A practical, beginner-friendly introduction to web app pentesting. In A Beginner's Guide to Web Application Penetration Testing, cybersecurity trainer and veteran Ali Abdollahi delivers an incisive and timely discussion of penetration testing that addresses the increasing importance of web application security. The author takes a dual approach, incorporating both theory and practical skills, equipping readers with the knowledge they need to kickstart their journey into the web application penetration testing field. The book walks you through the five main stages of a comprehensive penetration test: scoping and recon, scanning, gaining and maintaining access, analysis, and reporting. You'll learn how to use popular and effective security tools, as well as how to combat the ten most common security vulnerability categories publicized by the Open Web Application Security Project (OWASP). From hands-on demonstrations of techniques, such as subdomain enumeration with Sublist3r and Subfinder, to defensive practice with input validation and disabling XML external entities (the standard XXE mitigation), the book gives you a first-person view of pentesting you can implement immediately. Perfect for software engineers with an interest in penetration testing, security analysts, web developers, and other information technology professionals, A Beginner's Guide to Web Application Penetration Testing is also an essential read for students of cybersecurity, software engineering, computer science, and related tech fields.
ALI ABDOLLAHI is a cybersecurity researcher with over 12 years of experience. Currently, he is the application and offensive security manager at Canon EMEA. He studied computer engineering, published articles, and holds several professional certificates. Ali is a Microsoft MVP and regular speaker or trainer at industry conferences and events.
Table of Contents
Foreword xvii
Introduction xix
Chapter 1 Introduction to Web Application Penetration Testing 1
  The Importance of Web Application Security 3
  Overview of Web Application Penetration Testing 6
  The Penetration Testing Process 8
  Methodologies 12
  Tools and Techniques 14
  Reporting 16
  Types of Web Application Vulnerabilities 17
  Key Takeaways 25
Chapter 2 Setting Up Your Penetration Testing Environment 27
  Setting Up Virtual Machines 28
  Container Option 29
  Kali Linux Installation 30
  PentestBox 34
  Installing DVWA 35
  OWASP Juice Shop 40
  Burp Suite 41
  OWASP Zed Attack Proxy 46
  WILEY Preconfigured Environment 49
  Key Takeaways 49
Chapter 3 Reconnaissance and Information Gathering 51
  Passive Information Gathering 52
  Automating Subdomain Enumeration 61
  Active Information Gathering 64
  Open-Source Intelligence Gathering 77
  Key Takeaways 88
Chapter 4 Cross-Site Scripting 89
  XSS Categories 90
  Reflected XSS 91
  Stored XSS 93
  Automatic User Session Hijacking 94
  Website Defacement Using XSS 96
  DOM-Based XSS 97
  Self-XSS 98
  Browser Exploitation Framework 100
  XSS Payloads and Bypasses 102
  XSS Mitigation Techniques 105
  Reflected XSS Bypass Techniques 107
  Stored XSS Bypass Technique 110
  Key Takeaways 112
Chapter 5 SQL Injection 113
  What Is SQL Injection? 113
  Types of SQL Injection 114
  Error-Based SQL Injection 117
  Union-Based SQL Injection 117
  Blind SQL Injection 123
  SQLMap 126
  SQL Injection Payloads with ChatGPT 140
  SQL Injection Prevention 142
  Key Takeaways 145
Chapter 6 Cross-Site Request Forgery 147
  Hunting CSRF Vulnerability 149
  CSRF Exploitation 149
  XSS and CSRF 151
  Clickjacking 152
  Generating an Effective Proof of Concept Using ChatGPT 154
  Tips for Developers 157
  Key Takeaways 158
Chapter 7 Server-Side Attacks and Open Redirects 159
  Server-Side Request Forgery 159
  SSRF in Action 160
  SSRF Vulnerability 162
  Blind SSRF 164
  Local File Inclusion 166
  Remote File Inclusion 170
  Open Redirect 173
  Server-Side Attacks Differences 177
  Security Mitigations 178
  Key Takeaways 181
Chapter 8 XML-Based Attacks 183
  XML Fundamentals 183
  XXE Exploitation 185
  Hunting XML Entry Points 187
  SSRF Using XXE 192
  DoS Using XXE 193
  XXE Payload and Exploitation with ChatGPT 195
  XML-Based Attacks Countermeasures 196
  Key Takeaways 198
Chapter 9 Authentication and Authorization 201
  Password Cracking and Brute-Force Attacks 205
  Credential Stuffing Attack 211
  Password Spraying 213
  Password Spraying Using Burp Suite Intruder 214
  Other Automated Tools for Password Attacks 215
  JSON Web Token 223
  Key Takeaways 225
Chapter 10 API Attacks 227
  OWASP API Top 10 228
  API Enumeration and Discovery 230
  API Discovery Using ChatGPT 231
  API Broken Object-Level Authorization Exploitation 235
  Rate Limiting 240
  API Penetration Testing Tools 242
  API Security Tips 244
  Key Takeaways 245
Appendix A Best Practices and Standards 247
  Information Gathering 248
  Configuration and Deployment Management Testing 251
  Identity Management Testing 254
  Authentication Testing 256
  Authorization Testing 261
  Session Management Testing 265
  Input Validation Testing 273
  Testing for Error Handling 285
  Testing for Weak Cryptography 286
  Business Logic Testing 290
  Client-Side Testing 297
Appendix B CWE and CVSS Score 307
  Base Score 308
  Temporal Score 308
  Environmental Score 309
Appendix C Writing Effective and Comprehensive Penetration Testing Reports 311
  Table of Contents (ToC) 311
  Project History and Timeline 311
  Scope 312
  Testing Approach 312
  Executive Summary 312
  Industry Standard 312
  Findings Table 312
  Findings Details 313
  Key Takeaways 315
Index 317