# Web application penetration testing

## Reconnaissance and information gathering

<details>

<summary><a href="/pages/kev5rqp2QV60BEHoKba4">Web Application Firewall (WAF)</a></summary>

```sh
wafw00f <target>
nuclei -u <target> -t dns/dns-waf-detect.yaml,http/technologies/secui-waf-detect.yaml,http/technologies/waf-detect.yaml -ts -silent
```

</details>

<details>

<summary><a href="/spaces/-M885ZMMY91-3v53_ySd/pages/-M886vsXuA02rplCw75k">Domain Name System (DNS)</a></summary>

```sh
dig any <target> @<dns-server>
dnsrecon -d <target>
nuclei -u <target> -t dns -ts -silent
```

</details>

<details>

<summary><a href="/pages/h7eqJJDVLT1YWg4cfCAZ">Subdomains and virtual hosts (VHost)</a></summary>

```sh
# Subdomains
subfinder -d <target> -recursive -all -silent | alterx -en -silent | dnsx -silent -o subdomains.txt
dnsx -d <target> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -silent -o dnsx-subdomains.txt
ffuf -u http://FUZZ.<target>/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -c -o ffuf-subdomains.html -of html
# Virtual Host (VHost)
ffuf -u http://<target>/ -w <path-wordlist>:FUZZ -H 'Host: FUZZ.<target>' -fs <size> -c -o ffuf-vhost.html -of html
```

</details>

<details>

<summary><a href="/pages/kEplepdlrVxyhjle2VYa">SSL/TLS and cipher algorithms</a></summary>

```sh
sslscan <target>
nuclei -u <target> -t ssl -ts -silent
```

</details>

<details>

<summary><a href="/pages/zszaO2jqTqWWNMDuDYw2">Web technologies</a></summary>

```sh
whatweb -v -a 1 <target>
nuclei -u <target> -t http/technologies -ts -silent
```

</details>

<details>

<summary>Other</summary>

* Review the `robots.txt` file.

```sh
curl <target>/robots.txt
```

* Review the source code.
  * HTML meta tags.
  * Title and footer.
  * Comments.
  * Functions and endpoints/APIs in JavaScript files.
* [Google hacking / dorks](https://pentesting.mrw0l05zyn.cl/reconocimiento-y-recoleccion-de-informacion/google-hacking-dorks).

</details>

## Scanning and enumeration

<details>

<summary><a href="/pages/xSuQnKMiPyCQPNsaPD0s">HTTP security headers</a></summary>

```sh
shcheck.py -i -k <target>
nuclei -u <target> -t http/misconfiguration/http-missing-security-headers.yaml -ts -silent
```

</details>

<details>

<summary>Strict HTTP to HTTPS redirection</summary>

```sh
# Confirm which of ports 80 and 443 are open and what is listening on them
nmap -sV -p 80,443 -n -Pn <host>
# Show the response headers of the plain-HTTP request and follow the redirect chain (-L);
# the first response should be a 301/308 to https:// with no content served over HTTP
curl -I -L http://<target>
# Confirm the HTTPS endpoint serves the application directly
curl https://<target>
```

</details>

<details>

<summary><a href="/pages/i6upPeOoz6IkIAQA9TWw">Crawling and spidering</a></summary>

```sh
echo 'http://<target>' | hakrawler | sort -u
cewl http://<target> -d 2 -m 5 -w wordlist-crawling-01.txt
cewl http://<target> -d 3 -m 3 -w wordlist-crawling-02.txt
```

</details>

<details>

<summary><a href="/pages/HTNzexBU1jwdLWikvm75">Fuzzing</a></summary>

[General fuzzing](/escaneo-y-enumeracion/fuzzing.md).

```sh
# General
dirsearch -u http://<target>/ -o $(pwd)/dirsearch-fuzzing.txt
# Recursive search
dirsearch -u http://<target>/ -o $(pwd)/dirsearch-fuzzing-recursive.txt -r
```

