Who Should Read This Book
How This Book Is Organized
Chapter 1: Web Application (In)security
    The Evolution of Web Applications
Chapter 2: Core Defense Mechanisms
Chapter 3: Web Application Technologies
Chapter 4: Mapping the Application
    Enumerating Content and Functionality
    Analyzing the Application
Chapter 5: Bypassing Client-Side Controls
    Transmitting Data via the Client
    Capturing User Data: HTML Forms
    Capturing User Data: Thick-Client Components
    Handling Client-Side Data Securely
Chapter 6: Attacking Authentication
    Authentication Technologies
    Design Flaws in Authentication Mechanisms
    Implementation Flaws in Authentication
Chapter 7: Attacking Session Management
    Weaknesses in Session Token Generation
    Weaknesses in Session Token Handling
    Securing Session Management
Chapter 8: Attacking Access Controls
    Attacking Access Controls
Chapter 9: Injecting Code
    Injecting into Interpreted Languages
    Injecting into Web Scripting Languages
Chapter 10: Exploiting Path Traversal
    Finding and Exploiting Path Traversal Vulnerabilities
    Preventing Path Traversal Vulnerabilities
Chapter 11: Attacking Application Logic
    The Nature of Logic Flaws
Chapter 12: Attacking Other Users
    Attacking ActiveX Controls
    Advanced Exploitation Techniques
Chapter 13: Automating Bespoke Attacks
    Uses for Bespoke Automation
    Enumerating Valid Identifiers
    Fuzzing for Common Vulnerabilities
    Putting It All Together: Burp Intruder
Chapter 14: Exploiting Information Disclosure
    Exploiting Error Messages
    Gathering Published Information