The Basics of Web Hacking : Tools and Techniques to Attack the Web.
Title:
The Basics of Web Hacking : Tools and Techniques to Attack the Web.
Author:
Pauli, Josh.
ISBN:
9780124166592
Personal Author:
Physical Description:
1 online resource (160 pages)
Contents:
Front Cover -- The Basics of Web Hacking: Tools and Techniques to Attack the Web -- Copyright -- Dedication -- Acknowledgments -- Honey Bear -- Lizard -- Baby Bird -- Family and Friends -- Security Community -- Scott White-Technical Reviewer -- Syngress Team -- My Vices -- Biography -- Foreword -- Introduction -- About this Book -- A Hands-on Approach -- What's in this Book? -- A Quick Disclaimer -- Contents -- Chapter 1: The Basics of Web Hacking -- Introduction -- What Is a Web Application? -- What You Need to Know About Web Servers -- What You Need to Know About HTTP -- HTTP Cycles -- Noteworthy HTTP Headers -- Noteworthy HTTP Status Codes -- The Basics of Web Hacking: Our Approach -- Our Targets -- Our Tools -- Web Apps Touch Every Part of IT -- Existing Methodologies -- The Open-Source Security Testing Methodology Manual (OSSTM) -- Penetration Testing Execution Standard (PTES) -- Making Sense of Existing Methodologies -- Most Common Web Vulnerabilities -- Injection -- Cross-site Scripting (XSS) -- Broken Authentication and Session Management -- Cross-site Request Forgery -- Security Misconfiguration -- Setting Up a Test Environment -- Target Web Application -- Installing the Target Web Application -- Configuring the Target Web Application -- DVWA Install Script -- Chapter 2: Web Server Hacking -- Introduction -- Reconnaissance -- Learning About the Web Server -- The Robots.txt File -- Port Scanning -- Nmap -- Updating Nmap -- Running Nmap -- Nmap Scripting Engine (NSE) -- Vulnerability Scanning -- Nessus -- Installing Nessus -- Configuring Nessus -- Running Nessus -- Reviewing Nessus Results -- Nikto -- Exploitation -- Basics of Metasploit -- Search -- Use -- Show Payloads -- Set Payload -- Show Options -- Set Option -- Exploit -- Maintaining Access -- Chapter 3: Web Application Recon and Scanning -- Introduction -- Web Application Recon.
Basics of a Web Proxy -- Burp Suite -- Configuring Burp Proxy -- Spidering with Burp -- Automated Spidering -- Manual Spidering -- Running Burp Spider -- Web Application Scanning -- What a Scanner Will Find -- What a Scanner Won't Find -- Scanning with ZED Attack Proxy (ZAP) -- Configuring ZAP -- Running ZAP -- Reviewing ZAP Results -- ZAP Brute Force -- Scanning with Burp Scanner -- Configuring Burp Scanner -- Running Burp Scanner -- Reviewing Burp Scanner Results -- Chapter 4: Web Application Exploitation with Injection -- Introduction -- SQL Injection Vulnerabilities -- SQL Interpreter -- SQL for Hackers -- SQL Injection Attacks -- Finding the Vulnerability -- Bypassing Authentication -- Extracting Additional Information -- Harvesting Password Hashes -- Offline Password Cracking -- sqlmap -- Operating System Command Injection Vulnerabilities -- O/S Command Injection for Hackers -- Operating System Command Injection Attacks -- Web Shells -- Chapter 5: Web Application Exploitation with Broken Authentication and Path Traversal -- Introduction -- Authentication and Session Vulnerabilities -- Path Traversal Vulnerabilities -- Brute Force Authentication Attacks -- Intercepting the Authentication Attempt -- Configuring Burp Intruder -- Intruder Payloads -- Running Intruder -- Session Attacks -- Cracking Cookies -- Burp Sequencer -- Other Cookie Attacks -- Path Traversal Attacks -- Web Server File Structure -- Forceful Browsing -- Chapter 6: Web User Hacking -- Introduction -- Cross-Site Scripting (XSS) Vulnerabilities -- Cross-Site Request Forgery (CSRF) Vulnerabilities -- XSS Versus CSRF -- Technical Social Engineering Vulnerabilities -- Web User Recon -- Web User Scanning -- Web User Exploitation -- Cross-Site Scripting (XSS) Attacks -- XSS Payloads -- Reflected XSS Attacks -- Intercepting the Server Response -- Encoding XSS Payloads.
XSS in URL Address Bar -- XSS Attacks on Session Identifiers -- Stored XSS Attacks -- Persistence of Stored XSS -- Cross-Site Request Forgery (CSRF) Attacks -- User Attack Frameworks -- Social-Engineer Toolkit (SET) -- Other Notable User Attack Frameworks -- Chapter 7: Fixes -- Introduction -- Web Server Fixes -- Server Hardening -- Generic Error Messages -- Web Application Fixes -- Injection Fixes -- Broken Authentication and Session Management Fixes -- Authentication -- Session Management -- Path Traversal Fixes -- Web User Fixes -- The XSS Prevention Cheat Sheet -- Input Validation Cheat Sheet -- Code Defenses for XSS -- Browser Defenses for XSS -- The CSRF Prevention Cheat Sheet -- More CSRF Defenses -- Technical Social Engineering Fixes -- Chapter 8: Next Steps -- Introduction -- Security Community Groups and Events -- Formal Education -- Certifications -- Additional Books -- Index.
Abstract:
The Basics of Web Hacking introduces you to a tool-driven process to identify the most widespread vulnerabilities in Web applications. No prior experience is needed. Web apps are a "path of least resistance" that can be exploited to cause the most damage to a system, with the lowest hurdles to overcome. This is a perfect storm for beginning hackers. The process set forth in this book introduces not only the theory and practical information related to these vulnerabilities, but also the detailed configuration and usage of widely available tools necessary to exploit these vulnerabilities. The Basics of Web Hacking provides a simple and clean explanation of how to utilize tools such as Burp Suite, sqlmap, and Zed Attack Proxy (ZAP), as well as basic network scanning tools such as nmap, Nikto, Nessus, Metasploit, John the Ripper, web shells, netcat, and more. Dr. Josh Pauli teaches software security at Dakota State University and has presented on this topic to the U.S. Department of Homeland Security, the NSA, BlackHat Briefings, and Defcon. He will lead you through a focused, three-part approach to Web security, including hacking the server, hacking the Web app, and hacking the Web user. With Dr. Pauli's approach, you will fully understand the what/where/why/how of the most widespread Web vulnerabilities and how easily they can be exploited with the correct tools. You will learn how to set up a safe environment to conduct these attacks, including an attacker Virtual Machine (VM) with all necessary tools and several known-vulnerable Web application VMs that are widely available and maintained for this very purpose. Once you complete the entire process, not only will you be prepared to test for the most damaging Web exploits, you will also be prepared to conduct more advanced Web hacks that mandate a strong base of knowledge. Provides a simple and
clean approach to Web hacking, including hands-on examples and exercises that are designed to teach you how to hack the server, hack the Web app, and hack the Web user Covers the most significant new tools such as nmap, Nikto, Nessus, Metasploit, John the Ripper, web shells, netcat, and more! Written by an author who works in the field as a penetration tester and who teaches Web security classes at Dakota State University.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.
Genre:
Electronic Access:
Click to View