In this chapter, we will dive much further into website and database penetration testing than we have so far. As a penetration tester, we need to simulate real-world attacks on a target organization's systems and networks, based on the rules of engagement. However, while being able to conduct information gathering, such as reconnaissance and scanning websites, is excellent, the true challenge comes when it's time to break in. It's all well and good preparing to infiltrate an enemy base, but all that preparation will come to nothing if you simply stand at a distance and do nothing!

In this chapter, we will look at compromising and gaining access to web servers and web applications. Additionally, you will learn some hands-on techniques and methodologies to discover vulnerabilities and retrieve data.

In this chapter, we will cover the following topics:

• Exploring the dangers of SQL injection
• SQL injection vulnerabilities and exploitation
• Cross-site scripting vulnerabilities
• Discovering vulnerabilities automatically