O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Mastering Kali Linux for Web Penetration Testing

Book Description

Master the art of exploiting advanced web penetration techniques with Kali Linux 2016.2

About This Book

  • Make the most out of advanced web pen-testing techniques using Kali Linux 2016.2
  • Explore how Stored (a.k.a. Persistent) XSS attacks work and how to take advantage of them
  • Learn to secure your application by performing advanced web based attacks.
  • Bypass internet security to traverse from the web to a private network.

Who This Book Is For

This book targets IT pen testers, security consultants, and ethical hackers who want to expand their knowledge and gain expertise on advanced web penetration techniques. Prior knowledge of penetration testing would be beneficial.

What You Will Learn

  • Establish a fully-featured sandbox for test rehearsal and risk-free investigation of applications
  • Enlist open-source information to get a head-start on enumerating account credentials, mapping potential dependencies, and discovering unintended backdoors and exposed information
  • Map, scan, and spider web applications using nmap/zenmap, nikto, arachni, webscarab, w3af, and NetCat for more accurate characterization
  • Proxy web transactions through tools such as Burp Suite, OWASP's ZAP tool, and Vega to uncover application weaknesses and manipulate responses
  • Deploy SQL injection, cross-site scripting, Java vulnerabilities, and overflow attacks using Burp Suite, websploit, and SQLMap to test application robustness
  • Evaluate and test identity, authentication, and authorization schemes and sniff out weak cryptography before the black hats do

In Detail

You will start by delving into some common web application architectures in use, both in private and public cloud instances. You will also learn about the most common frameworks for testing, such as OWASP OGT version 4, and how to use them to guide your efforts. In the next section, you will be introduced to web pentesting with core tools and you will also see how to make web applications more secure through rigorous penetration tests using advanced features in open source tools. The book will then show you how to better hone your web pentesting skills in safe environments that can ensure low-risk experimentation with the powerful tools and features in Kali Linux that go beyond a typical script-kiddie approach. After establishing how to test these powerful tools safely, you will understand how to better identify vulnerabilities, position and deploy exploits, compromise authentication and authorization, and test the resilience and exposure applications possess.

By the end of this book, you will be well-versed with the web service architecture to identify and evade various protection mechanisms that are used on the Web today. You will leave this book with a greater mastery of essential test techniques needed to verify the secure design, development, and operation of your customers' web applications.

Style and approach

An advanced-level guide filled with real-world examples that will help you take your web application's security to the next level by using Kali Linux 2016.2.

Table of Contents

  1. Preface
    1. What this book covers
    2. What you need for this book
    3. Who this book is for
    4. Conventions
    5. Reader feedback
    6. Customer support
      1. Downloading the example code
      2. Downloading the color images of this book
      3. Errata
      4. Piracy
      5. Questions
  2. Common Web Applications and Architectures
    1. Common architectures
      1. Standalone models
      2. Three-tier models
      3. Model-View-Controller design
    2. Web application hosting
      1. Physical hosting
      2. Virtual hosting
      3. Cloud hosting
      4. Containers – a new trend
    3. Application development cycles
      1. Coordinating with development teams
      2. Post deployment - continued vigilance
    4. Common weaknesses – where to start
    5. Web application defenses
      1. Standard defensive elements
      2. Additional layers
    6. Summary
  3. Guidelines for Preparation and Testing
    1. Picking your favorite testing framework
      1. Frameworks through a product
      2. Train like you play
        1. The EC-Council approach
        2. The GIAC/SANS approach
        3. The Offensive Security approach
      3. Open source methodologies and frameworks
        1. ISECOM's OSSTMM
        2. ISSAF
        3. NIST publications
        4. OWASP's OTG
    2. Keeping it legal and ethical
      1. What is legal?
      2. What is ethical?
    3. Labbing - practicing what we learn
      1. Creating a virtualized environment
      2. Our penetration testing host
      3. Creating a target-rich environment
        1. Finding gullible servers
        2. Unwitting clients
    4. Summary
  4. Stalking Prey Through Target Recon
    1. The imitation game
      1. Making (then smashing) a mirror with HTTrack
        1. Making a stealthy initial archive
        2. Tuning stealthier archives
        3. Is the mirror complete and up-to-date?
        4. Touring the target environment
    2. Open source awesomeness
      1. Open source Intel with Google and the Google hacking database
        1. Tuning your Google search skills
        2. Work smarter with the Google hacking DB and Netcraft
      2. Mastering your own domain
        1. Digging up the dirt
          1. Digging record types
        2. Getting fierce
        3. Next steps with Nikto
      3. Employing Maltego to organize
    3. Being social with your target
    4. Summary
  5. Scanning for Vulnerabilities with Arachni
    1. Walking into spider webs
      1. Optimal Arachni deployment tips
    2. An encore for stacks and frameworks
    3. The Arachni test scenario
      1. Profiles for efficiency
        1. Creating a new profile
        2. Scoping and auditing options
        3. Converting social engineering into user input and mobile platform emulation
        4. Fingerprinting and determining platforms
        5. Checks (please)
        6. Plugging into Arachni extensions and third-party add-ons
        7. Browser clusters
      2. Kicking off our custom scan
      3. Reviewing the results
    4. Summary
  6. Proxy Operations with OWASP ZAP and Burp Suite
    1. Pulling back the curtain with ZAP
      1. Quick refresher on launching ZAP scans
        1. Going active with ZAP
        2. Passive ZAP scanning
        3. Getting fuzzy with ZAP
    2. Taking it to a new level with Burp Suite
      1. Recon with Burp Suite
        1. Stay on target!
        2. Getting particular with proxy
        3. Going active with Spider
      2. Activating Burp Suite
        1. Scanning for life (or vulnerabilities)
          1. Passive scans are a no brainer
          2. Active scanning – Use with care!
        2. The flight of the intruder
          1. Stop, enumerate, and listen!
          2. Select, attack, highlight, and repeat!
    3. Summary
  7. Infiltrating Sessions via Cross-Site Scripting
    1. The low-down on XSS types
      1. Should XSS stay or should it go?
      2. Location, location, and location!
      3. XSS targeting and the delivery
    2. Seeing is believing
      1. Don't run with XSSer(s)!
      2. Stored XSS with BeEF
      3. Here, phishy phishy!
      4. Let's go Metasploiting
        1. Building your own payload
        2. Every good payload needs a handler
        3. Seal the deal – Delivering shell access
      5. Metasploit's web-focused cousin – Websploit
    3. Summary
  8. Injection and Overflow Testing
    1. Injecting some fun into your testing
    2. Is SQL any good?
      1. A crash course in DBs gone bad
      2. Types of SQLI
        1. In-band or classic SQLI
        2. Blind SQLI
        3. Stacked or compound SQLI
      3. SQLI tool school
        1. Old-school SQLI via browsers
        2. Stepping it up with SQLMap
        3. Cooking up some menu-driven SQLI with BBQSQL
      4. SQLI goes high-class with Oracle
    3. The X-factor - XML and XPath injections
      1. XML injection
      2. XPath injection
    4. Credential Jedi mind tricks
    5. Going beyond persuasion – Injecting for execution
      1. Code injections
      2. Overflowing fun
      3. Commix - Not-so-funny command injections
    6. Down with HTTP?
    7. Summary
  9. Exploiting Trust Through Cryptography Testing
    1. How secret is your secret?
    2. Assessing encryption like a pro
      1. SSLyze - it slices, it scans…
      2. SSLscan can do it!
      3. Nmap has SSL skills too
    3. Exploiting the flaws
      1. POODLE – all bark, no bite (usually)
      2. Heartbleed-ing out
      3. DROWNing HTTPS
      4. Revisiting the classics
    4. Hanging out as the Man-in-the-Middle
      1. Scraping creds with SSLstrip
      2. Looking legit with SSLsniff and SSLsplit
        1. SSLsniff
        2. SSLsplit
        3. Alternate MITM motives
    5. Summary
  10. Stress Testing Authentication and Session Management
    1. Knock knock, who's there?
      1. Does authentication have to be hard?
      2. Authentication 2.0 - grabbing a golden ticket
        1. The basic authentication
        2. Form-based authentication
        3. Digest-based authentication
      3. Trust but verify
    2. This is the session you are looking for
      1. Munching on some cookies?
      2. Don't eat fuzzy cookies
      3. Jedi session tricks
    3. Functional access level control
    4. Refining a brute's vocabulary
    5. Summary
  11. Launching Client-Side Attacks
    1. Why are clients so weak?
      1. DOM, Duh-DOM DOM DOM!!
      2. Malicious misdirection
      3. Catch me if you can!
    2. Picking on the little guys
      1. Sea-surfing on someone else's board
        1. Simple account takeovers
        2. Don't you know who I am? Account creation
      2. Trust me, I know the way!
    3. I don't need your validation
    4. Trendy hacks come and go
      1. Clickjacking (bWAPP)
      2. Punycode
      3. Forged or hijacked certificates
    5. Summary
  12. Breaking the Application Logic
    1. Speed-dating your target
      1. Cashing in with e-commerce
      2. Financial applications - Show me the money
      3. Hacking human resources
      4. Easter eggs of evil
      5. So many apps to choose from…
    2. Functional Feng Shui
      1. Basic validation checks
      2. Sometimes, less is more?
      3. Forgery shenanigans
      4. What does this button do?
      5. Timing is everything
      6. Reaching your functional limits
      7. Do we dare to accept files?
    3. Summary
  13. Educating the Customer and Finishing Up
    1. Finishing up
      1. Avoiding surprises with constant contact
        1. Establishing periodic updates
        2. When to hit the big red button
      2. Weaving optimism with your action plan
        1. The executive summary
        2. Introduction
        3. Highlights, scoring, and risk recap
          1. More on risk
        4. Guidance - earning your keep
        5. Detailed findings
      3. The Dradis framework
      4. MagicTree
      5. Other documentation and organization tools
      6. Graphics for your reports
    2. Bringing best practices
      1. Baking in security
        1. Honing the SDLC
        2. Role-play - enabling the team
        3. Picking a winner
      2. Plans and programs
        1. More on change management
        2. Automate and adapt
    3. Assessing the competition
      1. Backbox Linux
      2. Samurai web testing framework
      3. Fedora Security Spin
      4. Other Linux pen test distros
      5. What About Windows and macOS?
    4. Summary