WebApp Compendium 06_2012


 

A large number of web applications remain potentially vulnerable to standard attacks due to a lack of proper test methodology. It is hard to estimate what percentage of successful hacker attacks might be blocked, but a good, thoughtful pentesting strategy may significantly reduce attackers' chances.

We present the Web App Pentesting Compendium, containing the most popular threads and discussions ever published in our Magazine. It is a revealing publication with 29 highly specialized articles from various fields.

Overall

Open Source Web Application Security Testing Tools
By Vinodh Velusamy
The author shows us the significance of Open Source Web Application Security Testing Tools. As he claims: “When you choose and use good tools, you’ll know it. Amazingly, you’ll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish. Most importantly, with a good web vulnerability scanner you’ll be able to maximize the number of legitimate vulnerabilities discovered to help reduce the risks associated with your information systems. At the end of the day and over the long haul, this will add up to considerable business value you can’t afford to overlook.”
Web services and testing
By Saurabh Malhotra
Building Your Own Pentesting Application
By Dhananjay D. Garg
Web Application Security Vulnerabilities Have Been Prevalent The Last Decade
By Matt Parsons

Attack

Session Hijacking
By Nikhil Srivastava
Finding Your Target
By Willem Mouton
Search Form Based DoS
By Bunyamin Demir
Backdoors Hiding Malicious Payloads Inside Cascading Style Sheets
By Hans-Michael Varbaek
How to pentest well-known CMS
By Sumedt Jitpukdebodin
Bypassing web antiviruses
By Eugene Dokukin aka MustLive
How to attack DNS
By Aleksandar Bratic

XSS & CSRF

XSS Using Shell of the future
By Sow Ching Shiong
Shell of the Future is a Reverse Web Shell handler. It can be used to hijack sessions where JavaScript can be injected using XSS or through the browser’s address bar. It makes use of HTML5’s Cross Origin Requests and can bypass anti-session hijacking measures like Http-Only cookies and IP address-Session ID binding. It has been designed to be used as a proof of concept to demonstrate the impact of XSS vulnerability in a penetration test with the same ease as getting an alert box to pop-up.
Cross-Site Request Forgery
By Jamie
XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications
By Marsel Nizamutdinov
Discovering Modern CSRF Patch Failures
By Tyler Borland
Business Logic Vulnerabilities via CSRF
By Eugene Dokukin
CSRF Attacks on Network Devices
By Eugene Dokukin

SQL Injection

NTO SQL Invader
By Sow Ching Shiong
NTO SQL Invader is a SQL injection exploitation tool. It gives the ability to quickly and easily exploit or demonstrate SQL injection vulnerabilities in Web applications. With a few simple clicks, a penetration tester will be able to exploit a vulnerability to view the list of records, tables and user accounts of the back-end database.

SQL Injection Pen-Testing
By Sow Ching Shiong

SQL Injection: Inject Your Way to Success
By Christopher Payne

Fuzzing

Fuzzing for Free
By Mrityunjay Gautam
As a developer working on a product release, we tend to re-use most of the legacy code from the previous release and then work on the new features and bug-fixes only. As a QA resource, we would be using the same “conformance test suite” or the same “stress test suite” to ensure that the new builds are working as expected. In this article the author gives us good insight into the theory of the art of fuzzing.
Fuzzing With Sulley
By Jose Selvi
Fuzzing With WebScarab
By Sagar Chandrashekar
Fuzzing in a Penetration Test
By Joshua Wright

Memory Corruption

Introduction to exploit automation with Pmcma, Part I
By Jonathan Brossard
Determining exploitability is hard, writing exploits is hard. In fact, due to theoretical limitations hopefully known to the reader of this paper (aka: halting point problem), they are two sides of the same coin. Proving unexploitability is provably unfeasible in the general case, and practically for the vast majority of computer programs actually used nowadays. So what you can get at best is an “it’s not doable given the state of the art of exploitation”. Public knowledge, common sense… In this article the author made a serious effort to provide you with all the details concerning the Pmcma tool, released at the Black Hat US conference this year.
Introduction to exploit automation with Pmcma, Part II
By Jonathan Brossard

Basics

Web Application Security for Newbies part 1
By Herman Stevens
Herman introduces us to the world of hacking and web application security. He shows us his own biography as a hacker and professional, as he mentions: “Let’s face it: hackers like to take things apart to see how they work and find it challenging to find other, completely different uses other than their intended purpose.” You will learn what his first conclusions are, and what he recommends for newbies, by reading this brilliant article.
Web Application Security for Newbies part 2
By Herman Stevens
Web Application Security for Newbies part 3
By Herman Stevens

 


 
