Ethical Hacker’s Penetration Testing Guide


1. Introduction

2. Overview of Web and Related Technologies and Understanding the Application

  • Introduction
  • Static vs dynamic web application, cookies
  • Static web application: No cookies, no state/session
  • Dynamic web application (web application with session)
  • Web technologies: HTTP methods, response codes, and importance
  • Introduction to HTTP2
  • Representational state transfer (REST)
  • Google Dorking/Google hacking
  • Web application architecture and understanding the application (Recon)
  • Basic Linux/Windows commands
  • Conclusion

3. Web Penetration Testing – Through Code Review

  • Introduction
  • OWASP survey on effective detection methods for web vulnerabilities
  • OWASP top 10 vulnerabilities
  • Attack surface
  • Code review: Things to look for while reviewing
  • URL encoding and Same Origin Policy (SOP)
  • URL encoding and escaping: The key is "In which order things are done"
  • URL, encoding, and escaping: Things to review
  • Same Origin Policy (SOP)
  • Code viewing for Cross Site Scripting (XSS)
  • SQL injection: The deadliest beast
  • IDOR/BOLA/Auth bypass is the new pandemic
  • Code review: Unrestricted file upload
  • Code review: Scary mistakes
  • Code review: Cryptography, hashing, and salt: Nothing is secure forever
  • Code review: Unvalidated URL Redirects
  • Conclusion

4. Web Penetration Testing – Injection Attacks

  • Introduction
  • Basic usage of Burp Proxy in pentesting
  • Proxying REST API requests using Postman and Burp Proxy
  • Pentesting for XSS
  • XSS in HTML context
  • XSS in HTML attribute context
  • XSS in URL context (works on PHP based application)
  • XSS in JavaScript context
  • XSS with headers and cookies: Applications that process header information
  • XSS with certificate request or SSL certificate information
  • DOM XSS
  • Pentesting for SQL Injection
  • Important uses of SQLMap for detecting SQL Injection
  • SQLMapper/CO2 extension for Burp Suite
  • Pentesting for Command Injection
  • Conclusion

5. Fuzzing, Dynamic Scanning of REST API, and Web Application

  • Introduction
  • Fuzzing Web Application and REST API
  • Fuzz Faster U Fool (Ffuf): A fast web fuzzer written in Go
  • Fuzzing REST API by adding various HTTP Headers
  • Fuzzing authenticated pages/REST API endpoints with cookies
  • Various usage options of Ffuf
  • Using Burp Suite Turbo Intruder (Fuzzer that supports HTTP2)
  • Basic tricks in analyzing the output of fuzzing to conclude our findings
  • Dynamic scanning of REST API and web application with OWASP ZAP
  • Pentest REST API using OWASP ZAP
  • Various settings and tricks while using OWASP ZAP
  • Various Active scan settings for Input Vectors in OWASP ZAP
  • Other advanced settings of ZAP
  • Why automation without your brain will not get any good result
  • Conclusion

6. Web Penetration Testing – Unvalidated Redirects/Forwards, SSRF

  • Introduction
  • Pentesting for unvalidated redirects or forwards
  • Pentesting for Server-Side Request Forgery (SSRF)
  • Conclusion

7. Pentesting for Authentication, Authorization Bypass, and Business Logic Flaws

  • Introduction
  • Authentication bypass
  • Authorization issues
  • Tricking authentication, authorization, and business logic
  • Business logic bypass test scenarios
  • Pentesting for HTTP 403 or Access Denied bypass
  • Conclusion

8. Pentesting for Sensitive Data, Vulnerable Components, Security Monitoring

  • Introduction
  • Sensitive data in logs, URLs, DB, config files; default credentials
  • Discovering components with known vulnerabilities
  • Implement security logging and monitoring: Splunk Alerts
  • Conclusion

9. Exploiting File Upload Functionality and XXE Attack

  • Introduction
  • Pentesting for unrestricted file upload with REST API
  • Unrestricted file upload: XSS: File name having XSS payload
  • Unrestricted file upload: Remote Code Execution (RCE) attack
  • Unrestricted file upload: XSS: File metadata having malicious payload
  • Use null byte in file extension to bypass file extension checks
  • Use double extension of file to bypass file extension checks
  • Bypass blacklisted extension check in file upload: Remote Code Execution (RCE) attack scenario
  • Bypass php gd() checks for file upload
  • XML and XXE attacks
  • Protection against XXE attack
  • Conclusion

10. Web Penetration Testing: Thick Client

  • Introduction
  • Thick Client application architecture
  • Understanding the Thick Client application
  • Perform reconnaissance of the Thick Client application
  • Reverse engineering the Thick Client application
  • Sensitive data in registry
  • Sensitive data in config file
  • Sensitive data in communication
  • Username/password/keys in memory
  • SQL Injection vulnerability
  • Conclusion

11. Introduction to Network Pentesting

  • Introduction
  • Setting up a pentest lab
  • Various phases of pentesting
  • Host discovery and service detection using Nmap
  • Exploiting the vulnerabilities using Metasploit and other tools
  • Scanning for vulnerabilities using Nessus Essentials/Home
  • Conclusion

12. Introduction to Wireless Pentesting

  • Introduction
  • Reconnaissance to identify wireless networks
  • Conclusion

13. Penetration Testing – Mobile App

  • Introduction
  • Android application security architecture
  • OWASP Top 10 mobile risks
  • Setting up a lab for pentesting mobile apps
  • Reverse engineering or analyzing the APK file
  • Embedded secrets in application code
  • Sensitive data printed to logs
  • Sensitive data disclosure via SQLite DB
  • Insecure data storage
  • Extracting sensitive internal file through URL scheme hijacking
  • Debug enabled
  • SQL Injection vulnerability
  • Static analysis using Mobile Security Framework (MobSF)
  • Introducing dynamic analysis on MobSF
  • Conclusion

14. Security Automation for Web Pentest

  • Introduction
  • Prerequisites
  • Scenario 1: Brute Forcing Login Page
  • Scenario 2: Simple SQL Injection Checker
  • Scenario 3: Simple Privilege Escalation Checker
  • Scenario 4: Indirect Object Reference (IDOR) Checker
  • Conclusion

15. Setting Up Pentest Lab

  • Host machine: Windows 11 laptop
  • Download and install Python, pip, and other required modules
  • Download and install XAMPP and DVWA
  • Setting up the insecure thick client application DVTA and other required tools
