Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Attacking and Exploiting Modern Web Applications
  • Table Of Contents Toc
  • Feedback & Rating feedback
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

By : Simone Onofri, Onofri
4.9 (14)
Buy this Book
close
close
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

4.9 (14)
By: Simone Onofri, Onofri
Buy this Book

Overview of this book

Web attacks and exploits pose an ongoing threat to the interconnected world. This comprehensive book explores the latest challenges in web application security, providing you with an in-depth understanding of hackers' methods and the practical knowledge and skills needed to effectively understand web attacks. The book starts by emphasizing the importance of mindset and toolset in conducting successful web attacks. You’ll then explore the methodologies and frameworks used in these attacks, and learn how to configure the environment using interception proxies, automate tasks with Bash and Python, and set up a research lab. As you advance through the book, you’ll discover how to attack the SAML authentication layer; attack front-facing web applications by learning WordPress and SQL injection, and exploit vulnerabilities in IoT devices, such as command injection, by going through three CTFs and learning about the discovery of seven CVEs. Each chapter analyzes confirmed cases of exploitation mapped with MITRE ATT&CK. You’ll also analyze attacks on Electron JavaScript-based applications, such as XSS and RCE, and the security challenges of auditing and exploiting Ethereum smart contracts written in Solidity. Finally, you’ll find out how to disclose vulnerabilities. By the end of this book, you’ll have enhanced your ability to find and exploit web vulnerabilities.
Table of Contents (14 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Attack Preparation
Part 1: Attack Preparation
Free Chapter
2
Chapter 1: Mindset and Methodologies
Chapter 1: Mindset and Methodologies
Approach and mindset
Methodologies and frameworks
Summary
Further reading
3
Chapter 2: Toolset for Web Attacks and Exploitation
Chapter 2: Toolset for Web Attacks and Exploitation
Technical requirements
Operating systems and the tools of the trade
Virtualization and containerization systems
Summary
Further reading
4
Part 2: Evergreen Attacks
Part 2: Evergreen Attacks
5
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Technical requirements
The Doors of Durin SAML login scenario
How does SAML work and what are its vulnerabilities?
Other authentication methods used with HTTP
How to discover and exploit vulnerabilities in SAML
Summary
Further reading
6
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
chevron up
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Technical requirements
WordPress scenario introduction
How does SQL injection work?
How to discover and exploit SQL injection vulnerabilities
Summary
Further reading
7
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Technical requirements
IoT router exploitation scenario introduction
How to analyze IoT devices
How to find and exploit vulnerabilities in IoT devices
Summary
Further reading
8
Part 3: Novel Attacks
Part 3: Novel Attacks
9
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Technical requirements
Electron JavaScript applications scenario introduction
How Electron JavaScript applications and XSS work
How to find and exploit XSS in Electron JavaScript applications to obtain RCE
Summary
Further reading
10
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Technical requirements
LicenseManager smart contract scenario
How smart contracts work on the Ethereum blockchain and security considerations
How to find and exploit vulnerabilities in Ethereum smart contracts
Summary
Further reading
11
Chapter 8: Continuing the Journey of Vulnerability Discovery
Chapter 8: Continuing the Journey of Vulnerability Discovery
An approach to discovering vulnerabilities
The dilemma of disclosing vulnerabilities
Summary
Further reading
12
Index
Index
Why subscribe?
13
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

How does SQL injection work?

SQL injection (or SQLi) is a vulnerability that allows arbitrary SQL code to be inserted to read, modify, or delete data and interact with the application’s underlying database.

SQL injection works by exploiting the way user input is used in functions that connect to a SQL database by directly concatenating or chaining user input to the SQL statement or using the input as part of a parameter in a prepared statement. If we manage to alter the query semantics to make the database do something unintended such as read, modify, or delete different data or execute commands, we have SQL injection.

SQL injection types

As defined in the OWASP Web Security Testing Guide in Testing for SQL Injection [9], we can consider three classes of SQL injection according to the type of channel used to get some output:

  • In-band: We receive our output directly into the web application
  • Out-of-band: We receive our output on a different channel (e.g., email...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 4
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY