Attacking and Exploiting Modern Web Applications: Discover the mindset, techniques, and tools to perform modern web attacks and exploitation

Simone Onofri, Donato Onofri

  • Publisher: Packt Publishing
  • Publication date: 2023-08-25
  • List price: $1,430
  • VIP price: $1,359 (9.5 折, i.e. 95% of list price)
  • Language: English
  • Pages: 338
  • Binding: Quality Paper (also called trade paper)
  • ISBN: 1801816298
  • ISBN-13: 9781801816298
  • Category: Information Security
  • Overseas special-order item (must be checked out separately)

Product Description

Master the art of web exploitation and bug bounty hunting with real CVEs and CTFs on SAML, WordPress, IoT, ElectronJS, and Ethereum Smart Contracts.

Purchase of the print or Kindle book includes a free PDF eBook.
Key Features

  • Learn to discover vulnerabilities using source code, dynamic analysis, and decompiling binaries.
  • Find and exploit vulnerabilities like SQL Injection, XSS, Command Injection, RCE, and Reentrancy.
  • Analyze real security incidents based on MITRE ATT&CK to understand the risk at the CISO level.

Book Description
Web attacks and exploits pose an ongoing threat to the interconnected world. This comprehensive book explores the new challenges of web application security, providing an in-depth understanding of attackers' methods. It equips readers with the practical knowledge and skills needed to understand these attacks, walking them through 3 CTFs and explaining the discovery of 7 CVEs.
The book starts by emphasizing the importance of mindset and toolset in conducting successful attacks. It helps you understand the required methodologies and frameworks, how to configure the environment using interception proxies, how to automate tasks with Bash and Python, and how to set up a research lab.
The book then explores how to attack the authentication layer, focusing on SAML; internet-facing web applications (specifically WordPress and SQL injection); and IoT devices, exploiting vulnerabilities such as Command Injection. It also covers attacks on Electron JavaScript-based applications (XSS and RCE) and the security challenges of auditing and exploiting Ethereum Smart Contracts written in Solidity. The book concludes by describing how to disclose vulnerabilities. Each chapter analyses confirmed cases of exploitation mapped to MITRE ATT&CK.
By the end of this book, you will have enhanced your ability to find and exploit web vulnerabilities.

What you will learn

  • Understand the mindset, methodologies, and toolset for web attacks and exploitation.
  • Learn how SAML and SSO work and find their vulnerabilities.
  • Understand WordPress and how to exploit SQL Injections.
  • Learn how IoT devices work and how to exploit Command Injection.
  • Understand ElectronJS applications and transform an XSS into an RCE.
  • Learn how to audit Ethereum Smart Contracts written in Solidity.
  • Understand how to decompile, debug, and instrument web applications.

Who this book is for
This book is for anyone who must ensure their organization's security: penetration testers and red teamers who want to deepen their knowledge of the current security challenges for web applications; developers and DevOps engineers who want to get into the mindset of an attacker; and security managers and CISOs who want to truly understand the impact and risk of web, IoT, and smart contract vulnerabilities. Basic knowledge of web technologies and related protocols is a must.


Table of Contents

  1. Mindset and Methodologies
  2. Toolset
  3. Attacking the Authentication Layer: A SAML Use Case
  4. Attacking Internet-Facing Web Applications: SQL Injection and Cross-Site Scripting (XSS) on WordPress
  5. Attacking IoT Devices: Command Injection and Path Traversal
  6. Attacking Electron JavaScript Applications: From Cross-Site Scripting (XSS) to Remote Command Execution (RCE)
  7. Attacking Ethereum Smart Contracts: Reentrancy, Weak Sources of Randomness and Business Logic
  8. Continuing the Journey of Vulnerability Discovery
