There is no shortage of great security books that you can transition to after completing The Basics of Web Hacking. And, although not officially a book, the OWASP Testing Guide is a great publication for everybody interested in web application security and can be downloaded (or purchased as a hard copy) at https://www.owasp.org/index.php/OWASP_Testing_Project. In no particular order, here are some other books that you are especially encouraged to look into.
■ The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto
■ The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (2nd Edition) by Patrick Engebretson
■ The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski
■ Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni
■ Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig
■ Gray Hat Hacking: The Ethical Hacker's Handbook by Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams
■ Fuzzing for Software Security Testing and Quality Assurance by Ari Takanen, Jared DeMott, and Charlie Miller
Index
Note: Page numbers followed by b indicate boxes and f indicate figures.
A
Access Controller API, 132
Access Reference Map API, 132
Application server, 8
Authentication attacks
  features, 87–88
  proxy-based tool, 87–88

B
BackTrack, 12–13, 14f
Browser Exploitation Framework (BeEF) project, 123
Brute Force exercise, for online authentication attack
  Burp Intruder
    brute force logins, 93–94, 94f
    configuration of, 90–92
    payloads, 92–93
    runtime file selection, 93, 94f
  intercepting authentication attempt, 89–90
Burp Scanner
  configuration, 59
  reviewing results, 59–62
  running, 59
Burp Sequencer
  bit level results, 97, 99f
  description, 96
  entropy results, 97, 98f
  identification of session identifier, 96, 97f
  procedure, 96
Burp Suite Intercept
  configuration, 43–45
  spidering
    automated, 45
    manual, 45
  running, 45–49

C
Code injection vulnerabilities
  Burp Suite tools, 68, 69
  OS command injection
    command execution exercise, 80–82
    for hackers, 79–80
  SQL injection
    DVWA exercise, 66–75
    feature, 64
    for hackers, 65–66
    SQL interpreter, 64–65
  web shells, 85
    cmd URL parameter, 86
    custom commands execution, 84, 86f
    description, 83
    file locations, 84, 84f
    netstat results, 84, 86f
    primitive command shell, 85
    shellhelp command, 84, 85f
    uploading to DVWA web server, 83, 83f
Common Vulnerability and Exposures (CVE) identifier, 31
Cookie, 5
Credential Harvester method, 121
Cross-site request forgery (CSRF), 11
  attacks, 119–120
  defense approach, 135
  Prevention Cheat Sheet, 135
  requirements, 106–107
  vs. XSS, 107
Cross-site scripting (XSS), 9–10
  See also Reflected XSS attacks; Stored XSS attacks
  browser defenses, 134
  code defenses, 134
  vs. CSRF, 107
  description, 106
  encoding schemes, 110
  JavaScript alert box usage, 110
  payloads, 111
  Prevention Cheat Sheet, 133
  same origin policy, 110
Cross-site scripting framework (XSSF), 123
CSRF, See Cross-site request forgery (CSRF)

D
Damn Vulnerable Web Application (DVWA)
  configuration, 14–17
  installation, 13–14
  install script, 17–18
  properties, 13
DirBuster, 58
Directory traversal attacks, See Path traversal attacks

E
Enterprise Security Application Programming Interface (ESAPI), 126–128, 129, 131, 132
Exploitation, web server hacking
  Metasploit, 35–40
  payload, 34
  vulnerability, 34

F
Forced browsing, 103

H
Hacking, web server, See Web server hacking
Hypertext Transfer Protocol (HTTP)
  cycles, 4
  headers, 5
  Status Codes, 5–6
  usage of, 4

I
Injection vulnerabilities, 9
Input Validation Cheat Sheet, 133–134

J
Java Applet attack method, 121, 122
John the Ripper (JtR) password cracker, 74

L
Local host (LHOST), 38

M
Maintaining access, 40
Man left in the middle attack method, 121
Metasploit
  browser exploit method, 121
  exploit command, 39–40
  search, 35–36
  set option, 39
  set payload, 37–38
  show options, 38–39, 38b
  show payloads, 36–37
  use, 36
Multi-attack web method, 122

N
Nessus
  configuration, 29
  installation, 28–29
  reviewing results, 30–31
  running, 29–30
Network hacking, See Web server hacking
Nikto, 31–34
Nmap
  alert, 25b
  Nmap scripting engine, 25–27
  running, 24–25
  updating, 23–24

O
Offline password cracker, 73–74
Online password cracker, 73–74
Open-source security testing methodology manual (OSSTM), 8
Open Source Vulnerability Database (OSVDB), 34
Operating system (OS) command injection
  command execution exercise, 80–82
  for hackers, 79–80

P
Path traversal attacks
  forceful browsing, 103
  web server file structure
    directory discovery, 101, 101f
    /etc/passwd file retrieval, 102–103, 102f
    partial directory structure, 100, 100f
    up a directory command, 102
Path traversal fixes, 131–132
Penetration testing execution standard (PTES), 8
Port scanning, Nmap
  Nmap scripting engine, 25–27
  running, 24–25
  updating, 23–24

R
Referrer, 5
Reflected XSS attacks
  encoding XSS payloads, 114–115
  proof-of-concept attack, 112, 112f
  requirements, 111, 111f
  server response, interception of, 113–114
  on session identifiers, 116, 117f
  in URL address bar, 116
Remote host (RHOST), 38
Robots.txt file, 21–23

