Web Application Pentest
Test web applications for OWASP Top 10 and beyond using ZAP, Nuclei, sqlmap, and Claude AI orchestration.
Prerequisites
- Valid authorization token from client
- Target URL confirmed in scope list
- Claude API key configured (Settings → AI Configuration)
- Environment type confirmed (avoid Live Production for aggressive scans)
- Application credentials available (for authenticated testing)
1. Select Web App Pentest from Home Screen
Click the Web App Pentest card. This launches the Mission Control Wizard pre-configured for web application testing.
Tip: the keyboard shortcut Ctrl+W opens the Web Pentest wizard directly.

2. Complete Mission Control Wizard
Step 1: Environment → Test/Lab / Pre-Production / Production
Step 2: Mode → Automated AI
Step 3: Surfaces → Web Application (check API if applicable)
Step 4: Target → https://target.com (+ subdomains if in scope)
Step 5: Auth Token → Paste authorization text or upload document
Step 6: App Creds → Username/password for authenticated scan
Step 7: AI Interview → Business logic questions (payment flows, roles, etc.)
Step 8: Review → Confirm plan, select intensity, launch

3. Review AI-Generated Test Plan
Claude generates a custom plan based on your wizard answers. Review the list of planned tests. Remove tests you want to exclude. Add custom instructions. Click Launch Scan.

4. Monitor Scan Dashboard
Watch the Infrastructure Graph update in real time. Findings appear as they are confirmed. Critical findings trigger immediate toast notifications.

5. Review Findings and Generate Report
Click any finding for full PoC, evidence, and AI-generated remediation. Click Reports → Generate → Select type → Download PDF.
What Claude Tests (Web Application)
- A1 Broken Access Control: IDOR, privilege escalation, path traversal
- A2 Cryptographic Failures: weak TLS, cleartext secrets, exposed backups
- A3 Injection: SQL, NoSQL, LDAP, OS command, template injection
- A4 Insecure Design: business logic flaws, rate limiting bypass
- A5 Security Misconfiguration: default creds, debug endpoints, CORS
- A6 Vulnerable Components: CVE matching on detected frameworks/libs
- A7 Auth Failures: weak passwords, session fixation, MFA bypass
- A8 Software Integrity Failures: subresource integrity, supply chain
- A9 Logging Failures: missing audit logs, verbose error messages
- A10 SSRF: internal network access via server-side request
Common Issues
Update Nuclei templates first: nuclei -update-templates. Also check whether a WAF is blocking requests; if so, add -H "User-Agent: Mozilla/5.0" or use the -random-agent flag. Try running with -severity info to confirm connectivity before looking for real findings.
Increase --level (1-5) and --risk (1-3) for more thorough testing. Add --tamper=space2comment,between if a WAF is present. For JSON bodies use --data with the JSON payload. Ensure the target parameter actually reaches a database query; sqlmap cannot confirm injection in a parameter the application never uses.
Install the ZAP root CA certificate in your browser: ZAP → Tools → Options → Dynamic SSL Certificates → Save → Import in browser. For mobile apps, install it in the device trust store. ZAP must be set as the system proxy (default: 127.0.0.1:8080).
Fixed in v44.32.54. The full end-to-end auth pipeline is now wired correctly. To set up authenticated scanning:
- In the scan wizard, reach the Auth Vault step
- Click + Add Credential Role and name it (e.g. "Admin", "Standard User")
- Choose your auth type: Bearer Token, API Key, Session Cookie, Basic Auth, TOTP, or SAML
- Fill in the required fields for that auth type
- Click Save & Continue
Your credentials are converted to HTTP headers and injected into Nuclei (-H flags), ZAP authentication configuration, the web crawler, DAST orchestrator, and OpenAPI tester automatically. You do not need to configure each tool separately.
For session cookie auth: enter the cookie name (e.g. sessionid) and value. For OAuth/JWT: use Bearer Token and paste the token. For API gateways with custom headers: use API Key and set the header name (e.g. X-API-Key).
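The mapping described above, from an Auth Vault credential role to the HTTP headers that get injected into Nuclei (-H flags) and the other tools, as an added example. This is not the product's own code (which is not shown on this page): the role dict layout, the X-OTP header name for TOTP codes, and the sample credential values are assumptions; the TOTP routine follows RFC 6238 and is checked against the RFC's own test secret. SAML is deliberately not handled, because it needs an IdP exchange rather than a static header. It also rejects CR/LF in any value, because these headers are spliced into raw requests downstream and a pasted credential should not be able to inject extra headers.

```python
# Added example (not the product's own code): how the credential roles
# described above can be turned into HTTP headers and Nuclei -H flags.
import base64
import hashlib
import hmac
import shlex
import struct
import time


def totp_code(base32_secret, at=None, digits=6, step=30):
    """RFC 6238 TOTP over HMAC-SHA1, so a TOTP role can be refreshed per request."""
    secret = base32_secret.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = int(time.time() if at is None else at) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _check_header_value(value):
    # Header values are spliced into raw requests by the downstream tools,
    # so a CR/LF here would let a pasted credential inject extra headers.
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain CR or LF")
    return value


def credential_headers(role, now=None):
    """Map one Auth Vault role (a dict; assumed shape) to the headers it produces."""
    kind = role["type"]
    if kind == "Bearer Token":
        headers = {"Authorization": f"Bearer {role['token']}"}
    elif kind == "API Key":
        headers = {role.get("header", "X-API-Key"): role["key"]}
    elif kind == "Session Cookie":
        headers = {"Cookie": f"{role['name']}={role['value']}"}
    elif kind == "Basic Auth":
        raw = f"{role['username']}:{role['password']}".encode()
        headers = {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    elif kind == "TOTP":
        # The header carrying the one-time code is application specific;
        # X-OTP is a placeholder default, not a standard.
        headers = {role.get("header", "X-OTP"): totp_code(role["secret"], at=now)}
    else:
        # SAML needs a browser-driven IdP exchange to obtain a session first;
        # it cannot be reduced to a static header here.
        raise ValueError(f"unsupported auth type: {kind}")
    return {name: _check_header_value(value) for name, value in headers.items()}


def nuclei_header_args(headers):
    """Render headers as the argv fragment Nuclei expects: -H 'Name: value' per header."""
    args = []
    for name, value in headers.items():
        args += ["-H", f"{name}: {value}"]
    return args


if __name__ == "__main__":
    # Constructed sample roles; the values are placeholders, not real credentials.
    roles = [
        {"type": "Bearer Token", "token": "eyJhbGciOi.example.token"},
        {"type": "Session Cookie", "name": "sessionid", "value": "abc123"},
        {"type": "API Key", "header": "X-API-Key", "key": "demo-key"},
        {"type": "TOTP", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    ]
    for role in roles:
        cmd = ["nuclei", "-u", "https://target.example"] + nuclei_header_args(credential_headers(role))
        print(role["type"], "->", shlex.join(cmd))
```

Running the block prints one Nuclei command line per role, quoted with shlex.join so a token containing spaces or shell metacharacters stays a single argument. The same header dict is what a ZAP or crawler integration would consume; only the rendering step differs per tool.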