Leanpub Header

Skip to main content
Go to Leanpub.comLeanpub

Hacker’s Elusive Thoughts The Web

Gerasimos Kassaras

Tips and tricks for Web Application Developers, Professional Penetration Testers and Security Analysts on how to perform a generic and custom Web Application Penetration testing using Python.

Minimum price

$7.99

$10.00

You pay

$10.00

Author earns

$8.00
$

...Or Buy With Credits!

You can get credits monthly with a Reader Membership
PDF
294
Pages
About

About

About the Book

This book is going to help Web Application developers, Professional Penetration Testers and Web Application Security Analysts to standardise their Web Application security assessments. It is also going to help them build a comprehensive penetration testing framework, that can easily be integrated to their custom  Secure Life Cycle (SDLC) development.

Share this book

Categories

TestingPythonWeb Development

Feedback

Email the Author

Author

About the Author

Gerasimos Kassaras

Gerasimos is a security consultant holding a MSc in Information Security, a CREST (CRT), a CISSP, an ITILv3, a GIAC GPEN and a GIAC GAWPT accreditation. Working alongside diverse and highly skilled teams Gerasi- mos has been involved in countless comprehensive security tests and web application secure development engagements for global web applications and network platforms, counting more than 14 years in the web application and application security architecture.

Gerasimos further progressing in his career has participated in various projects providing leadership and accountability for assigned IT security projects, security assurance activities, technical security reviews and assess- ments and conducted validations and technical security testing against pre-production systems as part of overall validations.

