How to Attack and Defend Your Website
eBook - ePub

How to Attack and Defend Your Website

  1. 76 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

How to Attack and Defend Your Website

About this book

How to Attack and Defend Your Website is a concise introduction to web security that includes hands-on web hacking tutorials. The book has three primary objectives: to help readers develop a deep understanding of what is happening behind the scenes in a web application, with a focus on the HTTP protocol and other underlying web technologies; to teach readers how to use the industry standard in free web application vulnerability discovery and exploitation tools – most notably Burp Suite, a fully featured web application testing tool; and finally, to gain knowledge of finding and exploiting the most common web security vulnerabilities. This book is for information security professionals and those looking to learn general penetration testing methodology and how to use the various phases of penetration testing to identify and exploit common web protocols. How to Attack and Defend Your Website is be the first book to combine the methodology behind using penetration testing tools such as Burp Suite and Damn Vulnerable Web Application (DVWA), with practical exercises that show readers how to (and therefore, how to prevent) pwning with SQLMap and using stored XSS to deface web pages. - Learn the basics of penetration testing so that you can test your own website's integrity and security - Discover useful tools such as Burp Suite, DVWA, and SQLMap - Gain a deeper understanding of how your website works and how best to protect it

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn more here.
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access How to Attack and Defend Your Website by Henry Dalziel, Alejandro Caceres in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Science General. We have over one million books available in our catalogue for you to explore.
Chapter 1

Web Technologies

Abstract

In this chapter we go over the basic web application technologies, including web servers, client-side versus server-side programming languages, databases and their related workflow. We then use some useful tools, Burp Suite and the Damn Vulnerable Web App (DVWA) to understand HTTP, and POST, and GET requests.

Keywords

web servers
server-side programming languages
client-side programming languages
JavaScript
SQL (Structured Query Language)
HTML
URL encoding
POST requests
GET requests
intercepting proxy
Note: Before starting Chapter 1, please download Lesson 0 (http://www.concise-courses.com/learn/web-application-security/setup/), which provides instructions on setting up your computer to perform the exercises in this book.

1.1. Web servers

The primary function of a web server is to store, process, and deliver web pages to clients. Client requests are processed by Hypertext Transfer Protocol (HTTP), the basic network protocol used to distribute information on the World Wide Web. Pages delivered are most frequently HTML documents that may include images, style sheets, and scripts, in addition to text content.
There is nothing mysterious about web servers, they work in a similar way to a file share on your Mac or Windows PC.

1.2. Client-side versus server-side programming languages

Web servers interpret some programming languages before presenting them to the user. These are called server-side programming languages. The developer writes the code for a web page, you as a web user request that page, and the server prepares that page, and then that content is sent to you through your web browser. Examples of server-side programming languages include: PHP, ASP, Python, and Java.
Client-side languages are different. Client-side languages are also code written by application developers. When a user requests a page, however, client-side languages are executed and interpreted by the user’s browser, not by the web server. An example of a client-side language is JavaScript.
In summary, server-side languages are interpreted by the server, before actually getting to the user. Client-side languages are interpreted by the browser after they are sent to the user.

1.3. JavaScript – what is it?

JavaScript executes in your browser, not on the server. That is an extremely important concept to remember. Generally, JavaScript is found between script tags (<script> </script>) on a page.

1.4. What can JavaScript do?

JavaScript is a powerful language because it can redirect and manipulate a user’s browser: it can edit and change HTML on a page; it can change the look and feel of a page; change the style of a page; and it can log a user in and out of an application. Simply put, that which can be done in a browser can be done in JavaScript (and more!).

1.5. What can JavaScript not do?

JavaScript cannot directly interact with the server’s file system because it is not running on the server; it is running in the browser. Therefore, JavaScript cannot make your browser send data from one domain to another; this is called cross-domain restrictions. In some special cases, this can be worked around, but in general it cannot, for example, transfer data from the web server hosting www.concise-courses.com to the web server hosting www.elsevier.com.

1.6. Databases

A database provides persistent data storage with quick access to that data. The most common ones are SQL (Structured Query Language) databases. SQL databases store data in tables and columns, and rows, and keys. Data is retrieved by using queries written in a structured syntax (hence the name). SQL syntax allows a website or a web application to retrieve, insert, and update records in a database.

1.7. What about HTML?

HTML is a markup language that is generally static, and, with the adoption of HTML5, is getting more complicated and becoming a better attack surface.

1.8. Web technologies – putting it together

The typical flow for a web application is the following: a user requests content (a webpage) through their web browser, and a web server serves that content via the folder that is shared with the world. The server-side scripting language is interpreted (PHP, ASP, Python, etc.) along with (possibly) data from a database, and the output is incorporated, and passed onto the user’s browser. At the same time that the server-side content is received, the user’s browser determines whether there is any client-side script, that is, code that is executed locally, typically JavaScript, Flash, or ActionScript. If there is, it executes it. The last step in this process is for the browser to render the end result, and the user is able to navigate the page.

1.9. Digging deeper

Most web ...

Table of contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Author Biography
  6. Contributing Editor Biography
  7. Introduction
  8. Chapter 1: Web Technologies
  9. Chapter 2: Exploitation
  10. Chapter 3: Finding Vulnerabilities