Kali Linux Web Penetration Testing Cookbook

Over 80 recipes on how to identify, exploit, and test web application security with Kali Linux 2

Gilberto Nájera-Gutiérrez


Book Details

ISBN 13: 9781784392918
Paperback: 296 pages

Book Description

Web applications are a huge point of attack for malicious hackers and a critical area for security professionals and penetration testers to lock down and secure. Kali Linux is a Linux-based penetration testing platform and operating system that provides a huge array of testing tools, many of which can be used specifically to execute web penetration testing.

This book will teach you, in the form of step-by-step recipes, how to detect a wide array of vulnerabilities, exploit them to analyze their consequences, and ultimately buffer attackable surfaces so applications are more secure, for you and your users.

Starting from the setup of a testing laboratory, this book will give you the skills you need to cover every stage of a penetration test: from gathering information about the system and the application to identifying vulnerabilities through manual testing and the use of vulnerability scanners to both basic and advanced exploitation techniques that may lead to a full system compromise. Finally, we will put this into the context of OWASP and the top 10 web application vulnerabilities you are most likely to encounter, equipping you with the ability to combat them effectively. By the end of the book, you will have the required skills to identify, exploit, and prevent web application vulnerabilities.

Table of Contents

Chapter 1: Setting Up Kali Linux
Introduction
Updating and upgrading Kali Linux
Installing and running OWASP Mantra
Setting up the Iceweasel browser
Installing VirtualBox
Creating a vulnerable virtual machine
Creating a client virtual machine
Configuring virtual machines for correct communication
Getting to know web applications on a vulnerable VM
Chapter 2: Reconnaissance
Introduction
Scanning and identifying services with Nmap
Identifying a web application firewall
Watching the source code
Using Firebug to analyze and alter basic behavior
Obtaining and modifying cookies
Taking advantage of robots.txt
Finding files and folders with DirBuster
Password profiling with CeWL
Using John the Ripper to generate a dictionary
Finding files and folders with ZAP
Chapter 3: Crawlers and Spiders
Introduction
Downloading a page for offline analysis with Wget
Downloading the page for offline analysis with HTTrack
Using ZAP's spider
Using Burp Suite to crawl a website
Repeating requests with Burp's repeater
Using WebScarab
Identifying relevant files and directories from crawling results
Chapter 4: Finding Vulnerabilities
Introduction
Using Hackbar add-on to ease parameter probing
Using Tamper Data add-on to intercept and modify requests
Using ZAP to view and alter requests
Using Burp Suite to view and alter requests
Identifying cross-site scripting (XSS) vulnerabilities
Identifying error based SQL injection
Identifying a blind SQL Injection
Identifying vulnerabilities in cookies
Obtaining SSL and TLS information with SSLScan
Looking for file inclusions
Identifying POODLE vulnerability
Chapter 5: Automated Scanners
Introduction
Scanning with Nikto
Finding vulnerabilities with Wapiti
Using OWASP ZAP to scan for vulnerabilities
Scanning with w3af
Using Vega scanner
Finding Web vulnerabilities with Metasploit's Wmap
Chapter 6: Exploitation – Low Hanging Fruits
Introduction
Abusing file inclusions and uploads
Exploiting OS Command Injections
Exploiting an XML External Entity Injection
Brute-forcing passwords with THC-Hydra
Dictionary attacks on login pages with Burp Suite
Obtaining session cookies through XSS
Step by step basic SQL Injection
Finding and exploiting SQL Injections with SQLMap
Attacking Tomcat's passwords with Metasploit
Using Tomcat Manager to execute code
Chapter 7: Advanced Exploitation
Introduction
Searching Exploit-DB for a web server's vulnerabilities
Exploiting Heartbleed vulnerability
Exploiting XSS with BeEF
Exploiting a Blind SQLi
Using SQLMap to get database information
Performing a cross-site request forgery attack
Executing commands with Shellshock
Cracking password hashes with John the Ripper by using a dictionary
Cracking password hashes by brute force using oclHashcat/cudaHashcat
Chapter 8: Man in the Middle Attacks
Introduction
Setting up a spoofing attack with Ettercap
Being the MITM and capturing traffic with Wireshark
Modifying data between the server and the client
Setting up an SSL MITM attack
Obtaining SSL data with SSLsplit
Performing DNS spoofing and redirecting traffic
Chapter 9: Client-Side Attacks and Social Engineering
Introduction
Creating a password harvester with SET
Using previously saved pages to create a phishing site
Creating a reverse shell with Metasploit and capturing its connections
Using Metasploit's browser_autopwn2 to attack a client
Attacking with BeEF
Tricking the user to go to our fake site
Chapter 10: Mitigation of OWASP Top 10
Introduction
A1 – Preventing injection attacks
A2 – Building proper authentication and session management
A3 – Preventing cross-site scripting
A4 – Preventing Insecure Direct Object References
A5 – Basic security configuration guide
A6 – Protecting sensitive data
A7 – Ensuring function level access control
A8 – Preventing CSRF
A9 – Where to look for known vulnerabilities on third-party components
A10 – Redirect validation

What You Will Learn

  • Set up a penetration testing laboratory in a secure way
  • Find out what information is useful to gather when performing penetration tests and where to look for it
  • Use crawlers and spiders to investigate an entire website in minutes
  • Discover security vulnerabilities in web applications in the web browser and using command-line tools
  • Improve your testing efficiency with the use of automated vulnerability scanners
  • Exploit vulnerabilities that require a complex setup, run custom-made exploits, and prepare for extraordinary scenarios
  • Set up Man in the Middle attacks and use them to identify and exploit security flaws within the communication between users and the web server
  • Create a malicious site that will find and exploit vulnerabilities in the user's web browser
  • Repair the most common web vulnerabilities and understand how to prevent them becoming a threat to a site's security
