## What’s Inside the Guide
**Phase 1 — Reconnaissance**
- Whois — identify who owns a domain and gather registration details
- theHarvester — pull emails, names, and subdomains from public sources
- Subfinder — map out every subdomain attached to a target
- WhatWeb — fingerprint the technology stack before attacking
- Google Dorking — find exposed files, admin panels, and sensitive data using Google
- Goal: build a complete picture of the target without touching it

**Phase 2 — Scanning & Enumeration**
- nmap — discover open ports, running services, and known vulnerabilities
- Nikto — automatically check a web server for misconfigs and dangerous files
- Gobuster — find hidden directories, admin panels, and backup files
- Nuclei — run thousands of CVE templates against a target automatically
- testssl.sh — audit the HTTPS configuration for weak ciphers and vulnerabilities
- Goal: map every open door on the target and flag the obvious weaknesses

**Phase 3 — Exploitation**
- Burp Suite setup and full workflow — intercept, modify, and replay every HTTP request
- SQL Injection theory and manual payloads — understand how and why it works
- sqlmap — automate SQL injection detection and database extraction
- XSS manual payloads and context testing — inject JavaScript into pages
- XSStrike — automate XSS discovery across a site
- Other vulnerability types — IDOR, CSRF, LFI, SSRF, command injection quick reference
- Goal: trigger real vulnerabilities and prove they are exploitable

**Phase 4 — Proof of Work**
- What makes a valid PoC — evidence, reproducibility, and impact
- Saving requests and responses from Burp Suite
- curl for creating reproducible PoC commands anyone can verify
- Goal: document findings so they are undeniable and reproducible

**Phase 5 — Reporting**
- CVSS severity ratings — Critical, High, Medium, Low, Informational
- Full professional report structure from cover page to conclusion
- Finding template — description, steps to reproduce, evidence, impact, remediation
- Goal: communicate findings clearly to both technical and non-technical audiences

**Complete Workflow Checklist** — a single-page reference covering every command across all 5 phases in the correct order

**Legal Practice Targets** — where to legally practice everything learned, including PortSwigger, TryHackMe, HackTheBox, DVWA, and VulnHub

**OWASP Top 10 Reference** — the 10 most critical web vulnerabilities with simple explanations and what tool to use for each

**Tool Download List** — every tool with its download link and whether it is pre-installed on Kali

---
## What You Will Be Able to Do After Reading and Practicing
After going through the full guide and practicing on the legal targets, you will be able to independently perform a complete web application penetration test from start to finish: pick a target, gather intelligence on it without being detected, scan it for every open service and known vulnerability, manually test for SQL injection and XSS using both automated tools and your own hands in Burp Suite, document your findings with proper evidence, assign severity ratings, and write a professional report that clearly explains the impact and how to fix every issue you found. You will understand not just what commands to run but why each one exists and what the output means, which is what separates someone who follows tutorials from someone who can actually think through a real engagement.