Web Pentesting

Sections Web MOC

Web application attack chain. Find hidden surfaces, break auth, inject everything.

Recon

Content Discovery

Auth

Auth & Session

Injection

SQL Injection
NoSQL Injection
Command Injection
SSTI
XXE

Client-side

XSS
CSRF & CORS

Protocol-level

Request Smuggling
Web Cache Poisoning
SSRF

Code execution

File Upload & LFI
Deserialization
Prototype Pollution

Flow

Content discovery first, then test auth. Work injection classes top to bottom. Command injection and SSTI are the fastest paths to shell. File upload and deserialization for RCE when injection doesn’t land.

Recon #

Auth #

Injection #

Client-side #

Protocol-level #

Code execution #