Mastering Modern Web Penetration Testing

Master the art of conducting modern pen testing attacks and techniques on your web application before the hacker does!
Preview in Mapt

Mastering Modern Web Penetration Testing

Prakhar Prasad

2 customer reviews
Master the art of conducting modern pen testing attacks and techniques on your web application before the hacker does!

Quick links: > What will you learn?> Table of content> Product reviews

eBook
$25.20
RRP $35.99
Save 29%
Print + eBook
$44.99
RRP $44.99
What do I get with a Mapt Pro subscription?
  • Unlimited access to all Packt’s 5,000+ eBooks and Videos
  • Early Access content, Progress Tracking, and Assessments
  • 1 Free eBook or Video to download and keep every month after trial
What do I get with an eBook?
  • Download this book in EPUB, PDF, MOBI formats
  • DRM FREE - read and interact with your content when you want, where you want, and how you want
  • Access this title in the Mapt reader
What do I get with Print & eBook?
  • Get a paperback copy of the book delivered to you
  • Download this book in EPUB, PDF, MOBI formats
  • DRM FREE - read and interact with your content when you want, where you want, and how you want
  • Access this title in the Mapt reader
What do I get with a Video?
  • Download this Video course in MP4 format
  • DRM FREE - read and interact with your content when you want, where you want, and how you want
  • Access this title in the Mapt reader
$25.20
$44.99
RRP $35.99
RRP $44.99
eBook
Print + eBook

Frequently bought together


Mastering Modern Web Penetration Testing Book Cover
Mastering Modern Web Penetration Testing
$ 35.99
$ 25.20
Mastering Metasploit - Second Edition Book Cover
Mastering Metasploit - Second Edition
$ 39.99
$ 28.00
Buy 2 for $35.00
Save $40.98
Add to Cart

Book Details

ISBN 139781785284588
Paperback298 pages

Book Description

Web penetration testing is a growing, fast-moving, and absolutely critical field in information security. This book executes modern web application attacks and utilises cutting-edge hacking techniques with an enhanced knowledge of web application security.

We will cover web hacking techniques so you can explore the attack vectors during penetration tests. The book encompasses the latest technologies such as OAuth 2.0, Web API testing methodologies and XML vectors used by hackers. Some lesser discussed attack vectors such as RPO (relative path overwrite), DOM clobbering, PHP Object Injection and etc. has been covered in this book.

We'll explain various old school techniques in depth such as XSS, CSRF, SQL Injection through the ever-dependable SQLMap and reconnaissance.

Websites nowadays provide APIs to allow integration with third party applications, thereby exposing a lot of attack surface, we cover testing of these APIs using real-life examples.

This pragmatic guide will be a great benefit and will help you prepare fully secure applications.

Table of Contents

Chapter 1: Common Security Protocols
SOP
CORS
URL encoding – percent encoding
Double encoding
Base64 encoding
Summary
Chapter 2: Information Gathering
Information gathering techniques
Enumerating Domains, Files, and Resources
Fierce
theHarvester
SubBrute
CeWL
DirBuster
WhatWeb
Shodan
DNSdumpster
Reverse IP Lookup – YouGetSignal
Pentest-Tools
Google Advanced Search
Summary
Chapter 3: Cross-Site Scripting
Reflected XSS
Stored XSS
Flash-based XSS – ExternalInterface.call()
HttpOnly and secure cookie flags
DOM-based XSS
XSS exploitation – The BeEF
Summary
Chapter 4: Cross-Site Request Forgery
Introducing CSRF
Exploiting POST-request based CSRF
How developers prevent CSRF?
PayPal's CSRF vulnerability to change phone numbers
Exploiting CSRF in JSON requests
Using XSS to steal anti-CSRF tokens
Exploring pseudo anti-CSRF tokens
Flash comes to the rescue
Summary
Chapter 5: Exploiting SQL Injection
Installation of SQLMap under Kali Linux
Introduction to SQLMap
Dumping the data – in an error-based scenario
SQLMap and URL rewriting
Speeding up the process!
Dumping the data – in blind and time-based scenarios
Reading and writing files
Handling injections in a POST request
SQL injection inside a login-based portal
SQL shell
Command shell
Evasion – tamper scripts
Configuring with proxies
Summary
Chapter 6: File Upload Vulnerabilities
Introducing file upload vulnerability
Remote code execution
The return of XSS
Denial of Service
Bypassing upload protections
MIME content type verification bypass
Summary
Chapter 7: Metasploit and Web
Discovering Metasploit modules
Interacting with Msfconsole
Using Auxiliary Modules related to Web Applications
Understanding WMAP – Metasploit's Web Application Security Scanner
Generating Web backdoor payload with Metasploit
Summary
Chapter 8: XML Attacks
XML 101 – the basics
XXE attack
XML quadratic blowup
Summary
Chapter 9: Emerging Attack Vectors
Server Side Request Forgery
Insecure Direct Object Reference
DOM clobbering
Relative Path Overwrite
UI redressing
PHP Object Injection
Summary
Chapter 10: OAuth 2.0 Security
Introducing the OAuth 2.0 model
Receiving grants
Exploiting OAuth for fun and profit
Summary
Chapter 11: API Testing Methodology
Understanding REST APIs
Setting up the testing environment
Learning the API
Basic methodology to test developer APIs
Summary

What You Will Learn

  • Get to know the new and less-publicized techniques such PHP Object Injection and XML-based vectors
  • Work with different security tools to automate most of the redundant tasks
  • See different kinds of newly-designed security headers and how they help to provide security
  • Exploit and detect different kinds of XSS vulnerabilities
  • Protect your web application using filtering mechanisms
  • Understand old school and classic web hacking in depth using SQL Injection, XSS, and CSRF
  • Grasp XML-related vulnerabilities and attack vectors such as XXE and DoS techniques
  • Get to know how to test REST APIs to discover security issues in them

Authors

Table of Contents

Chapter 1: Common Security Protocols
SOP
CORS
URL encoding – percent encoding
Double encoding
Base64 encoding
Summary
Chapter 2: Information Gathering
Information gathering techniques
Enumerating Domains, Files, and Resources
Fierce
theHarvester
SubBrute
CeWL
DirBuster
WhatWeb
Shodan
DNSdumpster
Reverse IP Lookup – YouGetSignal
Pentest-Tools
Google Advanced Search
Summary
Chapter 3: Cross-Site Scripting
Reflected XSS
Stored XSS
Flash-based XSS – ExternalInterface.call()
HttpOnly and secure cookie flags
DOM-based XSS
XSS exploitation – The BeEF
Summary
Chapter 4: Cross-Site Request Forgery
Introducing CSRF
Exploiting POST-request based CSRF
How developers prevent CSRF?
PayPal's CSRF vulnerability to change phone numbers
Exploiting CSRF in JSON requests
Using XSS to steal anti-CSRF tokens
Exploring pseudo anti-CSRF tokens
Flash comes to the rescue
Summary
Chapter 5: Exploiting SQL Injection
Installation of SQLMap under Kali Linux
Introduction to SQLMap
Dumping the data – in an error-based scenario
SQLMap and URL rewriting
Speeding up the process!
Dumping the data – in blind and time-based scenarios
Reading and writing files
Handling injections in a POST request
SQL injection inside a login-based portal
SQL shell
Command shell
Evasion – tamper scripts
Configuring with proxies
Summary
Chapter 6: File Upload Vulnerabilities
Introducing file upload vulnerability
Remote code execution
The return of XSS
Denial of Service
Bypassing upload protections
MIME content type verification bypass
Summary
Chapter 7: Metasploit and Web
Discovering Metasploit modules
Interacting with Msfconsole
Using Auxiliary Modules related to Web Applications
Understanding WMAP – Metasploit's Web Application Security Scanner
Generating Web backdoor payload with Metasploit
Summary
Chapter 8: XML Attacks
XML 101 – the basics
XXE attack
XML quadratic blowup
Summary
Chapter 9: Emerging Attack Vectors
Server Side Request Forgery
Insecure Direct Object Reference
DOM clobbering
Relative Path Overwrite
UI redressing
PHP Object Injection
Summary
Chapter 10: OAuth 2.0 Security
Introducing the OAuth 2.0 model
Receiving grants
Exploiting OAuth for fun and profit
Summary
Chapter 11: API Testing Methodology
Understanding REST APIs
Setting up the testing environment
Learning the API
Basic methodology to test developer APIs
Summary

Book Details

ISBN 139781785284588
Paperback298 pages
Read More
From 2 reviews

Read More Reviews

Recommended for You

Mastering Metasploit - Second Edition Book Cover
Mastering Metasploit - Second Edition
$ 39.99
$ 28.00
Python: Penetration Testing for Developers Book Cover
Python: Penetration Testing for Developers
$ 67.99
$ 47.60
Building Virtual Pentesting Labs for Advanced Penetration Testing - Second Edition Book Cover
Building Virtual Pentesting Labs for Advanced Penetration Testing - Second Edition
$ 47.99
$ 33.60
Kali Linux 2 - Assuring Security by Penetration Testing - Third Edition Book Cover
Kali Linux 2 - Assuring Security by Penetration Testing - Third Edition
$ 35.99
$ 25.20
Penetration Testing: A Survival Guide Book Cover
Penetration Testing: A Survival Guide
$ 69.99
$ 49.00
Web Development with Bootstrap 4 and Angular 2 - Second Edition Book Cover
Web Development with Bootstrap 4 and Angular 2 - Second Edition
$ 39.99
$ 28.00