Sign In Start Free Trial

Book Overview & Buying
Table Of Contents

Practical Web Penetration Testing

By : Khawaja

4.2 (5)

Practical Web Penetration Testing

4.2 (5)

By: Khawaja

Overview of this book

Companies all over the world want to hire professionals dedicated to application security. Practical Web Penetration Testing focuses on this very trend, teaching you how to conduct application security testing using real-life scenarios. To start with, you’ll set up an environment to perform web application penetration testing. You will then explore different penetration testing concepts such as threat modeling, intrusion test, infrastructure security threat, and more, in combination with advanced concepts such as Python scripting for automation. Once you are done learning the basics, you will discover end-to-end implementation of tools such as Metasploit, Burp Suite, and Kali Linux. Many companies deliver projects into production by using either Agile or Waterfall methodology. This book shows you how to assist any company with their SDLC approach and helps you on your journey to becoming an application security specialist. By the end of this book, you will have hands-on knowledge of using different tools for penetration testing.

Preface

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Disclaimer

Free Chapter

Building a Vulnerable Web Application Lab

Building a Vulnerable Web Application Lab

Downloading Mutillidae

Installing Mutillidae on Windows

Installing Mutillidae on Linux

Using Mutillidae

Summary

Kali Linux Installation

Kali Linux Installation

Introducing Kali Linux

Installing Kali Linux from scratch

Installing Kali on VMware

Installing Kali on VirtualBox

Bridged versus NAT versus Internal Network

Updating Kali Linux

Summary

Delving Deep into the Usage of Kali Linux

Delving Deep into the Usage of Kali Linux

The Kali filesystem structure

Handling applications and packages

Handling the filesystem in Kali

Security management

Secure shell protocol

Configuring network services in Kali

Process management commands

System info commands

Summary

All About Using Burp Suite

All About Using Burp Suite

An introduction to Burp Suite

A quick example

Visualizing the application structure using Burp Target

Intercepting the requests/responses using Burp Proxy

Crawling the web application using Burp Spider

Looking for web vulnerabilities using the scanner

Replaying web requests using the Repeater tab

Fuzzing web requests using the Intruder tab

Installing third-party apps using Burp Extender

Summary

Understanding Web Application Vulnerabilities

Understanding Web Application Vulnerabilities

File Inclusion

Cross-Site Scripting

Cross-Site Request Forgery

SQL Injection

Command Injection

OWASP Top 10

Summary

Application Security Pre-Engagement

Application Security Pre-Engagement

Introduction

The first meeting

Non-Disclosure Agreement

Kick-off meeting

Time and cost estimation

Statement of work

Penetration Test Agreement

External factors

Summary

Application Threat Modeling

Application Threat Modeling

Software development life cycle

Application Threat Modeling at a glance

Application Threat Modeling in real life

Application Threat Modeling document parts

Practical example

Summary

Source Code Review

Source Code Review

Programming background

Enterprise secure coding guidelines

Static code analysis – manual scan versus automatic scan

Secure coding checklist

Summary

Network Penetration Testing

Network Penetration Testing

Passive information gathering – reconnaissance – OSINT

Active information gathering – services enumeration

Vulnerability assessment

Exploitation

Privilege escalation

Summary

Web Intrusion Tests

Web Intrusion Tests

Web Intrusion Test workflow

Identifying hidden contents

Common web page checklist

Special pages checklist

Reporting

Summary

Pentest Automation Using Python

Pentest Automation Using Python

Python IDE

Penetration testing automation

Summary

Nmap Cheat Sheet

Nmap Cheat Sheet

Target specification

Host discovery

Scan types and service versions

Port specification and scan order

Script scan

Timing and performance

Firewall/IDS evasion and spoofing

Output

Metasploit Cheat Sheet

Metasploit Cheat Sheet

Metasploit framework

Netcat Cheat Sheet

Netcat Cheat Sheet

Netcat command flags

Practical examples

Networking Reference Section

Networking Reference Section

Network subnets

Port numbers and services

Python Quick Reference

Python Quick Reference

Quick Python language overview

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Quick Python language overview

It's time to start learning Python. I included this section in the book for two reasons. The first is that I want you to use it as a reference for when you develop your Python scripts in the future. The second reason is that I want to refresh your memory about this amazing programming language. It is important to note that I can't fit all the information about this programming language in an appendix, so I will include the most important elements of Python that will help you to achieve the most results in your career. You can enjoy learning and experimenting with the following examples using your Terminal window's Python interpreter—just type Python in your terminal window and you're ready to go.

Basics of Python

...

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

Practical Web Penetration Testing

Search

Your notes and bookmarks