Nowadays, information security is a hot topic all over the news and the internet. We hear almost every day about web page defacement, data leaks of millions of user accounts and passwords or credit card numbers from websites, and identity theft on social networks. Terms such as cyberattack, cybercrime, hacker, and even cyberwar are becoming part of the daily lexicon in the media.
All this exposure to information security subjects and the very real need to protect both sensitive data and their reputations has made organizations more aware of the need to know where their systems are vulnerable, especially ones that are accessible to the world through the internet, how they could be attacked, and what the consequences would be in terms of information lost or systems being compromised if an attack were successful. Also, much more importantly, how to fix those vulnerabilities and minimize the risks.
The task of detecting vulnerabilities and discovering their impact on organizations can be addressed with penetration testing. A penetration test is an attack, or attacks, made by a trained security professional who uses the same techniques and tools real hackers use, to discover all of the possible weak spots in an organization's systems. Those weak spots are then exploited and the impact is measured. When the test is finished, the penetration tester reports all of their findings and suggests how future damage could be prevented.
In this book, we follow the whole path of a web application penetration test and, in the form of easy-to-follow, step-by-step recipes, show how the vulnerabilities in web applications and web servers can be discovered, exploited, and fixed.