Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Kali Linux Web Penetration Testing Cookbook

You're reading from   Kali Linux Web Penetration Testing Cookbook Over 80 recipes on how to identify, exploit, and test web application security with Kali Linux 2

Arrow left icon
Product type Paperback
Published in Feb 2016
Publisher
ISBN-13 9781784392918
Length 296 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Gilberto Najera-Gutierrez Gilberto Najera-Gutierrez
Author Profile Icon Gilberto Najera-Gutierrez
Gilberto Najera-Gutierrez
Arrow right icon
View More author details
Toc

Table of Contents (12) Chapters Close

Preface 1. Setting Up Kali Linux FREE CHAPTER 2. Reconnaissance 3. Crawlers and Spiders 4. Finding Vulnerabilities 5. Automated Scanners 6. Exploitation – Low Hanging Fruits 7. Advanced Exploitation 8. Man in the Middle Attacks 9. Client-Side Attacks and Social Engineering 10. Mitigation of OWASP Top 10 Index

Getting to know web applications on a vulnerable VM

OWASP-bwa contains many web applications, intentionally made vulnerable to the most common attacks. Some of them are focused on the practice of some specific technique while others try to replicate real-world applications that happen to have vulnerabilities.

In this recipe, we will take a tour of our vulnerable_vm and get to know some of the applications it includes.

Getting ready

We need to have our vulnerable_vm running and its network correctly configured. For this book, we will be using 192.168.56.102 as its IP address.

How to do it...

  1. With vulnerable_vm running, open your Kali Linux host's web browser and go to http://192.168.56.102. You will see a list of all applications the server contains:
    How to do it...
  2. Let's go to Damn Vulnerable Web Application.
  3. Use admin as a user name and admin as a password. We can see a menu on the left; this menu contains links to all the vulnerabilities that we can practice in this application: Brute Force, Command Execution, SQL Injection, and so on. Also, the DVWA Security section is where we can configure the security (or complexity) levels of the vulnerable inputs.
    How to do it...
  4. Log out and return to the server's homepage.
  5. Now we click on OWASP WebGoat.NET. This is a .NET application where we will be able to practice file and code injection attacks, cross-site scripting, and encryption vulnerabilities. It also has a WebGoat Coins Customer Portal that simulates a shopping application and can be used to practice not only the exploitation of vulnerabilities but also their identification.
    How to do it...
  6. Now return to the server's home page.
  7. Another interesting application included in this virtual machine is BodgeIt, which is a minimalistic version of an online store based on JSP—it has a list of products that we can add to a shopping basket, a search page with advanced options, a registration form for new users, and a login form. There is no direct reference to vulnerabilities; instead, we will need to look for them.
    How to do it...
  8. We won't be able to look at all the applications in a single recipe, but we will be using some of them in this book.

How it works...

The applications in the home page are organized in the following six groups:

  • Training applications: These are the ones that have sections dedicated to practice-specific vulnerabilities or attack techniques; some of them include tutorials, explanations, or other kind of guidance.
  • Realistic, intentionally vulnerable applications: Applications that act as real-world applications (stores, blogs, and social networks) and are intentionally left vulnerable by their developers for the sake of training.
  • Old (vulnerable) versions of real applications: Old versions of real applications, such as WordPress and Joomla are known to have exploitable vulnerabilities; these are useful to test our vulnerability identification skills.
  • Applications for testing tools: The applications in this group can be used as a benchmark for automated vulnerability scanners.
  • Demonstration pages / small applications: These are small applications that have only one or a few vulnerabilities, for demonstration purposes only.
  • OWASP demonstration application: OWASP AppSensor is an interesting application, it simulates a social network and could have some vulnerabilities in it. But it will log any attack attempts, which is useful when trying to learn; for example, how to bypass some security devices such as a web application firewall.
You have been reading a chapter from
Kali Linux Web Penetration Testing Cookbook
Published in: Feb 2016
Publisher:
ISBN-13: 9781784392918
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime