Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Attacking and Exploiting Modern Web Applications
  • Table Of Contents Toc
  • Feedback & Rating feedback
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

By : Simone Onofri, Onofri
4.9 (14)
Buy this Book
close
close
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

4.9 (14)
By: Simone Onofri, Onofri
Buy this Book

Overview of this book

Web attacks and exploits pose an ongoing threat to the interconnected world. This comprehensive book explores the latest challenges in web application security, providing you with an in-depth understanding of hackers' methods and the practical knowledge and skills needed to effectively understand web attacks. The book starts by emphasizing the importance of mindset and toolset in conducting successful web attacks. You’ll then explore the methodologies and frameworks used in these attacks, and learn how to configure the environment using interception proxies, automate tasks with Bash and Python, and set up a research lab. As you advance through the book, you’ll discover how to attack the SAML authentication layer; attack front-facing web applications by learning WordPress and SQL injection, and exploit vulnerabilities in IoT devices, such as command injection, by going through three CTFs and learning about the discovery of seven CVEs. Each chapter analyzes confirmed cases of exploitation mapped with MITRE ATT&CK. You’ll also analyze attacks on Electron JavaScript-based applications, such as XSS and RCE, and the security challenges of auditing and exploiting Ethereum smart contracts written in Solidity. Finally, you’ll find out how to disclose vulnerabilities. By the end of this book, you’ll have enhanced your ability to find and exploit web vulnerabilities.
Table of Contents (14 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Attack Preparation
Part 1: Attack Preparation
Free Chapter
2
Chapter 1: Mindset and Methodologies
chevron up
Chapter 1: Mindset and Methodologies
Approach and mindset
Methodologies and frameworks
Summary
Further reading
3
Chapter 2: Toolset for Web Attacks and Exploitation
Chapter 2: Toolset for Web Attacks and Exploitation
Technical requirements
Operating systems and the tools of the trade
Virtualization and containerization systems
Summary
Further reading
4
Part 2: Evergreen Attacks
Part 2: Evergreen Attacks
5
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Technical requirements
The Doors of Durin SAML login scenario
How does SAML work and what are its vulnerabilities?
Other authentication methods used with HTTP
How to discover and exploit vulnerabilities in SAML
Summary
Further reading
6
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Technical requirements
WordPress scenario introduction
How does SQL injection work?
How to discover and exploit SQL injection vulnerabilities
Summary
Further reading
7
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Technical requirements
IoT router exploitation scenario introduction
How to analyze IoT devices
How to find and exploit vulnerabilities in IoT devices
Summary
Further reading
8
Part 3: Novel Attacks
Part 3: Novel Attacks
9
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Technical requirements
Electron JavaScript applications scenario introduction
How Electron JavaScript applications and XSS work
How to find and exploit XSS in Electron JavaScript applications to obtain RCE
Summary
Further reading
10
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Technical requirements
LicenseManager smart contract scenario
How smart contracts work on the Ethereum blockchain and security considerations
How to find and exploit vulnerabilities in Ethereum smart contracts
Summary
Further reading
11
Chapter 8: Continuing the Journey of Vulnerability Discovery
Chapter 8: Continuing the Journey of Vulnerability Discovery
An approach to discovering vulnerabilities
The dilemma of disclosing vulnerabilities
Summary
Further reading
12
Index
Index
Why subscribe?
13
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Methodologies and frameworks

As Pete wrote in the Open Source Security Testing Methodology Manual (OSSTMM) [14], “A security methodology is not a simple thing. It is the back-end of a process or solution which defines what or who is tested as well as when and where. It has to contain a lot of information, processes, steps, and what needs to be done. There are many valuable methodologies in security testing. What is needed is to know them all and to be able to combine them correctly, taking cues and inspiration.

Let’s first look at the primary methodologies and then explore how to blend them effectively.

NIST SP 800-115

The 800-115 special publication is a technical guide from the US National Institute for Standards and Technologies (NIST), entitled Technical Guide to Information Security Testing and Assessment. It was last updated in 2008. The process is as follows:

Figure 1.2 – The SP 800-115 process

Figure 1.2 – The SP 800-115 process

Skipping the organizational aspects, such as Planning and Reporting, Execution starts with an initial Discovery phase, divided into steps. The first one is Information Gathering – for web applications. It involves understanding the web server and mapping the hosted applications, the various pages for each application, and the input entry points. The second step is related to Vulnerability Analysis.

The Attack phase we are most interested in is Gaining Access when we effectively execute the exploits. The other steps, such as Escalating Privileges, System Browsing, and Installing Additional Tools, are often outside the pure web scope (even if uploading a web shell can be a good idea).

Appendix C contains some helpful information for application testing. It also describes three testing techniques we have already discussed: white box (static analysis), black box (analyzing up-and-running code), and gray box (a mix of the two).

White box techniques are cost-effective but limited because verifying an application’s interactions with other components is impossible. It recommends black box techniques, at least for critical components, as they help analyze the interactions between an application and other components.

Penetration Testing Execution Standard (PTES)

PTES was published in 2014 by several security practitioners. This process, which we previously discussed, is shown here:

Figure 1.3 – PTES technical process

Figure 1.3 – PTES technical process

While similar to NIST SP 800-115, PTES goes deeper into the technical aspects and clearly defines a Threat Modeling phase that helps us better understand potential threats. This methodology also includes management steps such as pre-engagement interactions and reporting.

Focusing on the technical components, we can see elements such as Intelligence Gathering, Threat Modeling, Vulnerability Analysis, and finally, the culminating Exploitation phase.

