Symbols A - No Starch Press
-
Upload
khangminh22 -
Category
Documents
-
view
0 -
download
0
Transcript of Symbols A - No Starch Press
I N D E X
Symbols../, 279, 287, 325.bash_profile, 81/etc/passwd, 252, 291/etc/shadow, 177, 249, 253–260, 279, 332.git directory, 328–330. See also Git
annotated tags, 330blobs, 330commits, 330trees, 330
Aaccess control, 43, 175, 177–178, 278,
324, 364–365. See also broken access control
access tokens, 312–316, 364–365long-lived tokens, 316
account takeover, 172, 185, 321active scanning, 69. See also passive
scanningADB. See Android Debug Bridge (ADB)admin panels, 70–71, 278, 321AFL. See American Fuzzy Lop (AFL)alert box, 116, 122–126allowlist, 133, 141, 194, 215, 220–221.
See also blocklistAltdns, 69Amass, 68Amazon Elastic Compute Cloud (EC2),
77, 226. See also Amazon Web Services (AWS)
Amazon S3, 74–77, 226. See also Amazon Web Services (AWS)
Lazys3, 74S3 buckets, 61, 64, 74
Amazon Web Services (AWS), 61, 75, 308, 316
awscli, 75American Fuzzy Lop (AFL), 370
Android, 335, 347–354Android Debug Bridge (ADB), 351Android Package (APK), 350
Activities, 350AndroidManifest.xml, 350assets, 351BroadcastReceivers, 350classes.dex, 351ContentProviders, 350lib, 351MANIFEST.MF, 351META-INF, 351res, 351resources.arsc, 351res/values/strings.xml, 354Services, 350
Android Studio, 352developer options, 352
ApacheApache Cassandra, 199Apache Commons FileUpload, 243Apache CouchDB, 199Apache Groovy, 243
APIs. See application programming interfaces (APIs)
APK. See Android Package (APK)Apktool, 352application logic errors, 275–281, 379.
See also business logic vulnerabilities
application programming interfaces (APIs), 6, 34, 355–367
API-centric applications, 361API enumeration, 362API keys, 75, 226
apt-get, 219ASCII, 126–127, 138–140, 293ASNs. See autonomous systems (ASNs)asset, 4. See also scope
382 Index
attack scenarios, 19attack surface, 5–6, 25, 61–62, 104, 309authentication app, 276authentication keys, 62authorization code, 276, 314automated testing toolkit, 379automation strategies, 318autonomous systems (ASNs), 67AWS. See Amazon Web Services (AWS)Ayrey, Dylan, 339
Bbash script, 62, 80–104, 372basic authentication, 376Big List of Naughty Strings, 372billion laughs attack, 258. See also
XML bombBitbucket, 316bitly.com, 119black-box testing, 336. See also gray-box
testing, white-box testingblocklist, 126, 133, 215. See also allowlistbroken access control, 275–281, 364. See
also access controlbrute-forcing, 42, 54, 70–71, 376–377
directory brute-forcing, 62, 70–71URL brute-forcing, 278
bug bountybug bounty hunter, 3bug bounty platforms, 8bug bounty program, 3–4notes, 58private programs, 11
bug chains, 27Bugcrowd, 4, 8, 17bug slump, 27built-in functions, 270–272, 288BuiltWith, 79, 104Burp, 39, 47–58
AuthMatrix, 185Auto Repeater, 185Autorize, 185BAppStore, 185Burp Suite Pro, 47, 219Collaborator, 219comparer, 58 crawler, 72decoder, 39, 57
intruder, 54, 129, 370, 372repeater, 56SQLiPy, 203
business impact, 17, 27, 104, 379. See also business priorities
business logic vulnerabilities, 276. See also application logic errors
business priorities, 17, 27. See also business impact
business requirements, 279
CCA. See certificate authority (CA)capitalization, 126CAPTCHA, 65Capture the Flag, 12, 28Cascading Style Sheets (CSS), 34, 147
opacity, 148z-index, 147
cat command, 92CDATA. See character data (CDATA)Censys, 67, 70, 104central processing units (CPUs), 206certificate authority (CA), 50certificate parsing, 67certificate pinning, 349–350, 353cert pinning. See certificate pinningcharacter data (CDATA), 259chmod, 82clickjacking, 143–154, 163–165client, 34. See also serverclient IDs, 313–315Cloud computing, 226CNAME, 308
dangling CNAMEs, 309Cobalt, 4, 8Codecademy, 44, 80code injection, 283. See also command
injection, RCEcommand injection, 285, 343. See also
code injection, RCEcommand substitution, 84, 101, 292Common Vulnerabilities and
Exposures (CVEs), 78, 281, 332, 340
Common Vulnerability Scoring System (CVSS), 17
concurrency, 206
Index 383
confidentiality, 312configuration files, 70CORS. See Cross-Origin Resource
Sharing (CORS)CPUs. See central processing units
(CPUs)Cron, 102–103, 318
crontabs, 102–103Cross-Origin Resource Sharing
(CORS), 297–298, 302–306cross-site request forgery (CSRF), 128,
152, 155–174cross-site scripting (XSS), 111–129, 308CSRF. See cross-site request
forgery (CSRF)cryptography, 6–7, 339
weak cryptography, 339CSS. See Cascading Style Sheets (CSS)CTF. See Capture the Flag
CTF Wiki, 273curl, 87, 211, 366CVEs. See Common Vulnerabilities and
Exposures (CVEs)CVE database, 340
CVSS. See Common Vulnerability Scoring System (CVSS)
CyberChef, 39Cyrillic, 140
DDamn Vulnerable Web Application, 203data:, 122, 138database, 188data entry points, 371data exfiltration, 259data injection points, 371debugging mode, 351debug messages, 64Denial-of-Service Attacks (DoS), 10,
200, 258ReDoS, 63
dependencies, 76, 250, 288, 340outdated dependencies, 76, 340
descriptive error, 196, 257, 266, 268deserialization, 231–246developer comments, 324, 328, 331,
340, 345developer tools, 129
DigitalOcean, 227directory enumerator, 370directory traversal, 43, 177, 279, 325. See
also path traversalDNS. See Domain Name System (DNS)DOCTYPE, 248document.cookie, 115Document Object Model (DOM),
117–118document type definition (DTD),
248–250, 253–260DOM. See Document Object Model
(DOM)domain name, 33. See also hostnameDomain Name System (DNS), 34–35
DNS records, 222AAAA records, 222A records, 222
DNS zone transfers, 68domain privacy, 66domain registrar, 65, 223DoS. See Denial-of-Service Attacks
(DoS)DTD. See document type definition
(DTD)
EEC2. See Amazon Elastic Compute
Cloud (EC2)ECB, 339echo command, 83EdOverflow, 125, 317Eloquent JavaScript, 44embedded browser, 47, 50emulator, 6, 348–349, 352–353
mobile emulator, 348–349encoding
base64 encoding, 38, 138, 181content encoding, 38decimal encoding, 223double encoding, 139double word (dword) encoding,
223–224hex encoding, 38, 223mixed encoding, 223octal encoding, 223URL decoding, 138URL encoding, 38, 138, 181, 223
384 Index
encryption, 312, 338–339, 353entropy, 77, 159, 182, 339ERB. See Embedded Ruby template
(ERB)escaping, 119
escape character, 101, 119, 293output escaping, 119
eval, 284–285, 336–338event listener, 298–300, 302–303, 305
onclick, 122onerror, 122onload, 122
executable, 7Extensible Markup Language (XML),
247–260, 309, 357–358external entities, 248parameter entities, 256XML entities, 248XML parsers, 247
EyeWitness, 71, 316
Ffile inclusion, 286–287
local file inclusions, 287remote file inclusion, 286
File Transfer Protocol (FTP), 260filter bypass, 128, 293fingerprinting, 78Firefox, 46–52, 124, 160–161Flash, 111Frida, 350, 353
Objection, 350Universal Android SSL Pinning
Bypass, 350FTP. See File Transfer Protocol (FTP)fuzzing, 125, 195, 363, 370–379
FuzzDB, 372fuzzers, 369–379web application fuzzing, 370
Ggadgets, 238, 243–245
gadget chains, 243–245getopts, 92–98Git, 328
Blame, 76git diff, 103History, 76Issues, 76
GitHub, 75, 316GitHub gists, 327GitHub Pages, 308–309, 317repositories, 75
Gitleaks, 328Gitrob, 77Global Regular Expression Print
(grep), 88–89GoDaddy, 219Google Cloud, 226–227, 316Google dorking, 62, 65, 74, 134, 278Google Hacking Database, 65Graphical User Interface (GUI), 373GraphQL, 179, 358–365
Clairvoyance, 362introspection, 360-361
__schema, 360__type, 361
mutations, 359queries, 359Playground, 362
gray-box testing, 336. See also black-box testing, white-box testing
grep. See Global Regular Expression Print (grep)
GUI. See Graphical User Interface (GUI)
Hhacker blogs, 28HackerOne, 4, 8, 11, 17, 111, 233
Hacktivity, 209hacking, 61
hacking environment, 45HackTricks, 273hardcoded secrets, 76, 338–339, 354hardware, 7hashing, 177Haverbeke, Marijn, 44HMAC, 42Hostinger, 219hostname, 67, 296. See also domain
nameHTML. See Hypertext Markup
Language (HTML)HTTP. See HyperText Transfer Protocol
(HTTP)HttpOnly, 115, 120
Index 385
Hypertext Markup Language (HTML), 34
HTML tag, 123HyperText Transfer Protocol (HTTP),
36–39cookies, 39
cookie sharing, 308double-submit cookie, 167
request headers, 36Authorization, 36, 376Cookie, 36Host, 36Origin, 297Referer, 36User-Agent, 36, 377
request methods, 183response bodies, 37, 324response headers, 37, 151, 324
Access-Control-Allow-Origin, 37, 297–298, 302–305
Content-Security-Policy, 37, 120, 149, 151
Content-Type, 37, 242, 251frame-ancestors, 149Location, 37Set-Cookie, 37, 150, 156X-Frame-Options, 37, 149, 151,
153–154response times, 9status code, 36, 219
Iidentity assertion, 309–312identity provider, 309–314, 316, 319IDE. See integrated development
environment (IDE)IDORs. See insecure direct object
references (IDORs)IETF. See Internet Engineering Task
Force (IETF)iframe, 144–154, 158, 160, 163–164,
298–299, 304double iframe, 152frame-busting, 151–152
information leaks, 170, 226, 229, 295, 312, 324, 331–332, 354, 363–365
inline scripts, 113–114
input redirection, 83input validation, 119–120, 250, 288,
291, 293, 366insecure deserialization, 231–246,
337–338, 366–367insecure direct object references
(IDORs), 175–186, 353–354blind IDORs, 183read-based IDORs, 184write-based IDORs, 184
instance metadata, 226–229, 255integrated development environment
(IDE), 59internal network, 214. See also private
networkinternal domains, 66
internet, 33internet security controls, 38
Internet Engineering Task Force (IETF), 222
Internet of Things (IoT), 5, 7, 122, 347, 358
Internet Protocol (IP), 34IPv4, 34IPv6, 34, 222IP addresses, 65–66
IP range, 66reserved IP addresses, 218
Intigriti, 4, 8iOS, 348, 350, 353IoT. See Internet of Things (IoT)IP. See Internet Protocol (IP)
Jjava.io.Serializable, 241
readObject(), 241–242, 244writeObject(), 241
javascript:, 122–126JavaScript (JS), 34, 44, 111, 353
Angular, 120fromCharCode(), 126
Jenkins, 69jq, 90–91jQuery, 118
js.do, 127React, 120Retire.js, 180Vue.js, 120
386 Index
JS. See JavaScript (JS)JSON, 68, 184, 234, 357JSONP. See JSON with Padding
(JSONP)JSON Web Tokens (JWT), 41–43
alg field, 42header, 41
JSON with Padding (JSONP), 300–302, 305–306. See also JSON
JWT. See JSON Web Tokens (JWT). See also JSON
KKali Linux, 46KeyHacks, 76Kibana, 64Kubernetes, 227
LLearn Python the Hard Way, 44LinkFinder, 331Linux, 62localhost, 218low-hanging fruit, 25
MmacOS, 62man, 96man-in-the-middle attacks, 349Markdown, 59Masscan, 69MD4, 339MD5, 339memory leaks, 370methodology, 25, 27MFA. See multifactor authentication
(MFA)Miessler, Daniel, 372mind-mapping, 59mitigation process, 19–21mkdir, 83mobile applications, 6mobile hacking, 347–354Mobile Security Framework, 353MongoDB, 199monitoring system, 318
multifactor authentication (MFA), 276–277, 280
multithreading, 206MySQL, 188, 196, 198, 201
NNamecheap, 223Netcat, 219NetRange, 66network perimeter, 214network scanning, 215, 224–228NoSQL, 188, 199–201
NoSQL injections, 199–201NoSQLMap, 200
nslookup, 66, 222NULL origin, 297–298, 303–305
OOAuth, 141, 312–316, 320–321
redirect_uri, 313–316object-oriented programming
languages, 234Obsidian, 59Offensive Security, 120open redirect, 131–141, 221, 314–316,
338, 342–343open redirect chain, 315parameter-based open redirects, 135referer-based open redirects, 132,
135operating system, 46, 62OSINT, 77outbound requests, 228, 249, 252out-of-band interaction, 289out-of-band techniques, 219output redirection, 83–84OWASP, 28, 72
Code Review Guide, 336Dependency-Check tool, 340Deserialization Cheat Sheet, 244IoTGoat, 122Mobile Security Testing Guide, 348SQL injection prevention cheat
sheet, 195Web Security Testing Guide, 367XSS filter evasion cheat sheet, 128XSS prevention cheat sheet, 120
Index 387
Pparameterized queries, 192. See also
prepared statementsparent directory, 279, 325passive scanning, 69–70. See also active
scanningpassword-cracking, 269Pastebin, 77–78, 324, 327–328
pastebin-scraper, 328PasteHunter, 78, 328
paste dump sites, 327path enumeration, 374–375path traversal, 177, 279, 325, 366–367.
