Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Attacking and Exploiting Modern Web Applications
  • Table Of Contents Toc
  • Feedback & Rating feedback
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

By : Simone Onofri, Onofri
4.9 (14)
Buy this Book
close
close
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

4.9 (14)
By: Simone Onofri, Onofri
Buy this Book

Overview of this book

Web attacks and exploits pose an ongoing threat to the interconnected world. This comprehensive book explores the latest challenges in web application security, providing you with an in-depth understanding of hackers' methods and the practical knowledge and skills needed to effectively understand web attacks. The book starts by emphasizing the importance of mindset and toolset in conducting successful web attacks. You’ll then explore the methodologies and frameworks used in these attacks, and learn how to configure the environment using interception proxies, automate tasks with Bash and Python, and set up a research lab. As you advance through the book, you’ll discover how to attack the SAML authentication layer; attack front-facing web applications by learning WordPress and SQL injection, and exploit vulnerabilities in IoT devices, such as command injection, by going through three CTFs and learning about the discovery of seven CVEs. Each chapter analyzes confirmed cases of exploitation mapped with MITRE ATT&CK. You’ll also analyze attacks on Electron JavaScript-based applications, such as XSS and RCE, and the security challenges of auditing and exploiting Ethereum smart contracts written in Solidity. Finally, you’ll find out how to disclose vulnerabilities. By the end of this book, you’ll have enhanced your ability to find and exploit web vulnerabilities.
Table of Contents (14 chapters)
close
close
close
Preface
chevron up
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Attack Preparation
Part 1: Attack Preparation
Free Chapter
2
Chapter 1: Mindset and Methodologies
Chapter 1: Mindset and Methodologies
Approach and mindset
Methodologies and frameworks
Summary
Further reading
3
Chapter 2: Toolset for Web Attacks and Exploitation
Chapter 2: Toolset for Web Attacks and Exploitation
Technical requirements
Operating systems and the tools of the trade
Virtualization and containerization systems
Summary
Further reading
4
Part 2: Evergreen Attacks
Part 2: Evergreen Attacks
5
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Technical requirements
The Doors of Durin SAML login scenario
How does SAML work and what are its vulnerabilities?
Other authentication methods used with HTTP
How to discover and exploit vulnerabilities in SAML
Summary
Further reading
6
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Technical requirements
WordPress scenario introduction
How does SQL injection work?
How to discover and exploit SQL injection vulnerabilities
Summary
Further reading
7
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Technical requirements
IoT router exploitation scenario introduction
How to analyze IoT devices
How to find and exploit vulnerabilities in IoT devices
Summary
Further reading
8
Part 3: Novel Attacks
Part 3: Novel Attacks
9
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Technical requirements
Electron JavaScript applications scenario introduction
How Electron JavaScript applications and XSS work
How to find and exploit XSS in Electron JavaScript applications to obtain RCE
Summary
Further reading
10
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Technical requirements
LicenseManager smart contract scenario
How smart contracts work on the Ethereum blockchain and security considerations
How to find and exploit vulnerabilities in Ethereum smart contracts
Summary
Further reading
11
Chapter 8: Continuing the Journey of Vulnerability Discovery
Chapter 8: Continuing the Journey of Vulnerability Discovery
An approach to discovering vulnerabilities
The dilemma of disclosing vulnerabilities
Summary
Further reading
12
Index
Index
Why subscribe?
13
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Preface

Why is there a need for another book on web attacks and exploitation? More than two decades have passed since Jeff “Rain Forest Puppy” Forristal first discussed the then-unknown SQL injection in the well-known Phrack e-zine in 1998.

The web plays a significant role in our daily lives and business operations. It has progressed from static web pages to the era of user-generated content known as Web 2.0, and now we have Web 3.0, a decentralized web that operates on blockchain technology.

Having been involved in web application security from its infancy, we find it fascinating to assess the current state of attacks and exploitation of web vulnerabilities. As suggested by the OWASP TOP 10, the nature of these vulnerabilities remains relatively consistent, although their specific characteristics evolve. Examining how Advanced Persistent Threats (APTs) often use web attacks for initial access and persistence is interesting – mapping them using MITRE ATT&CK.

This book will provide an in-depth understanding of hackers’ methods for web attacks and exploitation, analyzing some Capture the Flags (CTFs) we created and several Common Vulnerabilities and Exposures (CVEs) we discovered.

The first part helps you understand the methodologies and frameworks, how to configure your research lab, and how to automate tasks with Bash and Python.

The second and third parts will guide you through practical examples using dynamic analysis, analyzing source code, reversing binaries, debugging, and instrumenting. In each chapter, you will find a brief introduction to the basics of each specific technology, the vulnerability, and the risk. Then, we’ll provide step-by-step instructions to discover and exploit the vulnerabilities.

In the second part, you’ll get an overview of evergreen vulnerabilities in authentication with a use case on SAML, SQL injection and Cross-Site Scripting (XSS) on WordPress, and Command Injection and Path Traversal on Internet of Things (IoT) devices, and then we’ll focus on analyzing source code and reversing binaries.

In the third part, you will see vulnerabilities in newer contexts, turning an XSS into a Remote Code Execution (RCE), analyzing Electron JavaScript applications and, exploiting the famous Reentrancy when auditing an Ethereum smart contract written in Solidity.

After reading this book, you will have improved your skills in identifying and taking advantage of web vulnerabilities and comprehending the consequences of disclosure.

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY