50 Web Penetration Testing Scenarios: A Complete Hands-On Guide to OWASP Top 10 Vulnerabilities + Video

By /

Listen to this Post

Featured Image

Introduction:

In today’s threat landscape, secure software development doesn’t end with code reviews or automated scanners. Regular web penetration testing remains one of the most effective ways to identify vulnerabilities before attackers do. The OWASP Top 10 provides a standardized catalog of the most critical security risks to web applications, and structured testing checklists significantly improve assessment quality and consistency. This practical guide presents 50 essential penetration testing scenarios covering the most common and critical web application security risks, with step-by-step instructions, verified commands, and real-world testing methodologies.

Learning Objectives:

  • Master systematic web penetration testing methodology based on OWASP Top 10 and WSTG frameworks
  • Execute hands-on vulnerability identification and exploitation across 10 critical security categories
  • Deploy industry-standard tools including SQLMap, Burp Suite, jwt_tool, and Autorize for comprehensive security assessments
  • Develop repeatable testing processes that improve application resilience throughout the SDLC

You Should Know:

  1. Broken Access Control & IDOR — The 1 Threat

Broken Access Control has replaced Injection as the most critical web application security risk, with 34 CWEs mapped to this category and over 318,000 occurrences in applications tested. Insecure Direct Object References (IDORs) occur when an application uses user-supplied input to access objects such as files, directories, or database records directly.

Step-by-Step IDOR Testing with Burp Suite:

  1. Identify Parameters: Log in as a low-privilege user and identify URL parameters containing object references (e.g., id=wiener, user_id=123)
  2. Forward to Burp Intruder: Send the request to Intruder and select Sniper attack
  3. Set Payload Positions: Highlight the parameter and click Add § to set as payload position
  4. Load Test Values: Add a list of usernames or object IDs to test
  5. Analyze Responses: Study responses for 200 OK status codes indicating unauthorized access

Automated IDOR Detection with Autorize Extension:

Install Autorize from Burp BApp Store. Log in as a high-privilege user and browse the application — Autorize silently replays each request with a victim’s token to identify authorization bypasses.

  1. SQL Injection & NoSQL Injection — The Classic Threat

Injection remains a persistent threat, falling to third place in the OWASP Top 10 but still representing 33 CWEs. SQL injection occurs when malicious data is sent to a database interpreter, performing unintended actions by manipulating execution logic.

SQLMap Commands for SQL Injection Testing:

 Basic target scan
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query"

Enumerate databases
sqlmap -u "http://target.com/page?id=1" --dbs

List tables in a specific database
sqlmap -u "http://target.com/page?id=1" -D database_name --tables

Dump table contents
sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump

Increase scan intensity (level 1-5) and risk (1-3)
sqlmap -u "http://target.com/page?id=1" --level 3 --risk 2

SQLMap automatically tests parameters by injecting payloads like `id=1 AND 1=1` and can detect Boolean-based, UNION-based, error-based, and time-based blind injection types.

3. Cross-Site Scripting (XSS) — Client-Side Code Execution

Cross-Site Scripting has merged into the Injection category in OWASP Top 10 2021. XSS allows attackers to inject malicious scripts into web pages viewed by other users.

XSS Testing Methodology:

  1. Recon & Target Mapping: Inventory all inputs — forms, search fields, URL parameters, headers, and cookies

2. Basic XSS Test (Baseline):

<SCRIPT SRC=https://cdn.jsdelivr.net/gh/Moksh45/host-xss.rocks/index.js></SCRIPT>

3. Polyglot XSS Payload (executes in HTML, script strings, JavaScript, and URLs):

javascript:/--></title></style></textarea></script></xmp><svg/onload='+/"`/+/onmouseover=1/+/[/[]/+alert(42);//'

4. Event Handler Testing:

<a onmouseover="alert(document.cookie)">xss link</a>

5. Manual Testing with Burp Repeater: Manipulate HTTP requests directly to test whether reflected input is adequately sanitized

4. JWT Security & Authentication Issues

JWTs are cryptographically signed JSON tokens frequently used for authentication on REST APIs. They are a common source of vulnerabilities in implementation and underlying libraries.

JWT Security Testing with jwt_tool:

 Decode and analyze JWT
python3 jwt_tool.py <JWT_TOKEN>

Test "None" algorithm bypass
python3 jwt_tool.py <JWT_TOKEN> -X a

Test algorithm confusion (RS256 to HS256)
python3 jwt_tool.py <JWT_TOKEN> -X k -pk <public_key.pem>

Test Key ID (kid) parameter injection
python3 jwt_tool.py <JWT_TOKEN> -X i

Crack weak secret with wordlist
python3 jwt_tool.py <JWT_TOKEN> -C -d /path/to/wordlist.txt

Critical JWT Test Objectives:

  • Determine whether JWTs expose sensitive information in the payload
  • Test signature validation bypass (the most serious vulnerability occurs when applications fail to validate signatures)
  • Verify tokens are always sent over encrypted HTTPS connections
  • Test for `alg:none` and algorithm confusion attacks

5. SSRF — Server-Side Request Forgery

SSRF allows attackers to induce the server-side application to make requests to unintended locations, potentially communicating with back-end systems not normally publicly accessible.

