Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Kali Linux Web Penetration Testing Cookbook
Kali Linux Web Penetration Testing Cookbook

Kali Linux Web Penetration Testing Cookbook: Over 80 recipes on how to identify, exploit, and test web application security with Kali Linux 2

Arrow left icon
Profile Icon Gilberto Najera-Gutierrez
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5 (4 Ratings)
Paperback Feb 2016 296 pages 1st Edition
eBook
$29.99 $43.99
Paperback
$54.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Gilberto Najera-Gutierrez
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5 (4 Ratings)
Paperback Feb 2016 296 pages 1st Edition
eBook
$29.99 $43.99
Paperback
$54.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$29.99 $43.99
Paperback
$54.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Kali Linux Web Penetration Testing Cookbook

Chapter 1. Setting Up Kali Linux

In this chapter, we will cover:

  • Updating and upgrading Kali Linux
  • Installing and running OWASP Mantra
  • Setting up the Iceweasel browser
  • Installing VirtualBox
  • Creating a vulnerable virtual machine
  • Creating a client virtual machine
  • Configuring virtual machines for correct communication
  • Getting to know web applications on a vulnerable VM

Introduction

In the first chapter, we will cover how to prepare our Kali Linux installation to be able to follow all the recipes in the book and set up a laboratory with vulnerable web applications using virtual machines.

Updating and upgrading Kali Linux

Before we start testing web applications' security, we need to be sure that we have all the necessary up-to-date tools. This recipe covers the basic task of keeping Kali Linux and its tools at their most recent versions.

Getting ready

We start from having Kali Linux installed as the main operating system on a computer with Internet access; the version that we will be using through this book is 2.0. You can download the live CD and installer from https://www.kali.org/downloads/.

How to do it...

Once you have a working instance of Kali Linux up and running, perform the following steps:

  1. Log in as a root on Kali Linux; the default password is "toor", without the quotes. You can also use su to switch the user or sudo to execute single commands if using a regular user is preferred instead of root.
  2. Open a terminal.
  3. Run the apt-get update command. This will download the updated list of packages (applications and tools) that are available to install.
    apt-get update
    
    How to do it...
  4. Once the update is finished, run the following command to update non-system packages to their last stable version:
    apt-get upgrade
    
    How to do it...
  5. When asked to continue, press Y and then press Enter.
  6. Next, let's upgrade our system. Type the following command and press Enter:
    apt-get dist-upgrade
    
    How to do it...
  7. Now, we have our Kali Linux up-to-date and ready to continue.

How it works...

In this recipe, we have covered a basic procedure for package update in Debian-based systems (such as Kali Linux). The first call to apt-get with the update parameter downloaded the most recent list of packages available for our specific system in the configured repositories. After it downloads and installs all the packages that have the most recent versions in the repository, the dist-upgrade parameter downloads and installs system packages (such as kernel and kernel modules) not installed with upgrade.

Tip

In this book, we assume that Kali Linux is installed as the main operating system on the computer; there is also the option of installing it in a virtual machine. In such a case, skip the recipe called Installing VirtualBox and configure the network options of your Kali VM as stated in Configuring virtual machines for correct communication.

There's more...

There are tools, such as the Metasploit Framework, that have their own update commands; these can be executed after following this recipe. The command is as follows:

msfupdate

Installing and running OWASP Mantra

People in OWASP (Open Web Application Security Project, https://www.owasp.org/) have put together a Mozilla Firefox mod with plenty of add-ons aimed at helping penetration testers and developers to test web applications for bugs or security flaws. In this recipe, we will install OWASP-Mantra (http://www.getmantra.com/) in our Kali Linux, run it for the first time, and see some of its features.

