• 1. Information Gathering

  • 1.1. Finding owner, IP and Emails
  • 1.1.1. Whois
      - Command line
      - Web based tool
  • 1.1.2. DNS
  • 1.1.3. Nslookup
      - Find target ISP
      - Netcraft
  • 1.2. Fingerprinting frameworks and applications
  • 1.2.1. Third party add-ons
  • 1.2.2. Mapping results
  • 1.3. Fingerprinting custom applications
  • 1.3.1. Burp target crawler
  • 1.3.2. Mapping the attack surface
  • 1.3.2.1. Client side validation
  • 1.3.2.4. Display of user supplied data
  • 1.3.2.5. Redirections
  • 1.3.2.6. Access control and login protected pages
  • 1.3.2.7. Error messages
  • 1.4. Enumerating resources
  • 1.4.1. Crawling the website
  • 1.4.2. Finding hidden files
  • 1.4.2.1. Back up and source code
  • 1.5. Relevant information through misconfigurations
  • 1.5.1. Directory listing
  • 1.5.2. Log and configuration files
  • 1.5.3. HTTP verbs and file upload

  • 2. Cross Site Scripting

  • 2.1. Cross Site Scripting
  • 2.1.1. Basics
  • 2.2. Anatomy of an XSS Exploitation
  • 2.3. The three types of XSS
  • 2.3.1. Reflected XSS
  • 2.3.2. Persistent XSS
  • 2.3.3. DOM based XSS
  • 2.4. Finding XSS
  • 2.4.1. Finding XSS in PHP code
  • 2.5. XSS Exploitation
  • 2.5.1. XSS and Browsers
  • 2.5.2. XSS Attacks
  • 2.5.2.1. Cookie Stealing through XSS
  • 2.5.2.2. Defacement
  • 2.5.2.3. XSS for advanced phishing attacks
  • 2.6. Mitigation
  • 2.6.1. Input Validation
  • 2.6.2. Context-Aware output encoding
  • 2.6.3. Never trust user input

  • 3. SQL Injection

  • 3.1. Introduction to SQL Injections
  • 3.1.1. SQL Statements
  • 3.1.1.1. SELECT
  • 3.1.1.2. UNION
  • 3.1.2. SQL Queries inside web applications
  • 3.1.3. Vulnerable dynamic queries
  • 3.1.4. How dangerous is a SQL Injection
  • 3.1.5. SQLi attacks classification
  • 3.1.5.1. In-band SQLi
  • 3.1.5.2. Error-based SQLi
  • 3.1.5.3. Blind SQLi
  • 3.2. Finding SQL Injections
  • 3.2.1. Simple SQL injection scenario
  • 3.2.2. SQL errors in web applications
  • 3.2.3. Boolean based detection
  • 3.2.3.1. Example
  • 3.3. Exploiting Error based SQL Injections
  • 3.3.1. MS SQL Server error-based exploitation
  • 3.3.2. The CAST technique
  • 3.3.3. Finding the DBMS version
  • 3.3.4. Dumping the database data
  • 3.3.4.1. Finding the current username
  • 3.3.4.2. Finding readable databases
  • 3.3.4.3. Enumerating database tables
  • 3.3.4.4. Enumerating columns
  • 3.3.4.5. Dumping data
  • 3.4.1. Exploitation Scenario
  • 3.4.2. Detecting the current user
  • 3.4.3. Scripting Blind SQLi data dump
  • 3.4.4. Exploiting blind SQLi
  • 3.4.4.1. String extraction
  • 3.4.5. Optimize blind SQLi
  • 3.4.6. Time based blind SQLi

