This is a list of tutorial resources that can be helpful to security researchers who want to learn more about web and mobile application hacking. Please let us know if you have any suggestions for resources that we should add to this post!
Web Applications:
XSS
- A comprehensive tutorial on cross-site scripting - link
- Favorite XSS Filters/IDS and how to attack them - pdf link
- Introduction to cross-site scripting - link
- Avoiding XSS Detection - link
CSRF
SQL Injection
- Introduction to SQL Injection - link
- Introduction to MySQL Injection - link
- Full MSSQL Injection PWNage - link
- Everything you wanted to know about SQL injection - link
Remote Code/Command Execution
- How to find RCE in scripts (with examples) - link
- Yahoo LFI Converted to RCE - link
- Remote Code Execution in Elasticsearch - CVE-2015-1427 - link
XXE
- Generic XXE Detection - link
- XML Out-Of-Band Data Retrieval - pdf link
- SSRF vs. Business-critical applications: XXE tunneling in SAP - pdf link
- What you didn't know about XXE - pdf link
Other:
- SSRF Attacks - slideshare link
- Cross Site Port Attacks - link
- Hunting for Top Bounties - YouTube link
- How to steal and modify data using Business Logic flaws - slideshare link
- Exploiting CVE-2011-2461 on google.com - link
- PentesterLab - link - PentesterLab provides vulnerable systems that can be used to test and understand vulnerabilities. (thanks @n0x00)
- InjectX to find XSS - link (thanks @1N3)
- Attacking Ruby on Rails Applications - link
Mobile Applications:
Android
iOS