Vulnerability Assessment & Penetration Testing (VAPT) Made Simple: Tools, Commands & Pro Tips

Introduction

Vulnerability Assessment and Penetration Testing (VAPT) is an essential process to identify security weaknesses in web applications before attackers do. This guide covers all key stages, popular tools, example commands, and usage tips for conducting an effective VAPT engagement.


1. Information Gathering (Reconnaissance)

The first step is to gather as much information about the target as possible. This helps identify attack surfaces and entry points.

Tools:

  • nmap — Network scanning & port enumeration

  • whois — Domain registration and ownership details

  • amass / subfinder — Subdomain enumeration

  • curl / wget — HTTP header retrieval and web content fetching

Example Commands:

  • Scan all open ports and services:

    nmap -sV -p- target.com
    
  • Enumerate subdomains:

    amass enum -d target.com
    

    or

    subfinder -d target.com -silent
    
  • Retrieve domain info:

    whois target.com
    
  • Fetch HTTP headers:

    curl -I https://target.com
    

2. Vulnerability Scanning

Automated tools help quickly find known vulnerabilities and common misconfigurations.

Tools:

  • Nikto — Web server vulnerability scanner

  • WPScan — WordPress vulnerability scanner

  • OWASP ZAP — Dynamic web application scanner

  • SQLMap — Automated SQL Injection detection and exploitation

Example Commands:

  • Scan web server with Nikto:

    nikto -h https://target.com
    
  • Enumerate WordPress users, plugins, themes:

    wpscan --url https://target.com --enumerate u,p,t

    or, using the official Docker image with a WPScan API token for vulnerability data:

    docker run -it --rm wpscanteam/wpscan --url https://target.com --api-token YOUR_API_TOKEN_HERE --enumerate u,t,p --plugins-detection mixed --random-user-agent --disable-tls-checks

  • Test SQL injection on a parameter:

    sqlmap -u "https://target.com/page.php?id=1" --batch --level=3 --risk=2
    

3. Manual Testing & Exploitation

Manual testing validates automated findings and uncovers complex or business-logic vulnerabilities that automated scanners typically miss.

Tools:

  • Burp Suite — Proxy, Intruder, Repeater for request interception and manipulation

  • Postman — API testing

  • Browser Developer Tools — Inspect elements, test injection points

  • curl — Command-line HTTP requests

How to Use:

  • Intercept requests with Burp Suite to modify parameters and test XSS, LFI, SSRF, etc.

  • Use Repeater to send crafted payloads repeatedly.

  • Automate brute force or fuzzing with Intruder.

  • Example path traversal test with curl:

    curl "https://target.com/index.php?page=../../../../etc/passwd"
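To see why that request matters and what the fix looks like, here is an added Python example (not from the original post) that models the server side of index.php?page=...: a resolver that joins the page parameter onto the template directory unchecked, next to a hardened resolver that decodes, normalises, confines the result to the directory and checks an allowlist of page names. The directory /var/www/app/pages and the allowlist are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout of the tested application (not taken from the post): page
# templates live under PAGES_DIR and ?page=... picks one of them.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allowlist


def resolve_page_vulnerable(page):
    """The flawed pattern the curl test above probes: the decoded parameter is
    joined onto PAGES_DIR with no validation, so '..' segments (or an absolute
    path, which posixpath.join simply adopts) walk out of the directory."""
    return posixpath.normpath(posixpath.join(PAGES_DIR, unquote(page)))


def resolve_page_hardened(page):
    """Decode once, normalise, then require the result to stay inside
    PAGES_DIR and to name a known template. Raises ValueError otherwise."""
    decoded = unquote(page)
    if "\x00" in decoded:
        raise ValueError("NUL byte in page name")
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, decoded))
    # normpath has already collapsed '..', so a plain prefix check is sound;
    # the trailing '/' stops '/var/www/app/pages-other' from passing.
    if not candidate.startswith(PAGES_DIR + "/"):
        raise ValueError("page escapes template directory")
    name = posixpath.relpath(candidate, PAGES_DIR)
    if name not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    return candidate


def hardened_rejects(page):
    """True if the hardened resolver refuses the given raw parameter value."""
    try:
        resolve_page_hardened(page)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    payload = "../../../../etc/passwd"
    print("vulnerable resolves to:", resolve_page_vulnerable(payload))
    print("hardened rejects it:", hardened_rejects(payload))
    print("hardened accepts 'home':", resolve_page_hardened("home"))
```

The allowlist is the real fix; the prefix check is defence in depth for the case where the set of pages is not fixed. Note that the hardened version decodes exactly once before checking, so percent-encoded dots are handled, and it rejects NUL bytes rather than letting a lower layer truncate the path.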
    

4. Post Exploitation

Once access is obtained, analyze the environment for privilege escalation and persistence opportunities.

Tools:

  • netcat (nc) — Reverse shells

  • msfvenom — Payload generator (Metasploit)

  • Linux Exploit Suggester — Privilege escalation suggestions

Example:

  • Start a reverse shell listener:

    nc -lvnp 4444
    

5. Reporting

A clear, professional report ensures stakeholders understand findings and remediation steps.

Tools:

  • Dradis — Collaborative reporting framework

  • Serpico — Open-source report generator

  • Markdown / Word — Flexible documentation

Report Content Should Include:

  • Executive summary

  • Detailed vulnerability descriptions with proof of concepts

  • Risk ratings (CVSS scores)

  • Recommended fixes

  • Supporting evidence (screenshots, logs)


Summary Table

Stage                 | Tools                                      | Sample Commands / Usage
----------------------|--------------------------------------------|-----------------------------------------------------------------
Information Gathering | nmap, amass, subfinder, whois              | nmap -sV -p- target.com
Vulnerability Scan    | nikto, wpscan, sqlmap                      | nikto -h https://target.com
Manual Testing        | Burp Suite, curl, Postman                  | curl "https://target.com/index.php?page=../../../../etc/passwd"
Exploitation          | Burp Intruder, sqlmap                      | Burp Intruder for fuzzing, sqlmap for SQLi
Post Exploitation     | netcat, msfvenom, Linux Exploit Suggester  | nc -lvnp 4444
Reporting             | Dradis, Serpico, Markdown                  | Document findings, PoCs, remediation advice

Final Notes

  • Always obtain explicit written permission before starting any VAPT activity.

  • Respect scope and rules of engagement to avoid unintended damage.

  • Combine automated scans with thorough manual testing for best results.

  • Keep detailed notes and screenshots for reporting accuracy.

This structured approach will help you perform professional VAPT engagements, discover critical security gaps, and provide actionable remediation.