[Directory fuzzing](/escaneo-y-enumeracion/fuzzing/directorios.md).

```sh
# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories.html -of html
# Wordlist built by crawling
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories-crawling.html -of html
```

[File fuzzing](/escaneo-y-enumeracion/fuzzing/archivos.md).

```sh
# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-files.html -of html
```

[Fuzzing by extension](/escaneo-y-enumeracion/fuzzing/extensiones.md).

```sh
# Identifying extensions in use
ffuf -u http://<target>/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -c -mc all -fc 404
# Wordlist + extensions (.html, .js, .php, .jsp, .aspx)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .html,.js,.php,.jsp,.aspx -c -mc all -fc 404 -o ffuf-fuzzing-extensions.html -of html
# Wordlist + extensions (hidden / backup files: .txt, .config, .old, .bak, .inc)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-extensions-hidden.html -of html
# Wordlist built by crawling + extensions
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -e .html,.js,.php,.jsp,.aspx,.txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-crawling-extensions.html -of html
```

</details>

<details>

<summary>Automated scanning</summary>

* Burp Suite Professional.
* Nuclei.

```sh
nuclei -u <target> -ts -silent
```

* OWASP Zed Attack Proxy (ZAP).
* Nessus.

</details>

## Exploitation

* [API keys](/explotacion/api-keys.md)
* [Clickjacking](/explotacion/clickjacking.md)
* [HTTP methods (verbs)](/explotacion/http-methods-verbs.md)
* [Input data validation](/explotacion/input-data-validation.md)
* [HTTP Host header](/explotacion/http-host-header.md)
* [Authentication and authorization](/explotacion/autenticacion-y-autorizacion.md)
* [Same-origin policy (SOP)](/explotacion/same-origin-policy-sop.md)
* [Cross-site scripting (XSS)](/explotacion/cross-site-scripting-xss.md)
* [Cross-site request forgery (CSRF)](/explotacion/cross-site-request-forgery-csrf.md)
* [File upload](/explotacion/file-upload.md)
* [Path traversal & file inclusion](/explotacion/path-traversal-and-file-inclusion.md)
* [Command injection](/explotacion/command-injection.md)
* [SQL injection (SQLi)](/explotacion/sql-injection-sqli.md)
* [NoSQL injection (NoSQLi)](/explotacion/nosql-injection-nosqli.md)
* [XML external entity (XXE) injection](/explotacion/xml-external-entity-xxe-injection.md)
* [CRLF injection](/explotacion/crlf-injection.md)
* [XPath injection](/explotacion/xpath-injection.md)
* [LDAP injection](/explotacion/ldap-injection.md)
* [PDF injection](/explotacion/pdf-injection.md)
* [Server-side template injection (SSTI)](/explotacion/server-side-template-injection-ssti.md)
* [Server-side include (SSI) injection](/explotacion/server-side-include-ssi-injection.md)
* [Server-side request forgery (SSRF)](/explotacion/server-side-request-forgery-ssrf.md)
* [Web cache poisoning](/explotacion/web-cache-poisoning.md)
* [HTTP request smuggling](/explotacion/http-request-smuggling.md)
* [Prototype pollution](/explotacion/prototype-pollution.md)
* [Web API](/checklist/web-api-penetration-testing.md)
  * [GraphQL](/explotacion/graphql.md)
* Web services
  * Obtain the WSDL file
  * Analyse the WSDL file for an overview of each operation's structure and for the presence of hidden methods
  * SOAPAction spoofing
* [Open redirect](/explotacion/open-redirect.md)
* [Content Management System (CMS)](/explotacion/content-management-system-cms.md)
  * [WordPress](/explotacion/content-management-system-cms/wordpress.md)
* [Websocket](/explotacion/websocket.md)
* [Deserialization](/explotacion/deserialization.md)
* [Flash](/explotacion/flash.md)
