The Web Application Hacker's Handbook
Dafydd Stuttard and Marcus Pinto
13 skills extracted
Browse on ClawhHub
Browse on ClawhHubSecurity assessments rely on running automated scanners and checking generic vulnerability lists. Code reviews miss subtle injection patterns and logic flaws. Developers fix symptoms without understanding root causes.
Systematic, methodology-driven security assessments that follow structured test procedures for each vulnerability category. Code reviews guided by language-specific vulnerability signatures and dangerous API patterns. Security reports with specific findings, exploitation paths, and targeted remediation advice.
Quality
Problems These Skills Solve
Conducting systematic web application security assessments without missing vulnerability categories
Reviewing source code for security flaws across multiple languages (Java, PHP, ASP.NET, Perl, JavaScript)
Detecting and verifying SQL injection, XSS, CSRF, and other injection vulnerabilities with specific test procedures
Identifying authentication, session management, and access control weaknesses
Working Environment
docker-compose.yml
security-assessment.md
*.txt
web.xmlSkills operate on web application source code, server configurations, HTTP request/response data, and security assessment artifacts. The agent reviews code for vulnerability patterns, analyzes HTTP traffic captures, generates security audit reports, and produces remediation guidance.
You provide
·web application source code
·server configuration files
·URL or description of target application
·HTTP request/response samples
·deployment architecture description
Install
Full
Complete web application security testing skill set — all 13 skills
Core
Core attack skills — reconnaissance + top vulnerability classes
Minimal
Methodology hub + reconnaissance only
Extracted Skills
Access Control Vulnerability Testing
Systematically test web application access controls for broken authorization vulnerabilities. Use this skill whenever: performing a penetration test or security assessment of a web application's authorization model; testing for vertical privilege escalation (low-privilege user accessing high-privilege functions); testing for horizontal privilege escalation (user accessing another user's data); auditing multistage workflows for mid-flow authorization bypasses; checking whether protected static files are directly accessible without authorization; testing whether HTTP method substitution (HEAD, arbitrary verbs) bypasses platform-level access rules; probing for insecure access control models based on client-submitted parameters (admin=true), HTTP Referer headers, or IP geolocation; enumerating hidden or unlisted application functionality; reviewing source code or HTTP traffic for missing server-side authorization checks; using Burp Suite's site map comparison feature to compare high-privilege and low-privilege user access; assessing server-side API endpoint authorization. Covers all six WAHH vulnerability categories: completely unprotected functionality, identifier-based access control (IDOR), multistage function bypasses, static file exposure, platform misconfiguration, and insecure client-controlled access models. Maps to OWASP Testing Guide (OTG-AUTHZ-*), CWE-284 (Improper Access Control), CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), and OWASP Top 10 A01:2021 (Broken Access Control).
Application Logic Flaw Testing
Test web application business logic for vulnerabilities that automated scanners cannot detect. Use this skill when: performing a penetration test or security assessment and automated tools have been run but logic-layer coverage is still needed; testing multistage workflows (checkout, account creation, approval flows, insurance applications) for stage-skipping or cross-stage parameter pollution; probing authentication and password-change functions for parameter-removal bypasses (deleting existingPassword to impersonate an admin); testing numeric business limits for negative-number bypass (submitting -$20,000 to avoid approval thresholds); probing discount or pricing logic for timing flaws (add items to qualify, remove before payment); investigating whether shared code components allow session object poisoning across unrelated application flows; hunting for encryption oracles where a low-value crypto context can be used to forge high-value tokens; probing search functions that return match counts as side-channel inference oracles; testing for defense interaction flaws where quote-doubling plus length truncation reconstructs an injection payload; checking whether debug error messages expose session tokens or credentials cross-user via static storage; testing race conditions in authentication that cause cross-user session assignment under concurrent login. Logic flaws arise from violated developer assumptions — assumptions that users will follow intended sequences, supply only requested parameters, omit parameters they were not asked for, and not cross-pollinate state between application flows. Each flaw is unique and application-specific, but the 12 attack patterns documented here provide a reusable taxonomy that transfers across application domains. Maps to OWASP Testing Guide (OTG-BUSLOGIC-*), CWE-840 (Business Logic Errors), CWE-841 (Improper Enforcement of Behavioral Workflow), CWE-362 (Race Condition), and OWASP Top 10 A04:2021 (Insecure Design).
Authentication Security Assessment
Systematically assess web application authentication mechanisms for design flaws and implementation vulnerabilities. Use this skill whenever: testing the login security of a web application; auditing authentication for unauthorized access risk; evaluating password policy strength or brute-force resistance; checking whether login failure messages leak usernames (user enumeration); testing credential transmission over HTTP vs HTTPS; reviewing password change or forgotten password flows for logic flaws; assessing "remember me" cookie security; testing multistage login mechanisms for stage-skipping or cross-stage credential mixing; reviewing source code or HTTP traffic for fail-open logic or insecure credential storage; performing a penetration test or security code review of any user authentication system. Covers HTML forms-based, HTTP Basic/Digest, and multifactor authentication. Maps to OWASP Testing Guide (OTG-AUTHN-*) and CWE-287 (Improper Authentication), CWE-521 (Weak Password Requirements), CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-640 (Weak Password Recovery Mechanism), CWE-312 (Cleartext Storage of Sensitive Information), CWE-522 (Insufficiently Protected Credentials).
Client Side Attack Testing
Test web applications for client-side security vulnerabilities spanning two major attack families: client-side trust anti-patterns and user-targeting attacks. Use this skill when: auditing hidden form fields, HTTP cookies, URL parameters, Referer headers, or ASP.NET ViewState for client-side data transmission vulnerabilities; bypassing HTML maxlength limits, JavaScript validation, or disabled form elements to probe server-side enforcement gaps; intercepting and analyzing browser extension traffic (Java applets, Flash, Silverlight) and handling serialized data; testing for cross-site request forgery (CSRF) by identifying cookie-only session tracking and constructing auto-submitting PoC forms; testing for clickjacking and UI redress attacks by checking X-Frame-Options headers and constructing iframe overlay proofs of concept; detecting cross-domain data capture vectors via HTML injection and CSS injection; auditing Flash crossdomain.xml and HTML5 CORS Access-Control-Allow-Origin configurations for overly permissive same-origin policy exceptions; finding HTTP header injection and response splitting vulnerabilities via CRLF injection; identifying open redirection vulnerabilities and testing filter bypass payloads; testing cookie injection and session fixation; assessing local privacy exposure through persistent cookies, cached content lacking no-cache directives, autocomplete on sensitive fields, and HTML5 local storage. Excludes XSS (covered by xss-detection-and-exploitation). Maps to OWASP Testing Guide (OTG-INPVAL-*, OTG-SESS-*, OTG-CLIENT-*), CWE-352 (CSRF), CWE-601 (Open Redirect), CWE-113 (HTTP Header Injection), CWE-565 (Reliance on Cookies), CWE-1021 (Improper Restriction of Rendered UI Layers), CWE-311 (Missing Encryption of Sensitive Data), and OWASP Top 10 A01:2021, A03:2021, A05:2021.
Server Side Injection Testing
Test web application back-end components for non-SQL server-side injection vulnerabilities. Use this skill when: testing for OS command injection via shell metacharacters (pipe, ampersand, semicolon, backtick) or dynamic execution functions (eval/exec/Execute); detecting blind command injection using time-delay technique (ping -i 30 loopback) when output is not reflected; probing for path traversal vulnerabilities including filter bypass via URL encoding, double encoding, 16-bit Unicode, overlong UTF-8, null byte injection, or non-recursive strip bypass; testing for Local File Inclusion or Remote File Inclusion; identifying XML External Entity (XXE) injection for local file read or Server-Side Request Forgery (SSRF); detecting SOAP injection via XML metacharacter probing; testing for HTTP Parameter Injection (HPI) and HTTP Parameter Pollution (HPP) in back-end HTTP requests; identifying SMTP injection through email header manipulation or SMTP command injection in mail submission forms. Covers detection procedures, filter bypass techniques, exploitation impact, and prevention countermeasures. Maps to CWE-78 (OS Command Injection), CWE-22 (Path Traversal), CWE-98 (File Inclusion), CWE-611 (XXE), CWE-91 (XML Injection), CWE-88 (Argument Injection), CWE-93 (SMTP Injection). For authorized security testing, security code review, and defensive hardening contexts.
