Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Attacking and Exploiting Modern Web Applications
  • Table Of Contents Toc
  • Feedback & Rating feedback
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

By : Simone Onofri, Onofri
4.9 (14)
Buy this Book
close
close
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

4.9 (14)
By: Simone Onofri, Onofri
Buy this Book

Overview of this book

Web attacks and exploits pose an ongoing threat to the interconnected world. This comprehensive book explores the latest challenges in web application security, providing you with an in-depth understanding of hackers' methods and the practical knowledge and skills needed to effectively understand web attacks. The book starts by emphasizing the importance of mindset and toolset in conducting successful web attacks. You’ll then explore the methodologies and frameworks used in these attacks, and learn how to configure the environment using interception proxies, automate tasks with Bash and Python, and set up a research lab. As you advance through the book, you’ll discover how to attack the SAML authentication layer; attack front-facing web applications by learning WordPress and SQL injection, and exploit vulnerabilities in IoT devices, such as command injection, by going through three CTFs and learning about the discovery of seven CVEs. Each chapter analyzes confirmed cases of exploitation mapped with MITRE ATT&CK. You’ll also analyze attacks on Electron JavaScript-based applications, such as XSS and RCE, and the security challenges of auditing and exploiting Ethereum smart contracts written in Solidity. Finally, you’ll find out how to disclose vulnerabilities. By the end of this book, you’ll have enhanced your ability to find and exploit web vulnerabilities.
Table of Contents (14 chapters)
close
close
close
Preface
chevron up
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Attack Preparation
Part 1: Attack Preparation
Free Chapter
2
Chapter 1: Mindset and Methodologies
Chapter 1: Mindset and Methodologies
Approach and mindset
Methodologies and frameworks
Summary
Further reading
3
Chapter 2: Toolset for Web Attacks and Exploitation
Chapter 2: Toolset for Web Attacks and Exploitation
Technical requirements
Operating systems and the tools of the trade
Virtualization and containerization systems
Summary
Further reading
4
Part 2: Evergreen Attacks
Part 2: Evergreen Attacks
5
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Technical requirements
The Doors of Durin SAML login scenario
How does SAML work and what are its vulnerabilities?
Other authentication methods used with HTTP
How to discover and exploit vulnerabilities in SAML
Summary
Further reading
6
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Technical requirements
WordPress scenario introduction
How does SQL injection work?
How to discover and exploit SQL injection vulnerabilities
Summary
Further reading
7
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Technical requirements
IoT router exploitation scenario introduction
How to analyze IoT devices
How to find and exploit vulnerabilities in IoT devices
Summary
Further reading
8
Part 3: Novel Attacks
Part 3: Novel Attacks
9
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Technical requirements
Electron JavaScript applications scenario introduction
How Electron JavaScript applications and XSS work
How to find and exploit XSS in Electron JavaScript applications to obtain RCE
Summary
Further reading
10
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Technical requirements
LicenseManager smart contract scenario
How smart contracts work on the Ethereum blockchain and security considerations
How to find and exploit vulnerabilities in Ethereum smart contracts
Summary
Further reading
11
Chapter 8: Continuing the Journey of Vulnerability Discovery
Chapter 8: Continuing the Journey of Vulnerability Discovery
An approach to discovering vulnerabilities
The dilemma of disclosing vulnerabilities
Summary
Further reading
12
Index
Index
Why subscribe?
13
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

What this book covers

Chapter 1, Mindset and Methodologies, offers an overview of the mindset and guiding principles for attacks, the learning process, the skill set, techniques for exploitation, and the methodologies that can be used to attack web applications.

Chapter 2, Toolset for Web Attacks and Exploitation, explains the tools available to attack web applications such as operating systems, browsers, interception proxies, Bash, and Python by playing a CTF.

Chapter 3, Attacking the Authentication Layer – a SAML Use Case, contains the first scenario we will analyze, again through a CTF exercise, where we will learn to exploit authentication systems, specifically SAML, through Burp.

Chapter 4, Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress, explores another scenario where we will find two CVEs together. We will find a SQL injection by reading the source code for a WordPress plugin and exploiting it first by hand with Burp and then with Python. We will also find an XSS.

Chapter 5, Attacking IoT Devices – Command Injection and Path Traversal, examines a scenario where we will analyze an IoT device, starting from the firmware, emulate it, and find four CVEs relating to command injections, bypassing some security features. We will also reverse-engineer together some of the binaries present in the device.

Chapter 6, Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE), delves into a scenario where we will analyze an Electron JavaScript application we use daily, figuring out how to instrument and debug it. We will find a CVE related to an XSS, which we will then turn into an RCE.

Chapter 7, Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic, provides the last scenario. It’s structured as a CTF exercise, where we will analyze smart contracts on Ethereum, revert them, and exploit several business logic vulnerabilities and the famous reentrancy by writing an attacking contract with Solidity and Foundry.

Chapter 8, Continuing the Journey of Vulnerability Discovery, concludes by reflecting on what we learned in the previous chapters. There’s not so much about specific vulnerabilities and, in general, more about the methods used. We will also mention the vulnerability disclosure dilemma from the researcher and CISO perspectives.

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY