What this book covers

Chapter 1, Introduction to Penetration Testing and Web Applications, covers the different testing methodologies and rules that security professionals follow when performing an assessment of a web application. We also gain an overview of the building blocks of a web applications and the HTTP protocol.

Chapter 2, Setting up Your Lab with Kali Linux, introduces the changes and improvements in Kali 2.0. We will learn about the different ways to install Kali Linux and also install it in a lab environment. Next we have a walk-through of the important tools in Kali Linux and then set up Tor to connect anonymously.

Chapter 3, Reconnaissance and Profiling the Web Server, focuses on the information gathering phase. We use different tools in Kali Linux to perform passive and active reconnaissance. Next we profile the web server identifying the OS, application version, and additional information that help us in the later stages of the penetration test.

Chapter 4, Major Flaws in Web Applications, covers the different security flaws that affect web applications at various levels. We start by describing the less serious security flaws such as information leakage and then move on to the more severe ones, such as injection flaws. The chapter briefly touches all the major flaws that exist in real-world web applications.

Chapter 5, Attacking the Server Using Injection-based Flaws, is all about command injection and SQL injection flaws. We gain a deep understanding of the command injection flaw and exploit it using Metasploit. We also learn about the attack potential of a SQL injection flaw and use different tools in Kali Linux to exploit it.

Chapter 6, Exploiting Clients Using XSS and CSRF Flaws, focuses on cross-site scripting attack. We learn about the origin of the flaw and different types of XSS. We use different tools in Kali Linux to automate the scanning of the web application for XSS flaws. In the CSRF section we cover the attack methodology and the tools to exploit the flaw.

Chapter 7, Attacking SSL-based Websites, explores the importance of SSL in web applications. We learn different techniques to identify weak SSL implementations and then use the man-in-the-middle technique to hack into an SSL connection.

Chapter 8, Exploiting the Client Using Attack Frameworks, discusses different techniques and tricks to gain control over a client computer. In this chapter we use the Social Engineering Toolkit (SET) from Kali Linux to execute a phishing attack. In the second part of the chapter, we use the Browser exploitation framework (BeEF) to gain control of a user's browser by exploiting a XSS flaw. We also explore the different modules in BeEF.

Chapter 9, AJAX and Web Services – Security Issues, covers security flaws affecting an AJAX application and the challenges faced when performing a security assessment of it. Web services are also introduced in this chapter along with the security issues it faces.

Chapter 10, Fuzzing Web Applications, introduces the different types of fuzzing techniques. We learn the different ways in which fuzzing can identify flaws in web applications. Next we explore different fuzzers in Kali Linux and use Burp intruder to fuzz a web application.