This book is for IT professionals, web developers, security enthusiasts, and security professionals who want an accessible reference on how to find, exploit, and prevent security vulnerabilities in web applications. You should know the basics of operating a Linux environment and have some exposure to security technologies and tools.What You Will LearnSet up a penetration testing laboratory in a secure wayFind out what information is useful to gather when performing penetration tests and where to look for itUse crawlers and spiders to investigate an entire website in minutesDiscover security vulnerabilities in web applications in the web browser and using command-line toolsImprove your testing efficiency with the use of automated vulnerability scannersExploit vulnerabilities that require a complex setup, run custom-made exploits, and prepare for extraordinary scenariosSet up Man in the Middle attacks and use them to identify and exploit security flaws within the communication between users and the web serverCreate a malicious site that will find and exploit vulnerabilities in the user's web browserRepair the most common web vulnerabilities and understand how to prevent them becoming a threat to a site's securityIn Detail
Web applications are a huge point of attack for malicious hackers and a critical area for security professionals and penetration testers to lock down and secure. Kali Linux is a Linux-based penetration testing platform and operating system that provides a huge array of testing tools, many of which can be used specifically to execute web penetration testing.
This book will teach you, in the form step-by-step recipes, how to detect a wide array of vulnerabilities, exploit them to analyze their consequences, and ultimately buffer attackable surfaces so applications are more secure, for you and your users.
Starting from the setup of a testing laboratory, this book will give you the skills you need to cover every stage of a penetration test: from gathering information about the system and the application to identifying vulnerabilities through manual testing and the use of vulnerability scanners to both basic and advanced exploitation techniques that may lead to a full system compromise. Finally, we will put this into the context of OWASP and the top 10 web application vulnerabilities you are most likely to encounter, equipping you with the ability to combat them effectively. By the end of the book, you will have the required skills to identify, exploit, and prevent web application vulnerabilities.Style and approach
Taking a recipe-based approach to web security, this book has been designed to cover each stage of a penetration test, with descriptions on how tools work and why certain programming or configuration practices can become security vulnerabilities that may put a whole system, or network, at risk. Each topic is presented as a sequence of tasks and contains a proper explanation of why each task is performed and what it accomplishes.
"Nmap 6: Network exploration and security auditing cookbook" will help you master Nmap and its scripting engine. You will learn how to use this tool to do a wide variety of practical tasks for pentesting and network monitoring. Finally, after harvesting the power of NSE, you will also learn how to write your own NSE scripts.
"Nmap 6: Network exploration and security auditing cookbook" is a book full of practical knowledge for every security consultant, administrator or enthusiast looking to master Nmap. The book overviews the most important port scanning and host discovery techniques supported by Nmap. You will learn how to detect mis-configurations in web, mail and database servers and also how to implement your own monitoring system.
The book also covers tasks for reporting, scanning numerous hosts, vulnerability detection and exploitation, and its strongest aspect; information gathering.
In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You'll learn how to:
* Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
* Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
* Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
* Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
* Embed or host user-supplied content without running into the trap of content sniffing
For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.
Recognized as one of the best tools available for security professionals, specifically for the candidate who is striving to become a CISSP, the Official (ISC)²® Guide to the CISSP® CBK®, Fourth Edition is both up-to-date and relevant. Reflecting the significant changes in the CISSP CBK, this book provides a comprehensive guide to the eight domains.
Numerous illustrated examples and practical exercises are included in this book to demonstrate concepts and real-life scenarios. Endorsed by (ISC)² and compiled and reviewed by CISSPs and industry luminaries around the world, this textbook provides unrivaled preparation for the certification exam and is a reference that will serve you well into your career. Earning your CISSP is a respected achievement that validates your knowledge, skills, and experience in building and managing the security posture of your organization and provides you with membership to an elite network of professionals worldwide.
Today's system administrators face increasing challenges in the quest for network quality, and The Book of PF can help by demystifying the tools of modern *BSD network defense. But, perhaps more importantly, because we know you like to tinker, The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:
* Create rule sets for all kinds of network traffic, whether it is crossing a simple home LAN, hiding behind NAT, traversing DMZs, or spanning bridges
* Use PF to create a wireless access point, and lock it down tight with authpf and special access restrictions
* Maximize availability by using redirection rules for load balancing and CARP for failover
* Use tables for proactive defense against would-be attackers and spammers
* Set up queues and traffic shaping with ALTQ, so your network stays responsive
* Master your logs with monitoring and visualization, because you can never be too paranoid
The Book of PF is written for BSD enthusiasts and network admins at any level of expertise. With more and more services placing high demands on bandwidth and increasing hostility coming from the Internet at-large, you can never be too skilled with PF.
Security Monitoring is based on the authors' years of experience conducting incident response to keep Cisco's global network secure. It offers six steps to improve network monitoring. These steps will help you:
Develop Policies: define rules, regulations, and monitoring criteriaKnow Your Network: build knowledge of your infrastructure with network telemetrySelect Your Targets: define the subset of infrastructure to be monitoredChoose Event Sources: identify event types needed to discover policy violationsFeed and Tune: collect data, generate alerts, and tune systems using contextual informationMaintain Dependable Event Sources: prevent critical gaps in collecting and monitoring events
Security Monitoring illustrates these steps with detailed examples that will help you learn to select and deploy the best techniques for monitoring your own enterprise network.