Josh Pauli
Scott White, Technical Editor
ELSEVIER
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier
The World Wide Web is a huge and expanding mass of application code. The majority of businesses, governments, and other organizations are now on the web, exposing their systems and data to the world via custom application functionality. With today’s development frameworks, it is easier than ever to create a
functional web application without knowing or doing anything about security. With today’s technologies, that application is likely to be far more complex than those that have come before. Evolving technologies bring with them more attack surface and new types of attack. Meanwhile, old vulnerabilities live on and are
reintroduced into new applications by each generation of coders. In the recent past, numerous high-profile organizations have been compromised via their web applications. Though their PR departments may claim they were victims of highly sophisticated hackers, in reality the majority of these attacks have exploited simple vulnerabilities that have been well understood for years. Smaller companies that don’t feel under the spotlight may actually be even more exposed. And many who are compromised never know about it.
Clearly, the subject of web application security is more critical today than ever before. There is a significant need for more people to understand web application attacks, both on the offensive side (to test existing applications for flaws) and on the defensive side (to develop more robust code in the first place). If
you’re completely new to web hacking, this book will get you started. Assuming no existing knowledge, it will teach you the basic tools and techniques you need to find and exploit numerous vulnerabilities in today’s applications. If your job is to build or defend web applications, it will open your eyes to the attacks that
your own applications are probably still vulnerable to and teach you how to prevent them from happening.
Dafydd Stuttard
Creator of Burp Suite
Coauthor of The Web Application Hacker’s Handbook
Biography
Dr. Josh Pauli received his Ph.D. in software engineering from North Dakota
State University (NDSU) and now serves as an associate professor of cyber security
at Dakota State University (DSU) in Madison, SD. Dr. Pauli has published
nearly 30 international journal and conference papers related to software security
and his work includes invited presentations from DEFCON, Black Hat, and
The National Security Agency. He teaches both undergraduate and graduate
courses in software security at DSU and is the program director for the DSU
Cyber Corps. Dr. Pauli also conducts web application penetration tests for an
information security consulting firm. You can keep up with Josh on Twitter by
following @CornDogGuy and visiting his DSU homepage at www.homepages.dsu.edu/paulij.
Introduction
Many of us rely on web applications for so many of our daily tasks, whether
at work, at home, or at play, and we access them several times a day from our
laptops, tablets, phones, and other devices. We use these web applications to
shop, bank, pay bills, attend online meetings, social network with friends and
family, and countless other tasks. The problem is that web applications aren’t
as secure as we’d like to think, and most of the time the attacks used to gain
access to a web application are relatively straightforward and simple. In fact,
anyone can use widely available hacking tools to perform these devastating web attacks.
This book will teach you how to hack web applications and what you can do
to prevent these attacks. It will walk you through the theory, tools, and techniques
used to identify and exploit the most damaging web vulnerabilities
present in current web applications. This means you will be able to make a
web application perform actions it was never intended to perform, such as
retrieve sensitive information from a database, bypass the login page, and
assume the identity of other users. You’ll learn how to select a target, how to
perform an attack, what tools are needed and how to use them, and how to
protect against these attacks.
ABOUT THIS BOOK
This book is designed to teach you the fundamentals of web hacking from the
ground up. It’s for those of you interested in getting started with web hacking
but haven’t found a good resource. Basically, if you’re a web hacking newbie, this
is the book for you! This book assumes you have no previous knowledge related
to web hacking. Perhaps you have tinkered around with some of the tools, but
you don’t fully understand how or where they fit into the larger picture of web hacking.
Top web hacking experts have a firm grasp on programming, cryptography,
bug hunting, exploitation development, database layout, data extraction, how
network traffic works, and much more. If you don’t have these skills, don’t be
discouraged! This knowledge and these skills are accumulated over the course of a
career, and if you're just getting started with web hacking, you probably won't
have all of them yet. This book will teach you the theory, tools, and techniques
behind some of the most damaging web attacks present in modern web applications.