Contents

Table of Contents

1 Formalizing Web Penetration Test

1.16 Chaining Scanners . . . . . . . . . . . . . . . . . . . . . . . . 23

1.17 Using Wrappers . . . . . . . . . . . . . . . . . . . . . . . . .  24

1.18 Why Python . . . . . . . . . . . . . . . . . . . . . . . . . . .  26

1.19 Useful Python Libraries . . . . . . . . . . . . . . . . . . . . . 27

1.20 Python Useful Open Source Projects . . . . . . . . . . . .   28

1.21 The Python Version . . . . . . . . . . . . . . . . . . . . . .    29

1.22 Python Development Environment . . . . . . . . . . . . . .  29

1.23 Python Libraries Used . . . . . . . . . . . . . . . . . . . . . . 30

1.24 Installing Python . . . . . . . . . . . . . . . . . . . . . . . . 31

1.25 Installing Requests . . . . . . . . . . . . . . . . . . . . . . . 31

1.26 Installing Beautiful Soup 4 . . . . . . . . . . . . . . . . . . . 32

1.27 Python Comments . . . . . . . . . . . . . . . . . . . . . . . . . 34

1.28 Program Structure . . . . . . . . . . . . . . . . . . . . . . . . 34

1.29 Documenting Python code . . . . . . . . . . . . . . . . . . . . . 35

1.30 Writing Your Own Scanner . . . . . . . . . . . . . . . . . . . .  36

1.31 Problematic Scanning . . . . . . . . . . . . . . . . . . . . . .  38

1.32 The Scanner Design . . . . . . . . . . . . . . . . . . . . . . .  40

1.33 Python Useful Modules . . . . . . . . . . . . . . . . . . . . . . 42

1.34 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

1.35 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

2 Scanning With Class

2.1 Manual Versus Automated Testing . . . . . . . . . . . . . . . . .  48

2.2 Why Commercial Scanners Fail . . . . . . . . . . . . . . . . . . . 49

2.3 Integrating Our Scanner To SDLC . . . . . . . . . . . . . . . . . .55

2.4 Problems When Writing A Scanner . . . . . . . . . . . . . . . 58

2.5 Scanning Time . . . . . . . . . . . . . . . . . . . . . . . . . . 58

2.6 Scanning Time Improvement . . . . . . . . . . . . . . . . . . . 59

2.7 Defining URL(s) . . . . . . . . . . . . . . . . . . . . . . . . . 64

2.8 Choosing HTML Parser . . . . . . . . . . . . . . . . . . . . . 65

2.9 Defining HTML Pages . . . . . . . . . . . . . . . . . . . . . . 67

2.10 Parsing URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

2.11 Parsing HTML pages . . . . . . . . . . . . . . . . . . . . . . . 72

2.12 Restricting Scanning . . . . . . . . . . . . . . . . . . . . . . . 79

2.13 Connection Handling . . . . . . . . . . . . . . . . . . . . . . . 87

2.14 HTTP Handling . . . . . . . . . . . . . . . . . . . . . . . . . . 89

2.15 Fetching Pages . . . . . . . . . . . . . . . . . . . . . . . . . . 90

2.16 Avoiding Denial Of Service Conditions . . . . . . . . . . . . . 92

2.17 Performing Denial of Service . . . . . . . . . . . . . . . . . . . 96

2.18 Assessing Replies . . . . . . . . . . . . . . . . . . . . . . . . . 99

2.19 Sending Malicious Payloads . . . . . . . . . . . . . . . . . . . 101

2.20 Analysing Fuzz Data with Python . . . . . . . . . . . . . . . . 103

2.21 Passive Scanning Analysing Headers . . . . . . . . . . . . . . 105

2.22 Debugging Code . . . . . . . . . . . . . . . . . . . . . . . . . . 109

2.23 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

2.24 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

3 The Payload Management 

3.1 Keeping Up To Date Payloads . . . . . . . . . . . . . . . . . . 116

3.2 Payloads And Fuzzing . . . . . . . . . . . . . . . . . . . . . . 117

3.3 Intelligent Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . 117

3.4 Input Validation Obfuscation . . . . . . . . . . . . . . . . . . 118

3.5 The Teenage Mutant Ninja Turtles Project . . . . . . . . . . . 119

3.6 Encoding And Payloads . . . . . . . . . . . . . . . . . . . . . 119

3.7 Character Encoding . . . . . . . . . . . . . . . . . . . . . . . . 120

3.8 Code Point Explained . . . . . . . . . . . . . . . . . . . . . . 121

3.9 Encoding And Internet Browsers . . . . . . . . . . . . . . . . 123

3.10 Encoding And Rendering . . . . . . . . . . . . . . . . . . . . . 124

3.11 Payload Logistics . . . . . . . . . . . . . . . . . . . . . . . . . 124

3.12 Browser Sandboxing Bypass . . . . . . . . . . . . . . . . . . . 125

3.13 Payload Size Calculation . . . . . . . . . . . . . . . . . . . . . 126

3.14 Building Universal Exploits . . . . . . . . . . . . . . . . . . . 127

3.15 Base64 Encoding And Cross Site Scripting . . . . . . . . . . . 132

3.16 UTF-7 Encoding And Cross Site Scripting . . . . . . . . . . . 134

3.17 Double URL Encoding And Cross Site Scripting . . . . . . . . 135

3.18 Encoding And Path-Traversal Attacks . . . . . . . . . . . . . 136

3.19 UTF-8 encoding And Path-traversal Attacks . . . . . . . . . . 137

3.20 UTF-16 encoding And Path Traversal Attacks . . . . . . . . . 139

3.21 NULL Character And Path Traversal Attacks . . . . . . . . . 140

3.22 Using Mangled Paths . . . . . . . . . . . . . . . . . . . . . . . 142

3.23 Octal encoding and XSS . . . . . . . . . . . . . . . . . . . . . 142

3.24 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

4 Infiltrating Corporate Networks Using XML Injections 

4.1 Why XXE Attacks Still Exist . . . . . . . . . . . . . . . . . . 145

4.2 How Extensible Markup Language Is Used . . . . . . . . . . . 148

4.3 About Document Type Definition . . . . . . . . . . . . . . . . 148

