Web on MrAzoth https://az0th.it/web/ Recent content in Web on MrAzoth Hugo -- 0.154.5 en-us Tue, 24 Feb 2026 00:00:00 +0000 Web Application Penetration Testing — Master Index https://az0th.it/web/web-vuln-index/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/web-vuln-index/ <h1 id="web-application-penetration-testing--master-index">Web Application Penetration Testing — Master Index</h1> <blockquote> <p>Ordered by WAPT workflow: start from input fields → auth → authz → upload → server-side → client-side → infrastructure → API. 76 chapters. All published.</p> </blockquote> <hr> <h2 id="001--input-user-controlled-fields--parameters">001 — INPUT: User-Controlled Fields &amp; Parameters</h2> <p><em>First thing you test: every field that sends data to the server.</em></p> <table> <thead> <tr> <th>File</th> <th>Vulnerability</th> </tr> </thead> <tbody> <tr> <td><code>001_INPUT_SQLi.md</code></td> <td>SQL Injection (Error-based, Union, Blind, Time-based, OOB)</td> </tr> <tr> <td><code>002_INPUT_NoSQLi.md</code></td> <td>NoSQL Injection (MongoDB, CouchDB, Redis)</td> </tr> <tr> <td><code>003_INPUT_LDAP_Injection.md</code></td> <td>LDAP Injection</td> </tr> <tr> <td><code>004_INPUT_XPath_Injection.md</code></td> <td>XPath Injection</td> </tr> <tr> <td><code>005_INPUT_XQuery_Injection.md</code></td> <td>XQuery Injection</td> </tr> <tr> <td><code>006_INPUT_CMDi.md</code></td> <td>OS Command Injection</td> </tr> <tr> <td><code>007_INPUT_SSTI.md</code></td> <td>Server-Side Template Injection (SSTI)</td> </tr> <tr> <td><code>008_INPUT_CSTI.md</code></td> <td>Client-Side Template Injection (CSTI)</td> </tr> <tr> <td><code>009_INPUT_SSI_Injection.md</code></td> <td>Server-Side Includes (SSI) Injection</td> </tr> <tr> <td><code>010_INPUT_EL_Injection.md</code></td> <td>Expression Language Injection (EL)</td> </tr> <tr> <td><code>011_INPUT_XXE.md</code></td> <td>XML External Entity (XXE)</td> </tr> <tr> <td><code>012_INPUT_Log4Shell.md</code></td> <td>Log4j / Log Injection (Log4Shell)</td> </tr> <tr> <td><code>013_INPUT_Mail_Injection.md</code></td> <td>IMAP/SMTP Header Injection</td> </tr> <tr> <td><code>014_INPUT_HTTP_Header_Injection.md</code></td> <td>HTTP Header Injection / Response Splitting</td> </tr> <tr> <td><code>015_INPUT_HTTP_Param_Pollution.md</code></td> <td>HTTP Parameter Pollution (HPP)</td> </tr> <tr> <td><code>016_INPUT_Open_Redirect.md</code></td> <td>Open Redirect</td> </tr> <tr> <td><code>017_INPUT_Host_Header.md</code></td> <td>Host Header Attacks</td> </tr> <tr> <td><code>018_INPUT_GraphQL_Injection.md</code></td> <td>GraphQL Injection (SQLi/CMDi/SSRF via resolvers)</td> </tr> <tr> <td><code>019_INPUT_Integer_Type_Juggling.md</code></td> <td>Integer Overflow / Type Juggling</td> </tr> <tr> <td><code>020_INPUT_XSS_Reflected.md</code></td> <td>Cross-Site Scripting — Reflected</td> </tr> <tr> <td><code>021_INPUT_XSS_Stored.md</code></td> <td>Cross-Site Scripting — Stored</td> </tr> <tr> <td><code>022_INPUT_XSS_DOM.md</code></td> <td>Cross-Site Scripting — DOM</td> </tr> <tr> <td><code>023_INPUT_XSS_Blind.md</code></td> <td>Cross-Site Scripting — Blind</td> </tr> </tbody> </table> <hr> <h2 id="030--auth-authentication">030 — AUTH: Authentication</h2> <p><em>Login page, tokens, MFA, password reset.</em></p>