CNIT 129S: Securing Web Applications

32711 501 Thu 2:10 - 5:00 PM

Spring 2021 -- Sam Bowne

Schedule · Lecture Notes · Projects · Links · Grading

Use Twitch

To attend class:
https://twitch.tv/sambowne

The old zoom link was
https://zoom.us/j/4108472927
Password: student1

Course Justification

Industry advisors have repeatedly asked us to teach this class, because every modern business needs a web presence and there are far too few workers qualified to protect them from hackers. There are many jobs available for students who learn how to protect our healthcare, financial, and other confidential data from criminals, spies, and pranksters.

Catalog Description

Techniques used by attackers to breach Web applications, and how to protect them. How to secure authentication, access, databases, and back-end components. How to protect users from each other. How to find common vulnerabilities in compiled code and source code.
Advisory: CNIT 131 and CNIT 120, or comparable familiarity with websites and security concepts

Learning Outcomes

Upon successful completion of this course, the student will be able to:

Explain the current state of Web application security

Analyze basic application functionality

Secure data stores and back-end components

Protect users from other users

Demonstrate common exploits and patch their root causes

Implement servers and firewalls effectively

Textbook

"The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470 Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.
CCSF students should take quizzes in the CCSF online Canvas system: https://ccsf.instructure.com/
Non-CCSF students Enroll Here (reset password, if needed)

Discussion Board

Each CCSF student must contribute to the Discussion Board in Canvas. There are dates listed in the schedule with Discussion assignment due.
For the topics and requirements, see the Discussion board in Canvas.

Email

For class-related questions, please send messages inside Canvas, or email cnit.129s@gmail.com

Schedule (subject to revision)
Date	Assignment Due	Topic

Thu 1-21		Ch 1: Web Application (In)security

Thu 1-28	Quiz Ch 1-2 * Proj H 110a *	Ch 2: Core Defense Mechanisms Ch 3: Web Application Technologies

Thu 2-4	Quiz Ch 3 * Proj ED 102 * Discussion 1 *	Project Demonstrations

Thu 2-11	Quiz: Ch 4 Proj ED 103 Discussion 2	Ch 4: Mapping the Application

Thu 2-18	Quiz Ch 5 Proj W 600 Discussion 3	Ch 5: Bypassing Client-Side Controls

Thu 2-25	Quiz: Ch 6 +20 pts of WSA Proj Discussion 4	Ch 6: Attacking Authentication Recommended WSA Topic: Directory Traversal

Thu 3-4	No Quiz +20 pts of WSA Proj Discussion 5	Ch 7: Attacking Session Management Recommended WSA Topic: OS command injection

Thu 3-11	No Quiz due Discussion 6	*Lecture cancelled due to Internet problems*

Thu 3-18	Quiz: Ch 7 & 8 +20 pts of WSA Proj Discussion 7	Ch 8: Attacking Access Controls Ch 9: Attacking Data Stores (Part 1) Recommended WSA Topic: Authentication

Thu 3-25	Quiz: Ch 9 +20 pts of WSA Proj Discussion 8	Ch 9: Attacking Data Stores Recommended WSA Topic: SQL injection

*Fri 4-1*	*Holiday - No Class*

Thu 4-8	Quiz Ch 10 +20 pts of WSA Proj Discussion 9	Ch 10: Attacking Back-End Components Recommended WSA Topic: SQL injection

Thu 4-15	Quiz: Ch 11 +20 pts of WSA Proj Discussion 10	Ch 11: Attacking Application Logic Recommended WSA Topic: Cross-site scripting

Thu 4-22	Quiz Ch 12 +20 pts of WSA Proj Discussion 11	Ch 12: Attacking Users: Cross-Site Scripting Recommended WSA Topic: Cross-site scripting

Thu 4-29	Quiz Ch 13 +20 pts of WSA Proj	Ch 13: Attacking Users: Other Techniques (Part 1) Recommended WSA Topic: Access control vulnerabilities

Thu 5-6	No Quiz +20 pts of WSA Proj	Ch 13: Attacking Users: Other Techniques (Part 2) Recommended WSA Topic: Information disclosure

Thu 5-13	No Quiz All Extra Credit Proj Due	Last Class: Velociraptor

Wed 5-19 - Wed 5-26	Final Exam available online throughout the week. You can only take it once.
	All Quizzes due 30 min. before class * No late penalty until 2-11

Lectures

Grading Policy · First Day Handout
Ch 1: Web Application (In)security &
Ch 2: Core Defense Mechanisms · KEY · PDF
Ch 3: Web Application Technologies · KEY · PDF
How to Burp (PDF)
Ch 4: Mapping the Application · KEY · PDF
Ch 5: Bypassing Client-Side Controls · KEY · PDF
Ch 6: Attacking Authentication · KEY · PDF
Ch 7: Attacking Session Management · KEY · PDF
Ch 8: Attacking Access Controls · KEY · PDF
Ch 9: Attacking Data Stores (Part 1 of 2) · KEY · PDF
Ch 9: Attacking Data Stores (Part 2 of 2) · KEY · PDF
Ch 10: Attacking Back-End Components · KEY · PDF
Ch 11: Attacking Application Logic · KEY · PDF
Ch 12: Attacking Users: Cross-Site Scripting · KEY · PDF
Ch 13: Attacking Users: Other Techniques (Part 1 of 2) · KEY · PDF
Ch 13: Attacking Users: Other Techniques (Part 2 of 2) · KEY · PDF
Ch 14: Automating Customized Attacks
Ch 15: Exploiting Information Disclosure

To get PPT files, use Cloud Convert.

Projects

Submitting Projects

CCSF students must do these things to get credit:

Perform the project steps until you find a flag
Capture a whole-desktop image showing the flag
Submit the image in the appropriate Project in Canvas
Type the flag into the text field

H 110a: Linux Journey (20 pts + 63 extra)
ED 102: Command Injection (20 pts + 40 extra)
ED 103: SQLI Challenges (30 pts + 155 pts extra)
W 100: KONTRA (25 pts extra)
W 600: Burp & Web Security Academy (20 pts)
IR 370: Velociraptor (30 pts extra)

Links
Links for Chapter Lectures Ch 1a: Highly Secure Dogfood Ch 1b: Online Voting - Follow My Vote - 100% Secure Ch 1c: Android Apps Vulnerable to Code Modification Ch 1d: Security Problems at Colleges Ch 1e: CMS Vulnerabilities are Decreasing Ch 1f: Attention SinVR users \| Continuous Cyber Security \| UK \| Digital Interruption (Jan 17, 2018) Ch 2a: SOAP Examples Ch 3a: RESTful Resource Naming Ch 3b: SOAP Examples Ch 3c: HTML form enctype Attribute Ch 3d: Microsoft Edge Browser won't support ActiveX, VBScript, other Internet Explorer features Ch 3e: VBScript is no longer supported in IE11 edge mode (Windows) Ch 3f: JavaScript HTML DOM Ch 3g: DOM example Ch 3h: Map; example of Ajax Ch 3i: Simple Google Maps API Example - Jayway Ch 3k: XMLHttpRequest - Wikipedia Ch 3l: HTTP Status Dogs Ch 4a: Using Burp Spider Ch 4b: How To Burp -- Slides from David Brown Ch 4c: Web Common Directories and Filenames - Word Lists Collection Ch 4d: GitHub - spinkham/skipfish: Web application security scanner created by lcamtuf for google - Unofficial Mirror Ch 4e: Skipfish project instructions Ch 4f: OWASP DirBuster Project Ch 4g: GitHub - sensepost/wikto Ch 4h: httprecon project - advanced http fingerprinting Ch 4i: Electronic & Transactional Content Management \| OpenText, Vignette Ch 4j: httprint download (from 2005) Ch 4k: Web Application Fingerprint (OWASP-IG-004) Ch 4l: How to use Httprint on Kali Linux Ch 4m: Using HTTP Methods (GET, POST, PUT, etc.) in Web API Ch 4n: OWASP DirBuster -- Replaced by Zed Attack Proxy Ch 4o: OWASP Zed Attack Proxy Ch 5a: HTTP ETag - Wikipedia Ch 5b: JavaScript Form Validation Ch 5c: Serialization - Wikipedia Ch 5d: JAVA De-serialization: It can't get any simpler than this !! Ch 5e: WCF Binary Soap Plug-In forï¿½Burp (for Silverlight) Ch 5f: JAD Java Decompiler Download Mirror Ch 5g: Flasm Flash decompiler Ch 5h: Flare Flash decompiler Ch 5i: WebInspect: Dynamic Analysis, DAST, Penetration Testing Tools \| Hewlett Packard Enterprise Ch 5j: .NET Decompiler: Decompile Any .NET Code \| .NET Reflector Ch 5k: Code refactoring - Wikipedia Ch 5l: Java Optimize and Decompile Environment (JODE) Ch 5m: JavaSnoop Download Ch 5n: Hacking Java Applications using JavaSnoop - InfoSec Resources Ch 6a: Microsoft Passport and Windows Hello Ch 6b: Obama's Internet Plan Sounds an Awful Lot Like a National Internet ID (from 2011) Ch 6c: How Weev's prosecutors are making up the rules (2013) Ch 6d: Errata Security: AT&T provides free user information yet again Ch 6e: Secret Microsoft policy limited Hotmail passwords to 16 characters (2012) Ch 6f: Basic access authentication - Wikipedia Ch 6g: Digest access authentication - Wikipedia Ch 7a: ASP.NET View State Overview Ch 7b: Samy Kamkar - phpwn: Attack on PHP Sessions and Random Numbers Ch 7c: How to fix a website with blocked mixed content Ch 7d: HttpOnly - OWASP Ch 7e: PHP: setcookie - Manual Ch 7f: [WEB SECURITY] Technical Note by Amit Klein: "Path Insecurity" Ch 7g: HTTP Strict Transport Security Cheat Sheet - OWASP Ch 7h: Usage Statistics of HTTP Strict Transport Security for Websites Ch 7i: Bypassing HSTS or HPKP in Chrome is a badidea Ch 7l: X-XSS-Protection - HTTP \| MDN Ch 7j: Hack Yourself First: FREE COURSE -- HIGHLY RECOMMENDED Ch 7k: I figured out a way to hack any of Facebook's 2 billion accounts, and they paid me a $15,000 bounty Ch 8a: IBM Knowledge Center - HTTP session manager troubleshooting tips Ch 8b: Vulnerable USA Colleges Ch 9a: escaping - How to escape apostrophe (') in MySql? Ch 9b: javascript - Which Logic Operator Takes Precedence Ch 10a: Microsoft retires Filemon and Regmon from Sysinternals