This cheat sheet is intended to run down the typical steps performed when conducting a web application penetration test. I will break these steps down into sub-tasks and describe the tools I recommend using at each level.

Many of the ideas presented in this sheet come from the fantastic teachings of Tim “lanmaster53” Tomes, who has kindly allowed me to share them with you here. If you or anyone you know is interested in web application penetration testing Training I highly recommend that you or your company consider Tim.

Please bear in mind that these steps are iterative so in a typical engagement you can expect to do them multiple times. This is particularly true if you manage to traverse different levels of access in an application (e.g. elevate from a regular user to an admin).

Finally, throughout this sheet, I will heavily discuss tools included in PortSwigger’s Burp Suite Professional which is a paid product intended for professional use. I apologize if this dissuades you, but at the price they offer the tool for I consider it a bargain.

/via JDow.io/