Mastering Modern Web Penetration Testing

Master the art of conducting modern pen testing attacks and techniques on your web application before the hacker does!

Product type: Paperback
Published: Oct 2016
Publisher: Packt
ISBN-13: 9781785284588
Length: 298 pages
Edition: 1st Edition
Authors (2): Prakhar Prasad, Rafay Baloch
Table of Contents (13 chapters)

Preface
1. Common Security Protocols (free chapter)
2. Information Gathering
3. Cross-Site Scripting
4. Cross-Site Request Forgery
5. Exploiting SQL Injection
6. File Upload Vulnerabilities
7. Metasploit and Web
8. XML Attacks
9. Emerging Attack Vectors
10. OAuth 2.0 Security
11. API Testing Methodology
Index

What this book covers

Chapter 1, Common Security Protocols, focuses on basic concepts of the Web and of security in general, which you will find beneficial when conducting tests in real life. Topics such as the same-origin policy are very important for anyone who wants to understand the enforcement a browser performs in the context of a web application. The chapter also covers different encoding techniques, one of them being Base64, which is quite popular.

Chapter 2, Information Gathering, deals with various reconnaissance and enumeration techniques for discovering surfaces that can be attacked. The more thoroughly someone enumerates a particular web target, the better the chances of finding a vulnerability in it. The famous quote attributed to Abraham Lincoln sums this chapter up well: If I had eight hours to chop down a tree, I would spend six of those hours sharpening my axe.

Chapter 3, Cross-Site Scripting, is a refresher on one of the most exploited flaws on the Web: cross-site scripting. This chapter covers different XSS techniques, some of them really nasty, such as performing XSS by spoofing an IP address.

Chapter 4, Cross-Site Request Forgery, highlights the importance of CSRF as an attack vector and teaches newer ways to perform CSRF, for instance when the request body is a JSON object. It closes with a real-life case study of a critical CSRF vulnerability in PayPal.

Chapter 5, Exploiting SQL Injection, needs no introduction at all. This chapter uses SQLMap and explores how it detects and exploits SQL injection flaws.

Chapter 6, File Upload Vulnerabilities, deals with the security flaws plaguing file upload functionality, which is very common in web applications. It covers methods for creating and using different kinds of web shells, some DoS techniques, and bypasses for certain types of upload filters.

Chapter 7, Metasploit and Web, explains the Metasploit Framework and its relevance to web application security. It covers how to generate a web backdoor payload with MSF, along with the different modules that relate directly or indirectly to the Web.

Chapter 8, XML Attacks, covers attack vectors that exploit the XML parsing implementation of a web application; XXE is covered here, along with DoS issues such as the XQB attack.

Chapter 9, Emerging Attack Vectors, covers some of the latest or less well-known techniques, including RPO (Relative Path Overwrite), DOM clobbering, and Insecure Direct Object Reference, to name a few.

Chapter 10, OAuth 2.0 Security, discusses various flaws in how web applications implement the OAuth 2.0 protocol. It starts with the relevant basics of OAuth and goes on to explain the possible attacks.

Chapter 11, API Testing Methodology, is the last chapter of this book and a guest chapter by security researcher and my friend Pranav Hivarekar. It covers the basics of REST APIs and then explains the fundamental issues and mistakes developers make while implementing them. Various case studies are also included in this chapter to provide real-life examples.
