In this chapter, we reviewed some of the vulnerabilities in web applications that may escape the spotlight of XSS, SQL injection, and other common flaws. As a penetration tester, you need to know how to identify, exploit, and mitigate vulnerabilities so that you can seek them out and provide proper advice to your clients.
We began this chapter by covering the broad concept of insecure direct object references and some of its variants. Then we moved on to file inclusion vulnerabilities, which are a special type of insecure direct object reference but form a classification category of their own. We did an exercise on LFI and explained the remote version.
After that, we reviewed how different servers process duplicated parameters in requests and how this can be abused by an attacker through HTTP parameter pollution.
Next, we looked at information disclosure, and we reviewed...