Saturday, December 21, 2013

What should you know for Web Application Pentesting...!

  • HTTP/HTTPS protocol basics
  • Understanding Web Application Architectures
  • Lab setup and tools of the trade
  • Converting your browser into an attack platform
  • Traffic Interception and Modification using Proxies
  • Cross Site Scripting
    • Types
      • Reflected
      • Persistent
      • DOM based
    • Filtering XSS
    • Evading XSS filters
    • Cookie stealing and session hijacking
    • Self-XSS
    • BeEF
  • SQL Injection
    • Error based
    • Blind
    • Second order injections
  • Broken authentication and session management
    • Session ID analysis
    • Custom authentication
  • Security misconfigurations
    • Web and database server
    • Application framework
  • Insecure direct object reference
  • Cross-site Request Forgery
    • GET and POST based
    • JSON based in RESTful Service
    • Token Hijacking via XSS
    • Multi-Step CSRF
  • Insecure cryptographic storage
  • Clickjacking
  • File upload vulnerabilities
    • Bypassing extension, content-type etc. checks
  • RFI and LFI
  • Web to Shell
    • Web Shells
    • PHP meterpreter
  • Analyzing Web 2.0 applications
    • AJAX
    • RIAs using Flash, Flex
  • Attacking Caching servers
    • Memcached
    • Redis
  • Non Relational Database Attacks
    • App Engine Datastore
    • MongoDB, CouchDB etc.
  • HTML5 Attack Vectors
    • Tag abuse and use in XSS
    • Websockets
    • Client side injection
    • Clickjacking
  • Web Application firewalls
    • Fingerprinting
    • Detection Techniques
    • Evading WAFs
  • … more additions will be made as the course evolves
