Web Penetration Testing with Kali Linux - Second Edition (e-book)

Author: Juned Ahmed Ansari

Publisher: Packt Publishing

Publication date: 2015-11-26

Word count: 4.005 million

Build your defense against web attacks with Kali Linux 2.0

About This Book

  • Gain a deep understanding of the flaws in web applications and exploit them in a practical manner
  • Get hands-on web application hacking experience with a range of tools in Kali Linux 2.0
  • Develop the practical skills required to master multiple tools in the Kali Linux 2.0 toolkit

Who This Book Is For

If you are already working as a network penetration tester and want to expand your knowledge of web application hacking, then this book is tailored for you. Those who are interested in learning more about the Kali Sana tools that are used to test web applications will find this book a thoroughly useful and interesting guide.

What You Will Learn

  • Set up your lab with Kali Linux 2.0
  • Identify the difference between hacking a web application and network hacking
  • Understand the different techniques used to identify the flavor of web applications
  • Expose vulnerabilities present in web servers and their applications using server-side attacks
  • Use SQL and cross-site scripting (XSS) attacks
  • Check for XSS flaws using the Burp Suite proxy
  • Find out about the mitigation techniques used to negate the effects of the Injection and Blind SQL attacks

In Detail

Kali Linux 2.0 is the new generation of the industry-leading BackTrack Linux penetration testing and security auditing Linux distribution. It contains several hundred tools aimed at various information security tasks such as penetration testing, forensics, and reverse engineering.

At the beginning of the book, you will be introduced to the concepts of hacking and penetration testing and will get to know about the tools used in Kali Linux 2.0 that relate to web application hacking. Then, you will gain a deep understanding of SQL and command injection flaws and ways to exploit the flaws. Moving on, you will get to know more about scripting and input validation flaws, AJAX, and the security issues related to AJAX.

At the end of the book, you will use an automated technique called fuzzing to be able to identify flaws in a web application. Finally, you will understand the web application vulnerabilities and the ways in which they can be exploited using the tools in Kali Linux 2.0.

Style and approach

This step-by-step guide covers each topic with detailed practical examples. Every concept is explained with the help of illustrations using the tools available in Kali Linux 2.0.

Web Penetration Testing with Kali Linux Second Edition

Table of Contents

Web Penetration Testing with Kali Linux Second Edition

Credits

About the Author

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers, and more

Why subscribe?

Free access for Packt account holders

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Downloading the color images of this book

Errata

Piracy

Questions

1. Introduction to Penetration Testing and Web Applications

Proactive security testing

Who is a hacker?

Different testing methodologies

Ethical hacking

Penetration testing

Vulnerability assessment

Security audits

Rules of engagement

Black box testing or Gray box testing

Client contact details

Client IT team notifications

Sensitive data handling

Status meeting

The limitations of penetration testing

The need for testing web applications

Social engineering attacks

Training employees to defeat social engineering attacks

A web application overview for penetration testers

HTTP protocol

Request and response header

The request header

The response header

Important HTTP methods for penetration testing

The GET/POST method

The HEAD method

The TRACE method

The PUT and DELETE methods

The OPTIONS method

Session tracking using cookies

Cookie

Cookie flow between server and client

Persistent and non-persistent cookies

Cookie parameters

HTML data in HTTP response

Multi-tier web application

Summary

2. Setting up Your Lab with Kali Linux

Kali Linux

Improvements in Kali Linux 2.0

Installing Kali Linux

USB mode

VMware and ARM images of Kali Linux

Kali Linux on Amazon cloud

Installing Kali Linux on a hard drive

Kali Linux-virtualizing versus installing on physical hardware

Important tools in Kali Linux

Web application proxies

Burp proxy

Customizing client interception

Modifying requests on the fly

Burp proxy with SSL-based websites

WebScarab and Zed Attack Proxy

ProxyStrike

Web vulnerability scanner

Nikto

Skipfish

Web Crawler – Dirbuster

OpenVAS

Database exploitation

CMS identification tools

Web application fuzzers

Using Tor for penetration testing

Steps to set up Tor and connect anonymously

Visualization of a web request through Tor

Final words for Tor

Summary

3. Reconnaissance and Profiling the Web Server

Reconnaissance

Passive reconnaissance versus active reconnaissance

Reconnaissance – information gathering

Domain registration details

Whois – extracting domain information

Identifying hosts using DNS

Zone transfer using dig

Brute force DNS records using Nmap

The Recon-ng tool – a framework for information gathering

Domain enumeration using recon-ng

Sub-level and top-level domain enumeration

Reporting modules

Scanning – probing the target

Port scanning using Nmap

Different options for port scan

Evading firewalls and IPS using Nmap

Spotting a firewall using back checksum option in Nmap

Identifying the operating system using Nmap

Profiling the server

Application version fingerprinting

The Nmap version scan

The Amap version scan

Fingerprinting the web application framework

The HTTP header

The Whatweb scanner

Identifying virtual hosts

Locating virtual hosts using search engines

The virtual host lookup module in Recon-ng

Identifying load balancers

Cookie-based load balancer

Other ways of identifying load balancers

Scanning web servers for vulnerabilities and misconfigurations

Identifying HTTP methods using Nmap

Testing web servers using auxiliary modules in Metasploit

Automating scanning using the WMAP web scanner plugin

Vulnerability scanning and graphical reports – the Skipfish web application scanner

Spidering web applications

The Burp spider

Application login

Summary

4. Major Flaws in Web Applications

Information leakage

Directory browsing

Directory browsing using DirBuster

Comments in HTML code

Mitigation

Authentication issues

Authentication protocols and flaws

Basic authentication

Digest authentication

Integrated authentication

Form-based authentication

Brute forcing credentials

Hydra – a brute force password cracker

Path traversal

Attacking path traversal using Burp proxy

Mitigation

Injection-based flaws

Command injection

SQL injection

Cross-site scripting

Attack potential of cross-site scripting attacks

Cross-site request forgery

Session-based flaws

Different ways to steal tokens

Brute forcing tokens

Sniffing tokens and man-in-the-middle attacks

Stealing session tokens using XSS attack

Session token sharing between application and browser

Tools to analyze tokens

Session fixation attack

Mitigation for session fixation

File inclusion vulnerability

Remote file include

Local file include

Mitigation for file inclusion attacks

HTTP parameter pollution

Mitigation

HTTP response splitting

Mitigation

Summary

5. Attacking the Server Using Injection-based Flaws

Command injection

Identifying parameters to inject data

Error-based and blind command injection

Metacharacters for command separator

Scanning for command injection

Creating a cookie file for authentication

Executing Wapiti

Exploiting command injection using Metasploit

PHP shell and Metasploit

Exploiting shellshock

Overview of shellshock

Scanning – dirb

Exploitation – Metasploit

SQL injection

SQL statements

The UNION operator

The SQL query example

Attack potential of the SQL injection flaw

Blind SQL injection

SQL injection testing methodology

Scanning for SQL injection

Information gathering

Sqlmap – automating exploitation

BBQSQL – the blind SQL injection framework

Sqlsus – MySQL injection

Sqlninja – MS SQL injection

Summary

6. Exploiting Clients Using XSS and CSRF Flaws

The origin of cross-site scripting

Introduction to JavaScript

An overview of cross-site scripting

Types of cross-site scripting

Persistent XSS

Reflected XSS

DOM-based XSS

Defence against DOM-based XSS

XSS using the POST Method

XSS and JavaScript – a deadly combination

Cookie stealing

Key logger

Website defacing

Scanning for XSS flaws

Zed Attack Proxy

Scoping and selecting modes

Modes of operation

Scan policy and attack

Xsser

Features

W3af

Plugins

Graphical interface

Cross-site request forgery

Attack dependencies

Attack methodology

Testing for CSRF flaws

CSRF mitigation techniques

Summary

7. Attacking SSL-based Websites

Secure socket layer

SSL in web applications

SSL encryption process

Asymmetric encryption versus symmetric encryption

Asymmetric encryption algorithms

Symmetric encryption algorithm

Hashing for message integrity

Identifying weak SSL implementations

OpenSSL command-line tool

SSLScan

SSLyze

Testing SSL configuration using Nmap

SSL man-in-the-middle attack

SSL MITM tools in Kali Linux

SSLsplit

SSLstrip

SSL stripping limitations

Summary

8. Exploiting the Client Using Attack Frameworks

Social engineering attacks

Social engineering toolkit

Spear-phishing attack

Website attack

Java applet attack

Credential harvester attack

Web jacking attack

Metasploit browser exploit

Tabnabbing attack

Browser exploitation framework

Introducing BeEF

BeEF hook injection

Browser reconnaissance

Exploit modules

Host information gathering

Persistence module

Network recon

Inter-protocol exploitation and communication

Exploiting the mutillidae XSS flaw using BeEF

Injecting the BeEF hook using MITM

Summary

9. AJAX and Web Services – Security Issues

Introduction to AJAX

Building blocks of AJAX

The AJAX workflow

AJAX security issues

Increase in attack surface

Exposed programming logic of the application

Insufficient access control

Challenges of pentesting AJAX applications

Crawling AJAX applications

AJAX crawling tool

Sprajax

AJAX spider – OWASP ZAP

Analyzing client-side code – Firebug

The Script panel

The Console panel

The Network panel

Web services

Introducing SOAP and RESTful web services

Securing web services

Insecure direct object reference vulnerability

Summary

10. Fuzzing Web Applications

Fuzzing basics

Types of fuzzing techniques

Mutation fuzzing

Generation fuzzing

Applications of fuzzing

Network protocol fuzzing

File fuzzing

User interface fuzzing

Web application fuzzing

Web browser fuzzing

Fuzzer frameworks

Fuzzing steps

Testing web applications using fuzzing

Fuzzing input in web applications

Request URI

Headers

Form fields

Detecting result of fuzzing

Web application fuzzers in Kali Linux

Fuzzing using Burp intruder

PowerFuzzer tool

Summary

Index
