
We've provided a brief overview of each chapter below, linked to the full
table of contents and selected content samples. Check back frequently
as we add more!
1: Hacking Web Apps 101
In this chapter, we take a 50,000-foot aerial view of web application
hacking tools and techniques. Buckle your seatbelt, Dorothy, because Kansas
is going bye-bye.
2: Profiling
The first step in any methodology is often one of the most critical, and
profiling is no exception. This chapter illustrates the process of reconnaissance
as a prelude to attacking a web application and its associated infrastructure.
3: Hacking Web Platforms
No application can be secured if it's built on a web platform that's full
of security holes - this chapter describes attacks, detection evasion
techniques, and countermeasures for the most popular web platforms, including
IIS, Apache, PHP, and ASP.NET.
4: Attacking Web Authentication
This chapter covers attacks and countermeasures for common web authentication
mechanisms, including password-based, multi-factor (e.g. SecurID, Passmark,
CAPTCHA) and online authentication services like Passport.
5: Attacking Web Authorization
See how to excise the heart of any Web application's access controls through
advanced session analysis, hijacking, and fixation techniques.
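Of the three techniques named above, session fixation is the one most often misunderstood, so here is an added example (not code from the book) of the mechanism: an in-memory session store, constructed for the demo, in which the attacker obtains a legitimately issued session ID, plants it in the victim's browser, and then reads the victim's authenticated session through it. The only difference between the vulnerable and the fixed login is whether the server discards the presented ID and issues a fresh one at the moment of authentication.

```python
import secrets


class SessionStore:
    """Constructed in-memory session table for the demo: sid -> {"user": ...}."""

    def __init__(self):
        self.sessions = {}

    def new_anonymous_session(self):
        # Server-issued, unguessable IDs are not enough on their own: the attacker
        # can obtain one legitimately and plant it in the victim's browser.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        """Upgrades whatever session the client presented; the ID is unchanged."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """Discards the presented ID and issues a fresh one at the privilege change."""
        self.sessions.pop(sid, None)            # the planted ID is now invalid
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid                          # becomes the new session cookie

    def whoami(self, sid):
        s = self.sessions.get(sid)
        return s["user"] if s else None


def fixation_scenario(regenerate_on_login):
    """Returns the user the attacker's pre-planted session resolves to
    after the victim has logged in through it."""
    store = SessionStore()
    planted = store.new_anonymous_session()      # 1. attacker obtains a valid sid
    # 2. attacker plants it in the victim's browser (sid in a link, cookie
    #    injection from a sibling subdomain, etc.)
    # 3. victim authenticates while presenting the planted sid
    if regenerate_on_login:
        store.login_fixed(planted, "victim")
    else:
        store.login_vulnerable(planted, "victim")
    # 4. attacker replays the sid they already know
    return store.whoami(planted)


if __name__ == "__main__":
    print("no regeneration :", fixation_scenario(False))   # attacker is now "victim"
    print("regenerate on login:", fixation_scenario(True)) # planted sid is dead
```

The check to carry away: after logging in, compare the session cookie you received before authentication with the one you hold afterwards. If they are identical, the application is fixable regardless of how random its IDs are.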
6: Input Validation Attacks
Brackets and quotes and dashes, oh my! A common theme of web hacking (some
may say of hacking generally) is feeding crafty input to unsuspecting software.
Get an overview of the common mistakes that result in devastating attacks,
such as relying on client-side validation, canonicalization errors, inadequate
decoding, and more.
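The canonicalization and decoding mistakes are best seen side by side, so here is an added example (not the book's code) of a file-path check done on the raw request value versus one done on the canonical form. The base directory and the sample inputs are constructed for the demo; the hardened version decodes until the value stops changing (so double encoding is seen), rejects NUL bytes, folds Windows separators, and only then decides whether the resolved path stays under the base directory.

```python
import posixpath
import urllib.parse

# Constructed base directory for the demo; any absolute path works.
BASE_DIR = "/var/www/files"


def naive_is_safe(user_path):
    """The mistake: validate the raw request value before decoding it.
    '..' never appears literally in '%2e%2e/%2e%2e/etc/passwd', so it passes."""
    return ".." not in user_path and not user_path.startswith("/")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded input
    (%252e -> %2e -> .) is seen in its canonical form. A value still changing
    after max_rounds is treated as hostile and rejected."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("percent-encoding nested deeper than %d levels" % max_rounds)


def resolve(base, user_path):
    """Canonicalize first, then normalize against the base directory.
    Returns the absolute path the request would actually touch."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")       # classic truncation trick
    decoded = decoded.replace("\\", "/")           # fold Windows separators
    relative = decoded.lstrip("/")                 # everything is relative to base
    return posixpath.normpath(posixpath.join(base, relative))


def is_safe_path(user_path, base=BASE_DIR):
    """The decision is made on the canonical path, never on the raw input."""
    try:
        full = resolve(base, user_path)
    except ValueError:
        return False
    return full == base or full.startswith(base + "/")


if __name__ == "__main__":
    # Constructed sample inputs: benign, plain traversal, URL-encoded,
    # double-encoded, backslash-encoded, and NUL truncation.
    for p in ["docs/report.pdf", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
              "%252e%252e%252fetc/passwd", "..%5c..%5cwindows/win.ini",
              "report.pdf%00.jpg"]:
        print("%-32s naive=%-5s canonical=%s" % (p, naive_is_safe(p), is_safe_path(p)))
```

Note that the web server or framework may already have decoded the value once before your code sees it; the loop above is what makes the check independent of how many layers sit in front of it.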
7: Attacking Web Datastores
SQL injection is perhaps the most devastating of web application attacks,
since it strikes at the most important application asset: data. Here we
offer a soup-to-nuts illustration of SQL injection basics through advanced
exploitation, and of course...countermeasures.
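As an added illustration of the basics (this is not code from the book), the following Python script builds a one-user SQLite database, constructed for the demo, and shows the same login query written two ways: by string concatenation, where a crafted username both bypasses the password check and pulls the stored hash out through a UNION, and with bound parameters, where the same input is just a string that matches no account.

```python
import hashlib
import sqlite3


def pw_hash_hex(password):
    # Demo only: a real deployment uses a salted, slow hash (bcrypt, scrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed sample database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("alice", pw_hash_hex("correct horse")))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the statement by string formatting: the username is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash_hex(password)))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterized: the driver binds the values, the query structure is fixed."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Tautology: closes the string literal, makes WHERE always true,
    # and '--' comments out the password comparison.
    print(vulnerable_login(conn, "' OR 1=1 --", "wrong"))
    # UNION: the login query becomes a data-extraction query and the
    # "username" it returns is really the stored password hash.
    print(vulnerable_login(conn, "' UNION SELECT pw_hash FROM users --", "wrong"))
    # Same payloads against the parameterized query match nothing.
    print(safe_login(conn, "' OR 1=1 --", "wrong"))
    print(safe_login(conn, "alice", "correct horse"))
```

The UNION case is the point of this chapter's title: once the attacker controls the query, the authentication bypass is the least of it, since any table the application's database account can read is reachable with the same technique.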
8: Attacking XML-Web Services
XML web services are all the rage nowadays as digital commerce becomes
increasingly automated. Learn web services technologies like SOAP from
the hacker's perspective, see the most cutting-edge attacks, and read
about evolving security standards like WS-*.
9: Attacking Web Application Management
There is a great deal of additional "attack surface" to web applications
besides the primary presentation, logic, and data components. We document
the most common administrative misconfigurations and developer-driven mistakes
related to remote administration and content management.
10: Hacking Web Clients
Did you know that your web browser is actually an effective portal through
which unsavory types can enter directly into your homes and offices? Take
a tour of the nastiest Firefox and IE exploits around, and then follow
our "10 Steps to a Safer Internet Experience" (along with dozens
of additional countermeasures) so you can breathe a little easier when
you browse.
11: Distributed Attacks and DoS
Thanks to the rise of botnets, distributed attacks on Internet-facing
businesses have reached a crisis point. You can't outright prevent many
of the attacks we illustrate, but you can take steps to mitigate and recover
quickly, remaining resilient for your customers.
12: Full-Knowledge Analysis
Go behind-the-scenes to see our white/grey-box web security testing methodology
and how it integrates into the web application development lifecycle.
Nish Bhalla's secret.dll and secret.htm are provided
here as examples to help interested readers follow along with the
book section "An Example of Binary Analysis" starting on page
416.
13: Web Application Security Scanners
Devoted primarily to a review of the currently available web app security
scanning tools, commissioned specifically for Hacking Exposed Web Applications
2 and embellished with the authors' collective experience as security
managers and consultants for large enterprises that have had successful web
app security scanner deployments.
Appendices
A: Web Site Security Checklist
B: Web Hacking Tools & Techniques Cribsheet
C: URLScan & mod_sec
D: About The Companion Website