FAQ
Web Application Testing

A web application penetration test requires more than experience—it needs the precise use of the right tooling. At binsec GmbH, we combine established open-source utilities, commercial solutions, and our own in-house tools to assess the security of web applications end-to-end.

Information Gathering

  • dig – DNS queries and initial target infrastructure analysis.
  • binsec.tools – our in-house utilities:
    • SubDomainFinder – mapping external attack surface via subdomains.
    • CertWatch – certificate transparency and issuance monitoring.
  • nmap – port and service discovery with version and script-based analysis.

Detection & Documentation

  • gowitness and eyewitness – automated screenshots and inventory of discovered hosts and endpoints.
  • wappalyzer and binsec.tools WebCompScan – detection of frameworks, libraries, and CMS components.

Web Application Testing

  • curl – targeted requests and reproducible minimal test cases.
  • Burp Suite Professional – our primary testing platform with extensions like Autorize, Upload Scanner, and custom Python scripts.
  • ffuf – fuzzing of paths, parameters, and hidden endpoints.
  • nikto – classic vulnerability scanner as a complementary check.

API Testing

  • Postman and Bruno – structured collections and reproducible API workflows.
  • jwt_tool – analysis and manipulation of JSON Web Tokens.
  • sqlmap and sstimap – automated testing for SQL and SSTI injection vulnerabilities.

Cryptography & Transport

  • binsec.tools SSLCheck (plus the standalone CLI sslcheck) – in-depth TLS configuration review.
  • binsec.tools HTTPHeaderCheck – analysis of security-relevant HTTP headers.

Scripting & Automation

  • Python – tailor-made scripts, proofs of concept, and automation for specific test cases.

Conclusion

A successful web application pentest does not rely on a single tool but on the coordinated combination of multiple approaches. This ensures realistic coverage of all relevant attack vectors—from infrastructure and APIs to application-specific logic.

Penetration Testing
FAQ

Our FAQ provides clear answers to common questions – straight from pentesting experts and completely ad-free.

binsec FAQ logo

Introduction to Pentesting

What is a penetration test? What types of penetration tests are there? What is the difference between a vulnerability scan and a penetration test? Read more.

Commissioning a Penetration Test

How often should a penetration test be conducted? What data protection regulations are necessary for a penetration test? Read more.

Career Goal: Penetration Tester

How to become a Penetration Tester? Should I Learn Kali Linux to Become a Penetration Tester? Read more.

Web Application Testing

Which Tools Does binsec GmbH Use in a Web Application Penetration Test? Read more.

Penetration Testing

Since 2013 we conduct professional penetration test, based on international industry standards and years of experience in penetration testing, red teaming and hacking.

As a company for professional penetration testing, we do some things differently than other pentest provider: As a penetration test firm, we do not sell vulnerability scans as pentest. We do also focus on business security risks. You are looking for a professionally conducted penetration tests? Get the binsec team for your Pentest. Read more about our pentest service.

Contact us

Pentest Knowledge and Tools

Free pentest tools for your security analysis.

Pentest Tools

Take a look at our wiki page about pentesting.

Pentest WIKI

Straight answers to common pentesting questions.

Pentest FAQ

News about pentesting and the binsec universe.

Pentest News

Company

binsec GmbH
Solmsstraße 41
60486 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorised Officer: Florian Zavatzki, Dominik Sauer
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808

© 2025 All rights reserved by binsec GmbH.

© 2025 All rights reserved by binsec GmbH.