4.4 More On External Entities . . . . . . . . . . . . . . . . . . . . 150

4.5 A URI As Reference In Markup Languages . . . . . . . . . . . 153

4.6 Where XML Parsers Are Used . . . . . . . . . . . . . . . . . . 154

4.7 XML Parser Inner Workings . . . . . . . . . . . . . . . . . . . 155

4.8 XML Parser And XXE . . . . . . . . . . . . . . . . . . . . . . 156

4.9 Generating XML Errors . . . . . . . . . . . . . . . . . . . . . 156

4.10 Error Based XXE Injections . . . . . . . . . . . . . . . . . . . 157

4.11 The XML Web Application . . . . . . . . . . . . . . . . . . . 158

4.12 Generating XXE Errors . . . . . . . . . . . . . . . . . . . . . 159

4.13 Exploiting XXE Injections . . . . . . . . . . . . . . . . . . . . 160

4.14 XXE Injections And HTML Comments . . . . . . . . . . . . . 161

4.15 XXE Injections And CDATA Tags . . . . . . . . . . . . . . . 162

4.16 XXE Injections And Cross Site Scripting . . . . . . . . . . . . 164

4.17 XXE Injections And Open Redirections . . . . . . . . . . . . . 165

4.18 XXE Injections And Clickjacking . . . . . . . . . . . . . . . . 166

4.19 XXE Injections And HTML Forms . . . . . . . . . . . . . . . 168

4.20 XXE Injections And Internal Resource Extraction . . . . . . . 169

4.21 XXE Injections And Denial of Service . . . . . . . . . . . . . . 171

4.22 XXE Injections And Port Scanning . . . . . . . . . . . . . . . 173

4.23 XXE Injections And Post Exploitation . . . . . . . . . . . . . 181

4.24 XXE Injections And Service Fingerprint . . . . . . . . . . . . 181

4.25 XXE Injections And Host Discovery . . . . . . . . . . . . . . . 182

4.26 XXE Injections And Web Server Fingerprinting . . . . . . . . 183

4.27 The XXE Identification Scanner . . . . . . . . . . . . . . . . . 184

4.28 The XXE Port Scanner . . . . . . . . . . . . . . . . . . . . . . 186

4.29 The XXE Directory Enumerator . . . . . . . . . . . . . . . . . 187

4.30 Mitigating XXE Vulnerabilities . . . . . . . . . . . . . . . . . 188

4.31 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

4.32 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

5 Phishing Like A Boss 

5.1 Why Phishing Attacks Still Exist . . . . . . . . . . . . . . . . 192

5.2 Phishing Attacks Evolve . . . . . . . . . . . . . . . . . . . . . 193

5.3 Clickjacking Attacks . . . . . . . . . . . . . . . . . . . . . . . 195

5.4 Exploiting Clickjacking Attacks Using Cascading Style Sheets 196

5.5 CSRF Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

5.6 Exploiting CSRF Using GET Request . . . . . . . . . . . . . . 202

5.7 Exploiting CSRF Using POST To GET Interchanges . . . . . 204

5.8 Exploiting CSRF Using POST Requests . . . . . . . . . . . . 205

5.9 Exploiting CSRF And Enctype . . . . . . . . . . . . . . . . . 207

5.10 Exploiting CSRF Using XMLHttpRequest . . . . . . . . . . . 208

5.11 XSS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

5.12 XSS Attacks And Clickjacking . . . . . . . . . . . . . . . . . . 212

5.13 XSS Attacks, Clickjacking And Payload Obfuscation . . . . . 216

5.14 Clickjacking And CSRF . . . . . . . . . . . . . . . . . . . . . 219

5.15 Countermeasures Against Phishing Attacks . . . . . . . . . . . 221

5.16 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

6 Obfuscating SQL Fuzzing For Fun and Profit

6.1 Why SQL Injection Attacks Still Exist . . . . . . . . . . . . . 224

6.2 SQL injection Attacks Evolve . . . . . . . . . . . . . . . . . . 225

6.3 SQL Obfuscation Techniques . . . . . . . . . . . . . . . . . . . 227

6.4 Using Case Variation . . . . . . . . . . . . . . . . . . . . . . . 229

6.5 Using SQL Comments . . . . . . . . . . . . . . . . . . . . . . 235

6.6 Using Single URL Encoding . . . . . . . . . . . . . . . . . . . 238

6.7 Using Double URL Encoding . . . . . . . . . . . . . . . . . . 241

6.8 Using Dynamic Query Execution . . . . . . . . . . . . . . . . 241

6.9 Using Conversion Functions . . . . . . . . . . . . . . . . . . . 245

6.10 Multil Layer SQL Obfuscation . . . . . . . . . . . . . . . . . . 248

6.11 SQL Injection Filter Design Mentality . . . . . . . . . . . . . 250

6.12 Whitelist Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 251

6.13 Whitelist Filters In .NET . . . . . . . . . . . . . . . . . . . . 252

6.14 Whitelist Filters In Java . . . . . . . . . . . . . . . . . . . . . 253

6.15 Blacklist Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 254

6.16 Blacklist Filters In ASP . . . . . . . . . . . . . . . . . . . . . 255

6.17 Blacklist Filters In Java . . . . . . . . . . . . . . . . . . . . . 257

6.18 Hybrid Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

6.19 Thinks To Consider When Automating Fuzzing . . . . . . . . 259

6.20 Stored Procedures And Parameterized Queries . . . . . . . . . 261

6.21 Web Application Firewall Bypassing . . . . . . . . . . . . . . 262

6.22 Python Library Requests . . . . . . . . . . . . . . . . . . . .  262

6.23 Automating SQL Fuzzing . . . . . . . . . . . . . . . . . . . . 264

6.24 Hiding SQL Injection Attacks From Logs . . . . . . . . . . 269

6.25 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Get the free sample chapters

Click the buttons to get the free sample in PDF or EPUB, or read the sample online here

Download Sample PDFDownload Sample EPUB

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earned over $14 million writing, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub