Web application penetration testing is the phase where we exploit the vulnerabilities that we have discovered during vulnerability assessment.

The success of penetration testing depends on how much information and vulnerabilities have been discovered so far. It may not be necessary that all the vulnerabilities that we have discovered can be exploited.

Web application exploitation is not dependent on what tools you use. It is an exercise of finding security issues in web applications. A web application is nothing but a software that runs on the web instead of locally on your operating system. It is meant to perform specific tasks and for specific users. The best way to exploit a web application is to understand what the application is about and what tasks it accomplishes and focus more on the logical working flow of the application. Web applications can be of different types and architectures; take, for example, dynamic web pages using PHP/Java/.NET and MySQL/MSSQL/Postgress or single page application using Web APIs. It would be far more comprehensive to test web applications when you understand the architecture of web applications, their underlying technology, and their purpose.

However, in this chapter, we have several tools available in Kali Linux that can be used for the exploitation of vulnerabilities found in web applications.