How to Attack and Defend Your Website

Book Description

How to Attack and Defend Your Website is a concise introduction to web security that includes hands-on web hacking tutorials. The book has three primary objectives: to help readers develop a deep understanding of what is happening behind the scenes in a web application, with a focus on the HTTP protocol and other underlying web technologies; to teach readers how to use the industry standard in free web application vulnerability discovery and exploitation tools – most notably Burp Suite, a fully featured web application testing tool; and finally, to gain knowledge of finding and exploiting the most common web security vulnerabilities.

This book is for information security professionals and those looking to learn general penetration testing methodology and how to use the various phases of penetration testing to identify and exploit common web protocols.

How to Attack and Defend Your Website is the first book to combine the methodology behind using penetration testing tools such as Burp Suite and Damn Vulnerable Web Application (DVWA) with practical exercises that show readers how to (and therefore how to prevent) pwn with SQLMap and use stored XSS to deface web pages.

  • Learn the basics of penetration testing so that you can test your own website's integrity and security
  • Discover useful tools such as Burp Suite, DVWA, and SQLMap
  • Gain a deeper understanding of how your website works and how best to protect it

Table of Contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Author Biography
  6. Contributing Editor Biography
  7. Introduction
  8. Chapter 1: Web Technologies
    1. Abstract
    2. 1.1. Web servers
    3. 1.2. Client-side versus server-side programming languages
    4. 1.3. JavaScript – what is it?
    5. 1.4. What can JavaScript do?
    6. 1.5. What can JavaScript not do?
    7. 1.6. Databases
    8. 1.7. What about HTML?
    9. 1.8. Web technologies – putting it together
    10. 1.9. Digging deeper
    11. 1.10. Hypertext Transfer Protocol (HTTP)
    12. 1.11. Verbs
    13. 1.12. Special characters and encodings
    14. 1.13. Cookies, sessions, and authentication
    15. 1.14. Short exercise: Linux machine setup
    16. 1.15. Using the Burp Suite intercepting proxy
    17. 1.16. Why is the intercepting proxy important?
    18. 1.17. Short exercise – using the Burp Suite decoder
    19. 1.18. Short exercise – getting comfortable with HTTP and Burp Suite
    20. 1.19. Understanding the application
    21. 1.20. The Burp Suite site map
    22. 1.21. Discovering content and structures
    23. 1.22. Understanding an application
  9. Chapter 2: Exploitation
    1. Abstract
    2. 2.1. Bypassing client side controls
    3. 2.2. Bypassing client-side controls – example
    4. 2.3. Bypassing client-side controls – exercise solution
    5. 2.4. SQL injection
    6. 2.5. SQL injection
    7. 2.6. Short Exercise: Pwning with SQLMap
    8. 2.7. Cross-site scripting (XSS)
    9. 2.8. Stored cross-site scripting XSS
    10. 2.9. Short exercise: using stored XSS to deface a website
  10. Chapter 3: Finding Vulnerabilities
    1. Abstract
    2. 3.1. The basic process – steps
    3. 3.2. Exercise – finding vulnerabilities