Web Penetration Testing with Kali Linux - Third Edition (e-book)

4 people currently reading | 0 reviews | rating 9.8

Authors: Gilberto Najera-Gutierrez, Juned Ahmed Ansari

Publisher: Packt Publishing

Publication date: 2018-02-28

Word count: 398,000

Category: Imported books > Foreign-language original editions > Computers/Networking

Build your defense against web attacks with Kali Linux, including command injection flaws, crypto implementation layers, and web application security holes.

About This Book
  • Know how to set up your lab with Kali Linux
  • Discover the core concepts of web penetration testing
  • Get the tools and techniques you need with Kali Linux

Who This Book Is For
Since this book sets out to cover a large number of tools and security fields, it can work as an introduction to practical security skills for beginners in security. In addition, web programmers and system administrators would benefit from this rigorous introduction to web penetration testing. Basic system administration skills are necessary, and the ability to read code is a must.

What You Will Learn
  • Learn how to set up your lab with Kali Linux
  • Understand the core concepts of web penetration testing
  • Get to know the tools and techniques you need to use with Kali Linux
  • Identify the difference between hacking a web application and network hacking
  • Expose vulnerabilities present in web servers and their applications using server-side attacks
  • Understand the different techniques used to identify the flavor of web applications
  • See standard attacks such as exploiting cross-site request forgery and cross-site scripting flaws
  • Get an overview of the art of client-side attacks
  • Explore automated attacks such as fuzzing web applications

In Detail
Web Penetration Testing with Kali Linux - Third Edition shows you how to set up a lab, helps you understand the nature and mechanics of attacking websites, and explains classical attacks in great depth. This edition is heavily updated for the latest Kali Linux changes and the most recent attacks. Kali Linux shines when it comes to client-side attacks and fuzzing in particular. From the start of the book, you'll be given a thorough grounding in the concepts of hacking and penetration testing, and you'll see the tools used in Kali Linux that relate to web application hacking.

You'll gain a deep understanding of classical SQL and command-injection flaws, and the many ways to exploit these flaws. Web penetration testing also needs a general overview of client-side attacks, which is rounded out by a long discussion of scripting and input validation flaws. There is also an important chapter on cryptographic implementation flaws, where we discuss the most recent problems with cryptographic layers in the networking stack. The importance of these attacks cannot be overstated, and defending against them is relevant to most internet users and, of course, penetration testers. At the end of the book, you'll use an automated technique called fuzzing to identify flaws in a web application. Finally, you'll gain an understanding of web application vulnerabilities and the ways they can be exploited using the tools in Kali Linux.

Style and approach
This step-by-step guide covers each topic with detailed practical examples. Every concept is explained with the help of illustrations using the tools available in Kali Linux.
Table of contents

Title Page

Copyright and Credits

Web Penetration Testing with Kali Linux Third Edition

Dedication

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the authors

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Get in touch

Reviews

Introduction to Penetration Testing and Web Applications

Proactive security testing

Different testing methodologies

Ethical hacking

Penetration testing

Vulnerability assessment

Security audits

Considerations when performing penetration testing

Rules of Engagement

The type and scope of testing

Client contact details

Client IT team notifications

Sensitive data handling

Status meeting and reports

The limitations of penetration testing

The need for testing web applications

Reasons to guard against attacks on web applications

Kali Linux

A web application overview for penetration testers

HTTP protocol

Knowing an HTTP request and response

The request header

The response header

HTTP methods

The GET method

The POST method

The HEAD method

The TRACE method

The PUT and DELETE methods

The OPTIONS method

Keeping sessions in HTTP

Cookies

Cookie flow between server and client

Persistent and nonpersistent cookies

Cookie parameters

HTML data in HTTP response

The server-side code

Multilayer web application

Three-layer web application design

Web services

Introducing SOAP and REST web services

HTTP methods in web services

XML and JSON

AJAX

Building blocks of AJAX

The AJAX workflow

HTML5

WebSockets

Summary

Setting Up Your Lab with Kali Linux

Kali Linux

Latest improvements in Kali Linux

Installing Kali Linux

Virtualizing Kali Linux versus installing it on physical hardware

Installing on VirtualBox

Creating the virtual machine

Installing the system

Important tools in Kali Linux

CMS & Framework Identification

WPScan

JoomScan

CMSmap

Web Application Proxies

Burp Proxy

Customizing client interception

Modifying requests on the fly

Burp Proxy with HTTPS websites

Zed Attack Proxy

ProxyStrike

Web Crawlers and Directory Bruteforce

DIRB

DirBuster

Uniscan

Web Vulnerability Scanners

Nikto

w3af

Skipfish

Other tools

OpenVAS

Database exploitation

Web application fuzzers

Using Tor for penetration testing

Vulnerable applications and servers to practice on

OWASP Broken Web Applications

Hackazon

Web Security Dojo

Other resources

Summary

Reconnaissance and Profiling the Web Server

Reconnaissance

Passive reconnaissance versus active reconnaissance

Information gathering

Domain registration details

Whois – extracting domain information

Identifying related hosts using DNS

Zone transfer using dig

DNS enumeration

DNSEnum

Fierce

DNSRecon

Brute force DNS records using Nmap

Using search engines and public sites to gather information

Google dorks

Shodan

theHarvester

Maltego

Recon-ng – a framework for information gathering

Domain enumeration using Recon-ng

Sub-level and top-level domain enumeration

Reporting modules

Scanning – probing the target

Port scanning using Nmap

Different options for port scan

Evading firewalls and IPS using Nmap

Identifying the operating system

Profiling the server

Identifying virtual hosts

Locating virtual hosts using search engines

Identifying load balancers

Cookie-based load balancer

Other ways of identifying load balancers

Application version fingerprinting

The Nmap version scan

The Amap version scan

Fingerprinting the web application framework

The HTTP header

The WhatWeb scanner

Scanning web servers for vulnerabilities and misconfigurations

Identifying HTTP methods using Nmap

Testing web servers using auxiliary modules in Metasploit

Identifying HTTPS configuration and issues

OpenSSL client

Scanning TLS/SSL configuration with SSLScan

Scanning TLS/SSL configuration with SSLyze

Testing TLS/SSL configuration using Nmap

Spidering web applications

Burp Spider

Application login

Directory brute forcing

DIRB

ZAP's forced browse

Summary

Authentication and Session Management Flaws

Authentication schemes in web applications

Platform authentication

Basic

Digest

NTLM

Kerberos

HTTP Negotiate

Drawbacks of platform authentication

Form-based authentication

Two-factor Authentication

OAuth

Session management mechanisms

Sessions based on platform authentication

Session identifiers

Common authentication flaws in web applications

Lack of authentication or incorrect authorization verification

Username enumeration

Discovering passwords by brute force and dictionary attacks

Attacking basic authentication with THC Hydra

Attacking form-based authentication

Using Burp Suite Intruder

Using THC Hydra

The password reset functionality

Recovery instead of reset

Common password reset flaws

Vulnerabilities in 2FA implementations

Detecting and exploiting improper session management

Using Burp Sequencer to evaluate the quality of session IDs

Predicting session IDs

Session Fixation

Preventing authentication and session attacks

Authentication guidelines

Session management guidelines

Summary

Detecting and Exploiting Injection-Based Flaws

Command injection

Identifying parameters to inject data

Error-based and blind command injection

Metacharacters for command separator

Exploiting shellshock

Getting a reverse shell

Exploitation using Metasploit

SQL injection

An SQL primer

The SELECT statement

Vulnerable code

SQL injection testing methodology

Extracting data with SQL injection

Getting basic environment information

Blind SQL injection

Automating exploitation

sqlninja

BBQSQL

sqlmap

Attack potential of the SQL injection flaw

XML injection

XPath injection

XPath injection with XCat

The XML External Entity injection

The Entity Expansion attack

NoSQL injection

Testing for NoSQL injection

Exploiting NoSQL injection

Mitigation and prevention of injection vulnerabilities

Summary

Finding and Exploiting Cross-Site Scripting (XSS) Vulnerabilities

An overview of Cross-Site Scripting

Persistent XSS

Reflected XSS

DOM-based XSS

XSS using the POST method

Exploiting Cross-Site Scripting

Cookie stealing

Website defacing

Key loggers

Taking control of the user's browser with BeEF-XSS

Scanning for XSS flaws

XSSer

XSS-Sniper

Preventing and mitigating Cross-Site Scripting

Summary

Cross-Site Request Forgery, Identification, and Exploitation

Testing for CSRF flaws

Exploiting a CSRF flaw

Exploiting CSRF in a POST request

CSRF on web services

Using Cross-Site Scripting to bypass CSRF protections

Preventing CSRF

Summary

Attacking Flaws in Cryptographic Implementations

A cryptography primer

Algorithms and modes

Asymmetric encryption versus symmetric encryption

Symmetric encryption algorithm

Stream and block ciphers

Initialization Vectors

Block cipher modes

Hashing functions

Salt values

Secure communication over SSL/TLS

Secure communication in web applications

TLS encryption process

Identifying weak implementations of SSL/TLS

The OpenSSL command-line tool

SSLScan

SSLyze

Testing SSL configuration using Nmap

Exploiting Heartbleed

POODLE

Custom encryption protocols

Identifying encrypted and hashed information

Hashing algorithms

hash-identifier

Frequency analysis

Entropy analysis

Identifying the encryption algorithm

Common flaws in sensitive data storage and transmission

Using offline cracking tools

Using John the Ripper

Using Hashcat

Preventing flaws in cryptographic implementations

Summary

AJAX, HTML5, and Client-Side Attacks

Crawling AJAX applications

AJAX Crawling Tool

Sprajax

The AJAX Spider – OWASP ZAP

Analyzing the client-side code and storage

Browser developer tools

The Inspector panel

The Debugger panel

The Console panel

The Network panel

The Storage panel

The DOM panel

HTML5 for penetration testers

New XSS vectors

New elements

New properties

Local storage and client databases

Web Storage

IndexedDB

Web Messaging

WebSockets

Intercepting and modifying WebSockets

Other relevant features of HTML5

Cross-Origin Resource Sharing (CORS)

Geolocation

Web Workers

Bypassing client-side controls

Mitigating AJAX, HTML5, and client-side vulnerabilities

Summary

Other Common Security Flaws in Web Applications

Insecure direct object references

Direct object references in web services

Path traversal

File inclusion vulnerabilities

Local File Inclusion

Remote File Inclusion

HTTP parameter pollution

Information disclosure

Mitigation

Insecure direct object references

File inclusion attacks

HTTP parameter pollution

Information disclosure

Summary

Using Automated Scanners on Web Applications

Considerations before using an automated scanner

Web application vulnerability scanners in Kali Linux

Nikto

Skipfish

Wapiti

OWASP-ZAP scanner

Content Management Systems scanners

WPScan

JoomScan

CMSmap

Fuzzing web applications

Using the OWASP-ZAP fuzzer

Burp Intruder

Post-scanning actions

Summary

Other Books You May Enjoy

Leave a review – let other readers know what you think
