
April 18, 2025

How to Find Vulnerabilities in Web Applications

Web applications are a frequent target for cyberattacks due to their extensive use and potential security weaknesses. Detecting vulnerabilities is essential for developers, security researchers, and ethical hackers to safeguard systems from exploitation.

In this guide, we’ll delve into common web application vulnerabilities, effective tools for identifying them, and practical examples to enhance security measures.

Web Application Vulnerabilities

Before diving into detection methods, let’s review the most common vulnerabilities:

1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Broken Authentication & Session Management
5. Security Misconfigurations
6. Insecure Direct Object References (IDOR)
7. Server-Side Request Forgery (SSRF)
8. XML External Entity (XXE) Injection
9. File Upload Vulnerabilities
10. API Security Issues

Step-by-Step Guide to Finding Vulnerabilities

1. Reconnaissance & Information Gathering

Before testing, gather as much information as possible:

  • Subdomain Enumeration: Use tools like Sublist3r or Amass to find hosts the main site does not link to; forgotten subdomains are often the weakest.
  • Port Scanning: Nmap identifies open ports and the service versions behind them.
  • Web Technologies: Wappalyzer or BuiltWith detect frameworks and servers (e.g., WordPress, Django, nginx) from response headers and page markup, which tells you which known issues and default paths to test for.

Example:
nmap -sV target.com
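The technology-detection step above can be done by hand from a single captured response. The following is an added example, not code from the original post and not Wappalyzer's or BuiltWith's real rule set: SIGNATURES is a small hand-written table, and SAMPLE_RESPONSE is a constructed response rather than one captured from any host.

```python
"""Fingerprint a web stack from a captured HTTP response (recon step 3).

Added example, not from the original post and not Wappalyzer's rule set:
SIGNATURES is a small hand-written table and SAMPLE_RESPONSE is constructed.
"""
import re

# (technology, which part of the response to search, pattern)
SIGNATURES = [
    ("WordPress", "body", re.compile(r"/wp-(?:content|includes)/")),
    ("WordPress", "body", re.compile(r'<meta name="generator" content="WordPress')),
    ("Django", "body", re.compile(r'name="csrfmiddlewaretoken"')),
    ("PHP", "header", re.compile(r"^X-Powered-By:\s*PHP", re.I | re.M)),
    ("ASP.NET", "header", re.compile(r"^X-AspNet-Version:", re.I | re.M)),
    ("nginx", "header", re.compile(r"^Server:\s*nginx", re.I | re.M)),
    ("Apache", "header", re.compile(r"^Server:\s*Apache", re.I | re.M)),
]

# Product/version pairs that leak through headers, e.g. "Server: nginx/1.24.0"
VERSION_HEADERS = re.compile(
    r"^(?:Server|X-Powered-By):\s*([A-Za-z.-]+)/([0-9][0-9A-Za-z.]*)", re.I | re.M)


def split_response(raw: str):
    """Split raw response text into the header block and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def fingerprint(raw: str) -> set:
    """Return the set of technologies whose signature matches the response."""
    head, body = split_response(raw)
    found = set()
    for tech, where, pattern in SIGNATURES:
        if pattern.search(head if where == "header" else body):
            found.add(tech)
    return found


def leaked_versions(raw: str) -> dict:
    """Return {product: version} for every versioned Server/X-Powered-By header.
    A leaked version is what you feed into a CVE search next."""
    head, _ = split_response(raw)
    return {m.group(1): m.group(2) for m in VERSION_HEADERS.finditer(head)}


# Constructed response for the demo; not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "X-Powered-By: PHP/8.2.1\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>"
    '<link rel="stylesheet" href="/wp-content/themes/twentytwentyfour/style.css">'
    "</head><body>Hello</body></html>"
)

if __name__ == "__main__":
    print("technologies:", sorted(fingerprint(SAMPLE_RESPONSE)))
    print("versions:", leaked_versions(SAMPLE_RESPONSE))
```

Point it at `curl -si https://target/` output and extend SIGNATURES as you learn a target's markers; the header block is searched separately from the body so a `Server:` string inside page text does not produce a false match.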

2. Manual Testing for Common Vulnerabilities

A. SQL Injection (SQLi)
SQL Injection (SQLi) lets an attacker alter the query an application sends to its database by supplying input that is concatenated into the SQL string. Manual testing means feeding each input (form fields, URL parameters, headers, cookies) values that would change the query's meaning and watching for a change in the response.

Testing:
  1. Input Manipulation – Enter ' OR '1'='1' -- in a login or search field and check whether it bypasses authentication or returns every record.

  2. Error-Based Testing – Submit a lone single quote (') and look for a database error in the response; the message often names the engine and confirms that the input reaches the SQL parser.

  3. Union-Based Testing – Append UNION SELECT NULL,NULL,... with an increasing number of NULLs until the error disappears; the query that succeeds tells you the column count, and those columns can then carry data from other tables.

  4. Boolean-Based Testing – Send AND 1=1 and AND 1=2 on otherwise identical requests; if the two responses differ, the database is evaluating your condition.

  5. Time-Based Testing – Inject SLEEP(5) (MySQL), WAITFOR DELAY '00:00:05' (SQL Server) or pg_sleep(5) (PostgreSQL) and check whether the response is delayed by that amount; this works even when the page shows no output or error.

Example:
sqlmap -u "http://target.com/login?user=admin&pass=test" --dbs


B. Cross-Site Scripting (XSS)
Web applications often handle user input, but if not properly secured, they can be vulnerable to Cross-Site Scripting (XSS) attacks. XSS allows attackers to inject malicious scripts into web pages, which then execute in unsuspecting users' browsers—leading to stolen data, session hijacking, or unauthorized actions.

Types:
Stored XSS – The payload is saved server-side (comment, profile field, message) and served to every user who views the page.

Reflected XSS – The payload arrives in a URL or form input and is echoed straight back in the response; the victim must be made to send the crafted request.

DOM-Based XSS – Client-side JavaScript reads attacker-controlled data (location.hash, a query parameter) and writes it into the page through sinks such as innerHTML; the server never sees the payload.

Testing:
  • Inject `<script>alert(1)</script>` in input fields and URL parameters and check whether it comes back unencoded.
  • Where < and > are encoded, test the context the input lands in (attribute value, JavaScript string) with the matching quote character.
  • Use Burp Suite or XSS Hunter (the latter for blind and stored cases that fire in another user's browser).
Example:
http://target.com/search?q=<script>alert('XSS')</script>
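The reflected case above, as an added example that is not code from the original post: render_search() is a constructed stand-in for a /search?q= handler, render_search_safe() is its fixed form, and reflection_probe() does what a tester does before firing a payload, namely send a harmless canary with each metacharacter and see which ones survive unencoded. The DOM-based variant is not covered because it needs a browser to execute the page's JavaScript.

```python
"""Reflected XSS: a vulnerable search page, its fixed version, and the
reflection probe a tester runs before firing a payload.

Added example, not from the original post. render_search() is a constructed
stand-in for a /search?q=... handler; no real site is involved.
"""
import html
import secrets


def render_search(q: str) -> str:
    """VULNERABLE: the query lands in the page body and in an attribute unescaped."""
    return f'<h1>Results for: {q}</h1><input name="q" value="{q}">'


def render_search_safe(q: str) -> str:
    """Fixed: HTML-escape for both contexts (quote=True also encodes both quote characters)."""
    safe = html.escape(q, quote=True)
    return f'<h1>Results for: {safe}</h1><input name="q" value="{safe}">'


def reflection_probe(render, canary=None) -> set:
    """Send a harmless unique canary wrapped around each metacharacter and
    report which characters come back verbatim. An empty set means the page
    encodes everything we tried, so a <script> payload cannot work here."""
    canary = canary or "xss" + secrets.token_hex(3)
    raw = set()
    for ch in '<>"\'':
        marker = f"{canary}{ch}{canary}"
        if marker in render(marker):
            raw.add(ch)
    return raw


def confirm_xss(render, payload="<script>alert('XSS')</script>") -> bool:
    """The post's payload is reflected unmodified, so a browser would run it."""
    return payload in render(payload)


def attribute_breakout(render) -> bool:
    """Even with < and > blocked, a raw double quote lets the input close the
    value attribute and add an event handler; this is why the probe tracks quotes."""
    payload = '" autofocus onfocus="alert(1)'
    return payload in render(payload)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_search), ("fixed", render_search_safe)):
        print(name, "raw chars:", sorted(reflection_probe(fn)),
              "| script works:", confirm_xss(fn),
              "| attribute breakout:", attribute_breakout(fn))
```

Against a live target, replace `render` with a function that sends the request and returns the response body; the probe then tells you which payload family (tag injection, attribute breakout, string escape) is worth trying instead of spraying `<script>` everywhere.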


C. CSRF (Cross-Site Request Forgery)

Description: Tricks a logged-in user's browser into sending a state-changing request (password change, transfer, settings update) that the user did not intend; the browser attaches the session cookie automatically, so the server cannot tell the forged request from a real one unless it checks something the attacker cannot supply.

Testing:

  • Craft a fake form and check if the action executes without CSRF tokens.
  • Use Burp Suite’s CSRF PoC generator.

Example:

<!-- Hosted on the attacker's page; the victim's browser attaches its target.com session cookie -->
<form action="http://target.com/change-password" method="POST">
  <input type="hidden" name="new_password" value="hacked123">
</form>
<script>document.forms[0].submit();</script>
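What the server must do to stop the form above, and how a tester verifies it, as an added example that is not code from the original post: change_password() is a constructed handler for the POST /change-password endpoint, sessions are an in-memory dict, and SITE_ORIGIN is an assumed value. The protected variant checks both the request origin and a per-session token; the unprotected variant trusts the cookie alone, which is the bug the PoC exploits.

```python
"""Cross-Site Request Forgery: a protected change-password handler, the
vulnerable variant, and the check a tester performs with the PoC form above.

Added example, not from the original post. change_password() is a constructed
handler for POST /change-password; sessions are an in-memory dict and
SITE_ORIGIN is an assumed value.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://target.com"   # assumed: the application's own origin


def new_session() -> dict:
    """On login the server mints a random token and binds it to the session;
    the page embeds it in every state-changing form as a hidden field."""
    return {"user": "alice", "password": "old-pass", "csrf": secrets.token_urlsafe(32)}


def request_origin(headers: dict):
    """scheme://host[:port] from Origin, else from Referer, else None."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None


def change_password(session: dict, form: dict, headers: dict, protected=True) -> int:
    """Returns an HTTP status code. With protected=False it behaves like the
    endpoint the PoC exploits: the session cookie alone authorizes the change."""
    if protected:
        if request_origin(headers) != SITE_ORIGIN:
            return 403                      # cross-site (or origin-less) request
        token = form.get("csrf", "")
        if not hmac.compare_digest(token, session["csrf"]):
            return 403                      # missing or wrong token
    new = form.get("new_password", "")
    if not new:
        return 400
    session["password"] = new
    return 204


# ---- tester side ----------------------------------------------------------

def forged_request():
    """What the auto-submitting form in the PoC sends from the attacker's page:
    the victim's cookie rides along, but no token and a foreign Origin."""
    return {"new_password": "hacked123"}, {"Origin": "https://attacker.example"}


def csrf_succeeds(protected: bool) -> bool:
    """True if the forged request changed the victim's password."""
    session = new_session()
    form, headers = forged_request()
    change_password(session, form, headers, protected=protected)
    return session["password"] == "hacked123"


def legitimate_change(protected: bool = True) -> int:
    """Same-origin form carrying the session's token: must still work."""
    session = new_session()
    form = {"new_password": "new-pass", "csrf": session["csrf"]}
    return change_password(session, form, {"Origin": SITE_ORIGIN}, protected=protected)


if __name__ == "__main__":
    print("vulnerable endpoint, forged request changed password:", csrf_succeeds(False))
    print("protected endpoint, forged request changed password:", csrf_succeeds(True))
    print("protected endpoint, legitimate request status:", legitimate_change())
```

One caveat when running the PoC against a real target: Chromium-based browsers default cookies without a SameSite attribute to Lax, which withholds the cookie on a cross-site POST, so the form can fail even against an endpoint with no token check. Inspect the Set-Cookie attributes and retest in another browser before concluding the endpoint is safe; a missing token is still a finding, because SameSite defaults are not the application's own control.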

3. Automated Scanning Tools

Manual testing is effective, but automation speeds up the process:

  • Burp Suite (Pro for active scanning)
  • OWASP ZAP (Free alternative to Burp)
  • Nikto (Web server scanner)
  • Nessus (Vulnerability assessment)

Example with OWASP ZAP:
1. Launch ZAP, point your browser at its proxy and browse the application while logged in, so the scanner sees authenticated pages.
2. Spider the target site to map the remaining URLs.
3. Run an active scan and review the alerts by hand; automated findings need manual confirmation before they count.

4. API Security Testing

APIs are often vulnerable to:
  • Broken Object Level Authorization (BOLA)
  • Excessive Data Exposure
  • Injection Attacks
Tools:
  • Postman (Manual API testing)
  • OWASP API Security Testing Guide
  • Kiterunner (API endpoint brute-forcing)

Example:
kr scan http://api.target.com -w routes.kite
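The BOLA item in the list above is the one automated scanners miss, because a leaked object looks like a normal 200 response. The following is an added example, not code from the original post: get_order() is a hand-written stand-in for GET /orders/{id} backed by an in-memory dict, TOKENS are constructed bearer tokens, and find_bola() is the two-account test a pentester runs, namely create objects as one user and fetch them with another user's token.

```python
"""Broken Object Level Authorization (BOLA) in a toy orders API and the
two-account test that finds it.

Added example, not from the original post. TOKENS and ORDERS are constructed
in-memory data; get_order() is a hand-written stand-in for GET /orders/{id}.
"""
from functools import partial

TOKENS = {"tok_alice": "alice", "tok_bob": "bob"}        # constructed bearer tokens
ORDERS = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 9},
    103: {"owner": "alice", "total": 75},
}


def get_order(token: str, order_id: int, enforce_owner: bool = False):
    """GET /orders/{id} -> (status, body). Authenticates the token but, unless
    enforce_owner is set, never checks that the caller owns the object."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if enforce_owner and order["owner"] != user:
        return 404, None        # 404 rather than 403 so valid ids cannot be confirmed
    return 200, order


# The fixed endpoint: same handler with the ownership check switched on.
fixed_get_order = partial(get_order, enforce_owner=True)


def find_bola(api, victim_ids, attacker_token):
    """Two-account test: victim_ids are objects the tester created in account A;
    each is requested with account B's token. Any 200 is a BOLA finding."""
    return [oid for oid in victim_ids if api(attacker_token, oid)[0] == 200]


def enumerate_ids(api, token, id_range):
    """Sequential ids make the attack cheap: list everything one token can read."""
    return [oid for oid in id_range if api(token, oid)[0] == 200]


ALICE_IDS = [101, 103]          # created by the tester while logged in as alice

if __name__ == "__main__":
    print("vulnerable, alice's orders readable as bob:", find_bola(get_order, ALICE_IDS, "tok_bob"))
    print("fixed, alice's orders readable as bob:     ", find_bola(fixed_get_order, ALICE_IDS, "tok_bob"))
    print("vulnerable, bob enumerates ids 100-110:", enumerate_ids(get_order, "tok_bob", range(100, 111)))
```

In Postman the same test is two collections run with two environment files (one token each) against the same ids; the script form scales to thousands of ids, which is where sequential identifiers turn a single BOLA into a full data dump.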

5. File Upload Vulnerabilities

Testing

Upload a `.php` file containing a harmless marker and request it back; if the server executes it instead of returning the source, uploads are exploitable.
Bypass extension filters with double extensions (`test.jpg.php`), case changes (`shell.pHP`), alternative executable extensions (`.phtml`) and a forged Content-Type or image magic bytes; each one tests a different weak check.

Example (abridged multipart request; the remaining headers, boundary and file body are omitted):
POST /upload HTTP/1.1
Content-Disposition: form-data; name="file"; filename="shell.php"
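The filter bypasses just described, run against a weak filter and a resistant one, as an added example that is not code from the original post: weak_filter() and strict_filter() are hand-written stand-ins for an upload handler's checks, and PHP_MARKER and JPEG_STUB are constructed byte strings, not real files. The weak filter is the common mistake of searching for an allowed extension anywhere in the name; the strict one decides on the last extension only, checks magic bytes, and never stores the client-supplied name.

```python
"""File-upload filter bypasses and a filter that resists them.

Added example, not from the original post. weak_filter() and strict_filter()
are hand-written stand-ins for an upload handler's checks; PHP_MARKER and
JPEG_STUB are constructed byte strings, not real files.
"""
import os
import secrets

# Allowed extension -> the magic bytes a genuine file of that type starts with
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

PHP_MARKER = b"<?php echo 'executed'; ?>"        # harmless proof-of-execution body
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed: looks like a JPEG header


def weak_filter(filename: str, data: bytes):
    """VULNERABLE: passes if an allowed extension appears anywhere in the name,
    so test.jpg.php is accepted and stored under that name."""
    return filename if any(ext in filename.lower() for ext in ALLOWED) else None


def strict_filter(filename: str, data: bytes):
    """Returns the name to store under, or None. Decides on the *last*
    extension only, verifies magic bytes, drops any path, rejects NUL,
    and never reuses the client's name."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED or not data.startswith(ALLOWED[ext]):
        return None
    return secrets.token_hex(16) + ext


def bypass_candidates(payload_ext=".php"):
    """Tester side: the post's double extension plus the usual variants."""
    return [
        f"shell{payload_ext}",           # plain
        f"test.jpg{payload_ext}",        # double extension from the post
        f"test{payload_ext}.jpg",        # relies on the server mapping the inner extension
        f"shell{payload_ext}\x00.jpg",   # NUL truncation in older stacks
        "shell.pHP",                     # case variation
        "shell.phtml",                   # alternative executable extension
        "../../var/www/html/shell.php",  # path traversal in the file name
    ]


def accepted(filt, data=PHP_MARKER):
    """Which candidate names does the filter let through with a PHP body?"""
    return [name for name in bypass_candidates() if filt(name, data)]


if __name__ == "__main__":
    print("weak filter accepts:  ", accepted(weak_filter))
    print("strict filter accepts:", accepted(strict_filter))
    print("strict filter on a JPEG-looking file:", strict_filter("photo.jpg", JPEG_STUB))
```

Note that strict_filter() still accepts `test.php.jpg` when the body really is a JPEG, but stores it as a random name ending in `.jpg`, so the inner `.php` never reaches the web server's handler mapping; storing uploads outside the web root closes the remaining gap.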

Real-World Exploitation Example:
SQLi to Admin Access

1. Find a vulnerable parameter (e.g., `?id=1`).

2. Test for SQLi with a true condition, then repeat with AND 1=2; the two pages must differ:
http://target.com/profile?id=1' AND 1=1 -- 

(Whether the closing quote is needed depends on whether the application quotes the value in its query; step 3 assumes an unquoted numeric id.)

3. Extract database info with a UNION whose column count matches the original query (four here, found by adding NULL placeholders until the error disappears):

http://target.com/profile?id=1 UNION SELECT 1,2,3,table_name FROM information_schema.tables -- 

4. Dump the admin credentials from the users table through the same UNION and log in with them.


Best Practices

- Use parameterized queries (prepared statements) for every database call to prevent SQLi; never build SQL by string concatenation.
- Encode output for the context it lands in to prevent XSS, and add a CSP (Content Security Policy) as a second layer, not as the only one.
- Enable CSRF tokens on every state-changing request and set session cookies with the SameSite attribute.
- Enforce object-level authorization on every API endpoint, not only at login.
- Validate uploads by final extension and content, and store them under generated names outside the web root.
- Regularly update dependencies and the server software that recon steps fingerprint.

Knowing how vulnerabilities are found, and applying the controls above, lets developers and security professionals cut the risk of exploitation substantially. Whether you build applications or test them, the steps in this post give you a repeatable way to locate and fix the common flaws; compare notes with peers on tools, findings and defences to keep up as the field changes.
