
# Web application penetration testing

## Reconnaissance and information gathering

<details>

<summary><a href="/pages/kev5rqp2QV60BEHoKba4">Web Application Firewall (WAF)</a></summary>

```sh
wafw00f <target>
nuclei -u <target> -t dns/dns-waf-detect.yaml,http/technologies/secui-waf-detect.yaml,http/technologies/waf-detect.yaml -ts -silent
```

</details>

<details>

<summary><a href="/spaces/-M885ZMMY91-3v53_ySd/pages/-M886vsXuA02rplCw75k">Domain Name System (DNS)</a></summary>

```sh
dig any <target> @<dns-server>
dnsrecon -d <target>
nuclei -u <target> -t dns -ts -silent
```

</details>

<details>

<summary><a href="/pages/h7eqJJDVLT1YWg4cfCAZ">Subdomains and Virtual Hosts (VHost)</a></summary>

```sh
# Subdomains
subfinder -d <target> -recursive -all -silent | alterx -en -silent | dnsx -silent -o subdomains.txt
dnsx -d <target> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -silent -o dnsx-subdomains.txt
ffuf -u http://FUZZ.<target>/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -c -o ffuf-subdomains.html -of html
# Virtual Hosts (VHost)
ffuf -u http://<target>/ -w <path-wordlist>:FUZZ -H 'Host: FUZZ.<target>' -fs <size> -c -o ffuf-vhost.html -of html
```

</details>

<details>

<summary><a href="/pages/kEplepdlrVxyhjle2VYa">SSL/TLS and cipher algorithms</a></summary>

```sh
sslscan <target>
nuclei -u <target> -t ssl -ts -silent
```

</details>

<details>

<summary><a href="/pages/zszaO2jqTqWWNMDuDYw2">Web technologies</a></summary>

```sh
whatweb -v -a 1 <target>
nuclei -u <target> -t http/technologies -ts -silent
```

</details>

<details>

<summary>Other</summary>

* Review the `robots.txt` file.

```sh
curl <target>/robots.txt
```

* Review the source code.
  * HTML meta tags.
  * Title and footer.
  * Comments.
  * Functions and endpoints/APIs in JavaScript files.
* [Google hacking / dorks](https://pentesting.mrw0l05zyn.cl/reconocimiento-y-recoleccion-de-informacion/google-hacking-dorks).

</details>

## Scanning and enumeration

<details>

<summary><a href="/pages/xSuQnKMiPyCQPNsaPD0s">HTTP security headers</a></summary>

```sh
shcheck.py -i -k <target>
nuclei -u <target> -t http/misconfiguration/http-missing-security-headers.yaml -ts -silent
```

</details>

<details>

<summary>Strict HTTP to HTTPS redirection</summary>

```sh
nmap -sV -p 80,443 -n -Pn <host>
# -L follows the redirect chain so every hop's status and Location header is shown
curl -I -L http://<target>
curl https://<target>
```

</details>

<details>

<summary><a href="/pages/i6upPeOoz6IkIAQA9TWw">Crawling and spidering</a></summary>

```sh
echo 'http://<target>' | hakrawler | sort -u
cewl http://<target> -d 2 -m 5 -w wordlist-crawling-01.txt
cewl http://<target> -d 3 -m 3 -w wordlist-crawling-02.txt
```

</details>

<details>

<summary><a href="/pages/HTNzexBU1jwdLWikvm75">Fuzzing</a></summary>

[General fuzzing](/escaneo-y-enumeracion/fuzzing.md).

```sh
# General
dirsearch -u http://<target>/ -o $(pwd)/dirsearch-fuzzing.txt
# Recursive search
dirsearch -u http://<target>/ -o $(pwd)/dirsearch-fuzzing-recursive.txt -r
```

[Directory fuzzing](/escaneo-y-enumeracion/fuzzing/directorios.md).

```sh
# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories.html -of html
# Crawling wordlist (generated with cewl above)
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories-crawling.html -of html
```

[File fuzzing](/escaneo-y-enumeracion/fuzzing/archivos.md).

```sh
# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-files.html -of html
```

[Fuzzing by extension](/escaneo-y-enumeracion/fuzzing/extensiones.md).

```sh
# Identify which extensions the server handles
ffuf -u http://<target>/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -c -mc all -fc 404
# Wordlist + extensions (.html, .js, .php, .jsp, .aspx)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .html,.js,.php,.jsp,.aspx -c -mc all -fc 404 -o ffuf-fuzzing-extensions.html -of html
# Wordlist + extensions (hidden / backup files: .txt, .config, .old, .bak, .inc)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-extensions-hidden.html -of html
# Crawling wordlist + extensions
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -e .html,.js,.php,.jsp,.aspx,.txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-crawling-extensions.html -of html
```

</details>

<details>

<summary>Automated scanning</summary>

* Burp Suite Professional.
* Nuclei.

```sh
nuclei -u <target> -ts -silent
```

* OWASP Zed Attack Proxy (ZAP).
* Nessus.

</details>

## Exploitation

* [API keys](/explotacion/api-keys.md)
* [Clickjacking](/explotacion/clickjacking.md)
* [HTTP methods (verbs)](/explotacion/http-methods-verbs.md)
* [Input data validation](/explotacion/input-data-validation.md)
* [HTTP Host header](/explotacion/http-host-header.md)
* [Authentication and authorization](/explotacion/autenticacion-y-autorizacion.md)
* [Same-origin policy (SOP)](/explotacion/same-origin-policy-sop.md)
* [Cross-site scripting (XSS)](/explotacion/cross-site-scripting-xss.md)
* [Cross-site request forgery (CSRF)](/explotacion/cross-site-request-forgery-csrf.md)
* [File upload](/explotacion/file-upload.md)
* [Path traversal & file inclusion](/explotacion/path-traversal-and-file-inclusion.md)
* [Command injection](/explotacion/command-injection.md)
* [SQL injection (SQLi)](/explotacion/sql-injection-sqli.md)
* [NoSQL injection (NoSQLi)](/explotacion/nosql-injection-nosqli.md)
* [XML external entity (XXE) injection](/explotacion/xml-external-entity-xxe-injection.md)
* [CRLF injection](/explotacion/crlf-injection.md)
* [XPath injection](/explotacion/xpath-injection.md)
* [LDAP injection](/explotacion/ldap-injection.md)
* [PDF injection](/explotacion/pdf-injection.md)
* [Server-side template injection (SSTI)](/explotacion/server-side-template-injection-ssti.md)
* [Server-side include (SSI) injection](/explotacion/server-side-include-ssi-injection.md)
* [Server-side request forgery (SSRF)](/explotacion/server-side-request-forgery-ssrf.md)
* [Web cache poisoning](/explotacion/web-cache-poisoning.md)
* [HTTP request smuggling](/explotacion/http-request-smuggling.md)
* [Prototype pollution](/explotacion/prototype-pollution.md)
* [Web API](/checklist/web-api-penetration-testing.md)
  * [GraphQL](/explotacion/graphql.md)
* Web services
  * Obtain the WSDL file
  * Analyze the WSDL file to get an overview of the structure of each operation and to detect hidden methods (operations exposed by the service but absent from its documentation)
  * SOAPAction spoofing
* [Open redirect](/explotacion/open-redirect.md)
* [Content Management System (CMS)](/explotacion/content-management-system-cms.md)
  * [WordPress](/explotacion/content-management-system-cms/wordpress.md)
* [Websocket](/explotacion/websocket.md)
* [Deserialization](/explotacion/deserialization.md)
* [Flash](/explotacion/flash.md)
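The WSDL analysis step above, as an added example that is not part of the original checklist: it parses a constructed WSDL (the `SAMPLE_WSDL` string and the `example.invalid` service are assumptions), lists each operation with the SOAPAction its binding declares, and reports operations that do not appear in the published API documentation.

```python
# Added example: enumerate the operations a SOAP service exposes from its WSDL so
# every operation and its SOAPAction can be reviewed against the public docs.
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed sample WSDL (assumption); a real one comes from the target's ?wsdl URL.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="http://example.invalid/orders"
             targetNamespace="http://example.invalid/orders">
  <portType name="OrdersPort">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/></operation>
    <operation name="ListOrders"><input message="tns:ListOrdersIn"/></operation>
    <operation name="DeleteAllOrders"><input message="tns:DeleteIn"/></operation>
  </portType>
  <binding name="OrdersBinding" type="tns:OrdersPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:orders:GetOrder"/></operation>
    <operation name="ListOrders"><soap:operation soapAction="urn:orders:ListOrders"/></operation>
    <operation name="DeleteAllOrders"><soap:operation soapAction="urn:orders:DeleteAllOrders"/></operation>
  </binding>
</definitions>
"""

def wsdl_operations(wsdl_xml: str) -> dict:
    """Map each portType operation name to its SOAPAction (None when the binding
    declares none). ElementTree does not fetch external DTDs or entities, so an
    untrusted WSDL cannot trigger XXE-style retrieval while being parsed here."""
    root = ET.fromstring(wsdl_xml)
    ops: dict = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        ops[op.get("name")] = None
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        soap_op = op.find("soap:operation", NS)
        if soap_op is not None:
            ops[op.get("name")] = soap_op.get("soapAction")
    return ops

def undocumented(ops: dict, documented: set) -> list:
    """Operations present in the WSDL but missing from the published API docs."""
    return sorted(set(ops) - documented)

if __name__ == "__main__":
    ops = wsdl_operations(SAMPLE_WSDL)
    for name, action in ops.items():
        print(f"{name:20} SOAPAction={action}")
    print("not in docs:", undocumented(ops, {"GetOrder", "ListOrders"}))
```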
