What are the interesting and trending topics in web security?
It's an incredibly broad topic, so I'll try to cover this as best I can:
Quickly Master the Most Important Web Hacking/Penetration Testing Tool, the Burp Suite.
1. Learn the most important features of the Burp Suite.
2. Hands-on exercises.
3. Automate what you can.
4. Do efficient manual testing.
- Web application vulnerabilities, such as those found to be vulnerable to XSS (e.g., JS injection), SQLi, and occur in any language/framework that has not been properly implemented, for instance J2EE with Netbeans, Ruby on Rails, Python Django, and so on (most of which have the capability to do CSFR protection, form field sanitization, etc., built into the framework today that aids greatly in protection).
- Endpoint vulnerability, such as MiM attacks that utilize vulnerabilities in encryption technology like TLS/SSL (e.g., Transport Layer Security BEAST attack), SSL certificate collision attack (Collision attack), or simply stealing valid SSL certificates from their source (Warning over stolen digital certificates used to attack 'Google properties'). It was recently revealed that the NSA may have weakened or broken SSL/TLS security for the web (Has the NSA broken SSL? TLS? AES? | ZDNet).
- Denial of service type attacks (Slow/HTTP DoS, DDoS, etc.), which often take advantage of problems in the web server applications themselves (Slowloris) or poorly configured DNS servers (DNS Amplification Attacks).
- Broader web server application vulnerabilities, such as those being exploited by the Blackhole Exploit Kit (Linux/Cdorked.A - A new Apache backdoor is being used in the wild to serve Blackhole).
Quickly Master the Most Important Web Hacking/Penetration Testing Tool, the Burp Suite.
1. Learn the most important features of the Burp Suite.
2. Hands-on exercises.
3. Automate what you can.
4. Do efficient manual testing.