Exploitology: Web Apps Exploits
Free!
Minimum price
$29.00
Suggested price

Exploitology: Web Apps Exploits

Exploitation strategies for pentesters

About the Book

"Exploitology: Web Apps Exploits" explores web app security, focusing on vulnerabilities, exploitation methods, and advanced strategies. With practical examples and real-world scenarios, this book helps readers understand, exploit, and defend against web app threats. Whether you're new to security or an experienced pro, it sharpens your penetration testing skills for the evolving cybersecurity world.

  • Share this book

  • Categories

    • Computer Security
    • Computers and Programming
    • APIs
    • JavaScript
    • PHP
    • Python
    • HTML

  • Feedback

    Email the Author(s)

  • License

About the Author

Mahdi Alemi
Mahdi Alemi

Mahdi Alemi is a penetration tester, security researcher, and educator with a deep passion for web application security. With years of hands-on experience in ethical hacking, he has conducted real-world penetration tests, led security team, and contributed to the cybersecurity community through exploit development and vulnerability research. His expertise spans web security and advanced exploitation techniques, making him a valuable asset in offensive security.

Beyond practical experience, he actively participates in Capture The Flag (CTF) competitions and ranked among the top 3% on TryHackMe. He is constantly exploring new attack vectors, refining exploitation techniques, and staying ahead in the ever-evolving cybersecurity landscape. His contributions to security research include developing proof-of-concept (PoC) exploits, some of which have been recognized as CVEs and are publicly available on his GitHub.

Table of Contents

    • Introduction
    • About the Author
    • Prerequisites
    • Subdomain Takeover
      • Understanding Subdomain Takeover
      • Why Subdomain Takeover Matters
      • CNAME Takeover
      • A Record Takeover
      • NS Record Takeover
      • DNS Server Configuration Guide
      • Mitigation Techniques
    • Cookies and Session Management
      • Understanding Cookies
      • Cookie-Less Authentication
      • Improper Cookie-Based Authentication
      • Cookie-Based Validation Mechanisms
      • Session-Based State Handling
      • Controlling Cookies with Attributes
      • Exploring the SameSite Attribute
      • Mitigation Techniques
    • Cross-Site Scripting (XSS)
      • Understanding Cross-Site Scripting
      • Understanding Cross-Site Scripting (XSS) Variants
      • Exploring Reflected XSS with Example
      • Understanding SELF-XSS with Example
      • Understanding Stored XSS with Example
      • Blind XSS Exploitation
      • Client-Side DOM XSS Attacks
      • Exploring Sources and Sinks in DOM
      • Exploiting DOM with location.search and innerHTML
      • Leveraging localStorage and eval for DOM XSS
      • DOM XSS via document.cookie and document.write
      • DOM XSS via location.hash and innerHTML
      • XSS as a Gateway to Account Takeover
      • Another Reflected XSS Example
      • XSS in HTML Title Tag
      • Injecting XSS into Hidden Inputs
      • Injecting XSS into Cookies
      • XSS via User-Agent Manipulation
      • Injecting Malicious Code into JS Variables
      • XSS via href Attribute Manipulation
      • XSS via Malicious SVG File Uploads
      • XSS via Event Handlers and Quote Removal
      • Bypassing XSS with Quote Escaping
      • XSS Bypass via alert Keyword Removal
      • XSS Bypass with Write Sink and Malicious Symbol Sanitization
      • XSS Exploitation with Dot Removal Defense
      • XSS Bypass with Parentheses Removal
      • Mitigation Techniques
    • Session Fixation
      • Understanding Session Fixation
      • Session Fixation Workflow
      • Exploitation Process
      • Session Fixation Techniques
      • URL-Based Session Fixation
      • Session Fixation via XSS-Based Cookie Theft
      • Session Fixation via XSS Cookie Injection
      • Mitigations Techniques
    • Session Hijacking
      • Understanding Session Hijacking
      • Session Hijacking Techniques
      • Hijacking Sessions with Reflected XSS
      • Hijacking Sessions with Stored XSS
      • Mitigations Techniques
    • Cross-Site Tracing (XST)
      • Understanding Cross-Site Tracing (XST)
      • XST and HttpOnly Bypass
      • Why XST is Rare Today
      • Configuring TRACE in Apache
      • Exploitation Steps
      • Mitigation Techniques
    • Browser Security
      • Browser Security Features
      • Cross-Origin Cookie Exposure - An Example
      • Understanding the Same Origin Policy
      • SOP Bypass Techniques
      • Cross-Origin Resource Sharing (CORS)
      • CORS Access Denied Example
      • Same Origin CORS Access Granted
      • CORS and Wildcard Origin Access
      • Managing Cookies with ACAO and Allow-Credentials in CORS
      • Understanding Simple vs. Preflight Cross-Origin HTTP Requests
      • Exploring JSONP for Cross-Origin Requests
      • Understanding postMessage for Safe Data Exchange
      • Simple Communication with postMessage
      • Leveraging postMessage for XSS Attacks
      • Handling JSON Data via postMessage
      • Exploiting Improper Origin Validation in postMessage
      • Sending Multiple Parameters via postMessage
      • Introduction to Content Security Policy
    • Cross-Site Request Forgery - CSRF
      • Understanding Cross-Site Request Forgery
      • Techniques to Force Malicious HTTP Requests
      • Exploring XHR for HTTP Request
      • HTTP Requests with Fetch API
      • CSRF Exploitation Lab
      • CSRF Protection Mechanisms
      • Bypassing Anti-CSRF Tokens via XSS
      • Mitigation Tecniques
    • CORS Misconfiguration
      • Understanding CORS Misconfiguration
      • The Risk Behind CORS Misconfiguration
      • CORS Setup Pitfalls
      • Patterns of CORS Vulnerabilities
      • Origin Header Reflection Playground
      • Simulating Origin Indexing Issues
      • Understanding Null Origin Behavior
      • Exploiting Misconfigured Whitelist Domains
      • Mitigation Techniques
    • Content-Security-Policy (CSP) Bypasses
      • Understanding Content-Security-Policy (CSP)?
      • Exploring Content Security Policy Directives
      • Basic CSP Examples
      • Understanding CSP Misconfigurations and Their Exploits
      • Bypassing CSP with JSONP Endpoints
      • Leveraging Trusted Types to Bypass CSP
      • Mitigation Techniques
    • Clickjacking
      • Understanding Clickjacking
      • The Invisible Trap of Clickjacking
      • The Free Trip to Germany Case Study
      • Technical Analysis of Clickjacking in the Germany Trip Case
      • Understanding Clickjacking through Code
      • Mitigation Techniques
    • Security Misconfiguration
      • Understanding Security Misconfiguration
      • Categories of Security Misconfiguration
      • Directory Listing Vulnerability
      • Error Handling Flaws and Stack Trace Exposure
      • Full Path Disclosure Vulnerability
      • Sensitive Data Exposure
      • Web Parameter Tampering
      • Forced Browsing
      • S3 Bucket Misconfiguration
      • Mitigation Techniques
    • OS Command Injection
      • Understanding OS Command Injection
      • Command Injection Variants by Result
      • Phase of Detection
      • Basic Command Injection
      • Command Injection via Blacklist Separators
      • Regex Bypass in Command Injection
      • Command Injection via Space Stripping
      • Command Injection via Word Removal
      • Command Injection via Quoted Input
      • Header-Based Command Injection
      • Out-of-Band Exploitation Techniques
      • Basic Indirect Command Injection
      • Subshell-Based Command Injection
      • Command Injection via File Upload
      • Command Injection with Partial Execution
      • Reverse Shell
      • Mitigation Techniques
    • Remote Code Execution (RCE)
      • Understanding Remote Code Execution
      • Breaking & Fixing: A Common Pitfall
      • Comparing RCE and Command Injection
      • Basic Remote Code Execution
      • Remote Code Execution via Blacklist Bypass
      • Remote Code Execution via File Writing
      • Input Length Restriction in RCE
      • Remote Code Execution in Python
      • Blind Remote Code Execution: Indirect Exploitation
      • Exploiting Blind RCE in Python
      • Mitigation Techniques
    • Unrestricted File Upload
      • Understanding Unrestricted File Upload
      • Limitations of File Upload Defenses
      • Analysis of Uploaded Files
      • File Execution After Upload
      • Implementing a Safe File Uploader
      • Bypassing File Upload Security Controls
      • Bypassing Client-Side Validation in File Uploads
      • Bypassing File Extension Blacklist with Case Sensitivity
      • File Extension Blacklist Evasion via Alternative Extensions
      • File Upload Bypass via .htaccess Custom Extensions
      • Bypassing Whitelist Filtering with Double Extensions
      • Bypassing File Type Filtering with MIME Type Evasion
      • Bypassing File Content Filters with Magic Numbers
      • XSS via Malicious File Uploads
      • PHP Backup Maker
      • PHP Database Downloader
      • Mitigation Techniques
    • Path Traversal
      • Understanding Path Traversal
      • How Path Traversal Leverages User Input
      • Potential Gains for Attackers
      • Path Traversal Techniques and Variations
      • Directory Listing with opendir()
      • Reading Files with file_get_contents()
      • Hurdles in File Reading
      • File Reading via Image MIME Type
      • Arbitrary File Download
      • Bypassing Filtered Dot-Dot-Slashes
      • Exploiting Arbitrary File Write for RCE
      • Mitigation Techniques
    • File Inclusion
      • Understanding File Inclusion
      • Local File Inclusion Vulnerabilities Explained
      • Remote File Inclusion Vulnerabilities Explained
      • Exploring PHP File Inclusion Functions
      • LFI and RFI Exploitation Methods
      • Using PHP Wrappers in File Inclusion
      • PHP Directives for File Inclusion
      • RFI and Extension Appending Techniques
      • Overcoming HTTP/FTP Wrapper Removal
      • LFI Vulnerabilities via Path Traversal
      • Leveraging php:// Wrapper for LFI
      • LFI via Uploaded Files
      • Mitigation Techniques
    • SQL Injection
      • Understanding SQL Injection
      • Objectives Behind SQL Injection
      • Breaking Context, Fixing Logic
      • Web and SQL Interaction
        • Direct Data Retrieval
        • Indirect Data Processing
        • No Visible Data Return
      • General Exploitation Workflow
      • UNION-Based Injection
      • Error-Based XPath Injection
      • Boolean-Based SQL Injection
      • Time-Based SQL Injection
      • SQL Injection for Authentication Bypass
      • SQL Sort Order Injection
      • SQL Insert Injection
      • SQL Update Injection
      • SQL Injection for File Read/Write
      • Mitigation Techniques
    • MongoDB injection
      • Introduction to MongoDB
        • MongoDB Setup
        • MongoDB in Practice
      • MongoDB Lab Setup
      • Authentication Bypass (Normal case)
      • Authentication Bypass (JSON Request)
      • Brute Forcing Logins
      • Mitigation Techniques
    • Open Redirect
      • Understanding Open Redirect
      • The Dangers of Open Redirects in Web Security
      • Open Redirect Vulnerability Types
      • Techniques for Bypassing Protections
      • Crafting Payloads for Open Redirect
      • Mitigation Techniques
    • Host Header Injection
      • Understanding Host Header Injection
      • Common Locations for Host Header Injection
      • Exploiting Host Header Injection
      • Leveraging Host Header Injection for Exploits
      • Impact of Host Header Injection on Security
      • Exploiting Host Header Injection via Host Header
      • Exploiting Host Header Injection via X-Forwarded-For
      • Mitigation Techniques
    • Server-side Template Injection (SSTI)
      • MVC Design Pattern Overview
      • Non-MVC Code Example
      • Template Engines Overview
      • Basic MVC with PHP & Twig
      • Understanding SSTI Vulnerability
      • SSTI Exploitation Process
      • SSTI Detection Techniques
      • Vulnerable Jinja2 Example
      • Exploitation by Template Type
      • Exploiting PHP with Smarty
      • Exploiting Python with Tornado
      • Exploiting Jinja2 in Python
      • Exploiting Pug in NodeJS
      • Mitigation Techniques
    • Server-Side Request Forgery (SSRF)
      • Understanding Server-Side Request Forgery (SSRF)
      • SSRF Exploitation Flow
      • Simulating an SSRF Attack
      • Detecting SSRF Vulnerabilities
      • SSRF Attack via URL Schemes
      • Exploiting SSRF via HTTP/HTTPS Schemes
      • Exploiting SSRF with file:// for Local File Access
      • TCP Connection Exploitation in SSRF with dict:// and gopher://
      • Exploiting Redis for RCE and Session Hijacking
      • SSRF Bypass Techniques
      • Mitigation Techniques
    • XML External Entity (XXE)
      • Comparing XML and JSON for Data
      • DTDs in XML Documents
      • Exploring XML Entities
        • Internal Entities in XML
        • External Entities in XML
        • Parameter Entities in XML
      • Internal Subset DTD Restrictions
      • Handling Illegal XML Characters
        • CDATA for Dirty Input
        • Using php:// for Illegal XML Characters
      • Local File Read via XXE
      • SSRF Through XML Entities
      • Injecting Commands with XXE
      • Out-of-Band Blind XXE Exploitation
        • Blind XXE with php://filter in PHP
        • Global XXE Exploitation with xxeserv
      • Exploiting XXE in Python
      • Mitigation Techniques
    • Business Logic Vulnerabilities
      • Understanding Business Logic Vulnerabilities
      • Uncovering Hidden Logic Bugs
      • Manipulating Order Freezing
      • Account Suspension Abuse
      • Price Manipulation
      • Unlimited Discount
      • Double Spending
      • Additional Business Logic Vulnerability Types
      • Understanding Race Condition
      • Mitigation Techniques
    • Broken Authentication
      • Understanding Authentication
      • Traditional vs Modern Authentication Models
      • Authentication Mechanisms in HTTP
      • Cookies and Sessions in Authentication
      • Authentication Based on Tokens (JWT)
      • Common Authentication Vulnerabilities
      • Introduction to Cryptography
      • Comparing Symmetric and Asymmetric Cryptography
      • Understanding Data Encoding
      • Secure Storage Methods for User Passwords
      • The Dangers of Using Weak Crypto Keys
      • Mitigation Techniques
    • Broken Access Control
      • Understanding Broken Access Control?
      • Understanding Access Control Concepts
      • The Difference Between Authentication and Authorization
      • Understanding IDOR and its Risks
      • Building a Simple IDOR Lab
      • Exploiting IDOR in Ticket Systems
      • Understanding JSON Web Tokens (JWT)
      • Accepting arbitrary signatures in JWT
      • Accepting tokens with no signature in JWT
      • JWT Weak Secret Key Vulnerability
      • Injecting self-signed JWTs via the jwk parameter
      • Injecting self-signed JWTs via the jku parameter
      • Injecting self-signed JWTs via the kid parameter
      • Mitigation Techniques
    • Insecure Deserialization
      • Object Oriented Programming
      • Class Constructors in OOP
      • Access Modifiers in OOP
      • OOP Magic Methods
      • Serialization & Deserialization in OOP
      • Magic Methods & Deserialization
      • Understanding Insecure Deserialization
      • RCE via Pickle in Python
      • RCE via node-serialize in Node.js
      • Leveraging Magic Methods in PHP
      • PHP __wakeup Method
      • RCE via PHP __wakeup
      • RCE via PHP __destruct
      • Another RCE via Python pickle
      • RCE via Python YAML
      • Another RCE via Node.js node-serialize
      • Mitigation Techniques
    • Prototype Pollution
      • The Threat of Prototype Pollution
      • Prototypal Inheritance and the Prototype Chain in JavaScript
      • Object.prototype and Its Role in JavaScript Inheritance
      • The Spread of Prototype Pollution
      • Identifying Prototype Pollution Vulnerabilities
      • Node.js RCE with Prototype Pollution
      • XSS via Client-Side Prototype Pollution
      • Mitigation Techniques
    • Padding Oracle Attack
      • Understanding Padding in Cryptographic Algorithms
      • Understanding Padding Oracle Vulnerability
      • Detecting Padding Oracle Vulnerability
      • Exploiting Padding Oracle with Padre Tool
      • Practical Padding Oracle Attack Lab
      • Mitigation Techniques
    • Single Sign-On (SSO) Vulnerabilities
      • Understanding Single Sign-On (SSO)
      • Exploring Single Sign-On (SSO) Architectures
      • SSO Redirect Flow
      • Building an SSO Redirect Flow
      • SSO CORS Flow and SOP Bypass
      • Token Hijacking in SSO CORS Flow via CORS Misconfiguration
      • Token hijacking in SSO CORS Flow via XSS
      • Cross-Origin SSO via JSONP
      • Token Hijacking in SSO JSONP Flow
      • Mitigation Techniques
    • Web Cache Vulnerabilities
      • Understanding Web Cache?
      • Understanding the Basics of Caching
      • Understanding Web Caching Headers
      • Understanding Web Cache Deception
      • Exploiting Nginx for Web Cache Deception
      • Understanding Web Cache Poisoning
      • Nginx Cache Poisoning Exploit
      • Mitigation Techniques
    • HTTP Request Smuggling
      • Understanding HTTP Keep-Alive and Pipelining
      • The Importance of Transfer-Encoding in Data Handling
      • The Role of Chunked Transfer Encoding in HTTP Smuggling
      • Understanding HTTP Request Smuggling
      • Request Queue Poisoning in HTTP Smuggling
      • Types of HTTP Request Smuggling
        • CL.TE (Content-Length / Transfer-Encoding)
        • TE.CL (Transfer-Encoding / Content-Length)
        • TE.TE (Transfer-Encoding / Transfer-Encoding)
      • Mitigation Techniques
    • WebSocket Vulnerabilities
      • Understanding WebSocket
      • Real-Time Customer Support with WebSocket
      • Building a Multi-User Chatbot with WebSocket
      • Manipulating WebSocket Traffic with Burp Suite
      • Exploiting Input Validation Vulnerabilities in WebSocket
      • Exploiting XSS in WebSocket Connections
      • Cross-Site WebSocket Hijacking (CSWSH)
      • Hands-on CSWSH Exploiting
      • Mitigation Techniques
    • Web Services & API Security
      • Understanding Application Programming Interfaces
      • What Makes APIs and Web Services Different
      • Evolution of APIs from RPC to GraphQL
      • API Communication via JSON-RPC
      • Building Web Services with XML-RPC
      • Building SOAP Web Services using nusoap
      • Exploiting Command Injection in SOAP Web Services
      • Understanding the API Security Landscape
        • API 01:2023 Broken Object Level Authorization (BOLA)
        • API 02:2023 Broken Authentication
        • API 03:2023 Broken Object Property Level Authorization (BOPLA)
        • API 04:2023 Unrestricted Resource Consumption
        • API 05:2023 Broken Function Level Authorization
        • API 06:2023 Unrestricted Access to Sensitive Business Flows
        • API 07:2023 Server-Side Request Forgery (SSRF)
        • API 08:2023 Security Misconfiguration
        • API 09:2023 Improper Inventory Management
        • API 10:2023 Unsafe Consumption of APIs
      • Common GraphQL Vulnerabilities and Defenses
      • Understanding GraphQL Queries and Mutations
      • Discovering API Structure with Introspection
        • Understanding the __typename Meta-field
        • Full Schema Discovery with __schema
        • Bypassing Introspection Filters
      • Hands-On with GraphQL
      • Mitigations Techniques

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earnedover $14 millionwriting, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub

Publish Early, Publish Often

  • Path
  • There are many paths, but the one you're on right now on Leanpub is...
  • › Exploitologyweb

*   *   *

Leanpub is copyright © 2010-2025 Ruboss Technology Corp.
All rights reserved.

This site is protected by reCAPTCHA
and the Google Privacy Policy and Terms of Service apply.