Chapter 9
Exploiting Application Vulnerabilities
THE COMPTIA PENTEST+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:
Domain 3: Attacks and Exploits
- 3.4 Given a scenario, exploit application-based vulnerabilities.
  - Injections
    - SQL
    - HTML
    - Command
    - Code
  - Authentication
    - Credential brute forcing
    - Session hijacking
    - Redirect
    - Default credentials
    - Weak credentials
    - Kerberos exploits
  - Authorization
    - Parameter pollution
    - Insecure direct object references
  - Cross-site scripting (XSS)
    - Stored/persistent
    - Reflected
    - DOM
  - Cross-site request forgery (CSRF/XSRF)
  - Clickjacking
  - Security misconfiguration
    - Directory traversal
    - Cookie manipulation
  - File inclusion
    - Local
    - Remote
  - Unsecure code practices
    - Comments in source code
    - Lack of error handling
      - Overly verbose error handling
    - Hard-coded credentials
    - Race conditions
    - Unauthorized use of functions/unprotected APIs
    - Hidden elements
      - Sensitive information in the DOM
    - Lack of code signing
Domain 4: Penetration Testing Tools
- 4.2 Compare and contrast...