Session Management Security Assessment
Systematically assess web application session management for security vulnerabilities. Use when testing session token generation quality, cookie security configuration, session fixation susceptibility, cross-site request forgery (CSRF) exposure, or session token handling across a session's full lifecycle. Covers the complete taxonomy of generation weaknesses (meaningful tokens with user data embedded, predictable tokens from concealed sequences or time-dependent algorithms or weak pseudorandom number generators, encrypted tokens vulnerable to ECB block rearrangement or CBC bit-flipping) and handling weaknesses (cleartext transmission, token disclosure in server logs or URLs, vulnerable token-to-session mapping, ineffective logout and expiration, client-side hijacking exposure, overly liberal cookie domain or path scope). Use when someone says 'test our session tokens', 'analyze cookie security', 'check for session fixation', 'verify CSRF protection', 'assess token predictability', 'evaluate our session management', 'can session tokens be guessed', 'review logout implementation', 'check cookie flags', or 'audit session security'. Produces a structured vulnerability report with per-weakness findings and remediation guidance. Framed for authorized security testing, defensive security assessment, and educational contexts.
Source Code Security Review
Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized access to an application's source code and need to identify security flaws faster or more thoroughly than black-box testing alone; auditing a codebase prior to launch or after a security incident; reviewing open-source or purchased software for embedded vulnerabilities; complementing an active penetration test with source-level analysis. Applies a three-phase methodology: (1) identify all user-input entry points via platform-specific source APIs — Java HttpServletRequest, ASP.NET Request.Params/Form/QueryString, PHP $_GET/$_POST/$_COOKIE/$_REQUEST, Perl CGI param(), JavaScript document.location/URL; (2) trace data flow forward to dangerous sink APIs — Runtime.exec()/Process.Start() for OS command injection, Statement.execute()/mysql_query() for SQL injection, FileInputStream/include() for path traversal, sendRedirect()/header() for open redirect, eval() for script injection; (3) line-by-line close review of authentication, session management, access control, and native code components. Covers 8 vulnerability signature categories: cross-site scripting, SQL injection, path traversal, arbitrary redirection, OS command injection, backdoor passwords, native software bugs (buffer overflow, integer flaw, format string), and incriminating source code comments. Also covers database code components (stored procedures with dynamic SQL) and environment configuration checks (web.xml, Web.config, php.ini). Produces a prioritized findings report with evidence and countermeasures. Maps to CWE-79 (XSS), CWE-89 (SQL Injection), CWE-22 (Path Traversal), CWE-601 (Open Redirect), CWE-78 (OS Command Injection), CWE-798 (Hardcoded Credentials), CWE-120/121/122 (Buffer Overflow), CWE-134 (Format String). For authorized security review engagements, appsec engineers, and security-minded developers.
Sql Injection Detection And Exploitation
Perform a complete SQL injection assessment chain — from initial detection through full data extraction — against web applications. Use this skill whenever: testing any URL parameter, POST body field, cookie, or HTTP header for SQL injection susceptibility; auditing source code for unsafe query construction; reviewing whether parameterized queries or stored procedures are correctly applied; walking through the full UNION-based data extraction procedure against a vulnerable endpoint; applying blind SQL injection (boolean-based or time-based) when query results are not reflected; determining which database platform (MS-SQL, MySQL, Oracle, PostgreSQL) is running and adapting payloads accordingly; bypassing input filters using case variation, comment injection, encoding, or nested-expression techniques; identifying second-order SQL injection where stored data is later used unsafely in a query; assessing whether SQL injection can escalate to OS command execution via xp_cmdshell, UTL_HTTP, or SELECT INTO OUTFILE; testing NoSQL, XPath, or LDAP injection as related interpreted-language injection classes; performing a penetration test or secure code review of any application data-access layer. Maps to OWASP Testing Guide (OTG-INPVAL-005), CWE-89 (SQL Injection), CWE-564 (SQL Injection via Stored Procedure), CWE-943 (Improper Neutralization of Special Elements in Data Query Logic).
Web Application Attack Surface Mapping
Systematically map a web application's content, entry points, technologies, and attack surface during authorized security testing or security-focused code review. Use this skill whenever you are performing reconnaissance on a web application, need to enumerate application functionality and hidden content, want to identify all user-input entry points (URLs, query parameters, POST fields, cookies, HTTP headers), need to fingerprint server-side technologies from HTTP responses, or are building an attack surface inventory before vulnerability testing. Also invoke it when analyzing application behavior to infer server-side structure, looking for undiscovered directories and files through brute-force enumeration, using search engines or web archives to find historical content, probing for hidden debug parameters, mapping functional paths in parameter-driven applications, or producing a behavior-to-vulnerability mapping that prioritizes which areas to probe first. Produces a structured attack surface map: enumerated URLs and functional paths, identified entry points, technology fingerprint, and a prioritized vulnerability-class checklist. Does not perform active exploitation — use this before any active testing phase.
