Mastering Modern Web Penetration Testing

Prakhar Prasad

  • Publisher: Packt Publishing
  • Publication date: 2016-10-28
  • Price: $1,830
  • Member price: $1,739 (9.5 折, i.e. 5% off)
  • Language: English
  • Pages: 298
  • Binding: Paperback
  • ISBN: 1785284584
  • ISBN-13: 9781785284588
  • Ordered on demand after purchase (approx. 3 to 4 weeks)


Product Description

Key Features

  • This book covers the latest technologies found in today's web applications, such as advanced XSS, XSRF, SQL injection, web API testing, XML attack vectors, OAuth 2.0 security, and more
  • Penetrate and secure your web application using various techniques
  • Get this comprehensive reference guide that provides advanced tricks and tools of the trade for seasoned penetration testers

Book Description

Web penetration testing is a growing, fast-moving, and absolutely critical field in information security. This book executes modern web application attacks and applies cutting-edge hacking techniques, grounded in a solid understanding of web application security.

We will cover web hacking techniques so you can explore the attack vectors during penetration tests. The book encompasses the latest technologies such as OAuth 2.0, web API testing methodologies, and XML vectors used by attackers. Some less frequently discussed attack vectors, such as RPO (relative path overwrite), DOM clobbering, and PHP Object Injection, are also covered in this book.

We'll explain various old-school techniques in depth, such as XSS, CSRF, SQL injection through the ever-dependable SQLMap, and reconnaissance.

Websites nowadays provide APIs to allow integration with third-party applications, thereby exposing a lot of attack surface. We cover testing of these APIs using real-life examples.

This pragmatic guide will be of great benefit and will help you build fully secure applications.

What you will learn

  • Get to know new and less-publicized techniques such as PHP Object Injection and XML-based vectors
  • Work with different security tools to automate most of the redundant tasks
  • See the different kinds of newly designed security headers and how they help provide security
  • Exploit and detect different kinds of XSS vulnerabilities
  • Protect your web application using filtering mechanisms
  • Understand old-school and classic web hacking in depth using SQL injection, XSS, and CSRF
  • Grasp XML-related vulnerabilities and attack vectors such as XXE and DoS techniques
  • Get to know how to test REST APIs to discover security issues in them

About the Author

Prakhar Prasad is a web application security researcher and penetration tester from India. He has been a successful participant in various bug bounty programs and has discovered security flaws on websites such as Google, Facebook, Twitter, PayPal, Slack, and many more. He secured the tenth position worldwide in 2014 on HackerOne's platform. He is OSCP and OSWP certified, which are among the most widely respected certifications in the information security industry. He occasionally performs training and security assessments for various government, non-government, and educational organizations.

Table of Contents

  1. Common Security Protocols
  2. Information Gathering
  3. Cross-Site Scripting
  4. Cross-Site Request Forgery
  5. Exploiting SQL Injection
  6. File Upload Vulnerabilities
  7. Metasploit and Web
  8. XML Attacks
  9. Emerging Attack Vectors
  10. OAuth 2.0 Security
  11. API Testing Methodology
