Authentication

Attacks
Presented by Anindya Sinha
OBJECTIVES
Overview of Topics:
Scanning with Nmap
Discovering the infrastructure within the application
Identifying the machines and operating systems
Exploring virtual hosting and its impact on testing
Learning methods to identify load balancers
Attacking session management
Hijacking web session cookies
Web session tools
Session tracking
Authentication bypass flaws
Mutillidae
Command Injection
Directory traversal, Local File Inclusion (LFI), Remote File
Inclusion (RFI)
SQL injection (Error based, Blind)
Exploiting SQL injection
DVWA
Cross-site scripting: Anatomy of an XSS exploitation, XSS
exploitations
Intro to Nmap
Definition:
Nmap (Network Mapper) is an open-source tool for network exploration and
security auditing.
Purpose:
Identify active devices on a network.
Discover services and their versions running on these devices.
Detect operating systems and other host characteristics.
Perform network inventory and manage service upgrade schedules.
Monitor host or service uptime.
Common Uses:
Network inventory.
Service management and upgrade schedules.
Security auditing and vulnerability scanning.
Monitoring host or service uptime.
Installing Nmap
Windows Installation:
Download the installer from the official Nmap website.
Run the installer and follow the prompts.
Ensure the PATH variable includes the Nmap directory for command-line use.
Linux Installation:
Use package managers like APT (Debian-based): sudo apt-get install nmap.
For RPM-based systems (RedHat, CentOS): sudo yum install nmap.
Mac Installation:
Use Homebrew package manager: brew install nmap.
Common Installation Issues:
Dependency errors: Install required libraries and dependencies.
Permissions issues: Run the installation with root or administrative privileges.
Basic Scanning Techniques
Basic Command Syntax:
Basic Scan: nmap [target].
Multiple Targets: nmap [target1] [target2].
Range of IPs: nmap 192.168.1.1-254.
Subnet: nmap 192.168.1.0/24.
Common Options:
-sP or -sn: Ping scan to discover active hosts.
-sS: TCP SYN scan, the most common and fast scan type.
-A: Enable OS detection, version detection, script scanning, and traceroute.
-v: Increase verbosity level.
Interpreting Results:
Open Ports: Listed with their state (open, filtered, closed) and service name.
Service Versions: When using -sV, shows the version of the services.
OS Information: Displayed when using OS detection options.
Advanced Scanning
Service and Version Detection:
Command: nmap -sV [target].
Purpose: Identify running services and their versions for vulnerability
assessment.
Example: nmap -sV 192.168.1.1.
OS Detection:
Command: nmap -O [target].
Purpose: Determine the operating system of the target machine.
Example: nmap -O 192.168.1.1.
Additional Flags: Use --osscan-guess for a more aggressive guess.
Additional Advanced Options:
-p: Specify port range, e.g., nmap -p 80,443,8080 [target].
--script: Run specific Nmap scripts for advanced detection, e.g., nmap --
script=vuln [target].
-T4: Adjust timing templates for faster scans, suitable for large networks.
Real World Scenarios
Example 1: Scanning a Network Segment:
Objective: Identify all active devices within a subnet.
Command: nmap -sn 192.168.1.0/24.
Output: Lists IP addresses of active devices.
Example 2: Detailed Scan of a Single Host:
Objective: Discover open ports, services, and OS on a specific host.
Command: nmap -A 192.168.1.10.
Output: Detailed information on open ports, running services, service versions,
and OS.
Example 3: Detecting Vulnerabilities:
Objective: Identify potential vulnerabilities on a web server.
Command: nmap --script=vuln 192.168.1.10.
Output: Displays known vulnerabilities associated with detected services.
Nmap Scripts NSE
Introduction to NSE:
The Nmap Scripting Engine (NSE) allows users to write and share scripts for
automating a wide variety of networking tasks.
Scripts can be used for vulnerability detection, network discovery, and more.
Commonly Used Scripts:
Vulnerability Detection: nmap --script vuln [target].
Checks for known vulnerabilities on the target.
Service Detection: nmap --script http-enum [target].
Enumerates web server directories.
Brute Force Attacks: nmap --script http-brute [target].
Attempts to brute force HTTP authentication.
Running Scripts:
Basic Command: nmap --script [script_name] [target].
Example: nmap --script http-enum 192.168.1.10.
Summary and Best Practices
Nmap is a versatile and powerful tool for network discovery and security auditing.
It supports basic scanning, service and OS detection, and advanced scripting.

