The web-application agent is a web security specialist pre-loaded with the full OWASP Web Security Testing Guide (WSTG) v4.2. It covers all 12 WSTG categories and maps findings directly to OWASP Top 10 entries.

Activating the agent

Press Tab until web-application appears in the status bar, then describe your target.

Skills loaded

The agent automatically loads four skill files that contain detailed test procedures for each WSTG category:
Skill                   Categories covered
wstg-recon-config       WSTG-INFO (information gathering), WSTG-CONF (configuration)
wstg-auth-session       WSTG-IDNT (identity), WSTG-ATHN (authentication), WSTG-AUTHZ (authorization), WSTG-SESS (session)
wstg-injection          WSTG-INPV (input validation), WSTG-ERRH (error handling), WSTG-CRYP (cryptography)
wstg-logic-client-api   WSTG-BUSL (business logic), WSTG-CLNT (client-side), WSTG-APIT (API testing)

Tools

The agent has access to these tools:
Tool                    Use
bash                    Run security tools: nuclei, sqlmap, ffuf, nmap, nikto, testssl.sh, commix, tplmap
browser                 Navigate, capture traffic, interact with forms, execute JavaScript, take screenshots
webfetch                Fetch URLs for content analysis
websearch               Research vulnerabilities and CVEs
report_vulnerability    Record findings in HackerOne-compatible format with severity, CWE, and evidence
The agent always uses the browser tool for web operations so that all HTTP traffic is captured for analysis. It does not use open, xdg-open, or raw webfetch for navigation.

Testing methodology

The agent follows a six-phase workflow mapped to WSTG categories.
1. Reconnaissance (WSTG-INFO)

Enumerates the attack surface using search engine discovery, server fingerprinting, robots.txt and sitemap analysis, subdomain enumeration, web page content review, and application architecture mapping. Documents the tech stack, entry points, and exposed attack surface before testing begins.

2. Configuration and cryptography (WSTG-CONF, WSTG-ERRH, WSTG-CRYP)

Tests security headers (HSTS, CSP, X-Frame-Options), TLS configuration, HTTP methods, backup and unreferenced files, admin interface exposure, subdomain takeover risks, and cloud storage misconfigurations. Triggers errors to check for information leakage via stack traces.

3. Identity and authentication (WSTG-IDNT, WSTG-ATHN)

Tests user registration flows for enumeration and bypass, default credentials, brute-force lockout mechanisms, authentication bypass via parameter manipulation or SQLi, MFA weaknesses, password reset token predictability, and weaker alternative authentication channels.

4. Authorization and sessions (WSTG-AUTHZ, WSTG-SESS)

Tests IDOR via ID manipulation, directory traversal, privilege escalation (horizontal and vertical), forced browsing to admin pages, session token entropy, cookie security attributes (Secure, HttpOnly, SameSite), session fixation, CSRF, logout functionality, JWT algorithm confusion, and OAuth misconfiguration.

5. Input validation (WSTG-INPV)

Tests all input vectors: SQL injection (error-based, union, blind, time-based) across MySQL, PostgreSQL, Oracle, and SQL Server; XSS (reflected, stored, DOM-based); SSTI; SSRF including cloud metadata endpoints; command injection; XXE; LDAP injection; HTTP request smuggling; and host header injection.

6. Business logic, client-side, and API (WSTG-BUSL, WSTG-CLNT, WSTG-APIT)

Tests business logic: negative prices, workflow bypass, race conditions, coupon reuse. Client-side: DOM XSS, CORS misconfiguration, clickjacking, WebSocket security, postMessage origin checks, localStorage secrets. API: OpenAPI/Swagger enumeration, BOLA/IDOR on resources, GraphQL introspection and batch query abuse.

WSTG categories

Information gathering (WSTG-INFO): search engine discovery (INFO-01), web server fingerprinting (INFO-02), webserver metafiles (INFO-03), application enumeration (INFO-04), web page content review (INFO-05), entry point identification (INFO-06), execution path mapping (INFO-07), framework fingerprinting (INFO-08), application fingerprinting (INFO-09), and architecture mapping (INFO-10).

Configuration (WSTG-CONF): network infrastructure config (CONF-01), platform config (CONF-02), file extension handling (CONF-03), backup and unreferenced files (CONF-04), admin interfaces (CONF-05), HTTP methods (CONF-06), HSTS (CONF-07), RIA cross-domain policy (CONF-08), file permissions (CONF-09), subdomain takeover (CONF-10), cloud storage (CONF-11), CSP (CONF-12), and path confusion (CONF-13).

Authentication (WSTG-ATHN): encrypted channel verification (ATHN-01), default credentials (ATHN-02), lockout mechanisms (ATHN-03), auth bypass (ATHN-04), remember password (ATHN-05), browser cache (ATHN-06), password policy (ATHN-07), security questions (ATHN-08), password change/reset (ATHN-09), weaker alternative channels (ATHN-10), and MFA (ATHN-11).

Authorization (WSTG-AUTHZ): directory traversal (AUTHZ-01), authorization bypass (AUTHZ-02), privilege escalation (AUTHZ-03), IDOR (AUTHZ-04), OAuth weaknesses (AUTHZ-05), OAuth authorization server (AUTHZ-05.1), and OAuth client weaknesses (AUTHZ-05.2).

Session management (WSTG-SESS): session schema analysis (SESS-01), cookie attributes (SESS-02), session fixation (SESS-03), exposed session variables (SESS-04), CSRF (SESS-05), logout (SESS-06), timeout (SESS-07), session puzzling (SESS-08), hijacking (SESS-09), JWT testing (SESS-10), and concurrent sessions (SESS-11).

Input validation (WSTG-INPV): reflected XSS (INPV-01), stored XSS (INPV-02), HTTP verb tampering (INPV-03), parameter pollution (INPV-04), SQL injection across 8 DB types (INPV-05 through INPV-05.8), LDAP injection (INPV-06), XML/XXE (INPV-07), SSI (INPV-08), XPath (INPV-09), IMAP/SMTP (INPV-10), code injection and LFI/RFI (INPV-11), command injection (INPV-12), format string (INPV-13), incubated vulnerabilities (INPV-14), HTTP splitting/smuggling (INPV-15 and INPV-16), host header injection (INPV-17), SSTI (INPV-18), SSRF (INPV-19), and mass assignment (INPV-20).

Business logic (WSTG-BUSL, 10 tests): data validation, forged requests, integrity checks, race conditions, workflow bypass, and payment manipulation.

Client-side (WSTG-CLNT, 14 tests): DOM XSS, JavaScript execution, HTML injection, open redirect, CSS injection, CORS misconfiguration, clickjacking, WebSockets, postMessage, browser storage, and reverse tabnabbing.

API testing (WSTG-APIT, 4 tests): API reconnaissance, BOLA/IDOR, and GraphQL security.

Example workflows

cyberstrike run --agent web-application \
  "Run a full OWASP WSTG assessment against https://app.example.com"

Finding output format

Each finding the agent reports includes:
  • WSTG-ID — e.g., WSTG-INPV-05
  • Title — e.g., SQL injection in login form
  • Severity — Critical / High / Medium / Low with CVSS score
  • CWE — e.g., CWE-89
  • Evidence — Request/response details and screenshots
  • Impact — What an attacker could achieve
  • Remediation — Specific fix recommendations
Findings are recorded via report_vulnerability and appear in the session sidebar in real time. You can export them as a structured report at the end of the session.
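As an added illustration of what phases 2 and 4 check (security headers and cookie attributes) and of the finding shape listed above, the following Python script is example code written for this page; it is not part of cyberstrike, the agent, or its skill files. It runs over a constructed set of response headers (no real target is contacted), flags missing HSTS, CSP and X-Frame-Options headers and Set-Cookie values lacking Secure, HttpOnly or SameSite, and emits each issue as a dictionary with the WSTG-ID, title, severity, CWE and evidence fields described above. The severity ratings are assumed defaults, not values taken from the page.

```python
"""Passive header and cookie checks over a captured HTTP response.

Example code for this page, not the agent's own implementation. The severity
ratings below are assumed defaults; adjust them to the target's context.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]
Finding = Dict[str, str]

# Constructed sample response headers for the demo (not captured from a real host).
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=Lax"),
]

# Header name -> (WSTG-ID, title, assumed severity, CWE) when the header is absent.
REQUIRED_HEADERS = {
    "strict-transport-security": (
        "WSTG-CONF-07", "Missing Strict-Transport-Security header", "Medium", "CWE-319"),
    "content-security-policy": (
        "WSTG-CONF-12", "Missing Content-Security-Policy header", "Medium", "CWE-693"),
    "x-frame-options": (
        "WSTG-CLNT-09", "Missing X-Frame-Options header (clickjacking)", "Low", "CWE-1021"),
}


def make_finding(wstg_id: str, title: str, severity: str, cwe: str, evidence: str) -> Finding:
    """Build a finding in the field layout the report format above describes."""
    return {"wstg_id": wstg_id, "title": title, "severity": severity,
            "cwe": cwe, "evidence": evidence}


def check_headers(headers: List[Header]) -> List[Finding]:
    """Report each required security header that is missing from the response."""
    present = {name.lower() for name, _ in headers}
    return [
        make_finding(wstg, title, sev, cwe, f"Response carries no {name} header")
        for name, (wstg, title, sev, cwe) in REQUIRED_HEADERS.items()
        if name not in present
    ]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and its attributes (lower-cased keys)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_cookies(headers: List[Header]) -> List[Finding]:
    """Flag cookies set without Secure, HttpOnly or SameSite (all map to WSTG-SESS-02)."""
    findings: List[Finding] = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(make_finding("WSTG-SESS-02", f"Cookie {cookie} lacks Secure",
                                         "Medium", "CWE-614", value))
        if "httponly" not in attrs:
            findings.append(make_finding("WSTG-SESS-02", f"Cookie {cookie} lacks HttpOnly",
                                         "Medium", "CWE-1004", value))
        # SameSite=None is acceptable only together with Secure; absence is always reported.
        if "samesite" not in attrs:
            findings.append(make_finding("WSTG-SESS-02", f"Cookie {cookie} lacks SameSite",
                                         "Low", "CWE-1275", value))
    return findings


def assess(headers: List[Header]) -> List[Finding]:
    """Run both passive checks and return the combined finding list."""
    return check_headers(headers) + check_cookies(headers)


if __name__ == "__main__":
    for f in assess(SAMPLE_HEADERS):
        print(f"[{f['severity']}] {f['wstg_id']} {f['cwe']}: {f['title']}")
```

On the constructed sample this reports five issues: two missing headers (HSTS and CSP; X-Frame-Options is present) and three cookie attribute gaps. Feeding it the headers the browser tool captures, rather than the sample list, turns it into a quick pre-check for the WSTG-CONF-07, WSTG-CONF-12 and WSTG-SESS-02 tests.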
