A Few Tricks to Manually Pentest a Website (Without Any Tools)

February 22, 2016 | Views: 27535

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Dear Cybrary Readers,

First, I’d like to say “Thank you” for your enormous support in following and reading my articles. I’ll be happy to continue writing new articles related to IT security.

Many people have asked me to concisely explain what happens “under the hood” while a pentester is testing a website. You should know that many things happen, on many levels, over a brief period of time.

This article will explain the basics about how things work and how you can pentest a website without any automated tools.

Many testers worldwide are researching and using tools for pentesting purposes. That’s a good practice if you want to save some time and automate many manual tests. However, you may not know what a tool is actually trying to do, since the developer/s of the tools are the ones with full control over how the test is performed. That’s why you have to be careful and choose tools you trust.


Before we begin, I’d like to remind you of some facts to keep in mind:

  • A website is rendered by web browsers only, which translates the declarative text content from more technologies (HTML, CSS, JS etc.) into an actual visual representation. In short, the web browser parses the text in the web files that explain the functionality and appearance of the website, and it draws the visual representation out of it.
  • The server usually keeps all the main logic, data and resources of that website, and usually shares the allowed/needed services to the client. Whenever client connects to the server, they “communicate” in order to resolve the situation of sharing the needed information.
  • The data between the server/s and the clients is transmitted via the network technologies and protocols. This means that the quality of the service that server is sharing, directly depends of the network performance, security and availability.


Let’s begin…

– You can manually check if website is available (online) by pinging the hostname or the IP address. The most simple way is to use CMD or Terminal to ping a website. Ping sends a packet to the server, and if it gets a packet back, the server is online.)

– You can manually try to find the admin login website. Add /admin, /administration, /administrator at the end of the main url (example: www.example.com/admin), and if it’s the default, you will guess it. Then, you can see what type of the website is and research more about it.

– You can manually use crawlers to get more links, websites and data related to the website that you are testing. (The web crawler is a bot that tries to visit every link related to the server, and then it indexes the data that was researched).

– You can manually write a code script that will provide the test results. Many simple tests are made in Batch scripts (in every OS).


Tools do make things easier, but you don’t need to install anything for some basic tests. You could also just use the tools from online sources. I prefer to use (http://codebeautify.org/) or (http://tools.seochat.com/category/online-webmaster-tools).


I hope that this journey made some things easier to understand. Use your imagination and develop new ways to manually pentest a website. Feel free to support my articles and I wish you great days.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Not detailed enough, Vague

  2. fingerprinting a web server is even a good start for a starter

  3. I apologize if this sounds harsh, but when trying to manually test a web application over the internet, I would suggest explaining how “the internals” of a web server works.

    I see where you’re trying to discover directories in the web root by guessing directory names.

    What I’d have expected to see for example is an explanation regarding “robots.txt” and “sitemap.xml” that can be used to discover directories that the site admin does not want any bots to crawl. In addition to that, Google Dorking might reveal some interesting information regarding your target.

    Having said that, a pentester should be able to only use one tool and that’s a proxy (Fiddler / Burp) to intercept requests and responses to and from the server.

    Just my thoughts. Negative comments are welcome.

    • Thank you Jeroen for sharing your thoughts, I don’t take anything personal, and I agree with you. However, this post was older and I wanted just to give the global picture to the beginners. However, I could explain in details the workings of the servers and how everything communicates, but I am sure that beginner wont understand the most of it because there are so much new concepts to be learned. That might be explained in some new articles. I don’t have any negative comments on your comments, I just explain why this article doesn’t contain the complex part, it’s because we don’t want to confuse and mislead the reader. Greets 🙂

  4. Great article!

Page 2 of 2«12
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?