You are previewing The Basics of Web Hacking.
O'Reilly logo
The Basics of Web Hacking

Book Description

The Basics of Web Hacking introduces you to a tool-driven process to identify the most widespread vulnerabilities in Web applications. No prior experience is needed. Web apps are a "path of least resistance" that can be exploited to cause the most damage to a system, with the lowest hurdles to overcome. This is a perfect storm for beginning hackers. The process set forth in this book introduces not only the theory and practical information related to these vulnerabilities, but also the detailed configuration and usage of widely available tools necessary to exploit these vulnerabilities.

The Basics of Web Hacking provides a simple and clean explanation of how to utilize tools such as Burp Suite, sqlmap, and Zed Attack Proxy (ZAP), as well as basic network scanning tools such as nmap, Nikto, Nessus, Metasploit, John the Ripper, web shells, netcat, and more. Dr. Josh Pauli teaches software security at Dakota State University and has presented on this topic to the U.S. Department of Homeland Security, the NSA, BlackHat Briefings, and Defcon. He will lead you through a focused, three-part approach to Web security, including hacking the server, hacking the Web app, and hacking the Web user.

With Dr. Pauli’s approach, you will fully understand the what/where/why/how of the most widespread Web vulnerabilities and how easily they can be exploited with the correct tools. You will learn how to set up a safe environment to conduct these attacks, including an attacker Virtual Machine (VM) with all necessary tools and several known-vulnerable Web application VMs that are widely available and maintained for this very purpose. Once you complete the entire process, not only will you be prepared to test for the most damaging Web exploits, you will also be prepared to conduct more advanced Web hacks that mandate a strong base of knowledge.

  • Provides a simple and clean approach to Web hacking, including hands-on examples and exercises that are designed to teach you how to hack the server, hack the Web app, and hack the Web user
  • Covers the most significant new tools such as nmap, Nikto, Nessus, Metasploit, John the Ripper, web shells, netcat, and more!
  • Written by an author who works in the field as a penetration tester and who teaches Web security classes at Dakota State University

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Acknowledgments
    1. Honey Bear
    2. Lizard
    3. Baby Bird
    4. Family and Friends
    5. Security Community
    6. Scott White—Technical Reviewer
    7. Syngress Team
    8. My Vices
  7. Biography
  8. Foreword
  9. Introduction
    1. About This Book
    2. A Hands-On Approach
    3. What's in This Book?
    4. A Quick Disclaimer
  10. Chapter 1. The Basics of Web Hacking
    1. Chapter Rundown:
    2. Introduction
    3. What Is a Web Application?
    4. What You Need to Know About Web Servers
    5. What You Need to Know About HTTP
    6. The Basics of Web Hacking: Our Approach
    7. Web Apps Touch Every Part of IT
    8. Existing Methodologies
    9. Most Common Web Vulnerabilities
    10. Setting Up a Test Environment
  11. Chapter 2. Web Server Hacking
    1. Chapter Rundown:
    2. Introduction
    3. Reconnaissance
    4. Port Scanning
    5. Vulnerability Scanning
    6. Exploitation
    7. Maintaining Access
  12. Chapter 3. Web Application Recon and Scanning
    1. Chapter Rundown:
    2. Introduction
    3. Web Application Recon
    4. Web Application Scanning
  13. Chapter 4. Web Application Exploitation with Injection
    1. Chapter Rundown:
    2. Introduction
    3. SQL Injection Vulnerabilities
    4. SQL Injection Attacks
    5. sqlmap
    6. Operating System Command Injection Vulnerabilities
    7. Operating System Command Injection Attacks
    8. Web Shells
  14. Chapter 5. Web Application Exploitation with Broken Authentication and Path Traversal
    1. Chapter Rundown:
    2. Introduction
    3. Authentication and Session Vulnerabilities
    4. Path Traversal Vulnerabilities
    5. Brute Force Authentication Attacks
    6. Session Attacks
    7. Path Traversal Attacks
  15. Chapter 6. Web User Hacking
    1. Chapter Rundown:
    2. Introduction
    3. Cross-Site Scripting (XSS) Vulnerabilities
    4. Cross-Site Request Forgery (CSRF) Vulnerabilities
    5. Technical Social Engineering Vulnerabilities
    6. Web User Recon
    7. Web User Scanning
    8. Web User Exploitation
    9. Cross-Site Scripting (XSS) Attacks
    10. Reflected XSS Attacks
    11. Stored XSS Attacks
    12. Cross-Site Request Forgery (CSRF) Attacks
    13. User Attack Frameworks
  16. Chapter 7. Fixes
    1. Chapter Rundown:
    2. Introduction
    3. Web Server Fixes
    4. Web Application Fixes
    5. Web User Fixes
  17. Chapter 8. Next Steps
    1. Chapter Rundown:
    2. Introduction
    3. Security Community Groups and Events
    4. Formal Education
    5. Certifications
    6. Additional Books
  18. Index