| Table | Card | RUSMARC | |
|
|
Allowed Actions:
Group: Anonymous Network: Internet |
Annotation
Adrian Pruteanu adopts the mindset of both a defender and an attacker in this practical guide to web application testing. By giving key insights into attack vectors and defenses, Becoming the Hacker builds your ability to analyze from both viewpoints and create robust defense strategies.
Document access rights
| Network | User group | Action | ||||
|---|---|---|---|---|---|---|
| ILC SPbPU Local Network | All |
|
||||
| Internet | Authorized users SPbPU |
|
||||
|
Internet | Anonymous |
Table of Contents
- Cover
- Copyright
- Packt upsell
- Contributors
- Table of Contents
- Preface
- Chapter 1 - Introduction to Attacking Web Applications
- Rules of engagement
- Communication
- Privacy considerations
- Cleaning up
- The tester's toolkit
- Kali Linux
- Kali Linux alternatives
- The attack proxy
- Burp Suite
- Zed Attack Proxy
- Cloud infrastructure
- Resources
- Exercises
- Summary
- Rules of engagement
- Chapter 2 - Efficient Discovery
- Types of assessments
- Target mapping
- Masscan
- WhatWeb
- Nikto
- CMS scanners
- Efficient brute-forcing
- Content discovery
- Burp Suite
- OWASP ZAP
- Gobuster
- Persistent content discovery
- Payload processing
- Content discovery
- Polyglot payloads
- Same payload, different context
- Code obfuscation
- Resources
- Exercises
- Summary
- Chapter 3 - Low-Hanging Fruit
- Network assessment
- Looking for a way in
- Credential guessing
- A better way to shell
- Cleaning up
- Resources
- Summary
- Network assessment
- Chapter 4 - Advanced Brute-forcing
- Password spraying
- LinkedIn scraping
- Metadata
- The cluster bomb
- Behind seven proxies
- Torify
- Proxy cannon
- Summary
- Password spraying
- Chapter 5 - File Inclusion Attacks
- RFI
- LFI
- File inclusion to remote code execution
- More file upload issues
- Summary
- Chapter 6 - Out-of-Band Exploitation
- A common scenario
- Command and control
- Let’s Encrypt Communication
- INet simulation
- The confirmation
- Async data exfiltration
- Data inference
- Summary
- Chapter 7 - Automated Testing
- Extending Burp
- Authentication and authorization abuse
- The Autorize flow
- The Swiss Army knife
- sqlmap helper
- Web shells
- Authentication and authorization abuse
- Obfuscating code
- Burp Collaborator
- Public Collaborator server
- Service interaction
- Burp Collaborator client
- Private Collaborator server
- Public Collaborator server
- Summary
- Extending Burp
- Chapter 8 - Bad Serialization
- Abusing deserialization
- Attacking custom protocols
- Protocol analysis
- Deserialization exploit
- Summary
- Chapter 9 - Practical Client-Side Attacks
- SOP
- Cross-origin resource sharing
- XSS
- Reflected XSS
- Persistent XSS
- DOM-based XSS
- CSRF
- BeEF
- Hooking
- Social engineering attacks
- The keylogger
- Persistence
- Automatic exploitation
- Tunneling traffic
- Summary
- Chapter 10 - Practical Server-Side Attacks
- Internal and external references
- XXE attacks
- A billion laughs
- Request forgery
- The port scanner
- Information leak
- Blind XXE
- Remote code execution
- Interactive shells
- Summary
- Chapter 11 - Attacking APIs
- API communication protocols
- SOAP
- REST
- API authentication
- Basic authentication
- API keys
- Bearer authentication
- JWTs
- JWT quirks
- Burp JWT support
- Postman
- Installation
- Upstream proxy
- The environment
- Collections
- Collection Runner
- Attack considerations
- Summary
- API communication protocols
- Chapter 12 - Attacking CMS
- Application assessment
- WPScan
- sqlmap
- Droopescan
- Arachni web scanner
- Backdooring the code
- Persistence
- Credential exfiltration
- Summary
- Application assessment
- Chapter 13 - Breaking Containers
- Vulnerable Docker scenario
- Foothold
- Situational awareness
- Container breakout
- Summary
- Other Books You May Enjoy
- Index
Usage statistics
pdf/2016348.pdf
|
|
Access count: 0
Last 30 days: 0 Detailed usage statistics |
epub/2016348.epub
|
|
Access count: 0
Last 30 days: 0 Detailed usage statistics |