
Ethical Hacker's Penetration Testing Guide

Author: Samir Kumar Rakshit

Language: English
Pages: 411
Category: Library


✦ Table of Contents


Cover Page
Title Page
Copyright Page
Foreword
Dedication Page
About the Author
About the Reviewer
Acknowledgement
Preface
Errata
Table of Contents
1. Overview of Web and Related Technologies and Understanding the Application
Introduction
Structure
Objectives
Static vs dynamic web application, cookies
Static web application: No cookies, no state/session
Example of static web application
Dynamic web application (web application with session)
Web technologies: HTTP methods, response codes, and importance
HTTP response codes
Introduction to HTTP2
HTTPS basics
Hashing, salting, encrypting
Representational state transfer (REST)
Google Dorking/Google hacking
Simple Google Dorks Syntax for Recon
Web application architecture and understanding the application (Recon)
Visual site map
Basic Linux/Windows commands
Conclusion
References
2. Web Penetration Testing – Through Code Review
Introduction
Structure
Objectives
OWASP survey on effective detection methods for web vulnerabilities
OWASP top 10 vulnerabilities
OWASP's top 10 web application security risks
Attack surface
Code review: Things to look for while reviewing
URL encoding and Same Origin Policy (SOP)
URL encoding and escaping: The key is "In which order things are done"
URL, encoding, and escaping: Things to review
Same Origin Policy (SOP)
Code viewing for Cross Site Scripting (XSS)
SQL injection: The deadliest beast
IDOR/BOLA/Auth bypass is the new pandemic
Code review: Unrestricted file upload
Code review: Scary mistakes
Code review: Cryptography, hashing, and salt: Nothing is secure forever
Code review: Unvalidated URL Redirects
Conclusion
References
3. Web Penetration Testing – Injection Attacks
Introduction
Structure
Objective
Basic usages of Burp Proxy in pentesting
Proxying REST API request using Postman and Burp Proxy
Pentesting for XSS
XSS in HTML context
XSS in HTML attribute context
XSS in URL context (works on PHP based application)
XSS in JavaScript context
XSS with headers and cookies: Application which processes header information
XSS with certificate request or SSL certificate information
DOM XSS
Pentesting for SQL Injection
Pentesting for Simple SQL Injection
Pen testing for error-based SQL Injection
Blind SQL injection
Pen testing for time based Blind SQL Injection
Important usages of SQLMap for detecting SQL Injection
What to notice while the SQLMap scan just started?
Running SQLMap against Rest API
How to send POST request (Example: for REST API) using SQLMap?
Running SQLMap when URL does not have any query string
SQLMapper/CO2 extension for Burp Suite
Pentesting for Command Injection
Locating sensitive files in the server
Blind command injection
Conclusion
References
4. Fuzzing, Dynamic Scanning of REST API, and Web Application
Introduction
Structure
Objective
Fuzzing Web Application and REST API
Fuzz Faster U Fool (Ffuf): A fast web fuzzer written in Go
Fuzzing REST API by adding various HTTP Headers
Fuzzing authenticated pages/REST API end points with cookies
Various usage options of Ffuf
Using Burp Suite Turbo Intruder (Fuzzer that supports HTTP2)
Basic tricks in analyzing the output of fuzzing to conclude our findings
Dynamic scanning of REST API and web application with OWASP ZAP
Pentest REST API using OWASP ZAP
Various setting and tricks while using OWASP ZAP
Add your host in scope for scanning
Configure your application for ZAP Active scanning
Various Active scan settings for Input Vectors in OWASP ZAP
Other advanced settings of ZAP
ZAP Community scripts
Why will automation without your brain not get any good result?
Conclusion
References
5. Web Penetration Testing – Unvalidated Redirects/Forwards, SSRF
Introduction
Structure
Objective
Pen testing for unvalidated redirects or forwards
Pentesting for Server-Side Request Forgery (SSRF)
Pentesting for SSRF
SSRF scenario 1
SSRF scenario 2
Bypass of SSRF protection
Restriction of localhost or 127.0.0.1 bypass using "::1"
Other representation of localhost
IP obfuscation to bypass restriction for 127.0.0.1
IPv6/IPv4 address embedding
DNS spoofing
Conclusion
References
6. Pentesting for Authentication, Authorization Bypass, and Business Logic Flaws
Introduction
Structure
Objective
Authentication bypass
Authorization issues
Tricking authentication, authorization, and business logic
Business logic bypass test scenarios
IDOR/Access Control Bypass scenarios for REST API
Pen testing for HTTP 403 or Access Denied bypass
Conclusion
References
7. Pentesting for Sensitive Data, Vulnerable Components, Security Monitoring
Introduction
Structure
Objective
Sensitive data in log, URL, DB, config, default credentials
egrep
Various methods for assessing the application for sensitive data exposure issues
Discovering components with known vulnerabilities
OWASP RetireJS
Apache
OpenSSL
SSLyze
VulnerableCode
Snyk scan for GitHub
Deny access to backup and source files with .htaccess
Implement security logging and monitoring: Splunk Alerts
Conclusion
References
8. Exploiting File Upload Functionality and XXE Attack
Introduction
Structure
Objective
Pentesting for unrestricted file upload with REST API
Unrestricted file upload: XSS: File name having XSS payload
Unrestricted file upload: Remote Code Execution (RCE) attack
Unrestricted file upload: XSS: File metadata having malicious payload
Use null byte in file extension to bypass file extension checks
Use double extension of file to bypass file extension checks
Bypass Blacklisted extension check in file upload: Remote Code Execution (RCE) attack scenario
Bypass php gd() checks for file upload
XML and XXE attacks
XML custom entities
Protection against XXE attack
Performing Gray-Box XXE pentesting while doing Blackbox pentesting
Conclusion
References
9. Web Penetration Testing: Thick Client
Introduction
Structure
Objective
Thick Client application architecture
Understanding the Thick Client application
Perform reconnaissance of the Thick Client application
Reverse engineering the Thick Client application
Sensitive data in registry
Sensitive data in config file
Sensitive data in communication
Using Process Monitor
Username/password/keys in memory
SQL Injection vulnerability
Conclusion
References
10. Introduction to Network Pentesting
Introduction
Structure
Objective
Setting up of pentest lab
Various phases of pentesting
Host discovery and service detection using Nmap
Service (web server, SMTP etc.) detection
Nmap Scripting Engine (NSE)
Exploiting the vulnerabilities using Metasploit and other tools
Exploiting FTP (port 21) service using username enumeration with Hydra
Metasploit framework
Upgrade Metasploit framework on Kali
Scanning for port 8180 (Apache Tomcat) for getting access to Tomcat Admin Console
Exploiting VNC protocol
Setting up lab with log4jshell vulnerability (CVE-2021-44228)
Detecting log4j in the victim machine
Scanning for vulnerabilities using Nessus Essentials/Home
Conclusion
References
11. Introduction to Wireless Pentesting
Introduction
Structure
Objective
Reconnaissance to identify wireless network
Hacking into the wireless network by cracking weak password
Conclusion
References
12. Penetration Testing - Mobile App
Introduction
Structure
Objective
Android application security architecture
Android application build process
Android Application Package or Android Package Kit (APK) file
OWASP Top 10 mobile risks
Setting up lab for pentesting mobile App
Basic ADB commands
Install diva app in emulated mobile device for pentesting
Reverse engineering or analyze APK file
Embedded secrets in application code
Sensitive data printed on log
Sensitive data disclosure via SQLite DB
Insecure data storage
Extracting sensitive internal file through URL scheme hijacking
Debug enabled
SQL Injection vulnerability
Static Analysis using mobile security framework
Introducing dynamic analysis on MobSF
Conclusion
References
13. Security Automation for Web Pentest
Introduction
Structure
Objective
Prerequisite
Scenario 1: Brute Forcing Login Page
Scenario 2: Simple SQL Injection Checker
Scenario 3: Simple Privilege Escalation Checker
Scenario 4: Indirect Object Reference (IDOR) Checker
Conclusion
14. Setting Up Pentest Lab
Host machine: Windows 11 laptop
Download and install Python, pip, and other required modules
Download and install XAMPP and DVWA
Setting up insecure thick client application, DVTA and other required tools
Installing MS SQL Server and SQL Server Management Studio
Kali Linux Network Service Policy
Vulnerable victim machine: Metasploitable2
Setting up Windows VM
References
Index


