Table of Contents

1. Preface
   1. Who this book is for
   2. What this book covers
   3. To get the most out of this book
      1. Download the color images
      2. Conventions used
   4. Disclaimer
   5. Get in touch
      1. Reviews
1. Introduction
1. Introduction to Web Application Penetration Testing
   1. What is a penetration test?
   2. Types of penetration test
      1. White box penetration test
      2. Black box penetration test
      3. Gray box penetration test
   3. Stages of penetration testing
      1. Reconnaissance and information gathering
      2. Enumeration
      3. Vulnerability assessment and analysis
      4. Exploitation
      5. Reporting
   4. Important terminologies
   5. Penetration testing methodologies
      1. Open Source Security Testing Methodology Manual (OSSTMM)
         1. Operational security metrics
         2. Trust analysis
         3. Human security testing
         4. Physical security testing
         5. Wireless security testing
         6. Telecommunications security testing
         7. Data network security testing
         8. Compliance regulations
         9. Reporting with the STAR
      2. OSSTMM test types 
      3. Information Systems Security Assessment Framework (ISSAF)
      4. Penetration Testing Execution Standard (PTES)
         1. Pre-engagement interactions
         2. Intelligence gathering
         3. Threat modeling
         4. Vulnerability analysis
         5. Exploitation
         6. Post-exploitation
         7. Reporting
   6. Common Weakness Enumeration (CWE)
      1. OWASP Top 10
      2. SANS TOP 25
   7. Summary
   8. Questions
   9. Further reading
2. Metasploit Essentials
   1. Technical requirements
   2. Introduction to Metasploit Framework
   3. Metasploit Framework terminology
   4. Installing and setting up Metasploit
      1. Installing Metasploit Framework on *nix
      2. Installing Metasploit Framework on Windows
   5. Getting started with Metasploit Framework
      1. Interacting with Metasploit Framework using msfconsole
      2. MSF console commands
         1. Customizing global settings
         2. Variable manipulation in MSF
         3. Exploring MSF modules
         4. Running OS commands in MSF
         5. Setting up a database connection in Metasploit Framework
         6. Loading plugins in MSF
         7. Using Metasploit modules
         8. Searching modules in MSF
         9. Checking for hosts and services in MSF
         10. Nmap scanning with MSF
         11. Setting up payload handling in MSF
      3. MSF payload generation
         1. Generating an MSF payload using msfconsole (one-liner)
         2. Generating an MSF payload using msfvenom
   6. Summary
   7. Questions
   8. Further reading
3. The Metasploit Web Interface
   1. Technical requirements
   2. Introduction to the Metasploit web interface
   3. Installing and setting up the web interface
      1. Installing Metasploit Community Edition on Windows
      2. Installing Metasploit Community Edition on Linux/Debian
   4. Getting started with the Metasploit web interface
      1. Interface
         1. Main menu
         2. Project tab bar
         3. Navigational breadcrumbs
         4. Tasks bar
      2. Project creation
         1. Default project
         2. Creating a custom project
      3. Target enumeration
         1. Using the built-in option
         2. Importing scan results
      4. Module selection
         1. Auxiliary module
         2. Using an exploit module
         3. Session interaction
         4. Post-exploitation modules
   5. Summary
   6. Questions
   7. Further reading
2. The Pentesting Life Cycle with Metasploit
4. Using Metasploit for Reconnaissance
   1. Technical requirements
   2. Introduction to reconnaissance
   3. Active reconnaissance
      1. Banner grabbing
      2. HTTP header detection
      3. Web robot page enumeration
      4. Finding hidden Git repos
      5. Open proxy detection
   4. Passive reconnaissance
      1. Archived domain URLs
      2. Censys
      3. SSL recon
   5. Summary
   6. Questions
   7. Further reading
5. Web Application Enumeration Using Metasploit
   1. Technical requirements
   2. Introduction to enumeration
      1. DNS enumeration
      2. Going the extra mile – editing source code
   3. Enumerating files
      1. Crawling and scraping with Metasploit
      2. Scanning virtual hosts
   4. Summary
   5. Questions
   6. Further reading
6. Vulnerability Scanning Using WMAP
   1. Technical requirements
   2. Understanding WMAP
   3. The WMAP scanning process
      1. Data reconnaissance
      2. Loading the scanner
      3. WMAP configuration
      4. Launching WMAP
   4. WMAP module execution order
   5. Adding a module to WMAP
   6. Clustered scanning using WMAP
   7. Summary
   8. Questions
   9. Further reading
7. Vulnerability Assessment Using Metasploit (Nessus)
   1. Technical requirements
   2. Introduction to Nessus
      1. Using Nessus with Metasploit
      2. Nessus authentication via Metasploit
   3. Basic commands
      1. Patching the Metasploit library
   4. Performing a Nessus scan via Metasploit
      1. Using the Metasploit DB for Nessus scan
      2. Importing Nessus scan in the Metasploit DB
   5. Summary
   6. Questions
   7. Further reading
3. Pentesting Content Management Systems (CMSes)
8. Pentesting CMSes - WordPress
   1. Technical requirements
   2. Introduction to WordPress
      1. WordPress architecture
      2. File/directory structure
         1. Base folder
            1. wp-includes
            2. wp-admin
            3. wp-content
   3. WordPress reconnaissance and enumeration
      1. Version detection
         1. Readme.html
         2. Meta generator
         3. Getting the version via JavaScript and CSS files
         4. Getting the version via the feed
         5. Using Outline Processor Markup Language (OPML)
         6. Unique/advanced fingerprinting
      2. WordPress reconnaissance using Metasploit
      3. WordPress enumeration using Metasploit
   4. Vulnerability assessment for WordPress
   5. WordPress exploitation part 1 – WordPress Arbitrary File Deletion
      1. Vulnerability flow and analysis
      2. Exploiting the vulnerability using Metasploit
   6. WordPress exploitation part 2 – unauthenticated SQL injection
      1. Vulnerability flow and analysis
      2. Exploiting the vulnerability using Metasploit
   7. WordPress exploitation part 3 – WordPress 5.0.0 Remote Code Execution
      1. Vulnerability flow and analysis
      2. Exploiting the vulnerability using Metasploit
   8. Going the extra mile – customizing the Metasploit exploit
   9. Summary
   10. Questions
   11. Further reading
9. Pentesting CMSes - Joomla
   1. Technical requirements
   2. An introduction to Joomla
   3. The Joomla architecture
      1. The file and directory structure
   4. Reconnaissance and enumeration
      1. Version detection
         1. Detection via a meta tag
         2. Detection via server headers
         3. Detection via language configurations
         4. Detection via README.txt
         5. Detection via the manifest file
         6. Detection via unique keywords
      2. Joomla reconnaissance using Metasploit
   5. Enumerating Joomla plugins and modules using Metasploit
      1. Page enumeration
      2. Plugin enumeration
   6. Performing vulnerability scanning with Joomla
   7. Joomla exploitation using Metasploit
      1. How does the exploit work? 
   8. Joomla shell upload
   9. Summary 
   10. Questions
   11. Further reading
10. Pentesting CMSes - Drupal
    1. Technical requirements
    2. Introduction to Drupal and its architecture
       1. Drupal's architecture
       2. Directory structure
    3. Drupal reconnaissance and enumeration
       1. Detection via README.txt
       2. Detection via meta tags
       3. Detection via server headers
       4. Detection via CHANGELOG.txt
       5. Detection via install.php
       6. Plugin, theme, and module enumeration
    4. Drupal vulnerability scanning using droopescan
    5. Exploiting Drupal
       1. Exploiting Drupal using Drupalgeddon2
          1. Understanding the Drupalgeddon vulnerability
          2. Exploiting Drupalgeddon2 using Metasploit
       2. The RESTful Web Services exploit – unserialize()
          1. Understanding serialization
          2. What is a POP chain?
          3. Deserializing the payload
          4. Exploiting RESTful Web Services RCE via unserialize() using Metasploit
    6. Summary
    7. Questions
    8. Further reading
4. Performing Pentesting on Technological Platforms
11. Penetration Testing on Technological Platforms - JBoss
    1. Technical requirements
    2. An introduction to JBoss
       1. The JBoss architecture (JBoss 5)
       2. JBoss files and the directory structure
    3. Reconnaissance and enumeration
       1. Detection via the home page
       2. Detection via the error page
       3. Detection via the title HTML tag
       4. Detection via X-Powered-By
       5. Detection via hashing favicon.ico
       6. Detection via stylesheets (CSS)
       7. Carrying out a JBoss status scan using Metasploit
       8. JBoss service enumeration
    4. Performing a vulnerability assessment on JBoss AS
       1. Vulnerability scanning using JexBoss
       2. Vulnerable JBoss entry points
    5. JBoss exploitation
       1. JBoss exploitation via the administration console
       2. Exploitation via the JMX console (the MainDeployer method)
       3. Exploitation via the JMX console using Metasploit (MainDeployer)
       4. Exploitation via the JMX console (BSHDeployer)
       5. Exploitation via the JMX console using Metasploit (BSHDeployer)
       6. Exploitation via the web console (Java applet)
       7. Exploitation via the web console (the Invoker method)
          1. Creating BSH scripts
          2. Deploying the BSH script using webconsole_invoker.rb
          3. Exploitation via JMXInvokerServlet (JexBoss)
       8. Exploitation via JMXInvokerServlet using Metasploit
    6. Summary
    7. Questions
    8. Further reading
12. Penetration Testing on Technological Platforms - Apache Tomcat
    1. Technical requirements
    2. An introduction to Tomcat
    3. The Apache Tomcat architecture
    4. Files and their directory structures
    5. Detecting Tomcat installations
       1. Detection via the HTTP response header – X-Powered-By
       2. Detection via the HTTP response header – WWW-Authenticate
       3. Detection via HTML tags – the title tag
       4. Detection via HTTP 401 Unauthorized error
       5. Detection via unique fingerprinting (hashing)
       6. Detection via directories and files
    6. Version detection
       1. Version detection via the HTTP 404 error page
       2. Version disclosure via Release-Notes.txt
       3. Version disclosure via Changelog.html
    7. Exploiting Tomcat
       1. The Apache Tomcat JSP upload bypass vulnerability
       2. Tomcat WAR shell upload (authenticated)
    8. An introduction to Apache Struts
       1. Understanding OGNL
       2. OGNL expression injection
       3. Testing for remote code execution via OGNL injection
       4. Testing for blind remote code execution via OGNL injection
       5. Testing for OGNL out-of-band injection
       6. Struts 2 exploitation using Metasploit
    9. Summary
    10. Questions
    11. Further reading
13. Penetration Testing on Technological Platforms - Jenkins
    1. Technical requirements
    2. Introduction to Jenkins
    3. Jenkins terminology
       1. The Stapler library
       2. URL routing
       3. Apache Groovy
       4. Meta-programming
       5. Abstract syntax tree
       6. Pipeline
    4. Jenkins reconnaissance and enumeration
       1. Detecting Jenkins using favicon hashes
       2. Detecting Jenkins using HTTP response headers
       3. Jenkins enumeration using Metasploit
    5. Exploiting Jenkins
       1. Jenkins ACL bypass
       2. Understanding Jenkins unauthenticated RCE
    6. Summary
    7. Questions
    8. Further reading
5. Logical Bug Hunting
14. Web Application Fuzzing - Logical Bug Hunting
    1. Technical requirements
    2. What is fuzzing?
    3. Fuzzing terminology
    4. Fuzzing attack types
       1. Application fuzzing
       2. Protocol fuzzing
       3. File-format fuzzing
    5. Introduction to web app fuzzing
       1. Fuzzer installation (Wfuzz)
       2. Fuzzer installation (ffuf)
    6. Identifying web application attack vectors
       1. HTTP request verbs
          1. Fuzzing HTTP methods/verbs using Wfuzz
          2. Fuzzing HTTP methods/verbs using ffuf
          3. Fuzzing HTTP methods/verbs using Burp Suite Intruder
       2. HTTP request URIs
          1. Fuzzing an HTTP request URl path using Wfuzz
          2.  Fuzzing an HTTP request URl path using ffuf
          3. Fuzzing an HTTP request URl path using Burp Suite Intruder
          4. Fuzzing HTTP request URl filenames and file extensions using Wfuzz
          5. Fuzzing HTTP request URl filenames and file extensions using ffuf
          6. Fuzzing HTTP request URl filenames and file extensions using Burp Suite Intruder
          7. Fuzzing an HTTP request URl using Wfuzz (GET parameter + value)
          8. Fuzzing an HTTP request URl using Burp Suite Intruder (GET parameter + value)
       3. HTTP request headers
          1. Fuzzing standard HTTP headers using Wfuzz, ffuf, and Burp Suite
             1. Scenario 1 – Cookie header fuzzing
             2. Scenario 2 – User-defined cookie header fuzzing
          2. Fuzzing a custom header using Wfuzz, ffuf, and Burp Suite
             1. Scenario 3 – Custom header fuzzing
    7. Summary
    8. Questions
    9. Further reading
15. Writing Penetration Testing Reports
    1. Technical requirements
    2. Introduction to report writing 
       1. Writing executive reports
          1. Title page
          2. Document version control
          3. Table of contents
          4. Objective
          5. Defined scope
          6. Key findings (impact)
          7. Issue overview
          8. Strategic recommendations
       2. Writing detailed technical reports
          1. Title page
          2. Document version control
          3. Table of contents
          4. Report summary
          5. Defined scope
          6. Methodology used
          7. CVSS
          8. Vulnerability summary
          9. Conclusion
          10. Appendix
    3. Introduction to Dradis Framework
       1. Pre-installation configuration
       2. Installation and setup
       3. Getting started with Dradis
       4. Importing third-party reports into Dradis
       5. Defining the security testing methodology in Dradis
       6. Organizing reports using Dradis
       7. Exporting reports in Dradis
    4. Working with Serpico 
       1. Installation and setup
       2. Getting started with Serpico
       3. Importing data from Metasploit to Serpico
       4. Importing third-party reports into Serpico 
       5. User management in Serpico
       6. Managing templates in Serpico
       7. Generating reports in multiple formats
    5. Summary
    6. Questions
    7. Further reading
16. Assessment
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
17. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think