Web Application Fuzzing Automation
Build and execute customized automated attacks against web applications. Use this skill when: systematically enumerating valid identifiers (userids, document IDs, session tokens) by iterating through a parameter range and detecting hits via HTTP status code, response length, response time, Location header, Set-Cookie header, or grep expression; harvesting sensitive data at scale from access-control-flawed endpoints; fuzzing every request parameter with a universal payload kit covering SQL injection (`'`, `'--`, `'; waitfor delay '0:30:0'--`), XSS (`xsstest`, `"><script>alert('xss')</script>`), OS command injection (`|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 &` and separator variants), path traversal (`../../../../../../etc/passwd`, `../../../../../../boot.ini`), script injection (`;echo 111111`, `response.write 111111`), and remote file inclusion (`http://<your-server>/`); selecting the correct Burp Intruder attack type: Sniper (one position cycled through all payloads), Battering Ram (same payload into all positions simultaneously), Pitchfork (parallel payload sets, one per position, advanced in lockstep), or Cluster Bomb (Cartesian product of multiple payload sets across multiple positions); maintaining valid sessions across automated runs using Burp Suite cookie jar, request macros (login, token fetch, multistep pre-requests), and session-handling rules (check session validity, run re-login macro, update token per request); bypassing automation barriers including per-request anti-CSRF tokens (macro extracts token from prior response, session-handling rule injects it), session expiry (validate-and-re-login rule), and CAPTCHA (solution exposed in source, solution replay, OCR, or human-solver integration); triaging results by clicking column headings to sort by status/length/time and Shift-clicking to reverse-sort. Covers JAttack custom Java scripting framework as a reference model for payload source design and response parsing. For authorized penetration testing and application security assessment only.
Web Application Hardening Assessment
Systematically assess a web application's defensive security posture across input validation, information disclosure, application architecture, and server configuration. Use this skill whenever: evaluating the quality of an application's input handling strategy and whether it correctly applies whitelist vs blacklist vs sanitization approaches; assessing whether boundary validation is implemented at each trust boundary (not only the perimeter); checking whether multistep validation and canonicalization ordering are implemented safely; auditing error handling to determine whether verbose error messages, stack traces, debug output, or database banners are exposed to clients; assessing whether server and service banners are suppressed and whether HTML source comments have been removed; evaluating tiered application architecture for trust-boundary segregation weaknesses, dangerous inter-tier trust relationships, and least-privilege violations; assessing shared hosting or cloud environments for customer isolation deficiencies; auditing application server configuration for default credentials, default content, directory listing exposure, dangerous HTTP methods (WebDAV PUT/DELETE), misconfigured proxy functionality, virtual hosting security gaps, and web application firewall effectiveness; performing a pre-deployment security hardening review; conducting a security architecture review or threat modeling session; reviewing a web application penetration test scope for defensive control gaps. Covers core defense mechanisms (Ch2), information leakage prevention (Ch15), architecture security (Ch17), and application server hardening (Ch18). Maps to CWE-20 (Improper Input Validation), CWE-209 (Information Exposure Through Error Message), CWE-16 (Configuration), CWE-284 (Improper Access Control), CWE-693 (Protection Mechanism Failure).
Web Application Penetration Testing Methodology
Orchestrate a complete, structured web application penetration test through 13 testing areas during authorized security assessments. Use this skill when you are conducting a full web application security engagement and need a top-level methodology that sequences and delegates all testing phases — from initial reconnaissance through exploitation. Invoke it to plan and coordinate an engagement end-to-end: mapping application content, analyzing the attack surface, testing client-side controls, assessing authentication and session management, verifying access controls, probing all parameters for injection vulnerabilities, testing function-specific input flaws (SMTP, SOAP, LDAP, XPath, XXE), identifying logic flaws, checking shared hosting and server configuration, and conducting miscellaneous browser-security checks. Also invoke it as the master checklist for ensuring no test area has been missed, when delegating specific areas to domain-specific skills, or when producing a complete security assessment report. This is the hub skill — it calls twelve domain skills and provides the connective workflow between them. For white-box complement and source code analysis use alongside source-code-security-review.
Xss Detection And Exploitation
Detect, exploit, and remediate cross-site scripting (XSS) vulnerabilities across all three varieties — reflected, stored, and DOM-based — in web applications under authorized security testing. Use when conducting penetration tests or security assessments that require identifying XSS entry points, constructing context-aware payloads, bypassing input filters, and producing evidence for remediation.