Other Common Security Flaws in Web Applications

So far in this book, we have covered most of the issues surrounding web application security and penetration testing, albeit briefly. However, due to the nature of web applications—which represent such a mixture of diverse technologies and methodologies that do not always work well together—the number of specific vulnerabilities and different types of attacks targeting these applications is so large and rapidly changing that no single book could possibly cover everything; hence, some things must be left out.

In this chapter, we will cover a diverse set of vulnerabilities commonly present in web applications that sometimes escape the focus of developers and security testers, not because they are unknown (in fact, some are in the OWASP Top 10), but because their impact is sometimes underestimated in real-world applications, or because vulnerabilities such as SQL injection and XSS receive far more attention due to their direct impact on users' information. The vulnerabilities covered in this chapter are as follows:

  • Insecure direct object references
  • File inclusion vulnerabilities
  • HTTP parameter pollution
  • Information disclosure