Hands-on Penetration Testing for Web Applications
eBook - ePub

Hands-on Penetration Testing for Web Applications

Run Web Security Testing on Modern Applications Using Nmap, Burp Suite and Wireshark

Richa Gupta



About This Book

Learn how to build an end-to-end Web application security testing framework

Description
Hands-on Penetration Testing for Web Applications offers readers the knowledge and skill set to identify, exploit and control the security vulnerabilities present in commercial web applications, including online banking, mobile payments and e-commerce applications. We begin with exposure to modern application vulnerabilities present in web applications. You will learn and gradually practice the core concepts of penetration testing and the OWASP Top Ten vulnerabilities, including injection, broken authentication and access control, security misconfigurations and cross-site scripting (XSS).

What you will learn

  • A complete overview of the concepts of web penetration testing.
  • Learn to secure against the OWASP Top 10 web vulnerabilities.
  • Discover security flaws in your web application using the most popular tools, such as Nmap and Wireshark.
  • Learn to respond to modern automated cyberattacks with the help of expert-led tips and tricks.

Who this book is for
This book is for penetration testers, ethical hackers, and web application developers. People who are new to security testing will also find this book useful. Basic knowledge of HTML and JavaScript would be an added advantage.

Table of Contents
1. Why Application Security?
2. Modern application Vulnerabilities
3. Web Pentesting Methodology
4. Testing Authentication
5. Testing Session Management
6. Testing Secure Channels
7. Testing Secure Access Control
8. Sensitive Data and Information disclosure
9. Testing Secure Data validation
10. Attacking Application Users: Other Techniques
11. Attacking Application Users: Other Techniques
12. Automating Custom Attacks
13. Pentesting Tools
14. Static Code Analysis
15. Mitigations and Core Defense Mechanisms

Frequently asked questions

Is Hands-on Penetration Testing for Web Applications an online PDF/ePUB?
Yes, you can access Hands-on Penetration Testing for Web Applications by Richa Gupta in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Year
2021
ISBN
9789389328547

CHAPTER 1

Why Application Security

During the early days of the internet, cyberattacks were primarily aimed at spreading malware via email and through vulnerable network services such as routers, firewalls, etc. Data breaches were rare and mostly occurred due to negligence on the part of the victims, such as the theft or loss of USB drives, hard drives, laptops, etc. In 2000, a worm known as the Love Bug worm infected millions of computers. In 2007, a spear-phishing incident at the office of the Secretary of Defense stole sensitive U.S. defense information. In 2011, Bank of America was hacked and an estimated 85,000 credit card numbers were stolen.
Application security has become an absolute necessity. The increasing use of open-source code in application development at various companies can lead to multiple vulnerabilities and attacks because of the risks associated with open-source code available on the internet. Also, developers nowadays follow general coding practices that contain many flaws. The evolution of the internet, from basic information stored in repositories to multi-functional applications that can have a powerful impact on the real world, has led to the weakening of the security aspects of modern web applications.
In this chapter, we will understand why application security is crucial and what its trends are.

Structure

In this chapter we will discuss the following topics:
  • Modern web applications
  • The need for application security
  • Application security challenges
  • Application security trends

Objectives

After studying this unit, you should be able to:
  • Understand how web applications have evolved as a security concern.
  • Understand some metrics about the need for application security.
  • Describe the core security challenges that web applications are facing.
  • Discuss the latest trends in web application security and how these may be expected to evolve in the near future.

Modern web applications

In the early days of the Internet, Web sites were mainly information repositories containing static information. Web browsers were invented as a means of retrieving and displaying that information. Many websites at the time simply interlinked HTML documents. HTML (Hypertext Markup Language) is the standard markup language for documents designed to be displayed in a web browser. Styling and positioning were done with attributes on the HTML tags, and the content was static, limited to specific functions.
The digital transformation of the 21st century has changed our lives immensely. We are using more and more web applications for shopping, social networking, banking, or email. For instance, you pick a cool new pair of jeans or a dress on Myntra, share its pictures through WhatsApp for your friends' suggestions, and then pay for it via personal banking, all with a single click or touch on your mobile app.
On one hand, these modern-day apps make our lives easier and more comfortable, but on the other hand, every web application brings new security threats and unique vulnerabilities with it. A backdoor in code, unwise use of coding standards, or unsanitized input forms let an attacker steal your personal details and your credit/debit card information, and perform malicious actions against other users as well.

The need for application security

With the advent of new horizons in technology, a whole new range of security vulnerabilities has arrived in web applications as well. It will not be wrong if I say that a secure web application is a myth. A web application claiming to be secure merely because it uses SSL certificates, runs regular scans on the website, or serves HTTPS with CA-signed SSL/TLS certificates is not necessarily secure. In fact, the majority of websites are insecure: hidden backdoors in code, defects in the application's login functionality, information leakage by the website, exposure of sensitive information, or an application failing to protect its users' data can all have a far-reaching adverse impact on the application and its stakeholders. Website defacement and system downtime are critical events that occur frequently and can impact the business of many organizations, such as e-commerce websites. In all of these scenarios, a secure connection, or HTTPS, does nothing to stop an attacker from submitting crafted input to the server.
Users submitting arbitrary input to the server-side application, or interfering with the website's data parameters such as cookies, headers, etc., can trigger an unlikely event that leads to an unexpected or undesirable result for the website. Just imagine being able to buy one or more items from a shopping site free of cost simply by playing with some web parameters or inputs; how cool it would be. No wonder everyone wants to be a hacker at least once in their life. But you can also imagine the impact of such an act on the website and its stakeholders. Hence, companies funnel millions of dollars into application security every year, because the security of a website is paramount in today's digital world. Application security has now become a necessity. We cannot rely only upon basic security controls like HTTPS, firewalls, etc. as defensive mechanisms.
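As an added illustration of the parameter-tampering point above (example code, not from the book), the following Python sketch contrasts a checkout handler that trusts a client-supplied `price` field with one that re-derives the price from a server-side catalogue and validates the quantity. The catalogue, SKUs, function names and request dictionaries are constructed assumptions for the example.

```python
from decimal import Decimal

# Server-side source of truth for prices (constructed sample catalogue).
CATALOGUE = {"jeans-42": Decimal("49.99"), "dress-07": Decimal("79.00")}


def checkout_vulnerable(params: dict) -> Decimal:
    """Trusts the client-supplied 'price' and 'qty' fields verbatim.

    Editing the request so that price=0 (or qty=-1) yields a free item,
    or even a credit: exactly the kind of tampering described in the text.
    """
    return Decimal(params["price"]) * int(params["qty"])


def checkout_hardened(params: dict) -> Decimal:
    """Ignores any client-supplied price and re-derives it server-side."""
    sku = params.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown item")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    # A 'price' field arriving from the client is a tampering signal; the
    # server never uses it, but it is worth logging for detection.
    if "price" in params:
        print(f"tamper-attempt sku={sku} submitted_price={params['price']!r}")
    return CATALOGUE[sku] * qty


# Constructed requests: an honest one and one with a rewritten price field.
HONEST = {"sku": "jeans-42", "qty": "2", "price": "49.99"}
TAMPERED = {"sku": "jeans-42", "qty": "2", "price": "0.00"}

if __name__ == "__main__":
    print(checkout_vulnerable(TAMPERED))  # 0.00: the item goes out for free
    print(checkout_hardened(TAMPERED))    # 99.98: the server-side price wins
```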
The following figure explains application security visually (the image itself is not reproduced here; its text is listed below):
Figure 1.1: Application security
A wider and more exposed "attack surface":
  • Information systems are still evolving
  • More complex applications
  • The number of applications and services rises every year
  • Everything is now directly exposed (as a service)
  • Applications are exposed to internal threats, hackers, and script kiddies

Application security challenges

Application security challenges lie not only in the threats and application vulnerabilities themselves but also in the processes and approaches taken within the organization to manage application security. The following points explain the various challenges posed to application security:
  • Lack of security awareness:
    • Lack of awareness among peers of the major threats present in applications and of the correct security control measures to take.
    • Sometimes, even experienced web application developers are over-confident about their coding practices and make big assumptions about the security provided by their programming frameworks and security protocols, resulting in poor programming that attracts hackers looking for vulnerabilities in their application.
  • Lack of resources and experts:
    • Agile development environments result in continual application releases, which create inconsistent testing demands.
    • Expertise is required for in-depth manual testing and test analysis, along with running automated scanning programs and interpreting their results.
  • Rapidly growing zero-day vulnerabilities:
    • New concepts and threats grow at an exponential rate in today's digital world, making the lives of hackers easy and forcing security professionals to think two steps ahead of a hacker, keeping track of new and possibly unknown vulnerabilities as they originate and of how to tackle them.
  • Increasing functionality in the application:
    • Modern sites now include numerous functions such as password recovery, username recovery, password hints, and an option to remember the username and password on future visits, etc., thus increasing the site's attack surface.

Application security trends

In the times when there were no or few web applications in the digital world, things were somewhat simpler. The security team's focus was mainly on strengthening the network perimeter to secure against attacks. Patching services, implementing firewalls, network monitoring, scans, etc. were done to defend the network boundaries. All this has changed with the rise of web applications. Web applications are commonly considered vulnerable entry points for gaining unauthorized access to an organization's sensitive business data. Application developers are increasingly incorporating libraries from open-source code, and attackers are constantly looking for vulnerabilities they can exploit in the most commonly used libraries.
Organizations must go to even greater lengths to protect websites and apps than they do to protect their computers and other network-connected devices. As more organizations move their websites and apps to the cloud, web application security will only get more crucial and complex.
The following figure explains web application exploit trends visually (the image itself is not reproduced here):
Figure 1.2: Security Trends

Conclusion

In this chapter, we have discussed why there is a need for application security, what challenges are posed, and the recent and future trends of application security.
In the next chapter, we are going to discuss Web Application Techn...
