Subscription

Explore Products

Best Sellers

New Releases

Books

Videos

Audiobooks

Learning Hub

Conferences

Free Learning

You're reading from Improving your Penetration Testing Skills Strengthen your defense against web attacks with Kali Linux and Metasploit

Product type Course

Published in Jul 2019

Publisher Packt

ISBN-13 9781838646073

Length 712 pages

Edition 1st Edition

Languages

Ruby

Tools

Kali Linux

Concepts

Penetration Testing

Authors (4):

Daniel Teixeira

Juned Ahmed Ansari

Abhinav Singh

Gilberto Najera-Gutierrez

View More author details

Table of Contents (24) Chapters

Title Page

Improving your Penetration Testing Skills

About Packt

Contributors

Preface

1. Introduction to Penetration Testing and Web Applications FREE CHAPTER

2. Setting Up Your Lab with Kali Linux

3. Reconnaissance and Profiling the Web Server

4. Authentication and Session Management Flaws

5. Detecting and Exploiting Injection-Based Flaws

6. Finding and Exploiting Cross-Site Scripting (XSS) Vulnerabilities

7. Cross-Site Request Forgery, Identification, and Exploitation

8. Attacking Flaws in Cryptographic Implementations

9. Using Automated Scanners on Web Applications

10. Metasploit Quick Tips for Security Professionals

11. Information Gathering and Scanning

12. Server-Side Exploitation

13. Meterpreter

14. Post-Exploitation

15. Using MSFvenom

16. Client-Side Exploitation and Antivirus Bypass

17. Social-Engineer Toolkit

18. Working with Modules for Penetration Testing

1. Other Books You May Enjoy

Leave a review - let other readers know what you think

Preventing CSRF

Preventing CSRF is all about ensuring that the authenticated user is the person requesting the operation. Due to the way browsers and web applications work, the best choice is to use a token to validate operations, or, when possible, use a CAPTCHA control.

A CSRF attack is easier to execute when the vulnerable parameter is passed through the GET method. Therefore, avoid it in the first place and use the POST method wherever possible. It does not fully mitigate the attack, but it makes the attacker's task more difficult.

As attackers will try to break token generation or validation systems, it is very important to produce them securely; that is, in a way that attackers cannot guess them. You must also make them unique for each user and each operation, because reusing them voids their purpose. These tokens are usually included in a header field in every request...

The rest of the chapter is locked

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at €18.99/month. Cancel anytime

Authors (4)

Gilberto Najera-Gutierrez

Gilberto Najera-Gutierrez is an experienced penetration tester currently working for one of the top security testing service providers in Australia. He obtained leading security and penetration testing certifications, namely Offensive Security Certified Professional (OSCP), EC-Council Certified Security Administrator (ECSA), and GIAC Exploit Researcher and Advanced Penetration Tester (GXPN).

See other products by Gilberto Najera-Gutierrez

Abhinav Singh

Abhinav Singh is a well-known information security researcher. He is the author of Metasploit Penetration Testing Cookbook (first and second editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community—paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker at eminent international conferences—Black Hat and RSA. His areas of expertise include malware research, reverse engineering, and cloud security.

See other products by Abhinav Singh

Daniel Teixeira

Daniel Teixeira is an IT security expert, author, and trainer, specializing in red team engagements, penetration testing, and vulnerability assessments. His main areas of focus are adversary simulation, emulation of modern adversarial tactics, techniques and procedures; vulnerability research, and exploit development.

See other products by Daniel Teixeira

Juned Ahmed Ansari

Juned Ahmed Ansari is a cyber security researcher based out of Mumbai. He currently leads the penetration testing and offensive security team in a prodigious MNC. Juned has worked as a consultant for large private sector enterprises, guiding them on their cyber security program. He has also worked with start-ups, helping them make their final product secure. Juned has conducted several training sessions on advanced penetration testing, which were focused on teaching students stealth and evasion techniques in highly secure environments. His primary focus areas are penetration testing, threat intelligence, and application security research.

See other products by Juned Ahmed Ansari