Book description
Identify, exploit, and test web application security with ease
Key Features
- Get up to speed with Metasploit and discover how to use it for pentesting
- Understand how to exploit and protect your web environment effectively
- Learn how an exploit works and what causes vulnerabilities
Book Description
Metasploit has been a crucial security tool for many years. However, there are only a few modules that Metasploit has made available to the public for pentesting web applications. In this book, you'll explore another aspect of the framework – web applications – which is not commonly used. You'll also discover how Metasploit, when used with its inbuilt GUI, simplifies web application penetration testing.
The book starts by focusing on the Metasploit setup, along with covering the life cycle of the penetration testing process. Then, you will explore Metasploit terminology and the web GUI, which is available in the Metasploit Community Edition. Next, the book will take you through pentesting popular content management systems such as Drupal, WordPress, and Joomla, which will also include studying the latest CVEs and understanding the root cause of vulnerability in detail. Later, you'll gain insights into the vulnerability assessment and exploitation of technological platforms such as JBoss, Jenkins, and Tomcat. Finally, you'll learn how to fuzz web applications to find logical security vulnerabilities using third-party tools.
By the end of this book, you'll have a solid understanding of how to exploit and validate vulnerabilities by working with various tools and techniques.
What you will learn
- Get up to speed with setting up and installing the Metasploit framework
- Gain first-hand experience of the Metasploit web interface
- Use Metasploit for web-application reconnaissance
- Understand how to pentest various content management systems
- Pentest platforms such as JBoss, Tomcat, and Jenkins
- Become well-versed with fuzzing web applications
- Write and automate penetration testing reports
Who this book is for
This book is for web security analysts, bug bounty hunters, security professionals, or any stakeholder in the security sector who wants to delve into web application security testing. Professionals who are not experts with command line tools or Kali Linux and prefer Metasploit's graphical user interface (GUI) will also find this book useful. No experience with Metasploit is required, but basic knowledge of Linux and web application pentesting will be helpful.
Table of contents
- Title Page
- Copyright and Credits
- About Packt
- Contributors
- Preface
- Introduction
-
Introduction to Web Application Penetration Testing
- What is a penetration test?
- Types of penetration test
- Stages of penetration testing
- Important terminologies
- Penetration testing methodologies
- Common Weakness Enumeration (CWE)
- Summary
- Questions
- Further reading
-
Metasploit Essentials
- Technical requirements
- Introduction to Metasploit Framework
- Metasploit Framework terminology
- Installing and setting up Metasploit
-
Getting started with Metasploit Framework
- Interacting with Metasploit Framework using msfconsole
-
MSF console commands
- Customizing global settings
- Variable manipulation in MSF
- Exploring MSF modules
- Running OS commands in MSF
- Setting up a database connection in Metasploit Framework
- Loading plugins in MSF
- Using Metasploit modules
- Searching modules in MSF
- Checking for hosts and services in MSF
- Nmap scanning with MSF
- Setting up payload handling in MSF
- MSF payload generation
- Summary
- Questions
- Further reading
- The Metasploit Web Interface
- The Pentesting Life Cycle with Metasploit
- Using Metasploit for Reconnaissance
- Web Application Enumeration Using Metasploit
- Vulnerability Scanning Using WMAP
- Vulnerability Assessment Using Metasploit (Nessus)
- Pentesting Content Management Systems (CMSes)
-
Pentesting CMSes - WordPress
- Technical requirements
- Introduction to WordPress
- WordPress reconnaissance and enumeration
- Vulnerability assessment for WordPress
- WordPress exploitation part 1 – WordPress Arbitrary File Deletion
- WordPress exploitation part 2 – unauthenticated SQL injection
- WordPress exploitation part 3 – WordPress 5.0.0 Remote Code Execution
- Going the extra mile – customizing the Metasploit exploit
- Summary
- Questions
- Further reading
- Pentesting CMSes - Joomla
- Pentesting CMSes - Drupal
- Performing Pentesting on Technological Platforms
-
Penetration Testing on Technological Platforms - JBoss
- Technical requirements
- An introduction to JBoss
- Reconnaissance and enumeration
- Performing a vulnerability assessment on JBoss AS
-
JBoss exploitation
- JBoss exploitation via the administration console
- Exploitation via the JMX console (the MainDeployer method)
- Exploitation via the JMX console using Metasploit (MainDeployer)
- Exploitation via the JMX console (BSHDeployer)
- Exploitation via the JMX console using Metasploit (BSHDeployer)
- Exploitation via the web console (Java applet)
- Exploitation via the web console (the Invoker method)
- Exploitation via JMXInvokerServlet using Metasploit
- Summary
- Questions
- Further reading
- Penetration Testing on Technological Platforms - Apache Tomcat
- Penetration Testing on Technological Platforms - Jenkins
- Logical Bug Hunting
-
Web Application Fuzzing - Logical Bug Hunting
- Technical requirements
- What is fuzzing?
- Fuzzing terminology
- Fuzzing attack types
- Introduction to web app fuzzing
-
Identifying web application attack vectors
- HTTP request verbs
-
HTTP request URIs
- Fuzzing an HTTP request URl path using Wfuzz
- Fuzzing an HTTP request URl path using ffuf
- Fuzzing an HTTP request URl path using Burp Suite Intruder
- Fuzzing HTTP request URl filenames and file extensions using Wfuzz
- Fuzzing HTTP request URl filenames and file extensions using ffuf
- Fuzzing HTTP request URl filenames and file extensions using Burp Suite Intruder
- Fuzzing an HTTP request URl using Wfuzz (GET parameter + value)
- Fuzzing an HTTP request URl using Burp Suite Intruder (GET parameter + value)
- HTTP request headers
- Summary
- Questions
- Further reading
- Writing Penetration Testing Reports
- Assessment
- Other Books You May Enjoy
Product information
- Title: Hands-On Web Penetration Testing with Metasploit
- Author(s):
- Release date: May 2020
- Publisher(s): Packt Publishing
- ISBN: 9781789953527
You might also like
book
Kali Linux Web Penetration Testing Cookbook - Second Edition
Discover the most common web vulnerabilities and prevent them from becoming a threat to your site's …
book
Hands-On Penetration Testing on Windows
Master the art of identifying vulnerabilities within the Windows OS and develop the desired solutions for …
book
Quick Start Guide to Penetration Testing: With NMAP, OpenVAS and Metasploit
Get started with NMAP, OpenVAS, and Metasploit in this short book and understand how NMAP, OpenVAS, …
book
Metasploit Penetration Testing Cookbook - Third Edition
Over 100 recipes for penetration testing using Metasploit and virtual machines About This Book Special focus …