> For the complete documentation index, see [llms.txt](https://notes.sfoffo.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.sfoffo.com/web-applications.md).

# Web Applications

## **Web Penetration Testing Methodologies**

* [OWASP WSTG](https://owasp.org/www-project-web-security-testing-guide/)
  * [OWASP WSTG Checklists](https://github.com/OWASP/wstg/tree/master/checklists)
  * [WSTG Checklist.MD](https://raw.githubusercontent.com/OWASP/wstg/master/checklists/checklist.md)
  * [WSTG Checklist.xlsx](https://github.com/OWASP/wstg/raw/master/checklists/checklist.xlsx)
* [OWASP Top 10](https://owasp.org/www-project-top-ten/)
* [OWASP CheatSheets](https://cheatsheetseries.owasp.org/Glossary.html)
* [CWE List](https://cwe.mitre.org/data/)
* [CVSS v3 Calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
* [Mitre ATT\&CK matrix](https://attack.mitre.org/)

***

## **Learning Resources**

1. <https://portswigger.net/web-security>
2. <https://book.hacktricks.xyz/network-services-pentesting/pentesting-web>
3. <https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/web-api-pentesting>
4. <https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology>
