This course takes you through the complex world of full-stack web exploitation, focusing on real-world attack vectors used in modern web applications. You will begin with an overview of web security challenges and progress to advanced techniques such as bypassing Content Security Policy (CSP) with various methods. Each section provides practical demonstrations that showcase vulnerabilities found in popular web frameworks and libraries.
As the course progresses, you'll delve into exploiting web applications through PDFs, images, and links, including XSS attacks and token hijacking. You'll also explore AngularJS vulnerabilities, such as template injection and scope hacking, which are often exploited in Single Page Applications (SPAs). Detailed case studies and examples provide a deep understanding of how these attacks are executed and prevented in real-world applications.
Finally, the course covers full-stack attacks, including HTTP parameter pollution, subdomain takeover, and race condition exploits. Through hands-on labs, you'll get the chance to apply your knowledge and explore cutting-edge exploitation techniques. By the end of the course, you’ll have developed the ability to identify, exploit, and mitigate a wide range of web application vulnerabilities.
This course is designed for web developers, security professionals, and penetration testers looking to enhance their expertise in web application security. Prior knowledge of basic web technologies, HTTP, and JavaScript is recommended. Familiarity with core concepts of web security is beneficial but not required.
Overview
Syllabus
- Introduction to the Course
- In this module, we will introduce the course, outlining the major sections and the key concepts learners will explore. You will gain an understanding of how this course is structured to enhance your knowledge of web application security.
- Bypassing Content Security Policy in Modern Web Applications
- In this module, we will delve into various methods for bypassing Content Security Policy (CSP) in modern web applications. You will explore several techniques using ajax.googleapis.com, Flash files, polyglot files, and AngularJS to better understand the vulnerabilities CSP can introduce.
- Hacking Web Applications through PDFs, Images, and Links
- In this module, we will explore the exploitation of web applications using PDFs, images, and links. Through practical examples, you will learn how token hijacking and XSS attacks work and how attackers manipulate user redirection, focusing on key vulnerabilities like tabnabbing.
- Hacking AngularJS Applications
- In this module, we will investigate the vulnerabilities found in AngularJS applications. You will learn about template injection, $scope hacking, and how these weaknesses can be exploited by attackers. Additionally, we will explore techniques that go beyond $scope and demonstrate hacking static templates.
- Exploiting Race Conditions in Web Applications
- In this module, we will explore the concept of race conditions in web applications and how attackers exploit them. Through case studies, including multithreading attacks to steal money and abuse discount codes, you will learn how race conditions create critical vulnerabilities in web systems.
- Full-Stack Attacks on Modern Web Applications
- In this module, we will cover full-stack attacks on modern web applications, focusing on HTTP parameter pollution, subdomain takeovers, and account takeovers through clickjacking. You will gain hands-on experience with these critical vulnerabilities and learn mitigation strategies to protect web applications.
Taught by
Packt - Course Instructors
