Imperial Library
Index
Title Page
Copyright and Credits
Web Penetration Testing with Kali Linux Third Edition
Dedication
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Introduction to Penetration Testing and Web Applications
Proactive security testing
Different testing methodologies
Ethical hacking
Penetration testing
Vulnerability assessment
Security audits
Considerations when performing penetration testing
Rules of Engagement
The type and scope of testing
Client contact details
Client IT team notifications
Sensitive data handling
Status meeting and reports
The limitations of penetration testing
The need for testing web applications
Reasons to guard against attacks on web applications
Kali Linux
A web application overview for penetration testers
HTTP protocol
Knowing an HTTP request and response
The request header
The response header
HTTP methods
The GET method
The POST method
The HEAD method
The TRACE method
The PUT and DELETE methods
The OPTIONS method
Keeping sessions in HTTP
Cookies
Cookie flow between server and client
Persistent and nonpersistent cookies
Cookie parameters
HTML data in HTTP response
The server-side code
Multilayer web application
Three-layer web application design
Web services
Introducing SOAP and REST web services
HTTP methods in web services
XML and JSON
AJAX
Building blocks of AJAX
The AJAX workflow
HTML5
WebSockets
Summary
Setting Up Your Lab with Kali Linux
Kali Linux
Latest improvements in Kali Linux
Installing Kali Linux
Virtualizing Kali Linux versus installing it on physical hardware
Installing on VirtualBox
Creating the virtual machine
Installing the system
Important tools in Kali Linux
CMS & Framework Identification
WPScan
JoomScan
CMSmap
Web Application Proxies
Burp Proxy
Customizing client interception
Modifying requests on the fly
Burp Proxy with HTTPS websites
Zed Attack Proxy
ProxyStrike
Web Crawlers and Directory Bruteforce
DIRB
DirBuster
Uniscan
Web Vulnerability Scanners
Nikto
w3af
Skipfish
Other tools
OpenVAS
Database exploitation
Web application fuzzers
Using Tor for penetration testing
Vulnerable applications and servers to practice on
OWASP Broken Web Applications
Hackazon
Web Security Dojo
Other resources
Summary
Reconnaissance and Profiling the Web Server
Reconnaissance
Passive reconnaissance versus active reconnaissance
Information gathering
Domain registration details
Whois – extracting domain information
Identifying related hosts using DNS
Zone transfer using dig
DNS enumeration
DNSEnum
Fierce
DNSRecon
Brute force DNS records using Nmap
Using search engines and public sites to gather information
Google dorks
Shodan
theHarvester
Maltego
Recon-ng – a framework for information gathering
Domain enumeration using Recon-ng
Sub-level and top-level domain enumeration
Reporting modules
Scanning – probing the target
Port scanning using Nmap
Different options for port scan
Evading firewalls and IPS using Nmap
Identifying the operating system
Profiling the server
Identifying virtual hosts
Locating virtual hosts using search engines
Identifying load balancers
Cookie-based load balancer
Other ways of identifying load balancers
Application version fingerprinting
The Nmap version scan
The Amap version scan
Fingerprinting the web application framework
The HTTP header
The WhatWeb scanner
Scanning web servers for vulnerabilities and misconfigurations
Identifying HTTP methods using Nmap
Testing web servers using auxiliary modules in Metasploit
Identifying HTTPS configuration and issues
OpenSSL client
Scanning TLS/SSL configuration with SSLScan
Scanning TLS/SSL configuration with SSLyze
Testing TLS/SSL configuration using Nmap
Spidering web applications
Burp Spider
Application login
Directory brute forcing
DIRB
ZAP's forced browse
Summary
Authentication and Session Management Flaws
Authentication schemes in web applications
Platform authentication
Basic
Digest
NTLM
Kerberos
HTTP Negotiate
Drawbacks of platform authentication
Form-based authentication
Two-factor Authentication
OAuth
Session management mechanisms
Sessions based on platform authentication
Session identifiers
Common authentication flaws in web applications
Lack of authentication or incorrect authorization verification
Username enumeration
Discovering passwords by brute force and dictionary attacks
Attacking basic authentication with THC Hydra
Attacking form-based authentication
Using Burp Suite Intruder
Using THC Hydra
The password reset functionality
Recovery instead of reset
Common password reset flaws
Vulnerabilities in 2FA implementations
Detecting and exploiting improper session management
Using Burp Sequencer to evaluate the quality of session IDs
Predicting session IDs
Session Fixation
Preventing authentication and session attacks
Authentication guidelines
Session management guidelines
Summary
Detecting and Exploiting Injection-Based Flaws
Command injection
Identifying parameters to inject data
Error-based and blind command injection
Metacharacters for command separator
Exploiting shellshock
Getting a reverse shell
Exploitation using Metasploit
SQL injection
An SQL primer
The SELECT statement
Vulnerable code
SQL injection testing methodology
Extracting data with SQL injection
Getting basic environment information
Blind SQL injection
Automating exploitation
sqlninja
BBQSQL
sqlmap
Attack potential of the SQL injection flaw
XML injection
XPath injection
XPath injection with XCat
The XML External Entity injection
The Entity Expansion attack
NoSQL injection
Testing for NoSQL injection
Exploiting NoSQL injection
Mitigation and prevention of injection vulnerabilities
Summary
Finding and Exploiting Cross-Site Scripting (XSS) Vulnerabilities
An overview of Cross-Site Scripting
Persistent XSS
Reflected XSS
DOM-based XSS
XSS using the POST method
Exploiting Cross-Site Scripting
Cookie stealing
Website defacing
Key loggers
Taking control of the user's browser with BeEF-XSS
Scanning for XSS flaws
XSSer
XSS-Sniper
Preventing and mitigating Cross-Site Scripting
Summary
Cross-Site Request Forgery, Identification, and Exploitation
Testing for CSRF flaws
Exploiting a CSRF flaw
Exploiting CSRF in a POST request
CSRF on web services
Using Cross-Site Scripting to bypass CSRF protections
Preventing CSRF
Summary
Attacking Flaws in Cryptographic Implementations
A cryptography primer
Algorithms and modes
Asymmetric encryption versus symmetric encryption
Symmetric encryption algorithm
Stream and block ciphers
Initialization Vectors
Block cipher modes
Hashing functions
Salt values
Secure communication over SSL/TLS
Secure communication in web applications
TLS encryption process
Identifying weak implementations of SSL/TLS
The OpenSSL command-line tool
SSLScan
SSLyze
Testing SSL configuration using Nmap
Exploiting Heartbleed
POODLE
Custom encryption protocols
Identifying encrypted and hashed information
Hashing algorithms
hash-identifier
Frequency analysis
Entropy analysis
Identifying the encryption algorithm
Common flaws in sensitive data storage and transmission
Using offline cracking tools
Using John the Ripper
Using Hashcat
Preventing flaws in cryptographic implementations
Summary
AJAX, HTML5, and Client-Side Attacks
Crawling AJAX applications
AJAX Crawling Tool
Sprajax
The AJAX Spider – OWASP ZAP
Analyzing the client-side code and storage
Browser developer tools
The Inspector panel
The Debugger panel
The Console panel
The Network panel
The Storage panel
The DOM panel
HTML5 for penetration testers
New XSS vectors
New elements
New properties
Local storage and client databases
Web Storage
IndexedDB
Web Messaging
WebSockets
Intercepting and modifying WebSockets
Other relevant features of HTML5
Cross-Origin Resource Sharing (CORS)
Geolocation
Web Workers
Bypassing client-side controls
Mitigating AJAX, HTML5, and client-side vulnerabilities
Summary
Other Common Security Flaws in Web Applications
Insecure direct object references
Direct object references in web services
Path traversal
File inclusion vulnerabilities
Local File Inclusion
Remote File Inclusion
HTTP parameter pollution
Information disclosure
Mitigation
Insecure direct object references
File inclusion attacks
HTTP parameter pollution
Information disclosure
Summary
Using Automated Scanners on Web Applications
Considerations before using an automated scanner
Web application vulnerability scanners in Kali Linux
Nikto
Skipfish
Wapiti
OWASP-ZAP scanner
Content Management Systems scanners
WPScan
JoomScan
CMSmap
Fuzzing web applications
Using the OWASP-ZAP fuzzer
Burp Intruder
Post-scanning actions
Summary
Other Books You May Enjoy
Leave a review – let other readers know what you think