The Vulnerability Analysis phase is notable because it involves active and passive identification of vulnerabilities and a validation part, where we compare the data we collect. Perhaps the most exciting aspect is the private research phase. This involves recreating the environment and hunting for vulnerabilities by fuzzing, reading, or decompiling code.

Finally, although this often serves as a new starting point, we have the comprehensive Post-Exploitation phase. This reminds us that we can use the compromised system as a pivot point within the network.

OWASP's WSTG

OWASP is an independent organization dedicated to spreading an application security culture. One of the primary documents for a security test is the WSTG.

The Top 10 is also produced, which is used to make the general public aware of the most critical risks.

The WSTG, currently at version 4.2, was published in 2020, and it is structured into several parts:

  • The first and second parts provide an introduction to application security
  • The third part describes how to perform the various tests during the life cycle of an application
  • The fourth part contains one of the most comprehensive lists of the various tests that can be performed, divided by category
  • The fifth part provides an example of reporting

What interests us most in this context is the fourth part, which contains the test categories that we often use as an operational checklist of what to look for when faced with an application:

Figure 1.4 – OWASP WSTG sections

Figure 1.4 – OWASP WSTG sections

During a penetration test, the following steps are usually taken:

  1. First, start with Information Gathering, Configuration, Deployment Management, and Weak Cryptography in the system configuration to understand the general situation of applying its context.
  2. Then, carry out an analysis of the Authentication part, including the elements of Authorization, Identity, and Session Management.
  3. We then continue with the “pure” fuzzing part, with Input Validation, Client-Side Testing, and API Testing, always looking at errors, how we are answered, or the absence of an answer.
  4. This then concludes by verifying the application’s Business Logic, which often requires manual intervention.

It is important to remember that the WSTG focuses on the application level, so it lacks all the elements of privilege escalation that may accompany the attack, but other guides cover them.

ISECOM's OSSTMM

The Institute for Security and Open Methodologies (ISECOM) is a research community that produces resources, tools, and certifications in security. One of the primary documents we can refer to is the OSSTMM. Now in its third version in 2010, it began in late 2000 and early 2001, and it was one of the first methodologies published. It is currently one of the most inclusive methodologies and is structured as follows:

  • The first five chapters describe a meta-model for security testing
  • The sixth chapter describes the workflow to be used
  • Chapters 7 to 11 contain the test “channels” – human, physical, wireless, telecommunications, and data networks
  • The last chapters contain information on compliance and reporting

Unfortunately, version 4 – which contains a particular chapter for the application “channel” – has not yet been released in the public domain. However, its first version had a “web bug analysis” section.

The OSSTMM focuses not on attacks or exploitation but on the broader concept of security testing. It is still helpful to figure out which tests to run and map out the various workflow steps (as shown in the following figure) when testing a web application. It is a must-read. It will change how you approach testing, just as it did for us.

Figure 1.5 – The OSSTMM process

Figure 1.5 – The OSSTMM process

The recipe

We have created a recipe incorporating NIST SP 800-115, PTES, OWASP's WSTG, and The OSSTMM.

The PTES sections form the foundation of the process. We employ testing techniques outlined in NIST SP 800-115 during the Vulnerability Analysis and Exploitation phases. Throughout all phases, we refer to the WSTG as a task checklist. The approach is built upon the OSSTMM and its philosophy, which is the backbone:

  • Information gathering: Finding helpful information for the subsequent phases, such as the applications installed and web server information:
    • PTES: Intelligence gathering
    • SP 800-115: Discovery (information gathering and scanning)
    • WSTG: Information gathering, configuration, deployment management testing, and weak cryptography for the system part (from Chapter 4)
  • Threat modeling: To understand which kind of attacks and vulnerabilities can be helpful considering the application, its technical aspect, and the interest of a threat actor:
    • PTES: Threat modeling
    • WSTG: Threat modeling from Chapter 2, which considers the tests from Chapter 4
  • Vulnerability analysis: We use testing techniques to identify and look at the vulnerabilities list:
    • PTES: Vulnerability analysis.
    • SP 800-115: Discovery (vulnerability analysis), looking for known vulnerabilities and using the testing techniques (white, black, and gray boxes) to find new vulnerabilities.
    • WSTG: In general, the entire process is both iterative and incremental. Understanding the initial objectives derived from threat modeling and intelligence gathering begins. Typically, we begin the process with an unauthenticated preliminary analysis, looking for low-hanging fruits. Then, we continue with the complete tests/attacks.
  • Exploitation: Where we can execute attacks and exploits. Once we are “in”, we have the initial access.
    • PTES: Exploitation.
    • SP 800-115: Attack (gaining access). Successfully exploiting an application can sometimes mean gaining access to an operating system. Often, the process is more complex.
  • Post-exploitation: When inside a system where we escalate our privileges and gain visibility, we gather more information. If it aligns with our goals, we extract the data we need. This process may further enable us to establish persistence or even initiate a pivot (a lateral movement). This phase, in which we seek to understand the different paths attackers take, is where the MITRE ATT&CK framework comes into play:
    • PTES: Post-exploitation
    • SP 800-115: Attack (gaining access)

We can take further inspiration from the Application Security Verification Standard (ASVS) [15] and OWASP, which contains over 250 application security requirements.

There are also specific methodologies, such as the PCI-DSS [16], for compliance requirements on payment systems and the NESCOR Guide for Industrial Control Systems (ICS).

Finally, we can use the MITRE ATT&CK [18] framework to create and analyze wide-ranging attacks, such as a sophisticated operation against an organization. As noted, a web attack often represents a tiny, though crucial, tactic for initial access.

End of Section 3
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY