38,39 €
Mehr erfahren.
- Herausgeber: Packt Publishing
- Kategorie: Wissenschaft und neue Technologien
- Sprache: Englisch
Master the art of conducting modern pen testing attacks and techniques on your web application before the hacker does!
About This Book
- This book covers the latest technologies such as Advance XSS, XSRF, SQL Injection, Web API testing, XML attack vectors, OAuth 2.0 Security, and more involved in today's web applications
- Penetrate and secure your web application using various techniques
- Get this comprehensive reference guide that provides advanced tricks and tools of the trade for seasoned penetration testers
Who This Book Is For
This book is for security professionals and penetration testers who want to speed up their modern web application penetrating testing. It will also benefit those at an intermediate level and web developers who need to be aware of the latest application hacking techniques.
What You Will Learn
- Get to know the new and less-publicized techniques such PHP Object Injection and XML-based vectors
- Work with different security tools to automate most of the redundant tasks
- See different kinds of newly-designed security headers and how they help to provide security
- Exploit and detect different kinds of XSS vulnerabilities
- Protect your web application using filtering mechanisms
- Understand old school and classic web hacking in depth using SQL Injection, XSS, and CSRF
- Grasp XML-related vulnerabilities and attack vectors such as XXE and DoS techniques
- Get to know how to test REST APIs to discover security issues in them
In Detail
Web penetration testing is a growing, fast-moving, and absolutely critical field in information security. This book executes modern web application attacks and utilises cutting-edge hacking techniques with an enhanced knowledge of web application security.
We will cover web hacking techniques so you can explore the attack vectors during penetration tests. The book encompasses the latest technologies such as OAuth 2.0, Web API testing methodologies and XML vectors used by hackers. Some lesser discussed attack vectors such as RPO (relative path overwrite), DOM clobbering, PHP Object Injection and etc. has been covered in this book.
We'll explain various old school techniques in depth such as XSS, CSRF, SQL Injection through the ever-dependable SQLMap and reconnaissance.
Websites nowadays provide APIs to allow integration with third party applications, thereby exposing a lot of attack surface, we cover testing of these APIs using real-life examples.
This pragmatic guide will be a great benefit and will help you prepare fully secure applications.
Style and approach
This master-level guide covers various techniques serially. It is power-packed with real-world examples that focus more on the practical aspects of implementing the techniques rather going into detailed theory.
Sie lesen das E-Book in den Legimi-Apps auf:
Seitenzahl: 258
Veröffentlichungsjahr: 2016
Ähnliche
Table of Contents
Mastering Modern Web Penetration Testing
Mastering Modern Web Penetration Testing
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: October 2016
Production reference: 1251016
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78528-458-8
www.packtpub.com
Credits
Author
Prakhar Prasad
Reviewer
Kubilay Onur Gungor
Commissioning Editor
Julian Ursell
Acquisition Editor
Rahul Nair
Content Development Editor
Amrita Noronha
Technical Editors
Manthan Raja
Copy Editor
Safis Editing
Project Coordinator
Shweta H Birwatkar
Proofreader
Safis Editing
Indexer
Mariammal Chettiyar
Graphics
Disha Haria
Production Coordinator
Arvindkumar Gupta
Cover Work
Arvindkumar Gupta
About the Author
Prakhar Prasad is a web application security researcher and penetration tester from India. He has been a successful participant in various bug bounty programs and has discovered security flaws on websites such as Google, Facebook, Twitter, PayPal, Slack, and many more. He secured the tenth position worldwide in the year 2014 at HackerOne's platform. He is OSCP and OSWP certified, which are some of the most widely respected certifications in the information security industry. He occasionally performs training and security assessment for various government, non-government, and educational organizations.
I am thankful from the bottom of my heart to the editors of this book, Kajal Thapar, Amrita Noronha, and Manthan Raja, for helping and assisting me at various stages of this book. The kick starter behind this book is my dear friend Rafay Baloch, a known name in the ethical-hacking community; he has been a constant source of encouragement and motivation.
The last chapter of this book on API testing is written entirely by Pranav Hivarekar, a renowned researcher in the domain of web application security, who is a very good friend of mine and a down-to-earth human being. I'm immensely thankful to him for coming up with and authoring a guest chapter for this book.
I'll do injustice if I don't mention my family, friends, and loved ones, who have always worked behind the scenes to keep me pumped up and motivated at different stages of this book. This book wouldn't be possible without their efforts.
About the Reviewer
Kubilay Onur Gungor has been working in the cyber security field for more than 8 years. He started his professional career with crypt analysis of encrypted images using chaotic logistic maps.
After working as a QA tester in the Netsparker project, he continued his career in the penetration testing field. He performed many penetration tests and consultancies for the IT infrastructure of many large clients, such as banks, government institutions, and telecommunication companies. After pen testing activities, he worked as a web application security expert and incident management and response expert in Sony Europe and Global Sony Electronics.
He believes in multidisciplinary approach on cyber security and defines it as a struggle. With this approach, he has developed his own unique certification and training program, including penetration testing, malware analysis, incident management and response, cyber terrorism, criminal profiling, unorthodox methods, perception management, and international relations. Currently, this certification program is up and running in Istanbul in the name of Cyber Struggle (https://cyberstruggle.org).
Besides security, he holds certificates in foreign policy, brand management, surviving in extreme conditions, international cyber conflicts, anti-terrorism accreditation board, terrorism and counter-terrorism comparing studies.
www.PacktPub.com
eBooks, discount offers, and more
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Why subscribe?
Preface
The World Wide Web, or what we generally refer to as the Web, has become a vital part of our everyday lives. The usage of the Web, ranging from a simple webmail to a complex and sensitive banking web application, has made our lives easier. The Web was initially designed as a means of sharing information among users of the Internet using a combination of web pages and a browser. The era has passed now, and it's no longer a place limited to sharing information. Instead, our day-to-day work is getting automated and put into web applications; this has definitely revolutionized communication and empowered us. The mere idea of your or my banking application being offline is a nightmare; the same is the case with cloud services, such as like Dropbox, Gmail, or even iCloud. Well, if this wasn't enough, imagine these services were hacked and all the sensitive data stored in them fell into the hands of hackers—this is even scarier, right? They can sell the data, distribute it in the public domain, or even blackmail individual users. All of this has happened in the past—recall the celebrity photo leaks in 2014, when Apple's iCloud service API was breached by hackers and sensitive photos were leaked on the Internet. Similarly, Ashley Madison, a controversial dating website, was breached in 2015, and its users received blackmail letters.
The Web, although charismatic, is not a safe place for anybody; the previously mentioned cases clearly prove the point. However, we can beef up security to an extent that it becomes really hard to break into. It's a well-known fact that nothing can be a hundred per cent secure, but improving security never hurt anybody.
In a classic penetration test of web applications, different types of attacking techniques are used to find vulnerabilities and use them to break into systems. However, the Web is a growing field, and newer technologies are added every now and then. Any penetration tester conducting a test on a web application needs to be aware of newer techniques in the domain so that the latest classes of issues don't remain unpatched; at the same time, the old techniques must be extrapolated for better outcomes. This book is an attempt to achieve both in order to impart newer techniques, such as XML attack vectors, which include the recently popular XXE attack. Then we have OAuth 2.0, which varies with implementations, and this results in flaws, such as account takeovers. Among older techniques, we have XSS, CSRF, and Metasploit Framework (relevant to web) to name a few. The content I have added here in this book will help augment the already understood concepts in depth.
This book is a means of sharing my knowledge of web applications with the community. I truly believe you will find this book beneficial in one way or another. As an author, I wish you good luck exploring this book.
Happy reading!
What this book covers
Chapter 1, Common Security Protocols, focuses on different basic concepts of the Web and security in general, which you will find beneficial when conducting tests in real life. Topics such as same-origin policy are very important if someone wants to understand the enforcement done by a browser in the context of a web application; then, there are different encoding techniques, one of them being Base64, which is quite popular.
Chapter 2, Information Gathering, deals with various reconnaissance or enumeration techniques to discover surfaces that can be attacked. The more someone enumerates a particular web target, the better the chances are of finding a vulnerability inside it. The famous quote by Abraham Lincoln sums this chapter up well: If I had eight hours to chop down a tree, I would spend 6 of those hours sharpening my axe.
Chapter 3, Cross-Site Scripting, is a refresher on one of the most exploited flaws on the Web: cross-site scripting. This chapter contains different techniques of XSS, and some of them are really nasty, such as performing XSS by spoofing an IP address.
Chapter 4, Cross-Site Request Forgery, highlights the importance of CSRF as an attack vector, teaches newer ways to perform CSRF, for instance, when the request is a JSON object. Then, there is a real-life case study on a critical CSRF vulnerability on PayPal.
Chapter 5, Exploiting SQL Injection, doesn't need any introduction at all. This chapter makes use of SQLMap and explores it to detect and exploit SQL injection flaws.
Chapter 6, File Upload Vulnerabilities, deals with security flaws plaguing file upload functionality, which is very common in any web application. Methods to create and use different kinds of web shells, some techniques of DoS, and bypasses on certain types of filters have been covered here.
Chapter 7, Metasploit and Web, explains the Metasploit Framework and its relevance to web application security. It covers how to generate a web backdoor payload through MSF and different modules, with direct or indirect relation to the Web.
Chapter 8, XML Attacks, covers attack vectors, which exploit XML parsing implementation in a web application; XXE is a vector covered here apart from DoS issues, such as the XQB attack.
Chapter 9, Emerging Attack Vectors, includes some latest or unpopular techniques, which include RPO (Relative Path Overwrite), DOM clobbering, and Insecure Direct Object Reference to name a few.
Chapter 10, OAuth 2.0 Security, discusses various flaws in implementing the OAuth 2.0 protocol in web applications. It starts with the relevant basics of OAuth and goes on to explain possible attacks.
Chapter 11, API Testing Methodology, is the last chapter of this book and a guest chapter by security researcher and my friend Pranav Hivarekar. It covers the basics of REST APIs and then goes on to explain fundamental issues and mistakes made by developers while implementing them. Various case studies have also been covered in this chapter to provide real-life examples.
What you need for this book
Chapter number
Software required (with version)
Hardware specifications
OS required
1-11
VirtualBox 5.1.x/VMWare Workstation 12.x
PC or Mac
Windows 7 SP1 (recommended) or higher Mac OS X 10.10 or higher
The host machine should have at least: 2.2 GHz Core i3/i5 processor or AMD equivalent. 8GB or 16GB of RAM, the higher the better.
VirtualBox or VMWare Workstation running the following operating systems: Kali Linux 2.0 Windows 7 SP1 (if host is Mac)
Windows 7/Mac OS X
Who this book is for
This book targets security professionals and penetration testers who want to speed up their modern web-application penetration testing. It will also benefit intermediate-level readers and web developers, who need to be aware of the latest application-hacking techniques.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning:
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles as shown next: "Data stored inside localStorage is also governed by this policy, that is, origin-separated."
A block of code is set as follows:
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus, or in dialog boxes, for example, appear in the text like this: "The Origin B server responds with Access-Control-Allow-Origin."
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. This is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title in the subject of your message.
If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, take a look at our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you get the most out of your purchase.
Downloading the example code
You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
You can download the code files by following these steps:
You can also download the code files by clicking on the Code Files button on the book's webpage at the Packt Publishing website. This page can be accessed by entering the book's name in the Search box. Please note that you need to be logged in to your Packt account.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Modern-Web-Penetration-Testing. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately, so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
Questions
If you have a problem with any aspect of this book, you can contact us at <[email protected]>, and we will do our best to address the problem.
CORS
CORS allows cross-domain HTTP data exchange, which means a page running at origin A can send/receive data from a server at origin B. CORS is abundantly used in web applications where web fonts, CSS, documents, and so on are loaded from different origins, which may not be of the origin where the resources are actually stored. Most content delivery networks (CDNs) which provide resource-hosting functionality typically allow any website or origin to interact with themselves.
CORS works by adding a new HTTP header that allows the web server to speak up a list of whitelisted domains that are allowed to connect and interact with the server. This thing is also browser enforced; the browser reads the header and processes accordingly.
The following flow chart shows the CORS flow at different positions:
CORS flowchart diagram (Source: https://www.soasta.com)
CORS headers
There are less than a dozen HTTP headers that are related to CORS but I'll try to explain a few commonly used CORS headers:
Example: Access-Control-Allow-Origin: http://api.example.com
Access-Control-Allow-Methods: This is another response header; the server responds with this header and instructs the browser to check for allowed HTTP methods mentioned inside it. If the server only allows GET and a POST request is initiated then it will be dropped if not mentioned in this list.Example: Access-Control-Allow-Methods: GET
Origin: This is a request header which tells the server from which domain origin the request was attempted. The origin header is always sent alongside cross-domain requests.Example: Origin: http://example.com
Pre-flight request
A pre-flight request
