🌐

Web Application Pentest

Test web applications for OWASP Top 10 and beyond using PhantomYerra's vulnerability scan engine, web application proxy, injection engine, and Claude AI orchestration.

Prerequisites

  • Valid authorization token from client
  • Target URL confirmed in scope list
  • Claude API key configured (Settings β†’ AI Configuration)
  • Environment type confirmed (avoid Live Production for aggressive scans)
  • Application credentials available (for authenticated testing)
  1. 1

    Select Web App Pentest from Home Screen

    Click the 🌐 Web App Pentest card. This launches the Mission Control Wizard pre-configured for web application testing.

    πŸ’‘ Keyboard shortcut: Ctrl+W opens Web Pentest wizard directly.
  2. 2

    Complete Mission Control Wizard

    Step 1: Environment → Test/Lab / Pre-Production / Production Step 2: Mode → Automated AI Step 3: Surfaces → Web Application (check API if applicable) Step 4: Target → https://target.com (+ subdomains if in scope) Step 5: Auth Token → Paste authorization text or upload document Step 6: App Creds → Username/password for authenticated scan Step 7: AI Interview→ Business logic questions (payment flows, roles, etc.) Step 8: Review → Confirm plan, select intensity, launch
  3. 3

    Review AI-Generated Test Plan

    Claude generates a custom plan based on your wizard answers. Review the list of planned tests. Remove tests you want to exclude. Add custom instructions. Click Launch Scan.

  4. 4

    Monitor Scan Dashboard

    Watch the Infrastructure Graph update in real time. Findings appear as they are confirmed. Critical findings trigger immediate toast notifications.

  5. 5

    Review Findings and Generate Report

    Click any finding for full PoC, evidence, and AI-generated remediation. Click Reports β†’ Generate β†’ Select type β†’ Download PDF.

What Claude Tests (Web Application)

OWASP Web Top 10 (2021) is the baseline, not the ceiling. Web Pentest exercises 14 vulnerability families spanning 120+ distinct classes via 25+ scanner modules including the cross-scanner correlator and adaptive payload engine.

OWASP Top 10 baseline
  • A01 Broken Access Control β€” IDOR, BOLA, BFLA, vertical/horizontal privilege escalation, path traversal, forced browsing, mass assignment
  • A02 Cryptographic Failures β€” weak TLS/cipher suites, cleartext secrets, exposed backups, weak hashing, padding oracle, ECB mode, IV reuse, hardcoded keys
  • A03 Injection β€” SQL, NoSQL (Mongo/Couch/Redis), LDAP, XPath, OS command, template (SSTI: Jinja/Twig/Velocity/Freemarker/ERB), header, log, CRLF, HTML, ORM
  • A04 Insecure Design β€” business logic flaws, rate-limiting bypass, workflow bypass, race conditions, TOCTOU, atomicity failures
  • A05 Security Misconfiguration β€” default creds, debug endpoints, verbose errors, CORS misconfig, security header gaps, clickjacking, MIME sniffing, directory listing
  • A06 Vulnerable Components β€” CVE matching on detected frameworks/libs/CMS plugins, end-of-life software, known-vulnerable component versions
  • A07 Auth Failures β€” weak passwords, password reset poisoning, session fixation, session hijack, MFA bypass, OAuth flow abuse, SAML signature wrapping
  • A08 Software Integrity Failures β€” missing SRI, unsigned updates, supply-chain (npm/pypi/maven typosquats), insecure deserialization (Java/Python/Ruby/Node/PHP/.NET)
  • A09 Logging Failures β€” missing audit logs, verbose error messages leaking PII/stack traces, log injection, log forging
  • A10 SSRF β€” internal network access, cloud metadata IMDS abuse (AWS/Azure/GCP), DNS rebinding, gopher/file/dict scheme abuse, blind SSRF
Beyond OWASP β€” additional vuln families tested
  • JWT & Token Attacks β€” alg=none, key confusion (HS↔RS), kid path traversal, JKU/JWK forgery, weak HMAC secret bruteforce, claim manipulation, expired token replay
  • HTTP Request Smuggling β€” CL.TE, TE.CL, TE.TE, HTTP/2 downgrade smuggling, h2c smuggling, ZIP-bomb smuggling
  • Prototype Pollution β€” client-side and server-side (Node.js, lodash gadgets, jQuery extend chains)
  • XSS β€” Reflected, Stored, DOM-based, mutation XSS, postMessage XSS, polyglot payloads, CSP bypass via JSONP/AngularJS sandbox/script gadgets, trusted-type bypass
  • XXE / XML attacks β€” entity expansion (billion laughs), out-of-band XXE, blind XXE via DTD, SOAP/SAML XXE, XSLT injection
  • CSRF / SameSite β€” classic CSRF, SameSite=Lax bypass, GET-based state changes, CSRF token leak, CSRF on JSON endpoints
  • WebSocket attacks β€” Cross-Site WebSocket Hijacking (CSWSH), message tampering, auth bypass on upgrade
  • Cache attacks β€” Web cache poisoning, cache deception, Vary header abuse, CDN edge confusion
  • OAuth / SAML / OIDC β€” open redirect in redirect_uri, state parameter omission, PKCE downgrade, SAML signature wrapping, XSW1–XSW8, audience confusion
  • File Upload β€” MIME confusion, polyglot files, magic-byte bypass, path traversal in filename, double-extension, null-byte injection, race-on-upload, archive extraction (zip slip)
  • API/Endpoint Discovery β€” directory bruteforce, JS source-map mining, Wayback Machine recall, robots.txt/sitemap.xml mining, .git/.svn/.env exposure, Swagger/OpenAPI leak
  • Race & Concurrency β€” single-packet attack, request bursting, atomicity bypass, double-spend, idempotency-key reuse
  • Subdomain takeover β€” dangling DNS (S3/GitHub Pages/Heroku/Azure/CloudFront/Fastly/Shopify/Tumblr/etc), wildcard cert misissuance
  • Open redirect chains β€” redirect-as-SSRF, OAuth-redirect-to-XSS, CRLF in Location header

Want the complete enumeration? See the Coverage Matrix for the full per-surface vuln-class list with scanner module names (264 modules across 30+ surface domains).

⏱️ Typical duration: 30–120 minutes depending on target size and intensity level.

Common Issues

Update scan templates first: go to Settings β†’ Tools β†’ Update Templates. Also check if a WAF is blocking requests - try setting a custom User-Agent header in the scan configuration. Run with the Info severity level enabled to confirm connectivity against the target.

Increase scan depth (level 1–5) and risk tolerance (1–3) in the injection engine settings for more thorough testing. Enable WAF tamper techniques if a WAF is present. For JSON request bodies, ensure the body content is passed correctly to the engine. Verify the target parameter actually reaches a database query in the application.

Install the PhantomYerra Web Proxy root CA certificate in your browser: go to Settings β†’ Proxy β†’ Export CA Certificate, then import it into your browser's trusted certificate store. For mobile apps, install the certificate on the device trust store. The proxy must be set as the system proxy (default: 127.0.0.1:8080).

Fixed in v44.32.54. The full end-to-end auth pipeline is now wired correctly. To set up authenticated scanning:

  1. In the scan wizard, reach the Auth Vault step
  2. Click + Add Credential Role and name it (e.g. "Admin", "Standard User")
  3. Choose your auth type: Bearer Token, API Key, Session Cookie, Basic Auth, TOTP, or SAML
  4. Fill in the required fields for that auth type
  5. Click Save & Continue

Your credentials are converted to HTTP headers and injected into the vulnerability scan engine, web application proxy authentication configuration, the web crawler, DAST orchestrator, and OpenAPI tester - automatically. You do not need to configure each component separately.

For session cookie auth: enter the cookie name (e.g. sessionid) and value. For OAuth/JWT: use Bearer Token and paste the token. For API gateways with custom headers: use API Key and set the header name (e.g. X-API-Key).

Related Topics

πŸ”Œ API Pentest ⚑ Automated AI Mode πŸ“Š Reports πŸ” DAST / SBOM
Β© Ravi Yerra. All Rights Reserved.
Full Disclosure

264 modules Β· 30+ surfaces Β· 14 vuln families Β· 120+ classes

The sections above describe what this surface tests. For the complete enumeration of every vulnerability class PhantomYerra covers across all surfaces β€” with scanner module names β€” see the Coverage Matrix.

View Full Coverage Matrix →