€55.45*
Free shipping by post / DHL
Delivery time 1-2 weeks
A practical, beginner-friendly introduction to web app pentesting
In A Beginner's Guide to Web Application Penetration Testing, cybersecurity trainer and veteran Ali Abdollahi delivers an incisive and timely discussion of penetration testing that addresses the increasing importance of web application security. The author takes a dual approach, incorporating both theory and practical skills, equipping readers with the knowledge they need to kickstart their journey into the web application penetration testing field.
The book walks you through the five main stages of a comprehensive penetration test: scoping and recon, scanning, gaining and maintaining access, analysis, and reporting. You'll learn how to use popular and effective security tools, as well as how to combat the ten most common security vulnerability categories publicized by the Open Web Application Security Project (OWASP).
From hands-on demonstrations of techniques - like subdomain enumeration with Sublist3r and Subfinder - to practice with input validation and external entity disabling for security maintenance, the book gives you a first-person view of pentesting you can implement immediately.
Perfect for software engineers with an interest in penetration testing, security analysts, web developers, and other information technology professionals, A Beginner's Guide to Web Application Penetration Testing is also an essential read for students of cybersecurity, software engineering, computer science, and related tech industries.
ALI ABDOLLAHI is a cybersecurity researcher with over 12 years of experience. Currently, he is the application and offensive security manager at Canon EMEA. He studied computer engineering, published articles, and holds several professional certificates. Ali is a Microsoft MVP and regular speaker or trainer at industry conferences and events.
Foreword xvii
Introduction xix
Chapter 1 Introduction to Web Application Penetration Testing 1
The Importance of Web Application Security 3
Overview of Web Application Penetration Testing 6
The Penetration Testing Process 8
Methodologies 12
Tools and Techniques 14
Reporting 16
Types of Web Application Vulnerabilities 17
Key Takeaways 25
Chapter 2 Setting Up Your Penetration Testing Environment 27
Setting Up Virtual Machines 28
Container Option 29
Kali Linux Installation 30
PentestBox 34
Installing DVWA 35
OWASP Juice Shop 40
Burp Suite 41
OWASP Zed Attack Proxy 46
WILEY Preconfigured Environment 49
Key Takeaways 49
Chapter 3 Reconnaissance and Information Gathering 51
Passive Information Gathering 52
Automating Subdomain Enumeration 61
Active Information Gathering 64
Open-Source Intelligence Gathering 77
Key Takeaways 88
Chapter 4 Cross-Site Scripting 89
XSS Categories 90
Reflected XSS 91
Stored XSS 93
Automatic User Session Hijacking 94
Website Defacement Using XSS 96
DOM-Based XSS 97
Self-XSS 98
Browser Exploitation Framework 100
XSS Payloads and Bypasses 102
XSS Mitigation Techniques 105
Reflected XSS Bypass Techniques 107
Stored XSS Bypass Technique 110
Key Takeaways 112
Chapter 5 SQL Injection 113
What Is SQL Injection? 113
Types of SQL Injection 114
Error-Based SQL Injection 117
Union-Based SQL Injection 117
Blind SQL Injection 123
SQLMap 126
SQL Injection Payloads with ChatGPT 140
SQL Injection Prevention 142
Key Takeaways 145
Chapter 6 Cross-Site Request Forgery 147
Hunting CSRF Vulnerability 149
CSRF Exploitation 149
XSS and CSRF 151
Clickjacking 152
Generating an Effective Proof of Concept Using ChatGPT 154
Tips for Developers 157
Key Takeaways 158
Chapter 7 Server-Side Attacks and Open Redirects 159
Server-Side Request Forgery 159
SSRF in Action 160
SSRF Vulnerability 162
Blind SSRF 164
Local File Inclusion 166
Remote File Inclusion 170
Open Redirect 173
Server-Side Attacks Differences 177
Security Mitigations 178
Key Takeaways 181
Chapter 8 XML-Based Attacks 183
XML Fundamentals 183
XXE Exploitation 185
Hunting XML Entry Points 187
SSRF Using XXE 192
DoS Using XXE 193
XXE Payload and Exploitation with ChatGPT 195
XML-Based Attacks Countermeasures 196
Key Takeaways 198
Chapter 9 Authentication and Authorization 201
Password Cracking and Brute-Force Attacks 205
Credential Stuffing Attack 211
Password Spraying 213
Password Spraying Using Burp Suite Intruder 214
Other Automated Tools for Password Attacks 215
JSON Web Token 223
Key Takeaways 225
Chapter 10 API Attacks 227
OWASP API Top 10 228
API Enumeration and Discovery 230
API Discovery Using ChatGPT 231
API Broken Object-Level Authorization Exploitation 235
Rate Limiting 240
API Penetration Testing Tools 242
API Security Tips 244
Key Takeaways 245
Appendix A Best Practices and Standards 247
Information Gathering 248
Configuration and Deployment Management Testing 251
Identity Management Testing 254
Authentication Testing 256
Authorization Testing 261
Session Management Testing 265
Input Validation Testing 273
Testing for Error Handling 285
Testing for Weak Cryptography 286
Business Logic Testing 290
Client-Side Testing 297
Appendix B CWE and CVSS Score 307
Base Score 308
Temporal Score 308
Environmental Score 309
Appendix C Writing Effective and Comprehensive Penetration Testing Reports 311
Table of Contents (ToC) 311
Project History and Timeline 311
Scope 312
Testing Approach 312
Executive Summary 312
Industry Standard 312
Findings Table 312
Findings Details 313
Key Takeaways 315
Index 317
| Year of publication | 2025 |
|---|---|
| Subject area | Data communication, networks & mailboxes |
| Genre | Imports, Computer science |
| Category | Natural sciences & technology |
| Medium | Paperback |
| Content | Binding - flexible (Paperback) |
| ISBN-13 | 9781394295593 |
| ISBN-10 | 1394295596 |
| Language | English |
| Binding | Paperback / softcover |
| Author | Abdollahi, Ali |
| Publisher | Wiley |
| Responsible person for the EU | Libri GmbH, Europaallee 1, D-36244 Bad Hersfeld, gpsr@libri.de |
| Dimensions | 244 x 186 x 22 mm |
| By | Ali Abdollahi |
| Publication date | 28.01.2025 |
| Weight | 0.458 kg |