Ch 12w: Memory Forensics: Mandiant Redline Ch 12x: Forensic Investigation with Redline Ch 12a: apache.org incident report for 04/09/2010 Ch 12b: MySpace Worm Explanation Ch 12c: StrongWebmail CEO's mail account hacked via XSS Ch 12d: Two XSS Worms Slam Twitter Ch 12e: Null Byte Injection in PHP Ch 12f: Window atob() Method Ch 12g: Saying goodbye to ActiveX, VBScript, attachEvent-- \| Microsoft Edge Dev Blog Ch 12h: Javascript Packer Ch 12i: Why were Javascript `atob()` and `btoa()` named like that? - Stack Overflow Ch 13a: About IFRAME and clickjacking Ch 13b: AJAX Introduction Ch 13C: XMLHttpRequest Demo Ch 13d: HTTP Response Splitting - OWASP Ch 13e: Report: Microsoft Edge leaks private browsing data locally Ch 13f: Privacy and the :visited selector Ch 13g: The power of DNS rebinding: stealing WiFi passwords with a website Ch 13h: GitHub - taviso/rbndr: Simple DNS Rebinding Service Ch 13i: rbndr.us dns rebinding service Ch 13j: Dear developers, beware of DNS Rebinding Miscellaneous Links Xtreme Vulnerable Web Application (XVWA) -- GOOD FOR PROJECTS SQL Injection Videos - YouTube DVWA - Damn Vulnerable Web Application XVWA Reddit explaining why it exists rapid7/hackazon · GitHub OWASP Broken Web Applications Project hackazon Installation Guide.pdf OWASP Vulnerable Web Applications Directory Project Hackazon -- Public hosted server! Hackazon: Stop hacking like its 1999 - Dan Kuykendall - OWASP AppSec California 2015 - YouTube Hackazon Test Site Review - CyberSecology Wikto XVWA - Xtreme Vulnerable Web Application -- SERVER TO HACK Hackazon -- SERVER TO HACK HTML "text-indent: -9999px" and holding the line Incident Response for an SEO Spammed Website Website Security: How Do Websites Get Hacked? 7 Security Measures to Protect Your Servers \| DigitalOcean Stop Forum Spam -- Useful for WordPress Sites WS-Attacker · SOAP and XML attacks for web app pentesting -- USEFUL FOR PROJECTS securityheaders.io -- USEFUL INFO Security Archive - Case Study: phpbb.com Compromised (from 2009) phpBB.com Hacked in Dec. 2014 dsnextgen.com iframe hack Sfisaca.org ISACA San Francisco -- Domain is 46 years old? Google Flagged My Site as Malware Best Open Source Web Application Vulnerability Scanners - InfoSec Resources WPScan -- Vuln Scanner for Wordpress Sites How To: Use Thug Honeyclient to Investigate a Malicious Website Thug - Python low-interaction honeyclient Welcome to Thug's documentation! Removing a PHP Redirector Security Engineering - VERY USEFUL VULNERABILITY FIXES LifeSize Room Exploits; \"skiplogin\" parameter FTW OWASP VBScan is a Black Box vBulletin Vulnerability Scanner GitHub\'s CSP journey Victor Santoyo: How To Know If You\'ve Been Hacked \| WordPress.tv wordpress-exploit-framework Vulnerable Web Application - bWAPP Weaponized WordPress How Google helps 600,000 webmasters re-secure their hacked sites every year Online CSRF PoC Generator: A web alternative to the Burp Suite Pro and ZAP CSRF PoC generators urlquery.net - Free URL scanner CMSmap automates the process of detecting security flaws of the most popular CMSs In Q1/2016 the most hacked platforms were #WordPress, #Joomla and #Magento. Get our full report here SQLmap POST request injection Joomla : Products and vulnerabilities -- 178 RCE vulns! Wordpress : Products and vulnerabilities -- 53 RCE Vulns Top 10 content management systems CMS Vulnerabilities -- Security is Improving in Recent Years Joomla 1.5 ( 3.4.5 - Object Injection RCE X-Forwarded-For Header (CVE-2015-8562) -- USE FOR PROJECT UNIX / Linux Tutorial for Beginners RingZer0 CTF -- GOOD FOR PRACTICE Javascript without letters or numbers JavaScript written only with brackets? Tripwire Open Source vs. OSSEC : Which Is Right For You? Downloads -- OSSEC Intricately -- fingerprints sites A Beginner's Guide to HTTP/2 and its Importance Practical Website Hacking CTF Practical Web Hacking CTF by InfoSecInstitute Write-up -- Ibrahim M. El-Sayed (the_storm) Hack I-Bank Pro -- Burp defeating authentication Google CTF -- Web Write-Ups (11/15) \| Brett Buerhaus Web Application Pen-testing Tutorials With Mutillidae (Hacking Illustrated Series InfoSec Tutorial Videos) PHP Security: SUHOSIN Over 78% of All PHP Installs Are Insecure (from 2014) How to write insecure code - OWASP PHP Tips, Resources and Best Practices for 2015 10 Most Common Mistakes That PHP Developers Make 7 More Mistakes Commonly Made by PHP Developers 18 Critical Oversights in Web Development BApp Store: Burp Plugins PHP-CGI Exploitation by Example Remote code execution via PHP [Unserialize] PHP Object Injection - OWASP GitHub Pull Request Tutorial Wiley: Evaluation Copies and Desk Copies Secret, forbidden, black-hat technique of obtaining the textbook (DO NOT CLICK THIS LINK) My Python Mirai Honeypot Script WAHH Methodology desktop background for Web Application hackers How to Prevent Windows 10 From Automatically Downloading Updates Rails SQL Injection Examples Common Rails Security Pitfalls and Their Solutions UXSS on Microsoft Edge -- Adventures in a Domainless World Netgear starts patching routers affected by a critical flaw US-CERT: Stop using your remotely exploitable Netgear routers Attacking WordPress SQL Injection in Rails: Live Demonstrations How To Scan And Check A WordPress Website Security Using WPScan, Nmap, And Nikto \| Unixmen Penetration Testing Your WordPress Site - WordPress Security Complete Set Of CGI-BIN Exploits and what they do Article \| Hellbound Hackers INFOSEC INSTITUTE CTF - capture the flag hacking exercises Hacker101 -- Free Web App Security Class -- GOOD FOR PROJECTS Using the Requests Library in Python Amazon Cookie Re-Use Convert cURL command syntax to Python requests Reverse Engineering APIs: Coffee Meets Bagel -- Nik Patel -- Medium Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them Bypassing SAML 2.0 SSO with XML Signature Attacks JavaSerialKiller: Burp extension to perform Java Deserialization Attacks Java Deserialization Attacks with Burp Marshalling Pickles by frohoff Marshalling Pickles - Chris Frohoff & Gabriel Lawrence - OWASP AppSec California 2015 - YouTube On Breaking SAML: Be Whoever You Want to Be Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution) Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792) New Unsorted Links The New zANTI: Mobile Penetration & Security Analysis Toolkit -- USE FOR PROJECTS Burp Hacks for Bounty Hunters - YouTube Web Application Firewalls Reviews Ch 3m: Client-side validation Better API Penetration Testing with Postman Using OWASP ZAP GUI to scan your Applications for security OWASP API Security Top 10 Ch 4p: Google Dorks List 2019 - A Complete Cheat Sheet (New) Google Maps Platform -- Protecting API keys Find Secret API-Keys Keyfinder is a tool that let you find keys while surfing the web! 2020-03-09: REST Assured: Penetration Testing REST APIs Using Burp Suite: Part 1 Blind Cross Site Scripting (XSS) Overview - Bug Bounty Hunting GET YOUR BUG REPORT TRIAGED FASTER! - YouTube Learning path \| Web Security Academy - PortSwigger GitHub - Audi-1/sqli-labs: SQLI labs to test error based, Blind boolean based, Time based. Burp Scanner - Web Vulnerability Scanner from PortSwigger 2023-05-16: Lab: Exploiting Java deserialization with Apache Commons \| Web Security Academy

Links

Links for Chapter Lectures
Ch 1a: Highly Secure Dogfood
Ch 1b: Online Voting - Follow My Vote - 100% Secure
Ch 1c: Android Apps Vulnerable to Code Modification
Ch 1d: Security Problems at Colleges
Ch 1e: CMS Vulnerabilities are Decreasing
Ch 1f: Attention SinVR users | Continuous Cyber Security | UK | Digital Interruption (Jan 17, 2018)

Ch 2a: SOAP Examples

Ch 3a: RESTful Resource Naming
Ch 3b: SOAP Examples
Ch 3c: HTML form enctype Attribute
Ch 3d: Microsoft Edge Browser won't support ActiveX, VBScript, other Internet Explorer features
Ch 3e: VBScript is no longer supported in IE11 edge mode (Windows)
Ch 3f: JavaScript HTML DOM
Ch 3g: DOM example
Ch 3h: Map; example of Ajax
Ch 3i: Simple Google Maps API Example - Jayway
Ch 3k: XMLHttpRequest - Wikipedia
Ch 3l: HTTP Status Dogs

Ch 4a: Using Burp Spider
Ch 4b: How To Burp -- Slides from David Brown
Ch 4c: Web Common Directories and Filenames - Word Lists Collection
Ch 4d: GitHub - spinkham/skipfish: Web application security scanner created by lcamtuf for google - Unofficial Mirror
Ch 4e: Skipfish project instructions
Ch 4f: OWASP DirBuster Project
Ch 4g: GitHub - sensepost/wikto
Ch 4h: httprecon project - advanced http fingerprinting
Ch 4i: Electronic & Transactional Content Management | OpenText, Vignette
Ch 4j: httprint download (from 2005)
Ch 4k: Web Application Fingerprint (OWASP-IG-004)
Ch 4l: How to use Httprint on Kali Linux
Ch 4m: Using HTTP Methods (GET, POST, PUT, etc.) in Web API
Ch 4n: OWASP DirBuster -- Replaced by Zed Attack Proxy
Ch 4o: OWASP Zed Attack Proxy

Ch 5a: HTTP ETag - Wikipedia
Ch 5b: JavaScript Form Validation
Ch 5c: Serialization - Wikipedia
Ch 5d: JAVA De-serialization: It can't get any simpler than this !!
Ch 5e: WCF Binary Soap Plug-In forï¿½Burp (for Silverlight)
Ch 5f: JAD Java Decompiler Download Mirror
Ch 5g: Flasm Flash decompiler
Ch 5h: Flare Flash decompiler
Ch 5i: WebInspect: Dynamic Analysis, DAST, Penetration Testing Tools | Hewlett Packard Enterprise
Ch 5j: .NET Decompiler: Decompile Any .NET Code | .NET Reflector
Ch 5k: Code refactoring - Wikipedia
Ch 5l: Java Optimize and Decompile Environment (JODE)
Ch 5m: JavaSnoop Download
Ch 5n: Hacking Java Applications using JavaSnoop - InfoSec Resources

Ch 6a: Microsoft Passport and Windows Hello
Ch 6b: Obama's Internet Plan Sounds an Awful Lot Like a National Internet ID (from 2011)
Ch 6c: How Weev's prosecutors are making up the rules (2013)
Ch 6d: Errata Security: AT&T provides free user information yet again
Ch 6e: Secret Microsoft policy limited Hotmail passwords to 16 characters (2012)
Ch 6f: Basic access authentication - Wikipedia
Ch 6g: Digest access authentication - Wikipedia

Ch 7a: ASP.NET View State Overview
Ch 7b: Samy Kamkar - phpwn: Attack on PHP Sessions and Random Numbers
Ch 7c: How to fix a website with blocked mixed content
Ch 7d: HttpOnly - OWASP
Ch 7e: PHP: setcookie - Manual
Ch 7f: [WEB SECURITY] Technical Note by Amit Klein: "Path Insecurity"
Ch 7g: HTTP Strict Transport Security Cheat Sheet - OWASP
Ch 7h: Usage Statistics of HTTP Strict Transport Security for Websites
Ch 7i: Bypassing HSTS or HPKP in Chrome is a badidea
Ch 7l: X-XSS-Protection - HTTP | MDN
Ch 7j: Hack Yourself First: FREE COURSE -- HIGHLY RECOMMENDED
Ch 7k: I figured out a way to hack any of Facebook's 2 billion accounts, and they paid me a $15,000 bounty

Ch 8a: IBM Knowledge Center - HTTP session manager troubleshooting tips
Ch 8b: Vulnerable USA Colleges

Ch 9a: escaping - How to escape apostrophe (') in MySql?
Ch 9b: javascript - Which Logic Operator Takes Precedence

Ch 10a: Microsoft retires Filemon and Regmon from Sysinternals

Ch 12w: Memory Forensics: Mandiant Redline
Ch 12x: Forensic Investigation with Redline
Ch 12a: apache.org incident report for 04/09/2010
Ch 12b: MySpace Worm Explanation
Ch 12c: StrongWebmail CEO's mail account hacked via XSS
Ch 12d: Two XSS Worms Slam Twitter
Ch 12e: Null Byte Injection in PHP
Ch 12f: Window atob() Method
Ch 12g: Saying goodbye to ActiveX, VBScript, attachEvent-- | Microsoft Edge Dev Blog
Ch 12h: Javascript Packer
Ch 12i: Why were Javascript `atob()` and `btoa()` named like that? - Stack Overflow

Ch 13a: About IFRAME and clickjacking
Ch 13b: AJAX Introduction
Ch 13C: XMLHttpRequest Demo
Ch 13d: HTTP Response Splitting - OWASP
Ch 13e: Report: Microsoft Edge leaks private browsing data locally
Ch 13f: Privacy and the :visited selector
Ch 13g: The power of DNS rebinding: stealing WiFi passwords with a website
Ch 13h: GitHub - taviso/rbndr: Simple DNS Rebinding Service
Ch 13i: rbndr.us dns rebinding service
Ch 13j: Dear developers, beware of DNS Rebinding

Miscellaneous Links
Xtreme Vulnerable Web Application (XVWA) -- GOOD FOR PROJECTS
SQL Injection Videos - YouTube
DVWA - Damn Vulnerable Web Application
XVWA Reddit explaining why it exists
rapid7/hackazon · GitHub
OWASP Broken Web Applications Project
hackazon Installation Guide.pdf
OWASP Vulnerable Web Applications Directory Project
Hackazon -- Public hosted server!
Hackazon: Stop hacking like its 1999 - Dan Kuykendall - OWASP AppSec California 2015 - YouTube
Hackazon Test Site Review - CyberSecology
Wikto
XVWA - Xtreme Vulnerable Web Application -- SERVER TO HACK
Hackazon -- SERVER TO HACK
HTML "text-indent: -9999px" and holding the line
Incident Response for an SEO Spammed Website
Website Security: How Do Websites Get Hacked?
7 Security Measures to Protect Your Servers | DigitalOcean
Stop Forum Spam -- Useful for WordPress Sites
WS-Attacker · SOAP and XML attacks for web app pentesting -- USEFUL FOR PROJECTS
securityheaders.io -- USEFUL INFO
Security Archive - Case Study: phpbb.com Compromised (from 2009)
phpBB.com Hacked in Dec. 2014
dsnextgen.com iframe hack
Sfisaca.org ISACA San Francisco -- Domain is 46 years old?
Google Flagged My Site as Malware
Best Open Source Web Application Vulnerability Scanners - InfoSec Resources
WPScan -- Vuln Scanner for Wordpress Sites
How To: Use Thug Honeyclient to Investigate a Malicious Website
Thug - Python low-interaction honeyclient
Welcome to Thug's documentation!
Removing a PHP Redirector
Security Engineering - VERY USEFUL VULNERABILITY FIXES
LifeSize Room Exploits; \"skiplogin\" parameter FTW
OWASP VBScan is a Black Box vBulletin Vulnerability Scanner
GitHub\'s CSP journey
Victor Santoyo: How To Know If You\'ve Been Hacked | WordPress.tv
wordpress-exploit-framework
Vulnerable Web Application - bWAPP
Weaponized WordPress
How Google helps 600,000 webmasters re-secure their hacked sites every year
Online CSRF PoC Generator: A web alternative to the Burp Suite Pro and ZAP CSRF PoC generators
urlquery.net - Free URL scanner
CMSmap automates the process of detecting security flaws of the most popular CMSs
In Q1/2016 the most hacked platforms were #WordPress, #Joomla and #Magento. Get our full report here
SQLmap POST request injection
Joomla : Products and vulnerabilities -- 178 RCE vulns!
Wordpress : Products and vulnerabilities -- 53 RCE Vulns
Top 10 content management systems
CMS Vulnerabilities -- Security is Improving in Recent Years
Joomla 1.5 ( 3.4.5 - Object Injection RCE X-Forwarded-For Header (CVE-2015-8562) -- USE FOR PROJECT
UNIX / Linux Tutorial for Beginners
RingZer0 CTF -- GOOD FOR PRACTICE
Javascript without letters or numbers
JavaScript written only with brackets?
Tripwire Open Source vs. OSSEC : Which Is Right For You?
Downloads -- OSSEC
Intricately -- fingerprints sites
A Beginner's Guide to HTTP/2 and its Importance
Practical Website Hacking CTF
