Why Your Toolchain Matters More Than Ever
The attack surface has fragmented. In 2019, a skilled tester with Burp Suite and a browser could cover most of a target. In 2026 you're looking at React/Next.js apps that lazy-load routes, GraphQL APIs with nested resolvers, Cloudflare Worker edge functions that behave differently by geolocation, and LLM-backed chat endpoints that accept free-form user input.
No single tool covers all of that. What matters is selecting the right tool for each phase, understanding its blind spots, and knowing where manual analysis must fill the gaps. This guide organises the toolkit by engagement phase, not by vendor marketing material.
A tool is only as good as the tester's understanding of what it cannot see. Every scanner is someone else's assumptions about what a vulnerability looks like.
Phase 1 - Reconnaissance & Asset Discovery
Before a single HTTP request is proxied, you need a complete picture of the target's external footprint. Scope creep is a compliance risk; missed subdomains are a finding risk.
Passive subdomain enumeration from 50+ sources (Shodan, VirusTotal, CertSpotter, passive DNS). Fast and low-noise.
# Enumerate subdomains, resolve live ones, output for httpx subfinder -d target.com -silent \ | httpx -silent -status-code -title \ | tee live-subdomains.txt
Active + passive enumeration with graph-based relationship mapping. Slower but finds assets subfinder misses via BRUTE and CERT modes.
amass enum -passive -d target.com \
-config config.ini \
-o amass-out.txt
Fast HTTP probing for live hosts, tech fingerprinting, title extraction, status codes. Feeds into nuclei and ffuf.
httpx -l subdomains.txt \
-tech-detect -title \
-status-code -json \
-o httpx-results.json
JavaScript-aware crawler from ProjectDiscovery. Extracts endpoints from SPA apps that traditional spiders miss entirely.
katana -u https://app.target.com \
-js-crawl -depth 3 \
-known-files all \
-o endpoints.txt
Phase 2 - Traffic Interception & Proxying
This is where most of the manual work happens. The proxy is your observation layer - every authentication flow, state change, and authorization decision must pass through it.
Still the reference proxy for web app pentesting. Scanner, Repeater, Intruder, Collaborator, BChecks, and a mature extension ecosystem (Turbo Intruder, Auth Analyzer, JWT Editor).
# BCheck example - custom SSRF template metadata: language: v1-beta name: "Blind SSRF via Host header" given request then send request called check replacing headers "Host: {BURP_COLLABORATOR_DOMAIN}" if http_interactions() then report issue
Rust-based proxy built for speed and collaboration. Better handling of HTTP/2 and HTTP/3, team project sharing, cleaner UI. Not a Burp replacement yet - complementary for specific workflows.
# Caido automate - replay with JWT rotation caido automate run \ --workflow jwt-rotate \ --target https://api.target.com/v1
Python-scriptable proxy for custom interception logic. Best for automated manipulation flows - rotating tokens, injecting headers, fuzzing at the protocol layer.
# Intercept + modify all JSON responses def response(flow): if "application/json" in flow.response.headers.get("content-type", ""): data = flow.response.json() data["role"] = "admin" flow.response.text = json.dumps(data)
Phase 3 - Automated Vulnerability Scanning
Automated scanning is not a replacement for manual testing - it's a coverage multiplier. The goal is to eliminate known-pattern findings quickly so human time is spent on business logic, authorization, and novel attack chains.
Template-based vulnerability scanner with 9,000+ community templates. Run against live hosts from httpx output. Custom templates for client-specific tech stacks are a force-multiplier.
# Run all critical/high templates against live hosts nuclei -l live-subdomains.txt \ -severity critical,high \ -es info,low \ -stats -o nuclei-findings.json \ -jsonl # Custom template - exposed .env file id: exposed-env-file info: name: Exposed .env File severity: high http: - method: GET path: - "{{BaseURL}}/.env" matchers: - type: word words: ["DB_PASSWORD", "APP_SECRET", "AWS_SECRET"]
Free DAST scanner with a strong OWASP provenance. Best used via API/daemon mode in CI pipelines. Active scan is noisy - use passive scan in proxy mode alongside Burp.
# ZAP API scan (Docker, CI-friendly) docker run zaproxy/zap-stable \ zap-api-scan.py \ -t https://api.target.com/openapi.json \ -f openapi \ -r zap-report.html
Covers server misconfigurations and outdated software fingerprints that nuclei templates don't always catch. Loud and slow - run off-hours or with `-Tuning` to limit scope.
nikto -h https://target.com \
-Tuning 1,2,3,5,8 \
-output nikto-out.txt
Phase 4 - Directory Fuzzing & Parameter Discovery
Fast web fuzzer for directory brute-force, vhost discovery, parameter fuzzing. Configurable matchers and filters make it precise where other tools produce noise.
