in __globals__ to access the `os` module and execute arbitrary system commands, bypassing the web application entirely.
SSTI (Jinja2) resulting in Remote Code Execution
Payload 
{"{"}{"{"} self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() {"}"}{"}"}
Command Injection (Bypassing Space Filters)
Payload 
127.0.0.1;cat$IFS/etc/passwd

Pentester Detection Methodology

  • Burp Intruder: Fuzzing parameters with specialized wordlists (e.g., SecLists) designed to trigger specific database errors or time delays.
  • sqlmap: Highly automated database takeover tool. Pentesters use it after manually confirming an injection point to speed up exfiltration.
  • Burp Collaborator: Essential for Out-of-Band (OOB) injections. Generates unique domain names to detect if a backend system executes a DNS lookup payload.

WAF Bypass & Filter Evasion

WAFs rely on signature matching. Pentesters evade them by altering the payload signature while maintaining its executable logic.

Evasion Strategy

Never rely on a single payload. If a WAF blocks `SELECT`, try `S%45LECT` or `SEL/**/ECT`. The database parser will often reconstruct the obfuscated string before execution.
  • Encoding: Using URL encoding, Hex encoding, or Unicode variations to hide keywords.
  • Obfuscation: Inserting SQL comments inside keywords (e.g., SEL/**/ECT) to break WAF regex.
  • sqlmap --tamper: Utilizing built-in tamper scripts (e.g., space2comment.py) to automatically encode payloads on the fly.

Developer Remediation

  • Parameterized Queries (Prepared Statements) The absolute best defense against SQLi. It forces the database to treat input strictly as data, never as executable code, regardless of the characters it contains.
  • Strict Allow-listing: Validate all input against a strict whitelist of allowed characters or formats.
  • Avoid Shell Execution: Never use exec() or system() functions with user-supplied data. Use built-in language APIs instead.
OWASP API Top 10 & Cloud Pivot

Chapter 3:
Modern Battlegrounds

APIs expose business logic directly. Cloud environments rely on metadata. Exploiting the modern architecture.

3.1 Architectural Root Cause

Insecure Design (OWASP A06:2025) and API-specific flaws manifest when applications expose internal workflows directly via REST or GraphQL endpoints without traditional front-end safety nets. Furthermore, cloud architectures implicitly trust internal network boundaries, making Server-Side Request Forgery (SSRF) a critical pivot point.

Deep Dive: SSRF & Cloud Metadata

SSRF occurs when an application fetches a remote resource without validating the user-supplied URL. In a cloud environment (AWS, GCP, Azure), virtual machines have a special non-routable IP address (169.254.169.254) that hosts instance metadata. If an attacker can force the web application to make an HTTP request to this IP, they can extract temporary IAM credentials, completely bypassing the application layer.

3.2 The SSRF to Cloud Pivot Chain

AWS IAM Extraction via SSRF
sequenceDiagram actor Attacker participant App as Web Application (AWS EC2) participant Metadata as AWS IMDS (169.254.169.254) Attacker->>App: POST /fetch_image (url=http://169.254.169.254/.../s3-admin-role) Note over App: App fails to validate internal IP App->>Metadata: GET /latest/meta-data/iam/security-credentials/s3-admin-role Metadata-->>App: Returns JSON with AccessKeyId, SecretAccessKey, Token App-->>Attacker: Displays JSON as "Image Data" Note over Attacker: Attacker configures local AWS CLI with stolen creds

3.3 Manual Exploitation Workflow

API testing requires a methodical analysis of endpoints, parameters, and expected data types. It's about breaking business logic.

  1. 1
    Schema Extraction Attempt to find Swagger docs, OpenAPI specs, or use GraphQL Introspection (__schema) to map all endpoints.
  2. 2
    Parameter Fuzzing Look for parameters like url=, path=, or webhook= that might trigger outbound requests (SSRF).
  3. 3
    Logic Manipulation Attempt to call multi-step processes out of order, or batch hundreds of GraphQL queries in a single request to test rate limits.

Critical API Vectors

  • BOLA (API1:2023) The API equivalent of IDOR. Manipulating object IDs in REST paths.
  • Unrestricted Resource Sending deeply nested GraphQL queries to exhaust server memory (DoS).
  • SSRF (API7:2023) Forcing the server to make requests to internal networks.

