Our approach is made up of four phases that cover all the necessary tasks during
an attack.
1. Reconnaissance
2. Scanning
3. Exploitation
4. Fix
It’s appropriate to introduce and discuss how these vulnerabilities and attacks
can be mitigated, thus there is a fix phase to our approach. As a penetration tester
or ethical hacker, you will get several questions after the fact related to how
the discovered vulnerabilities can be fixed. Consider the inclusion of the fix
phase to be a resource to help answer those questions.
Our Targets
Our approach targets three separate, yet related attack vectors: the web server, the
web application, and the web user. For the purpose of this book, we will define
each of these attack vectors as follows:
1. Web server: the application running on an operating system that is hosting
the web application. We are NOT talking about traditional computer hardware
here, but rather the services running on open ports that allow a web
application to be reached by users’ internet browsers. The web server may be
vulnerable to network hacking attempts targeting these services in order to
gain unauthorized access to the web server’s file structure and system files.
2. Web application: the actual source code running on the web server that provides the functionality web users interact with. This is the most popular target for web hackers. The web application may be susceptible to a vast collection of attacks that attempt to perform unauthorized actions within the web application.
3. Web user: the internal users that manage the web application (administrators and programmers) and the external users (human clients or customers) of the web application are worthy targets of attacks. This is where cross-site scripting (XSS) or cross-site request forgery (CSRF) vulnerabilities in the web application rear their ugly heads. Technical social engineering attacks that target web users and rely on no existing web application vulnerabilities are also applicable here.
The vulnerabilities, exploits, and payloads are unique for each of these targets,
so unique tools and techniques are needed to efficiently attack each of them.
Our Tools
For every tool used in this book, there are probably five other tools that can do
the same job. (The same goes for methods, too.) We’ll emphasize the tools that
are the most applicable to beginner web hackers. We recommend these tools not
because they’re easy for beginners to use, but because they’re fundamental tools
that virtually every professional penetration tester uses on a regular basis. It’s
paramount that you learn to use them from the very first day. Some of the tools
that we’ll be using include:
■ Burp Suite, which includes a host of top-notch web hacking tools, is a must-have for any web hacker and it’s widely accepted as the #1 web hacking tool collection.
■ Zed Attack Proxy (ZAP) is similar to Burp Suite, but also includes a free vulnerability scanner that’s applicable to web applications.
■ Network hacking tools such as Nmap for port scanning, Nessus and Nikto for vulnerability scanning, and Metasploit for exploitation of the web server.
■ And other tools that fill a specific role such as sqlmap for SQL injection, John the Ripper (JtR) for offline password cracking, and the Social Engineering Toolkit (SET) for technical social engineering attacks against web users!