SSRF Testing with Burp Suite:

  1. Identify Attack Vector: Find parameters containing full or partial URLs
  2. Send to Intruder: Forward the request to Burp Intruder
  3. Add Payload Position: For internal IP enumeration, add payload to IP octet: `192.168.0.§0§:8080`
    4. Configure Payloads: Set Payload type to Numbers, From 1, To 255, Step 1
  4. Analyze Results: Look for payloads returning different status codes or response lengths

SSRF Payload Examples:

  • Internal IP addresses: 127.0.0.1, `169.254.169.254` (AWS metadata), `192.168.0.1`
    – Cloud metadata endpoints: AWS, GCP, Azure metadata services
  • Protocol abuse: gopher://, dict://, `ldap://`

6. Security Misconfigurations

Security Misconfiguration is the most common Top 10 risk, often caused by exposed administrative functionality, default accounts, or insecure cloud storage. In cloud environments, the dominant vector becomes misconfiguration plus identity — an exposed bucket, excessive role permissions, or a leaked token can lead to total account compromise.

Configuration Testing Checklist:

  • Verify default credentials and default administrative interfaces are disabled
  • Test cloud storage permissions (AWS S3 buckets, Azure Blob Storage)
  • Review IAM role configurations for excessive permissions
  • Check for exposed administrative functionality and debug endpoints
  • Validate TLS/SSL configuration (HTTP3 with properly configured TLSv1.3 reduces misconfigurations)

7. Business Logic Flaws

Business logic flaws require security professionals to think differently, developing abuse and misuse cases and using testing techniques embraced by functional testers. Automated tools often fail to identify logic errors.

Business Logic Testing Approach:

  1. Model Intended State Transitions: Map out normal application workflows before adversarial testing
  2. Identify Assumptions: Look for sequencing, concurrency, and cross-system coordination assumptions
  3. Test Workflow Bypasses: Attempt to skip steps, repeat actions, or manipulate state
  4. Test Financial Logic: Verify discount abuse, price manipulation, and transaction integrity
  5. Test Race Conditions: Submit concurrent requests to exploit timing vulnerabilities

8. Insecure Deserialization

Insecure deserialization occurs when applications deserialize data from untrusted sources without proper validation. Look for serialized data in HTTP requests, cookies, and parameters.

Deserialization Testing:

  • Identify serialized data patterns (Java serialized objects, PHP serialized strings, JSON with type information)
  • Use DNS resolution for safe detection (URLDNS-style payloads)
  • Test for polymorphic deserialization that allows arbitrary class instantiation

9. Logging & Monitoring Weaknesses

Without logging and monitoring, attacks and breaches cannot be detected. Logging and monitoring can be challenging to test, often involving interviews or asking if attacks were detected during a penetration test.

Logging & Monitoring Testing:

  • Verify auditable events (logins, failed logins, high-value transactions) are logged
  • Check that logs are monitored for suspicious activity
  • Test for CRLF injection in logs that could create fake log entries
  • Verify log data is correctly encoded to prevent injection attacks

10. Sensitive Data Exposure & Cryptographic Failures

Cryptographic Failures (formerly Sensitive Data Exposure) can lead to compromise of sensitive information including credit card numbers, passwords, health records, and business secrets.

Cryptographic Testing:

  • Verify sensitive data is encrypted at rest and in transit
  • Check for weak TLS configurations and deprecated protocols
  • Test that export functions don’t automatically decrypt sensitive data
  • Review JWT payloads for sensitive information exposure

What Undercode Say:

  • Broken Access Control remains the most underestimated vulnerability — 3.81% of applications tested had one or more CWEs in this category, with over 318,000 occurrences. Organizations continue to assume authentication equals authorization, but IDOR and privilege escalation vulnerabilities persist because developers forget that knowing who a user is doesn’t mean knowing what they should access.

  • Security testing must be continuous, not one-time — automated scanners alone cannot catch logic flaws, misconfigurations, or business logic vulnerabilities. A structured, repeatable process combining manual testing with automated tools provides the most comprehensive coverage. Organizations should integrate OWASP penetration testing into CI/CD pipelines for continuous coverage. The OWASP Testing Guide (v5) provides the framework for this systematic approach across reconnaissance, configuration review, authentication testing, input validation, and business logic testing.

Prediction:

  • +1 The OWASP Top 10 2025 release consolidates SSRF into Broken Access Control and introduces new categories for Software Supply Chain Failures. This reflects the industry’s growing recognition that access control failures and supply chain risks are the most critical threats to modern applications.

  • +1 OWASP ASVS 5.0 (released May 2025) modernizes the application security verification framework to address today’s security challenges. Organizations adopting ASVS requirements as a baseline for security test cases will achieve more structured, measurable, and scalable security verification.

  • -1 Cloud misconfigurations continue to expose organizations to total account compromise. Researchers discovered nearly 1,000 cloud environments vulnerable to exploitation due to misconfigurations exposing security testing applications to the internet. Without continuous cloud security testing, these exposures will persist.

  • +1 The OWASP API Security Testing Framework (ASTF) is under development with Phase 1 (Q2 2025) focusing on core framework development and basic test cases for top 5 API vulnerabilities. This specialized framework will address the growing API security challenge as APIs increasingly expose endpoints with object identifiers, creating a wide attack surface.

  • -1 Business logic flaws remain difficult to detect with automated tools. As applications grow increasingly complex, security testing must evolve to match the sophistication of potential attacks. Organizations must invest in manual penetration testing and creative thinking to identify logic errors that automated scanners miss.

▶️ Related Video (80% Match):

https://www.youtube.com/watch?v=7ZDPKqR2mwk

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Yildiz Yasemin – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: