In this chapter, we will explore various methods of testing web applications using freely available tools such as your web browser, w3af, WebScarab, and others. We will also discuss methods of bypassing web application firewalls and intrusion detection systems and how to determine if your targets are being load balanced or filtered. This chapter does require significant lab preparation. If you are not following along with the examples, you may want to bypass these portions.

It is of importance to note that in a secured environment web-based applications may be the most direct method of gaining a toe-hold in the network you are testing. They are also the most likely entry point used by malicious users. It seems that every day there are more breach notices released and most of these stem from web application security flaws or misconfigurations. Considering that many of these applications are accessible to the public via the Internet, web applications...