Mastering Modern Web Penetration Testing

Book Description

Master the art of conducting modern pen testing attacks and techniques on your web application before the hacker does!

About This Book

  • This book covers the latest technologies and attack techniques involved in today's web applications, such as advanced XSS, XSRF, SQL Injection, Web API testing, XML attack vectors, OAuth 2.0 security, and more
  • Penetrate and secure your web application using various techniques
  • Get this comprehensive reference guide that provides advanced tricks and tools of the trade for seasoned penetration testers

Who This Book Is For

This book is for security professionals and penetration testers who want to speed up their modern web application penetration testing. It will also benefit intermediate-level readers and web developers who need to be aware of the latest application hacking techniques.

What You Will Learn

  • Get to know newer and less-publicized techniques such as PHP Object Injection and XML-based vectors
  • Work with different security tools to automate most of the repetitive tasks
  • See the different kinds of newly designed security headers and how they help protect applications
  • Exploit and detect different kinds of XSS vulnerabilities
  • Protect your web application using filtering mechanisms
  • Understand old-school, classic web hacking in depth using SQL Injection, XSS, and CSRF
  • Grasp XML-related vulnerabilities and attack vectors such as XXE and DoS techniques
  • Get to know how to test REST APIs to discover security issues in them

In Detail

Web penetration testing is a growing, fast-moving, and absolutely critical field in information security. This book walks through modern web application attacks and cutting-edge hacking techniques, building on a solid understanding of web application security.

We will cover web hacking techniques so you can explore the attack vectors during penetration tests. The book encompasses the latest technologies such as OAuth 2.0, Web API testing methodologies, and the XML vectors used by attackers. Some less-discussed attack vectors, such as RPO (relative path overwrite), DOM clobbering, and PHP Object Injection, are also covered.

We'll explain various old-school techniques in depth, such as XSS, CSRF, and SQL Injection (through the ever-dependable SQLMap), as well as reconnaissance.

Websites nowadays provide APIs to allow integration with third-party applications, which exposes a lot of attack surface. We cover testing of these APIs using real-life examples.

This pragmatic guide will be of great benefit and will help you build more secure applications.

Style and approach

This master-level guide covers the techniques one at a time. It is packed with real-world examples that focus on the practical aspects of applying each technique rather than going into detailed theory.

Downloading the example code for this book: you can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to obtain the code files.

Table of Contents

  1. Mastering Modern Web Penetration Testing
    1. Table of Contents
    2. Mastering Modern Web Penetration Testing
    3. Credits
    4. About the Author
    5. About the Reviewer
    6. www.PacktPub.com
      1. eBooks, discount offers, and more
        1. Why subscribe?
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Downloading the example code
        2. Errata
        3. Piracy
        4. Questions
    8. 1. Common Security Protocols
      1. SOP
        1. Demonstration of the same-origin policy in Google Chrome
        2. Switching origins
        3. Quirks with Internet Explorer
        4. Cross-domain messaging
        5. AJAX and the same-origin policy
      2. CORS
        1. CORS headers
        2. Pre-flight request
        3. Simple request
      3. URL encoding – percent encoding
        1. Unrestricted characters
        2. Restricted characters
        3. Encoding table
        4. Encoding unrestricted characters
      4. Double encoding
        1. Introducing double encoding
        2. IIS 5.0 directory traversal code execution – CVE-2001-0333
        3. Using double encoding to evade XSS filters
      5. Base64 encoding
        1. Character set of Base64 encoding
        2. The encoding process
        3. Padding in Base64
      6. Summary
    9. 2. Information Gathering
      1. Information gathering techniques
        1. Active techniques
        2. Passive techniques
      2. Enumerating Domains, Files, and Resources
      3. Fierce
      4. theHarvester
      5. SubBrute
      6. CeWL
      7. DirBuster
      8. WhatWeb
        1. Maltego
        2. Wolfram Alpha
      9. Shodan
      10. DNSdumpster
      11. Reverse IP Lookup – YouGetSignal
      12. Pentest-Tools
      13. Google Advanced Search
      14. Summary
    10. 3. Cross-Site Scripting
      1. Reflected XSS
        1. Demonstrating reflected XSS vulnerability
        2. Reflected XSS – case study 1
        3. Reflected XSS – case study 2
      2. Stored XSS
        1. Demonstrating stored XSS
        2. Stored XSS through Markdown
        3. Stored XSS through APIs
        4. Stored XSS through spoofed IP addresses
      3. Flash-based XSS – ExternalInterface.call()
      4. HttpOnly and secure cookie flags
      5. DOM-based XSS
      6. XSS exploitation – The BeEF
        1. Setting Up BeEF
        2. Demonstration of the BeEF hook and its components
          1. Logs
          2. Commands
          3. Rider
          4. Xssrays
          5. IPec
          6. Network
      7. Summary
    11. 4. Cross-Site Request Forgery
      1. Introducing CSRF
      2. Exploiting POST-request based CSRF
      3. How developers prevent CSRF?
      4. PayPal's CSRF vulnerability to change phone numbers
      5. Exploiting CSRF in JSON requests
      6. Using XSS to steal anti-CSRF tokens
      7. Exploring pseudo anti-CSRF tokens
      8. Flash comes to the rescue
        1. Rosetta Flash
        2. Defeating XMLHTTPRequest-based CSRF protection
      9. Summary
    12. 5. Exploiting SQL Injection
      1. Installation of SQLMap under Kali Linux
      2. Introduction to SQLMap
        1. Injection techniques
      3. Dumping the data – in an error-based scenario
        1. Interacting with the wizard
        2. Dump everything!
      4. SQLMap and URL rewriting
      5. Speeding up the process!
        1. Multi-threading
        2. NULL connection
        3. HTTP persistent connections
        4. Output prediction
        5. Basic optimization flags
      6. Dumping the data – in blind and time-based scenarios
      7. Reading and writing files
        1. Checking privileges
        2. Reading files
        3. Writing files
      8. Handling injections in a POST request
      9. SQL injection inside a login-based portal
      10. SQL shell
      11. Command shell
      12. Evasion – tamper scripts
      13. Configuring with proxies
      14. Summary
    13. 6. File Upload Vulnerabilities
      1. Introducing file upload vulnerability
      2. Remote code execution
        1. Multi-functional web shells
        2. Netcat accessible reverse shell
      3. The return of XSS
        1. SWF – the flash
        2. SVG images
      4. Denial of Service
        1. Malicious JPEG file – pixel flood
        2. Malicious GIF file – frame flood
        3. Malicious zTXT field of PNG files
      5. Bypassing upload protections
        1. Case-sensitive blacklist extension check bypass
      6. MIME content type verification bypass
        1. Apache's htaccess trick to execute benign files as PHP
          1. SetHandler method
          2. The AddType method
        2. Bypassing image content verification
      7. Summary
    14. 7. Metasploit and Web
      1. Discovering Metasploit modules
      2. Interacting with Msfconsole
      3. Using Auxiliary Modules related to Web Applications
      4. Understanding WMAP – Metasploit's Web Application Security Scanner
      5. Generating Web backdoor payload with Metasploit
      6. Summary
    15. 8. XML Attacks
      1. XML 101 – the basics
        1. XML elements
        2. XML Attributes
        3. XML DTD and entities
          1. Internal DTD
          2. External DTD
        4. Entities
          1. Entity declaration
      2. XXE attack
        1. Reading files
          1. PHP Base64 conversion URI as an alternative
        2. SSRF through XXE
        3. Remote code execution
        4. Denial of Service through XXE
      3. XML quadratic blowup
        1. XML billion laughs
        2. The quadratic blowup
          1. WordPress 3.9 quadratic blowup vulnerability – Case Study
      4. Summary
    16. 9. Emerging Attack Vectors
      1. Server Side Request Forgery
        1. Demonstrating SSRF
        2. Protocol Handlers for SSRF URLs
        3. Case Study – MailChimp port scan SSRF
          1. Open port – with non-HTTP service
          2. Open port – with HTTP service
          3. Closed port – with HTTP service
      2. Insecure Direct Object Reference
        1. The basics of IDOR
        2. Case studies
          1. IDOR in Flipkart to delete saved shipping addresses
          2. IDOR in HackerOne to leak private response template data
      3. DOM clobbering
        1. Case study – breaking GitHub's Gist comment system through DOM clobbering
      4. Relative Path Overwrite
        1. Controlling CSS
        2. Internet Explorer
      5. UI redressing
      6. PHP Object Injection
        1. PHP serialization
        2. PHP magic functions
        3. Object injection
      7. Summary
    17. 10. OAuth 2.0 Security
      1. Introducing the OAuth 2.0 model
        1. OAuth 2.0 roles
          1. Resource owner
          2. Client
          3. Resource server
          4. Authorization server
        2. The application
          1. Redirect URI
          2. Access token
          3. Client ID
          4. Client secret
      2. Receiving grants
        1. Authorization grant
        2. Implicit grant
      3. Exploiting OAuth for fun and profit
        1. Open redirect – the malformed URL
        2. Hijacking the OAuth flow – fiddling with redirect URI
          1. Directory traversal tricks
          2. Domain tricks
            1. Naked domain
            2. TLD suffix confusion
          3. Flow hijack through open redirect on client
        3. Force a malicious app installation
      4. Summary
    18. 11. API Testing Methodology
      1. Understanding REST APIs
        1. REST API concepts
          1. URIs
          2. URI format
          3. Modelling of resource
        2. Stitching things together
        3. REST API and HTTP
          1. Request methods
          2. Response codes
          3. Headers
      2. Setting up the testing environment
        1. Analyzing the API
          1. Basic HTTP authentication
          2. Access token
          3. Cookies
        2. Tools
          1. Burp Suite
          2. REST API clients
          3. Custom API explorers
      3. Learning the API
        1. Developer documentation
        2. Understanding requests/responses
        3. Learning scopes
        4. Learning roles
      4. Basic methodology to test developer APIs
        1. Listing endpoints
        2. Firing different request methods
        3. Exploiting API bugs
          1. Scope based testing
            1. Case study 1
            2. Case study 2
          2. Roles based testing
            1. Case study 1
          3. Insecure direct object reference testing
            1. Case study 2
      5. Summary
    19. Index