SIMILAR VOLUMES


Ethical Hacker's Certification Guide (CE
Mohd Sohaib · Library · 2022 · BPB Publications · English

Dive into the world of securing digital networks, cloud, IoT, mobile infrastructure, and much more. KEY FEATURES ● Courseware and practice papers with solutions for C.E.H. v11. ● Includes hacking tools, social engineering techniques, and live exercises. ● Add on coverage on Web apps, IoT, cloud, and

Certified Ethical Hacker (CEH) Preparati
Ahmed Sheikh · Library · 2021 · Apress · English

Know the basic principles of ethical hacking. This book is designed to provide you with the knowledge, tactics, and tools needed to prepare for the Certified Ethical Hacker(CEH) exam―a qualification that tests the cybersecurity professional’s baseline knowledge of security threats, risks, and counte

Ethical Hacking and Penetration Testing
Rafay Baloch · Library · 2017 · Auerbach Publications · English

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking t

Ethical Hacking and Penetration Testing
Rafay Baloch · Library · 2014 · Auerbach Publications · English

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking t

Ethical Hacking and Penetration Testing
Rafay Baloch · Library · 2014 · Auerbach Publications, CRC Press · English

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of

Kali Linux - An Ethical Hacker's Cookboo
Himanshu Sharma · Library · 2017 · Packt Publishing · English

Key Features: Practical recipes to conduct effective penetration testing using the powerful Kali Linux; Leverage tools like Metasploit, Wireshark, Nmap, and many more to detect vulnerabilities with ease; Confidently perform networking and application attacks using task-o