The fundamental security problem with web applications — that all user input is untrusted — gives rise to a number of security mechanisms that applications use to defend themselves against attack. Virtually all applications employ mechanisms that are conceptually similar, although the details of the design and the effectiveness of the implementation differ very widely indeed.
The defense mechanisms employed by web applications comprise the following core elements:
Handling user access to the application's data and functionality, to prevent users from gaining unauthorized access.
Handling user input to the application's functions, to prevent malformed input from causing undesirable behavior.
Handling attackers, to ensure that the application behaves appropriately when being directly targeted, taking suitable defensive and offensive measures to frustrate the attacker.
Managing the application itself, by enabling administrators to monitor its activities and configure its functionality.
Because of their central role in addressing the core security problem, these mechanisms also make up the vast majority of a typical application's attack surface. If knowing your enemy is the first rule of warfare, then understanding these mechanisms thoroughly is the main prerequisite to being able to attack applications effectively. If you are new to hacking web applications, and even if you are not, you should be sure to take time to understand how these core mechanisms ...