3.4 Practical Application

Real-World Payloads

/graphql
Recon Payload 
{"{"} __schema {"{"} types {"{"} name fields {"{"} name {"}"} {"}"} {"}"} {"}"}

AWS IMDS Extraction

Using SSRF to hit AWS IMDSv1 to extract highly privileged IAM roles from the EC2 instance. This immediately escalates a web vulnerability into full Cloud Account Compromise.
?url=
Malicious Payload 
http://169.254.169.254/latest/meta-data/iam/security-credentials/
?url=
Malicious Payload 
dict://127.0.0.1:6379/info

Pentester Detection Methodology

  • Postman & Burp API Client: Directly interacting with REST endpoints based on discovered documentation.
  • InQL (Burp Extension): Essential for GraphQL security testing. Automatically issues introspection queries and generates all possible queries/mutations for testing.
  • Burp Collaborator: Used to confirm blind SSRF. Inject a Collaborator URL into an input; if a DNS/HTTP request is received by the Collaborator server, the SSRF is confirmed.

SSRF Filter Evasion

Developers often implement blacklists to block 169.254.169.254 or 127.0.0.1. Pentesters use alternative representations.

DNS Rebinding

Setting up a custom domain that initially resolves to a safe IP (passing the WAF check), but its TTL is 0. By the time the backend logic actually makes the HTTP request, the DNS lookup resolves to an internal IP like `127.0.0.1`.
  • Decimal Encoding: http://2852039166 (resolves to 169.254.169.254).
  • Octal Encoding: http://0251.0376.0251.0376.

Developer Remediation

  • SSRF Fix & IMDSv2 Implement a strict URL whitelist. Do not use blacklists. If fetching external resources is required, resolve the DNS name and verify the target IP is not within an internal subnet before establishing the connection. For AWS, enforce IMDSv2 (requires session tokens) and disable IMDSv1.
  • GraphQL Fix Disable Introspection in production. Implement strict query depth and complexity limits to prevent Denial of Service via recursive queries.
Methodology & Workflow

Chapter 4:
The Practical Pentest Flow

Mapping the OWASP Web Security Testing Guide (WSTG) directly to the Penetration Testing Execution Standard (PTES).

4.1 The Engagement Cycle

PTES Standard Execution Flow
flowchart LR A[Reconnaissance & Enumeration]:::card -->|Map Attack Surface| B(Threat Modeling & Vuln Analysis):::card B -->|Identify Weaknesses| C([Active Exploitation]):::danger C -->|Gain Foothold| D[Post-Exploitation & Pivoting]:::danger D -->|Assess Impact| E[Reporting & Translation]:::safe

Phase 1: Recon & Enumeration

Systematically mapping the external attack surface. (WSTG-INFO)

  • Passive OSINT & Fingerprinting

    Using theHarvester, Shodan, and Google Dorks. Analyzing HTTP headers (`Server`, `X-Powered-By`) with Wappalyzer.

  • Active Directory/File Fuzzing

    Discovering unlinked admin panels, `.git` folders, or `.env` files.

    Terminal
    Bash 
    ffuf -w wordlist.txt -u https://target.com/FUZZ -mc 200,401,403
  • Application Mapping

    Intercepting all traffic in Burp Suite, mapping all inputs, parameters, and API endpoints before sending a single payload.

Phase 2: Exploitation to Reporting

Manual execution of payloads and business risk translation.

The Penetration Tester's Core Value

Exploitation is only half the job. Translating complex technical vulnerabilities into clear, actionable business risks is what separates a script kiddie from a professional red team operator.
  • Manual Exploitation

    Using Burp Repeater to heavily tweak payloads. Testing complex IDORs, Blind SQLi, and multi-step Business Logic Flaws.

  • Post-Exploitation (Pivoting)

    If RCE or SSRF is achieved, pivot to internal networks. Query AWS metadata for IAM credentials or dump database hashes for offline cracking.

  • Reporting (Translation)

    A finding is useless if management doesn't understand its business impact.

    • Taxonomy: Map to OWASP Top 10.
    • Scoring: Calculate severity using CVSS v4.0.
    • SOC Context: Map to MITRE ATT&CK (e.g., T1190) to aid the defensive teams.

Subscribe to my newsletter

Receive my case study and the latest articles on my WhatsApp Channel.

New Cyber Alert