Web Penetration Testing with Kali Linux Second Edition
Table of Contents
  Web Penetration Testing with Kali Linux Second Edition
  Credits
  About the Author
  About the Reviewers
  www.PacktPub.com
  Support files, eBooks, discount offers, and more
  Why subscribe?
  Free access for Packt account holders
Preface
  What this book covers
  What you need for this book
  Who this book is for
  Conventions
  Reader feedback
  Customer support
  Downloading the example code
  Downloading the color images of this book
  Errata
  Piracy
  Questions
1. Introduction to Penetration Testing and Web Applications
  Proactive security testing
  Who is a hacker?
  Different testing methodologies
  Ethical hacking
  Penetration testing
  Vulnerability assessment
  Security audits
  Rules of engagement
  Black box testing or Gray box testing
  Client contact details
  Client IT team notifications
  Sensitive data handling
  Status meeting
  The limitations of penetration testing
  The need for testing web applications
  Social engineering attacks
  Training employees to defeat social engineering attacks
  A web application overview for penetration testers
  HTTP protocol
  Request and response header
  The request header
  The response header
  Important HTTP methods for penetration testing
  The GET/POST method
  The HEAD method
  The TRACE method
  The PUT and DELETE methods
  The OPTIONS method
  Session tracking using cookies
  Cookie
  Cookie flow between server and client
  Persistent and non-persistent cookies
  Cookie parameters
  HTML data in HTTP response
  Multi-tier web application
  Summary
2. Setting up Your Lab with Kali Linux
  Kali Linux
  Improvements in Kali Linux 2.0
  Installing Kali Linux
  USB mode
  VMware and ARM images of Kali Linux
  Kali Linux on Amazon cloud
  Installing Kali Linux on a hard drive
  Kali Linux – virtualizing versus installing on physical hardware
  Important tools in Kali Linux
  Web application proxies
  Burp proxy
  Customizing client interception
  Modifying requests on the fly
  Burp proxy with SSL-based websites
  WebScarab and Zed Attack Proxy
  ProxyStrike
  Web vulnerability scanner
  Nikto
  Skipfish
  Web Crawler – Dirbuster
  OpenVAS
  Database exploitation
  CMS identification tools
  Web application fuzzers
  Using Tor for penetration testing
  Steps to set up Tor and connect anonymously
  Visualization of a web request through Tor
  Final words for Tor
  Summary
3. Reconnaissance and Profiling the Web Server
  Reconnaissance
  Passive reconnaissance versus active reconnaissance
  Reconnaissance – information gathering
  Domain registration details
  Whois – extracting domain information
  Identifying hosts using DNS
  Zone transfer using dig
  Brute force DNS records using Nmap
  The Recon-ng tool – a framework for information gathering
  Domain enumeration using recon-ng
  Sub-level and top-level domain enumeration
  Reporting modules
  Scanning – probing the target
  Port scanning using Nmap
  Different options for port scan
  Evading firewalls and IPS using Nmap
  Spotting a firewall using back checksum option in Nmap
  Identifying the operating system using Nmap
  Profiling the server
  Application version fingerprinting
  The Nmap version scan
  The Amap version scan
  Fingerprinting the web application framework
  The HTTP header
  The Whatweb scanner
  Identifying virtual hosts
  Locating virtual hosts using search engines
  The virtual host lookup module in Recon-ng
  Identifying load balancers
  Cookie-based load balancer
  Other ways of identifying load balancers
  Scanning web servers for vulnerabilities and misconfigurations
  Identifying HTTP methods using Nmap
  Testing web servers using auxiliary modules in Metasploit
  Automating scanning using the WMAP web scanner plugin
  Vulnerability scanning and graphical reports – the Skipfish web application scanner
  Spidering web applications
  The Burp spider
  Application login
  Summary
4. Major Flaws in Web Applications
  Information leakage
  Directory browsing
  Directory browsing using DirBuster
  Comments in HTML code
  Mitigation
  Authentication issues
  Authentication protocols and flaws
  Basic authentication
  Digest authentication
  Integrated authentication
  Form-based authentication
  Brute forcing credentials
  Hydra – a brute force password cracker
  Path traversal
  Attacking path traversal using Burp proxy
  Mitigation
  Injection-based flaws
  Command injection
  SQL injection
  Cross-site scripting
  Attack potential of cross-site scripting attacks
  Cross-site request forgery
  Session-based flaws
  Different ways to steal tokens
  Brute forcing tokens
  Sniffing tokens and man-in-the-middle attacks
  Stealing session tokens using XSS attack
  Session token sharing between application and browser
  Tools to analyze tokens
  Session fixation attack
  Mitigation for session fixation
  File inclusion vulnerability
  Remote file include
  Local file include
  Mitigation for file inclusion attacks
  HTTP parameter pollution
  Mitigation
  HTTP response splitting
  Mitigation
  Summary
5. Attacking the Server Using Injection-based Flaws
  Command injection
  Identifying parameters to inject data
  Error-based and blind command injection
  Metacharacters for command separator
  Scanning for command injection
  Creating a cookie file for authentication
  Executing Wapiti
  Exploiting command injection using Metasploit
  PHP shell and Metasploit
  Exploiting shellshock
  Overview of shellshock
  Scanning – dirb
  Exploitation – Metasploit
  SQL injection
  SQL statements
  The UNION operator
  The SQL query example
  Attack potential of the SQL injection flaw
  Blind SQL injection
  SQL injection testing methodology
  Scanning for SQL injection
  Information gathering
  Sqlmap – automating exploitation
  BBQSQL – the blind SQL injection framework
  Sqlsus – MySQL injection
  Sqlninja – MS SQL injection
  Summary
6. Exploiting Clients Using XSS and CSRF Flaws
  The origin of cross-site scripting
  Introduction to JavaScript
  An overview of cross-site scripting
  Types of cross-site scripting
  Persistent XSS
  Reflected XSS
  DOM-based XSS
  Defence against DOM-based XSS
  XSS using the POST Method
  XSS and JavaScript – a deadly combination
  Cookie stealing
  Key logger
  Website defacing
  Scanning for XSS flaws
  Zed Attack Proxy
  Scoping and selecting modes
  Modes of operation
  Scan policy and attack
  Xsser
  Features
  W3af
  Plugins
  Graphical interface
  Cross-site request forgery
  Attack dependencies
  Attack methodology
  Testing for CSRF flaws
  CSRF mitigation techniques
  Summary
7. Attacking SSL-based Websites
  Secure socket layer
  SSL in web applications
  SSL encryption process
  Asymmetric encryption versus symmetric encryption
  Asymmetric encryption algorithms
  Symmetric encryption algorithm
  Hashing for message integrity
  Identifying weak SSL implementations
  OpenSSL command-line tool
  SSLScan
  SSLyze
  Testing SSL configuration using Nmap
  SSL man-in-the-middle attack
  SSL MITM tools in Kali Linux
  SSLsplit
  SSLstrip
  SSL stripping limitations
  Summary
8. Exploiting the Client Using Attack Frameworks
  Social engineering attacks
  Social engineering toolkit
  Spear-phishing attack
  Website attack
  Java applet attack
  Credential harvester attack
  Web jacking attack
  Metasploit browser exploit
  Tabnabbing attack
  Browser exploitation framework
  Introducing BeEF
  BeEF hook injection
  Browser reconnaissance
  Exploit modules
  Host information gathering
  Persistence module
  Network recon
  Inter-protocol exploitation and communication
  Exploiting the mutillidae XSS flaw using BeEF
  Injecting the BeEF hook using MITM
  Summary
9. AJAX and Web Services – Security Issues
  Introduction to AJAX
  Building blocks of AJAX
  The AJAX workflow
  AJAX security issues
  Increase in attack surface
  Exposed programming logic of the application
  Insufficient access control
  Challenges of pentesting AJAX applications
  Crawling AJAX applications
  AJAX crawling tool
  Sprajax
  AJAX spider – OWASP ZAP
  Analyzing client-side code – Firebug
  The Script panel
  The Console panel
  The Network panel
  Web services
  Introducing SOAP and RESTful web services
  Securing web services
  Insecure direct object reference vulnerability
  Summary
10. Fuzzing Web Applications
  Fuzzing basics
  Types of fuzzing techniques
  Mutation fuzzing
  Generation fuzzing
  Applications of fuzzing
  Network protocol fuzzing
  File fuzzing
  User interface fuzzing
  Web application fuzzing
  Web browser fuzzing
  Fuzzer frameworks
  Fuzzing steps
  Testing web applications using fuzzing
  Fuzzing input in web applications
  Request URI
  Headers
  Form fields
  Detecting result of fuzzing
  Web application fuzzers in Kali Linux
  Fuzzing using Burp intruder
  PowerFuzzer tool
  Summary
Index
This is a mirror of the Tor onion service:
http://kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion