Web Application Penetration Testing — Master Index

Ordered by WAPT workflow: start from input fields → auth → authz → upload → server-side → client-side → infrastructure → API. 76 chapters. All published.


001 — INPUT: User-Controlled Fields & Parameters

First thing you test: every field that sends data to the server.

| File | Vulnerability |
|---|---|
| 001_INPUT_SQLi.md | SQL Injection (Error-based, Union, Blind, Time-based, OOB) |
| 002_INPUT_NoSQLi.md | NoSQL Injection (MongoDB, CouchDB, Redis) |
| 003_INPUT_LDAP_Injection.md | LDAP Injection |
| 004_INPUT_XPath_Injection.md | XPath Injection |
| 005_INPUT_XQuery_Injection.md | XQuery Injection |
| 006_INPUT_CMDi.md | OS Command Injection |
| 007_INPUT_SSTI.md | Server-Side Template Injection (SSTI) |
| 008_INPUT_CSTI.md | Client-Side Template Injection (CSTI) |
| 009_INPUT_SSI_Injection.md | Server-Side Includes (SSI) Injection |
| 010_INPUT_EL_Injection.md | Expression Language Injection (EL) |
| 011_INPUT_XXE.md | XML External Entity (XXE) |
| 012_INPUT_Log4Shell.md | Log4j / Log Injection (Log4Shell) |
| 013_INPUT_Mail_Injection.md | IMAP/SMTP Header Injection |
| 014_INPUT_HTTP_Header_Injection.md | HTTP Header Injection / Response Splitting |
| 015_INPUT_HTTP_Param_Pollution.md | HTTP Parameter Pollution (HPP) |
| 016_INPUT_Open_Redirect.md | Open Redirect |
| 017_INPUT_Host_Header.md | Host Header Attacks |
| 018_INPUT_GraphQL_Injection.md | GraphQL Injection (SQLi/CMDi/SSRF via resolvers) |
| 019_INPUT_Integer_Type_Juggling.md | Integer Overflow / Type Juggling |
| 020_INPUT_XSS_Reflected.md | Cross-Site Scripting — Reflected |
| 021_INPUT_XSS_Stored.md | Cross-Site Scripting — Stored |
| 022_INPUT_XSS_DOM.md | Cross-Site Scripting — DOM |
| 023_INPUT_XSS_Blind.md | Cross-Site Scripting — Blind |

030 — AUTH: Authentication

Login page, tokens, MFA, password reset.

| File | Vulnerability |
|---|---|
| 030_AUTH_Brute_Force.md | Brute Force & Credential Stuffing |
| 031_AUTH_Username_Enum.md | Username Enumeration |
| 032_AUTH_Timing_Attacks.md | Timing Attacks on Auth |
| 033_AUTH_Default_Creds.md | Default Credentials |
| 034_AUTH_JWT.md | JWT Attacks (alg:none, weak secret, kid injection) |
| 035_AUTH_OAuth.md | OAuth 2.0 Misconfigurations |
| 036_AUTH_SAML.md | SAML Attacks |
| 037_AUTH_OIDC.md | OIDC / OpenID Connect Flaws |
| 038_AUTH_Password_Reset_Poisoning.md | Password Reset Poisoning |
| 039_AUTH_MFA_Bypass.md | MFA Bypass Techniques |

040 — SESSION: Session Management

Cookie handling, fixation, state confusion.

| File | Vulnerability |
|---|---|
| 040_SESSION_Fixation.md | Session Fixation |
| 041_SESSION_Puzzling.md | Session Puzzling / Session Confusion |

050 — AUTHZ: Authorization & Business Logic

Who can access what — IDOR, privilege escalation, logic flaws.

| File | Vulnerability |
|---|---|
| 050_AUTHZ_IDOR.md | Insecure Direct Object Reference (IDOR / BOLA) |
| 051_AUTHZ_BFLA.md | Broken Function Level Authorization (BFLA) |
| 052_AUTHZ_Mass_Assignment.md | Mass Assignment |
| 053_AUTHZ_Race_Conditions.md | Race Conditions |
| 054_AUTHZ_Business_Logic.md | Business Logic Flaws |

060 — UPLOAD: File & Archive Upload

Any endpoint that accepts files.

