Web Penetration Testing with Kali Linux - Second Edition

Book Description

Build your defense against web attacks with Kali Linux 2.0

About This Book

  • Gain a deep understanding of the flaws in web applications and exploit them in a practical manner

  • Get hands-on web application hacking experience with a range of tools in Kali Linux 2.0

  • Develop the practical skills required to master multiple tools in the Kali Linux 2.0 toolkit

Who This Book Is For

If you are already working as a network penetration tester and want to expand your knowledge of web application hacking, then this book is tailored for you. Those who are interested in learning more about the Kali Sana tools that are used to test web applications will find this book a thoroughly useful and interesting guide.

What You Will Learn

  • Set up your lab with Kali Linux 2.0

  • Identify the difference between hacking a web application and network hacking

  • Understand the different techniques used to identify the flavor of web applications

  • Expose vulnerabilities present in web servers and their applications using server-side attacks

  • Use SQL and cross-site scripting (XSS) attacks

  • Check for XSS flaws using the Burp Suite proxy

  • Find out about the mitigation techniques used to negate the effects of injection and blind SQL injection attacks

In Detail

Kali Linux 2.0 is the new generation of BackTrack, the industry-leading penetration testing and security auditing Linux distribution. It contains several hundred tools aimed at various information security tasks such as penetration testing, forensics, and reverse engineering.

At the beginning of the book, you will be introduced to the concepts of hacking and penetration testing and will get to know the tools in Kali Linux 2.0 that relate to web application hacking. Then, you will gain a deep understanding of SQL and command injection flaws and the ways to exploit them. Moving on, you will learn more about scripting and input validation flaws, AJAX, and the security issues related to AJAX.

At the end of the book, you will use an automated technique called fuzzing to identify flaws in a web application. Finally, you will understand the common web application vulnerabilities and the ways in which they can be exploited using the tools in Kali Linux 2.0.

Style and approach

This step-by-step guide covers each topic with detailed practical examples. Every concept is explained with the help of illustrations using the tools available in Kali Linux 2.0.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code file.

Table of Contents

    1. Web Penetration Testing with Kali Linux Second Edition
      1. Table of Contents
      2. Web Penetration Testing with Kali Linux Second Edition
      3. Credits
      4. About the Author
      5. About the Reviewers
      6. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Downloading the color images of this book
          3. Errata
          4. Piracy
          5. Questions
      8. 1. Introduction to Penetration Testing and Web Applications
        1. Proactive security testing
          1. Who is a hacker?
          2. Different testing methodologies
            1. Ethical hacking
            2. Penetration testing
            3. Vulnerability assessment
            4. Security audits
        2. Rules of engagement
          1. Black box testing or Gray box testing
          2. Client contact details
          3. Client IT team notifications
          4. Sensitive data handling
          5. Status meeting
        3. The limitations of penetration testing
        4. The need for testing web applications
        5. Social engineering attacks
          1. Training employees to defeat social engineering attacks
        6. A web application overview for penetration testers
          1. HTTP protocol
          2. Request and response header
            1. The request header
            2. The response header
          3. Important HTTP methods for penetration testing
            1. The GET/POST method
            2. The HEAD method
            3. The TRACE method
            4. The PUT and DELETE methods
            5. The OPTIONS method
          4. Session tracking using cookies
            1. Cookie
            2. Cookie flow between server and client
            3. Persistent and non-persistent cookies
            4. Cookie parameters
          5. HTML data in HTTP response
          6. Multi-tier web application
        7. Summary
      9. 2. Setting up Your Lab with Kali Linux
        1. Kali Linux
          1. Improvements in Kali Linux 2.0
          2. Installing Kali Linux
            1. USB mode
            2. VMware and ARM images of Kali Linux
            3. Kali Linux on Amazon cloud
            4. Installing Kali Linux on a hard drive
          3. Kali Linux – virtualizing versus installing on physical hardware
        2. Important tools in Kali Linux
          1. Web application proxies
            1. Burp proxy
              1. Customizing client interception
              2. Modifying requests on the fly
              3. Burp proxy with SSL-based websites
            2. WebScarab and Zed Attack Proxy
            3. ProxyStrike
          2. Web vulnerability scanner
            1. Nikto
            2. Skipfish
            3. Web Crawler – Dirbuster
            4. OpenVAS
            5. Database exploitation
          3. CMS identification tools
          4. Web application fuzzers
        3. Using Tor for penetration testing
          1. Steps to set up Tor and connect anonymously
          2. Visualization of a web request through Tor
          3. Final words for Tor
        4. Summary
      10. 3. Reconnaissance and Profiling the Web Server
        1. Reconnaissance
          1. Passive reconnaissance versus active reconnaissance
          2. Reconnaissance – information gathering
            1. Domain registration details
              1. Whois – extracting domain information
            2. Identifying hosts using DNS
              1. Zone transfer using dig
              2. Brute force DNS records using Nmap
            3. The Recon-ng tool – a framework for information gathering
              1. Domain enumeration using recon-ng
                1. Sub-level and top-level domain enumeration
              2. Reporting modules
        2. Scanning – probing the target
          1. Port scanning using Nmap
            1. Different options for port scan
            2. Evading firewalls and IPS using Nmap
            3. Spotting a firewall using back checksum option in Nmap
          2. Identifying the operating system using Nmap
          3. Profiling the server
            1. Application version fingerprinting
              1. The Nmap version scan
              2. The Amap version scan
            2. Fingerprinting the web application framework
              1. The HTTP header
              2. The Whatweb scanner
            3. Identifying virtual hosts
              1. Locating virtual hosts using search engines
              2. The virtual host lookup module in Recon-ng
            4. Identifying load balancers
              1. Cookie-based load balancer
              2. Other ways of identifying load balancers
            5. Scanning web servers for vulnerabilities and misconfigurations
              1. Identifying HTTP methods using Nmap
              2. Testing web servers using auxiliary modules in Metasploit
              3. Automating scanning using the WMAP web scanner plugin
              4. Vulnerability scanning and graphical reports – the Skipfish web application scanner
            6. Spidering web applications
              1. The Burp spider
              2. Application login
        3. Summary
      11. 4. Major Flaws in Web Applications
        1. Information leakage
          1. Directory browsing
            1. Directory browsing using DirBuster
            2. Comments in HTML code
            3. Mitigation
        2. Authentication issues
          1. Authentication protocols and flaws
            1. Basic authentication
            2. Digest authentication
            3. Integrated authentication
            4. Form-based authentication
          2. Brute forcing credentials
            1. Hydra – a brute force password cracker
        3. Path traversal
          1. Attacking path traversal using Burp proxy
            1. Mitigation
        4. Injection-based flaws
          1. Command injection
          2. SQL injection
        5. Cross-site scripting
          1. Attack potential of cross-site scripting attacks
        6. Cross-site request forgery
        7. Session-based flaws
          1. Different ways to steal tokens
            1. Brute forcing tokens
            2. Sniffing tokens and man-in-the-middle attacks
            3. Stealing session tokens using XSS attack
            4. Session token sharing between application and browser
          2. Tools to analyze tokens
          3. Session fixation attack
          4. Mitigation for session fixation
        8. File inclusion vulnerability
          1. Remote file include
          2. Local file include
          3. Mitigation for file inclusion attacks
        9. HTTP parameter pollution
          1. Mitigation
        10. HTTP response splitting
          1. Mitigation
        11. Summary
      12. 5. Attacking the Server Using Injection-based Flaws
        1. Command injection
          1. Identifying parameters to inject data
          2. Error-based and blind command injection
          3. Metacharacters for command separator
          4. Scanning for command injection
            1. Creating a cookie file for authentication
            2. Executing Wapiti
          5. Exploiting command injection using Metasploit
            1. PHP shell and Metasploit
          6. Exploiting shellshock
            1. Overview of shellshock
            2. Scanning – dirb
            3. Exploitation – Metasploit
        2. SQL injection
          1. SQL statements
            1. The UNION operator
            2. The SQL query example
          2. Attack potential of the SQL injection flaw
          3. Blind SQL injection
          4. SQL injection testing methodology
            1. Scanning for SQL injection
            2. Information gathering
          5. Sqlmap – automating exploitation
          6. BBQSQL – the blind SQL injection framework
          7. Sqlsus – MySQL injection
          8. Sqlninja – MS SQL injection
        3. Summary
      13. 6. Exploiting Clients Using XSS and CSRF Flaws
        1. The origin of cross-site scripting
          1. Introduction to JavaScript
        2. An overview of cross-site scripting
        3. Types of cross-site scripting
          1. Persistent XSS
          2. Reflected XSS
          3. DOM-based XSS
            1. Defence against DOM-based XSS
          4. XSS using the POST Method
        4. XSS and JavaScript – a deadly combination
          1. Cookie stealing
          2. Key logger
          3. Website defacing
        5. Scanning for XSS flaws
          1. Zed Attack Proxy
            1. Scoping and selecting modes
            2. Modes of operation
            3. Scan policy and attack
          2. Xsser
            1. Features
          3. W3af
            1. Plugins
            2. Graphical interface
        6. Cross-site request forgery
          1. Attack dependencies
          2. Attack methodology
          3. Testing for CSRF flaws
          4. CSRF mitigation techniques
        7. Summary
      14. 7. Attacking SSL-based Websites
        1. Secure socket layer
          1. SSL in web applications
          2. SSL encryption process
          3. Asymmetric encryption versus symmetric encryption
            1. Asymmetric encryption algorithms
            2. Symmetric encryption algorithm
          4. Hashing for message integrity
          5. Identifying weak SSL implementations
            1. OpenSSL command-line tool
            2. SSLScan
            3. SSLyze
            4. Testing SSL configuration using Nmap
          6. SSL man-in-the-middle attack
            1. SSL MITM tools in Kali Linux
              1. SSLsplit
              2. SSLstrip
                1. SSL stripping limitations
        2. Summary
      15. 8. Exploiting the Client Using Attack Frameworks
        1. Social engineering attacks
        2. Social engineering toolkit
        3. Spear-phishing attack
        4. Website attack
          1. Java applet attack
          2. Credential harvester attack
          3. Web jacking attack
          4. Metasploit browser exploit
          5. Tabnabbing attack
        5. Browser exploitation framework
          1. Introducing BeEF
          2. BeEF hook injection
            1. Browser reconnaissance
            2. Exploit modules
            3. Host information gathering
            4. Persistence module
            5. Network recon
            6. Inter-protocol exploitation and communication
          3. Exploiting the mutillidae XSS flaw using BeEF
          4. Injecting the BeEF hook using MITM
        6. Summary
      16. 9. AJAX and Web Services – Security Issues
        1. Introduction to AJAX
          1. Building blocks of AJAX
          2. The AJAX workflow
          3. AJAX security issues
            1. Increase in attack surface
            2. Exposed programming logic of the application
            3. Insufficient access control
          4. Challenges of pentesting AJAX applications
          5. Crawling AJAX applications
            1. AJAX crawling tool
            2. Sprajax
            3. AJAX spider – OWASP ZAP
          6. Analyzing client-side code – Firebug
            1. The Script panel
            2. The Console panel
            3. The Network panel
        2. Web services
          1. Introducing SOAP and RESTful web services
          2. Securing web services
            1. Insecure direct object reference vulnerability
        3. Summary
      17. 10. Fuzzing Web Applications
        1. Fuzzing basics
        2. Types of fuzzing techniques
          1. Mutation fuzzing
          2. Generation fuzzing
          3. Applications of fuzzing
            1. Network protocol fuzzing
            2. File fuzzing
            3. User interface fuzzing
            4. Web application fuzzing
            5. Web browser fuzzing
          4. Fuzzer frameworks
          5. Fuzzing steps
          6. Testing web applications using fuzzing
            1. Fuzzing input in web applications
              1. Request URI
              2. Headers
              3. Form fields
            2. Detecting result of fuzzing
          7. Web application fuzzers in Kali Linux
            1. Fuzzing using Burp intruder
            2. PowerFuzzer tool
        3. Summary
      18. Index