Book Image

Hands-On Application Penetration Testing with Burp Suite

By : Carlos A. Lozano, Dhruv Shah, Riyaz Ahemed Walikar
Book Image

Hands-On Application Penetration Testing with Burp Suite

By: Carlos A. Lozano, Dhruv Shah, Riyaz Ahemed Walikar

Overview of this book

Burp suite is a set of graphic tools focused towards penetration testing of web applications. Burp suite is widely used for web penetration testing by many security professionals for performing different web-level security tasks. The book starts by setting up the environment to begin an application penetration test. You will be able to configure the client and apply target whitelisting. You will also learn to setup and configure Android and IOS devices to work with Burp Suite. The book will explain how various features of Burp Suite can be used to detect various vulnerabilities as part of an application penetration test. Once detection is completed and the vulnerability is confirmed, you will be able to exploit a detected vulnerability using Burp Suite. The book will also covers advanced concepts like writing extensions and macros for Burp suite. Finally, you will discover various steps that are taken to identify the target, discover weaknesses in the authentication mechanism, and finally break the authentication implementation to gain access to the administrative console of the application. By the end of this book, you will be able to effectively perform end-to-end penetration testing with Burp Suite.

Related Content you might be interested in

Current Title:

Small book image
Hands-On Application Penetration Testing with Burp Suite
Carlos A. Lozano | Dhruv Shah | Riyaz Ahemed Walikar
Feb, 2019 | 366 pages
Small book image
Bug Bounty Hunting Essentials
Carlos A Lozano | M Shahmeer Amir
Nov, 2018 | 270 pages
Small book image
Burp Suite Cookbook
Dr Sunny Wear
Oct, 2023 | 450 pages
Small book image
Burp Suite Cookbook.
Dr Sunny Wear
Sep, 2018 | 358 pages
Table of Contents (19 chapters)
Title Page
Title Page
Copyright and Credits
Copyright and Credits
Contributors
Contributors
About Packt
About Packt
Preface
Preface
Free Chapter
1
Configuring Burp Suite
Configuring Burp Suite
Getting to know Burp Suite
Setting up proxy listeners
Managing multiple proxy listeners
Working with non-proxy-aware clients
Creating target scopes in Burp Suite
Working with target exclusions
Quick settings before beginning
Summary
2
Configuring the Client and Setting Up Mobile Devices
Configuring the Client and Setting Up Mobile Devices
Setting up Firefox to work with Burp Suite (HTTP and HTTPS)
Setting up Chrome to work with Burp Suite (HTTP and HTTPS)
Setting up Internet Explorer to work with Burp Suite (HTTP and HTTPS)
Additional browser add-ons that can be used to manage proxy settings
Setting system-wide proxy for non-proxy-aware clients
Setting up Android to work with Burp Suite
Setting up iOS to work with Burp Suite
Summary
3
Executing an Application Penetration Test
Executing an Application Penetration Test
Differences between a bug bounty and a client-initiated pentest
Initiating a penetration test
Why Burp Suite? Let's cover some groundwork!
Why Burp Suite Scanner?
Summary
4
Exploring the Stages of an Application Penetration Test
Exploring the Stages of an Application Penetration Test
Stages of an application pentest
Getting to know Burp Suite better
Summary
5
Preparing for an Application Penetration Test
Preparing for an Application Penetration Test
Setup of vulnerable web applications
Reconnaissance and file discovery
Testing for authentication via Burp
Summary
6
Identifying Vulnerabilities Using Burp Suite
Identifying Vulnerabilities Using Burp Suite
Detecting SQL injection flaws
Detecting OS command injection
Detecting XSS vulnerabilities
Detecting XML-related issues, such as XXE
Detecting SSTI
Detecting SSRF
Summary
7
Detecting Vulnerabilities Using Burp Suite
Detecting Vulnerabilities Using Burp Suite
Detecting CSRF
Detecting Insecure Direct Object References
Detecting security misconfigurations
Detecting insecure deserialization
Detecting OAuth-related issues
Detecting broken authentication
Summary
8
Exploiting Vulnerabilities Using Burp Suite - Part 1
Exploiting Vulnerabilities Using Burp Suite - Part 1
Data exfiltration via a blind Boolean-based SQL injection
Executing OS commands using an SQL injection
Executing an out-of-band command injection
Stealing session credentials using XSS
Taking control of the user's browser using XSS
Extracting server files using XXE vulnerabilities
Performing out-of-data extraction using XXE and Burp Suite collaborator
Exploiting SSTI vulnerabilities to execute server commands
Summary
9
Exploiting Vulnerabilities Using Burp Suite - Part 2
Exploiting Vulnerabilities Using Burp Suite - Part 2
Using SSRF/XSPA to perform internal port scans
Using SSRF/XSPA to extract data from internal machines
Extracting data using Insecure Direct Object Reference (IDOR) flaws
Exploiting security misconfigurations
Using insecure deserialization to execute OS commands
Exploiting crypto vulnerabilities
Brute forcing HTTP basic authentication
Brute forcing forms
Bypassing file upload restrictions
Summary
10
Writing Burp Suite Extensions
Writing Burp Suite Extensions
Setting up the development environment
Writing a Burp Suite extension
Executing the extension
Summary
11
Breaking the Authentication for a Large Online Retailer
Breaking the Authentication for a Large Online Retailer
Remembering about authentication
Large online retailers
Performing information gathering
Summary
12
Exploiting and Exfiltrating Data from a Large Shipping Corporation
Exploiting and Exfiltrating Data from a Large Shipping Corporation
Discovering Blind SQL injection
Summary
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index
Index

Appendix 1. Other Books You May Enjoy

If you enjoyed this book, you may be interested in these other books by Packt:

Hands-On Penetration Testing with Python Furqan Khan

ISBN: 978-1-78899-082-0

  • Get to grips with Custom vulnerability scanner development
  • Familiarize yourself with web application scanning automation and exploit development
  • Walk through day-to-day cybersecurity scenarios that can be automated with Python
  • Discover enterprise-or organization-specific use cases and threat-hunting automation
  • Understand reverse engineering, fuzzing, buffer overflows , key-logger development, and exploit development for buffer overflows.
  • Understand web scraping in Python and use it for processing web responses
  • Explore Security Operations Centre (SOC) use cases
  • Get to understand Data Science, Python, and cybersecurity all under one hood

Web Penetration Testing with Kali Linux - Third EditionGilberto Najera-Gutierrez, Juned Ahmed Ansari

ISBN: 978-1-78862-337-7

  • Learn how to set up your lab with Kali Linux
  • Understand the core concepts of web penetration testing
  • Get to know the tools and techniques you need to use with Kali Linux
  • Identify the difference between hacking a web application and network hacking
  • Expose vulnerabilities present in web servers and their applications using server-side attacks
  • Understand the different techniques used to identify the flavor of web applications
  • See standard attacks such as exploiting cross-site request forgery and cross-site scripting flaws
  • Get an overview of the art of client-side attacks
  • Explore automated attacks such as fuzzing web applications
Previous Section
End of Section
Next Section