A web application penetration test requires more than experience—it needs the precise use of the right tooling. At binsec GmbH, we combine established open-source utilities, commercial solutions, and our own in-house tools to assess the security of web applications end-to-end.
Information Gathering
dig
– DNS queries and initial target infrastructure analysis.- binsec.tools – our in-house utilities:
SubDomainFinder
– mapping external attack surface via subdomains.CertWatch
– certificate transparency and issuance monitoring.
nmap
– port and service discovery with version and script-based analysis.
Detection & Documentation
gowitness
andeyewitness
– automated screenshots and inventory of discovered hosts and endpoints.wappalyzer
and binsec.toolsWebCompScan
– detection of frameworks, libraries, and CMS components.
Web Application Testing
curl
– targeted requests and reproducible minimal test cases.- Burp Suite Professional – our primary testing platform with extensions like
Autorize
,Upload Scanner
, and customPython
scripts. ffuf
– fuzzing of paths, parameters, and hidden endpoints.nikto
– classic vulnerability scanner as a complementary check.
API Testing
- Postman and Bruno – structured collections and reproducible API workflows.
jwt_tool
– analysis and manipulation of JSON Web Tokens.sqlmap
andsstimap
– automated testing for SQL and SSTI injection vulnerabilities.
Cryptography & Transport
- binsec.tools
SSLCheck
(plus the standalone CLIsslcheck
) – in-depth TLS configuration review. - binsec.tools
HTTPHeaderCheck
– analysis of security-relevant HTTP headers.
Scripting & Automation
Python
– tailor-made scripts, proofs of concept, and automation for specific test cases.
Conclusion
A successful web application pentest does not rely on a single tool but on the coordinated combination of multiple approaches. This ensures realistic coverage of all relevant attack vectors—from infrastructure and APIs to application-specific logic.
Penetration Testing
FAQ
Our FAQ provides clear answers to common questions – straight from pentesting experts and completely ad-free.
What is a penetration test? What types of penetration tests are there? What is the difference between a vulnerability scan and a penetration test?
How often should a penetration test be conducted? What data protection regulations are necessary for a penetration test?
How to become a Penetration Tester? Should I Learn Kali Linux to Become a Penetration Tester?
Which Tools Does binsec GmbH Use in a Web Application Penetration Test?
Penetration Testing
Since 2013 we conduct professional penetration test, based on international industry standards and years of experience in penetration testing, red teaming and hacking.
As a company for professional penetration testing, we do some things differently than other pentest provider: As a penetration test firm, we do not sell vulnerability scans as pentest. We do also focus on business security risks. You are looking for a professionally conducted penetration tests? Get the binsec team for your Pentest. Read more about our pentest service.
Contact us