Index

  • Title Page
  • Copyright and Credits
    • Web Penetration Testing with Kali Linux Third Edition
  • Dedication
  • Packt Upsell
    • Why subscribe?
    • PacktPub.com
  • Contributors
    • About the authors
    • About the reviewer
    • Packt is searching for authors like you
  • Preface
    • Who this book is for
    • What this book covers
    • To get the most out of this book
      • Download the example code files
      • Download the color images
      • Conventions used
    • Get in touch
      • Reviews

Introduction to Penetration Testing and Web Applications
  • Proactive security testing
    • Different testing methodologies
      • Ethical hacking
      • Penetration testing
      • Vulnerability assessment
      • Security audits
  • Considerations when performing penetration testing
    • Rules of Engagement
      • The type and scope of testing
      • Client contact details
      • Client IT team notifications
      • Sensitive data handling
      • Status meeting and reports
    • The limitations of penetration testing
    • The need for testing web applications
    • Reasons to guard against attacks on web applications
  • Kali Linux
  • A web application overview for penetration testers
    • HTTP protocol
      • Knowing an HTTP request and response
        • The request header
        • The response header
        • HTTP methods
          • The GET method
          • The POST method
          • The HEAD method
          • The TRACE method
          • The PUT and DELETE methods
          • The OPTIONS method
      • Keeping sessions in HTTP
        • Cookies
          • Cookie flow between server and client
          • Persistent and nonpersistent cookies
          • Cookie parameters
    • HTML data in HTTP response
      • The server-side code
    • Multilayer web application
      • Three-layer web application design
      • Web services
        • Introducing SOAP and REST web services
        • HTTP methods in web services
        • XML and JSON
      • AJAX
        • Building blocks of AJAX
        • The AJAX workflow
      • HTML5
      • WebSockets
  • Summary

Setting Up Your Lab with Kali Linux
  • Kali Linux
    • Latest improvements in Kali Linux
    • Installing Kali Linux
      • Virtualizing Kali Linux versus installing it on physical hardware
      • Installing on VirtualBox
        • Creating the virtual machine
        • Installing the system
  • Important tools in Kali Linux
    • CMS & Framework Identification
      • WPScan
      • JoomScan
      • CMSmap
    • Web Application Proxies
      • Burp Proxy
        • Customizing client interception
        • Modifying requests on the fly
        • Burp Proxy with HTTPS websites
      • Zed Attack Proxy
      • ProxyStrike
    • Web Crawlers and Directory Bruteforce
      • DIRB
      • DirBuster
      • Uniscan
    • Web Vulnerability Scanners
      • Nikto
      • w3af
      • Skipfish
    • Other tools
      • OpenVAS
      • Database exploitation
      • Web application fuzzers
      • Using Tor for penetration testing
  • Vulnerable applications and servers to practice on
    • OWASP Broken Web Applications
    • Hackazon
    • Web Security Dojo
    • Other resources
  • Summary

Reconnaissance and Profiling the Web Server
  • Reconnaissance
    • Passive reconnaissance versus active reconnaissance
  • Information gathering
    • Domain registration details
      • Whois – extracting domain information
    • Identifying related hosts using DNS
      • Zone transfer using dig
      • DNS enumeration
        • DNSEnum
        • Fierce
        • DNSRecon
        • Brute force DNS records using Nmap
    • Using search engines and public sites to gather information
      • Google dorks
      • Shodan
      • theHarvester
      • Maltego
    • Recon-ng – a framework for information gathering
      • Domain enumeration using Recon-ng
        • Sub-level and top-level domain enumeration
      • Reporting modules
  • Scanning – probing the target
    • Port scanning using Nmap
      • Different options for port scan
      • Evading firewalls and IPS using Nmap
      • Identifying the operating system
    • Profiling the server
      • Identifying virtual hosts
        • Locating virtual hosts using search engines
        • Identifying load balancers
        • Cookie-based load balancer
        • Other ways of identifying load balancers
      • Application version fingerprinting
        • The Nmap version scan
        • The Amap version scan
      • Fingerprinting the web application framework
        • The HTTP header
        • The WhatWeb scanner
    • Scanning web servers for vulnerabilities and misconfigurations
      • Identifying HTTP methods using Nmap
      • Testing web servers using auxiliary modules in Metasploit
      • Identifying HTTPS configuration and issues
        • OpenSSL client
        • Scanning TLS/SSL configuration with SSLScan
        • Scanning TLS/SSL configuration with SSLyze
        • Testing TLS/SSL configuration using Nmap
    • Spidering web applications
      • Burp Spider
        • Application login
      • Directory brute forcing
        • DIRB
        • ZAP's forced browse
  • Summary

Authentication and Session Management Flaws
  • Authentication schemes in web applications
    • Platform authentication
      • Basic
      • Digest
      • NTLM
      • Kerberos
      • HTTP Negotiate
      • Drawbacks of platform authentication
    • Form-based authentication
    • Two-factor Authentication
    • OAuth
  • Session management mechanisms
    • Sessions based on platform authentication
    • Session identifiers
  • Common authentication flaws in web applications
    • Lack of authentication or incorrect authorization verification
    • Username enumeration
    • Discovering passwords by brute force and dictionary attacks
      • Attacking basic authentication with THC Hydra
      • Attacking form-based authentication
        • Using Burp Suite Intruder
        • Using THC Hydra
    • The password reset functionality
      • Recovery instead of reset
      • Common password reset flaws
    • Vulnerabilities in 2FA implementations
  • Detecting and exploiting improper session management
    • Using Burp Sequencer to evaluate the quality of session IDs
    • Predicting session IDs
    • Session Fixation
  • Preventing authentication and session attacks
    • Authentication guidelines
    • Session management guidelines
  • Summary

Detecting and Exploiting Injection-Based Flaws
  • Command injection
    • Identifying parameters to inject data
      • Error-based and blind command injection
      • Metacharacters for command separator
    • Exploiting shellshock
      • Getting a reverse shell
      • Exploitation using Metasploit
  • SQL injection
    • An SQL primer
      • The SELECT statement
    • Vulnerable code
    • SQL injection testing methodology
    • Extracting data with SQL injection
      • Getting basic environment information
      • Blind SQL injection
    • Automating exploitation
      • sqlninja
      • BBQSQL
      • sqlmap
    • Attack potential of the SQL injection flaw
  • XML injection
    • XPath injection
      • XPath injection with XCat
    • The XML External Entity injection
    • The Entity Expansion attack
  • NoSQL injection
    • Testing for NoSQL injection
    • Exploiting NoSQL injection
  • Mitigation and prevention of injection vulnerabilities
  • Summary

Finding and Exploiting Cross-Site Scripting (XSS) Vulnerabilities
  • An overview of Cross-Site Scripting
    • Persistent XSS
    • Reflected XSS
    • DOM-based XSS
    • XSS using the POST method
  • Exploiting Cross-Site Scripting
    • Cookie stealing
    • Website defacing
    • Key loggers
    • Taking control of the user's browser with BeEF-XSS
  • Scanning for XSS flaws
    • XSSer
    • XSS-Sniper
  • Preventing and mitigating Cross-Site Scripting
  • Summary

Cross-Site Request Forgery, Identification, and Exploitation
  • Testing for CSRF flaws
  • Exploiting a CSRF flaw
    • Exploiting CSRF in a POST request
    • CSRF on web services
    • Using Cross-Site Scripting to bypass CSRF protections
  • Preventing CSRF
  • Summary

Attacking Flaws in Cryptographic Implementations
  • A cryptography primer
    • Algorithms and modes
      • Asymmetric encryption versus symmetric encryption
        • Symmetric encryption algorithm
          • Stream and block ciphers
          • Initialization Vectors
          • Block cipher modes
    • Hashing functions
      • Salt values
  • Secure communication over SSL/TLS
    • Secure communication in web applications
      • TLS encryption process
    • Identifying weak implementations of SSL/TLS
      • The OpenSSL command-line tool
      • SSLScan
      • SSLyze
      • Testing SSL configuration using Nmap
      • Exploiting Heartbleed
      • POODLE
    • Custom encryption protocols
      • Identifying encrypted and hashed information
        • Hashing algorithms
          • hash-identifier
        • Frequency analysis
        • Entropy analysis
        • Identifying the encryption algorithm
  • Common flaws in sensitive data storage and transmission
    • Using offline cracking tools
      • Using John the Ripper
      • Using Hashcat
  • Preventing flaws in cryptographic implementations
  • Summary

AJAX, HTML5, and Client-Side Attacks
  • Crawling AJAX applications
    • AJAX Crawling Tool
    • Sprajax
    • The AJAX Spider – OWASP ZAP
  • Analyzing the client-side code and storage
    • Browser developer tools
      • The Inspector panel
      • The Debugger panel
      • The Console panel
      • The Network panel
      • The Storage panel
      • The DOM panel
  • HTML5 for penetration testers
    • New XSS vectors
      • New elements
      • New properties
    • Local storage and client databases
      • Web Storage
      • IndexedDB
    • Web Messaging
    • WebSockets
      • Intercepting and modifying WebSockets
    • Other relevant features of HTML5
      • Cross-Origin Resource Sharing (CORS)
      • Geolocation
      • Web Workers
  • Bypassing client-side controls
  • Mitigating AJAX, HTML5, and client-side vulnerabilities
  • Summary

Other Common Security Flaws in Web Applications
  • Insecure direct object references
    • Direct object references in web services
    • Path traversal
  • File inclusion vulnerabilities
    • Local File Inclusion
    • Remote File Inclusion
  • HTTP parameter pollution
  • Information disclosure
  • Mitigation
    • Insecure direct object references
    • File inclusion attacks
    • HTTP parameter pollution
    • Information disclosure
  • Summary

Using Automated Scanners on Web Applications
  • Considerations before using an automated scanner
  • Web application vulnerability scanners in Kali Linux
    • Nikto
    • Skipfish
    • Wapiti
    • OWASP-ZAP scanner
  • Content Management Systems scanners
    • WPScan
    • JoomScan
    • CMSmap
  • Fuzzing web applications
    • Using the OWASP-ZAP fuzzer
    • Burp Intruder
  • Post-scanning actions
  • Summary

Other Books You May Enjoy
  • Leave a review – let other readers know what you think