Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Attacking and Exploiting Modern Web Applications
  • Table Of Contents Toc
  • Feedback & Rating feedback
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

By : Simone Onofri, Onofri
4.9 (14)
Buy this Book
close
close
Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

4.9 (14)
By: Simone Onofri, Onofri
Buy this Book

Overview of this book

Web attacks and exploits pose an ongoing threat to the interconnected world. This comprehensive book explores the latest challenges in web application security, providing you with an in-depth understanding of hackers' methods and the practical knowledge and skills needed to effectively understand web attacks. The book starts by emphasizing the importance of mindset and toolset in conducting successful web attacks. You’ll then explore the methodologies and frameworks used in these attacks, and learn how to configure the environment using interception proxies, automate tasks with Bash and Python, and set up a research lab. As you advance through the book, you’ll discover how to attack the SAML authentication layer; attack front-facing web applications by learning WordPress and SQL injection, and exploit vulnerabilities in IoT devices, such as command injection, by going through three CTFs and learning about the discovery of seven CVEs. Each chapter analyzes confirmed cases of exploitation mapped with MITRE ATT&CK. You’ll also analyze attacks on Electron JavaScript-based applications, such as XSS and RCE, and the security challenges of auditing and exploiting Ethereum smart contracts written in Solidity. Finally, you’ll find out how to disclose vulnerabilities. By the end of this book, you’ll have enhanced your ability to find and exploit web vulnerabilities.
Table of Contents (14 chapters)
close
close
close
Preface
chevron up
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Attack Preparation
Part 1: Attack Preparation
Free Chapter
2
Chapter 1: Mindset and Methodologies
Chapter 1: Mindset and Methodologies
Approach and mindset
Methodologies and frameworks
Summary
Further reading
3
Chapter 2: Toolset for Web Attacks and Exploitation
Chapter 2: Toolset for Web Attacks and Exploitation
Technical requirements
Operating systems and the tools of the trade
Virtualization and containerization systems
Summary
Further reading
4
Part 2: Evergreen Attacks
Part 2: Evergreen Attacks
5
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Chapter 3: Attacking the Authentication Layer – a SAML Use Case
Technical requirements
The Doors of Durin SAML login scenario
How does SAML work and what are its vulnerabilities?
Other authentication methods used with HTTP
How to discover and exploit vulnerabilities in SAML
Summary
Further reading
6
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Chapter 4: Attacking Internet-Facing Web Applications – SQL Injection and Cross-Site Scripting (XSS) on WordPress
Technical requirements
WordPress scenario introduction
How does SQL injection work?
How to discover and exploit SQL injection vulnerabilities
Summary
Further reading
7
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Chapter 5: Attacking IoT Devices – Command Injection and Path Traversal
Technical requirements
IoT router exploitation scenario introduction
How to analyze IoT devices
How to find and exploit vulnerabilities in IoT devices
Summary
Further reading
8
Part 3: Novel Attacks
Part 3: Novel Attacks
9
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Chapter 6: Attacking Electron JavaScript Applications – from Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
Technical requirements
Electron JavaScript applications scenario introduction
How Electron JavaScript applications and XSS work
How to find and exploit XSS in Electron JavaScript applications to obtain RCE
Summary
Further reading
10
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Chapter 7: Attacking Ethereum Smart Contracts – Reentrancy, Weak Sources of Randomness, and Business Logic
Technical requirements
LicenseManager smart contract scenario
How smart contracts work on the Ethereum blockchain and security considerations
How to find and exploit vulnerabilities in Ethereum smart contracts
Summary
Further reading
11
Chapter 8: Continuing the Journey of Vulnerability Discovery
Chapter 8: Continuing the Journey of Vulnerability Discovery
An approach to discovering vulnerabilities
The dilemma of disclosing vulnerabilities
Summary
Further reading
12
Index
Index
Why subscribe?
13
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Attacking-and-Exploiting-Modern-Web-Applications. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “We found two headers containing the specific PHP (X-Powered-By) and Apache (Server) versions.”

A block of code is set as follows:

SELECT id, wpid, room, timestamp, UNIX_TIMESTAMP(timestamp) AS unix_timestamp, alias, status, message FROM $Shoutbox_messages_table_name.' WHERE room IN ("'.$rooms.'") AND timestamp > FROM_UNIXTIME('.esc_sql($_POST['last_timestamp']).') ORDER BY unix_timestamp ASC

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

function esc_sql( $data ) {
    global $wpdb;
    return $wpdb->_escape( $data );
}

Any command-line input or output is written as follows:

$ curl -kis  http://localhost | grep generator
<meta name="generator" content="WordPress 6.1.1" />

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Select and right-click on that image from the menu, and click Inspect to see precisely the resulting code.”

Tips or important notes

Appear like this.

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY