# Web Application Assessment
Kill chain for web application security testing. Covers reconnaissance through exploitation with structured reporting.
## Full Config

```yaml
target:
  type: web-application
  host: 192.168.1.50
  label: target-env
  url: https://192.168.1.50

scope:
  networks:
    - 192.168.1.0/24
  exclude: []

engagement:
  purpose: |
    Web application security assessment.
    Identify injection points, authentication flaws, and access control issues.
  rules:
    - No denial of service
    - No data destruction
    - No credential stuffing against production accounts
    - Rate limit all automated requests
  operator: your-name

kill_chain:
  name: webapp-assessment
  stages:
    # Stage 1: Map the application
    - name: recon
      plugins:
        - recon
        - web-enum
      gate: any_pass

    # Stage 2: Identify attack surface
    - name: discovery
      plugins:
        - id: web-enum
          config:
            wordlist: /usr/share/wordlists/dirb/big.txt
            extensions: php,asp,aspx,jsp,html,js
            threads: 20
        - id: web-exploit
          config:
            mode: passive
            crawl_depth: 3
      gate: any_pass
      depends_on: recon

    # Stage 3: Test for vulnerabilities
    - name: exploitation
      plugins:
        - id: web-exploit
          config:
            mode: active
            tests:
              - sqli
              - xss
              - ssrf
              - lfi
              - rce
            rate_limit: 10
        - id: sqli
          config:
            technique: union,blind,time
      gate: any_pass
      depends_on: discovery

    # Stage 4: Test authentication
    - name: auth-testing
      plugins:
        - id: credential-access
          config:
            protocols:
              - http
            targets:
              - login_forms
        - id: web-exploit
          config:
            tests:
              - session-management
              - csrf
              - idor
      gate: always
      depends_on: discovery

model:
  provider: ollama
  model: blackrainbow
  host: http://localhost:11434
  temperature: 0.3

output:
  report: ./reports/
  capture: ./captures/
  format: markdown
```
## Stage Breakdown

### Stage 1: Recon

- `recon` -- network-level reconnaissance. Port scans to identify all web services (HTTP and HTTPS on standard and non-standard ports).
- `web-enum` -- web-specific enumeration. Technology fingerprinting, header analysis, robots.txt, sitemap parsing.

### Stage 2: Discovery

- `web-enum` (with config) -- directory and file brute-forcing with a larger wordlist. Discovers hidden endpoints, admin panels, backup files, configuration leaks.
- `web-exploit` (passive mode) -- spidering and passive analysis. Crawls the application to map endpoints, parameters, and input fields without sending attack payloads.

### Stage 3: Exploitation

- `web-exploit` (active mode) -- injection testing against discovered endpoints: SQL injection, cross-site scripting, server-side request forgery, local file inclusion, remote code execution. Rate-limited (`rate_limit: 10`) to avoid triggering WAF blocks.
- `sqli` -- dedicated SQL injection testing with multiple techniques (UNION-based, blind boolean, time-based).

### Stage 4: Auth Testing

- `credential-access` -- tests login forms for default credentials, weak passwords, and brute-force resistance.
- `web-exploit` (auth-specific) -- session management testing (fixation, prediction, expiration), CSRF protection validation, and IDOR checks.

The gate is `always` because authentication testing provides value even when no credentials are cracked.
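The config above encodes several invariants that only surface as runtime errors or, worse, as a rules-of-engagement breach: each `depends_on` must name an earlier stage, the target host must sit inside `scope.networks` and outside `scope.exclude`, and the engagement rule "Rate limit all automated requests" is only honoured if every non-passive `web-exploit` entry carries a `rate_limit`. The pre-flight lint below is an added example, not part of the `br` project or its config loader. It assumes the two gate values the page uses (`any_pass`, `always`) are the valid set and that a `web-exploit` entry without `mode: passive` sends automated requests; `page_config()` is a constructed Python mirror of the page's YAML so the script runs without PyYAML.

```python
"""Pre-flight lint for a br kill-chain config (added example, not br's own code).

Checks: every depends_on names an earlier stage, every gate is a value the
page's config uses, the target host sits inside scope.networks and outside
scope.exclude, and every web-exploit plugin that is not explicitly passive
carries a rate_limit (engagement rule: rate limit all automated requests).
page_config() is a constructed mirror of the page's YAML; the gate set and
the rate_limit rule are this example's assumptions, not br's documented ones.
"""
import ipaddress

KNOWN_GATES = {"any_pass", "always"}  # assumption: the gate values seen in the page's config


def page_config():
    """Return a fresh dict mirroring the page's YAML (constructed, trimmed to what lint() reads)."""
    return {
        "target": {"type": "web-application", "host": "192.168.1.50"},
        "scope": {"networks": ["192.168.1.0/24"], "exclude": []},
        "engagement": {"rules": ["Rate limit all automated requests"]},
        "kill_chain": {
            "name": "webapp-assessment",
            "stages": [
                {"name": "recon", "plugins": ["recon", "web-enum"], "gate": "any_pass"},
                {"name": "discovery", "gate": "any_pass", "depends_on": "recon",
                 "plugins": [
                     {"id": "web-enum", "config": {"threads": 20}},
                     {"id": "web-exploit", "config": {"mode": "passive", "crawl_depth": 3}},
                 ]},
                {"name": "exploitation", "gate": "any_pass", "depends_on": "discovery",
                 "plugins": [
                     {"id": "web-exploit", "config": {"mode": "active",
                                                      "tests": ["sqli", "xss", "ssrf", "lfi", "rce"],
                                                      "rate_limit": 10}},
                     {"id": "sqli", "config": {"technique": "union,blind,time"}},
                 ]},
                {"name": "auth-testing", "gate": "always", "depends_on": "discovery",
                 "plugins": [
                     {"id": "credential-access", "config": {"protocols": ["http"]}},
                     {"id": "web-exploit", "config": {"tests": ["session-management", "csrf", "idor"]}},
                 ]},
            ],
        },
    }


def _id_and_config(plugin):
    """Plugins appear either as a bare string ("recon") or as a mapping with id and config."""
    if isinstance(plugin, str):
        return plugin, {}
    return plugin["id"], plugin.get("config") or {}


def lint(config):
    """Return a list of human-readable problems; an empty list means the config passed."""
    problems = []

    # Scope: the single target host must be covered by scope.networks and not excluded.
    host = ipaddress.ip_address(config["target"]["host"])
    networks = [ipaddress.ip_network(n) for n in config["scope"].get("networks", [])]
    excluded = [ipaddress.ip_network(n) for n in config["scope"].get("exclude", [])]
    if not any(host in n for n in networks):
        problems.append(f"target host {host} is outside scope.networks")
    if any(host in n for n in excluded):
        problems.append(f"target host {host} is listed in scope.exclude")

    # Stage graph: names unique, gates known, depends_on points at an earlier stage.
    seen = set()
    for stage in config["kill_chain"]["stages"]:
        name = stage["name"]
        if name in seen:
            problems.append(f"duplicate stage name {name!r}")
        if stage.get("gate") not in KNOWN_GATES:
            problems.append(f"stage {name!r}: unrecognised gate {stage.get('gate')!r}")
        dep = stage.get("depends_on")
        if dep is not None and dep not in seen:
            problems.append(f"stage {name!r}: depends_on {dep!r} is not an earlier stage")

        # Engagement rule: any web-exploit entry that is not passive must be rate limited.
        for plugin in stage.get("plugins", []):
            pid, cfg = _id_and_config(plugin)
            if pid == "web-exploit" and cfg.get("mode") != "passive" and "rate_limit" not in cfg:
                problems.append(f"stage {name!r}: web-exploit has no rate_limit "
                                "(engagement rule: rate limit all automated requests)")
        seen.add(name)
    return problems


if __name__ == "__main__":
    for problem in lint(page_config()) or ["no problems found"]:
        print(problem)
```

Run it before `br run`. On the page's own config it reports one problem: the `web-exploit` entry in `auth-testing` has no `rate_limit`, which is exactly the gap the "Add rate limiting" customization closes.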
## Running It

```bash
br run --config webapp-assessment.yaml
```

Skip to exploitation (you already mapped the app):

```bash
br run --config webapp-assessment.yaml --start-stage exploitation
```

Preview the attack plan:

```bash
br run --config webapp-assessment.yaml --dry-run
```
## Expected Findings

Findings are tagged with MITRE ATT&CK technique IDs:

| ATT&CK Technique | Name |
|---|---|
| T1190 | Exploit Public-Facing Application |
| T1059 | Command and Scripting Interpreter |
| T1083 | File and Directory Discovery |
| T1110 | Brute Force |
| T1539 | Steal Web Session Cookie |
| T1071 | Application Layer Protocol |
## Customization

### API-only assessment

Switch `web-enum` to API-specific discovery driven by the API spec:

```yaml
- name: discovery
  plugins:
    - id: web-enum
      config:
        mode: api
        spec_url: https://192.168.1.50/api/docs
        wordlist: /usr/share/wordlists/api-endpoints.txt
  gate: any_pass
  depends_on: recon
```

### Add rate limiting

Control request rates to avoid triggering defenses:

```yaml
- id: web-exploit
  config:
    rate_limit: 5
    delay_between_tests: 2
```

### Focus on OWASP Top 10

Restrict testing to specific vulnerability categories:

```yaml
- id: web-exploit
  config:
    mode: active
    tests:
      - sqli
      - xss
      - ssrf
      - broken-auth
      - security-misconfig
```