Most of the web application penetration testing is done through a web browser; that's the reason why we need to have one with the correct set of tools to perform such a task. The OWASP Mantra includes a collection of add-ons to perform tasks, such as:

  • Sniffing and intercepting HTTP requests
  • Debugging client-side code
  • Viewing and modifying cookies
  • Gathering information about sites and applications

Getting ready

Fortunately for us, OWASP Mantra is included in the default Kali Linux repositories. So, to make sure that we get the latest version of the browser, we need to update the packages list:

apt-get update

How to do it...

  1. Open a terminal and run:
    apt-get install owasp-mantra-ff
    
    How to do it...
  2. After the installation is finished, navigate to menu: Applications | 03 - Web Application Analysis | Web Vulnerability Scanners | owasp-mantra-ff to start Mantra for the first time. Or use a terminal with the following command:
    owasp-mantra-ff
    
    How to do it...
  3. With the new browser open, click on the OWASP logo How to do it... and then Tools. Here we can access all the tools that OWASP Mantra includes.
    How to do it...
  4. We will use some of these tools in later chapters.

See also

You may also be interested in Mantra on Chromium (MoC), which is an alternative release of Mantra based on the Chromium web browser. Currently, it is only available for windows: http://www.getmantra.com/mantra-on-chromium.html

Setting up the Iceweasel browser

If we don't like OWASP Mantra, we can use the latest version of Firefox and install our own selection of testing-related add-ons. Kali Linux includes Iceweasel, another variant of Firefox, which we will use in this recipe to see how to install our testing tools in a browser.

How to do it...

  1. Open Iceweasel and navigate to Tools | Add-ons, as shown in the following screenshot:
    How to do it...
  2. In the search box, type tamper data and hit Enter.
    How to do it...
  3. Click on Install in the Tamper Data add-on.
  4. A dialog box will pop up, asking us to accept the EULA; click on Accept and Install...

    Note

    You might have to restart your browser to complete the installation of certain add-ons.

  5. Next, we search for cookies manager+ in the search box.
  6. Click on Install in the Cookies Manager+ add-on.
  7. Now, search and install Firebug.
  8. Search and install Hackbar.
  9. Search and install HTTP Requester.
  10. Search and install Passive Recon.

How it works...

So far we've just installed some tools on our web browser but what are these tools good for when it comes to penetration-testing a web application?

  • Cookies Manager+: This add-on will allow us to view and sometimes modify the value of cookies the browser receives from applications.
  • Firebug: This is a must-have for any web developer; its main function is to be an in-line debugger for web pages. It will also be useful when you have to perform some client-side modifications to pages.
  • Hackbar: This is a very simple add-on that helps us to try different input values without having to change or rewrite the full URL. We will be using this a lot when doing manual checks for Cross-site scripting and injections.
  • Http Requester: With this tool it is possible to craft HTTP requests including GET, POST, and PUT methods and watch the raw response from the server.
  • Passive Recon: It allows us to get public information about the website being visited by querying DNS records, Whois, and searching information, such as email addresses, links, and collaborators in Google, among other things.
  • Tamper Data: This add-on has the ability to capture any request on the server just after it is sent by the browser, thus giving us the chance to modify the data after introducing it in the application's forms and before it reaches the server.

There's more...

Other add-ons that could prove useful for web application penetration testing are:

  • XSS Me
  • SQL Inject Me
  • FoxyProxy
  • iMacros
  • FirePHP
  • RESTClient
  • Wappalyzer

Installing VirtualBox

This is the first of the four recipes that will help us to get a virtual laboratory up and running to practice our penetration tests. We will use a VirtualBox to run the virtual machines in such a laboratory. In this recipe, we will see how to install VirtualBox and get it working.

Getting ready

Before we install anything in Kali Linux, we must make sure that we have the latest version of package lists:

apt-get update

How to do it...

  1. Our first step is the actual installation of VirtualBox:
    apt-get install virtualbox
    
    How to do it...
  2. After the installation finishes, we will find VirtualBox in the menu by navigating to Applications | Usual applications | Accessories | VirtualBox. Alternatively, we can call it from a terminal:
    virtualbox
    
    How to do it...

Now, we have VirtualBox running and we are ready to set up the virtual machines to make our own testing laboratory.

How it works...

VirtualBox will allow us to run multiple machines inside our Kali Linux computer through virtualization. With this, we can mount a full laboratory with different computers using different operating systems and run them in parallel as far as the memory resources and processing power of our Kali host allow us to.

There's more...

The VirtualBox Extension Pack gives the VirtualBox's virtual machine extra features, such as USB 2.0/3.0 support and Remote Desktop capabilities. It can be downloaded from https://www.virtualbox.org/wiki/Downloads. After it is downloaded, just double click on it and VirtualBox will do the rest.

See also

There are some other virtualization options out there. If you don't feel comfortable using VirtualBox, you may want to try:

  • VMware Player/Workstation
  • Qemu
  • Xen
  • KVM

Creating a vulnerable virtual machine

Now we are ready to create our first virtual machine, it will be the server that will host the web applications we'll use to practice and improve our penetration testing skills.

We will use a virtual machine called OWASP-bwa (OWASP Broken Web Apps) that is a collection of vulnerable web applications specially set up to perform security testing.

How to do it...

  1. Go to http://sourceforge.net/projects/owaspbwa/files/ and download the latest release's .ova file. At the time of writing, it is OWASP_Broken_Web_Apps_VM_1.1.1.ova.
    How to do it...
  2. Wait for the download to finish and then open the file.
  3. VirtualBox's import dialog will launch. If you want to change the machine's name or description, you can do it by double-clicking on the values. We will name it vulnerable_vm.and leave the rest of the options as they are. Click on Import.
    How to do it...
  4. The import should take a minute and after that we will see our virtual machine displayed in VirtualBox's list. Let's select it and click on Start.
  5. After the machine starts, we will be asked for login and password, type root as the login and owaspbwa as the password and we are set.
    How to do it...

How it works...

OWASP-bwa is a project aimed at providing security professionals and enthusiasts with a safe environment to develop attacking skills and identify and exploit vulnerabilities in web applications, in order to be able to help developers and administrators fix and prevent them.

This virtual machine includes different types of web applications, some of them are based on PHP, some in Java; we even have a couple of .NET-based vulnerable applications. There are also some vulnerable versions of known applications, such as WordPress or Joomla.

See also

There are many options when we talk about vulnerable applications and virtual machines. A remarkable website that holds a great collection of such applications is VulnHub (https://www.vulnhub.com/). It also has walkthroughs that will help you to solve some challenges and develop your skills.

In this book, we will use another virtual machine for some recipes: bWapp Bee-box, which can also be downloaded from VulnHub: https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/.

Creating a client virtual machine

When we get to the man in the middle (MITM) and client-side attacks, we will need another machine to make requests to the already set up server. In this recipe, we will download a Microsoft Windows virtual machine and import it to VirtualBox.

How to do it...

  1. First we need to go to the download site http://dev.modern.ie/tools/vms/#downloads.
  2. Through this book we will use the IE8 on Win7 virtual machine.
    How to do it...
  3. After the file is downloaded, we need to unzip it. Go to where it was downloaded.
  4. Right-click on it and then click on Extract Here.
  5. Once extracted, open the .ova file and import it in VirtualBox.
    How to do it...
  6. Now, start the virtual machine (named IE8 - Win7) and we will have our client ready:
    How to do it...

How it works...

Microsoft provides these virtual machines for developers to test their applications with the help of different versions of Windows and Internet Explorer with a free license limited to 30 days, which is enough for us to practice.

As penetration testers, it is important to be aware that real-world applications can be multiplatform and that users of those applications may have a lot of different systems and web browsers to communicate with them; knowing this, we should be prepared to perform successful tests with any of the client-server infrastructure combinations.

See also

As for server and client virtual machines, if you are not comfortable using an already built configuration, you can always build and configure your own virtual machines. Here is some information about how to do it: https://www.virtualbox.org/manual/.

Configuring virtual machines for correct communication

To be able to communicate with our virtual server and client, we need to be in the same network segment; however, having virtual machines with known vulnerabilities in our local network may pose an important security risk. To avoid this risk, we will perform a special configuration in VirtualBox to allow us to communicate with both server and client virtual machines from our Kali Linux host without exposing them to the network.

Getting ready

Before we proceed, open VirtualBox and make sure that the vulnerable server and client virtual machines are turned off.

How to do it...

  1. In VirtualBox navigate to File | Preferences… | Network.
  2. Select the Host-only Networks tab.
  3. Click on the (How to do it...) button to add a new network.
  4. The new network (vboxnet0) will be created and its "details window" will pop up. If it doesn't, select the network and click on the (How to do it...) button to edit its properties.
    How to do it...
  5. In this dialog box, you can specify the network configuration, if it doesn't interfere with your local network configuration, leave it as it is. You may change it and use some other address in the segments reserved for local networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  6. After proper configuration is done, click OK.
  7. The next step is to configure the vulnerable virtual machine (vulnerable_vm). Select it and go to its settings.
  8. Click Network and, in the Attached to: drop-down menu, select Host-only Adapter.
  9. In Name, select vboxnet0.
  10. Click OK.
    How to do it...
  11. Follow steps 7 to 10 in the client virtual machine (IE8 - Win7).
  12. After having both virtual machines configured, let's test if they can actually communicate. Start both the machines.
  13. Let's see the network configuration of our host system: open a terminal and type:
    ifconfig
    
    How to do it...
  14. We can see that we have a network adapter called vboxnet0 and it has the IP address 192.168.56.1. Depending on the configuration you used, this may vary.
  15. Log into vulnerable_vm and check its IP address for adapter eth0:
    ifconfig
    
  16. Now, let's go to our client machine IE8 - Win7; open a command prompt and type:
    ipconfig
    
  17. Now, we have the IP addresses of our three machines:
    • 192.168.56.1 for the host
    • 192.168.56.102 for vulnerable_vm
    • 192.168.56.103 for IE8 - Win7
  18. To test the communication, we are going to ping both virtual machines from our host:
    ping -c 4 192.168.56.102
    ping -c 4 192.168.56.103
    
    How to do it...

    Ping sends an ICMP request to the destination and waits for the reply; this is useful to test whether communication is possible between two nodes in the network.

  19. We do the same from both the virtual machines thus checking communication to the server and the other virtual machine.
  20. The IE8 - Win7 machine may not respond to pings; that's normal because Windows 7 is configured by default to not respond to ping requests. To check connectivity in this case, we can use arping from the Kali host:
    arping –c 4 192.168.56.103
    

How it works...

A host-only network is a virtual network that acts as a LAN but its reach is limited to the host that is running the virtual machines without exposing them to external systems. This kind of network also provides a virtual adapter for the host to communicate with the virtual machines as if they were in the same network segment.

With the configuration we just made, we will be able to communicate between a client and server and both of them can communicate with the Kali Linux host, which will act as the attacking machine.

Getting to know web applications on a vulnerable VM

OWASP-bwa contains many web applications, intentionally made vulnerable to the most common attacks. Some of them are focused on the practice of some specific technique while others try to replicate real-world applications that happen to have vulnerabilities.

In this recipe, we will take a tour of our vulnerable_vm and get to know some of the applications it includes.

Getting ready

We need to have our vulnerable_vm running and its network correctly configured. For this book, we will be using 192.168.56.102 as its IP address.

How to do it...