| File | Vulnerability |
|---|---|
| 060_UPLOAD_File_Upload_Bypass.md | File Upload Bypass |
| 061_UPLOAD_Zip_Slip.md | Zip Slip / Archive Path Traversal |
| 062_UPLOAD_XXE_Binary_Formats.md | XXE via Binary Formats (XLSX, SVG, DOCX) |

070 — SERVER: Server-Side Vulnerabilities

SSRF, path traversal, deserialization — server trusts attacker-controlled data.

| File | Vulnerability |
|---|---|
| 070_SERVER_SSRF.md | Server-Side Request Forgery (SSRF) |
| 071_SERVER_Path_Traversal.md | Path Traversal / Directory Traversal |
| 072_SERVER_File_Inclusion_LFI_RFI.md | File Inclusion (LFI / RFI) |
| 073_SERVER_Deser_Java.md | Insecure Deserialization — Java |
| 074_SERVER_Deser_PHP.md | Insecure Deserialization — PHP |
| 075_SERVER_Deser_Python.md | Insecure Deserialization — Python (Pickle) |
| 076_SERVER_Deser_DotNet.md | Insecure Deserialization — .NET |
| 077_SERVER_Deser_NodeJS.md | Insecure Deserialization — Node.js |
| 078_SERVER_Proto_Pollution.md | Prototype Pollution — Server-Side (Node.js) |

080 — CLIENT: Client-Side Attacks

Attacks that execute in the victim’s browser.

| File | Vulnerability |
|---|---|
| 080_CLIENT_CSRF.md | Cross-Site Request Forgery (CSRF) |
| 081_CLIENT_Clickjacking.md | Clickjacking |
| 082_CLIENT_CORS.md | CORS Misconfiguration |
| 083_CLIENT_postMessage.md | postMessage Attacks |
| 084_CLIENT_DOM_Clobbering.md | DOM Clobbering |
| 085_CLIENT_Proto_Pollution.md | Prototype Pollution — Client-Side |
| 086_CLIENT_WebSocket.md | WebSocket Attacks |

090 — REQUEST: Request-Level Manipulation

HTTP protocol abuse — smuggling, cache attacks.

| File | Vulnerability |
|---|---|
| 090_REQUEST_HTTP1_Smuggling.md | HTTP Request Smuggling (CL.TE / TE.CL / TE.TE) |
| 091_REQUEST_HTTP2_Smuggling.md | HTTP/2 Request Smuggling (H2.CL / H2.TE) |
| 092_REQUEST_HTTP2_RapidReset.md | HTTP/2 Rapid Reset (CVE-2023-44487) |
| 093_REQUEST_Cache_Poisoning.md | Web Cache Poisoning |
| 094_REQUEST_Cache_Deception.md | Web Cache Deception |

100 — INFRA: Infrastructure & Configuration

DNS, cloud storage, containers, exposed services.

| File | Vulnerability |
|---|---|
| 100_INFRA_Subdomain_Takeover.md | Subdomain Takeover |
| 101_INFRA_DNS_Rebinding.md | Dangling DNS / DNS Rebinding |
| 102_INFRA_Cloud_Storage.md | S3 / Cloud Storage Misconfigurations |
| 103_INFRA_Kubernetes.md | Kubernetes API Exposure |
| 104_INFRA_Docker.md | Docker API Exposure |
| 105_INFRA_Admin_Interfaces.md | Exposed Admin Interfaces (Actuator, Kibana, etc.) |
| 106_INFRA_Security_Headers.md | Security Headers Misconfiguration |

110 — API: API-Specific Testing

REST, GraphQL, gRPC, WebSocket — protocol-level issues.

| File | Vulnerability |
|---|---|
| 110_API_REST.md | REST API — BOLA / BFLA / Mass Assignment |
| 111_API_GraphQL_Full.md | GraphQL (Introspection, Batching, Alias, Directive) |
| 112_API_gRPC.md | gRPC Security Testing |
| 113_API_WebSockets_Deep.md | WebSockets Security (Deep Dive) |
| 114_API_Key_Leakage.md | API Key Leakage & Token Exposure |
| 115_API_Shadow_Zombie.md | API Security — Shadow/Zombie APIs |

Workflow reminder: INPUT → AUTH → SESSION → AUTHZ → UPLOAD → SERVER → CLIENT → REQUEST → INFRA → API.

Start with what the app exposes directly (input fields), then work inward toward infrastructure. Oh yes, low-hanging fruit first :')