Black box vs White box testing
white box: access to source code or internal structures
black box: no knowledge about source code etc. (external perspective)
8.2. Web Application Assesment Tools
nmap
wappalyzer
gobuster
burp
8.2.1. Nmap
enumerate web application with basic scripts
8.2.2 Wappalzyer
determine web application technology
8.2.3 Gobuster
directory brute force
8.2.4 Burp
proxy + intruder was covered (only simple brute force logins)
8.3. Web Application Enumeration
Debug console
HTTP headers + Sitemaps
APIs enumeration via gobuster
8.4. Cross-Site-Scripting
stored/persistent: payload stored in databas or cache -> attacking all users
reflected: payload in link -> attacking single user
-> attacker controls web browser of victim
Zuletzt geändertvor einem Jahr