WebApp Security

The checklist below is used to mark which topics have already been covered and which have not.

  • for complete tasks

  • for incomplete tasks

Web Security Topics for self-study:

  • SQL Injection Attack

  • Hibernate Query Language Injection

  • Direct OS Code Injection

  • XML Entity Injection

  • Broken Authentication and Session Management

  • Cross-Site Scripting (XSS)

  • Insecure Direct Object References

  • Security Misconfiguration

  • Sensitive Data Exposure

  • Missing Function Level Access Control

  • Cross-Site Request Forgery (CSRF)

  • Using Components with Known Vulnerabilities

  • Unvalidated Redirects and Forwards

  • Execution After Redirect (EAR)

  • Cross Site Scripting Attacks

  • Click Jacking Attacks

  • DNS Cache Poisoning

  • Symlinking – An Insider Attack

  • Cross Site Request Forgery Attacks

  • Remote Code Execution Attacks

  • Remote File inclusion

  • Local file inclusion

  • EverCookie

  • Denial of Service Attack

  • Cookie Eviction

  • PHPwn

  • NAT Pinning

  • XSHM

  • MitM DNS Rebinding SSL/TLS Wildcards and

  • Quick Proxy Detection

  • Improving HTTPS Side Channel Attacks

  • Side Channel Attacks in SSL

  • Turning XSS into Clickjacking

  • Bypassing CSRF protections with ClickJacking

  • HTTP Parameter Pollution

  • URL Hijacking

  • Stroke Jacking

  • Fooling B64_Encode(Payload) on WAFs And Filters

  • MySQL Stacked Queries with SQL Injection

  • Posting Raw XML cross-domain

  • Generic Cross-Browser Cross-Domain theft

  • Attacking HTTPS with Cache Injection

  • Tap Jacking

  • XSS - Track

  • Next Generation Click Jacking

  • XSSing Client-Side Dynamic HTML

  • Stroke triggered XSS and Stroke Jacking

  • Lost in Translation

  • Persistent Cross Interface Attacks

  • Chronofeit Phishing

  • SQLi Filter Evasion Cheat Sheet (MySQL)

  • Tabnabbing

  • UI Redressing

  • Cookie Poisoning

  • SSRF

  • Bruteforce of PHPSESSID

  • Blended Threats and JavaScript

  • Cross-Site Port Attacks

  • CAPTCHA Re-Riding Attack

Web Application Attacks List

  • Arbitrary file access

  • Binary planting

  • Blind SQL Injection

  • Blind XPath Injection

  • Brute force attack

  • Buffer overflow attack

  • Cache Poisoning

  • Cash Overflow

  • Clickjacking

  • Command injection attacks

  • Comment Injection Attack

  • Content Security Policy

  • Content Spoofing

  • Credential stuffing

  • Cross Frame Scripting

  • Cross Site History Manipulation (XSHM)

  • Cross Site Tracing

  • Cross-Site Request Forgery (CSRF)

  • Cross Site Port Attack (XSPA)

  • Cross-Site Scripting (XSS)

  • Cross-User Defacement

  • Custom Special Character Injection

  • Denial of Service

  • Direct Dynamic Code Evaluation (‘Eval Injection’)

  • Exploitation of CORS

  • Forced browsing

  • Form action hijacking

  • Format string attack

  • Full Path Disclosure

  • Function Injection

  • Host Header injection

  • HTTP Response Splitting

  • HTTP verb tampering

  • HTML injection

  • LDAP injection

  • Log Injection

  • Man-in-the-browser attack

  • Man-in-the-middle attack

  • Mobile code: invoking untrusted mobile code

  • Mobile code: non-final public field

  • Mobile code: object hijack

  • One-Click Attack

  • Parameter Delimiter

  • Page takeover

  • Path Traversal

  • Reflected DOM Injection

  • Regular expression Denial of Service – ReDoS

  • Repudiation Attack

  • Resource Injection

  • Server-Side Includes (SSI) Injection

  • Session fixation

  • Session hijacking attack

  • Session Prediction

  • Setting Manipulation

  • Special Element Injection

  • SMTP injection

  • SQL Injection

  • SSI injection

  • Traffic flood

  • Web Parameter Tampering

  • XPath Injection

  • XSRF or SSRF

  • Parameter Pollution