  1. With vulnerable_vm running, open your Kali Linux host's web browser and go to http://192.168.56.102. You will see a list of all applications the server contains:
    How to do it...
  2. Let's go to Damn Vulnerable Web Application.
  3. Use admin as a user name and admin as a password. We can see a menu on the left; this menu contains links to all the vulnerabilities that we can practice in this application: Brute Force, Command Execution, SQL Injection, and so on. Also, the DVWA Security section is where we can configure the security (or complexity) levels of the vulnerable inputs.
    How to do it...
  4. Log out and return to the server's homepage.
  5. Now we click on OWASP WebGoat.NET. This is a .NET application where we will be able to practice file and code injection attacks, cross-site scripting, and encryption vulnerabilities. It also has a WebGoat Coins Customer Portal that simulates a shopping application and can be used to practice not only the exploitation of vulnerabilities but also their identification.
    How to do it...
  6. Now return to the server's home page.
  7. Another interesting application included in this virtual machine is BodgeIt, which is a minimalistic version of an online store based on JSP—it has a list of products that we can add to a shopping basket, a search page with advanced options, a registration form for new users, and a login form. There is no direct reference to vulnerabilities; instead, we will need to look for them.
    How to do it...
  8. We won't be able to look at all the applications in a single recipe, but we will be using some of them in this book.

How it works...

The applications in the home page are organized in the following six groups:

  • Training applications: These are the ones that have sections dedicated to practice-specific vulnerabilities or attack techniques; some of them include tutorials, explanations, or other kind of guidance.
  • Realistic, intentionally vulnerable applications: Applications that act as real-world applications (stores, blogs, and social networks) and are intentionally left vulnerable by their developers for the sake of training.
  • Old (vulnerable) versions of real applications: Old versions of real applications, such as WordPress and Joomla are known to have exploitable vulnerabilities; these are useful to test our vulnerability identification skills.
  • Applications for testing tools: The applications in this group can be used as a benchmark for automated vulnerability scanners.
  • Demonstration pages / small applications: These are small applications that have only one or a few vulnerabilities, for demonstration purposes only.
  • OWASP demonstration application: OWASP AppSensor is an interesting application, it simulates a social network and could have some vulnerabilities in it. But it will log any attack attempts, which is useful when trying to learn; for example, how to bypass some security devices such as a web application firewall.
Left arrow icon Right arrow icon

Key benefits

  • Familiarize yourself with the most common web vulnerabilities a web application faces, and understand how attackers take advantage of them
  • Set up a penetration testing lab to conduct a preliminary assessment of attack surfaces and run exploits
  • Learn how to prevent vulnerabilities in web applications before an attacker can make the most of it

Description

Web applications are a huge point of attack for malicious hackers and a critical area for security professionals and penetration testers to lock down and secure. Kali Linux is a Linux-based penetration testing platform and operating system that provides a huge array of testing tools, many of which can be used specifically to execute web penetration testing. This book will teach you, in the form step-by-step recipes, how to detect a wide array of vulnerabilities, exploit them to analyze their consequences, and ultimately buffer attackable surfaces so applications are more secure, for you and your users. Starting from the setup of a testing laboratory, this book will give you the skills you need to cover every stage of a penetration test: from gathering information about the system and the application to identifying vulnerabilities through manual testing and the use of vulnerability scanners to both basic and advanced exploitation techniques that may lead to a full system compromise. Finally, we will put this into the context of OWASP and the top 10 web application vulnerabilities you are most likely to encounter, equipping you with the ability to combat them effectively. By the end of the book, you will have the required skills to identify, exploit, and prevent web application vulnerabilities.

Who is this book for?

This book is for IT professionals, web developers, security enthusiasts, and security professionals who want an accessible reference on how to find, exploit, and prevent security vulnerabilities in web applications. You should know the basics of operating a Linux environment and have some exposure to security technologies and tools.

