Web Pentesting Beginner Roadmap (2026): From Recon to Server-Side Attacks

Published: March 19, 2026 at 09:26 AM EDT
2 min read
Source: Dev.to

Web Pentesting Mindmap

After completing the Hacksmarter Web Pentesting course, I wanted to consolidate the methodology into a single source of truth. Whether you are preparing for a bug bounty or just securing your own apps, this is the mental framework you need.

1. Reconnaissance (The Foundation)

Pro‑Tip

  • Always check robots.txt and sitemap.xml before running heavy scans. You’d be surprised what developers “hide” in plain sight.

Fingerprinting

  • Use curl, Burp/Caido, or the Wappalyzer extension to identify the tech stack.

Directory Brute Forcing

  • Tools: dirsearch, dirb, or gobuster to find hidden endpoints.

Subdomains & Vhosts

  • Use FFUF (with custom scripts) and gobuster.

Business Logic Prep

  • Become a user! Map out the site functionalities. What can a standard user do vs. an admin?

OSINT

  • Google dorks, Shodan, and Nmap for port scanning.

2. Authentication Assessment

  • Credential Attacks: Test for weak passwords and credential stuffing.
  • MFA Bypass: Attempt to skip the 2FA step by manipulating the URL or response.
  • Password Resets: Look for predictable tokens or Host Header Injection in reset links.
  • OAuth: Check for misconfigured redirect URIs.

3. Session Management

  • Cookie Security: Ensure HttpOnly and Secure flags are set.
  • Session Fixation: Verify the session ID changes after login (it shouldn’t stay the same).
  • JWT (JSON Web Tokens): Test for weak secrets or the infamous alg: none vulnerability.
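As an added example that is not part of the original post: a stdlib-only HS256 verifier showing the weak pattern that honours the token's own alg header (which is what makes "alg: none" work) next to the hardened one that takes the algorithm from a server-side allowlist. The helper names, the demo secret and the claims are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token; included only so the example is self-contained."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt_naive(token: str, secret: bytes):
    """Weak pattern: the verifier trusts the alg in the unauthenticated header.
    A header of {"alg":"none"} therefore skips the signature check entirely
    and the claims are accepted as-is. Do not deploy this."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None

def verify_jwt(token: str, secret: bytes, allowed_algs=("HS256",)):
    """Hardened pattern: the accepted algorithm is fixed server-side, never read
    from the token. Anything not on the allowlist (including "none") is rejected
    before any signature work, and malformed tokens fail closed. This demo only
    implements HS256 math, so keep the allowlist to that value."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))
```

Real libraries expose the same control (an explicit `algorithms` list on decode); the point of the check is that the server, not the token, decides how the signature is verified.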

4. Authorization (The “Permission” Gap)

  • IDOR (Insecure Direct Object Reference): Change id=123 to id=124 to see someone else’s data.
  • Broken Access Control: Attempt to access /admin as a guest.
  • Mass Assignment: Try adding "is_admin": true to a profile‑update JSON payload.

5. Client‑Side Vulnerabilities

  • XSS: Reflected, stored, and DOM‑based attacks.
  • CSRF: Forcing users to perform actions without consent (e.g., changing an email).
  • Other Issues: Open redirects, CORS misconfigurations, HTML injection, and clickjacking.

6. Server‑Side Vulnerabilities

  • Injections: SQLi and NoSQLi.
  • SSRF: Forcing the server to make requests to internal metadata services (e.g., AWS/GCP).
  • File Uploads: Bypassing filters to upload a web shell (PHP/JSP).
  • Execution & Traversal: Path traversal, SSTI (template injection), and OS command injection.