pentesting-web-apps
Web App Pentesting
Use this skill when the only provided input is the target web application's base URL and you are explicitly authorized to test it.
Input Contract
- Accept exactly one required input: the base URL of the web app under test.
- Derive scope from that URL unless the user explicitly expands it.
- Stay inside the target origin and closely related subpaths unless the user authorizes additional domains.
- Record every finding with the exact URL, request method, parameters, user role used, and observed impact.
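One way to enforce this contract before any request is sent or any finding is logged, as an added example (not part of the original skill). The names Scope, Finding and record, and the host app.example.test, are hypothetical, and "closely related subpaths" is assumed to mean the base URL's path and everything below it.

```python
from dataclasses import dataclass, field
from posixpath import normpath
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """(scheme, host, port) with default ports explicit; ValueError if not http(s)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]

def clean_path(url):
    """Percent-decode and collapse dot segments: '/shop/%2e%2e/admin' -> '/admin'."""
    return normpath(unquote(urlsplit(url).path) or "/")

@dataclass
class Scope:
    base_url: str
    extra_origins: set = field(default_factory=set)  # only origins the user authorized

    def allows(self, url):
        try:
            origin = origin_of(url)
        except ValueError:  # relative, non-http(s), or malformed port/host
            return False
        if origin in {origin_of(o) for o in self.extra_origins}:
            return True
        if origin != origin_of(self.base_url):
            return False
        base, path = clean_path(self.base_url), clean_path(url)
        # Assumption: "closely related subpaths" = the base path and anything below it.
        return base == "/" or path == base or path.startswith(base + "/")

@dataclass(frozen=True)
class Finding:
    url: str
    method: str
    parameters: dict
    role: str
    impact: str

def record(scope, findings, finding):
    """Append a finding only if its URL is inside the authorized scope."""
    if not scope.allows(finding.url):
        raise ValueError(f"out of scope, not recorded: {finding.url}")
    findings.append(finding)
    return finding
```

The check compares parsed origins rather than string prefixes, so look-alike paths, userinfo tricks and encoded dot segments fall out of scope instead of slipping through.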
Preferred Tooling
Prefer free tools, with an open-source-first approach: