Becoming the Hacker
eBook - ePub

Becoming the Hacker

The Playbook for Getting Inside the Mind of the Attacker

  1. 404 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Becoming the Hacker

The Playbook for Getting Inside the Mind of the Attacker

About this book

Web penetration testing by becoming an ethical hacker. Protect the web by learning the tools, and the tricks of the web application attacker.

Key Features

  • Builds on books and courses on penetration testing for beginners
  • Covers both attack and defense perspectives
  • Examines which tool to deploy to suit different applications and situations

Book Description

Becoming the Hacker will teach you how to approach web penetration testing with an attacker's mindset. While testing web applications for performance is common, the ever-changing threat landscape makes security testing much more difficult for the defender.

There are many web application tools that claim to provide a complete survey and defense against potential threats, but they must be analyzed in line with the security needs of each web application or service. We must understand how an attacker approaches a web application and the implications of breaching its defenses.

Through the first part of the book, Adrian Pruteanu walks you through commonly encountered vulnerabilities and how to take advantage of them to achieve your goal. The latter part of the book shifts gears and puts the newly learned techniques into practice, going over scenarios where the target may be a popular content management system or a containerized application and its network.

Becoming the Hacker is a clear guide to web application security from an attacker's point of view, from which both sides can benefit.

What you will learn

  • Study the mindset of an attacker
  • Adopt defensive strategies
  • Classify and plan for standard web application security threats
  • Prepare to combat standard system security problems
  • Defend WordPress and mobile applications
  • Use security tools and plan for defense against remote execution

Who this book is for

The reader should have basic security experience, for example, through running a network or encountering security issues during application development. Formal education in security is useful, but not required. This title is suitable for people with at least two years of experience in development, network management, or DevOps, or with an established interest in security.

Trusted by 375,005 students

Access to over 1.5 million titles for a fair monthly price.

Study more efficiently using our study tools.

Information

Publisher
Packt Publishing
Year
2019
Print ISBN
9781788627962
Edition
1
eBook ISBN
9781788623759
Topic
Computer Science
Subtopic
Cyber Security
Index
Computer Science

Becoming the Hacker

Table of Contents

Becoming the Hacker
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
1. Introduction to Attacking Web Applications
Rules of engagement
Communication
Privacy considerations
Cleaning up
The tester's toolkit
Kali Linux
Kali Linux alternatives
The attack proxy
Burp Suite
Zed Attack Proxy
Cloud infrastructure
Resources
Exercises
Summary
2. Efficient Discovery
Types of assessments
Target mapping
Masscan
WhatWeb
Nikto
CMS scanners
Efficient brute-forcing
Content discovery
Burp Suite
OWASP ZAP
Gobuster
Persistent content discovery
Payload processing
Polyglot payloads
Same payload, different context
Code obfuscation
Resources
Exercises
Summary
3. Low-Hanging Fruit
Network assessment
Looking for a way in
Credential guessing
A better way to shell
Cleaning up
Resources
Summary
4. Advanced Brute-forcing
Password spraying
LinkedIn scraping
Metadata
The cluster bomb
Behind seven proxies
Torify
Proxy cannon
Summary
5. File Inclusion Attacks
RFI
LFI
File inclusion to remote code execution
More file upload issues
Summary
6. Out-of-Band Exploitation
A common scenario
Command and control
Let’s Encrypt Communication
INet simulation
The confirmation
Async data exfiltration
Data inference
Summary
7. Automated Testing
Extending Burp
Authentication and authorization abuse
The Autorize flow
The Swiss Army knife
sqlmap helper
Web shells
Obfuscating code
Burp Collaborator
Public Collaborator server
Service interaction
Burp Collaborator client
Private Collaborator server
Summary
8. Bad Serialization
Abusing deserialization
Attacking custom protocols
Protocol analysis
Deserialization exploit
Summary
9. Practical Client-Side Attacks
SOP
Cross-origin resource sharing
XSS
Reflected XSS
Persistent XSS
DOM-based XSS
CSRF
BeEF
Hooking
Social engineering attacks
The keylogger
Persistence
Automatic exploitation
Tunneling traffic
Summary
10. Practical Server-Side Attacks
Internal and external references
XXE attacks
A billion laughs
Request forgery
The port scanner
Information leak
Blind XXE
Remote code execution
Interactive shells
Summary
11. Attacking APIs
API communication protocols
SOAP
REST
API authentication
Basic authentication
API keys
Bearer authentication
JWTs
JWT quirks
Burp JWT support
Postman
Installation
Upstream proxy
The environment
Collections
Collection Runner
Attack considerations
Summary
12. Attacking CMS
Application assessment
WPScan
sqlmap
Droopescan
Arachni web scanner
Backdooring the code
Persistence
Credential exfiltration
Summary
13. Breaking Containers
Vulnerable Docker scenario
Foothold
Situational awareness
Container breakout
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index

Becoming the Hacker

Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Acquisition Editors: Andrew Waldron, Frank Pohlmann, Suresh Jain
Project Editor: Veronica Pais
Content Development Editor: Joanne Lovell
Technical Editor: Saby D'silva
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Sandip Tadge
Production Coordinator: Sandip Tadge
First published: January 2019
Production reference: 1310119
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78862-796-2
www.packtpub.com
Becoming the Hacker
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

  • Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
  • Learn better with Skill Plans built especially for you
  • Get a free eBook or video every month
  • Mapt is fully searchable
  • Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.Packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.Packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

Adrian Pruteanu is an accomplished security consultant and researcher working primarily in the offensive security space. In his career of over 10 years, he has gone through countless penetration testing engagements, red team exercises, and application security assessments. He routinely works with Fortune 500 companies, helping them secure their systems by identifying vulnerabilities or reversing malware samples. Adrian likes to keep up with his certifications as well, and holds several of them, including CISSP, OSCE, OSCP, GXPN, GREM, and a bunch of Microsoft titles as well. As a certified trainer for Microsoft, he has also delivered custom training in the past to various clients...

Table of contents

  1. Becoming the Hacker

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn how to download books offline
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.5M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1.5 million books across 990+ topics, we’ve got you covered! Learn about our mission
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more about Read Aloud
Yes! You can use the Perlego app on both iOS and Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app
Yes, you can access Becoming the Hacker by Adrian Pruteanu in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over 1.5 million books available in our catalogue for you to explore.