S
Safe test environment
  BackTrack, 12–13, 14f
  DVWA install script, 17–18
  requirements, 11–12
  target web application
    configuration, 14–17
    DVWA, 13
    installing, 13–14
  virtual machine (VM), 12
  VMWare Player, 12
Sandbox
  BackTrack, 12–13, 14f
  DVWA install script, 17–18
  requirements, 11–12
  target web application
    configuration, 14–17
    DVWA, 13
    installing, 13–14
  virtual machine (VM), 12
  VMWare Player, 12
Scanner, web application
  Burp Scanner, 58–62
  deficiencies
    broken access control, 51
    forceful browsing, 52
    logic flaws, 52
    meaningful parameter names, 51
    multistep stored XSS, 52
    session attacks, 52
    stored SQL injection, 51
    weak passwords, 51
  vulnerabilities
    input-based, client side, 50
    input-based, server side, 50
    request and response cycle, 51
  ZAP, 52–58
Security community groups
  additional books, 141
  certifications, 140–141
  and events
    AppSecUSA, 138
    B-Sides events, 138–139
    DakotaCon, 138
    DerbyCon, 138
    in Las Vegas, 138
    ShmooCon, 138
  formal education, 140
  in-person and online training workshops, 139–140
  regional and local, 139
Security misconfiguration, 11
Session attacks
  Burp Sequencer tests
    bit level results, 97, 99f
    description, 96
    entropy results, 97, 98f
    procedure, 96
  cookie reuse concept, 97–100
  session-generating algorithms, cracking of, 95
Session donation, 95
Session fixation, 95
Session hijacking, 95
Session ID in URL, 95
Session management fixes, 131
Social-Engineer Toolkit (SET)
  attack vectors, 121
  IP address, 122
  welcome menu, 120, 121f
Spear phishing toolkit (SPT), 123
SQL injection
  DVWA exercise
    bypassing authentication, 68–69
    goals, 66–75
    offline password cracking, 74–75
    password hashes, 73–74
    sqlmap, 75–79
    username and password, of administrator, 70–73
    vulnerability, 66–68
  feature, 64
  for hackers, 65–66
  SQL interpreter, 64–65
sqlmap tool, 75–79
Stored XSS attacks
  guest book entries, 118, 119f
  input and output, 118, 118f
  schematic illustration, 117, 117f

T
TabNabbing method, 121
Technical social engineering
  attacks, 107–108
  fixes, 135–136

V
Virtual machine (VM), 12
VMWare Player, 12
Vulnerability scanning
  and antivirus products, 27
  Nessus, 28–31
  Nikto, 31–34

W
Web applications
  database server and database, 7
  definition, 2
  file server, 8
  fixes
    broken authentication fixes, 130–131
    ESAPI project, 126–128
    injection fixes, 128–129
    path traversal fixes, 131–132
    session management fixes, 131
  injection types, 63
  recon
    Burp Suite Intercept, 43–45
    guidance, 42
    web proxy, 42–43
  scanning
    Burp Scanner, 58–62
    deficiencies, 51–52
    vulnerabilities, 50–51
    ZAP, 52–58
  security development, 1–2
  third-party, off-the-shelf components, 8
  tools, 41
  vulnerability, 3
Web hacking approach
  phases, 6
  tools, 7
  web application, 6–7
  web server, 6
  web user, 7
Web-Jacking attack method, 121
Web server(s), 3–4
Web server hacking
  exploitation
    Metasploit, 35–40
    payload, 34
    vulnerability, 34
  fixes
    generic error messages, 126, 127f
    server hardening, 125–126
  maintaining access, 40
  port scanning, Nmap
    Nmap scripting engine, 25–27
    running, 24–25
    updating, 23–24
  reconnaissance stage
    host, 20, 21
    netcraft, 21
    robots.txt file, 21–23
    targeting, 20–21
  vulnerability scanning
    and antivirus products, 27
    Nessus, 28–31
    Nikto, 31–34
Web shells, 85
  cmd URL parameter, 86
  custom commands execution, 84, 86f
  description, 83
  file locations, 84, 84f
  netstat results, 84, 86f
  primitive command shell, 85
  shellhelp command, 84, 85f
  uploading to DVWA web server, 83, 83f
Web user
  attack frameworks
    BeEF, 123
    SET, 120–123
    SPT, 123
    XSSF, 123
  fixes, 132–136
    CSRF Prevention Cheat Sheet, 135
    Input Validation Cheat Sheet, 133–134
    XSS Prevention Cheat Sheet, 133
  CSRF (See Cross-site request forgery (CSRF))
  technical social engineering attacks, 107–108
  XSS (See Cross-site scripting (XSS))
  recon efforts, 108–109
  scanning, 109
Web vulnerabilities
  broken authentication and session management, 10–11
  cross-site request forgery, 11
  cross-site scripting, 9–10
  injection, 9
  scanner
    input-based, client side, 50
    input-based, server side, 50
    request and response cycle, 51
  security misconfiguration, 11

X
XSS, See Cross-site scripting (XSS)
XSSF, See Cross-site scripting framework (XSSF)

Z
Zed Attack Proxy (ZAP) scanning
  Brute Force, 58
  configuration, 52–53
  reviewing results, 56–57
  running, 54–56