Practical Web Hacking CTF by InfoSecInstitute Write-up -- Ibrahim M. El-Sayed (the_storm)
Hack I-Bank Pro -- Burp defeating authentication
Google CTF -- Web Write-Ups (11/15) | Brett Buerhaus
Web Application Pen-testing Tutorials With Mutillidae (Hacking Illustrated Series InfoSec Tutorial Videos)
PHP Security: SUHOSIN
Over 78% of All PHP Installs Are Insecure (from 2014)
How to write insecure code - OWASP
PHP Tips, Resources and Best Practices for 2015
10 Most Common Mistakes That PHP Developers Make
7 More Mistakes Commonly Made by PHP Developers
18 Critical Oversights in Web Development
BApp Store: Burp Plugins
PHP-CGI Exploitation by Example
Remote code execution via PHP [Unserialize]
PHP Object Injection - OWASP
GitHub Pull Request Tutorial
Wiley: Evaluation Copies and Desk Copies
Secret, forbidden, black-hat technique of obtaining the textbook (DO NOT CLICK THIS LINK)
My Python Mirai Honeypot Script
WAHH Methodology desktop background for Web Application hackers
How to Prevent Windows 10 From Automatically Downloading Updates
Rails SQL Injection Examples
Common Rails Security Pitfalls and Their Solutions
UXSS on Microsoft Edge -- Adventures in a Domainless World
Netgear starts patching routers affected by a critical flaw
US-CERT: Stop using your remotely exploitable Netgear routers
Attacking WordPress
SQL Injection in Rails: Live Demonstrations
How To Scan And Check A WordPress Website Security Using WPScan, Nmap, And Nikto | Unixmen
Penetration Testing Your WordPress Site - WordPress Security
Complete Set Of CGI-BIN Exploits and what they do Article | Hellbound Hackers
INFOSEC INSTITUTE CTF - capture the flag hacking exercises
Hacker101 -- Free Web App Security Class -- GOOD FOR PROJECTS
Using the Requests Library in Python
Amazon Cookie Re-Use
Convert cURL command syntax to Python requests
Reverse Engineering APIs: Coffee Meets Bagel -- Nik Patel -- Medium
Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them
Bypassing SAML 2.0 SSO with XML Signature Attacks
JavaSerialKiller: Burp extension to perform Java Deserialization Attacks
Java Deserialization Attacks with Burp
Marshalling Pickles by frohoff
Marshalling Pickles - Chris Frohoff & Gabriel Lawrence - OWASP AppSec California 2015 - YouTube
On Breaking SAML: Be Whoever You Want to Be
Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)

New Unsorted Links
The New zANTI: Mobile Penetration & Security Analysis Toolkit -- USE FOR PROJECTS
Burp Hacks for Bounty Hunters - YouTube
Web Application Firewalls Reviews
Ch 3m: Client-side validation
Better API Penetration Testing with Postman
Using OWASP ZAP GUI to scan your Applications for security
OWASP API Security Top 10
Ch 4p: Google Dorks List 2019 - A Complete Cheat Sheet (New)
Google Maps Platform -- Protecting API keys
Find Secret API-Keys
Keyfinder is a tool that let you find keys while surfing the web!
2020-03-09: REST Assured: Penetration Testing REST APIs Using Burp Suite: Part 1
Blind Cross Site Scripting (XSS) Overview - Bug Bounty Hunting
GET YOUR BUG REPORT TRIAGED FASTER! - YouTube
Learning path | Web Security Academy - PortSwigger
GitHub - Audi-1/sqli-labs: SQLI labs to test error based, Blind boolean based, Time based.
Burp Scanner - Web Vulnerability Scanner from PortSwigger
2023-05-16: Lab: Exploiting Java deserialization with Apache Commons | Web Security Academy

Last updated: 5-13-21 6:10 pm