Tools and Techniques to Attack the Web
Josh Pauli
Scott White, Technical Editor
The World Wide Web is a huge and expanding mass of application code. The majority of businesses, governments, and other organizations are now on the web, exposing their systems and data to the world via custom application functionality. With today’s development frameworks, it is easier than ever to create a functional web application without knowing or doing anything about security. With today’s technologies, that application is likely to be far more complex than those that have come before. Evolving technologies bring with them more attack surface and new types of attack. Meanwhile, old vulnerabilities live on and are reintroduced into new applications by each generation of coders.
In the recent past, numerous high-profile organizations have been compromised via their web applications. Though their PR departments may claim they were victims of highly sophisticated hackers, in reality the majority of these attacks have exploited simple vulnerabilities that have been well understood for years. Smaller companies that don’t feel under the spotlight may actually be even more exposed. And many who are compromised never know about it.
Clearly, the subject of web application security is more critical today than ever before. There is a significant need for more people to understand web application attacks, both on the offensive side (to test existing applications for flaws) and on the defensive side (to develop more robust code in the first place). If you’re completely new to web hacking, this book will get you started. Assuming no existing knowledge, it will teach you the basic tools and techniques you need to find and exploit numerous vulnerabilities in today’s applications. If your job is to build or defend web applications, it will open your eyes to the attacks that your own applications are probably still vulnerable to and teach you how to prevent them from happening.
Dafydd Stuttard
Creator of Burp Suite
Coauthor of The Web Application Hacker’s Handbook
Introduction
Many of us rely on web applications for so many of our daily tasks, whether at work, at home, or at play, and we access them several times a day from our laptops, tablets, phones, and other devices. We use these web applications to shop, bank, pay bills, attend online meetings, social network with friends and family, and countless other tasks. The problem is that web applications aren’t as secure as we’d like to think, and most of the time the attacks used to gain access to a web application are relatively straightforward and simple. In fact, anyone can use widely available hacking tools to perform these devastating web attacks.
This book will teach you how to hack web applications and what you can do to prevent these attacks. It will walk you through the theory, tools, and techniques used to identify and exploit the most damaging web vulnerabilities present in current web applications. This means you will be able to make a web application perform actions it was never intended to perform, such as retrieve sensitive information from a database, bypass the login page, and assume the identity of other users. You’ll learn how to select a target, how to perform an attack, what tools are needed and how to use them, and how to protect against these attacks.
About This Book
This book is designed to teach you the fundamentals of web hacking from the ground up. It’s for those of you interested in getting started with web hacking but haven’t found a good resource. Basically, if you’re a web hacking newbie, this is the book for you! This book assumes you have no previous knowledge related to web hacking. Perhaps you have tinkered around with some of the tools, but you don’t fully understand how or where they fit into the larger picture of web hacking.
Top web hacking experts have a firm grasp on programming, cryptography, bug hunting, exploit development, database layout, data extraction, how network traffic works, and much more. If you don’t have these skills, don’t be discouraged! This knowledge and these skills are accumulated over the course of a career, and if you’re just getting started with web hacking, you probably won’t have all of them yet. This book will teach you the theory, tools, and techniques behind some of the most damaging web attacks present in modern web applications. You will gain not only knowledge and skill but also the confidence to transition to even more complex web hacking in the future.
A Hands-On Approach
This book follows a very hands-on approach to introduce and demonstrate the content. Every chapter will have foundational knowledge so that you know the why of the attack and detailed step-by-step directions so that you know the how of the attack.
Our approach to web hacking has three specific targets: the web server, the web application, and the web user. These targets all present different vulnerabilities, so we need to use different tools and techniques to exploit each of them. That’s exactly what this book will do; each chapter will introduce different attacks that exploit these targets’ vulnerabilities.
What's in This Book?
Each chapter covers the following material:
Chapter 1: The Basics of Web Hacking provides an overview of current web vulnerabilities and how our hands-on approach takes aim at them.
Chapter 2: Web Server Hacking takes traditional network hacking methodologies and applies them directly to the web server, not only to compromise those machines but also to provide a base of knowledge to use in attacks against the web application and web user. Tools include Nmap, Nessus, Nikto, and Metasploit.
Chapter 3: Web Application Recon and Scanning introduces tools, such as web proxies and scanning tools, which set the stage for you to exploit the targeted web application by finding existing vulnerabilities. Tools include Burp Suite (Spider and Intercept) and Zed Attack Proxy (ZAP).
Chapter 4: Web Application Exploitation with Injection covers the theory, tools, and techniques used to exploit web applications with SQL injection, operating system command injection, and web shells. Tools include Burp Suite (specifically the functions and features of the Proxy Intercept and Repeater tools), sqlmap, John the Ripper (JtR), custom web shell files, and netcat.
Chapter 5: Web Application Exploitation with Broken Authentication and Path Traversal covers the theory, tools, and techniques used to exploit web applications with brute-forced logins, session attacks, and forceful browsing. Tools include Burp Suite (Intruder and Sequencer) and various operating system commands for nefarious purposes.
Chapter 6: Web User Hacking covers the theory, tools, and techniques used to exploit other web users by exploiting web application cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities, as well as attacks that require no existing web server or web application vulnerabilities but instead prey directly on the user’s willingness to complete dangerous actions. The main tool of choice will be the Social-Engineer Toolkit (SET).
Chapter 7: Fixes covers the best practices available today to prevent all the attacks introduced in the book. Like most things security-related, the hard part is not identifying these mitigation strategies but implementing them well and testing that they are doing what they are intended to do.
Chapter 8: Next Steps introduces where you can go after finishing this book to continue on your hacking journey. There are tons of great information security groups and events to take part in. Some of you may want formal education, while others may want to know which certifications are especially applicable to this type of security work. A quick list of good books to consider is also provided.
Table of Contents
Cover image
Title page
Copyright
Dedication
Acknowledgments
Honey Bear
Lizard
Baby Bird
Family And Friends
Security Community
Scott White—Technical Reviewer
Syngress Team
My Vices
Biography
Foreword
Introduction
About This Book
A Hands-On Approach
What's In This Book?
A Quick Disclaimer
Chapter 1. The Basics of Web Hacking
Chapter Rundown:
Introduction
What Is A Web Application?
What You Need To Know About Web Servers
What You Need To Know About HTTP
The Basics Of Web Hacking: Our Approach
Web Apps Touch Every Part Of IT
Existing Methodologies
Most Common Web Vulnerabilities
Setting Up A Test Environment
Chapter 2. Web Server Hacking
Chapter Rundown:
Introduction
Reconnaissance
Port Scanning
Vulnerability Scanning
Exploitation
Maintaining Access
Chapter 3. Web Application Recon and Scanning
Chapter Rundown:
Introduction
Web Application Recon
Web Application Scanning
Chapter 4. Web Application Exploitation with Injection
Chapter Rundown:
Introduction
SQL Injection Vulnerabilities
SQL Injection Attacks
Sqlmap
Operating System Command Injection Vulnerabilities
Operating System Command Injection Attacks
Web Shells
Chapter 5. Web Application Exploitation with Broken Authentication and Path Traversal
Chapter Rundown:
Introduction
Authentication And Session Vulnerabilities
Path Traversal Vulnerabilities
Brute Force Authentication Attacks
Session Attacks
Path Traversal Attacks
Chapter 6. Web User Hacking
Chapter Rundown:
Introduction
Cross-Site Scripting (XSS) Vulnerabilities
Cross-Site Request Forgery (CSRF) Vulnerabilities
Technical Social Engineering Vulnerabilities
Web User Recon
Web User Scanning
Web User Exploitation
Cross-Site Scripting (XSS) Attacks
Reflected XSS Attacks
Stored XSS Attacks
Cross-Site Request Forgery (CSRF) Attacks
User Attack Frameworks
Chapter 7. Fixes
Chapter Rundown:
Introduction
Web Server Fixes
Web Application Fixes
Web User Fixes
Chapter 8. Next Steps
Chapter Rundown:
Introduction
Security Community Groups And Events
Formal Education
Certifications
Additional Books
Index