What you will learn

  • Set up a penetration testing laboratory in a secure way
  • Find out what information is useful to gather when performing penetration tests and where to look for it
  • Use crawlers and spiders to investigate an entire website in minutes
  • Discover security vulnerabilities in web applications in the web browser and using command-line tools
  • Improve your testing efficiency with the use of automated vulnerability scanners
  • Exploit vulnerabilities that require a complex setup, run custom-made exploits, and prepare for extraordinary scenarios
  • Set up Man in the Middle attacks and use them to identify and exploit security flaws within the communication between users and the web server
  • Create a malicious site that will find and exploit vulnerabilities in the user s web browser
  • Repair the most common web vulnerabilities and understand how to prevent them becoming a threat to a site s security

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Feb 29, 2016
Length: 296 pages
Edition : 1st
Language : English
ISBN-13 : 9781784392918
Vendor :
Offensive Security
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Feb 29, 2016
Length: 296 pages
Edition : 1st
Language : English
ISBN-13 : 9781784392918
Vendor :
Offensive Security
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 164.97
Web Penetration Testing with Kali Linux 2.0, Second Edition
$54.99
Kali Linux Web Penetration Testing Cookbook
$54.99
Mastering Kali Linux Wireless Pentesting
$54.99
Total $ 164.97 Stars icon

Table of Contents

11 Chapters
1. Setting Up Kali Linux Chevron down icon Chevron up icon
2. Reconnaissance Chevron down icon Chevron up icon
3. Crawlers and Spiders Chevron down icon Chevron up icon
4. Finding Vulnerabilities Chevron down icon Chevron up icon
5. Automated Scanners Chevron down icon Chevron up icon
6. Exploitation – Low Hanging Fruits Chevron down icon Chevron up icon
7. Advanced Exploitation Chevron down icon Chevron up icon
8. Man in the Middle Attacks Chevron down icon Chevron up icon
9. Client-Side Attacks and Social Engineering Chevron down icon Chevron up icon
10. Mitigation of OWASP Top 10 Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5
(4 Ratings)
5 star 50%
4 star 50%
3 star 0%
2 star 0%
1 star 0%
jfranz Dec 08, 2016
Full star icon Full star icon Full star icon Full star icon Full star icon 5
The book is a great example of a seasoned Web Pentester and his methodologies for auditing web applications. The chapters examples are clearly outlined with corresponding modules that "walk" the user through all phases of a web pentest. He makes web pentesting available to anyone with a little bit of time, a Kali VM and OWASP project VM. If your a novice looking for a solid foundation intro into web pentesting then I would highly recommend this book.
Amazon Verified review Amazon
alicia bianca carew Mar 17, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Great Kali Linux Book Step By Step
Amazon Verified review Amazon
Beau Bullock Mar 30, 2016
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
I perform pentests against web applications on a regular basis amongst other types of pentesting including internal network assessments, external network assessments, phishing, wireless, C2, pivot tests and more. In the past two years I've pentested around 40 different web applications for various organizations. I read the Kali Linux Web Penetration Testing Cookbook, and wanted to share my thoughts on the book.TL;DRThis is a great book for introducing webapp attack vectors to new pentesters. There might be a section or two that seasoned pentesters find useful. I felt the author did a great job describing the tools and techniques in the book. The book lacks details into the underlying web protocols so don't expect to be an "expert" of all the intricacies involved in web applications after reading this book. I also feel there were a few items included that were a bit off topic and probably should not have been included in this book. That said, I give this book a 4 out of 5.-----------Ok... the longer version is next. I've provided a brief outline of what is included in each chapter below, as well as what I felt was either awesome about the chapter or what I felt was missing in the "Comments" section.PREFACE-The author describes the book as being designed for many types of readers including those who want to go beyond general computer science study, application developers, and even seasoned security pros.-States the book will include some possible intermediate or advanced exploitation by chaining attacks together.Chapter 1 - Setting Up Kali-Downlading Kali, and updating it-Using OWASP Mantra - firefox plugin-Setup Iceweasal with addons (tamperdata etc.)-Using Owasp-bwa vm and BWapp Bee-box as target vuln machines-Download Windows 7 IE8 VM as client for MitM attacksComments:There were no instructions on installing Kali. The book jumps straight from downloading it to updating it. Some readers might have trouble installing it. Also, the book is focused on installing Kali as the host OS. I would bet that the majority of readers who are jumping into web application pentesting will probably want to install Kali as VM. I was very happy to see that the author is putting the modern.ie VM's to good use.Chapter 2 - Reconnaissance-Nmap - shows basic network scan-WAF detection with Nmap script http-waf-detect, http-waf-fingerprint, and wafw00f-Looking at the source code of a page to identify vulnerabilities. Locating hidden fields that might be alterable-Cookies manager+ to edit cookie values-Looking in robots.txt for hidden dirs.-Dirbuster to find hidden dirs - demos a basic wordlist but doesn't mention Dirbuster's wordlists (mentioned later when demoing Zap proxy forced browse)-Cewl for creating wordlists from site content.-Using John and the wordlist generated by Cewl to mangle a more complex wordlist with John's rules.-Zap forced browseComments:This chapter does a decent job of covering recon for a webapp but I might add that during recon for a webapp Google can be your best friend. I discuss that in more detail in the next comments section. Also, Builtwith.com is a good resource for finding what technologies a webapp is utilizing.Chapter 3 - Crawlers and Spiders-Use wget and HTTrack to download website for offline analysis-Using Zap and Burp to spider a site-Burp's repeater to repeat requests-Using webscarab to spiderComments:Three different tools were demonstrated to perform the same task of spidering a site. Two tools were demonstrated to make a local copy of the site. The author did not mention what the purpose of creating a copy of the site was for or why this is useful. This section could be improved by spending less time on separate tools and more on focusing the spider engine. There are times where sites are so big that you may want to limit the spider's scope to only a certain directory and to only recurse a certain depth.I would also add that Google has already done a good job of this. Using "Google hacking" techniques a pentester can find sensitive directories, and files without spidering at all. This can be a most valuable technique when the goal is to be stealthy.Chapter 4 - Finding Vulnerabilities-Hackbar Firefox addon - second address bar that is not affected by redirections, and allows POST modification-TamperData to modify requests-Using Zap and Burp to intercept and modify requests-Identifying XSS-Uses DVWA XSS reflection exercise with basic alert script-Error based SQLi with DVWA-Blind SQLi-Session cookie vulns - Mentions secure and httponly flag-Using sslscan to get SSL info from a site-Testing for LFI and RFI-Detecting Poodle with Nmap scriptComments:While some more demonstrative examples are included later on in the book there was no information about why XSS is bad in this section. It could have provided a test case to demonstrate risk. There are a number of vulnerabilities that could be discovered through manual testing that were left out from this section. None of the following vulnerabilities were covered: CSRF (covered in advanced exploit chapter later on, but how to discover it), username harvesting, account lockout controls, session fixation, weak session token entropy, privilege escalation across access roles, insecure direct object reference (again, included later on in the book), etc.I really like how the author is demonstrating some manual techniques prior to jumping into automated scanning.Chapter 5 - Automated Scanners-Nikto scanner-Wapiti scanner-Zap automated scanner-Using w3af scanner-w3af has command line interface in addition to GUI-vega vulnerability scanner - has ability to do auth to webapp but lacks reporting-Using wmap as a scannerComments:Automated scanners can help speed up the process of a pentest. Being familiar with different types of scanners can help in various situations so I appreciate the inclusion of multiple tools. Although many tools were listed, I didn't feel that any real insight into what to do with the output of the scans was given.Chapter 6 - Exploitation - Low Hanging Fruits-Uploading a PHP webshell to execute commands on the server-Command injection - appending system commands to get Netcat shell is demonstrated-XML External Entity Injection - very nice description and example of XXE. Also, the author demonstrates how it can be used to run commands when combined with a webshell upload vuln.-Brute forcing passwords with THC-HYDRA-Brute forcing passwords with Burp Intruder and wordlists-Exploiting stored XSS to get a victims browser to visit an attacker hosted webserver with a PHP script to store cookies-Nice manual SQLi walkthrough-SQLMap for automated sqli-Bruteforcing Tomcat logins with Metasploit module-Tomcat war file upload with Laudanum web shellComments:I thought this section was probably the most valuable of the entire book with the next chapter being second. Good examples of some common exploit vectors were provided. Later on in the book the author dives into man-in-the-middle attacks and social engineering. I feel that these sections could have been left out and the author could have expanded chapters 6 and 7 as these two are truly the core of webapp testing. Having real world scenarios and potential exploit techniques really can help demonstrate to a reader what the risk is with certain vulnerabilities. I think the author did a fantastic job here.Chapter 7 - Advanced Exploitation-Using Searchsploit to locate exploits in ExploitDB-Exploiting Heartbleed-Hooking a browser with Beef-Manual blind SQL injection-Using Sqlmap to gather data like current DB user and password hashes-Decent CSRF walkthrough-Decent Shellshock walkthrough-Cracking passwords with John and oclHashcatComments:More good examples were provided as in chapter 6. I think more information could have been provided regarding discovering particular vulnerabilities such as ShellShock, and CSRF.Chapter 8 - MitM attacks-Using Ettercap to arp poison the network to MitM two systems-Capturing packets with Wireshark-Ettercap filters to replace data in web requests-Use sslsplit to decrypt traffic after mitm (victim gets cert error)-Spoofing dns to redirect requestsComments:I'm not sure that I feel this chapter was necessary in this book. When approaching a web application pentest it is rare that the tester would need to demonstrate the risk of a MitM attack. The fact a user system can be attacked to create a MitM situation does not mean a vulnerability in the web application being tested exists. These are really "Network Pentest" techniques.Chapter 9 - Client Side Attacks and Social Engineering-Harvesting login credentials with a scraped site using SET-Creating a login harvester that actually logs the user into the real site.-Creating a reverse shell Meterpreter exe-Browser autopwn Metasploit module-Social engineering a user to run a malicious beef hookComments:Again, I'm not sure this chapter belongs here. There is a section in this chapter that explains how to create a Meterpreter payload, host the payload on an attacker's webserver, and then get a target to download it via social engineering. What does this have to do with webapp testing? I think between this chapter and the last the author could have expanded quite a bit on both webapp attack vectors, and the underlying protocols at use.Chapter 10 - Fixing OWASP Top 10-This chapter walks through the OWASP top 10 vulnerabilities and how to fix them.Comments: This chapter redeemed chapters 8 and 9 for me. It is rare that a "pentesting" book includes a very detailed chapter on actually fixing the vulnerabilities discovered through the techniques presented in the book. This chapter does this. As penetration testers we need to not only find the vulnerabilities, but also provide the best recommendations we can to fix them to the clients we are working with.Conclusion -The Good:-The author portrays each concept taught in the book very well. His teaching style is very easy to understand and I think anyone can pick this book up and start learning.-Many tools related to webapp pentesting that are built into Kali Linux are demonstrated.-The majority of common vulnerabilities found in web applications are demonstrated.-New web application testers will learn a ton!-Seasoned web application testers might find a new trick or two.-Great demonstrations of manual exploit techniques.-For each of the tools demonstrated the author provides a number of additional options that may be useful.-Chapter on fixing OWASP top 10 vulnerabilities is awesome. More pentesting books should include recommendations for fixing the vulnerabilities we find.The Bad:-No steps to install Kali-No mention of Google Hacking-Some common vulnerabilities were left out of the vulnerability discovery section including username harvesting, account lockout controls, session fixation, etc.-No WPScan (Wordpress attack tool)-MitM and Social Engineering chapters could have been replaced by more web application testing content
Amazon Verified review Amazon
Amazon Customer Jul 07, 2016
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
not bad
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.