While googling around, searching for books about web application exploitation, I came across this awesome book called “Web Hacking 101”.
The good thing about this book is the fact that it was written by an early-stage hacker who was at the beginning of learning web exploitation, and therefore it reports their progress in language comprehensible to newcomers.
The book itself is over 200 pages long, and it covers pretty much all you need to know to gear up and become a web application hacker.
It covers all the basics, explaining how each type of XSS attack works and showing past attacks as examples; overall you will be presented with dozens of real-world cases of XSS exploitation from bug bounties, mostly from HackerOne.
The attack vectors presented are the following:
- Open Redirect Vulnerabilities
- HTTP Parameter Pollution
- Cross-Site Request Forgery
- HTML Injection
- CRLF Injection
- Cross-Site Scripting
- Template Injection
- SQL Injection
- Server Side Request Forgery
- XML External Entity Vulnerability
- Remote Code Execution
- Sub Domain Takeover
- Race Conditions
- Insecure Direct Object References
- Application Logic Vulnerabilities
Besides all the explanations, you will be presented with a big list of tools used during attacks, and also YouTube videos and Twitter profiles to follow.
If you’re just starting to explore web application hacking, I really advise you to read this book: most of the available attack vectors are covered there, giving you a wide view of all the possible ways to be successful.
While you read it, try to test some of the examples, and come back later on after gaining some knowledge; it will all make more sense.
One very good tool covered in this book is Burp Suite. I suggest you try it; you can find a set of videos on how to work with Burp here: https://vimeo.com/album/3510171
Also, follow the author’s Twitter/YouTube accounts; he has plenty of hacking material for you to learn from.