Index.md - jlareaux/sec542-study-guide GitHub Wiki

SEC542 Index

Index of terms in the SEC542 course. This index is exhaustive and references over 99% of the pages in the course material.

Legend:

    ↓ Term
    ### AJAX
    • Overview - b *3*  p *130-140*
    • Introduction - b *4*  p *130*
    • Attack Surface - b *4*  p *138*
      ╰╴Context        ╰╴Book ╰╴Page(s)

The Overview and Introduction contexts have special meaning and always appear first in a term's list of references. All other references to a term follow them, sorted alphabetically by context.

Overview: the pages that reference a term. Introduction: the pages that cover a term's fundamental concepts.


Table of Contents


AJAX

  • Overview - b 3 p 130-140
  • Introduction - b 4 p 130
  • Attack Surface - b 4 p 138
  • Exploitation - b 4 p 140
  • Mapping - b 4 p 139
  • Mash-Ups - b 4 p 134
    • Mash-Up Proxy Features - b 4 p 136
    • Mash-Up Proxy Issues - b 4 p 137
  • Same Origin - b 4 p 135
  • XMLHttpRequest - b 4 p 131
    • Example - b 4 p 133
    • readyState - b 4 p 132

:top:

API Attacks

  • Overview - b 4 p 141-146

:top:

Authentication

  • Overview - b 2 p 133-153
  • Introduction - b 2 p 133
  • Forms-based Authentication - b 2 p 142
    • Attacker's Perspective of, - b 2 p 145
    • Illustrated - b 2 p 144
    • Pieces of, - b 2 p 143
  • HTTP Basic Authentication - b 2 p 134
    • Attacker's Perspective of, - b 2 p 136
    • Illustrated - b 2 p 135
  • HTTP Digest Authentication - b 2 p 137
    • Attacker's Perspective of, - b 2 p 139
    • Illustrated - b 2 p 138
  • Integrated Windows Authentication - b 2 p 140
    • Attacker's Perspective of, - b 2 p 141
  • OAuth - b 2 p 146
    • Attacker's Perspective of, - b 2 p 153
    • Example Requests - b 2 p 152
    • How OAuth Works - b 2 p 147-149
    • OAuth 1.0 - b 2 p 150
    • OAuth 2.0 - b 2 p 151

:top:

BBQSQL

  • Overview - b 3 p 152

:top:

BeEf

  • Overview - b 4 p 107-115
  • Introduction - b 4 p 107
  • Browser Exploitation - b 4 p 114
  • Functionality - b 4 p 110
  • History Browsing - b 4 p 111
  • Interface - b 4 p 108
  • Interprotocol Exploitation - b 4 p 115
  • Port Scanning - b 4 p 113
  • Request Initiation - b 4 p 112
  • Zombie Control - b 4 p 109

:top:

Burp

  • Overview - b 1 p 38-51
  • Introduction - b 1 p 38-39
  • Automated Spidering - b 2 p 62
  • Components - b 1 p 39
    • Comparer - b 1 p 51
    • Decoder - b 1 p 50
    • Intruder - b 1 p 47
      • Fuzzing - b 2 p 94
      • Reflection Tests - b 4 p 64
    • Repeater - b 1 p 48
    • Sequencer - b 1 p 49
      • Session Analysis - b 3 p 20
    • Spider - b 1 p 46
  • Proxy - b 1 p 43
    • Options - b 1 p 44
  • Scope - b 1 p 42
  • Target - b 1 p 40
    • Filtering - b 1 p 41
  • Web Interface - b 1 p 45
  • Index: sqlmap > Riding ZAP/Burp Sessions

:top:

Bypass Flaws

  • Authentication Bypass - b 3 p 25
  • Bypass Methods - b 3 p 26

:top:

CeWL

  • Overview - b 2 p 64

:top:

Command Injection

:top:

Cross-Site Request Forgery

:top:

Cross-Site Scripting

:top:

CSRF

  • Overview - b 5 p 6-13
  • Introduction - b 5 p 7-10
  • Attacking CSRF - b 5 p 12
  • Detecting CSRF - b 5 p 11
  • Index: ZAP > CSRF Test Forms

:top:

Data Attacks

  • Overview - b 4 p 148-154
  • Index: JSON

:top:

dig

  • Overview - b 1 p 62-63

:top:

Directory Browsing

  • Overview - b 2 p 111-114
  • Introduction - b 2 p 111
  • Automated Discovery of, - b 2 p 114
  • Google Searching for, - b 2 p 112

:top:

Directory Traversal

:top:

Document Object Model

:top:

DNS

  • Overview - b 1 p 55-60
  • Introduction - b 1 p 55
  • Brute Force Scans - b 1 p 59
  • Reconnaissance Tools - b 1 p 60
  • Reverse DNS Scan - b 1 p 58
  • Zone Transfers - b 1 p 56-57

:top:

DNSRecon

  • Overview - b 1 p 65-66

:top:

DOM

  • Overview - b 4 p 17-22
  • Interacting with Cookies - b 4 p 22

:top:

Drupal

  • Overview - b 5 p 112-116
  • Drupalgeddon - b 5 p 113-115

:top:

Exercises

  • AJAX XSS - b 4 p 155-173
  • Authentication - b 2 p 154-173
  • Authentication Bypass - b 2 p 27-32
  • BeEf - b 4 p 116-128
  • Burp Fuzzing - b 2 p 97-106
  • Command Injection - b 2 p 45-55
  • CSRF - b 2 p 14-25
  • Directory Browsing - b 2 p 115-131
  • DNS Harvesting - b 1 p 68-77
  • Error-Based SQLi - b 2 p 118-127
  • Examining HTTP Requests and Responses - b 1 p 133-141
  • Exploiting Heartbleed - b 1 p 164-173
  • Gathering Server Info - b 2 p 15-18
  • HTML Injection - b 4 p 75-95
  • JavaScript - b 4 p 23-31
  • Local/Remote File Inclusion - b 2 p 65-77
  • Metasploit - b 2 p 117-125
  • Mobile MITM - b 2 p 30-45
  • Python - b 2 p 58-64
  • Reflective XSS - b 4 p 48-53
  • Shellshock - b 2 p 38-49
  • Spidering - b 2 p 65-75
  • sqlmap + ZAP - b 2 p 167-182
  • Testing HTTPS - b 1 p 153-157
  • Username Harvesting - b 2 p 184-201
  • w3af - b 2 p 93-100
  • When Tools Fail - b 2 p 133-144
  • WPScan - b 2 p 68-78
  • ZAP Forced Browse - b 2 p 82-89

:top:

Fiddler

  • Overview - b 1 p 33-34

:top:

File Inclusion

  • Overview - b 3 p 57-64
  • Building Blocks - b 3 p 64

:top:

FOCA

  • Overview - b 1 p 90-92

:top:

FuzzDB

  • Introduction - b 2 p 93
  • XSS POC Payloads - b 4 p 74

:top:

Fuzzing

  • Overview - b 2 p 91-96
  • Index: FuzzDB
  • Index: Burp > Components > Intruder > Fuzzing

:top:

Heartbleed

  • Overview - b 1 p 159-163
  • Exploit Output - b 1 p 162

:top:

HTTP

  • Attacker's Perspective of HTTP - b 1 p 132
  • Methods - b 1 p 119-124
    • CONNECT - b 1 p 123
    • GET/HEAD/POST - b 1 p 121
    • PUT/DELETE - b 1 p 124
    • TRACE/OPTIONS - b 1 p 122
    • Request Methods - b 1 p 120
      • Supported Methods - b 2 p 23
        • Index: Netcat > Determine Supported HTTP Request Methods
  • Protocol - b 1 p 105-118
    • Example HTTP 1.1 Request - b 1 p 114
    • Example HTTP 1.1 Response - b 1 p 116
    • History - b 1 p 106-108
    • HTTP/0.9 - b 1 p 109
    • HTTP/1.0 - b 1 p 110
    • HTTP/1.1 - b 1 p 111
    • HTTP/2 - b 1 p 112-113
  • Status Codes - b 1 p 125-127

:top:

HTTPS

  • Attacker's Perspective of HTTPS - b 1 p 145
  • Certificate Trusts - b 1 p 144
  • Encrypting HTTP in Transit - b 1 p 143
  • Testing for Weak Ciphers - b 1 p 146-152
    • Analyzing Targets - b 1 p 148
    • Evaluating Targets - b 1 p 152
    • Index: Nmap
    • Index: OpenSSL
    • Index: Qualys

:top:

Information Leakage

  • Overview - b 2 p 108-114
  • Introduction - b 2 p 109
  • Searching for CVEs - b 2 p 113
  • Types of, - b 2 p 110
  • Index: Directory Browsing

:top:

Interception Proxies

  • Overview - b 1 p 30-51
  • Introduction - b 1 p 30-32
  • Index: Burp
  • Index: Fiddler
  • Index: ZAP

:top:

JavaScript

  • Overview - b 4 p 5-15

:top:

JSON

  • Overview - b 4 p 150-151

:top:

Logic Attacks

  • Overview - b 5 p 27-29

:top:

Maltego

  • Overview - b 1 p 94-96
  • Index: Recon-ng

:top:

Metasploit

  • Overview - b 5 p 102-116
  • Introduction - b 5 p 102
  • Exploiting Drupalgeddon - b 5 p 116
    • Index: Drupal > Drupalgeddon
  • Integrations - b 5 p 107
    • BeEf + Metasploit - b 5 p 108-109
    • Sqlmap <-> Metasploit - b 5 p 110
  • Modules
    • DNS - b 1 p 67
    • WMAP - b 5 p 106
  • Index:ding the Database - b 5 p 104
    • db_import - b 5 p 105
  • Using Known Vulnerabilities - b 5 p 111
  • Web Testing - b 5 p 103

:top:

Mutillidae

  • Overview - b 3 p 34-39

:top:

Netcat

  • Determine Supported HTTP Request Methods - b 2 p 24
  • Grabbing Server Connection Strings - b 2 p 11
    • Server Version - b 2 p 12

:top:

Netcraft

  • Overview - b 2 p 13-14

:top:

Nikto

  • Overview - b 2 p 26

:top:

Nmap

  • Introduction - b 2 p 10
  • Analyzing HTTPS Support - b 1 p 150
  • NSE Scripts
    • DNS - b 1 p 64
  • Port Scanner - b 2 p 6
    • Example - b 2 p 7

:top:

NsLookup

  • Introduction - b 1 p 61

:top:

Open Source Information

:top:

OpenSSL

  • Scripting - b 1 p 149

:top:

OTG

  • Penetration Testing - b 1 p 21
  • Tests
    • OTG-CONFIG-004: Review Unreferenced Files for Sensitive Information - b 2 p 108
    • OTG-CONFIG-006: Test HTTP Methods - b 2 p 21
    • OTG-CRYPST-001: Testing for Weak SSL/TLS Ciphers - b 1 p 147
    • OTG-IDENT-004: Testing for Account Enumeration - b 2 p 175
    • OTG-INFO-002: Fingerprint Web Server - b 2 p 20
    • OTG-INFO-005: Review Webpage Comments and Metadata for Information Leakage - b 2 p 51
    • OTG-INFO-006: Identify Application Entry Points - b 2 p 51
    • OTG-INFO-007: Map Execution Paths Through Application - b 2 p 51
    • OTG-INFO-008: Fingerprint Web Application Framework - b 2 p 51
    • OTG-INFO-009: Fingerprint Web Application - b 2 p 51
    • OTG-INFO-010: Map Application Architecture - b 2 p 51
    • OTG-INPVAL-012: Testing for Code Injection: LFI/RFI - b 3 p 57
    • OTG-INPVAL-013: Testing for Command Injection - b 3 p 41
    • OTG-SESS-005: Test for Cross-Site Request Forgery - b 5 p 6
  • Testing Categories - b 1 p 22

:top:

OWASP Testing Guide

:top:

PTR Record/Scan

  • Index: DNS > Reverse DNS Scan

:top:

Python

  • Overview - b 5 p 49-57
  • Introduction - b 5 p 49
    • Accessing Files - b 5 p 57
    • Comments and Code Blocks - b 5 p 51
    • Functions - b 5 p 54
    • If Statement - b 5 p 52
    • Looping Structures - b 5 p 53
    • Making HTTP Requests - b 5 p 56
    • Standard Library - b 5 p 55
    • Variables - b 5 p 50
    • Why Python? - b 5 p 48

:top:

Qualys

  • Introduction - b 1 p 151

:top:

Query String Formats

  • Introduction - b 1 p 118

:top:

Recon-ng

  • Overview - b 1 p 97-104
  • Introduction - b 1 p 97
  • Modules - b 1 p 98
    • Contacts - b 1 p 101
    • Credentials - b 1 p 102
    • Recon - b 1 p 100
    • Sample for Geo-Location - b 1 p 104
    • Sample for Hosts - b 1 p 103
  • Show Module Info - b 1 p 99
  • Index: Maltego

:top:

Reporting

  • Overview - b 5 p 163-170

:top:

Robots

  • Robot Control - b 2 p 54

:top:

Search Engines

  • Introduction - b 1 p 80
  • Google
    • Automating Searches - b 1 p 84
    • Hacking - b 1 p 83
  • Search Directives - b 1 p 81
  • Search Modifiers - b 1 p 82

:top:

Server

  • Default Pages - b 2 p 2
  • Profiling - b 2 p 8
  • Software Configuration - b 2 p 22
  • Version - b 2 p 9

:top:

Sessions

  • Fixation - b 3 p 14-23
    • Index: Burp > Components > Sequencer > Session Analysis
  • Tracking - b 3 p 5-12

:top:

Shellshock

  • Overview - b 2 p 28-37
  • Introduction - b 2 p 30
  • Payloads - b 2 p 33
  • Index: Command Injection

:top:

Shodan

  • Overview - b 1 p 86-89
  • Searching - b 1 p 89

:top:

Spidering

  • Overview - b 2 p 51-64
  • Analyzing Results - b 2 p 76-81
  • Automated Spidering
  • Methods - b 2 p 53
  • Specialized Tools
  • Index: Robots

:top:

SQL

  • Data Types - b 3 p 84
  • Query Modifiers - b 3 p 83
  • Special Characters - b 3 p 85
  • Verbs - b 3 p 82

:top:

SQL Injection

  • Overview - b 3 p 79-81
  • Introduction - b 3 p 79-81
  • Discovering - b 3 p 97-117
    • Binary/Boolean Interface Injection - b 3 p 113
    • Blind Timing Interfaces - b 3 p 115
    • Equivalent String Injections - b 3 p 110
    • Increasing Blindness - b 3 p 114
    • Inject For Comment - b 3 p 111-112
    • Input Locations - b 3 p 98
    • Without DB Errors - b 3 p 109
  • Examples - b 3 p 86-91
  • Exploiting - b 3 p 129-149
    • Databases/Tables/Columns - b 3 p 131
    • DB Fingerprinting - b 3 p 129
    • (Meta)Database Info - b 3 p 130
    • Stacked Queries - b 3 p 133-135
    • UNIONizing - b 3 p 137-138
      • Using NULL - b 3 p 141
      • Data Types - b 3 p 142
    • Blind Boolean Inference Exfiltration - b 3 p 145
  • Methodology - b 3 p 92-95
  • Tools - b 3 p 151-166

:top:

sqlmap

  • Overview - b 3 p 153-166
  • Introduction - b 3 p 153-156
  • Auth/Sessions/Proxies - b 3 p 158
  • Beyond DB Data Exfil - b 3 p 165-166
  • DB Data Exfil - b 3 p 164
  • DB Enumeration - b 3 p 163
  • HTTP Headers - b 3 p 162
  • Initial Targeting - b 3 p 157
  • Proxies and Active Sessions - b 3 p 159
  • Riding ZAP/Burp Sessions - b 3 p 160-161
  • Index: Metasploit > Integrations > Sqlmap <-> Metasploit

:top:

SSL/TLS

:top:

theHarvester

  • Introduction - b 1 p 93

:top:

Tools

  • When Tools Fail - b 5 p 127-132

:top:

URI

  • Introduction - b 1 p 117

:top:

w3af

  • Overview - b 5 p 80-92
  • Introduction - b 5 p 80
  • Console - b 5 p 82
  • Exploitation - b 5 p 92
  • GUI - b 5 p 81
  • Plugins - b 5 p 84
    • Audit - b 5 p 87
    • Brute Force - b 5 p 89
    • Crawling - b 5 p 85
    • Evasion - b 5 p 86
    • Grep - b 5 p 88
  • Running w3af - b 5 p 90
    • Results - b 5 p 91
  • Scripting - b 5 p 83

:top:

Wget

  • Automated Spidering - b 2 p 63

:top:

User-Agent

  • Introduction - b 1 p 115

:top:

Username Harvesting

  • Introduction - b 2 p 176
  • Authentication Pages - b 2 p 177
    • Results to Look for - b 2 p 178
  • Side Channel Attacks - b 2 p 179
    • Practical Attacks - b 2 p 180
    • Timing Attacks - b 2 p 181
      • Practical Attacks - b 2 p 183
  • Slow Hashing - b 2 p 182

:top:

Web

  • Understanding the Web - b 1 p 12-15
    • Introduction - b 1 p 12
    • Characteristics of a Solid Methodology - b 1 p 13
    • Knowledge of Tools - b 1 p 14
  • Why the Web - b 1 p 6-10
    • Introduction - b 1 p 6
    • Cloud Based Applications - b 1 p 10
    • Current Security Testing Is Often Limited - b 1 p 8
    • Increased Functionality with Web 2.0 - b 1 p 9
    • The Tangled Web - b 1 p 7
  • Index: HTTP

:top:

Web App Pen Testing

  • Creating Custom Scripts - b 5 p 47
  • Methods - b 5 p 146-152
    • Automated - b 5 p 151
    • Black Box - b 5 p 146
    • Grey Box - b 5 p 148
    • Hybrid - b 5 p 152
    • Manual - b 5 p 150
    • Manual vs. Automated - b 5 p 149
    • White Box - b 5 p 147
  • Preparation - b 5 p 154-161
    • Communications Planning - b 5 p 161
    • Establishing the Test Scope - b 5 p 156
    • Gathering Required Information - b 5 p 157
    • Identifying Tester Traffic and Data in the App - b 5 p 159
    • Managing a Test - b 5 p 155
    • Permission to Test - b 1 p 15
    • Rules of Engagement - b 5 p 158
    • Test Preparation - b 5 p 154
    • Testing Time Windows - b 5 p 160
  • Toolkit
    • Introduction - b 1 p 24
    • Attack Platform - b 1 p 25-26
    • Web Application Security Scanner - b 1 p 27
    • Browsers - b 1 p 28

:top:

Wappalyzer

  • Introduction - b 2 p 57
  • Browser Extension - b 2 p 58
  • Index: ZAP > Wappalyzer

:top:

WebSocket

  • Introduction - b 1 p 129
  • Implementation - b 1 p 130
  • Tools - b 1 p 131

:top:

WHOIS

  • Protocol - b 1 p 53
  • Client Output - b 1 p 54

:top:

WPScan

  • Introduction - b 5 p 66-67

:top:

XSS

  • Introduction - b 4 p 33-47
    • Parts of an XSS Attack - b 4 p 34
    • Same Origin Policy - b 4 p 35
    • Why Same Origin Policy? - b 4 p 36
    • Enforcing the Same Origin Policy - b 4 p 37
    • Discovering XSS - b 4 p 38
    • XSS and Parameters - b 4 p 39
    • Filtering - b 4 p 40-41
    • Types of XSS - b 4 p 42-47
  • Exploitation - b 4 p 96-105
    • Cookie Catcher - b 4 p 100
    • Evasion - b 4 p 103-105
    • External Scripts - b 4 p 102
    • GET -> POST XSS Flaws - b 4 p 97
    • Reading Cookies - b 4 p 99
    • Redirecting a User - b 4 p 101
  • Fuzzing - b 4 p 63-74
    • Introduction - b 4 p 63
    • Browser False Positives - b 4 p 71-72
    • Burp Intruder: Reflection Tests - b 4 p 64
      • Battering Ram - b 4 p 65
      • Grep: Payloads - b 4 p 66
      • Initial Reflection Test Results - b 4 p 67
      • Follow-Up Sniper Attack - b 4 p 68
    • Bypassing Browser Filters - b 4 p 73
    • Filter Bypass/Evasion - b 4 p 70
    • Filter Tests - b 4 p 69
    • XSS POC Payloads - b 4 p 74
  • Tools - b 4 p 55-61
  • Index: Interception Proxies

:top:

XSScrapy

  • Introduction - b 4 p 61

:top:

XSSer

  • Introduction - b 4 p 59-60

:top:

xsssniper

  • Introduction - b 4 p 57-58

:top:

ZAP

  • Introduction - b 1 p 35
  • Attack Menu - b 1 p 37
  • Automated Spidering - b 2 p 55-56
  • CSRF Test Forms - b 5 p 13
  • Forced Browse - b 2 p 61
  • Interface - b 1 p 36
  • Wappalyzer - b 2 p 59
    • Technology Detection Extension - b 2 p 60
  • Index: sqlmap > Riding ZAP/Burp Sessions

:top:
