The world of web application security is pretty much a field of its own within the realm of computer security. There are tons of in-house coded web applications in use that are Internet facing. Little surprise then that a pile of them are also bug ridden. When you are contracted to perform a vulnerability assessment/pen-test/choose your term, just how do you go about it? It really isn’t all that different then testing other parts of the network. You might take a web application scanner like Acunetix to make a first pass at the application under evaluation. From there you would view the results and follow up with pin point tests to determine the validity of the alerts. Make no mistake about it, commercial tools are as prone to false positives as open-source ones. They are very helpful though in speeding up your testing by making a fast series of tests. You need to follow up though with specific testing, and that requires knowledge of HTTP, PHP, and so on. A very long list that also includes the oft mentioned SQL injection exploits, cross-site scripting, web traversal, and many others. Keeping up to date is almost a full time exercise of its own. Any of you have some interesting stories that involve web application security?