web-recon
Web application enumeration hub — directory/file fuzzing, vhost discovery, API enumeration, CMS scanning, WAF detection, auth surface mapping, cookie audit.
| Field | Value |
|---|---|
| name | web-recon |
| description | Web application enumeration hub — directory/file fuzzing, vhost discovery, API enumeration, CMS scanning, WAF detection, auth surface mapping, cookie audit. |
| allowed-tools | Read |
| metadata | {"subdomain":"reconnaissance","when_to_use":"web recon, web application enumeration, web app fingerprint","tags":"web-recon","mitre_attack":"T1595.003, T1592.004"} |
Sub-skills under this directory:
| Sub-skill | Path | When to load |
|---|---|---|
| Discovery | load_skill("/skills/standard/recon/web-recon/discovery/SKILL.md") | directory/file fuzzing, vhost, JS analysis |
| API enumeration | load_skill("/skills/standard/recon/web-recon/api-enumeration/SKILL.md") | REST/GraphQL/parameter fuzzing |
| CMS scanning | load_skill("/skills/standard/recon/web-recon/cms-scanning/SKILL.md") | WordPress/Joomla/Drupal detected |
| WAF detection | load_skill("/skills/standard/recon/web-recon/waf-detection/SKILL.md") | proxy/CDN suspected |
| Auth mapping | load_skill("/skills/standard/recon/web-recon/auth-mapping/SKILL.md") | login flow analysis |
| Cookie audit | load_skill("/skills/standard/recon/web-recon/cookie-audit/SKILL.md") | sink behind session, race-condition recon |
Overall recon workflow, scope rules, and handoff format are loaded into your system prompt at agent boot — no load_skill call needed for them.
When the orchestrator passes challenge tags, skip straight to the matching sub-skill:
| Tag | First action | Sub-skill to load |
|---|---|---|
| sqli | Fire a single error-triggering payload on every form/param | /skills/standard/exploit/web/sqli/SKILL.md recon section |
| ssti | Probe every reflection point with {{7*7}} | /skills/standard/exploit/web/ssti/SKILL.md recon section |
| lfi | Path-traversal probe on every file/path param | discovery.md |
| idor | Enumerate object IDs on every user-data endpoint | api-enumeration.md |
| auth | Map the full auth flow before other recon | auth-mapping.md |
When iterating parameters (IDs, pages, paths), always deduplicate via recon/probed.txt to avoid re-probing the same URLs after context summarization:
```bash
URL="http://<TARGET>/api/resource/$ID"
# Exact-line match (-F fixed string, -x whole line, -q quiet) against the probed list
if grep -Fxq "$URL" recon/probed.txt 2>/dev/null; then
  echo "SKIP: $URL"
else
  # Record before probing so an interrupted run never re-probes this URL
  echo "$URL" >> recon/probed.txt
  curl -sS "$URL" -o /tmp/probe.html -w '%{http_code}\n'
  head -10 /tmp/probe.html
fi
```
Resume rule: Before any scan loop, check tail -1 recon/probed.txt to find the last probed item and continue from there — not from the beginning.
Stop rule: If 5 consecutive probes return the same status code + same response size (±50 bytes), stop that enumeration axis and pivot to a different surface.
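The three rules above (deduplicate through probed.txt, resume from its last line, stop an axis when five consecutive probes look identical) as POSIX sh helpers. This is an added example, not code from the skill file. It assumes a per-probe results log, `recon/results.log`, with one constructed line per probe in the form `<status> <bytes> <url>`; the `TARGET.example` URLs are constructed, and "same size ±50 bytes" is interpreted as the window's largest and smallest sizes differing by at most 50 bytes. The window length and tolerance are parameters, so the same function also covers stricter or looser stop rules than the five-probe default.

```shell
#!/bin/sh
# Added example (not from the original skill file): probed.txt deduplication,
# resume, and stop-rule helpers. Assumed/constructed: recon/results.log with
# lines "<status> <bytes> <url>", and the TARGET.example URLs used in demo().

# mark_probed URL [FILE]: append URL and return 0 if it was not probed yet,
# return 1 (caller should skip) if the exact line is already present.
mark_probed() {
  local url="$1" file="${2:-recon/probed.txt}"
  mkdir -p "$(dirname "$file")"
  if grep -Fxq -- "$url" "$file" 2>/dev/null; then
    return 1
  fi
  printf '%s\n' "$url" >> "$file"
}

# resume_from [FILE]: print the last probed entry (nothing if the file is
# absent) so a loop can continue after it instead of restarting.
resume_from() {
  local file="${1:-recon/probed.txt}"
  [ -f "$file" ] && tail -n 1 "$file" || true
}

# plateau FILE [N] [TOL]: return 0 when the last N result lines share one
# status code and their sizes all lie within TOL bytes of each other
# (the stop rule: 5 probes, 50 bytes by default), otherwise return 1.
plateau() {
  local file="$1" n="${2:-5}" tol="${3:-50}"
  [ -f "$file" ] || return 1
  [ "$(wc -l < "$file" | tr -d ' ')" -ge "$n" ] || return 1
  tail -n "$n" "$file" | awk -v tol="$tol" '
    NR == 1 { status = $1; lo = $2 + 0; hi = $2 + 0; next }
    $1 != status { mixed = 1 }
    { if ($2 + 0 < lo) lo = $2 + 0; if ($2 + 0 > hi) hi = $2 + 0 }
    END { if (mixed || hi - lo > tol + 0) exit 1; exit 0 }'
}

# write_sample_log FILE: constructed sample results, not real output. Two
# distinct hits followed by a run of near-identical 404s.
write_sample_log() {
  cat > "$1" <<'EOF'
200 5120 http://TARGET.example/api/resource/1
200 4880 http://TARGET.example/api/resource/2
404 312 http://TARGET.example/api/resource/3
404 320 http://TARGET.example/api/resource/4
404 315 http://TARGET.example/api/resource/5
404 330 http://TARGET.example/api/resource/6
404 318 http://TARGET.example/api/resource/7
EOF
}

# demo: walk the constructed sample and print SKIP/PROBE decisions, the
# resume point, and whether the stop rule has fired.
demo() {
  local dir url
  dir="$(mktemp -d)"
  write_sample_log "$dir/results.log"
  for url in "http://TARGET.example/api/resource/1" \
             "http://TARGET.example/api/resource/1" \
             "http://TARGET.example/api/resource/2"; do
    if mark_probed "$url" "$dir/probed.txt"; then
      echo "PROBE: $url"
    else
      echo "SKIP: $url"
    fi
  done
  echo "resume after: $(resume_from "$dir/probed.txt")"
  if plateau "$dir/results.log"; then
    echo "STOP: last 5 probes returned the same status and size band, pivot"
  else
    echo "CONTINUE: responses still vary"
  fi
  rm -rf "$dir"
}

demo
```

Recording the URL before the request is deliberate: if the run is interrupted mid-probe, the worst case is one URL skipped on resume, never a re-probe of an already covered range.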
```text
./
├── ffuf_<target>_dirs.json        # Directory fuzzing results
├── ffuf_<target>_vhosts.json      # Virtual host discovery
├── ffuf_<target>_api.json         # API endpoint fuzzing
├── web_sensitive_<target>.txt     # Sensitive file check results
├── js_endpoints_<target>.txt      # Extracted JS endpoints
├── wpscan_<target>.json           # WordPress scan (if applicable)
└── web_recon_<target>_summary.md  # Consolidated web findings
```
Web application exploitation — the primary category skill for all web-based attacks. This is a routing skill: read this first to identify the attack type, then load the appropriate specialized sub-skill for detailed procedures. Covers 11 technique areas across injection, file access, authentication, and API exploitation.
HTTP Request Smuggling (HRS) — front-end / back-end parser disagreement attacks that desync the proxy stack. Covers CL.TE, TE.CL, TE.TE, CL.0, HTTP/2 downgrade (h2.cl, h2.te), pipelining, and connection-state pinning. Includes a confirm-desync gate, header obfuscation catalog, and minimal raw-socket Python harnesses (no smuggler.py available in sandbox).
Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.
Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X.
Top-level index for the Decepticon 802.11 wireless attack suite. Routes the WirelessOperator to the correct leaf skill based on the target AP's crypto column (PSK / SAE / MGT / WPS) and engagement posture. BLE, Zigbee, Z-Wave, LoRaWAN, and sub-GHz live under iot/ by design — link provided below to prevent duplication.
Exploitation finding documentation — initial access reports, exploit chain documentation, CVSS v4.0 scoring, shell/credential inventory, detection gap analysis.