You will gain not only knowledge and skill but also confidence to transition
to even more complex web hacking in the future.
A HANDS-ON APPROACH
This book follows a very hands-on approach to introduce and demonstrate the
content. Every chapter will have foundational knowledge so that you know the
why of the attack and detailed step-by-step directions so that you know the how of the attack.
Our approach to web hacking has three specific targets: the web server, the web
application, and the web user. These targets all present different vulnerabilities,
so we need to use different tools and techniques to exploit each of them. That’s
exactly what this book will do; each chapter will introduce different attacks that
exploit these targets’ vulnerabilities.
WHAT'S IN THIS BOOK?
Each chapter covers the following material:
Chapter 1: The Basics of Web Hacking provides an overview of current web vulnerabilities
and how our hands-on approach takes aim at them.
Chapter 2: Web Server Hacking takes traditional network hacking methodologies
and applies them directly to the web server to not only compromise those
machines but also to provide a base of knowledge to use in attacks against the web
application and web user. Tools include Nmap, Nessus, Nikto, and Metasploit.
Chapter 3: Web Application Recon and Scanning introduces tools, such as web
proxies and scanning tools, which set the stage for you to exploit the targeted
web application by finding existing vulnerabilities. Tools include Burp Suite
(Spider and Intercept) and Zed Attack Proxy (ZAP).
Chapter 4: Web Application Exploitation with Injection covers the theory, tools,
and techniques used to exploit web applications with SQL injection, operating
system command injection, and web shells. Tools include Burp Suite (specifically
the functions and features of the Proxy Intercept and Repeater tools), sqlmap,
John the Ripper (JtR), custom web shell files, and netcat.
Chapter 5: Web Application Exploitation with Broken Authentication and Path
Traversal covers the theory, tools, and techniques used to exploit web applications
with brute forcing logins, session attacks, and forceful browsing. Tools
include Burp Suite (Intruder and Sequencer) and various operating system commands
for nefarious purposes.
Chapter 6: Web User Hacking covers the theory, tools, and techniques used to
exploit other web users through web application cross-site scripting (XSS)
and cross-site request forgery (CSRF) vulnerabilities, as well as attacks that
require no existing web server or web application vulnerabilities but instead
prey directly on the user's willingness to complete dangerous actions. The main
tool of choice will be the Social-Engineer Toolkit (SET).
Chapter 7: Fixes covers the best practices available today to prevent all the attacks
introduced in the book. Like most things security-related, the hard part is not
identifying these mitigation strategies, but deciding how best to implement
them and testing that they are doing what they are intended to do.
Chapter 8: Next Steps introduces where you can go after finishing this book to
continue on your hacking journey. There are tons of great information security
groups and events to take part in. Some of you may want formal education,
while others may want to know what certifications are especially applicable to
this type of security work. A quick list of good books to consider is also provided.
Product details

| Item | Value |
|---|---|
| Price | |
| File Size | 24,766 KB |
| Pages | 153 p |
| File Type | PDF format |
| ISBN | 978-0-12-416600-4 |
| Copyright | 2013 Elsevier, Inc |
ADDITIONAL BOOKS
There is no shortage of great security books that you can transition to after
completing The Basics of Web Hacking. And, although not officially a book,
the OWASP Testing Guide is a great publication for everybody interested in
web application security and can be downloaded (or purchased as a hard
In no particular order, here are some other books that you are especially encouraged
to look into.
■ The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
by Dafydd Stuttard and Marcus Pinto
■ The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration
Testing Made Easy (2nd Edition) by Patrick Engebretson
■ Tangled Web: A Guide to Securing Modern Web Applications by Michal
Zalewski
■ Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman,
Devon Kearns, and Mati Aharoni
■ Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
by Michael Sikorski and Andrew Honig
■ Gray Hat Hacking The Ethical Hackers Handbook by Allen Harper, Shon Harris,
Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams
■ Fuzzing for Software Security Testing and Quality Assurance by Ari Takanen, Jared
DeMott, and Charlie Miller