Attacking and Exploiting Modern Web Applications

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781801816298
Pages: 338
Edition: 1st Edition
Authors (2): Simone Onofri, Donato Onofri

Table of Contents (14 chapters)

Preface
Part 1: Attack Preparation
  • Chapter 1: Mindset and Methodologies
  • Chapter 2: Toolset for Web Attacks and Exploitation
Part 2: Evergreen Attacks
  • Chapter 3: Attacking the Authentication Layer – a SAML Use Case
  • Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
  • Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Part 3: Novel Attacks
  • Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
  • Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
  • Chapter 8: Continuing the Journey of Vulnerability Discovery
Index
Other Books You May Enjoy

Toolset for Web Attacks and Exploitation

“The Analysts are required to know their tools, where the tools came from, how the tools work, and have them tested in a restricted test area before using the tools on the client organization.” Pete Herzog

Refer to Chapter 1 to get an idea of how it should look [1].

Welcome to the second chapter, where we will prepare our means of attacking web applications, starting with our first Capture the Flag (CTF) exercise.

As we read in the opening epigraph from the Open Source Security Methodology Manual (OSSTMM)’s rules of engagement, we need to know our tools and where they come from before using them in a production environment.

We can be caught up in euphoria or haste, so when doing an activity, we feel like throwing whatever comes to mind at our target. However, this approach rarely brings usable results and often has counterproductive aspects, altering the state of the target application in ways we do not expect...

Technical requirements

Exploiting web applications can be done with different kinds of software. It can be free software or paid software. Some paid software has clear advantages, but to make this book accessible, we will use only free and open source tools wherever possible.

For professional use, however, it is recommended to consider purchasing software such as Burp Suite Professional, which contains several features such as session saving and has no throttling limitations on Intruder.

Anyway, in this chapter, we will focus on the setup of our main tools for our environment.

Some computing power is needed for the hardware, especially considering you will often work in virtualized environments requiring a good amount of RAM, several CPUs, and disk space. Space is also needed to perform backups, and computing power is necessary because the systems where we work need to be encrypted, so Full Disk Encryption (FDE) is recommended.

We will describe different software options...

Operating systems and the tools of the trade

This section describes our working tools, focusing first on the operating system and tools that underlie our work.

To test, attack, and exploit web applications, we will most likely use the HTTP and HTTPS protocols, and so we must equip ourselves to analyze this type of traffic according to the scheme depicted in the following figure:

Figure 2.1 – A tester’s machine

We use our browser, or other tools, connected to our proxy to intercept traffic and connect to our target. This basic setup allows us to adapt to operational needs and personal preferences.

We then proceed to choose the following:

  • Operating system
  • Browser
  • Interception proxy
  • Tools that can aid us, usually scripting or programming languages (such as Bash, PowerShell, and Python)
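The setup in Figure 2.1 (browser or tool, interception proxy, target) can be reproduced end to end in a few lines of Python. The following is an added example, not code from the book: a minimal logging HTTP proxy stands in for the interception proxy, a constructed `http.server` handler stands in for the target, and `http.client` plays the browser configured to use the proxy. It only handles plain HTTP GET; intercepting HTTPS additionally needs CONNECT handling and a CA certificate the browser trusts, which a tool such as Burp provides and this example deliberately does not.

```python
# Added example (not from the book): a minimal logging HTTP proxy that plays the
# role of the "interception proxy" box in Figure 2.1, with a constructed stand-in
# target and an HTTP client standing in for the browser. Everything runs on
# 127.0.0.1 on ephemeral ports, so it works offline.
import http.client
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class TargetHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target web application."""

    def do_GET(self):
        body = b"hello from target: " + self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the servers quiet


def make_proxy_handler(log):
    """Build a handler class that records each request in `log` and forwards it."""

    class ProxyHandler(BaseHTTPRequestHandler):
        # Headers that must not be copied between the two legs of the connection
        # (hop-by-hop ones, plus Date/Server which send_response() sets itself).
        skip_headers = {"host", "connection", "proxy-connection", "keep-alive",
                        "transfer-encoding", "te", "trailer", "upgrade",
                        "date", "server"}

        def do_GET(self):
            # A proxy-aware client puts the absolute URL in the request line,
            # so self.path is the full target URL, not just the path component.
            log.append({"method": self.command, "url": self.path,
                        "headers": dict(self.headers)})
            req = urllib.request.Request(self.path, method=self.command)
            for name, value in self.headers.items():
                if name.lower() not in self.skip_headers:
                    req.add_header(name, value)
            # Empty ProxyHandler: forward directly, ignoring any *_proxy env vars.
            opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
            try:
                resp = opener.open(req, timeout=5)
            except urllib.error.HTTPError as err:
                resp = err  # 4xx/5xx are still responses worth relaying
            body = resp.read()
            self.send_response(resp.getcode())
            for name, value in resp.headers.items():
                if name.lower() not in self.skip_headers:
                    self.send_header(name, value)
            self.end_headers()
            self.wfile.write(body)
            resp.close()

        def log_message(self, *args):
            pass

    return ProxyHandler


def run_through_proxy(path="/login?user=alice"):
    """Start target and proxy, send one request the way a browser would,
    and return (status, body, captured log)."""
    log = []
    target = ThreadingHTTPServer(("127.0.0.1", 0), TargetHandler)
    proxy = ThreadingHTTPServer(("127.0.0.1", 0), make_proxy_handler(log))
    for srv in (target, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        target_url = f"http://127.0.0.1:{target.server_port}{path}"
        # The "browser": a client with the proxy set as its HTTP proxy. It opens
        # a TCP connection to the proxy and sends the absolute URL in the request line.
        conn = http.client.HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)
        conn.request("GET", target_url, headers={"User-Agent": "example-browser"})
        resp = conn.getresponse()
        status, body = resp.status, resp.read().decode()
        conn.close()
        return status, body, log
    finally:
        for srv in (target, proxy):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    status, body, log = run_through_proxy()
    print(status, body)
    for entry in log:
        print("intercepted:", entry["method"], entry["url"])
```

The `log` list is the point of the exercise: everything the "browser" sends passes through a place where it can be seen and, in a real interception proxy, modified before it reaches the target. The handler also shows why a proxy must strip hop-by-hop headers such as `Connection` and `Proxy-Connection` on each leg instead of copying the request blindly.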

Operating system

We need to choose our operating system wisely, especially our host operating system. It must be an operating...

Virtualization and containerization systems

Continuing to think about Agent Smith from The Matrix, we are reminded of his quote from 2003’s Matrix Reloaded: “The best thing about being me... There are so many me’s.” It is indeed helpful to have multiple machines and systems to do our testing.

These days, this does not necessarily require rooms full of servers, laptops, and PCs; it requires tools to virtualize what is needed on a single, reasonably powerful physical machine. In this section, we will install VirtualBox and Docker. This will allow us to run multiple operating systems concurrently on a single machine.

Decades ago, virtual machines were everywhere, and now – with the advancement of technology – we have containers that allow us to virtualize Linux-based systems easily.

Virtualization is a technology that allows you to have several virtual systems on a single physical PC that share the same level of abstraction, such as a...

Summary

In the first part of this chapter, we learned how to choose our tools, including an operating system, interception proxy, and browser. Then, we learned how to install and use common tools and write a few lines of Python.

In the second part of this chapter, we learned how to install VirtualBox and Docker.

After finishing the preparation, we will turn to scenarios in the second and third parts, starting by attacking the authentication layer, specifically Security Assertion Markup Language (SAML).

Further reading

This chapter covered many topics. If you want to know more, here is a list of invaluable resources:
