Hands-on Penetration Testing for Web Applications
eBook - ePub

Hands-on Penetration Testing for Web Applications

Run Web Security Testing on Modern Applications Using Nmap, Burp Suite and Wireshark

Richa Gupta


About the book

Learn how to build an end-to-end Web application security testing framework

Description
Hands-on Penetration Testing for Web Applications gives readers the knowledge and skill set to identify, exploit and control the security vulnerabilities present in commercial web applications, including online banking, mobile payment and e-commerce applications. We begin with exposure to the modern vulnerabilities present in web applications. You will learn and gradually practice the core concepts of penetration testing and the OWASP Top Ten vulnerabilities, including injection, broken authentication and access control, security misconfigurations and cross-site scripting (XSS).

What you will learn

  • A complete overview of the concepts of web penetration testing.
  • Learn to secure against the OWASP Top 10 web vulnerabilities.
  • Discover security flaws in your web application using the most popular tools, such as Nmap and Wireshark.
  • Learn to respond to modern automated cyberattacks with the help of expert-led tips and tricks.

Who this book is for
This book is for penetration testers, ethical hackers, and web application developers. People who are new to security testing will also find this book useful. Basic knowledge of HTML and JavaScript would be an added advantage.

Table of Contents
1. Why Application Security?
2. Modern application Vulnerabilities
3. Web Pentesting Methodology
4. Testing Authentication
5. Testing Session Management
6. Testing Secure Channels
7. Testing Secure Access Control
8. Sensitive Data and Information disclosure
9. Testing Secure Data validation
10. Attacking Application Users: Other Techniques
11. Attacking Application Users: Other Techniques
12. Automating Custom Attacks
13. Pentesting Tools
14. Static Code Analysis
15. Mitigations and Core Defense Mechanisms


Details

Year
2021
ISBN
9789389328547

CHAPTER 1

Why Application Security

During the early days of the internet, cyberattacks were primarily aimed at spreading malware via email and through vulnerable network services such as routers and firewalls. Data breaches were rare and mostly occurred through the negligence of victims, such as the theft or loss of USB drives, hard drives and laptops. In 2000, a worm known as the Love Bug worm infected millions of computers. In 2007, a spear-phishing incident at the office of the Secretary of Defense stole sensitive U.S. defense information. In 2011, Bank of America was hacked and an estimated 85,000 credit card numbers were stolen.
Application security has become an absolute necessity. The increasing use of open-source code in application development across companies can lead to multiple vulnerabilities and attacks because of the risks associated with open-source code available on the internet. Developers also follow general coding practices that contain many flaws. The evolution of the internet, from basic information stored in repositories to multi-functional applications that can have a powerful impact on the real world, has weakened the security posture of modern web applications.
This chapter explains why application security is crucial and examines its current trends.

Structure

In this chapter we will discuss the following topics:
  • Modern web applications
  • The need for application security
  • Application security challenges
  • Application security trends

Objectives

After studying this unit, you should be able to:
  • Understand how web applications have evolved as a security concern.
  • Understand some metrics about the need for application security.
  • Describe the core security challenges that web applications are facing.
  • Discuss the latest trends in web application security and how these may be expected to evolve in the near future.

Modern web applications

In the early days of the Internet, Web sites were mainly information repositories containing static information. Web browsers were invented as a means of retrieving and displaying that information. Many websites at the time simply interlinked HTML documents. HTML (Hypertext Markup Language) is the standard markup language for documents designed to be displayed in a web browser. Styling and positioning were done with attributes on the HTML tags, and the content was static, limited to specific functions.
The digital transformation of the 21st century has changed our lives profoundly. We use more and more web applications for shopping, social networking, banking and email. For instance, you might pick out a cool new pair of jeans or a dress on Myntra, share its pictures through WhatsApp to get your friends' suggestions, and then pay for it via personal banking, all with a single click or touch on your mobile app.
On one hand, these modern apps make our lives easier and more comfortable; on the other hand, every web application brings new security threats and unique vulnerabilities with it. A backdoor in the code, unwise coding standards, or unsanitized input forms invite an attacker to steal your personal details and your credit or debit card information, and to perform malicious actions against other users as well.

The need for application security

As technology opens new horizons, a whole new range of security vulnerabilities has arrived in web applications as well. It would not be wrong to say that a Secure Web Application is a Myth. A web application that claims to be secure just because it uses SSL certificates, runs regular scans on the website, serves over HTTPS, or uses CA-signed SSL/TLS certificates is not necessarily secure. In fact, the majority of websites are insecure: hidden backdoors in code, defects in application login functionality, information leakage by the website, exposure of sensitive information, or an application failing to protect its users' data can have a severely adverse impact on the application and its stakeholders. Website defacement and system downtime are critical events that occur frequently and can impact the business of many organizations, such as e-commerce websites. In all of these scenarios, a secure connection, or HTTPS, does nothing to stop an attacker from submitting crafted input to the server.
Users submitting arbitrary input to the server-side application, or interfering with the website's data parameters such as cookies and headers, can trigger an unlikely event that leads to an unexpected or undesirable result for the website. Just imagine being able to buy one or more items from a shopping site free of cost simply by playing with some web parameters or inputs; how cool would that be? No wonder everyone wants to be a hacker once in their life. But you can also imagine the impact of such an act on the website and its stakeholders. Hence, companies funnel millions of dollars into application security every year, because the security of a website is paramount in today's digital world. Application security has become a necessity. We cannot rely only on basic security controls like HTTPS and firewalls as defensive mechanisms.
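The "buy it for free by playing with a parameter" scenario above comes down to a server that trusts a value the client chose. The following added example (not code from the book) contrasts a checkout handler that uses a client-supplied price with one that looks the price up server-side and validates the quantity; the catalogue, the form dictionaries and the function names are constructed for this demonstration.

```python
# Added example: why HTTPS alone does not stop parameter tampering.
# Both handlers receive an already-parsed form dict, exactly as a server
# sees it after TLS decryption. Catalogue and request values are constructed.
from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {
    "JEANS-42": Decimal("49.99"),
    "DRESS-07": Decimal("79.00"),
}


class InvalidOrder(ValueError):
    """Raised by the hardened handler when client input fails validation."""


def checkout_trusting_client(form):
    """Vulnerable: the order total is computed from a client-supplied price.
    TLS protects the form in transit, not from the user who submits it."""
    price = Decimal(form["price"])
    qty = int(form["qty"])
    return price * qty


def checkout_server_priced(form):
    """Hardened: the client names an item and a quantity; the server looks
    up the price itself and rejects anything outside expected bounds."""
    item = form.get("item")
    if item not in CATALOGUE:
        raise InvalidOrder("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise InvalidOrder("quantity is not an integer")
    if not 1 <= qty <= 10:
        raise InvalidOrder("quantity out of range")
    # Any 'price' field the client sent is simply ignored.
    return CATALOGUE[item] * qty


# Constructed request: the price field was edited to 0.00 before submission.
TAMPERED = {"item": "JEANS-42", "qty": "2", "price": "0.00"}

if __name__ == "__main__":
    print("trusting client:", checkout_trusting_client(TAMPERED))  # 0.00
    print("server priced  :", checkout_server_priced(TAMPERED))    # 99.98
```

The same pattern applies to any parameter the client can edit (hidden fields, cookies, headers): treat it as an identifier to look up or a value to validate, never as an authoritative fact.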
The following figure explains application security visually:
Figure 1.1: Application security
A wider and more exposed attack surface:
  • Information systems are still evolving
  • More complex applications
  • The number of applications and services is rising every year
  • Everything is now directly exposed (as a service)
  • Applications are exposed to internal threats, hackers and script kiddies

Application security challenges

Application security challenges lie not only in the threats and application vulnerabilities themselves but also in the processes and approaches taken within the organization to manage application security. The following points explain the various challenges posed for application security:
  • Lack of security awareness:
    • Lack of awareness among peers of the major threats existing in applications and of the correct security control measures to take.
    • Sometimes even experienced web application developers are over-confident about their coding practices and make big assumptions about the security provided by their programming frameworks and security protocols, resulting in poor programming that attracts hackers looking for vulnerabilities in their application.
  • Lack of resources and experts:
    • Inconsistent testing demands arise from the agile development environment, which results in continual application releases.
    • Expertise is required for in-depth manual testing and test analysis, along with running and interpreting the results of automated scanning programs.
  • Rapidly growing zero-day vulnerabilities:
    • New concepts and threats grow at an exponential rate in today's digital world, making the lives of hackers easy and forcing security professionals to think two steps ahead of a hacker, keeping track of new and possibly unknown vulnerabilities as they originate and of how to tackle them.
  • Increasing functionality in applications:
    • Modern sites now include numerous functions, such as password recovery, username recovery, password hints, and an option to remember the username and password on future visits, which increase the site's attack surface.

Application security trends

In the times when there were no or few web applications in the digital world, things were somewhat simpler. The security team's focus was mainly on strengthening the network perimeter to defend against attacks: patching services, implementing firewalls and running network monitoring scans were done to defend the network boundaries. All this has changed with the rise of web applications. Web applications are commonly regarded as vulnerable entry points for gaining unauthorized access to an organization's sensitive business data. Application developers are increasingly incorporating libraries from open-source code, and attackers are constantly looking for vulnerabilities they can exploit in the most commonly used libraries.
Organizations must go to even greater lengths to protect websites and apps than they do to protect their computers and other network-connected devices. As more organizations move their websites and apps to the cloud, web application security will only become more crucial and more complex.
The following figure explains trends in web application exploits visually:
Figure 1.2: Security Trends

Conclusion

In this chapter, we have discussed why there is a need for application security, what challenges it poses, and the recent and future trends of application security.
In the next chapter, we are going to discuss Web Application Techn...
