Web Application Agent
The Web Application agent is a specialized security testing agent equipped with comprehensive knowledge of the OWASP Web Security Testing Guide (WSTG) v4.2, featuring 109 documented tests across 12 categories.
Overview
The Web Application agent combines deep security knowledge with automated tooling to perform thorough web application penetration testing. It’s pre-loaded with specialized skills for SQL injection testing and OWASP WSTG methodology.
Agent Configuration
| Property | Value |
|---|---|
| Agent ID | web-application |
| Color | Red |
| Pre-loaded Skills | owasp-wstg, sql-injection |
| Allowed Tools | Browser, Bash, WebFetch, WebSearch, Read, Glob, Grep |
Launch the Agent
```
# Start Cyberstrike with web application agent
cyberstrike --agent web-application

# Or switch during session
/agent web-application
```
Knowledge Base
The Web Application agent has access to extensive security knowledge through the skills system.
OWASP WSTG v4.2 Skill
The agent is pre-loaded with the complete OWASP Web Security Testing Guide v4.2, providing systematic testing methodology for 109 security tests across 12 categories.
SQL Injection Skill
Comprehensive SQL injection testing knowledge including:
- Detection payloads (basic, error-based)
- Database fingerprinting queries (MySQL, PostgreSQL, MSSQL, Oracle, SQLite)
- Union-based injection methodology
- Blind SQL injection (boolean-based, time-based)
- Out-of-band (OOB) techniques with DNS exfiltration
- WAF bypass techniques
- SQLMap command reference
OWASP WSTG v4.2 Coverage
The agent systematically tests all WSTG categories:
WSTG-INFO: Information Gathering (10 tests)
| Test ID | Test Name |
|---|---|
| WSTG-INFO-01 | Conduct Search Engine Discovery Reconnaissance |
| WSTG-INFO-02 | Fingerprint Web Server |
| WSTG-INFO-03 | Review Webserver Metafiles for Information Leakage |
| WSTG-INFO-04 | Enumerate Applications on Webserver |
| WSTG-INFO-05 | Review Webpage Content for Information Leakage |
| WSTG-INFO-06 | Identify Application Entry Points |
| WSTG-INFO-07 | Map Execution Paths Through Application |
| WSTG-INFO-08 | Fingerprint Web Application Framework |
| WSTG-INFO-09 | Fingerprint Web Application |
| WSTG-INFO-10 | Map Application Architecture |
WSTG-CONF: Configuration Testing (13 tests)
| Test ID | Test Name |
|---|---|
| WSTG-CONF-01 | Test Network Infrastructure Configuration |
| WSTG-CONF-02 | Test Application Platform Configuration |
| WSTG-CONF-03 | Test File Extensions Handling |
| WSTG-CONF-04 | Review Old Backup and Unreferenced Files |
| WSTG-CONF-05 | Enumerate Infrastructure and Admin Interfaces |
| WSTG-CONF-06 | Test HTTP Methods |
| WSTG-CONF-07 | Test HTTP Strict Transport Security |
| WSTG-CONF-08 | Test RIA Cross Domain Policy |
| WSTG-CONF-09 | Test File Permission |
| WSTG-CONF-10 | Test for Subdomain Takeover |
| WSTG-CONF-11 | Test Cloud Storage |
| WSTG-CONF-12 | Test for Content Security Policy |
| WSTG-CONF-13 | Test for Path Confusion |
Tip
The agent automatically tests for S3 bucket misconfigurations and Azure Blob storage exposure under WSTG-CONF-11.
WSTG-IDNT: Identity Management (5 tests)
| Test ID | Test Name |
|---|---|
| WSTG-IDNT-01 | Test Role Definitions |
| WSTG-IDNT-02 | Test User Registration Process |
| WSTG-IDNT-03 | Test Account Provisioning Process |
| WSTG-IDNT-04 | Test for Account Enumeration |
| WSTG-IDNT-05 | Test for Weak or Unenforced Username Policy |
WSTG-ATHN: Authentication Testing (11 tests)
| Test ID | Test Name |
|---|---|
| WSTG-ATHN-01 | Test for Credentials Transported over Encrypted Channel |
| WSTG-ATHN-02 | Test for Default Credentials |
| WSTG-ATHN-03 | Test for Weak Lock Out Mechanism |
| WSTG-ATHN-04 | Test for Bypassing Authentication Schema |
| WSTG-ATHN-05 | Test for Vulnerable Remember Password |
| WSTG-ATHN-06 | Test for Browser Cache Weaknesses |
| WSTG-ATHN-07 | Test for Weak Password Policy |
| WSTG-ATHN-08 | Test for Weak Security Question Answer |
| WSTG-ATHN-09 | Test for Weak Password Change or Reset |
| WSTG-ATHN-10 | Test for Weaker Authentication in Alternative Channel |
| WSTG-ATHN-11 | Test Multi-Factor Authentication |
WSTG-ATHZ: Authorization Testing (7 tests)
| Test ID | Test Name |
|---|---|
| WSTG-ATHZ-01 | Test Directory Traversal File Include |
| WSTG-ATHZ-02 | Test for Bypassing Authorization Schema |
| WSTG-ATHZ-03 | Test for Privilege Escalation |
| WSTG-ATHZ-04 | Test for Insecure Direct Object References (IDOR) |
| WSTG-ATHZ-05 | Test for OAuth Weaknesses |
| WSTG-ATHZ-06 | Test for JWT Weaknesses |
| WSTG-ATHZ-07 | Test for GraphQL Weaknesses |
WSTG-SESS: Session Management (11 tests)
| Test ID | Test Name |
|---|---|
| WSTG-SESS-01 | Test for Session Management Schema |
| WSTG-SESS-02 | Test for Cookie Attributes |
| WSTG-SESS-03 | Test for Session Fixation |
| WSTG-SESS-04 | Test for Exposed Session Variables |
| WSTG-SESS-05 | Test for Cross Site Request Forgery (CSRF) |
| WSTG-SESS-06 | Test for Logout Functionality |
| WSTG-SESS-07 | Test Session Timeout |
| WSTG-SESS-08 | Test for Session Puzzling |
| WSTG-SESS-09 | Test for Session Hijacking |
| WSTG-SESS-10 | Test JSON Web Tokens |
| WSTG-SESS-11 | Test for Cookie Scope |
WSTG-INPV: Input Validation Testing (19 tests)
| Test ID | Test Name |
|---|---|
| WSTG-INPV-01 | Test for Reflected Cross Site Scripting |
| WSTG-INPV-02 | Test for Stored Cross Site Scripting |
| WSTG-INPV-03 | Test for HTTP Verb Tampering |
| WSTG-INPV-04 | Test for HTTP Parameter Pollution |
| WSTG-INPV-05 | Test for SQL Injection |
| WSTG-INPV-06 | Test for LDAP Injection |
| WSTG-INPV-07 | Test for XML Injection |
| WSTG-INPV-08 | Test for SSI Injection |
| WSTG-INPV-09 | Test for XPath Injection |
| WSTG-INPV-10 | Test for IMAP SMTP Injection |
| WSTG-INPV-11 | Test for Code Injection |
| WSTG-INPV-12 | Test for Command Injection |
| WSTG-INPV-13 | Test for Format String Injection |
| WSTG-INPV-14 | Test for Incubated Vulnerability |
| WSTG-INPV-15 | Test for HTTP Splitting Smuggling |
| WSTG-INPV-16 | Test for HTTP Incoming Requests |
| WSTG-INPV-17 | Test for Host Header Injection |
| WSTG-INPV-18 | Test for Server-Side Template Injection (SSTI) |
| WSTG-INPV-19 | Test for Server-Side Request Forgery (SSRF) |
Danger
SQL Injection (WSTG-INPV-05) testing uses the pre-loaded sql-injection skill with comprehensive payloads for all major database systems.
WSTG-ERRH: Error Handling (2 tests)
| Test ID | Test Name |
|---|---|
| WSTG-ERRH-01 | Test for Improper Error Handling |
| WSTG-ERRH-02 | Test for Stack Traces |
WSTG-CRYP: Cryptography (4 tests)
| Test ID | Test Name |
|---|---|
| WSTG-CRYP-01 | Test for Weak Transport Layer Security |
| WSTG-CRYP-02 | Test for Padding Oracle |
| WSTG-CRYP-03 | Test for Sensitive Information Sent via Unencrypted Channels |
| WSTG-CRYP-04 | Test for Weak Encryption |
WSTG-BUSL: Business Logic (10 tests)
| Test ID | Test Name |
|---|---|
| WSTG-BUSL-01 | Test Business Logic Data Validation |
| WSTG-BUSL-02 | Test Ability to Forge Requests |
| WSTG-BUSL-03 | Test Integrity Checks |
| WSTG-BUSL-04 | Test for Process Timing |
| WSTG-BUSL-05 | Test Number of Times a Function Can Be Used Limits |
| WSTG-BUSL-06 | Test for Circumvention of Work Flows |
| WSTG-BUSL-07 | Test Defenses Against Application Misuse |
| WSTG-BUSL-08 | Test Upload of Unexpected File Types |
| WSTG-BUSL-09 | Test Upload of Malicious Files |
| WSTG-BUSL-10 | Test Payment Functionality |
WSTG-CLNT: Client-Side Testing (14 tests)
| Test ID | Test Name |
|---|---|
| WSTG-CLNT-01 | Test for DOM-Based Cross Site Scripting |
| WSTG-CLNT-02 | Test for JavaScript Execution |
| WSTG-CLNT-03 | Test for HTML Injection |
| WSTG-CLNT-04 | Test for Client-Side URL Redirect |
| WSTG-CLNT-05 | Test for CSS Injection |
| WSTG-CLNT-06 | Test for Client-Side Resource Manipulation |
| WSTG-CLNT-07 | Test Cross Origin Resource Sharing |
| WSTG-CLNT-08 | Test for Cross Site Flashing |
| WSTG-CLNT-09 | Test for Clickjacking |
| WSTG-CLNT-10 | Test WebSockets |
| WSTG-CLNT-11 | Test Web Messaging |
| WSTG-CLNT-12 | Test Browser Storage |
| WSTG-CLNT-13 | Test for Cross Site Script Inclusion |
| WSTG-CLNT-14 | Test for Reverse Tabnabbing |
WSTG-APIT: API Testing (4 tests)
| Test ID | Test Name |
|---|---|
| WSTG-APIT-01 | Test for GraphQL |
| WSTG-APIT-02 | Test for REST API |
| WSTG-APIT-03 | Test for SOAP API |
| WSTG-APIT-04 | Test for WebSocket API |
Testing Methodology
The agent follows a structured approach:
```
TESTING METHODOLOGY

1. RECONNAISSANCE
   └── Information gathering, fingerprinting

2. MAPPING
   └── Application structure, entry points

3. DISCOVERY
   └── Vulnerability identification per WSTG category

4. EXPLOITATION
   └── Proof of concept, impact demonstration

5. REPORTING
   └── Findings with CVSS scores, remediation
```
Integrated Security Tools
The agent leverages industry-standard tools:
| Tool | Purpose |
|---|---|
| Nuclei | Template-based vulnerability scanning |
| SQLMap | Automated SQL injection exploitation |
| FFUF | Web fuzzing and content discovery |
| Nikto | Web server vulnerability scanner |
| curl | HTTP request crafting and testing |
Tool Integration Example
```
> Use sqlmap to test the login endpoint for SQL injection

[Executing SQLMap...]
sqlmap -u "https://target.com/api/login" --data="username=test&password=test" --batch --level=5 --risk=3

[SQLMap Output]
Parameter: username (POST)
    Type: boolean-based blind
    Payload: username=test' AND 5765=5765 AND 'test'='test

    Type: time-based blind
    Payload: username=test' AND SLEEP(5) AND 'test'='test

Database: MySQL >= 5.0.12
```
Browser-Based Testing
The agent uses the HackerBrowser for dynamic analysis with full traffic capture:
```
> Launch browser and navigate to https://target.com/login
> Test the username field for XSS vulnerabilities

[Browser launched]
[Navigating to /login...]
[Injecting XSS payloads...]

Testing payload: <script>alert('XSS')</script>
Testing payload: <img src=x onerror=alert('XSS')>
Testing payload: javascript:alert('XSS')
Testing payload: <svg onload=alert('XSS')>

FINDING: Reflected XSS
━━━━━━━━━━━━━━━━━━━━━━━
WSTG-ID: WSTG-INPV-01
Location: GET /login?error=<message>
Parameter: error
Payload: <svg onload=alert(document.domain)>
Severity: High (CVSS 6.1)
Evidence: JavaScript executed in browser context
CWE: CWE-79
```
CVSS Severity Rating
The agent rates findings using CVSS 3.1:
| Severity | CVSS Score | Example Vulnerabilities |
|---|---|---|
| Critical | 9.0 - 10.0 | RCE, Auth Bypass, SQLi with data exfil |
| High | 7.0 - 8.9 | Stored XSS, IDOR with sensitive data |
| Medium | 4.0 - 6.9 | Reflected XSS, CSRF, Info disclosure |
| Low | 0.1 - 3.9 | Missing headers, verbose errors |
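The check below is an added example, not part of Cyberstrike: it parses finding blocks in the format shown on this page and flags any whose severity label disagrees with the CVSS band table above or that lack a field. The function names, the required-field list and the sample input are assumptions made for the illustration.

```python
import re

# CVSS 3.1 bands from the table above; REQUIRED is an assumed minimum field set.
BANDS = [("Critical", 9.0, 10.0), ("High", 7.0, 8.9), ("Medium", 4.0, 6.9), ("Low", 0.1, 3.9)]
REQUIRED = ("WSTG-ID", "Location", "Parameter", "Severity", "Evidence", "CWE")
SEVERITY_RE = re.compile(r"(\w+) \(CVSS (\d+\.\d)\)")

def band_for(score):
    return next((name for name, low, high in BANDS if low <= score <= high), None)

def parse_findings(text):
    """Split output into dicts: a 'FINDING: <title>' line, then 'Key: value' lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip("━ \t")  # drop rule lines and padding
        if line.startswith("FINDING:"):
            findings.append({"title": line[len("FINDING:"):].strip()})
        elif findings and ": " in line:
            key, value = line.split(": ", 1)
            findings[-1].setdefault(key, value)
    return findings

def check(finding):
    """Return the problems to resolve before the finding goes into a report."""
    problems = [f"missing field: {key}" for key in REQUIRED if key not in finding]
    m = SEVERITY_RE.fullmatch(finding.get("Severity", ""))
    if m and band_for(float(m[2])) != m[1]:
        problems.append(f"label {m[1]} does not match CVSS {m[2]} ({band_for(float(m[2]))})")
    elif "Severity" in finding and not m:
        problems.append("Severity is not '<Label> (CVSS <score>)'")
    return problems

# Constructed sample in the page's finding format (payload lines omitted).
SAMPLE = """\
FINDING: Reflected XSS
━━━━━━━━━━━━━━━━━━━━━━━
WSTG-ID: WSTG-INPV-01
Location: GET /login?error=<message>
Parameter: error
Severity: High (CVSS 6.1)
Evidence: JavaScript executed in browser context
CWE: CWE-79
FINDING: IDOR in Order History
WSTG-ID: WSTG-ATHZ-04
Location: GET /api/orders/{id}
Parameter: id
Severity: High (CVSS 7.5)
Evidence: Accessed orders of other users
CWE: CWE-639
"""
```

Running `check` over `parse_findings(SAMPLE)` reports the first finding, whose 6.1 score falls in the Medium band, and passes the second.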
Session Example
```
You: Test the e-commerce site at shop.example.com for OWASP Top 10 vulnerabilities

Agent: I'll perform comprehensive security testing following OWASP WSTG methodology.

## Phase 1: Information Gathering

[Fingerprinting web server...]
Server: nginx/1.18.0
Framework: React (frontend), Node.js/Express (backend)
Technologies: JWT authentication, PostgreSQL database

[Mapping application structure...]
Found 47 endpoints across 8 API routes

## Phase 2: Authentication Testing (WSTG-ATHN)

[Testing WSTG-ATHN-02: Default Credentials...]
✓ No default credentials found

[Testing WSTG-ATHN-04: Auth Bypass...]
⚠ FINDING: JWT Algorithm Confusion

FINDING: JWT Algorithm Confusion
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WSTG-ID: WSTG-SESS-10
Location: Authorization header
Parameter: JWT token
Payload: Algorithm changed from RS256 to HS256
Severity: Critical (CVSS 9.8)
Evidence: Forged admin token accepted
CWE: CWE-347

## Phase 3: Authorization Testing (WSTG-ATHZ)

[Testing WSTG-ATHZ-04: IDOR...]
⚠ FINDING: Insecure Direct Object Reference

FINDING: IDOR in Order History
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WSTG-ID: WSTG-ATHZ-04
Location: GET /api/orders/{id}
Parameter: id
Payload: Sequential ID enumeration
Severity: High (CVSS 7.5)
Evidence: Accessed orders of other users
CWE: CWE-639

[Continuing with remaining WSTG categories...]
```
Best Practices
- Scope Definition - Clearly define testing boundaries and excluded endpoints
- Authentication - Provide valid credentials for comprehensive authenticated testing
- Rate Limiting - Configure appropriate delays to avoid triggering WAF/rate limits
- Evidence Collection - Use HAR export for complete traffic capture
- Verification - Manually verify critical and high severity findings
Caution
Always obtain proper written authorization before testing web applications. Unauthorized security testing is illegal and unethical.
Related Documentation
- HackerBrowser Deep Dive - Browser automation internals
- SQL Injection Skill - SQL injection knowledge base
- OWASP WSTG Skill - Complete WSTG reference
- Report Generator - Creating professional reports