Without a doubt, one of the best websites in the world in the field of penetration testing is the OWASP website, which, following standards that have proven themselves over twenty years, provides training in penetration testing and shows us the way. For this reason, I took these excellent tutorials (scattered, though, in a way that makes comprehension hard for the reader) out of their scattered state and collected all of the material into a single book as a PDF, so that the reader's progress and understanding would be easy.
These texts are purely copies of the original texts and no changes have been made to them, but I have collected the pages that appear as references from the OWASP website (not other websites) within this tutorial and added them to this book. I have also provided material from other sources to make working through and understanding this huge book easier for you, so as to answer some of the basic questions you may have while reading. For example, the names of the tools used for the various aspects of penetration testing, together with a brief description of each, are brought to you from reputable sources. Likewise, the various attacks and vulnerabilities, together with their descriptions, are taken from the OWASP site.
This book does not cover carrying out attacks, but it gives you expert-level security knowledge and familiarizes you with the types of attacks, the vulnerabilities and the concepts behind them.
Note: this book contains links that you can visit while reading and study further. These links include books, reputable sites in the security field, videos from YouTube, and so on.
Warning: under no circumstances carry out the examples and attacks in this book, as they are very dangerous; the consequences of carrying out the attacks and examples in the book rest with the individual, and Ahmad Hashemipour bears no responsibility in this regard.
Book details:
Language : English
Number of pages : 2376
Compiler : Ahmad Hashemipour
Author of most sections of the book : Eoin Keary
Color images : yes
Cheat sheets included : yes (not all cheat sheets are included, but their links are provided)
Download file format : PDF
File size : 21.3 MB
Prerequisites :
Knowledge of English
Programming knowledge
Linux operating system knowledge (beginner)
Computer fundamentals
Networking knowledge (beginner)
Table of contents :
WSTG Contents
• 0. Foreword by Eoin Keary
• 1. Frontispiece
• 2. Introduction
• 2.1 The OWASP Testing Project
• 2.2 Principles of Testing
• 2.3 Testing Techniques Explained
• 2.4 Manual Inspections and Reviews
• 2.5 Threat Modeling
• 2.6 Source Code Review
• 2.7 Penetration Testing
• 2.8 The Need for a Balanced Approach
• 2.9 Deriving Security Test Requirements
• 2.10 Security Tests Integrated in Development and Testing Workflows
• 2.11 Security Test Data Analysis and Reporting
• 3. The OWASP Testing Framework
• 3.1 The Web Security Testing Framework
• 3.2 Phase 1 Before Development Begins
• 3.3 Phase 2 During Definition and Design
• 3.4 Phase 3 During Development
• 3.5 Phase 4 During Deployment
• 3.6 Phase 5 During Maintenance and Operations
• 3.7 A Typical SDLC Testing Workflow
• 3.8 Penetration Testing Methodologies
• 4. Web Application Security Testing
• 4.0 Introduction and Objectives
• 4.1 Information Gathering
• 4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage
• 4.1.2 Fingerprint Web Server
• 4.1.3 Review Webserver Metafiles for Information Leakage
• 4.1.4 Enumerate Applications on Webserver
• 4.1.5 Review Webpage Content for Information Leakage
• 4.1.6 Identify Application Entry Points
• 4.1.7 Map Execution Paths Through Application
• 4.1.8 Fingerprint Web Application Framework
• 4.1.9 Fingerprint Web Application
• 4.1.10 Map Application Architecture
• 4.2 Configuration and Deployment Management Testing
• 4.2.1 Test Network Infrastructure Configuration
• 4.2.2 Test Application Platform Configuration
• 4.2.3 Test File Extensions Handling for Sensitive Information
• 4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information
• 4.2.5 Enumerate Infrastructure and Application Admin Interfaces
• 4.2.6 Test HTTP Methods
• HttpOnly
• DOM Based XSS
• 4.2.7 Test HTTP Strict Transport Security
• 4.2.8 Test RIA Cross Domain Policy
• 4.2.9 Test File Permission
• 4.2.10 Test for Subdomain Takeover
• 4.2.11 Test Cloud Storage
• 4.3 Identity Management Testing
• 4.3.1 Test Role Definitions
• 4.3.2 Test User Registration Process
• 4.3.3 Test Account Provisioning Process
• 4.3.4 Testing for Account Enumeration and Guessable User Account
• 4.3.5 Testing for Weak or Unenforced Username Policy
• 4.4 Authentication Testing
• 4.4.1 Testing for Credentials Transported over an Encrypted Channel
• 4.4.2 Testing for Default Credentials
• 4.4.3 Testing for Weak Lock Out Mechanism
• 4.4.4 Testing for Bypassing Authentication Schema
• 4.4.5 Testing for Vulnerable Remember Password
• 4.4.6 Testing for Browser Cache Weaknesses
• 4.4.7 Testing for Weak Password Policy
• 4.4.8 Testing for Weak Security Question Answer
• 4.4.9 Testing for Weak Password Change or Reset Functionalities
• 4.4.10 Testing for Weaker Authentication in Alternative Channel
• 4.5 Authorization Testing
• 4.5.1 Testing Directory Traversal File Include
• 4.5.2 Testing for Bypassing Authorization Schema
• 4.5.3 Testing for Privilege Escalation
• 4.5.4 Testing for Insecure Direct Object References
• 4.6 Session Management Testing
• 4.6.1 Testing for Session Management Schema
• 4.6.2 Testing for Cookies Attributes
• 4.6.3 Testing for Session Fixation
• 4.6.4 Testing for Exposed Session Variables
• 4.6.5 Testing for Cross Site Request Forgery
• 4.6.6 Testing for Logout Functionality
• 4.6.7 Testing Session Timeout
• 4.6.8 Testing for Session Puzzling
• 4.6.9 Testing for Session Hijacking
• 4.7 Input Validation Testing
• 4.7.1 Testing for Reflected Cross Site Scripting
• 4.7.2 Testing for Stored Cross Site Scripting
• 4.7.3 Testing for HTTP Verb Tampering
• 4.7.4 Testing for HTTP Parameter Pollution
• 4.7.5 Testing for SQL Injection
• 4.7.5.1 Testing for Oracle
• 4.7.5.2 Testing for MySQL
• 4.7.5.3 Testing for SQL Server
• 4.7.5.4 Testing PostgreSQL
• 4.7.5.5 Testing for MS Access
• 4.7.5.6 Testing for NoSQL Injection
• 4.7.5.7 Testing for ORM Injection
• 4.7.5.8 Testing for Client-side
• 4.7.6 Testing for LDAP Injection
• 4.7.7 Testing for XML Injection
• 4.7.8 Testing for SSI Injection
• 4.7.9 Testing for XPath Injection
• 4.7.10 Testing for IMAP SMTP Injection
• 4.7.11 Testing for Code Injection
• 4.7.11.1 Testing for Local File Inclusion
• 4.7.11.2 Testing for Remote File Inclusion
• 4.7.12 Testing for Command Injection
• 4.7.13 Testing for Format String Injection
• Fuzzing
• 4.7.14 Testing for Incubated Vulnerability
• 4.7.15 Testing for HTTP Splitting Smuggling
• 4.7.16 Testing for HTTP Incoming Requests
• 4.7.17 Testing for Host Header Injection
• 4.7.18 Testing for Server-side Template Injection
• 4.7.19 Testing for Server-Side Request Forgery
• 4.8 Testing for Error Handling
• 4.8.1 Testing for Improper Error Handling
• C10: Handle all Errors and Exceptions
• 4.8.2 Testing for Stack Traces
• 4.9 Testing for Weak Cryptography
• 4.9.1 Testing for Weak Transport Layer Security
• 4.9.2 Testing for Padding Oracle
• 4.9.3 Testing for Sensitive Information Sent via Unencrypted Channels
• 4.9.4 Testing for Weak Encryption
• 4.10 Business Logic Testing
• 4.10.0 Introduction to Business Logic
• 4.10.1 Test Business Logic Data Validation
• C5: Validate All Inputs
• Mass Assignment Cheat Sheet
• Cross Site Scripting Prevention Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Input Validation Cheat Sheet
• 4.10.2 Test Ability to Forge Requests
• 4.10.3 Test Integrity Checks
• 4.10.4 Test for Process Timing
• 4.10.5 Test Number of Times a Function Can Be Used Limits
• 4.10.6 Testing for the Circumvention of Work Flows
• 4.10.7 Test Defenses Against Application Misuse
• 4.10.8 Test Upload of Unexpected File Types
• 4.10.9 Test Upload of Malicious Files
• 4.11 Client-side Testing
• 4.11.1 Testing for DOM-Based Cross Site Scripting
• 4.11.2 Testing for JavaScript Execution
• 4.11.3 Testing for HTML Injection
• 4.11.4 Testing for Client-side URL Redirect
• 4.11.5 Testing for CSS Injection
• 4.11.6 Testing for Client-side Resource Manipulation
• 4.11.7 Testing Cross Origin Resource Sharing
• 4.11.8 Testing for Cross Site Flashing
• 4.11.9 Testing for Clickjacking
• 4.11.10 Testing WebSockets
• 4.11.11 Testing Web Messaging
• 4.11.12 Testing Browser Storage
• 4.11.13 Testing for Cross Site Script Inclusion
• 4.12 API Testing
• 4.12.1 Testing GraphQL
• 5. Reporting
• Appendix A. Testing Tools Resource
• Appendix B. Suggested Reading
• Appendix C. Fuzz Vectors
• Appendix D. Encoded Injection
• Appendix E. History
• Appendix F. Leveraging Dev Tools
• Penetration test Kali tools listing
• Information Gathering
• ace-voip
• Amap
• APT2
• arp-scan
• Automater
• bing-ip2hosts
• braa
• CaseFile
• CDPSnarf
• cisco-torch
• copy-router-config
• DMitry
• dnmap
• dnsenum
• dnsmap
• DNSRecon
• dnstracer
• dnswalk
• DotDotPwn
• enum4linux
• enumIAX
• EyeWitness
• Faraday
• Fierce
• Firewalk
• fragroute
• fragrouter
• Ghost Phisher
• GoLismero
• goofile
• hping3
• ident-user-enum
• InSpy
• InTrace
• iSMTP
• lbd
• Maltego Teeth
• masscan
• Metagoofil
• Miranda
• nbtscan-unixwiz
• Nikto
• Nmap
• ntop
• OSRFramework
• p0f
• Parsero
• Recon-ng
• SET
• SMBMap
• smtp-user-enum
• snmp-check
• SPARTA
• sslcaudit
• SSLsplit
• sslstrip
• SSLyze
• Sublist3r
• THC-IPV6
• theHarvester
• TLSSLed
• twofi
• Unicornscan
• URLCrazy
• Wireshark
• WOL-E
• Xplico
• Vulnerability Analysis
• BBQSQL
• BED
• cisco-auditing-tool
• cisco-global-exploiter
• cisco-ocs
• cisco-torch
• copy-router-config
• Doona
• DotDotPwn
• HexorBase
• jSQL Injection
• Lynis
• Nmap
• ohrwurm
• openvas
• Oscanner
• Powerfuzzer
• sfuzz
• SidGuesser
• SIPArmyKnife
• sqlmap
• Sqlninja
• sqlsus
• THC-IPV6
• tnscmd10g
• unix-privesc-check
• Yersinia
• Exploitation Tools
• Armitage
• Backdoor Factory
• BeEF
• cisco-auditing-tool
• cisco-global-exploiter
• cisco-ocs
• cisco-torch
• Commix
• crackle
• exploitdb
• jboss-autopwn
• Linux Exploit Suggester
• Maltego Teeth
• Metasploit Framework
• MSFPC
• RouterSploit
• SET
• ShellNoob
• sqlmap
• THC-IPV6
• Yersinia
• Wireless Attacks
• Airbase-ng
• Aircrack-ng
• Airdecap-ng and Airdecloak-ng
• Aireplay-ng
• airgraph-ng
• Airmon-ng
• Airodump-ng
• airodump-ng-oui-update
• Airolib-ng
• Airserv-ng
• Airtun-ng
• Asleap
• Besside-ng
• Bluelog
• BlueMaho
• Bluepot
• BlueRanger
• Bluesnarfer
• Bully
• coWPAtty
• crackle
• eapmd5pass
• Easside-ng
• Fern Wifi Cracker
• FreeRADIUS-WPE
• Ghost Phisher
• GISKismet
• Gqrx
• gr-scan
• hostapd-wpe
• ivstools
• kalibrate-rtl
• KillerBee
• Kismet
• makeivs-ng
• mdk3
• mfcuk
• mfoc
• mfterm
• Multimon-NG
• Packetforge-ng
• PixieWPS
• Pyrit
• Reaver
• redfang
• RTLSDR Scanner
• Spooftooph
• Tkiptun-ng
• Wesside-ng
• Wifi Honey
• wifiphisher
• Wifitap
• Wifite
• wpaclean
• Forensics Tools
• Binwalk
• bulk-extractor
• Capstone
• chntpw
• Cuckoo
• dc3dd
• ddrescue
• DFF
• diStorm3
• Dumpzilla
• extundelete
• Foremost
• Galleta
• Guymager
• iPhone Backup Analyzer
• p0f
• pdf-parser
• pdfid
• pdgmail
• peepdf
• RegRipper
• Volatility
• Xplico
• Web Applications
• apache-users
• Arachni
• BBQSQL
• BlindElephant
• Burp Suite
• CutyCapt
• DAVTest
• deblaze
• DIRB
• DirBuster
• fimap
• FunkLoad
• Gobuster
• Grabber
• hURL
• jboss-autopwn
• joomscan
• jSQL Injection
• Maltego Teeth
• Nikto
• PadBuster
• Paros
• Parsero
• plecost
• Powerfuzzer
• ProxyStrike
• Recon-ng
• Skipfish
• sqlmap
• Sqlninja
• sqlsus
• ua-tester
• Uniscan
• w3af
• WebScarab
• Webshag
• WebSlayer
• WebSploit
• Wfuzz
• WhatWeb
• WPScan
• XSSer
• zaproxy
• Stress Testing
• DHCPig
• FunkLoad
• iaxflood
• Inundator
• inviteflood
• ipv6-toolkit
• mdk3
• Reaver
• rtpflood
• SlowHTTPTest
• t50
• Termineter
• THC-IPV6
• THC-SSL-DOS
• Sniffing & Spoofing
• bettercap
• Burp Suite
• DNSChef
• fiked
• hamster-sidejack
• HexInject
• iaxflood
• inviteflood
• iSMTP
• isr-evilgrade
• mitmproxy
• ohrwurm
• protos-sip
• rebind
• responder
• rtpbreak
• rtpinsertsound
• rtpmixsound
• sctpscan
• SIPArmyKnife
• SIPp
• SIPVicious
• SniffJoke
• SSLsplit
• sslstrip
• THC-IPV6
• VoIPHopper
• WebScarab
• Wifi Honey
• Wireshark
• xspy
• Yersinia
• zaproxy
• Password Attacks
• BruteSpray
• Burp Suite
• CeWL
• chntpw
• cisco-auditing-tool
• CmosPwd
• creddump
• crowbar
• crunch
• findmyhash
• gpp-decrypt
• hash-identifier
• Hashcat
• HexorBase
• THC-Hydra
• John the Ripper
• Johnny
• keimpx
• Maltego Teeth
• Maskprocessor
• multiforcer
• Ncrack
• oclgausscrack
• ophcrack
• PACK
• patator
• phrasendrescher
• polenum
• RainbowCrack
• rcracki-mt
• RSMangler
• SecLists
• SQLdict
• Statsprocessor
• THC-pptp-bruter
• TrueCrack
• WebScarab
• wordlists
• zaproxy
• Maintaining Access
• CryptCat
• Cymothoa
• dbd
• dns2tcp
• HTTPTunnel
• Intersect
• Nishang
• polenum
• PowerSploit
• pwnat
• RidEnum
• sbd
• shellter
• U3-Pwn
• Webshells
• Weevely
• Winexe
• Hardware Hacking
• android-sdk
• apktool
• Arduino
• dex2jar
• Sakis3G
• smali
• Reverse Engineering
• apktool
• dex2jar
• diStorm3
• edb-debugger
• jad
• javasnoop
• JD-GUI
• OllyDbg
• smali
• Valgrind
• YARA
• Reporting Tools
• CaseFile
• cherrytree
• CutyCapt
• dos2unix
• Dradis
• MagicTree
• Metagoofil
• Nipper-ng
• pipal
• RDPY
• OWASP Risk Rating Methodology
• Threat Modeling
• List of Controls
• Blocking Brute Force Attacks by Esheridan
• Slow down online guessing attacks with device cookies
• Bytecode Obfuscation by Pierre Parrend
• Certificate and Public Key Pinning by Jeffery Walton, JohnSteven, Jim Manico, Kevin Wall, Ricardo Iramar
• Content Security Policy by Dominique RIGHETTO
• Detect Profiling Phase by Dominique RIGHETTO
• Intrusion Detection
• Session Fixation Protection by RoganDawes
• Static Code Analysis by Ryan Dewhurst
• Source Code Analysis Tools
• Free for Open Source Application Security Tools
• List of Attacks
• Binary Planting
• Blind SQL Injection
• Blind XPath Injection
• Brute Force Attack
• Buffer Overflow via Environment Variables
• Buffer Overflow Attack
• CORS OriginHeaderScrutiny
• CORS RequestPreflightScrutiny by Dominique RIGHETTO
• CSV Injection
• Cache Poisoning by Weilin Zhong, Rezos
• Cash Overflow by psiinon
• Clickjacking by Gustav Rydstedt
• Code Injection by Weilin Zhong, Rezos
• Command Injection by Weilin Zhong
• Comment Injection Attack by Weilin Zhong, Rezos
• Content Spoofing by Andrew Smith
• Cornucopia – Ecommerce Website Edition – Wiki Deck by Darío De Filippis
• Credential stuffing by Neal Mueller
• Cross-User Defacement
• Cross Site Scripting (XSS) by KirstenS
• Types of XSS
• XSS Filter Evasion Cheat Sheet
• Cross Frame Scripting
• Cross Site History Manipulation (XSHM)
• Cross Site Tracing
• Cryptanalysis
• Custom Special Character Injection
• Denial of Service
• Direct Dynamic Code Evaluation – Eval Injection
• Embedding Null Code by Nsrav
• Execution After Redirect (EAR) by Robert Gilbert (amroot)
• Forced browsing
• Form action hijacking by Robert Gilbert (amroot)
• Format string attack
• Full Path Disclosure
• Function Injection
• HTTP Response Splitting
• LDAP Injection
• Log Injection
• Man-in-the-browser attack
• Manipulator-in-the-middle attack
• Mobile code invoking untrusted mobile code
• Mobile code non-final public field
• Mobile code object hijack
• Parameter Delimiter
• Path Traversal
• Qrljacking
• Reflected DOM Injection
• Regular expression Denial of Service – ReDoS by Adar Weidman
• Repudiation Attack
• Resource Injection
• Reverse Tabnabbing
• SQL Injection
• SQL Injection Bypassing WAF
• Double Encoding
• Server-Side Includes (SSI) Injection by Weilin Zhong, Nsrav
• Injection Flaws
• Server Side Request Forgery
• Session Prediction
• Session fixation
• Session hijacking attack
• Setting Manipulation
• Special Element Injection
• Spyware
• Traffic flood
• Trojan Horse
• Unicode Encoding
• Web Parameter Tampering
• Windows ::DATA Alternate Data Stream
• XPATH Injection
• XSRF
• XSS in subtitle by Mohammad MortazaviZade
• Cross Site Request Forgery (CSRF) by KirstenS
• Reviewing Code for Cross-Site Request Forgery Issues
• List of Vulnerabilities
• Allowing Domains or Accounts to Expire
• Buffer Overflow
• Business logic vulnerability
• CRLF Injection
• CSV Injection
• Catch NullPointerException
• Covert storage channel
• Deserialization of untrusted data
• Directory Restriction Error
• Doubly freeing memory
• Empty String Password
• Expression Language Injection
• Full Trust CLR Verification issue Exploiting Passing Reference Types by Reference
• Heartbleed Bug
• Improper Data Validation
• Improper pointer subtraction
• Information exposure through query strings in url by Robert Gilbert (amroot)
• Injection problem
• Insecure Compiler Optimization
• Insecure Randomness
• Insecure Temporary File
• Insecure Third Party Domain Access
• Insecure Transport
• Insufficient Entropy
• Insufficient Session-ID Length
• Least Privilege Violation
• Memory leak
• Missing Error Handling
• Missing XML Validation
• Multiple admin levels
• Null Dereference
• OWASP .NET Vulnerability Research
• Overly Permissive Regular Expression
• PHP File Inclusion
• PHP Object Injection by Egidio Romano
• PRNG Seed Error
• Password Management Hardcoded Password
• Password Plaintext Storage
• Poor Logging Practice
• Portability Flaw
• Privacy Violation
• Process Control
• Return Inside Finally Block
• Session Variable Overloading
• String Termination Error
• Unchecked Return Value Missing Check against Null
• Undefined Behavior
• Unreleased Resource
• Unrestricted File Upload
• Unsafe JNI
• Unsafe Mobile Code
• Unsafe function call from a signal handler
• Unsafe use of Reflection
• Use of Obsolete Methods
• Use of hard-coded password
• Using a broken or risky cryptographic algorithm
• Using freed memory
• Vulnerability template
• XML External Entity (XXE) Processing