A Beginner's Guide to Web Application Penetration Testing - Abdollahi, Ali

        Overview of A Beginner's Guide To Web Application Penetration Testing by Abdollahi, Ali (paperback) - Computing book

        Computing book - Abdollahi, Ali - 01/01/2025 - Paperback - Language: English

      • Author(s): Abdollahi, Ali
      • Publisher: Wiley
      • Language: English
      • Publication date: 01/01/2025
      • Format: Medium, 350 g to 1 kg
      • Number of pages: 352
      • ISBN: 9781394295593



      • Summary:

        A practical, beginner-friendly introduction to web app pentesting

        In A Beginner's Guide to Web Application Penetration Testing, cybersecurity trainer and veteran Ali Abdollahi delivers an incisive and timely discussion of penetration testing that addresses the increasing importance of web application security. The author takes a dual approach, incorporating both theory and practical skills, equipping readers with the knowledge they need to kickstart their journey into the web application penetration testing field.

        The book walks you through the five main stages of a comprehensive penetration test: scoping and recon, scanning, gaining and maintaining access, analysis, and reporting. You'll learn how to use popular and effective security tools, as well as how to combat the ten most common security vulnerability categories publicized by the Open Web Application Security Project (OWASP).

        From hands-on demonstrations of techniques - like subdomain enumeration with Sublist3r and Subfinder - to practice with input validation and external entity disabling for security maintenance, the book gives you a first-person view of pentesting you can implement immediately.

        Perfect for software engineers with an interest in penetration testing, security analysts, web developers, and other information technology professionals, A Beginner's Guide to Web Application Penetration Testing is also an essential read for students of cybersecurity, software engineering, computer science, and related tech industries....

        Biography:

        ALI ABDOLLAHI is a cybersecurity researcher with over 12 years of experience. Currently, he is the application and offensive security manager at Canon EMEA. He studied computer engineering, published articles, and holds several professional certificates. Ali is a Microsoft MVP and regular speaker or trainer at industry conferences and events....

        Table of contents:

        Foreword

        Introduction

        Chapter 1 Introduction to Web Application Penetration Testing
        The Importance of Web Application Security
        Overview of Web Application Penetration Testing
        The Penetration Testing Process
        Methodologies
        Tools and Techniques
        Reporting
        Types of Web Application Vulnerabilities
        Key Takeaways

        Chapter 2 Setting Up Your Penetration Testing Environment
        Setting Up Virtual Machines
        Container Option
        Kali Linux Installation
        PentestBox
        Installing DVWA
        OWASP Juice Shop
        Burp Suite
        OWASP ZED Attack Proxy
        WILEY Preconfigured Environment
        Key Takeaways

        Chapter 3 Reconnaissance and Information Gathering
        Passive Information Gathering
        Automating Subdomain Enumeration
        Active Information Gathering
        Open-Source Intelligence Gathering
        Key Takeaways

        Chapter 4 Cross-Site Scripting
        XSS Categories
        Reflected XSS
        Stored XSS
        Automatic User Session Hijacking
        Website Defacement Using XSS
        DOM-Based XSS
        Self-XSS
        Browser Exploitation Framework
        XSS Payloads and Bypasses
        XSS Mitigation Techniques
        Reflected XSS Bypass Techniques
        Stored XSS Bypass Technique
        Key Takeaways

        Chapter 5 SQL Injection
        What Is SQL Injection?
        Types of SQL Injection
        Error-Based SQL Injection
        Union-Based SQL Injection
        Blind SQL Injection
        SQLMap
        SQL Injection Payloads with ChatGPT
        SQL Injection Prevention
        Key Takeaways

        Chapter 6 Cross-Site Request Forgery
        Hunting CSRF Vulnerability
        CSRF Exploitation
        XSS and CSRF
        Clickjacking
        Generating an Effective Proof of Concept Using ChatGPT
        Tips for Developers
        Key Takeaways

        Chapter 7 Server-Side Attacks and Open Redirects
        Server-Side Request Forgery
        SSRF in Action
        SSRF Vulnerability
        Blind SSRF
        Local File Inclusion
        Remote File Inclusion
        Open Redirect
        Server-Side Attacks Differences
        Security Mitigations
        Key Takeaways

        Chapter 8 XML-Based Attacks
        XML Fundamentals
        XXE Exploitation
        Hunting XML Entry Points
        SSRF Using XXE
        DoS Using XXE
        XXE Payload and Exploitation with ChatGPT
        XML-Based Attacks Countermeasures
        Key Takeaways

        Chapter 9 Authentication and Authorization
        Password Cracking and Brute-Force Attacks
        Credential Stuffing Attack
        Password Spraying
        Password Spraying Using Burp Suite Intruder
        Other Automated Tools for Password Attacks
        JSON Web Token
        Key Takeaways

        Chapter 10 API Attacks
        OWASP API Top 10
        API Enumeration and Discovery
        API Discovery Using ChatGPT
        API Broken Object-Level Authorization Exploitation
        Rate Limiting
        API Penetration Testing Tools
        API Security Tips
        Key Takeaways

        Appendix A Best Practices and Standards
        Information Gathering
        Configuration and Deployment Management Testing
        Identity Management Testing
        Authentication Testing
        Authorization Testing
        Session Management Testing

        ...