See also directory traversalPATH variable, 81pattern matching, 89payload, 41, 54, 154payouts, 9–11Periscope, 153permissions, 178permutations, 69, 74–75phishing, 129, 132, 140, 309PHP, 61, 70–71, 232–241
ExtendsClass, 232instantiation, 235, 239magic methods, 235–238object injection vulnerabilities,
233, 238unserialize(), 235
wrappers, 259phpmyadmin, 70, 79PHPSESSID, 79POC. See proof of conceptPOP chain. See property-oriented
programming chainpop-up, 154port, 35
port number, 35, 296port scanning, 62, 69
Postman, 362postMessage(), 298–306prepared statements, 192–194principle of least privilege, 201, 210, 288private network, 218. See also internal
networkProgrammer Help, 273
programming, 44expression, 262for loop, 93function library, 96functions, 87if-else statements, 86interactive programs, 97statement, 262while loop, 98
Project Sonar, 70proof of concept (POC), 18
POC generation, 174property-oriented programming chain,
238–239protocol, 43, 120, 296, 325proxy, 46, 52, 72, 348
proxy services, 216web proxy, 45
publicly disclosed reports, 25. See also write-up
publicly disclosed vulnerabilities, 324Python, 44, 244–245, 262–273, 289–292
dictionary, 272object, 270
QQuora, 77
Rrace conditions, 205–212, 366, 370randomization, 178rate-limiting, 365–366, 378RCE. See remote code execution (RCE)reachable machines, 224recon. See reconnaissancereconnaissance, 25, 61–107, 243, 360, 369
recon APIs, 104referer, 132–135, 141–163, 168–169, 315regex. See regular expressionregular expression, 77, 88–90, 221, 298,
338–339constants, 89operators, 89RexEgg, 90
remote code execution (RCE), 236–237, 283–293, 337
blind RCEs, 288classic RCEs, 288
388 Index
report states, 21duplicate, 22informative, 22invalid reports, 26low-severity bug, 26mediation, 23N/A, 22need more information, 22resolved, 23triaged, 22
Representational State Transfer (REST), 357
resource locks, 210REST. See Representational State
Transfer (REST)return-oriented programming, 241reverse engineering, 6reverse shell, 285rooted device, 6RSA, 42
SS3. See Amazon S3safe concurrency, 206same-origin policy (SOP), 43, 295–306SameSite, 149–152, 159–160SAML. See Security Assertion Markup
Language (SAML)sandbox
sandbox environment, 265–166sandbox escape, 269–273
sanitizing, 114SAST. See static analysis security
testing (SAST)SCA. See software composition
analysis (SCA)scanner, 72scheduling, 206scope, 9–13, 26
scope discovery, 65search engine, 63SecLists, 68, 372secret-bridge, 325secret key, 40secret storage system, 325Secure Shell Protocol (SSH), 218, 225,
227
Secure Sockets Layer (SSL), 67, 349Security Assertion Markup Language
(SAML), 309SAML Raider, 320SAML signature, 311
security context, 302security patches, 340security program, 4sensitive data leaks, 312sensitive information, 324serialization, 232. See also deserialization
serialized string, 233server, 34, 79. See also client
server logs, 64server status, 64
server-side request forgery (SSRF), 213–229, 278
blind SSRF, 214server-side template injections (SSTIs),
261–274server-side vulnerabilities, 6service banner, 218service enumeration, 69service provider, 309session, 39–40
session cookie, 115, 156–160, 162–172, 308–309, 318–321. See also session ID
session ID, 39. See also session cookie
session management, 39Shaw, Zed, 44shebang, 80shell
commands, 285interpreter, 62
Shopify, 359signature, 40–43, 311–312, 319–321, 351single sign-on (SSO), 307–321
shared-session SSO, 308–309SlideShare, 77Snapper, 71, 316SOAP, 358social engineering, 119, 132
Social-Engineer Toolkit, 154software composition analysis (SCA), 340software supply chain attack, 288
Index 389
SOP. See same-origin policy (SOP)source code review, 76, 328,
335–346, 351, 378. See also static analysis security testing (SAST), static code analysis
source command, 96spidering, 62, 71Spring Framework, 243SQL. See Structured Query Language
(SQL)SQL injections, 187–203
blind, 188, 195Boolean based, 196classic, 188, 195error based, 195first-order, 191inferential, 196out-of-band, 188, 195second-order, 191time based, 197UNION based, 195
sqlmap, 202Squarespace, 316SSH. See Secure Shell Protocol (SSH)SSL. See Secure Sockets Layer (SSL)SSL pinning. See certificate pinningSSO. See single sign-on (SSO)SSRF. See server-side request
forgery (SSRF)SSRFmap, 220SSTIs. See server-side template
injections (SSTIs)Stack Overflow, 77state-changing action, 149, 161static analysis security testing (SAST),
346. See also source code review, static code analysis
static code analysis, 378. See also source code review, static analysis security testing (SAST)
Structured Query Language (SQL), 187–188
SubBrute, 68subdomain, 64–65
sibling subdomains, 296subdomain enumeration, 68–69, 379subdomain takeovers, 308–309,
316–318
Subject Alternative Name, 67–68Sublime Text, 59superdomain, 296SVG, 253Swagger, 363Synack, 4, 8synchronization, 210syntax error, 123system root, 279
Ttechnology stack, 6, 69, 78–79, 104template engines, 261–266
Embedded Ruby template (ERB), 266
FreeMarker, 266Jinja, 262Smarty, 266Thymeleaf, 266Twig, 266
template injections. See server-side template injections (SSTIs)
test command, 95testing guides, 28third-party service, 308threads, 206time-of-check/time-of-use vulnerabilities.
See race conditionstime throttling, 366, 373–374token-based authentication, 40token forgery, 40Tomnomnom, 78tplmap, 273triage, 8–9truffleHog, 77, 328, 339tuple, 270Tutorials Point, 232Twitter, 356
UUnarchiver, 253unexpected behavior, 370Unicode, 140Unix, 46, 81, 100–102, 177, 249, 279,
290, 292, 325, 372Unrouted addresses, 228URLs, 63
absolute URL, 133–134, 325
390 Index
components of, 136internal URLs, 218mangled URLs, 136relative URLs, 133, 325
URL fragments, 118, 121, 266URL validation, 133, 136USB debugging, 351user input, 342user-interface redressing, 143. See also
clickjacking
Vvalidating, 114Vault, 325VBScript, 111VDPs. See vulnerability disclosure
programs (VDPs)ViewDNS.info, 66View Source Code, 79virtual environment, 352vulnerabilities, 61vulnerability disclosure programs
(VDPs), 10vulnerability report, 16. See also write-up
severity, 16steps to reproduce, 18
vulnerability scanners, 25
WW3Schools, 188WAF. See web application firewall
(WAF)Wappalyzer, 79Wayback Machine, 326
Waybackurls, 78web application firewall (WAF), 288
WAF bypass, 293web applications, 5web browser, 46web crawling, 71, 326web frameworks, 187Webhooks, 216web-hosting service, 223web page, 34Web Services Description Language
(WSDL), 358, 362web shell, 202web spidering, 62, 71Wfuzz, 370–371, 374–379
wget, 285, 329white-box testing, 336. See also black-
box testing, gray-box testingwhoami, 289whois, 65
reverse whois, 65whois.cymru.com, 67
Wikipedia, 63wildcard, 63, 101, 292, 297–299Windows 353WordPress, 7, 79, 280write-up, 28WSDL. See Web Services Description
Language (WSDL)
XXInclude Attacks, 251, 254XMind, 59XML. See Extensible Markup Language
(XML)XML bomb, 258. See also billion laughs
attackXML external entity (XXE), 247–260
blind XXE, 252classic XXE, 251
XMLHttpRequest, 128, 170XmlLint, 259X-Powered-By, 79, 324XSS, 111–129
blind XSS, 116, 125reflected XSS, 117, 343self-XSS, 119, 171stored XSS, 115
XSS filter, 126XSS Hunter, 125XSS polyglot, 124XSS protection, 126XXE. See XML external entity (XXE)
YYAML, 234, 338Ysoserial, 243
ZZAP. See Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP), 47, 72–73, 174,
362, 374zip command, 254zlib, 331