This section provides information for penetration testers. Some of this content is in other sections of this website already (The library). I just created this page as a quick reference. Please, if you feel I that I've missed a important link or document (Or you just feel like chatting :) Email Me.
The best way to find information is to use our search engine on the right.
Penetration Testing for Web Applications (Part One)
Penetration Testing for Web Applications (Part Two)
Penetration Testing for Web Applications (Part Three)
SQL Injection Page
Cross Site Scripting (XSS)
Session ID Attacks:
Brute-Force Exploitation of Web Application Session IDs, November 1, 2001 (PDF)
- David Endler iDefense
Session Fixation Vulnerability in Web-based Applications v1.0, December 2002 (PDF)
- ACROS Security
Cookie Modification and Poisoning:
Hacking Web Applications Using Cookie Poisoning, 2002 (PDF)
- Amit Klein/sanctuminc
HTTP Header Modification:
Header Based Exploitation: Web Statistical Software Threats, January 2002 (TXT)
TCP Port 80 - HyperText Transfer Protocol (HTTP) Header Exploitation, Sept 11th 2002 (HTML)
- William Bellamy Jr.
CRLF Injection, (TXT)
- Ulf Harnhammar
Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures. , November 2001 (TXT)
Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures: Part Two., March 2002 (TXT) (HTML)
Web Application Forensics: The Uncharted Territory, 2002 (PDF)
- Ory Segal/sanctuminc
Note: This paper has been posted for its information base only, and we in no way promote or support the products mentioned within.
A Study in Scarlet: Exploiting Common Vulnerabilities in PHP Applications (TXT) (Spanish) (French)
"A reprint of reminisces from the Blackhat Briefings Asia 2001"
- Shaun Clowes, SecureReality
Secure Programming in PHP, January 30, 2002 (HTML)
- Thomas Oertli
CGI/Perl Taint Mode FAQ, June 3rd, 1998 (HTML)
- Gunther Birznieks
Security Issues in Perl Scripts (HTML)
- Jordan Dimov
Application Security Assessments: Advice on Assessing your Custom Application, 2002 (HTML)
- Gunter Ollmann
Ethical Hacking Techniques to Audit and Secure Web-enabled Applications (PDF)
LDAP Injection: Are your web applications vulnerable?, July 28th 2003 (Remote Copy)
- SPI LABS
Application Penetration test (SAMPLE)