Becoming the Hacker: The Playbook for Getting Inside the Mind of the Attacker [1 ed.] 1788627962, 9781788627962

Web penetration testing by becoming an ethical hacker. Protect the web by learning the tools, and the tricks of the web

1,782 39 11MB

English Pages 404 [405] Year 2019

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Cover
Copyright
Packt upsell
Contributors
Table of Contents
Preface
Chapter 1 - Introduction to Attacking Web Applications
Rules of engagement
Communication
Privacy considerations
Cleaning up
The tester's toolkit
Kali Linux
Kali Linux alternatives
The attack proxy
Burp Suite
Zed Attack Proxy
Cloud infrastructure
Resources
Exercises
Summary
Chapter 2 - Efficient Discovery
Types of assessments
Target mapping
Masscan
WhatWeb
Nikto
CMS scanners
Efficient brute-forcing
Content discovery
Burp Suite
OWASP ZAP
Gobuster
Persistent content discovery
Payload processing
Polyglot payloads
Same payload, different context
Code obfuscation
Resources
Exercises
Summary
Chapter 3 - Low-Hanging Fruit
Network assessment
Looking for a way in
Credential guessing
A better way to shell
Cleaning up
Resources
Summary
Chapter 4 - Advanced Brute-forcing
Password spraying
LinkedIn scraping
Metadata
The cluster bomb
Behind seven proxies
Torify
Proxy cannon
Summary
Chapter 5 - File Inclusion Attacks
RFI
LFI
File inclusion to remote code execution
More file upload issues
Summary
Chapter 6 - Out-of-Band Exploitation
A common scenario
Command and control
Let’s Encrypt Communication
INet simulation
The confirmation
Async data exfiltration
Data inference
Summary
Chapter 7 - Automated Testing
Extending Burp
Authentication and authorization abuse
The Autorize flow
The Swiss Army knife
sqlmap helper
Web shells
Obfuscating code
Burp Collaborator
Public Collaborator server
Service interaction
Burp Collaborator client
Private Collaborator server
Summary
Chapter 8 - Bad Serialization
Abusing deserialization
Attacking custom protocols
Protocol analysis
Deserialization exploit
Summary
Chapter 9 - Practical Client-Side Attacks
SOP
Cross-origin resource sharing
XSS
Reflected XSS
Persistent XSS
DOM-based XSS
CSRF
BeEF
Hooking
Social engineering attacks
The keylogger
Persistence
Automatic exploitation
Tunneling traffic
Summary
Chapter 10 - Practical Server-Side Attacks
Internal and external references
XXE attacks
A billion laughs
Request forgery
The port scanner
Information leak
Blind XXE
Remote code execution
Interactive shells
Summary
Chapter 11 - Attacking APIs
API communication protocols
SOAP
REST
API authentication
Basic authentication
API keys
Bearer authentication
JWTs
JWT quirks
Burp JWT support
Postman
Installation
Upstream proxy
The environment
Collections
Collection Runner
Attack considerations
Summary
Chapter 12 - Attacking CMS
Application assessment
WPScan
sqlmap
Droopescan
Arachni web scanner
Backdooring the code
Persistence
Credential exfiltration
Summary
Chapter 13 - Breaking Containers
Vulnerable Docker scenario
Foothold
Situational awareness
Container breakout
Summary
Other Books You May Enjoy
Index

Becoming the Hacker: The Playbook for Getting Inside the Mind of the Attacker [1 ed.]
 1788627962, 9781788627962

  • Commentary
  • Vector PDF
  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Recommend Papers