# Directory fuzzing with auto-calibration ffuf -u https://target.com/FUZZ \ -w /opt/seclists/Discovery/Web-Content/raft-large-words.txt \ -ac -mc 200,204,301,302,401,403 \ -o ffuf-dirs.json -of json # API parameter fuzzing ffuf -u https://api.target.com/v1/users?FUZZ=1 \ -w /opt/seclists/Discovery/Web-Content/api/objects.txt \ -fw 0 -mc 200
Rust-based recursive content discovery. Automatically dives into discovered directories - better than ffuf for deep-tree enumeration at the cost of more requests.
feroxbuster -u https://target.com \
-w raft-large-words.txt \
--depth 3 \
--filter-status 404,429 \
-o ferox-out.txt
HTTP parameter discovery tool. Finds hidden GET/POST parameters that swagger docs and source maps don't expose - especially useful for legacy endpoints.
arjun -u https://target.com/api/search \
--stable -t 10 \
-oJ arjun-params.json
Phase 5 - Injection & Specific Vulnerability Testing
Automated SQL injection detection and exploitation. Use `--level 5 --risk 3` for thorough testing, `--technique=BT` for time-based blind only. Always use with `--batch` in reports.
# Test from Burp request file, all techniques sqlmap -r burp-request.txt \ --level 3 --risk 2 \ --dbms=mysql \ --batch --random-agent \ -o --output-dir=sqlmap-results/
The definitive JWT testing toolkit. Tests alg:none, RS256→HS256 confusion, key injection, embedded JWK, claim manipulation, and custom exploit scripts.
# Run all JWT attack playbook python3 jwt_tool.py <TOKEN> -M pb # alg:none attack explicitly python3 jwt_tool.py <TOKEN> -X a # RS256→HS256 confusion with server cert python3 jwt_tool.py <TOKEN> -X k \ -pk server.pem
Fast XSS parameter analysis with context-aware payload generation. Handles DOM XSS via headless browser, WAF bypass techniques, and blind XSS callback.
dalfox url https://target.com/search?q=test \
--blind https://your.xss.collector \
--waf-evasion \
-o dalfox-findings.json
Server-side template injection detection across Jinja2, Twig, Mako, ERB, Velocity, and 15+ others. Escalates from detection to code execution automatically.
python2 tplmap.py \
-u "https://target.com/page?name=*" \
--engine Jinja2 \
--os-cmd "id"
Phase 6 - API & GraphQL Testing
REST APIs and GraphQL require fundamentally different testing approaches. GraphQL's introspection, batching, and nested resolver chains create attack surface that generic web scanners never touch.
Visualises GraphQL schema relationships as an interactive graph. Reveals hidden types, relationships between objects (where BOLA lives), and undocumented mutations.
# Pull introspection, feed to Voyager curl -s -X POST \ -H "Content-Type: application/json" \ -d '{"query":"{__schema{types{name fields{name type{name}}}}}"}' \ https://api.target.com/graphql \ | python3 -m json.tool > schema.json
GraphQL engine fingerprinting - identifies Apollo, Hasura, Dgraph, AWS AppSync, and others. Engine matters because each has unique vulnerability classes and bypass techniques.
python3 graphw00f.py \
-d -t https://api.target.com/graphql
Reconstructs a GraphQL schema through field suggestion errors even when introspection is disabled. Bypasses the most common GraphQL hardening measure.
python3 -m clairvoyance \
-o discovered-schema.json \
https://api.target.com/graphql
API route brute-forcer using real-world API route wordlists. Finds undocumented endpoints that standard directory lists miss (includes OpenAPI-derived wordlists).
kr scan https://api.target.com \
-w routes-large.kite \
-x 20 \
--fail-status-codes 404,429,500
2026 Attack Surface: What Changed
The following categories represent the fastest-growing sources of new findings on our engagements. Traditional web app testing methodology doesn't fully cover any of them.
Single-Page Applications
React/Next.js/Nuxt apps leak routes in JS bundles, expose API keys in build artifacts, and handle authorization entirely client-side. Use katana + Burp JS analysis + sourcemapper for coverage.
GraphQL APIs
Batching enables rate-limit bypass, nested resolvers create N+1 BOLA chains, and mutations often skip field-level authorization checks. Requires dedicated tooling - scanners miss most of it.
Edge Functions
Cloudflare Workers, Vercel Edge, and AWS Lambda@Edge behave differently by region, often have reduced WAF coverage, and may have weaker secret management than origin servers.
AI / LLM Endpoints
Prompt injection via user-controlled input to LLM context, indirect injection through retrieved documents, insecure system prompt exposure, and model output used in downstream code execution.
OAuth / OIDC Flows
PKCE downgrade attacks, redirect_uri validation bypass, state parameter CSRF, token leakage via Referer, and cross-tenant token reuse are endemic in OAuth implementations.
WebSockets & SSE
WebSocket connections bypass same-origin checks in ways HTTP requests don't. Authorization must be re-validated per-message, not just at handshake. Burp's WS Repeater is essential here.
Recommended Toolchains by Engagement Type
Standard Web App Pentest (2-5 days)
Recon: subfinder + httpx + katana. Proxy: Burp Suite Pro. Scanning: nuclei (critical/high) + ZAP passive. Fuzzing: ffuf with raft-large. Auth: jwt_tool + Burp Auth Analyzer. Injection: sqlmap on identified params. Reporting: Burp scanner issues + manual findings.
GraphQL API Security Review
Fingerprint: graphw00f. Schema: Voyager + clairvoyance (if introspection off). Route discovery: kiterunner. Proxy: Burp with InQL extension. BOLA: manual with Burp Repeater, Turbo Intruder for rate-limit bypass. Depth/complexity: manual batching attacks.
SPA / Frontend-Heavy App
JS enumeration: katana + sourcemapper + retire.js. Bundle analysis: Chrome DevTools + webpack-bundle-analyzer output. API endpoint extraction: truffleHog on JS for secrets. Proxy: Burp with JS Miner extension. DOM XSS: dalfox + manual review.
Compliance-Scoped Assessment (PCIDSS / SOC 2)
Authenticated scan: Burp active scan + nuclei authenticated templates. OWASP Top 10 coverage: structured manual testing per WSTG. Evidence capture: Burp project export + nuclei JSONL. Deliverable: findings mapped to PCI DSS Req 6.2.4 test requirements.
Tool Selection Quick Reference
| Phase | Primary Tool | Alternative | When to switch |
|---|---|---|---|
| Subdomain Enum | subfinder | amass | Need graph relationships or active brute-force |
| HTTP Probing | httpx | masscan + nmap | Large IP ranges vs. hostname lists |
| Crawling | katana | gospider | Legacy apps without heavy JS |
| Proxy | Burp Suite Pro | Caido | HTTP/2/3 heavy targets, team collaboration |
| Vuln Scanning | nuclei | ZAP API scan | CI pipeline integration, compliance-mapped reports |
| Dir Fuzzing | ffuf | feroxbuster | Need recursive enumeration into deep directory trees |
| SQL Injection | sqlmap | Manual (Burp) | WAF bypass, custom injection types, NoSQL |
| JWT Testing | jwt_tool | Burp JWT Editor | GUI preferred, quick header inspection |
| XSS | dalfox | XSStrike | Polyglot payloads, DOM context analysis |
| GraphQL | Burp + InQL | Altair + manual | Schema exploration + manual mutation testing |
What No Tool Catches
This section is the most important in the guide. Automated tools - even best-in-class - have fundamental blind spots. The highest-impact findings almost always require manual analysis.
Race conditions, workflow bypass (skipping payment steps), limit override (negative quantities), and state machine abuse. These require domain knowledge of how the application is supposed to work.
Accessing another tenant's data requires understanding the data model and creating multiple test accounts. No scanner can reason about tenant isolation - it requires human-guided enumeration.
IDOR in step 3 of a 5-step workflow only triggers after steps 1-2 complete with specific state. Scanners replay single requests without workflow context.
Context-aware prompt injection that bypasses system prompt restrictions requires iterative manual testing. There's no reliable automated detection as of early 2026.
Custom token signing, homegrown encryption, and non-standard key derivation require code review and/or cryptanalysis - not HTTP-level scanning.
Building Your Toolkit
The right toolkit is not the most comprehensive list of tools - it's the minimum set that gives maximum coverage for your specific target class. A 50-tool setup that 80% duplicates effort is worse than a 12-tool setup where each fills a distinct gap.
Start with: subfinder → httpx → katana → Burp Suite Pro → nuclei → ffuf. That chain covers the majority of automated attack surface. Layer in specialised tools (jwt_tool, sqlmap, GraphQL Voyager, dalfox) when the target has those specific components. Reserve the rest for when you have confirmed attack surface to investigate.
Our full pentest checklist maps each tool to its test cases and the specific OWASP/WSTG test IDs it covers. Download it below.
Web App Pentest Checklist - 156 Test Cases
Phase-by-phase checklist mapping tools to OWASP WSTG test IDs. Covers pre-engagement through reporting. Used on every CyberFortify engagement.