Here are 9 essential books to familiarize yourself with bug bounty and web hacking.

Explore these recommended books on the methodology of web application penetration testing and hunting on the web. They provide a foundation in the basics and essentials of penetration testing and bug hunting. As bug bounties frequently involve website targets, our focus will be on initiating your journey into Web Hacking.

Zseano’s methodology

This guide is designed to give you an insight into how Zseano approaches discovering vulnerabilities in a web application. It is aimed at those looking for a “flow” to follow when looking for vulnerabilities on a website, whether they are beginners or experienced hackers.

Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities

Bug Bounty Bootcamp teaches you how to hack web applications. You will learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them. You’ll also learn how to navigate bug bounty programmes set up by companies to reward security professionals for finding bugs in their web applications.

Bug bounty programmes are company-sponsored programmes that invite researchers to search for vulnerabilities on their applications and reward them for their findings. This book is designed to help beginners with little to no security experience learn web hacking, find bugs, and stay competitive in this booming and lucrative industry.

You’ll start by learning how to choose a programme, write quality bug reports, and maintain professional relationships in the industry. Then you’ll learn how to set up a web hacking lab and use a proxy to capture traffic. In Part 3 of the book, you’ll explore the mechanisms of common web vulnerabilities, like XSS, SQL injection, and template injection, and receive detailed advice on how to find them and bypass common protections. You’ll also learn how to chain multiple bugs to maximize the impact of your vulnerabilities.

Hacking APIs: Breaking Web Application Programming Interfaces

You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks. In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll practice:

  • Enumerating API users and endpoints using fuzzing techniques
  • Using Postman to discover an excessive data exposure vulnerability
  • Performing a JSON Web Token attack against an API authentication process
  • Combining multiple API attack techniques to perform a NoSQL injection
  • Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You’ll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

  • Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
  • Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
  • Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.

Black Hat Python, 2nd Edition: Python Programming for Hackers and Pentesters

Fully updated for Python 3, the second edition of this worldwide bestseller (over 100,000 copies sold) explores the stealthier side of programming and brings you all-new strategies for your hacking projects.

When it comes to creating powerful and effective hacking tools, Python is the language of choice for most security analysts. In Black Hat Python, 2nd Edition, you’ll explore the darker side of Python’s capabilities: writing network sniffers, stealing email credentials, brute forcing directories, crafting mutation fuzzers, infecting virtual machines, creating stealthy trojans, and more.

The second edition of this bestselling hacking book contains code updated for the latest version of Python 3, as well as new techniques that reflect current industry best practices. You’ll also find expanded explanations of Python libraries such as ctypes, struct, lxml, and BeautifulSoup, and dig deeper into strategies, from splitting bytes to leveraging computer-vision libraries, that you can apply to future hacking projects.

You’ll learn how to:

  • Create a trojan command-and-control using GitHub
  • Detect sandboxing and automate common malware tasks, like keylogging and screenshotting
  • Escalate Windows privileges with creative process control
  • Use offensive memory forensics tricks to retrieve password hashes and inject shellcode into a virtual machine
  • Extend the popular Burp Suite web-hacking tool
  • Abuse Windows COM automation to perform a man-in-the-browser attack
  • Exfiltrate data from a network most sneakily

When it comes to offensive security, your ability to create powerful tools on the fly is indispensable. Learn how with the second edition of Black Hat Python.

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali

Many aspiring hackers are unfamiliar with Linux, having learned computer basics in a Windows or Mac environment. This can be the single most important obstacle to mastering the skills needed to become a better hacker; while hacking can be done with Windows or OS X, nearly all hacking tools are developed specifically for Linux. Linux Basics for Hackers aims to provide you with the foundation of Linux skills that every hacker needs. As you progress, you’ll have access to numerous real-world examples and hands-on exercises to apply your new knowledge and bring yourself up to speed.

Burp Suite Cookbook: Practical recipes to help you master web penetration testing with Burp Suite

Burp Suite is a Java-based platform used for testing the security of your web applications, and has been adopted widely by professional enterprise testers. The Burp Suite Cookbook contains recipes to help you tackle challenges related to determining and exploring vulnerabilities in web applications.

The book’s first few sections will help you understand how to uncover security flaws with various test cases for complex environments. After you’ve configured Burp for your environment, you will use Burp tools such as Spider, Scanner, Intruder, Repeater, and Decoder, among others, to resolve specific problems faced by pentesters. You’ll also be able to work with Burp’s various modes, in addition to performing operations on the web. Toward the concluding chapters, you’ll explore recipes that target specific test scenarios and learn how to resolve them using best practices.

By the end of this book, you’ll be up and running with deploying Burp for securing web applications.

What you will learn

  • Configure Burp Suite for your web applications
  • Perform authentication, authorization, business logic, and data validation testing
  • Explore session management and client-side testing
  • Understand unrestricted file uploads and server-side request forgery
  • Execute XML external entity attacks with Burp
  • Perform remote code execution with Burp

Bug Bounty Playbook

Do you like hacking? Do you like security? Do you want to make a living doing what you love? Do you want to find vulnerabilities and get paid to do so? If you answered YES to any of these questions, then this book is for you. The sole purpose of this book is to teach you the skills needed to successfully make a living hunting for vulnerabilities and bugs.

The book is divided up by the phases of the bug bounty hunting process. I go over everything like how I pick the best programs to hunt on, how I take notes, how I find targets, how I exploit targets and a lot more.

Bug Bounty Playbook 2

In the first version of the Bug Bounty Playbook I went over the recon and fingerprinting phase. This version is all about the exploitation phase. I show you exactly how I go about exploiting Fortune 500 companies, start-ups, and everything else in between.

If you haven’t already, make sure to read the first version of the book, where I discuss the recon and fingerprinting phase.