Attacks on the web application layer are on the rise, and innovative methodologies, attack vectors and exploits keep emerging. To combat these threats it is imperative to understand their nature, their characteristics and the risk they pose to the application layer. Some of the newer attack vectors are XPATH injection, LDAP poisoning and advanced SQL injection; these vectors are becoming popular against XML-based web applications. At the same time, new methodologies for web application footprinting and discovery are emerging, driven by the rich search engine information provided by Google & MSN. Web security professionals need these methodologies in their toolset. Open source exploit frameworks like Metasploit can be used effectively by penetration testers for web application exploit development. This presentation will cover new methodologies, tools and techniques on both aspects - attacks & defense.