# Web

- [Enumeration](https://book.jorianwoltjer.com/web/enumeration.md): Find all content and functionality on a website, to get an idea of the attack surface. Often through fuzzing
  - [Finding Hosts & Domains](https://book.jorianwoltjer.com/web/enumeration/finding-hosts-and-domains.md): Find domain names and hosts relating to a company
  - [Masscan](https://book.jorianwoltjer.com/web/enumeration/masscan.md): Use masscan to asynchronously scan for open ports at incredible speeds, then later analyze the results with other tools
  - [Nmap](https://book.jorianwoltjer.com/web/enumeration/nmap.md): Network scanning tool with enumeration scripts to get detailed information about TCP/UDP ports and the underlying system
  - [OSINT](https://book.jorianwoltjer.com/web/enumeration/osint.md): Open Source INTelligence: Abusing public information
- [Client-Side](https://book.jorianwoltjer.com/web/client-side.md): Attacks on the browser, often involving the victim landing on an attacker's site
  - [Cross-Site Scripting (XSS)](https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss.md): Inject JavaScript code on victims to perform actions on their behalf
    - [HTML Injection](https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss/html-injection.md): Tricks possible with malicious HTML, in case XSS is not quite possible
    - [Content-Security-Policy (CSP)](https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss/content-security-policy-csp.md): The CSP response header restricts what resources are allowed to execute, but can sometimes be bypassed
    - [postMessage Exploitation](https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss/postmessage-exploitation.md): Send cross-origin messages with arbitrary data, which can easily lead to Cross-Site Scripting in vulnerable handlers that fail to verify the origin
  - [CSS Injection](https://book.jorianwoltjer.com/web/client-side/css-injection.md): Injecting CSS code to leak content on a page using selectors
  - [Cross-Site Request Forgery (CSRF)](https://book.jorianwoltjer.com/web/client-side/cross-site-request-forgery-csrf.md): Submitting data-altering requests blindly from your domain on the client-side. Cookies are automatically sent, often requiring CSRF tokens as protection
  - [XS-Leaks](https://book.jorianwoltjer.com/web/client-side/xs-leaks.md): Leaking information cross-site, often through private search features
  - [Client-Side Path Traversal (CSPT)](https://book.jorianwoltjer.com/web/client-side/client-side-path-traversal-cspt.md): Using ../ sequences and URL parts to rewrite requests made by the browser
  - [CRLF / Header Injection](https://book.jorianwoltjer.com/web/client-side/crlf-header-injection.md): Manipulate HTTP headers in your favor or insert completely new ones with even more control
  - [Window Popup Tricks](https://book.jorianwoltjer.com/web/client-side/window-popup-tricks.md): Abusing browser functionality to do interesting things with popups and interactions
  - [WebSockets](https://book.jorianwoltjer.com/web/client-side/websockets.md)
  - [Caching](https://book.jorianwoltjer.com/web/client-side/caching.md): Remember static content so that fewer requests have to be resolved by the backend
  - [Headless Browsers](https://book.jorianwoltjer.com/web/client-side/headless-browsers.md): Tricks for dealing with input into headless browsers on the server, using client-side methods
- [Server-Side](https://book.jorianwoltjer.com/web/server-side.md): Attacks that have an impact on the server, often by abusing dangerous functionality
  - [SQL Injection](https://book.jorianwoltjer.com/web/server-side/sql-injection.md): An infamous and simple attack where code is injected where data should be, rewriting the SQL Query
  - [NoSQL Injection](https://book.jorianwoltjer.com/web/server-side/nosql-injection.md): NoSQL databases are a type of database where objects are used instead of SQL strings. MongoDB is common, but others are vulnerable too
  - [GraphQL](https://book.jorianwoltjer.com/web/server-side/graphql.md): Query structured data through an API and perform mutations with authorization
  - [XML External Entities (XXE)](https://book.jorianwoltjer.com/web/server-side/xml-external-entities-xxe.md): Injecting Entities into XML data to read local files and exfiltrate data
  - [HTTP Request Smuggling](https://book.jorianwoltjer.com/web/server-side/http-request-smuggling.md): Parsing of Content-Length and Transfer-Encoding headers leads to messing with the boundaries of requests
  - [Local File Disclosure](https://book.jorianwoltjer.com/web/server-side/local-file-disclosure.md): Gain information by reading files on a web server, also known as Local File Inclusion (LFI)
  - [Arbitrary File Write](https://book.jorianwoltjer.com/web/server-side/arbitrary-file-write.md): Being able to create or overwrite files on a server, often causing Remote Code Execution (RCE)
  - [Reverse Proxies](https://book.jorianwoltjer.com/web/server-side/reverse-proxies.md): Servers on top of web applications that route traffic, manage headers and more
  - [ImageMagick](https://book.jorianwoltjer.com/web/server-side/imagemagick.md): A tool/library for converting and editing images of many formats, with some older versions having known vulnerabilities
- [Frameworks](https://book.jorianwoltjer.com/web/frameworks.md): Libraries for specific programming languages that make development easier, with their own quirks
  - [Flask](https://book.jorianwoltjer.com/web/frameworks/flask.md): A Python library working with Werkzeug and Jinja2
  - [Ruby on Rails](https://book.jorianwoltjer.com/web/frameworks/ruby-on-rails.md): A common web framework for the Ruby Programming Language
  - [NodeJS](https://book.jorianwoltjer.com/web/frameworks/nodejs.md): The backend for running JavaScript as a server or application
  - [Bun](https://book.jorianwoltjer.com/web/frameworks/bun.md): An alternative JavaScript runtime with unique libraries and quirks
  - [WordPress](https://book.jorianwoltjer.com/web/frameworks/wordpress.md): A popular Content Management System (CMS) for static content, with a visual UI
  - [Angular](https://book.jorianwoltjer.com/web/frameworks/angular.md): Frontend framework with template-like syntax


