CHAPTER 8: Web Application Vulnerabilities

In this chapter, you will learn the basics of web application vulnerabilities. Application security is a discipline of its own, and covering it fully would take a whole book, so this chapter covers only the most common vulnerability classes.

Much of what you'll learn in this chapter will allow you to test web applications before they are deployed to the production environment. If you're interested in the increasingly popular security career of bug bounty hunting, then you must master this topic.

DevSecOps is about making sure that the delivery pipeline produces a secure web application. Every company needs to make changes to its website, but before those changes are deployed to production, they pass through a continuous integration/continuous deployment (CI/CD) pipeline. As a security analyst, your role is to detect vulnerabilities at that stage, before the changes reach the production environment, where they are far cheaper to fix than after release.

If you go back 10 or more years, most business software was built as desktop (Windows) applications; today the trend has shifted, and most new projects are web-based or cloud-based, which is why these vulnerability classes matter so much.

In this chapter, you will learn about the following:

  • Cross‐site scripting
  • SQL injection
  • Command injection
  • File inclusion
  • Cross‐site request forgery
  • File upload bypass

Web Application Vulnerabilities

The back end of web applications is built using different programming languages. The most popular ones are Java, C# .NET (Framework/Core), ...
