Hacking training
random stuff

1. Warm up

1 Introduction

2 Disclaimer

3 Methodology

2. Environment setup

1 In this section

2 Setting up the target

3 Setting up Kali

4 Setting up the Burp Suite

3. Web 101

1 In this section

2 How HTTP works

3 Static HTML

4 PHP and friends

5 Modern MVC frameworks

6 JavaScript

4. Application discovery

1 Manual discovery

2 Automated discovery

5. Attacking session management

1 Session management intro

2 Session fixation

3 Weak logout

4 Same origin policy

5 CSRF

6 Securing the session

6. Attacking authentication

1 SSL/TLS

2 Authentication bypass

3 Unauthenticated URL access

4 Password quality

5 Password brute force

6 Default accounts

7 Weak password recovery

8 Mitigations

7. Attacking authorization

1 Authorization Intro

2 Manipulating variables

3 Client side authentication

4 Mitigations

8. Attacking the client

1 Reflected XSS

2 Stored XSS

3 HTTP header injection

4 Malicious URL redirection

5 Exploiting wrong content-type

6 Mitigations

9. Server side injections

1 Malicious file upload

2 LFI and RFI

3 OS command injection

4 SQL injection

5 UNION Select Attack

6 Blind SQL injection

7 Automating SQLi testing

8 Mitigations

10. The rest

1 Reporting

2 Checklist

3 What's next


©2022 MDXBlog. All rights reserved.