Topics

Tags

Favorite Links

Translate

Security Books

Archives

Recent entries...

Announcing SecTemplates.com release #5: Security Exception Program Pack 1.0

Announcing SecTemplates.com release #4: Vulnerability Management Program Release Pack 1.0

Announcing SecTemplates.com release #3: Bug bounty program pack 1.0

Announcing SecTemplates.com release #2: External penetration testing program pack 1.0

Announcing SecTemplates.com and the incident response program pack 1.0

20 years of CGISecurity: What appsec looked like in the year 2000

My experience coleading purple team

oAuth nightmares talk

Extensive IOS hacking guide released by Security Innovation

Presentation: Problems you'll face when building a software security program

Twitter

Sponsored Ads

Sponsored Ads

The Web Security Mailing List

Web Application Penetration Testing

This section provides information for penetration testers. Some of this content is in other sections of this website already (The library). I just created this page as a quick reference. Please, if you feel I that I've missed a important link or document (Or you just feel like chatting :) Email Me.

The best way to find information is to use our search engine on the right.

Articles:
Penetration Testing for Web Applications (Part One)
Penetration Testing for Web Applications (Part Two)
Penetration Testing for Web Applications (Part Three)

Site Sections:
SQL Injection Page
Cross Site Scripting (XSS)

Session ID Attacks:
Brute-Force Exploitation of Web Application Session IDs, November 1, 2001 (PDF)
- David Endler iDefense

Session Fixation Vulnerability in Web-based Applications v1.0, December 2002 (PDF)
- ACROS Security

Cookie Modification and Poisoning:
Hacking Web Applications Using Cookie Poisoning, 2002 (PDF)
- Amit Klein/sanctuminc

HTTP Header Modification:
Header Based Exploitation: Web Statistical Software Threats, January 2002 (TXT)
- www.cgisecurity.com

TCP Port 80 - HyperText Transfer Protocol (HTTP) Header Exploitation, Sept 11th 2002 (HTML)
- William Bellamy Jr.

CRLF Injection, (TXT)
- Ulf Harnhammar

Log Forensics:
Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures. , November 2001 (TXT)
- www.cgisecurity.com

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures: Part Two., March 2002 (TXT) (HTML)
- www.cgisecurity.com

Web Application Forensics: The Uncharted Territory, 2002 (PDF)
- Ory Segal/sanctuminc
Note: This paper has been posted for its information base only, and we in no way promote or support the products mentioned within.

PHP:
A Study in Scarlet: Exploiting Common Vulnerabilities in PHP Applications (TXT) (Spanish) (French)
"A reprint of reminisces from the Blackhat Briefings Asia 2001"
- Shaun Clowes, SecureReality

Secure Programming in PHP, January 30, 2002 (HTML)
- Thomas Oertli

Perl:
CGI/Perl Taint Mode FAQ, June 3rd, 1998 (HTML)
- Gunther Birznieks

Security Issues in Perl Scripts (HTML)
- Jordan Dimov

Misc Documentation:
Application Security Assessments: Advice on Assessing your Custom Application, 2002 (HTML)
- Gunter Ollmann

Ethical Hacking Techniques to Audit and Secure Web-enabled Applications (PDF)
- sanctuminc

LDAP Injection: Are your web applications vulnerable?, July 28th 2003 (Remote Copy)
- SPI LABS

Application Penetration test (SAMPLE)
- Imperva

Comments

You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!

Post a comment