Why is there a need for another book on web attacks and exploitation? More than two decades have passed since Jeff “Rain Forest Puppy” Forristal first discussed the then-unknown SQL injection in the well-known Phrack e-zine in 1998.

The web plays a significant role in our daily lives and business operations. It has progressed from static web pages to the era of user-generated content known as Web 2.0, and now we have Web 3.0, a decentralized web that operates on blockchain technology.

Having been involved in web application security from its infancy, we find it fascinating to assess the current state of attacks and exploitation of web vulnerabilities. As suggested by the OWASP TOP 10, the nature of these vulnerabilities remains relatively consistent, although their specific characteristics evolve. Examining how Advanced Persistent Threats (APTs) often use web attacks for initial access and persistence is interesting – mapping them using MITRE ATT&CK.

This book will provide an in-depth understanding of hackers’ methods for web attacks and exploitation, analyzing some Capture the Flags (CTFs) we created and several Common Vulnerabilities and Exposures (CVEs) we discovered.

The first part helps you understand the methodologies and frameworks, how to configure your research lab, and how to automate tasks with Bash and Python.

The second and third parts will guide you through practical examples using dynamic analysis, analyzing source code, reversing binaries, debugging, and instrumenting. In each chapter, you will find a brief introduction to the basics of each specific technology, the vulnerability, and the risk. Then, we’ll provide step-by-step instructions to discover and exploit the vulnerabilities.

In the second part, you’ll get an overview of evergreen vulnerabilities in authentication with a use case on SAML, SQL injection and Cross-Site Scripting (XSS) on WordPress, and Command Injection and Path Traversal on Internet of Things (IoT) devices, and then we’ll focus on analyzing source code and reversing binaries.

In the third part, you will see vulnerabilities in newer contexts, turning an XSS into a Remote Code Execution (RCE), analyzing Electron JavaScript applications and, exploiting the famous Reentrancy when auditing an Ethereum smart contract written in Solidity.

After reading this book, you will have improved your skills in identifying and taking advantage of web vulnerabilities and comprehending the consequences of disclosure.

This book is aimed at anyone who must ensure their organization’s security. It’s for penetration testers and red teamers who want to deepen their knowledge of the current security challenges for web applications, Developers and DevOps Engineers who want to get into the mindset of an attacker, and Security Managers and Chief Information Security Officers (CISOs) who want to truly understand the impact and risk of the Web, IoT, and smart contracts from an attacker’s point of view.

How to read this book

We recommend reading the various chapters in order if you are a beginner.

If you are familiar with web attacks and exploitation or prefer to go straight to the practical exercises, you can directly read Parts 2 and 3 and skim Part 1.

If you’re a security manager or CISO, the book can help you understand an attacker’s mindset, but you can focus on the sections devoted to you.

If you’re interested in a specific topic instead, each scenario is self-consistent, so you can go straight to the part you’re interested in.

Chapter 1, Mindset and Methodologies, offers an overview of the mindset and guiding principles for attacks, the learning process, the skill set, techniques for exploitation, and the methodologies that can be used to attack web applications.

Chapter 2, Toolset for Web Attacks and Exploitation, explains the tools available to attack web applications such as operating systems, browsers, interception proxies, Bash, and Python by playing a CTF.

Chapter 3, Attacking the Authentication Layer – a SAML Use Case, contains the first scenario we will analyze, again through a CTF exercise, where we will learn to exploit authentication systems, specifically SAML, through Burp.

Chapter 4, Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress, explores another scenario where we will find two CVEs together. We will find a SQL injection by reading the source code for a WordPress plugin and exploiting it first by hand with Burp and then with Python. We will also find an XSS.

Chapter 5, Attacking IoT Devices – Command Injection and Path Traversal, examines a scenario where we will analyze an IoT device, starting from the firmware, emulate it, and find four CVEs relating to command injections, bypassing some security features. We will also reverse-engineer together some of the binaries present in the device.

Chapter 6, Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE), delves into a scenario where we will analyze an Electron JavaScript application we use daily, figuring out how to instrument and debug it. We will find a CVE related to an XSS, which we will then turn into an RCE.

Chapter 7, Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic, provides the last scenario. It’s structured as a CTF exercise, where we will analyze smart contracts on Ethereum, revert them, and exploit several business logic vulnerabilities and the famous reentrancy by writing an attacking contract with Solidity and Foundry.

Chapter 8, Continuing the Journey of Vulnerability Discovery, concludes by reflecting on what we learned in the previous chapters. There’s not so much about specific vulnerabilities and, in general, more about the methods used. We will also mention the vulnerability disclosure dilemma from the researcher and CISO perspectives.

To get the most out of this book, you should be interested in web application security and vulnerability research. We also suggest having a good knowledge of web technologies and related protocols and a basic understanding of reverse engineering.

Having physical GL.iNet devices such as the Mango or the Shadow is preferable for recreating the scenario in Chapter 5.

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors in copying and pasting code.

We suggest that you not only read the book but also recreate the scenarios included in it by trying them out locally, either by following the directions in the book or by finding solutions on your own.

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Attacking-and-Exploiting-Modern-Web-Applications. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “We found two headers containing the specific PHP (X-Powered-By) and Apache (Server) versions.”

A block of code is set as follows:

SELECT id, wpid, room, timestamp, UNIX_TIMESTAMP(timestamp) AS unix_timestamp, alias, status, message FROM $Shoutbox_messages_table_name.' WHERE room IN ("'.$rooms.'") AND timestamp > FROM_UNIXTIME('.esc_sql($_POST['last_timestamp']).') ORDER BY unix_timestamp ASC

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

function esc_sql( $data ) {
    global $wpdb;
    return $wpdb->_escape( $data );
}

Any command-line input or output is written as follows:

$ curl -kis  http://localhost | grep generator
<meta name="generator" content="WordPress 6.1.1" />

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Select and right-click on that image from the menu, and click Inspect to see precisely the resulting code.”

Tips or important notes

Appear like this.

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at customercare@packtpub.com and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packtpub.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Once you’ve read Attacking and Exploiting Modern Web Applications, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

1. Scan the QR code or visit the link below

https://packt.link/free-ebook/9781801816298

2. Submit your proof of purchase
3. That’s it! We’ll send your free PDF and other benefits to your email directly