  • 4. Authentication and Authorization

  • 4.1. Introduction
  • 4.1.1. Authentication vs Authorization
  • 4.1.2. Authentication factors
  • 4.1.2.1. Single-factor authentication
  • 4.1.2.2. Two-factor authentication
  • 4.2. Common Vulnerabilities
  • 4.2.1. Credentials over unencrypted channel
  • 4.2.2. Inadequate password policy
  • 4.2.2.1. Dictionary attacks
  • 4.2.2.2. Brute force attacks
  • 4.2.2.3. Defending from inadequate password policy
      - Strong password policy
      - Storing hashes
      - Lockout/Blocking requests
  • 4.2.3. User enumeration
  • 4.2.3.1. Via error messages
  • 4.2.3.2. Via website behavior
  • 4.2.3.3. Via timing attacks
  • 4.2.3.4. Taking advantage of user enumeration
  • 4.2.4. Default or easily-guessable user accounts
  • 4.2.5. The remember me functionality
  • 4.2.5.1. Cache browser method
  • 4.2.5.2. Cookie method
  • 4.2.5.3. Web storage method
  • 4.2.5.4. Best defensive techniques
  • 4.2.6. Password reset feature
  • 4.2.6.1. Easily guessable answers
  • 4.2.6.2. Unlimited attempts
  • 4.2.6.3. Password reset link
  • 4.2.7. Logout weaknesses
  • 4.2.7.1. Incorrect session destruction
  • 4.2.8. CAPTCHA
  • 4.3. Bypassing Authorization
  • 4.3.1. Insecure direct object references
  • 4.3.1.1. Best defensive techniques
  • 4.3.2. Missing function level access control
  • 4.3.3. Parameter modification
  • 4.3.3.1. Vulnerable web application
  • 4.3.4. Incorrect redirection
  • 4.3.4.1. Redirect to protect contents
  • 4.3.4.2. Best defensive techniques
  • 4.3.5. Session-ID prediction
  • 4.3.6. SQL Injections
  • 4.3.7. Local file inclusion and path traversal

  • 5. Session Security

  • 5.1. Weaknesses of the session identifier
  • 5.2. Session hijacking
  • 5.2.1. Session Hijacking via XSS
  • 5.2.1.1. Exploit session hijacking via XSS
  • 5.2.1.2. Preventing session hijacking via XSS
      - PHP
      - Java
      - .NET
  • 5.2.2. Session Hijacking via Packet Sniffing
  • 5.2.3. Session Hijacking via access to the web server
  • 5.3. Session Fixation
  • 5.3.1. Attacks
  • 5.3.1.1. Set the session-ID
  • 5.3.1.2. Force the victim
  • 5.3.1.3. Vulnerable web application
  • 5.3.2. Preventing Session Fixation
  • 5.4. Cross-site request forgeries
  • 5.4.1. Finding CSRF
  • 5.4.2. Exploiting CSRF
  • 5.4.3. Preventing CSRF
  • 5.4.4. Finding SSRF
  • 5.4.5. Exploiting SSRF
  • 5.4.6. Preventing SSRF

  • 6. Other Attacks

  • 6.1. Clickjacking
  • 6.1.1. Understanding Clickjacking
  • 6.1.2. Feasibility study
  • 6.1.2.1. Case 1: Clickjacking is possible
  • 6.1.2.2. Case 2: Clickjacking is not possible
  • 6.1.3. Building of a malicious web page
  • 6.1.4. Spreading the malicious link
  • 6.1.5. Waiting for the victim click
  • 6.1.6. Best defensive techniques
  • 6.1.6.1. The old school
  • 6.1.6.2. Using HTTP header X-Frame-Options
  • 6.1.7. Likejacking in Facebook
  • 6.1.8. Cursorjacking
  • 6.2. HTTP Response Splitting
  • 6.2.1. Typical vulnerable scenario
  • 6.2.2. XSS through HTTP response splitting
  • 6.2.3. Bypassing Same Origin Policy
  • 6.2.3.1. Attack explained
  • 6.2.3.2. Best defensive techniques
  • 6.2.3.3. Defense in PHP
  • 6.3. Denial of Service
  • 6.3.1. Different DoS attacks
  • 6.3.1.1. DoS due to a huge number of requests
  • 6.3.1.2. DoS due to greedy pages
  • 6.3.2. Best defensive techniques

  • 7. File and Resource Attacks

  • 7.1. Path traversal
  • 7.1.1. Path convention
  • 7.1.2. Encoding
  • 7.1.3. Best defensive techniques
  • 7.2. File Inclusion vulnerabilities
  • 7.2.1. Local File Inclusion (LFI)
  • 7.2.2. Remote File Inclusion (RFI)
  • 7.3. Unrestricted file upload
  • 7.3.1. Vulnerable web application
  • 7.3.1.1. The attack
  • 7.3.2. Best defensive techniques
  • 7.3.2.1. Filtering based on file content