Outline.md - jlareaux/sec542-study-guide GitHub Wiki
SEC542 Outline
An outline of the SEC542 course. This outline is exhaustive and covers 100% of the course study material.
Legend:
Chapter (e.g. Why the Web)
- **Overview** - b *1* p *5-10*
- Why the Web - b *1* p *6*
Each entry reads: Section - b *Book* p *Page(s)*; the **Overview** line gives the page range of the whole chapter.
View the...
- Home page of the study guide.
- Appendix of concepts and methods in the SEC542 course.
- Cheatsheets for quick reference of the SEC542 course.
- Glossary of terms in the SEC542 course.
- Index of terms in the SEC542 course.
- Labs in the SEC542 course, abridged versions.
Table of Contents
- 542.1 Introduction and Information Gathering
- Why the Web
- Understanding the Web
- Course Logistics
- Web App Pen Tester's Toolkit
- Interception Proxies
- WHOIS and DNS
- Exercise: DNS Harvesting
- Open Source Information
- HTTP Protocol
- HTTP Methods
- HTTP Status Codes
- WebSocket
- Exercise: Examining HTTP Requests and Responses
- HTTPS
- Testing for Weak Ciphers
- Exercise: Testing HTTPS
- Heartbleed
- Exercise: Exploiting Heartbleed
- Demo: Burp Suite Introduction
- 542.2 Configuration, Identity and Authentication Testing
- Scanning with Nmap
- Exercise: Gathering Server Info
- Testing Software Configuration
- Shellshock
- Exercise: Shellshock
- Spidering Web Applications
- Exercise: Spidering
- Analyzing Spidering Results
- Exercise: ZAP Forced Browse
- Fuzzing
- Exercise: Burp Fuzzing
- Information Leakage
- Exercise: Directory Browsing
- Authentication
- Exercise: Authentication
- Username Harvesting
- Exercise: Username Harvesting
- 542.3 Injection
- Session Tracking
- Session Fixation
- Bypass Flaws
- Exercise: Authentication Bypass
- Vulnerable Web Apps: Mutillidae
- Command Injection
- Exercise: Command Injection
- File Inclusion and Directory Traversal
- Exercise: Local/Remote File Inclusion
- SQL Injection Primer
- Discovering SQLi
- Exercise: Error-Based SQLi
- Exploiting SQLi
- SQLi Tools
- Exercise: sqlmap + ZAP
- 542.4 JavaScript and XSS
- JavaScript
- Document Object Model (DOM)
- Exercise: JavaScript
- Cross-Site Scripting
- Exercise: Reflective XSS
- XSS Tools
- XSS Fuzzing
- Exercise: HTML Injection
- XSS Exploitation
- BeEF
- Exercise: BeEF
- AJAX
- API Attacks
- Data Attacks
- Exercise: AJAX XSS
- 542.5 CSRF, Logic Flaws and Advanced Tools
- Cross-Site Request Forgery
- Exercise: CSRF
- Logic Attacks
- Exercise: Mobile MITM
- Python for Web App Pen Testers
- Exercise: Python
- WPScan
- Exercise: WPScan
- w3af
- Exercise: w3af
- Metasploit
- Exercise: Metasploit
- When Tools Fail
- Exercise: When Tools Fail
- Web App Pen Testing Methods
- Web App Pen Test Preparation
- Reporting and Presenting
542.1 Introduction and Information Gathering
Why the Web
- Overview - b 1 p 5-10
- Why the Web - b 1 p 6
- The Tangled Web - b 1 p 7
- Current Web App Security Testing Is Often Limited - b 1 p 8
- Increased Functionality with Web 2.0 - b 1 p 9
- Cloud-Based Applications - b 1 p 10
Understanding the Web
- Overview - b 1 p 11-15
- Understanding the Web - b 1 p 12
- Characteristics of a Solid Web App Pen Testing Methodology - b 1 p 13
- Knowledge of Tools - b 1 p 14
- Permission to Test - b 1 p 15
Course Logistics
- Overview - b 1 p 16-22
- Laptop Requirements - b 1 p 17
- Lab Set Up - b 1 p 18
- Log In - b 1 p 19
- Links and QR Codes - b 1 p 20
- OWASP Testing Guide - b 1 p 21
- OTG: Testing Categories - b 1 p 22
Web App Pen Tester's Toolkit
- Overview - b 1 p 23-28
- Web Application Pen Tester's Toolkit - b 1 p 24
- Attack Platform - b 1 p 25-26
- Web Application Security Scanner - b 1 p 27
- Browsers - b 1 p 28
Interception Proxies
- Overview - b 1 p 29-51
- Interception Proxies - b 1 p 30
- Interception Tools - b 1 p 31
- Setting up Interception Methods - b 1 p 32
- Fiddler - b 1 p 33-34
- OWASP Zed Attack Proxy (ZAP) - b 1 p 35
- The ZAP Interface - b 1 p 36
- ZAP's Attack Menu - b 1 p 37
- Burp Suite - b 1 p 38
- Burp Suite Components - b 1 p 39
- Burp Target - b 1 p 40
- Filtering - b 1 p 41
- Scope - b 1 p 42
- Burp Proxy - b 1 p 43
- Proxy Options - b 1 p 44
- Web Interface - b 1 p 45
- Burp Spider - b 1 p 46
- Burp Intruder - b 1 p 47
- Burp Repeater - b 1 p 48
- Burp Sequencer - b 1 p 49
- Burp Decoder - b 1 p 50
- Burp Comparer - b 1 p 51
WHOIS and DNS
- Overview - b 1 p 52-67
- WHOIS Protocol - b 1 p 53
- WHOIS Client Output - b 1 p 54
- DNS - b 1 p 55
- DNS Zone Transfers - b 1 p 56
- When Zone Transfers Aren't Available - b 1 p 57
- Reverse DNS Scan - b 1 p 58
- DNS Brute Force Scans - b 1 p 59
- Useful DNS Reconnaissance Tools - b 1 p 60
- nslookup - b 1 p 61
- dig - b 1 p 62
- dig Syntax - b 1 p 63
- Nmap DNS NSE Scripts - b 1 p 64
- DNSRecon - b 1 p 65
- DNSRecon Output - b 1 p 66
- Metasploit - b 1 p 67
Exercise: DNS Harvesting
- Overview - b 1 p 69-77
- DNS Harvesting Exercise - b 1 p 69
- DNS Recon Lab: No Hints - b 1 p 70
- dig - b 1 p 71
- Zone Transfer - b 1 p 72
- DNS Brute Force - b 1 p 73
- Let's try dnsrecon.py - b 1 p 74
- Interesting CNAMEs - b 1 p 75
- Finally: Perform a Reverse (PTR) Scan - b 1 p 76
- Why Metasploit - b 1 p 77
Open Source Information
- Overview - b 1 p 78-104
- Open Source Information - b 1 p 79
- Search Engines - b 1 p 80
- Search Directives - b 1 p 81
- Modifiers to Focus Searches - b 1 p 82
- Google Hacking - b 1 p 83
- Automating Google Searches - b 1 p 84
- Social Networks - b 1 p 85
- Shodan - b 1 p 86
- Shodan SCADA Example: "Allen-Bradley 1763" - b 1 p 87
- Micrologix 1100 Embedded Web Server - b 1 p 88
- Searching Shodan for Pentesters - b 1 p 89
- FOCA - b 1 p 90
- FOCA Metadata - b 1 p 91
- FOCA Example: Users - b 1 p 92
- theHarvester - b 1 p 93
- Maltego - b 1 p 94-95
- Limitation of Maltego Community Edition - b 1 p 96
- Recon-ng - b 1 p 97
- Recon-ng: Recon-ng Modules - b 1 p 98
- show info - b 1 p 99
- Recon-ng: Recon Modules - b 1 p 100
- Recon-ng: Modules for Contacts - b 1 p 101
- Recon-ng: Modules for Creds - b 1 p 102
- Recon-ng Sample Modules for Hosts - b 1 p 103
- Recon-ng Sample Modules for Geo-Location - b 1 p 104
HTTP Protocol
- Overview - b 1 p 105-118
- In the Beginning - b 1 p 106
- Set the Wayback Machine to 1989 - b 1 p 107
- The Web, v1 - b 1 p 108
- HTTP/0.9 - b 1 p 109
- HTTP/1.0 - b 1 p 110
- HTTP/1.1 - b 1 p 111
- HTTP/2 - b 1 p 112-113
- Example HTTP 1.1 Request - b 1 p 114
- User-Agent - b 1 p 115
- Example HTTP 1.1 Response - b 1 p 116
- Uniform Resource Identifiers (URIs) - b 1 p 117
- Query String Formats - b 1 p 118
HTTP Methods
- Overview - b 1 p 119-124
- HTTP Request Methods - b 1 p 120
- GET/HEAD/POST Methods - b 1 p 121
- TRACE/OPTIONS Methods - b 1 p 122
- CONNECT Method - b 1 p 123
- PUT/DELETE Methods - b 1 p 124
HTTP Status Codes
- Overview - b 1 p 125-127
WebSocket
- Overview - b 1 p 128-132
- WebSocket - b 1 p 129
- WebSocket Implementation - b 1 p 130
- WebSocket Tools - b 1 p 131
- Attacker's Perspective of HTTP - b 1 p 132
Exercise: Examining HTTP Requests and Responses
- Overview - b 1 p 133-141
- Exercise Setup: Examining HTTP Requests and Responses Exercise - b 1 p 134
- Examining HTTP Requests and Responses Exercise - b 1 p 135-141
HTTPS
- Overview - b 1 p 142-145
- Encrypting HTTP in Transit - b 1 p 143
- Certificate Trusts - b 1 p 144
- Attacker's Perspective - b 1 p 145
Testing for Weak Ciphers
- Overview - b 1 p 146-152
- OTG-CRYPST-001: Testing for Weak SSL/TLS Ciphers - b 1 p 147
- Analyzing HTTPS Support of Target Machines - b 1 p 148
- Scripting OpenSSL - b 1 p 149
- Using nmap to Evaluate HTTPS Support - b 1 p 150
- Qualys SSL Labs - b 1 p 151
- Evaluating HTTPS Support on Targets - b 1 p 152
Exercise: Testing HTTPS
- Overview - b 1 p 153-157
- Testing HTTPS Exercise - b 1 p 154
- Test https://www.sec542.org - b 1 p 155
- Test https://heart.bleed - b 1 p 156
- Find the weak cipher - b 1 p 157
Heartbleed
- Overview - b 1 p 158-163
- Heartbleed - b 1 p 159
- Effect of the Vulnerability - b 1 p 160
- The CloudFlare Challenge - b 1 p 161
- Heartbleed Exploit Output - b 1 p 162
- CHS Heartbleed Compromise - b 1 p 163
Exercise: Exploiting Heartbleed
- Overview - b 1 p 164-173
- Heartbleed Exercise - b 1 p 165
- Open a terminal - b 1 p 166
- ssl-heartbleed.nse sec542.org - b 1 p 167
- ssl-heartbleed.nse heart.bleed - b 1 p 168
- Browse to https://heart.bleed - b 1 p 169
- Enter a Username and Password - b 1 p 170
- Run heartbleed.py - b 1 p 171
- Enter a different Username and Password - b 1 p 172
- First Username and Password Revealed - b 1 p 173
Demo: Burp Suite Introduction
- Overview - b 1 p 174-176
- Burp Suite Demo - b 1 p 175
- Burp vs Snake - b 1 p 176
542.2 Configuration, Identity and Authentication Testing
Scanning with Nmap
- Overview - b 2 p 5-14
- Nmap Port Scanner - b 2 p 6
- Nmap Example - b 2 p 7
- Server Profiling - b 2 p 8
- Server Version - b 2 p 9
- Nmap - b 2 p 10
- Using Netcat to Grab Server Connection Strings - b 2 p 11
- Netcat Server Version - b 2 p 12
- Netcraft Detection - b 2 p 13
- Netcraft Example - b 2 p 14
Exercise: Gathering Server Info
- Overview - b 2 p 15-18
- Gathering Server Info Exercise - b 2 p 16
- Gathering Server Info: Running Netcat - b 2 p 17
- Gathering Server Info: Running Nmap - b 2 p 18
Testing Software Configuration
- Overview - b 2 p 19-26
- OTG-INFO-002: Fingerprint Web Server - b 2 p 20
- OTG-CONFIG-006: Test HTTP Methods - b 2 p 21
- Software Configuration - b 2 p 22
- Supported HTTP Request Methods - b 2 p 23
- Using Netcat to Determine Supported HTTP Request Methods - b 2 p 24
- Default Pages - b 2 p 25
- Nikto - b 2 p 26
Shellshock
- Overview - b 2 p 27-37
- Software Configuration Flaws - b 2 p 28
- Configuration Flaws Gone Wild - b 2 p 29
- Shellshock - b 2 p 30
- Shellshocking - b 2 p 31
- Shellshock and the Web? - b 2 p 32
- Shellshock Payloads - b 2 p 33
- Injection Explained - b 2 p 34-35
- Execution and Impact - b 2 p 36
- Shellshocked HTTP Visualized - b 2 p 37
Exercise: Shellshock
- Overview - b 2 p 38-49
- View the cgi-bin Source Code - b 2 p 40
- Shellshock: Running Burp - b 2 p 41
- Set Burp Intercept - b 2 p 42
- The Intercepted Request - b 2 p 43
- Change the User-Agent - b 2 p 44
- /etc/passwd Displayed in the Browser - b 2 p 45
- Let's Run /usr/bin/id - b 2 p 46
- Let's Use curl - b 2 p 47
- /usr/bin/id via curl - b 2 p 48
- Final Step - b 2 p 49
Spidering Web Applications
- Overview - b 2 p 50-64
- Application Information Gathering: Spidering - b 2 p 51
- Spidering the Target Site - b 2 p 52
- Spidering Methods - b 2 p 53
- Robot Control - b 2 p 54
- Automated Spidering with ZAP - b 2 p 55-56
- Wappalyzer - b 2 p 57
- Wappalyzer + Browsers - b 2 p 58
- ZAP + Wappalyzer - b 2 p 59
- ZAP: Technology Detection - b 2 p 60
- ZAP Forced Browse - b 2 p 61
- Automated Spidering with the Burp Suite - b 2 p 62
- Automated Spidering with Wget - b 2 p 63
- Specialized Spidering Tools - b 2 p 64
Exercise: Spidering
- Overview - b 2 p 65-75
- Web Spidering Exercise - b 2 p 66
- Web Spidering: Running Wget - b 2 p 67
- Web Spidering: Running ZAP - b 2 p 68
- Web Spidering: Configure Firefox - b 2 p 69
- Web Spidering: ZAP Spidering - b 2 p 70
- Web Spidering: Running Burp - b 2 p 71
- Web Spidering: Spider the Site with Burp - b 2 p 72
- Web Spidering: Examine Results - b 2 p 73
- Web Spidering: Running CeWL - b 2 p 74
- Web Spidering: Final Step - b 2 p 75
Analyzing Spidering Results
- Overview - b 2 p 76-81
- Analyzing Spidering Results: What to Look for - b 2 p 77
- HTML Comments - b 2 p 78
- Disabled Functionality - b 2 p 79
- Types of Disabled Functionality - b 2 p 80-81
Exercise: ZAP Forced Browse
- Overview - b 2 p 82-89
- Launch ZAP - b 2 p 83
- Configure Firefox - b 2 p 84
- ZAP Forced Browse Exercise - b 2 p 85
- ZAP Forced Browse Exercise: No Hints - b 2 p 86
- Begin the Forced Browse - b 2 p 87
- ZAP Forced Browse Results - b 2 p 88
- View the Newly Discovered URLs - b 2 p 89
Fuzzing
- Overview - b 2 p 90-96
- Fuzzing - b 2 p 91
- Examining Results - b 2 p 92
- FuzzDB - b 2 p 93
- Burp Intruder - b 2 p 94
- Fuzzing (Attack) Types - b 2 p 95
- Payloads - b 2 p 96
Exercise: Burp Fuzzing
- Overview - b 2 p 97-106
- Burp Fuzzing: Launching Burp - b 2 p 98
- Burp Sniper Fuzzing Lab - b 2 p 99
- Burp Fuzzing: Step-by-Step - b 2 p 100
- Burp Fuzzing: Switch to Burp - b 2 p 101
- Burp Intruder - b 2 p 102
- Add the Password - b 2 p 103
- Choose the Password List and Start the Attack - b 2 p 104
- Burp Results - b 2 p 105
- Final Step - b 2 p 106
Information Leakage
- Overview - b 2 p 107-114
- OTG-CONFIG-004: Review Unreferenced Files for Sensitive Information - b 2 p 108
- Information Leakage - b 2 p 109
- Types of Information Leakage - b 2 p 110
- Directory Browsing - b 2 p 111
- Google Searching for Directory Browsing - b 2 p 112
- Searching for Information Leakage Flaws - b 2 p 113
- Automated Discovery of Directory Browsing - b 2 p 114
Exercise: Directory Browsing
- Overview - b 2 p 115-131
- Directory Browsing Exercise - b 2 p 116
- Directory Browsing Exercise: Goal - b 2 p 117
- Directory Browsing Script find_accounts - b 2 p 118
- Exercise Preparation Step: Create a List of Last Names - b 2 p 119
- Directory Browsing Challenge - b 2 p 120
- Run find_accounts - b 2 p 121
- Launch ZAP - b 2 p 122
- Configure Firefox - b 2 p 123
- Surf to www.sec542.org/~adent/ - b 2 p 124
- Switch to ZAP - b 2 p 125
- Fuzz the First Initial - b 2 p 126
- Add the Payload - b 2 p 127
- Fuzz the last name - b 2 p 128
- Add the Payload - b 2 p 129
- Start the Fuzzer - b 2 p 130
- The Fuzzing - b 2 p 131
Authentication
- Overview - b 2 p 132-153
- Authentication - b 2 p 133
- HTTP Basic Authentication - b 2 p 134
- HTTP Basic Authentication Illustrated - b 2 p 135
- Attacker's Perspective of HTTP Basic Authentication - b 2 p 136
- HTTP Digest Authentication - b 2 p 137
- HTTP Digest Authentication Illustrated - b 2 p 138
- Attacker's Perspective of HTTP Digest Authentication - b 2 p 139
- Integrated Windows Authentication - b 2 p 140
- Attacker's Perspective of HTTP Integrated Windows Authentication - b 2 p 141
- Forms-based Authentication - b 2 p 142
- Pieces of Forms-based Authentication - b 2 p 143
- Forms-based Authentication Illustrated - b 2 p 144
- Attacker's Perspective of Forms-based Authentication - b 2 p 145
- OAuth - b 2 p 146
- How OAuth Works - b 2 p 147-149
- OAuth 1.0 - b 2 p 150
- OAuth 2.0 - b 2 p 151
- Example OAuth Requests - b 2 p 152
- Attacker's View of OAuth - b 2 p 153
Exercise: Authentication
- Overview - b 2 p 154-173
- Authentication Exercise - b 2 p 155
- Client Authentication: Running ZAP - b 2 p 156
- Client Authentication: Configure Firefox - b 2 p 157
- Client Authentication: ZAP - Basic Authentication - b 2 p 158-165
- Client Authentication: ZAP - Digest Authentication - b 2 p 166-168
- Client Authentication: ZAP - Forms-Based Authentication - b 2 p 169-172
- Final Step - b 2 p 173
Username Harvesting
- Overview - b 2 p 174-183
- OTG-IDENT-004: Testing for Account Enumeration - b 2 p 175
- Username Harvesting - b 2 p 176
- Harvesting Usernames from Authentication Pages - b 2 p 177
- Results to Look for - b 2 p 178
- Side Channel Attacks - b 2 p 179
- Practical Side Channel Attacks - b 2 p 180
- Timing Attacks - b 2 p 181
- Slow Hashing - b 2 p 182
- Practical Side Channel Timing Attacks - b 2 p 183
Exercise: Username Harvesting
- Overview - b 2 p 184-201
- Username Harvesting Exercise - b 2 p 185
- Your Challenge: No Hints - b 2 p 186
- Username Harvesting: Test the Login Form - b 2 p 187
- Username Harvesting: Enumerating Users - b 2 p 188-189
- Combine Two Wordlists - b 2 p 190
- Let's Try the Second Form - b 2 p 191
- Launch ZAP - b 2 p 192
- Configure Firefox - b 2 p 193
- Let's Fuzz - b 2 p 194
- ZAP Fuzzer Menu - b 2 p 195
- Add the Payload - b 2 p 196
- Fuzz the last name - b 2 p 197
- Add the Payload - b 2 p 198
- Start the Fuzzer - b 2 p 199
- Now: Find the Valid Users - b 2 p 200
- Why Does This Timing Attack Work? - b 2 p 201
542.3 Injection
Session Tracking
- Overview - b 3 p 4-12
- Stateless as a Way of Life - b 3 p 5
- Session Tracking - b 3 p 6
- Type of Session: Client-Side vs Server-Side - b 3 p 7
- Popular Tracking - b 3 p 8
- Cookies - b 3 p 9
- URI Parameters - b 3 p 10
- Hidden Form Fields - b 3 p 11
- Attacker's Perspective of Session State - b 3 p 12
Session Fixation
- Overview - b 3 p 13-23
- Session Token Gathering - b 3 p 14
- Session Token Variables - b 3 p 15
- Identifying Session Tokens - b 3 p 16
- Session Token Predictability - b 3 p 17
- Manually Collecting Session Credentials - b 3 p 18
- Collecting Session Credentials via Customized Scripts - b 3 p 19
- Burp Sequencer Session Analysis - b 3 p 20
- Session Flaws beyond Math - b 3 p 21
- Session Fixation - b 3 p 22
- Discovering/Exploiting Session Fixation - b 3 p 23
Bypass Flaws
- Overview - b 3 p 24-26
- Authentication Bypass - b 3 p 25
- Bypass Methods - b 3 p 26
Exercise: Authentication Bypass
- Overview - b 3 p 27-32
- Authentication Bypass Exercise - b 3 p 28
- Authentication Bypass: Examine the Code in BASE - b 3 p 29
- Authentication Bypass: Create an HTML Exploit - b 3 p 30
- Authentication Bypass: Build HTML Exploit - b 3 p 31
- Authentication Bypass: Testing Bypass Flaw - b 3 p 32
Vulnerable Web Apps: Mutillidae
- Overview - b 3 p 33-39
- Mutillidae - b 3 p 34
- Mutillidae's OWASP 2013 Coverage - b 3 p 35
- Mutillidae Security Levels - b 3 p 36
- Mutillidae Hints - b 3 p 37
- Level 2 Hints - b 3 p 38
- Reset DB - b 3 p 39
Command Injection
- Overview - b 3 p 40-44
- OTG-INPVAL-013: Testing for Command Injection - b 3 p 41
- Command Injection - b 3 p 42
- Discovering Command Injection - b 3 p 43
- Command Injection Results - b 3 p 44
Exercise: Command Injection
- Overview - b 3 p 45-55
- Command Injection Exercise - b 3 p 46
- Exercise: Setup - b 3 p 47
- Exercise: Challenges - b 3 p 48
- Exercise: Step 1 - b 3 p 49
- Command Injection Results - b 3 p 50
- Step 2: Discover the Privileges of the Running User - b 3 p 51
- Step 3: Ping 127.0.0.1 - b 3 p 52
- Ping Results - b 3 p 53
- Step 4: Open a Backdoor Shell - b 3 p 54
- Our Shell - b 3 p 55
File Inclusion and Directory Traversal
- Overview - b 3 p 56-64
- OTG-INPVAL-012: Testing for Code Injection: LFI/RFI - b 3 p 57
- Local and Remote File Include - b 3 p 58
- Directory Traversal and File Inclusion - b 3 p 59
- Traditional Example - b 3 p 60
- Application Example - b 3 p 61
- Testing for Directory Traversal and File Include Flaws - b 3 p 62
- Obvious Parameters - b 3 p 63
- Building Blocks - b 3 p 64
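The following is an added illustration of the section above (Traditional Example, Application Example, Obvious Parameters, Building Blocks); it is not course material from the SEC542 books. It builds a throwaway web root under a temporary directory (constructed for the demo) and shows an include-by-parameter routine that joins the `page` parameter onto the web root beside a hardened version that canonicalizes the path and refuses anything outside the root. The payload list covers plain `../`, a URL-encoded slash and URL-encoded dots; the function and file names are invented for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def make_webroot():
    """Constructed layout for this demo: a web root holding one page, and a
    file one level above it that the application must never serve."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "www")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "about.html"), "w") as f:
        f.write("about page")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the web root")
    return webroot


def read_page_vulnerable(webroot, page):
    """Include-by-parameter as the 'Application Example' describes it: the
    page value is URL-decoded and joined onto the web root with no check
    that the result still lies inside it. '../' walks out of the root, and
    an absolute value such as '/etc/passwd' makes os.path.join discard the
    root entirely (the 'Traditional Example')."""
    path = os.path.join(webroot, unquote(page))
    with open(path) as f:
        return f.read()


def read_page_hardened(webroot, page):
    """Decode once, canonicalize, then refuse anything outside the root.
    realpath() collapses '..' and follows symlinks, so the containment test
    runs on the resolved path rather than on the raw string."""
    decoded = unquote(page)
    if "\x00" in decoded:
        # NUL truncation was a classic LFI building block on old PHP/C stacks.
        raise ValueError("null byte in page parameter")
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("page parameter escapes the web root: %r" % page)
    with open(candidate) as f:
        return f.read()


# Building blocks a tester tries in an obvious file parameter: plain
# traversal, URL-encoded slash, URL-encoded dots.
TRAVERSAL_PAYLOADS = ["../secret.txt", "..%2Fsecret.txt", "%2e%2e/secret.txt"]


def is_blocked(webroot, page):
    """True when the hardened reader rejects the payload."""
    try:
        read_page_hardened(webroot, page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = make_webroot()
    for p in TRAVERSAL_PAYLOADS:
        leaked = read_page_vulnerable(root, p)
        print("%-20s vulnerable -> %r, hardened blocked -> %s"
              % (p, leaked, is_blocked(root, p)))
```

The check compares resolved paths rather than looking for `..` in the input, because encoding tricks only have to defeat a string filter once, while a canonicalized path either is or is not under the root.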
Exercise: Local/Remote File Inclusion
- Overview - b 3 p 65-77
- Local/Remote File Inclusion Exercise - b 3 p 66
- Exercise: Setup 1 - b 3 p 67
- Exercise: Challenges - b 3 p 68
- Step 1: Local File Inclusion (LFI) - b 3 p 69
- Step 2: Local File Inclusion (LFI) - b 3 p 70
- Step 3: Remote File Inclusion - b 3 p 71
- Step 4: PHP Crash Course - b 3 p 72
- Step 5: Create /var/www/html/id.txt - b 3 p 73
- Step 6: Launch the RFI - b 3 p 74
- Step 7: Create a Backdoor - b 3 p 75
- Step 8: Run the Backdoor - b 3 p 76
- The Backdoor - b 3 p 77
SQL Injection Primer
- Overview - b 3 p 78-95
- Introduction to SQL Injection - b 3 p 79
- Origin of SQL Injection - b 3 p 80
- Relational Databases - b 3 p 81
- Key SQL Verbs - b 3 p 82
- SQL Query Modifiers - b 3 p 83
- Important SQL Data Types - b 3 p 84
- SQL Special Characters - b 3 p 85
- SQL Injection Example: Code - b 3 p 86
- SQL Injection Example: Normal Input/Query - b 3 p 87
- SQL Injection Example: Injected Input/Query - b 3 p 88
- SQL Injection Example: Injected Input 2/Query 2 - b 3 p 89
- ' or 1=1; -- - b 3 p 90
- SQL Injection Example: ' or 1=1; -- Injected - b 3 p 91
- SQLi Balancing Act - b 3 p 92
- Quote Balancing - b 3 p 93
- Balancing Column Numbers - b 3 p 94
- Data Type Balancing - b 3 p 95
Discovering SQLi
- Overview - b 3 p 96-117
- Discovering SQL Injection - b 3 p 97
- Input Locations - b 3 p 98
- Classes of SQLi - b 3 p 99
- In-Band/Inline SQLi - b 3 p 100
- Blind SQL Injection - b 3 p 101
- Varying Degrees of Blindness - b 3 p 102
- Database Error Messages - b 3 p 103
- DB Error Message Example - b 3 p 104
- Learn from Your Mistakes - b 3 p 105
- Custom Error Messages - b 3 p 106
- Custom Error Message Example - b 3 p 107
- Custom Errors and SQLi - b 3 p 108
- Without DB Errors - b 3 p 109
- Equivalent String Injections - b 3 p 110
- Inject For Comment - b 3 p 111-112
- Binary/Boolean Interface Injection - b 3 p 113
- Increasing Blindness - b 3 p 114
- Blind Timing Interfaces - b 3 p 115
- Utter Blindness: Out-of-Band SQLi - b 3 p 116
- Out-of-Band Channels - b 3 p 117
Exercise: Error-Based SQLi
- Overview - b 3 p 118-127
- Error-Based SQL Injection - b 3 p 119
- Exercise: Setup 1 - b 3 p 120
- Exercise: Setup 2 - b 3 p 121
- Exercise: Choose Your Own Adventure - b 3 p 122
- Exercise: Induce an Error Message - b 3 p 123
- Exercise: Return All Rows Using Comment - b 3 p 124
- Exercise: Return All Rows Without Comment - b 3 p 125
- Exercise: Determine Number of Columns Using ORDER BY - b 3 p 126
- Exercise: Current Query Disclosure - b 3 p 127
Exploiting SQLi
- Overview - b 3 p 128-149
- DB Fingerprinting - b 3 p 129
- (Meta)Database Info - b 3 p 130
- Databases/Tables/Columns - b 3 p 131
- Exploiting In-Band/Inline - b 3 p 132
- Stacked Queries - b 3 p 133
- Stacked Query Example - b 3 p 134-135
- Why Stacking Matters - b 3 p 136
- UNIONizing SQL Injection - b 3 p 137
- UNION Prerequisites - b 3 p 138
- FROMless SELECT - b 3 p 139
- The Power of NULL - b 3 p 140
- UNION+NULL - b 3 p 141
- Data Types - b 3 p 142
- UNION and Data Exfiltration - b 3 p 143
- Blind Data Exfiltration - b 3 p 144
- Blind Boolean Inference Exfiltration - b 3 p 145
- Beyond DB Data Exfiltration - b 3 p 146
- SQLi Potential Attacks - b 3 p 147
- SQLi -> Write File -> Shell - b 3 p 148
- SQLi Cheat Sheets - b 3 p 149
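An added worked example tying together the three SQLi sections above: the primer's string-built query and `' or 1=1; --`, the error-based exercise's induce-an-error and ORDER BY column-count steps, and UNION+NULL metadata extraction from Exploiting SQLi. It is not course material; the in-memory SQLite `users` table, its rows and the lookup functions are constructed for the demo. Against another DBMS the error text and the catalog differ (e.g. `information_schema` rather than `sqlite_master`), but the mechanics are the same.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the primer's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "adent", "adent@example.com"),
         (2, "fprefect", "fprefect@example.com"),
         (3, "zbeeblebrox", "zb@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'SQL Injection Example: Code' pattern: user input concatenated
    straight into the query text, so a quote in the input closes the
    literal and the remainder is parsed as SQL."""
    sql = "SELECT uid, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver binds the value, so it is never
    parsed as SQL and the same payloads simply match no row."""
    sql = "SELECT uid, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def induce_error(conn):
    """'Induce an Error Message': one stray quote leaves the literal
    unterminated and the database says so. Returns the error text, or None
    if the input was handled without complaint."""
    try:
        lookup_vulnerable(conn, "adent'")
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def count_columns(conn, max_cols=10):
    """'Determine Number of Columns Using ORDER BY': ORDER BY n succeeds while
    n is within the SELECT list and errors once it is not, so the last good
    n is the column count. That count (not the table's) is what a UNION
    must balance."""
    for n in range(1, max_cols + 1):
        try:
            lookup_vulnerable(conn, "x' ORDER BY %d -- " % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_table_names(conn):
    """'UNION+NULL' applied to '(Meta)Database Info': NULL pads the column
    we do not care about (it satisfies any data type), the other column
    pulls table names from SQLite's catalog, and a username of 'x' matches
    nothing so only the UNION rows come back."""
    payload = "x' UNION SELECT NULL, name FROM sqlite_master WHERE type='table' -- "
    return [name for _, name in lookup_vulnerable(conn, payload)]


if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, "adent"))          # normal input
    print(lookup_vulnerable(conn, "' or 1=1; -- "))  # all rows, comment closes the quote
    print(lookup_vulnerable(conn, "' or '1'='1"))    # all rows, quote balanced by hand
    print(lookup_safe(conn, "' or 1=1; -- "))        # [] : bound, never parsed
    print(induce_error(conn))
    print(count_columns(conn))                       # 2
    print(union_table_names(conn))                   # ['users']
```

The two "return all rows" payloads show the balancing act from the primer: the comment form discards the trailing quote the code appends, while the `'1'='1` form consumes it, which is the variant to reach for when comments are filtered.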
SQLi Tools
- Overview - b 3 p 150-166
- SQLi Tools - b 3 p 151
- BBQSQL - b 3 p 152
- sqlmap - b 3 p 153
- For All Your SQLi Needs - b 3 p 154
- sqlmap Integrations - b 3 p 155
- sqlmap: -h and -hh - b 3 p 156
- sqlmap: Initial Targeting - b 3 p 157
- sqlmap: Auth/Sessions/Proxies - b 3 p 158
- sqlmap: Proxies and Active Sessions - b 3 p 159
- sqlmap: Riding ZAP/Burp Sessions - b 3 p 160-161
- sqlmap: HTTP Headers - b 3 p 162
- sqlmap: DB Enumeration - b 3 p 163
- sqlmap: DB Data Exfil - b 3 p 164
- Key Switches: Beyond DB Data Exfil - b 3 p 165-166
Exercise: sqlmap + ZAP
- Overview - b 3 p 167-182
- sqlmap + ZAP - b 3 p 168
- Exercise Setup 1 - b 3 p 169
- Exercise Setup 2 - b 3 p 170
- Exercise Setup 3 - b 3 p 171
- Exercise: Your Challenge - b 3 p 172
- Exercise: Verify SQL Flaw - b 3 p 173
- Exercise: ZAP Cookie -> sqlmap - b 3 p 174
- Exercise: sqlmap with --cookie(s) - b 3 p 175
- Exercise: sqlmap SQLi Methods - b 3 p 176
- Exercise: sqlmap User Agent - b 3 p 177
- Exercise: Sensitive Table Entries - b 3 p 178
- Exercise: zbeeblebrox uid - b 3 p 179
- Exercise: DB Users and Passwords - b 3 p 180
- Exercise: my_wiki Password Search - b 3 p 181
- Bonus MSF Shell - b 3 p 182
542.4 JavaScript and XSS
JavaScript
- Overview - b 4 p 4-15
- Why JavaScript for Web App Pen Testers? - b 4 p 5
- JavaScript - b 4 p 6
- JavaScript Use in Web Pages - b 4 p 7
- JavaScript Fundamentals - b 4 p 8
- Conditional Statements - b 4 p 9
- Control Statements - b 4 p 10
- JavaScript Variables - b 4 p 11
- Functions - b 4 p 12
- Events - b 4 p 13
- Using Events in Attacks: Ideas for Pen Testers - b 4 p 14
- Using Events in Attacks: More Ideas for Pen Testers - b 4 p 15
Document Object Model (DOM)
- Overview - b 4 p 16-22
- Document Object Model (DOM) - b 4 p 17
- DOM Nodes - b 4 p 18
- JavaScript Object Methods and Properties - b 4 p 19
- Objects and Their Associated Properties and Methods - b 4 p 20
- Selecting and Changing Content - b 4 p 21
- Interacting with Cookies - b 4 p 22
Exercise: JavaScript
- Overview - b 4 p 23-31
- JavaScript Exercise - b 4 p 24
- Attack Usage - b 4 p 25
- JavaScript Exercise: Setup - b 4 p 26
- JavaScript: Add Script Blocks - b 4 p 27
- JavaScript: Reference Separate File - b 4 p 28
- JavaScript: Edit attack.js - b 4 p 29
- JavaScript: Edit index.html - b 4 p 30
- Reload index.html - b 4 p 31
Cross-Site Scripting
- Overview - b 4 p 32-47
- Cross-Site Scripting - b 4 p 33
- Parts of an XSS Attack - b 4 p 34
- Same Origin Policy - b 4 p 35
- Why Same Origin Policy? - b 4 p 36
- Enforcing the Same Origin Policy - b 4 p 37
- Discovering XSS - b 4 p 38
- XSS and Parameters - b 4 p 39
- Filtering - b 4 p 40
- Bypassing Filters - b 4 p 41
- Types of XSS - b 4 p 42
- Reflected XSS - b 4 p 43
- Persistent XSS - b 4 p 44
- DOM-Based XSS - b 4 p 45
- DOM-Based XSS Explanation - b 4 p 46
- Persistent (Admin) - b 4 p 47
Exercise: Reflective XSS
- Overview - b 4 p 48-53
- Reflective XSS Exercise - b 4 p 49
- Reflective XSS: Test the Application - b 4 p 50
- Reflective XSS: Test XSS Flaw - b 4 p 51
- Reflective XSS: Exploit Code - b 4 p 52
- Reflective XSS: Exploiting phpMyAdmin - b 4 p 53
XSS Tools
- Overview - b 4 p 54-61
- XSS Tools - b 4 p 55
- Interception Proxies - b 4 p 56
- xsssniper - b 4 p 57-58
- XSSer - b 4 p 59-60
- XSScrapy - b 4 p 61
XSS Fuzzing
- Overview - b 4 p 62-74
- XSS Fuzzing - b 4 p 63
- Burp Intruder: Reflection Tests - b 4 p 64
- Battering Ram - b 4 p 65
- Grep: Payloads - b 4 p 66
- Initial Reflection Test Results - b 4 p 67
- Follow-Up Sniper Attack - b 4 p 68
- Filter Tests - b 4 p 69
- Filter Bypass/Evasion - b 4 p 70
- Browser False Positives - b 4 p 71-72
- Bypassing Browser Filters - b 4 p 73
- XSS POC Payloads - b 4 p 74
Exercise: HTML Injection
- Overview - b 4 p 75-95
- OTG-CLIENT-003: Test for HTML Injection - b 4 p 76
- HTML Injection Exercise - b 4 p 77
- Exercise: Setup 1 - b 4 p 78
- Exercise: Setup 2 - b 4 p 79
- Exercise: Challenges - b 4 p 80
- Exercise: Step 1 HTML Injection - b 4 p 81
- So What? - b 4 p 82
- Step 2: Image Injection - b 4 p 83
- The Earth, Actual Size - b 4 p 84
- Step 3: iframe Inject an Entire Web Page - b 4 p 85
- Step 4: iframe Inject an Entire Web Page - b 4 p 86
- Blog in the Blog - b 4 p 87
- iframe Page Redirection - b 4 p 88
- Please Log In! - b 4 p 89
- Step 6: XSS - b 4 p 90
- Step 7: XSS to Display the Cookie - b 4 p 91
- Step 8: Persistent Admin XSS - b 4 p 92
- Step 9: Create an Unusual Log Entry - b 4 p 93
- Step 10: Inject the Script - b 4 p 94
- Step 11: View the Log - b 4 p 95
XSS Exploitation
- Overview - b 4 p 96-105
- GET -> POST XSS Flaws - b 4 p 97
- Typical Exploits with XSS - b 4 p 98
- Reading Cookies - b 4 p 99
- Cookie Catcher - b 4 p 100
- Redirecting a User - b 4 p 101
- External Scripts - b 4 p 102
- Evasion - b 4 p 103
- Evasion Example - b 4 p 104-105
BeEF
- Overview - b 4 p 106-115
- BeEF - b 4 p 107
- BeEF Interface - b 4 p 108
- Zombie Control - b 4 p 109
- BeEF Functionality - b 4 p 110
- History Browsing - b 4 p 111
- Request Initiation - b 4 p 112
- Port Scanning - b 4 p 113
- Browser Exploitation - b 4 p 114
- Inter-protocol Exploitation - b 4 p 115
Exercise: BeEF
- Overview - b 4 p 116-128
- BeEF Exercise - b 4 p 117
- BeEF Exercise - b 4 p 118
- Hook Chrome - b 4 p 119
- View Hooked Browser Details - b 4 p 120
- Widen That Browser! - b 4 p 121
- Hooked Browser Commands - b 4 p 122
- BeEF: Challenges - b 4 p 123
- Alerts Dialogue - b 4 p 124
- Prompt Dialogue - b 4 p 125
- Redirect the Browser - b 4 p 126
- Deface the Page - b 4 p 127
- Hee Hee! - b 4 p 128
AJAX
- Overview - b 4 p 129-140
- Asynchronous JavaScript and XML (AJAX) - b 4 p 130
- The Mighty XMLHttpRequest - b 4 p 131
- readyState - b 4 p 132
- XMLHttpRequest Example - b 4 p 133
- Mash-Ups - b 4 p 134
- Same Origin - b 4 p 135
- Mash-Up Proxy Features - b 4 p 136
- Mash-Up Proxy Issues - b 4 p 137
- AJAX Attack Surface - b 4 p 138
- AJAX Mapping - b 4 p 139
- AJAX Exploitation - b 4 p 140
API Attacks
- Overview - b 4 p 141-146
- JavaScript Libraries/Frameworks - b 4 p 142
- Framework Files - b 4 p 143
- Third-Party Frameworks - b 4 p 144
- Discovering Frameworks - b 4 p 145
- Exploiting Framework Flaws - b 4 p 146
Data Attacks
- Overview - b 4 p 147-154
- Data Attacks - b 4 p 148
- Data Formats - b 4 p 149
- JSON - b 4 p 150
- JSON Format - b 4 p 151
- Exploiting JSON - b 4 p 152
- JSON Injection - b 4 p 154
Exercise: AJAX XSS
- Overview - b 4 p 155-173
- AJAX JSON XSS - b 4 p 156
- AJAX Exercise Setup 1: Running Burp - b 4 p 157
- AJAX Exercise: Setup 2 - b 4 p 158
- AJAX Exercise: Setup 3 - b 4 p 159
- AJAX Exercise: Setup 4 - b 4 p 160
- AJAX Exercise: Setup 5 - b 4 p 161
- AJAX Exercise: Setup 6 - b 4 p 162
- AJAX Exercise Challenge - b 4 p 163
- AJAX Exercise Hints - b 4 p 164
- AJAX XSS Step 1 - b 4 p 165
- AJAX XSS Step 2 - b 4 p 166
- AJAX XSS Step 3 - b 4 p 167
- AJAX XSS Step 4 - b 4 p 168
- AJAX XSS Step 5 - b 4 p 169
- AJAX XSS Step 6 - b 4 p 170
- AJAX XSS Step 7 - b 4 p 171
- AJAX XSS Step 8 - b 4 p 172
- Final Step - b 4 p 173
542.5 CSRF, Logic Flaws and Advanced Tools
Cross-Site Request Forgery
- Overview - b 5 p 5-13
- OTG-SESS-005: Test for Cross-Site Request Forgery - b 5 p 6
- Cross-Site Request Forgery - b 5 p 7
- CSRF Attack Walk-Through - b 5 p 8
- CSRF Walk-Through - b 5 p 9-10
- Detecting CSRF - b 5 p 11
- Attacking CSRF - b 5 p 12
- ZAP + CSRF - b 5 p 13
Exercise: CSRF
- Overview - b 5 p 14-25
- CSRF Exploitation Exercise - b 5 p 15
- CSRF Exploitation: Running ZAP - b 5 p 16
- CSRF: Configure Firefox - b 5 p 17
- Create an Anonymous Post - b 5 p 18
- Anonymous Post Content - b 5 p 19
- Inspect Post Variables - b 5 p 20
- Create anti CSRF test Form - b 5 p 21
- Copy Form and Log In - b 5 p 22
- Fall for the CSRF Trap - b 5 p 23
- View the CSRF Post - b 5 p 24
- Final Step - b 5 p 25
Logic Attacks
- Overview - b 5 p 26-29
- Logic Attacks - b 5 p 27
- Logic Attack Example - b 5 p 28
- Discovering Logic Flaws - b 5 p 29
Exercise: Mobile MITM
- Overview - b 5 p 30-45
- Mobile MITM - b 5 p 31
- MITM: The Players - b 5 p 32
- Mobile MITM Exercise - b 5 p 33
- Load the Base-AndroidLabs App - b 5 p 34
- The App - b 5 p 35
- Check Your Balances - b 5 p 36
- Transfer Funds - b 5 p 37
- View the Transfer in Burp - b 5 p 38
- Your Challenge - b 5 p 39
- Step-by-Step Instructions - b 5 p 40
- Change the Transfer - b 5 p 41
- Success! - b 5 p 42
- The Bonus - b 5 p 43
- The Power of Negative Thinking - b 5 p 44
- One Miiiiilion Dollars - b 5 p 45
Python for Web App Pen Testers
- Overview - b 5 p 46-57
- Creating Custom Scripts for Penetration Testing - b 5 p 47
- Why Python for Web App Pen Testers? - b 5 p 48
- Python - b 5 p 49
- Python Variables - b 5 p 50
- Comments and Code Blocks - b 5 p 51
- Python If Statement - b 5 p 52
- Python Looping Structures - b 5 p 53
- Python Functions - b 5 p 54
- Python Standard Library - b 5 p 55
- Making HTTP Requests within Python - b 5 p 56
- Accessing Files in Python - b 5 p 57
Exercise: Python
- Overview - b 5 p 58-64
- Python Scripting Exercise - b 5 p 59
- Python Scripting: Create the Script - b 5 p 60
- Python Scripting: Add HTTP Request Functionality - b 5 p 61
- Python Scripting: Print Various Header Values - b 5 p 62
- Python Scripting: Iterate through Page IDs - b 5 p 63
- Python Scripting: Write Results to a File - b 5 p 64
WPScan
- Overview - b 5 p 65-67
- WPScan - b 5 p 66
- WPScan Details - b 5 p 67
Exercise: WPScan
- Overview - b 5 p 68-78
- WPScan and Off-the-Shelf Exploits - b 5 p 69
- Exercise: Challenge - b 5 p 70
- Exercise: Run WPScan - b 5 p 71
- Exercise: Off-the-Shelf Exploits - b 5 p 72
- Exercise: Customize the Exploit - b 5 p 73
- Exercise: Run the Exploit - b 5 p 74
- Exercise: Crack the Password - b 5 p 75
- Exercise: Log In with Cracked Creds - b 5 p 76
- Exercise: Cookie Review - b 5 p 77
- Exercise: sqlmap Shortcut - b 5 p 78
w3af
- Overview - b 5 p 79-92
- Web Application Attack and Audit Framework - b 5 p 80
- The w3af GUI - b 5 p 81
- The w3af Console - b 5 p 82
- w3af Scripting - b 5 p 83
- w3af Plugins - b 5 p 84
- w3af Crawl Plugins - b 5 p 85
- w3af Evasion Plugins - b 5 p 86
- w3af Audit Plugins - b 5 p 87
- w3af Grep Plugins - b 5 p 88
- w3af Brute Force Plugins - b 5 p 89
- Running w3af - b 5 p 90
- w3af Results - b 5 p 91
- w3af Exploitation - b 5 p 92
Exercise: w3af
- Overview - b 5 p 93-100
- w3af Exercise - b 5 p 94
- w3af: Configure and Start the Scan - b 5 p 95
- w3af Running Results - b 5 p 96
- w3af Results -> URLs - b 5 p 97
- w3af Results -> KB Browser - b 5 p 98
- w3af os_commanding - b 5 p 99
- w3af Use the Shell - b 5 p 100
Metasploit
- Overview - b 5 p 101-116
- Metasploit - b 5 p 102
- Metasploit and Web Testing - b 5 p 103
- Seeding Metasploit Database - b 5 p 104
- db_import - b 5 p 105
- WMAP - b 5 p 106
- Metasploit Integration - b 5 p 107
- BeEF + Metasploit - b 5 p 108-109
- Sqlmap <-> Metasploit - b 5 p 110
- Metasploit and Known Vulnerabilities - b 5 p 111
- Drupal - b 5 p 112
- Drupalgeddon - b 5 p 113-114
- Drupalgeddon (Gory) Details - b 5 p 115
- Metasploit + Drupalgeddon - b 5 p 116
Exercise: Metasploit
- Overview - b 5 p 117-125
- Exercise: Metasploit/Drupalgeddon/Shellshock - b 5 p 118
- Your Challenge: Three Levels of Difficulty - b 5 p 119
- Metasploit/Drupalgeddon Step-by-Step - b 5 p 120
- Type php meterpreter Commands - b 5 p 121
- Next up: Shellshock - b 5 p 122
- Metasploit/Shellshock Step-by-Step - b 5 p 123
- View the Exploit in Burp - b 5 p 124
- What Is Metasploit Doing? - b 5 p 125
When Tools Fail
- Overview - b 5 p 126-132
- When Tools Fail - b 5 p 127
- Taking It to the Next Level - b 5 p 128
- CVE 2014-1610 - b 5 p 129
- Research the Flaw - b 5 p 130
- The Exploit - b 5 p 131
- Back to Metasploit - b 5 p 132
Exercise: When Tools Fail
- Overview - b 5 p 133-144
- Revisiting cust42.sec542.com - b 5 p 134
- Metasploit - b 5 p 135-136
- Unhappy pwning!! - b 5 p 137
- What Happened? - b 5 p 138
- Log in to the Site - b 5 p 139
- Upload a PDF - b 5 p 140
- Next: Manually Exploit the Vulnerability - b 5 p 141
- Submit the URL - b 5 p 142
- Happy pwning!! - b 5 p 143
- Back to Metasploit - b 5 p 144
Web App Pen Testing Methods
- Overview - b 5 p 145-152
- Black Box Penetration Testing - b 5 p 146
- White Box Penetration Testing - b 5 p 147
- Grey Box Penetration Testing - b 5 p 148
- Testing Methods: Manual vs. Automated Testing - b 5 p 149
- Manual Web App Penetration Testing - b 5 p 150
- Automated Web App Penetration Testing - b 5 p 151
- Hybrid Web App Penetration Testing - b 5 p 152
Web App Pen Test Preparation
- Overview - b 5 p 153-161
- Web App Pen Test Preparation - b 5 p 154
- Managing a Web App Penetration Test - b 5 p 155
- Establishing the Test Scope - b 5 p 156
- Gathering Information Required for the Test - b 5 p 157
- Rules of Engagement - b 5 p 158
- Identifying Tester Traffic and Data in the Application - b 5 p 159
- Testing Time Windows - b 5 p 160
- Communications Planning - b 5 p 161
Reporting and Presenting
- Overview - b 5 p 162-170
- Reporting - b 5 p 163
- Report Pieces - b 5 p 164
  - Executive Summary - b 5 p 165
  - Introduction - b 5 p 166
  - Methodology - b 5 p 167
  - Findings - b 5 p 168
  - Conclusions - b 5 p 169
- Presentation - b 5 p 170