Best Practices:
Regular Scans: Perform regular network scans to maintain up-to-date
knowledge of your network.
Combination of Tools: Use Nmap in conjunction with other security tools for
comprehensive assessment.
Ethical Considerations: Always have proper authorization before scanning any
network.
Staying Updated: Keep Nmap and its scripts updated to leverage the latest
features and detection capabilities.
Infrastructure of an Application
Components:
- Front-End
- Back-End
- Network Components
- Data Storage

Purpose: Provide a cohesive framework to understand how different parts of a

web application interact and how to secure them.
Front End
Definition: The client-side part of the application that interacts directly with the
user.
- Technologies:
- HTML: Structure of the web page.
- CSS: Styling of the web page.
- JavaScript: Dynamic behavior and interactivity.
- Frameworks:
- React: A JavaScript library for building user interfaces.
- Angular: A platform for building mobile and desktop web applications.
- Vue.js: A progressive JavaScript framework for building UIs.
- Role:
- Render content and user interfaces.
- Handle user inputs and interactions.
- Communicate with the back-end via APIs.
Back End
Definition: The server-side part of the application that handles business logic,
database operations, and user authentication.
Technologies:
Web Servers: Apache, Nginx.
Serve web content and manage HTTP requests.
Application Servers: Node.js, Tomcat.
Execute server-side scripts and manage application operations.
Databases: MySQL, PostgreSQL, MongoDB.
Store, retrieve, and manage data.
Frameworks:
Express.js: Web framework for Node.js.
Spring: Java-based framework for building enterprise applications.
Django: High-level Python web framework.
Role:
Process user requests and business logic.
Interact with databases to fetch and store data.
Ensure data integrity and security.
Network Component
Definition: Hardware and software that facilitate the communication between the
client and server.
Key Components:
Routers:
Direct data packets between devices on different networks.
Example: Cisco routers.
Firewalls:
Monitor and control incoming and outgoing network traffic.
Example: pfSense, Palo Alto.
Load Balancers:
Distribute network or application traffic across multiple servers.
Example: HAProxy, F5 Big-IP.
Role:
Ensure reliable communication.
Provide security by blocking unauthorized access.
Enhance performance by balancing loads.
Data Storage Component
Definition: Systems used to store and manage data persistently.

Types:
Relational Databases: MySQL, PostgreSQL.
Use structured query language (SQL) for defining and manipulating data.
Ensure data integrity through ACID properties (Atomicity, Consistency,
Isolation, Durability).
NoSQL Databases: MongoDB, Cassandra.
Store data in various formats (document, key-value, wide-column, graph).
Offer high scalability and flexibility.
File Storage Systems: Amazon S3, Google Cloud Storage.
Store unstructured data like images, videos, and backups.

Role:
Persistently store data.
Ensure data availability and redundancy.
Manage data access and security.
Communication Protocols
HTTP/HTTPS:
HTTP: HyperText Transfer Protocol, the foundation of data communication for
the web.
HTTPS: Secure version of HTTP, using SSL/TLS to encrypt data.
WebSockets:
Full-duplex communication channels over a single TCP connection.
Used for real-time applications like chat apps and live updates.
API Protocols:
REST: Representational State Transfer, uses standard HTTP methods (GET,
POST, PUT, DELETE).
GraphQL: Query language for APIs, provides a complete and understandable
description of the data.

Role:
Facilitate data exchange between client and server.
Ensure secure data transmission.
Provide real-time communication capabilities.
Security Considerations
Authentication:
Verifying user identity.
Methods: Passwords, OAuth, Multi-factor authentication (MFA).
Authorization:
Granting or denying user access to resources.
Methods: Role-Based Access Control (RBAC), Attribute-Based Access Control
(ABAC).
Data Encryption:
Protecting data at rest and in transit.
Methods: SSL/TLS for HTTPS, AES for data storage.
Intrusion Detection and Prevention:
Monitoring and protecting against malicious activities.
Tools: Snort, OSSEC.
Regular Security Audits:
Conducting vulnerability assessments and penetration testing.
Compliance with security standards (e.g., OWASP, ISO 27001).
Performance Optimization
Caching:
Storing frequently accessed data for quick retrieval.
Tools: Redis, Memcached.
Load Balancing:
Distributing traffic across multiple servers.
Ensures high availability and reliability.
Database Optimization:
Indexing, query optimization, and partitioning.
Content Delivery Networks (CDNs):
Distributing content closer to the user’s geographical location.
Tools: Cloudflare, Akamai.
Monitoring and Maintenance
Monitoring Tools:
Server Monitoring: Nagios, Zabbix.
Application Performance Monitoring (APM): New Relic, Dynatrace.
Log Management: ELK Stack (Elasticsearch, Logstash, Kibana), Splunk.

Regular Updates:
Keeping software and libraries up-to-date to patch vulnerabilities.

Backup and Recovery:

Regular backups and having a disaster recovery plan.
Tools: Veeam, AWS Backup.
Real World Example
E-commerce Application:

Front-End: Built with React for dynamic user interfaces.

Back-End: Node.js with Express.js handling server-side logic.
Database: MongoDB for product and user data.
Network: Load balancer (HAProxy), firewall (pfSense), and secure routers
(Cisco).
Data Storage: Amazon S3 for images and other media files.
Security: HTTPS for secure communication, OAuth for user authentication, and
regular vulnerability assessments.
Performance: Caching with Redis, CDN for content delivery, and optimized
queries for faster database access.
Monitoring: New Relic for application performance, Nagios for server health,
and ELK Stack for log management.
Best Practices
Design for Scalability: Plan infrastructure to handle growth in user load.
Prioritize Security: Implement robust security measures at every layer.
Optimize Performance: Regularly review and optimize performance.
Monitor Continuously: Use monitoring tools to keep track of the application’s
health and performance.
Regular Maintenance: Keep all components up-to-date and conduct regular
security audits.
Machine and OS Identification
Definition:
Machine Identification: The process of discovering devices on a network and
gathering information about them.
OS Identification: Determining the operating system running on a discovered
device.
Purpose:
Enhance network security by understanding the devices and systems present.
Identify potential vulnerabilities specific to operating systems.
Aid in network inventory and management.
Why do we need to do it?
Security Analysis: Understanding the devices and OSes present on a network allows
organizations to assess potential security risks and vulnerabilities. Different operating systems
have unique security features and vulnerabilities. By identifying the OS, security teams can
prioritize patches, updates, and security measures accordingly.

Vulnerability Assessment: Once the machines and OSes are identified, security professionals
can perform vulnerability assessments to determine if any known vulnerabilities exist for those
specific systems. This knowledge helps prioritize remediation efforts and strengthen overall
network security posture.

Access Control: Knowing which devices and OSes are accessing the network enables
administrators to enforce access control policies more effectively. By identifying unauthorized
devices or unusual OS versions, administrators can take proactive measures to prevent
unauthorized access and potential security breaches.

Network Inventory: Identifying machines and OSes aids in maintaining an accurate inventory of
network assets. This inventory is crucial for asset management, resource allocation, and
planning for future network upgrades or expansions.
Why do we need to do it?
Troubleshooting and Performance Optimization: Understanding the types of devices and OSes
on the network can help diagnose and troubleshoot network issues more efficiently. It enables
administrators to tailor troubleshooting approaches to the specific characteristics of the
devices and OSes involved. Additionally, knowing the OS can aid in optimizing network
performance by configuring network settings and resources based on OS requirements.

Compliance and Regulatory Requirements: Many compliance standards and regulatory

requirements mandate the identification and documentation of network assets, including
machines and their respective operating systems. Compliance with these standards helps
organizations avoid penalties, maintain customer trust, and demonstrate a commitment to
cybersecurity best practices.
 Tools for Identification
Popular Tools:
Nmap: Network discovery and security auditing tool.
Netcat: Versatile networking tool for debugging and investigation.
Wireshark: Network protocol analyzer for packet capturing and analysis.
Ping: Basic network utility to test reachability and measure round-trip time.
p0f
Xprobe2
p0scan
Hping
Why do we need to do it?
Security Analysis: Understanding the devices and OSes present on a network allows
organizations to assess potential security risks and vulnerabilities. Different operating systems
have unique security features and vulnerabilities. By identifying the OS, security teams can
prioritize patches, updates, and security measures accordingly.

Vulnerability Assessment: Once the machines and OSes are identified, security professionals
can perform vulnerability assessments to determine if any known vulnerabilities exist for those
specific systems. This knowledge helps prioritize remediation efforts and strengthen overall
network security posture.

Access Control: Knowing which devices and OSes are accessing the network enables
administrators to enforce access control policies more effectively. By identifying unauthorized
devices or unusual OS versions, administrators can take proactive measures to prevent
unauthorized access and potential security breaches.

Network Inventory: Identifying machines and OSes aids in maintaining an accurate inventory of
network assets. This inventory is crucial for asset management, resource allocation, and
planning for future network upgrades or expansions.
Load Balancers
Load balancers are critical components in network infrastructure that distribute incoming
network traffic across multiple servers. This ensures no single server becomes overwhelmed,
improving performance and reliability. They also provide fault tolerance by rerouting traffic if a
server fails.

Functions of Load Balancers

Traffic Distribution: Distributes incoming requests to multiple servers to optimize resource use.
High Availability: Ensures application uptime by redirecting traffic if a server goes down.
Scalability: Enables adding or removing servers based on demand.
Security: Often includes features like SSL termination, DDoS protection, and Web Application
Firewalls (WAF).
 Identifying Load Balancers
1. DNS Analysis
DNS Records and Resolution:
Multiple IP Addresses: When you resolve a domain name using tools like nslookup or dig, if
multiple IP addresses are returned, it suggests that DNS-based load balancing might be in place
(e.g., round-robin DNS).

dig example.com +short

Output:

Copy code
192.0.2.1
192.0.2.2
192.0.2.3
Multiple IP addresses suggest DNS-based load balancing.
 Identifying Load Balancers
2. HTTP Headers
Headers Indicating Load Balancing:
X-Forwarded-For (XFF): This header is commonly added by proxies and load balancers to
identify the original IP address of the client making the request.
X-Forwarded-Host: Indicates the original host requested by the client.
X-Load-Balancer: Some load balancers may add this custom header to signify their presence.
Via: This header can show information about intermediate proxies or load balancers handling
the request.
To inspect headers, you can use tools like:
Burp Suite: Intercept and analyze HTTP headers.
Curl: Fetch and display HTTP headers.
curl -I http://example.com
Output:
HTTP/1.1 200 OK
X-Forwarded-For: 203.0.113.10
X-Forwarded-Host: example.com
Server: nginx
The presence of X-Forwarded-For indicates traffic is routed through a load balancer.
 Identifying Load Balancers
3. Network Behavior
Inconsistent IP Addresses:
Varying IP Responses: When you repeatedly access a service, if the IP address in the responses
changes, it indicates the presence of multiple backend servers behind a load balancer.
TTL Values:
TTL Variability: Different TTL values in ICMP responses can indicate different network paths to
multiple servers behind a load balancer.
Tools:
Traceroute: Can help detect routing paths and potential load balancer presence by showing
different hops.
traceroute to example.com (192.0.2.1), 30 hops max, 60 byte packets
1 router.local (192.168.1.1) 1.123 ms 1.101 ms 1.091 ms
2 10.0.0.1 (10.0.0.1) 2.456 ms 2.423 ms 2.412 ms
3 load-balancer.example.com (203.0.113.1) 3.789 ms 3.745 ms 3.731 ms
Seeing a hop that resolves to a known load balancer hostname indicates load balancing.
 Identifying Load Balancers
4. Tools and Techniques
Service and Port Scanning:
Nmap: Use nmap to perform a service scan which can reveal specific load balancer devices and
configurations.
Netcraft: Provides detailed infrastructure analysis of websites, which can reveal load balancers
and other components.

5. Response Analysis
Response Discrepancies:
Inconsistent Responses: Different responses for the same request can indicate load balancing,
such as variations in server headers, cookies, or response times.
Server Headers: Sometimes backend servers expose their identity via HTTP headers, like Server:
Apache vs. Server: Nginx, indicating different servers behind a load balancer.
 Identifying Load Balancers
6. Load Balancer-Specific Behavior
Session Persistence (Sticky Sessions):

Session Affinity: If a load balancer is configured for session persistence, the same client will be
directed to the same backend server. This can be detected by monitoring consistent session
behavior from the same client over multiple requests.

7. Advanced Fingerprinting Techniques

SSL/TLS Fingerprinting:

Certificate Details: Different backend servers might present slightly different SSL/TLS
certificates or configurations, which can be detected by tools like SSL Labs.
Timing Attacks:

Response Times: Analyzing response times can sometimes reveal load balancing patterns,
especially under different loads. Consistent timing anomalies might indicate switching between
servers.
Attacking Session Management
Session management is crucial in web applications to maintain the state of interactions between a
client and a server. However, improper session management can lead to severe security
vulnerabilities.

Session Fixation:
Description: An attacker fixes a user's session ID before they log in, then takes over the session
once the user is authenticated.
Techniques:
URL Parameter: Forcing the victim to use a specific session ID via a URL.
Cookie Setting: Tricking the victim into setting a specific session cookie.

Session Prediction:
Description: Predicting or brute-forcing session IDs if they are not generated securely.
Techniques:
Weak Session ID Generation: Exploiting predictable or short session ID patterns.
Brute Force: Systematically trying possible session IDs until a valid one is found.
Attacking Session Management
Cross-Site Request Forgery (CSRF):
Description: Forcing a logged-in user to execute unwanted actions on a web application where
they are authenticated.
Techniques:
Hidden Forms: Sending the victim a form that submits a request automatically.
Image Tags: Embedding a request in an image tag.

Session Token Analysis:

Entropy Analysis: Analyzing the randomness of session tokens to identify patterns.
Replay Attack: Reusing a valid session token to gain unauthorized access.

Token Sniffing and Manipulation:

Network Sniffing: Capturing tokens from unsecured communication channels.
Token Replay: Using intercepted tokens to re-establish a session.
Attacking Session Management
Session Expiry and Invalidation Attacks:
Forced Logout: Using stolen session tokens before they expire.
Session Inactivity: Exploiting improper session expiry policies.

Subdomain and Path Leakage:

Scope Inconsistencies: Stealing session tokens set for broader scopes (e.g., *.example.com).

Tools for Session Management Attacks

Burp Suite: For intercepting, modifying, and replaying HTTP requests.
Wireshark: For capturing network traffic and analyzing session tokens.
OWASP ZAP: For automated and manual security testing.
Cookie Cadger: For sniffing HTTP cookies over insecure networks.
Web Session Cookies
Session Cookies:
Definition: Session cookies are small pieces of data stored by a browser and sent to the server
with each request. They typically contain a session ID (SID) that uniquely identifies the user's
session.
Purpose: Maintain the state and allow users to stay logged in as they navigate different pages of
the web application.

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionId=abc123; Path=/; HttpOnly; Secure; SameSite=Strict

Breakdown of the Cookie

Name=Value Pair:
sessionId=abc123: The cookie's name is sessionId, and its value is abc123.
Web Session Cookies
Attributes:

Path=/: The path attribute specifies the URL path for which the cookie is valid. In this case, the
cookie is valid for the entire site.
HttpOnly: This attribute makes the cookie inaccessible to JavaScript running on the page, which
helps mitigate certain types of attacks such as Cross-Site Scripting (XSS).
Secure: The cookie will only be sent over HTTPS, ensuring it is encrypted during transmission.
SameSite=Strict: This attribute prevents the cookie from being sent with cross-site requests,
which helps mitigate Cross-Site Request Forgery (CSRF) attacks.
Web Session Cookies - Hijacking
Session hijacking involves intercepting or manipulating the communication between a user and a
web application to take over a user's session. The primary target of session hijacking is the session
cookie, which is used to maintain the state of the user's interaction with the web application.

Packet Sniffing:
How It Works: An attacker captures unencrypted traffic between the client and server to
extract session cookies.
Tools: Wireshark, tcpdump.
Scenario: On a public Wi-Fi network, an attacker intercepts HTTP traffic to steal session
cookies.

Cross-Site Scripting (XSS):

How It Works: An attacker exploits a vulnerability in the web application to inject malicious
scripts. These scripts run in the victim's browser and steal session cookies.
Tools: Burp Suite, OWASP ZAP for injecting and testing XSS payloads.
Scenario: A user visits a compromised page that executes a script to send their session cookie
to the attacker.
Web Session Cookies - Hijacking
Man-in-the-Middle (MITM):
How It Works: An attacker intercepts communication between the client and server, potentially
modifying the data in transit or stealing session cookies.
Tools: Ettercap, SSLstrip.
Scenario: An attacker intercepts and downgrades HTTPS traffic to HTTP, capturing session cookies.

Session Fixation:
How It Works: An attacker sets a known session ID before the user logs in. Once the user
authenticates, the attacker uses the fixed session ID to hijack the session.
Tools: Burp Suite for manipulating requests.
Scenario: An attacker sends a user a link with a predefined session ID. The user logs in, and the
attacker accesses the account using the same session ID.

Cross-Site Request Forgery (CSRF):

How It Works: An attacker tricks the user into performing actions without their knowledge, using
the victim's authenticated session.
Tools: Burp Suite, OWASP ZAP for crafting CSRF payloads.
Scenario: An attacker sends a malicious link to the victim, which, when clicked, performs actions
on the web application using the victim's session.
Authentication Bypass
Authentication bypass flaws are vulnerabilities that allow attackers to bypass the authentication
mechanisms of a web application, gaining unauthorized access to restricted areas. These flaws can
result from various weaknesses in the implementation of authentication logic.

Weak Password Policy

Default Credentials
Brute Force Attacks
Insecure Direct Object References (IDOR)
SQL Injection
Logic Flaws in Authentication
Session Fixation
Unvalidated Redirects and Forwards
Exposed Session Tokens
Client-Side Authentication
Authentication Bypass -MFA
Multi-Factor Authentication (MFA) significantly enhances the security of web applications by
requiring users to provide multiple forms of verification before gaining access. Typically, MFA
involves a combination of:
Something you know (e.g., password or PIN)
Something you have (e.g., a smartphone or hardware token)
Something you are (e.g., fingerprint or other biometric data)

Key Benefits of MFA

1. Increased Security:
Defense in Depth: Even if one factor (e.g., password) is compromised, additional factors provide
a secondary line of defense.
Reduced Risk of Credential Theft: Phishing attacks, which often target passwords, are less
effective since an attacker also needs the second factor.
2. Mitigation of Common Attacks:
Brute Force Attacks: MFA limits the effectiveness of brute force attacks as knowing the
password alone is insufficient.
Man-in-the-Middle Attacks: Even if an attacker intercepts the credentials, the second factor
remains a barrier.
Authentication Bypass -MFA
Potential Challenges in Implementing MFA
1. User Experience and Usability:
Complexity: MFA can be perceived as cumbersome, leading to resistance from users
accustomed to single-factor authentication.
Accessibility: Users without access to reliable mobile phones or who have disabilities might find
it difficult to use certain MFA methods.
2. Implementation Challenges:
Integration: Adding MFA to existing applications can be complex, requiring changes to the
authentication logic and user management systems.
Compatibility: Ensuring MFA works seamlessly across different devices, operating systems, and
browsers can be challenging.
3. Cost and Resource Requirements:
Initial Setup: Implementing MFA involves upfront costs for purchasing and setting up the
necessary infrastructure (e.g., hardware tokens, SMS gateways).
Maintenance: Ongoing costs include maintaining the MFA system, managing user support, and
handling lost or stolen second factors.
Authentication Bypass -MFA
Security Considerations:
Attack Surface: MFA can introduce new vulnerabilities if not implemented correctly (e.g., flaws
in the SMS delivery mechanism or the MFA software itself).
Phishing of Second Factors: Advanced phishing attacks might target the second factor, such as
tricking users into revealing their OTPs.
Evaluation of MFA Effectiveness
Positive Impact
Substantial Security Improvement: MFA greatly reduces the risk of unauthorized access due to
stolen or guessed passwords.
Adaptability: Modern MFA solutions (e.g., app-based authenticators like Google Authenticator
or hardware tokens like YubiKey) provide flexible and robust security options.
Widespread Adoption: Many high-profile web services (e.g., Google, Microsoft) implement MFA,
demonstrating its effectiveness and practicality.
Negative Impact
User Frustration: Poor implementation or lack of user-friendly options can lead to frustration
and potential circumvention by users.
Overreliance on Single MFA Method: Solely relying on one type of second factor (e.g., SMS-
based OTP) can introduce vulnerabilities, as seen with SIM-swapping attacks.
Imp topics
Command Injection, Directory traversal Local File
Inclusion (LFI), Remote File Inclusion (RFI), SQL
injection, Blind SQL injection, Error based SQL
injection, Exploiting SQL injection, Cross-site
scripting: Anatomy of an XSS exploitation, XSS
exploitations.

Topics to read - Definition, How does it work, example.