A web application penetration test requires more than experience—it needs the precise use of the right tooling. At binsec GmbH, we combine established open-source utilities, commercial solutions, and our own in-house tools to assess the security of web applications end-to-end.
Information Gathering
dig
– DNS queries and initial target infrastructure analysis.- binsec.tools – our in-house utilities:
SubDomainFinder
– mapping external attack surface via subdomains.CertWatch
– certificate transparency and issuance monitoring.
nmap
– port and service discovery with version and script-based analysis.
Detection & Documentation
gowitness
andeyewitness
– automated screenshots and inventory of discovered hosts and endpoints.wappalyzer
and binsec.toolsWebCompScan
– detection of frameworks, libraries, and CMS components.
Web Application Testing
curl
– targeted requests and reproducible minimal test cases.- Burp Suite Professional – our primary testing platform with extensions like
Autorize
,Upload Scanner
, and customPython
scripts. ffuf
– fuzzing of paths, parameters, and hidden endpoints.nikto
– classic vulnerability scanner as a complementary check.
API Testing
- Postman and Bruno – structured collections and reproducible API workflows.
jwt_tool
– analysis and manipulation of JSON Web Tokens.sqlmap
andsstimap
– automated testing for SQL and SSTI injection vulnerabilities.
Cryptography & Transport
- binsec.tools
SSLCheck
(plus the standalone CLIsslcheck
) – in-depth TLS configuration review. - binsec.tools
HTTPHeaderCheck
– analysis of security-relevant HTTP headers.
Scripting & Automation
Python
– tailor-made scripts, proofs of concept, and automation for specific test cases.
Conclusion
A successful web application pentest does not rely on a single tool but on the coordinated combination of multiple approaches. This ensures realistic coverage of all relevant attack vectors—from infrastructure and APIs to application-specific logic.
Penetration Testing
FAQ
Our FAQ provides clear answers to common questions – straight from pentesting experts and completely ad-free.
Introduction to Pentesting
What is a penetration test? What types of penetration tests are there? What is the difference between a vulnerability scan and a penetration test? Read more.
Commissioning a Penetration Test
How often should a penetration test be conducted? What data protection regulations are necessary for a penetration test? Read more.
Career Goal: Penetration Tester
How to become a Penetration Tester? Should I Learn Kali Linux to Become a Penetration Tester? Read more.
Web Application Testing
Which Tools Does binsec GmbH Use in a Web Application Penetration Test? Read more.
Penetration Testing
Since 2013 we conduct professional penetration test, based on international industry standards and years of experience in penetration testing, red teaming and hacking.
As a company for professional penetration testing, we do some things differently than other pentest provider: As a penetration test firm, we do not sell vulnerability scans as pentest. We do also focus on business security risks. You are looking for a professionally conducted penetration tests? Get the binsec team for your Pentest. Read more about our pentest service.
Contact us