Web

Web Application Penetration Testing — Master Index Ordered by WAPT workflow: start from input fields → auth → authz → upload → server-side → client-side → infrastructure → API. 76 chapters. All published. 001 — INPUT: User-Controlled Fields & Parameters First thing you test: every field that sends data to the server. File Vulnerability 001_INPUT_SQLi.md SQL Injection (Error-based, Union, Blind, Time-based, OOB) 002_INPUT_NoSQLi.md NoSQL Injection (MongoDB, CouchDB, Redis) 003_INPUT_LDAP_Injection.md LDAP Injection 004_INPUT_XPath_Injection.md XPath Injection 005_INPUT_XQuery_Injection.md XQuery Injection 006_INPUT_CMDi.md OS Command Injection 007_INPUT_SSTI.md Server-Side Template Injection (SSTI) 008_INPUT_CSTI.md Client-Side Template Injection (CSTI) 009_INPUT_SSI_Injection.md Server-Side Includes (SSI) Injection 010_INPUT_EL_Injection.md Expression Language Injection (EL) 011_INPUT_XXE.md XML External Entity (XXE) 012_INPUT_Log4Shell.md Log4j / Log Injection (Log4Shell) 013_INPUT_Mail_Injection.md IMAP/SMTP Header Injection 014_INPUT_HTTP_Header_Injection.md HTTP Header Injection / Response Splitting 015_INPUT_HTTP_Param_Pollution.md HTTP Parameter Pollution (HPP) 016_INPUT_Open_Redirect.md Open Redirect 017_INPUT_Host_Header.md Host Header Attacks 018_INPUT_GraphQL_Injection.md GraphQL Injection (SQLi/CMDi/SSRF via resolvers) 019_INPUT_Integer_Type_Juggling.md Integer Overflow / Type Juggling 020_INPUT_XSS_Reflected.md Cross-Site Scripting — Reflected 021_INPUT_XSS_Stored.md Cross-Site Scripting — Stored 022_INPUT_XSS_DOM.md Cross-Site Scripting — DOM 023_INPUT_XSS_Blind.md Cross-Site Scripting — Blind 030 — AUTH: Authentication Login page, tokens, MFA, password reset. ...