Index

Note: Page numbers followed by b indicate boxes and f indicate figures.

A

Access Reference Map API, 132
Application server, 8
Authentication attacks
features, 87–88
proxy-based tool, 87–88

B

BackTrack, 12–13, 14f
Browser Exploitation Framework (BeEF) project, 123
Brute Force exercise, for online authentication attack
Burp Intruder
brute force logins, 93–94, 94f
configuration of, 90–92
payloads, 92–93
runtime file selection, 93, 94f
intercepting authentication attempt, 89–90
Burp Scanner
configuration, 59
reviewing results, 59–62
running, 59
Burp Sequencer tests, for session attacks
bit level results, 97, 99f
description, 96
entropy results, 97, 98f
identification of session identifier, 96, 97f
procedure, 96
Burp Suite Intercept
configuration, 43–45
spidering
automated, 45
manual, 45
running, 45–49

C

Code injection vulnerabilities
Burp Suite tools, 68, 69
OS command injection
command execution exercise, 80–82
for hackers, 79–80
SQL injection
DVWA exercise, 66–75
feature, 64
for hackers, 65–66
SQL interpreter, 64–65
web shells, 85
cmd URL parameter, 86
custom commands execution, 84, 86f
description, 83
file locations, 84, 84f
netstat results, 84, 86f
primitive command shell, 85
shellhelp command, 84, 85f
uploading to DVWA web server, 83, 83f
Common Vulnerability and Exposures (CVE) identifier, 31
Cookie, 5
Credential Harvester method, 121
Cross-site request forgery (CSRF), 11
attacks, 119–120
defense approach, 135
Prevention Cheat Sheet, 135
requirements, 106–107
vs. XSS, 107
Cross-site scripting (XSS), 9–10
See also Reflected XSS attacks, Stored XSS attacks
browser defenses, 134
code defenses, 134
vs. CSRF, 107
description, 106
encoding schemes, 110
JavaScript alert box usage, 110
payloads, 111
Prevention Cheat Sheet, 133
same origin policy, 110
Cross-site scripting framework (XSSF), 123

D

Damn Vulnerable Web Application (DVWA)
configuration, 14–17
installation, 13–14
install script, 17–18
properties, 13
Database server and database, 7
DirBuster, 58
Directory traversal attacks, See Path traversal attacks

E

Enterprise Security Application Programming Interface (ESAPI), 126–128, 129, 131, 132
Exploitation, web server hacking
Metasploit, 35–40
payload, 34
vulnerability, 34

F

Forced browsing, 103

H

Hacking, web server, See Web server hacking
Hypertext Transfer Protocol (HTTP)
cycles, 4
headers, 5
Status Codes, 5–6
usage of, 4

I

Injection vulnerabilities, 9
Input Validation Cheat Sheet, 133–134

J

Java Applet attack method, 121, 122
John the Ripper (JtR) password cracker, 74

L

Linux web server, 3
Local host (LHOST), 38

M

Maintaining access, 40
Man left in the middle attack method, 121
Metasploit
browser exploit method, 121
exploit command, 39–40
search, 35–36
set option, 39
set payload, 37–38
show options, 38–39, 38b
show payloads, 36–37
use, 36
Multi-attack web method, 122

N

Nessus
configuration, 29
installation, 28–29
reviewing results, 30–31
running, 29–30
Network hacking, See Web server hacking
Nikto, 31–34
Nmap
alert, 25b
Nmap scripting engine, 25–27
running, 24–25
updating, 23–24

O

Offline password cracker, 73–74
Online password cracker, 73–74
Open Source Security Testing Methodology Manual (OSSTMM), 8
Open Source Vulnerability Database (OSVDB), 34
Operating system (OS) command injection
command execution exercise, 80–82
for hackers, 79–80

P

Path traversal attacks
forceful browsing, 103
web server file structure
directory discovery, 101, 101f
/etc/passwd file retrieval, 102–103, 102f
partial directory structure, 100, 100f
up a directory command, 102
Path traversal fixes, 131–132
Penetration testing execution standard (PTES), 8
Port scanning, Nmap
Nmap scripting engine, 25–27
running, 24–25
updating, 23–24

R

Referrer, 5
Reflected XSS attacks
encoding XSS payloads, 114–115
proof-of-concept attack, 112, 112f
requirements, 111, 111f
server response, interception of, 113–114
on session identifiers, 116, 117f
in URL address bar, 116
Remote host (RHOST), 38
Robots.txt file, 21–23

S

Safe test environment
BackTrack, 12–13, 14f
DVWA install script, 17–18
requirements, 11–12
target web application
configuration, 14–17
DVWA, 13
installing, 13–14
virtual machine (VM), 12
VMware Player, 12
Sandbox
BackTrack, 12–13, 14f
DVWA install script, 17–18
requirements, 11–12
target web application
configuration, 14–17
DVWA, 13
installing, 13–14
virtual machine (VM), 12
VMware Player, 12
Scanner, web application
Burp Scanner, 58–62
deficiencies
broken access control, 51
forceful browsing, 52
logic flaws, 52
meaningful parameter names, 51
multistep stored XSS, 52
session attacks, 52
stored SQL injection, 51
weak passwords, 51
vulnerabilities
input-based, client side, 50
input-based, server side, 50
request and response cycle, 51
ZAP, 52–58
Security community groups
additional books, 141
certifications, 140–141
and events
AppSecUSA, 138
B-Sides events, 138–139
DakotaCon, 138
DerbyCon, 138
in Las Vegas, 138
ShmooCon, 138
formal education, 140
in-person and online training workshops, 139–140
regional and local, 139
Security misconfiguration, 11
Session attacks
Burp Sequencer tests
bit level results, 97, 99f
description, 96
entropy results, 97, 98f
identification of session identifier, 96, 97f
procedure, 96
cookie reuse concept, 97–100
session-generating algorithms, cracking of, 95
Session donation, 95
Session fixation, 95
Session hijacking, 95
Session ID in URL, 95
Session management fixes, 131
Social-Engineer Toolkit (SET)
attack vectors, 121
IP address, 122
welcome menu, 120, 121f
Spear phishing toolkit (SPT), 123
SQL injection
DVWA exercise
bypassing authentication, 68–69
goals, 66–75
offline password cracking, 74–75
password hashes, 73–74
sqlmap, 75–79
username and password, of administrator, 70–73
vulnerability, 66–68
feature, 64
for hackers, 65–66
SQL interpreter, 64–65
sqlmap tool, 75–79
Stored XSS attacks
guest book entries, 118, 119f
input and output, 118, 118f
properties of, 117
schematic illustration, 117, 117f

T

TabNabbing method, 121
Technical social engineering
attacks, 107–108
fixes, 135–136

V

Virtual machine (VM), 12
VMware Player, 12
Vulnerability scanning
and antivirus products, 27
Nessus, 28–31
Nikto, 31–34

W

Web applications
database server and database, 7
definition, 2
file server, 8
fixes
broken authentication fixes, 130–131
ESAPI project, 126–128
injection fixes, 128–129
path traversal fixes, 131–132
session management fixes, 131
injection types, 63
recon
Burp Suite Intercept, 43–45
guidance, 42
web proxy, 42–43
scanning
Burp Scanner, 58–62
deficiencies, 51–52
vulnerabilities, 50–51
ZAP, 52–58
security development, 1–2
third-party, off-the-shelf components, 8
tools, 41
vulnerability, 3
Web hacking approach
phases, 6
tools, 7
web application, 6–7
web server, 6
web user, 7
Web-Jacking attack method, 121
Web server(s), 3–4
Web server hacking
exploitation
Metasploit, 35–40
payload, 34
vulnerability, 34
fixes
generic error messages, 126, 127f
server hardening, 125–126
maintaining access, 40
port scanning, Nmap
Nmap scripting engine, 25–27
running, 24–25
updating, 23–24
reconnaissance stage
host, 20, 21
netcraft, 21
robots.txt file, 21–23
targeting, 20–21
vulnerability scanning
and antivirus products, 27
Nessus, 28–31
Nikto, 31–34
Web shells, 85
cmd URL parameter, 86
custom commands execution, 84, 86f
description, 83
file locations, 84, 84f
netstat results, 84, 86f
primitive command shell, 85
shellhelp command, 84, 85f
uploading to DVWA web server, 83, 83f
Web user
attack frameworks
BeEF, 123
SPT, 123
XSSF, 123
fixes, 132–136
CSRF Prevention Cheat Sheet, 135
Input Validation Cheat Sheet, 133–134
XSS Prevention Cheat Sheet, 133
hacking
technical social engineering attacks, 107–108
recon efforts, 108–109
scanning, 109
Web vulnerabilities
broken authentication and session management, 10–11
cross-site request forgery, 11
cross-site scripting, 9–10
injection, 9
scanner
input-based, client side, 50
input-based, server side, 50
request and response cycle, 51
security misconfiguration, 11

Z

Zed Attack Proxy (ZAP) scanning
Brute Force, 58
configuration, 52–53
reviewing results, 56–57
running, 54–56