Contents
1: Common Web Applications and Architectures
Common architectures
Web application hosting
Application development cycles
Common weaknesses – where to start
Web application defenses
Summary
2: Guidelines for Preparation and Testing
Picking your favorite testing framework
Keeping it legal and ethical
Labbing - practicing what we learn
Summary
3: Stalking Prey Through Target Recon
The imitation game
Open source awesomeness
Being social with your target
Summary
4: Scanning for Vulnerabilities with Arachni
Walking into spider webs
An encore for stacks and frameworks
The Arachni test scenario
Summary
5: Proxy Operations with OWASP ZAP and Burp Suite
Pulling back the curtain with ZAP
Taking it to a new level with Burp Suite
Summary
6: Infiltrating Sessions via Cross-Site Scripting
The low-down on XSS types
Seeing is believing
Summary
7: Injection and Overflow Testing
Injecting some fun into your testing
Is SQL any good?
The X-factor - XML and XPath injections
Credential Jedi mind tricks
Going beyond persuasion – Injecting for execution
Down with HTTP?
Summary
8: Exploiting Trust Through Cryptography Testing
How secret is your secret?
Assessing encryption like a pro
Exploiting the flaws
Hanging out as the Man-in-the-Middle
Summary
9: Stress Testing Authentication and Session Management
Knock knock, who's there?
This is the session you are looking for
Functional access level control
Refining a brute's vocabulary
Summary
10: Launching Client-Side Attacks
Why are clients so weak?
Picking on the little guys
I don't need your validation
Trendy hacks come and go
Summary
11: Breaking the Application Logic
Speed-dating your target
Functional Feng Shui
Summary
12: Educating the Customer and Finishing Up
Chapter 1. Common Web Applications and Architectures
Web applications are essential to today's civilization. That sounds bold, but consider how the technology has changed the world: the rapid exchange of information across great distances via the internet is what made globalization possible in much of the world. The internet is many things, but its most valuable components are those where data resides. Since the advent of the World Wide Web in the 1990s, this data has exploded; by some estimates, the world will generate more data in the next two years than in all of recorded history. Databases and object storage are the main repositories for this staggering volume of data, but web applications are the portals through which that data comes and goes, is manipulated, and is processed into actionable information. That information is presented to end users dynamically in their browsers, and the relative simplicity and accessibility this provides are the main reasons web applications are impossible to avoid. We are so accustomed to them that many of us would find it hard to go more than a few hours without using one.
Financial, manufacturing, government, defense, business, educational, and entertainment institutions depend on web applications to function and to interact with each other. These ubiquitous portals are trusted to store, process, exchange, and present all sorts of sensitive information and valuable data while safeguarding it from harm. The industrialized world has placed a great deal of trust in these systems, so any damage to them, or any violation of that trust, can and often does cause far-reaching economic, political, or physical damage, and can even lead to loss of life. The news is full of compromised web applications every day. Each of these attacks erodes that trust as data, from financial and health information to intellectual property, is stolen, leaked, abused, and disclosed. Companies have been irreparably harmed, patients endangered, careers ended, and destinies altered. This is heavy stuff!