Black Hat Graphql

Black Hat GraphQL

Author : Nick Aleks

Publisher : No Starch Press

Page : 313 pages

File Size : 19,55 MB

Release : 2023-05-23

Category : Computers

ISBN : 1718502842

Get eBook

Book Description

Written by hackers for hackers, this hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub. Black Hat GraphQL is for anyone interested in learning how to break and protect GraphQL APIs with the aid of offensive security testing. Whether you’re a penetration tester, security analyst, or software engineer, you’ll learn how to attack GraphQL APIs, develop hardening procedures, build automated security testing into your development pipeline, and validate controls, all with no prior exposure to GraphQL required. Following an introduction to core concepts, you’ll build your lab, explore the difference between GraphQL and REST APIs, run your first query, and learn how to create custom queries. You’ll also learn how to: Use data collection and target mapping to learn about targets Defend APIs against denial-of-service attacks and exploit insecure configurations in GraphQL servers to gather information on hardened targets Impersonate users and take admin-level actions on a remote server Uncover injection-based vulnerabilities in servers, databases, and client browsers Exploit cross-site and server-side request forgery vulnerabilities, as well as cross-site WebSocket hijacking, to force a server to request sensitive information on your behalf Dissect vulnerability disclosure reports and review exploit code to reveal how vulnerabilities have impacted large companies This comprehensive resource provides everything you need to defend GraphQL APIs and build secure applications. Think of it as your umbrella in a lightning storm.



Black Hat Go

Author : Tom Steele

Publisher : No Starch Press

Page : 369 pages

File Size : 37,24 MB

Release : 2020-02-04

Category : Computers

ISBN : 1593278667

Get eBook

Book Description

Like the best-selling Black Hat Python, Black Hat Go explores the darker side of the popular Go programming language. This collection of short scripts will help you test your systems, build and automate tools to fit your needs, and improve your offensive security skillset. Black Hat Go explores the darker side of Go, the popular programming language revered by hackers for its simplicity, efficiency, and reliability. It provides an arsenal of practical tactics from the perspective of security practitioners and hackers to help you test your systems, build and automate tools to fit your needs, and improve your offensive security skillset, all using the power of Go. You'll begin your journey with a basic overview of Go's syntax and philosophy and then start to explore examples that you can leverage for tool development, including common network protocols like HTTP, DNS, and SMB. You'll then dig into various tactics and problems that penetration testers encounter, addressing things like data pilfering, packet sniffing, and exploit development. You'll create dynamic, pluggable tools before diving into cryptography, attacking Microsoft Windows, and implementing steganography. You'll learn how to: Make performant tools that can be used for your own security projects Create usable tools that interact with remote APIs Scrape arbitrary HTML data Use Go's standard package, net/http, for building HTTP servers Write your own DNS server and proxy Use DNS tunneling to establish a C2 channel out of a restrictive network Create a vulnerability fuzzer to discover an application's security weaknesses Use plug-ins and extensions to future-proof productsBuild an RC2 symmetric-key brute-forcer Implant data within a Portable Network Graphics (PNG) image. Are you ready to add to your arsenal of security tools? Then let's Go!



Black Hat Bash

Author : Nick Aleks

Publisher : No Starch Press

Page : 345 pages

File Size : 39,38 MB

Release : 2024-10-01

Category : Computers

ISBN : 171850375X

Get eBook

Book Description

Master the art of offensive bash scripting. This highly practical hands-on guide covers chaining commands together, automating tasks, crafting living-off-the-land attacks, and more! In the hands of the penetration tester, bash scripting becomes a powerful offensive security tool. In Black Hat Bash, you’ll learn how to use bash to automate tasks, develop custom tools, uncover vulnerabilities, and execute advanced, living-off-the-land attacks against Linux servers. You’ll build a toolbox of bash scripts that will save you hours of manual work. And your only prerequisite is basic familiarity with the Linux operating system. You’ll learn the basics of bash syntax, then set up a Kali Linux lab to apply your skills across each stage of a penetration test—from initial access to data exfiltration. Along the way, you’ll learn how to perform OS command injection, access remote machines, gather information stealthily, and navigate restricted networks to find the crown jewels. Hands-on exercises throughout will have you applying your newfound skills. Key topics covered include: Bash scripting essentials: From control structures, functions, loops, and text manipulation with grep, awk, and sed. How to set up your lab: Create a hacking environment with Kali and Docker and install additional tools. Reconnaissance and vulnerability scanning: Learn how to perform host discovery, fuzzing, and port scanning using tools like Wfuzz, Nmap, and Nuclei. Exploitation and privilege escalation: Establish web and reverse shells, and maintain continuous access. Defense evasion and lateral movement: Audit hosts for landmines, avoid detection, and move through networks to uncover additional targets. Whether you’re a pentester, a bug bounty hunter, or a student entering the cybersecurity field, Black Hat Bash will teach you how to automate, customize, and optimize your offensive security strategies quickly and efficiently, with no true sorcery required.



Penetration Testing

Author : Georgia Weidman

Publisher : No Starch Press

Page : 531 pages

File Size : 40,67 MB

Release : 2014-06-14

Category : Computers

ISBN : 1593275641

Get eBook

Book Description

Penetration testers simulate cyber attacks to find security weaknesses in networks, operating systems, and applications. Information security experts worldwide use penetration techniques to evaluate enterprise defenses. In Penetration Testing, security expert, researcher, and trainer Georgia Weidman introduces you to the core skills and techniques that every pentester needs. Using a virtual machine–based lab that includes Kali Linux and vulnerable operating systems, you’ll run through a series of practical lessons with tools like Wireshark, Nmap, and Burp Suite. As you follow along with the labs and launch attacks, you’ll experience the key stages of an actual assessment—including information gathering, finding exploitable vulnerabilities, gaining access to systems, post exploitation, and more. Learn how to: –Crack passwords and wireless network keys with brute-forcing and wordlists –Test web applications for vulnerabilities –Use the Metasploit Framework to launch exploits and write your own Metasploit modules –Automate social-engineering attacks –Bypass antivirus software –Turn access to one machine into total control of the enterprise in the post exploitation phase You’ll even explore writing your own exploits. Then it’s on to mobile hacking—Weidman’s particular area of research—with her tool, the Smartphone Pentest Framework. With its collection of hands-on lessons that cover key tools and strategies, Penetration Testing is the introduction that every aspiring hacker needs.



Hacking APIs

Author : Corey J. Ball

Publisher : No Starch Press

Page : 362 pages

File Size : 46,85 MB

Release : 2022-07-05

Category : Computers

ISBN : 1718502451

Get eBook

Book Description

Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure. Hacking APIs is a crash course on web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure. You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks. In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll practice: • Enumerating APIs users and endpoints using fuzzing techniques • Using Postman to discover an excessive data exposure vulnerability • Performing a JSON Web Token attack against an API authentication process • Combining multiple API attack techniques to perform a NoSQL injection • Attacking a GraphQL API to uncover a broken object level authorization vulnerability By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.



Bug Bounty Bootcamp

Author : Vickie Li

Publisher : No Starch Press

Page : 444 pages

File Size : 30,31 MB

Release : 2021-11-16

Category : Computers

ISBN : 1718501552

Get eBook

Book Description

Bug Bounty Bootcamp teaches you how to hack web applications. You will learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them. You’ll also learn how to navigate bug bounty programs set up by companies to reward security professionals for finding bugs in their web applications. Bug bounty programs are company-sponsored programs that invite researchers to search for vulnerabilities on their applications and reward them for their findings. This book is designed to help beginners with little to no security experience learn web hacking, find bugs, and stay competitive in this booming and lucrative industry. You’ll start by learning how to choose a program, write quality bug reports, and maintain professional relationships in the industry. Then you’ll learn how to set up a web hacking lab and use a proxy to capture traffic. In Part 3 of the book, you’ll explore the mechanisms of common web vulnerabilities, like XSS, SQL injection, and template injection, and receive detailed advice on how to find them and bypass common protections. You’ll also learn how to chain multiple bugs to maximize the impact of your vulnerabilities. Finally, the book touches on advanced techniques rarely covered in introductory hacking books but that are crucial to understand to hack web applications. You’ll learn how to hack mobile apps, review an application’s source code for security issues, find vulnerabilities in APIs, and automate your hacking process. By the end of the book, you’ll have learned the tools and techniques necessary to be a competent web hacker and find bugs on a bug bounty program.



Learning GraphQL

Author : Eve Porcello

Publisher : "O'Reilly Media, Inc."

Page : 195 pages

File Size : 50,92 MB

Release : 2018-08-09

Category : Computers

ISBN : 1492044865

Get eBook

Book Description

Why is GraphQL the most innovative technology for fetching data since Ajax? By providing a query language for your APIs and a runtime for fulfilling queries with your data, GraphQL presents a clear alternative to REST and ad hoc web service architectures. With this practical guide, Alex Banks and Eve Porcello deliver a clear learning path for frontend web developers, backend engineers, and project and product managers looking to get started with GraphQL. Youâ??ll explore graph theory, the graph data structure, and GraphQL types before learning hands-on how to build a schema for a photo-sharing application. This book also introduces you to Apollo Client, a popular framework you can use to connect GraphQL to your user interface. Explore graph theory and review popular graph examples in use today Learn how GraphQL applies database querying methods to the internet Create a schema for a PhotoShare application that serves as a roadmap and a contract between the frontend and backend teams Use JavaScript to build a fully functioning GraphQL service and Apollo to implement a client Learn how to prepare GraphQL APIs and clients for production



Android Security Internals

Author : Nikolay Elenkov

Publisher : No Starch Press

Page : 434 pages

File Size : 31,94 MB

Release : 2014-10-14

Category : Computers

ISBN : 1593275811

Get eBook

Book Description

There are more than one billion Android devices in use today, each one a potential target. Unfortunately, many fundamental Android security features have been little more than a black box to all but the most elite security professionals—until now. In Android Security Internals, top Android security expert Nikolay Elenkov takes us under the hood of the Android security sys­tem. Elenkov describes Android security archi­tecture from the bottom up, delving into the imple­mentation of major security-related components and subsystems, like Binder IPC, permissions, cryptographic providers, and device administration. You’ll learn: –How Android permissions are declared, used, and enforced –How Android manages application packages and employs code signing to verify their authenticity –How Android implements the Java Cryptography Architecture (JCA) and Java Secure Socket Extension (JSSE) frameworks –About Android’s credential storage system and APIs, which let applications store cryptographic keys securely –About the online account management framework and how Google accounts integrate with Android –About the implementation of verified boot, disk encryption, lockscreen, and other device security features –How Android’s bootloader and recovery OS are used to perform full system updates, and how to obtain root access With its unprecedented level of depth and detail, Android Security Internals is a must-have for any security-minded Android developer.



Real-World Bug Hunting

Author : Peter Yaworski

Publisher : No Starch Press

Page : 265 pages

File Size : 18,32 MB

Release : 2019-07-09

Category : Computers

ISBN : 1593278616

Get eBook

Book Description

Learn how people break websites and how you can, too. Real-World Bug Hunting is the premier field guide to finding software bugs. Whether you're a cyber-security beginner who wants to make the internet safer or a seasoned developer who wants to write secure code, ethical hacker Peter Yaworski will show you how it's done. You'll learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery. Using real-life case studies of rewarded vulnerabilities from applications like Twitter, Facebook, Google, and Uber, you'll see how hackers manage to invoke race conditions while transferring money, use URL parameter to cause users to like unintended tweets, and more. Each chapter introduces a vulnerability type accompanied by a series of actual reported bug bounties. The book's collection of tales from the field will teach you how attackers trick users into giving away their sensitive information and how sites may reveal their vulnerabilities to savvy users. You'll even learn how you could turn your challenging new hobby into a successful career. You'll learn: How the internet works and basic web hacking concepts How attackers compromise websites How to identify functionality commonly associated with vulnerabilities How to find bug bounty programs and submit effective vulnerability reports Real-World Bug Hunting is a fascinating soup-to-nuts primer on web security vulnerabilities, filled with stories from the trenches and practical wisdom. With your new understanding of site security and weaknesses, you can help make the web a safer place--and profit while you're at it.



GraphQL in Action

Author : Samer Buna

Publisher : Manning Publications

Page : 382 pages

File Size : 38,56 MB

Release : 2021-03-09

Category : Computers

ISBN : 161729568X

Get eBook

Book Description

GraphQL in Action gives you the tools to get comfortable with the GraphQL language, build and optimize a data API service, and use it in a front-end client application. Summary Reduce bandwidth demands on your APIs by getting only the results you need—all in a single request! The GraphQL query language simplifies interactions with web servers, enabling smarter API queries that can hugely improve the efficiency of data requests. In GraphQL in Action, you'll learn how to bring those benefits to your own APIs, giving your clients the power to ask for exactly what they need from your server, no more, no less. Practical and example-driven, this book teaches everything you need to get started with GraphQL—from design principles and syntax right through to performance optimization. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications. About the technology GraphQL APIs are fast, efficient, and easy to maintain. They reduce app latency and server cost while boosting developer productivity. This powerful query layer offers precise control over API requests and returns, making apps faster and less prone to error. About the book GraphQL in Action gives you the tools to get comfortable with the GraphQL language, build and optimize a data API service, and use it in a front-end client application. By working through set up, security, and error handling you'll learn to create a complete GraphQL server. You'll also unlock easy ways to incorporate GraphQL into your existing codebase so you can build simple, scalable data APIs. What's inside Define a GraphQL schema for relational and document databases Implement GraphQL types using both the schema language and object constructor methods Optimize GraphQL resolvers with data caching and batching Design GraphQL fragments that match UI components' data requirements Consume GraphQL API queries, mutations, and subscriptions with and without a GraphQL client library About the reader For web developers familiar with client-server applications. About the author Samer Buna has over 20 years of experience in software development including front-ends, back-ends, API design, and scalability. Table of Contents PART 1- EXPLORING GRAPHQL 1 Introduction to GraphQL 2 Exploring GraphQL APIs 3 Customizing and organizing GraphQL operations PART 2 - BUILDING GRAPHQL APIs 4 Designing a GraphQL schema 5 Implementing schema resolvers 6 Working with database models and relations 7 Optimizing data fetching 8 Implementing mutations PART 3 - USING GRAPHQL APIs 9 Using GraphQL APIs without a client library 10 Using GraphQL APIs with Apollo client