Book Image

Practical Web Penetration Testing

By : Gus Khawaja
Book Image

Practical Web Penetration Testing

By: Gus Khawaja

Overview of this book

Companies all over the world want to hire professionals dedicated to application security. Practical Web Penetration Testing focuses on this very trend, teaching you how to conduct application security testing using real-life scenarios. To start with, you’ll set up an environment to perform web application penetration testing. You will then explore different penetration testing concepts such as threat modeling, intrusion test, infrastructure security threat, and more, in combination with advanced concepts such as Python scripting for automation. Once you are done learning the basics, you will discover end-to-end implementation of tools such as Metasploit, Burp Suite, and Kali Linux. Many companies deliver projects into production by using either Agile or Waterfall methodology. This book shows you how to assist any company with their SDLC approach and helps you on your journey to becoming an application security specialist. By the end of this book, you will have hands-on knowledge of using different tools for penetration testing.

Related Content you might be interested in

Current Title:

Small book image
Practical Web Penetration Testing
Gus Khawaja
Jun, 2018 | 294 pages
Small book image
Burp Suite Cookbook.
Dr Sunny Wear
Sep, 2018 | 358 pages
Small book image
Kali Linux Web Penetration Testing Cookbook
Gilberto NajeraGutierrez
Aug, 2018 | 404 pages
Small book image
Learn Penetration Testing
Rishalin Pillay
May, 2019 | 424 pages
Table of Contents (18 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Disclaimer
Free Chapter
1
Building a Vulnerable Web Application Lab
Building a Vulnerable Web Application Lab
Downloading Mutillidae
Installing Mutillidae on Windows
Installing Mutillidae on Linux
Using Mutillidae
Summary
2
Kali Linux Installation
Kali Linux Installation
Introducing Kali Linux
Installing Kali Linux from scratch
Installing Kali on VMware
Installing Kali on VirtualBox
Bridged versus NAT versus Internal Network
Updating Kali Linux
Summary
3
Delving Deep into the Usage of Kali Linux
Delving Deep into the Usage of Kali Linux
The Kali filesystem structure
Handling applications and packages
Handling the filesystem in Kali
Security management
Secure shell protocol
Configuring network services in Kali
Process management commands
System info commands
Summary
4
All About Using Burp Suite
All About Using Burp Suite
An introduction to Burp Suite
A quick example
Visualizing the application structure using Burp Target
Intercepting the requests/responses using Burp Proxy
Crawling the web application using Burp Spider
Looking for web vulnerabilities using the scanner
Replaying web requests using the Repeater tab
Fuzzing web requests using the Intruder tab
Installing third-party apps using Burp Extender
Summary
5
Understanding Web Application Vulnerabilities
Understanding Web Application Vulnerabilities
File Inclusion
Cross-Site Scripting
Cross-Site Request Forgery
SQL Injection
Command Injection
OWASP Top 10
Summary
6
Application Security Pre-Engagement
Application Security Pre-Engagement
Introduction
The first meeting
Non-Disclosure Agreement
Kick-off meeting
Time and cost estimation
Statement of work
Penetration Test Agreement
External factors
Summary
7
Application Threat Modeling
Application Threat Modeling
Software development life cycle
Application Threat Modeling at a glance
Application Threat Modeling in real life
Application Threat Modeling document parts
Practical example
Summary
8
Source Code Review
Source Code Review
Programming background
Enterprise secure coding guidelines
Static code analysis – manual scan versus automatic scan
Secure coding checklist
Summary
9
Network Penetration Testing
Network Penetration Testing
Passive information gathering – reconnaissance – OSINT
Active information gathering – services enumeration
Vulnerability assessment
Exploitation
Privilege escalation
Summary
10
Web Intrusion Tests
Web Intrusion Tests
Web Intrusion Test workflow
Identifying hidden contents
Common web page checklist
Special pages checklist
Reporting
Summary
11
Pentest Automation Using Python
Pentest Automation Using Python
Python IDE
Penetration testing automation
Summary
12
Nmap Cheat Sheet
Nmap Cheat Sheet
Target specification
Host discovery
Scan types and service versions
Port specification and scan order
Script scan
Timing and performance
Firewall/IDS evasion and spoofing
Output
13
Metasploit Cheat Sheet
Metasploit Cheat Sheet
Metasploit framework
14
Netcat Cheat Sheet
Netcat Cheat Sheet
Netcat command flags
Practical examples
15
Networking Reference Section
Networking Reference Section
Network subnets
Port numbers and services
16
Python Quick Reference
Python Quick Reference
Quick Python language overview
17
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

To get the most out of this book

To get the most out of this book you need to know the basics of ethical hacking and you will need to build a lab. You will need a virtual machine software (for example, VirtualBox or VMware) for the virtualization of the lab environment. To follow the examples, you will also need to install Kali Linux. Don't worry, I will discuss how to do it in Chapter 2, Kali Linux Installation. Kali Linux will be the attacker machine that we will use to test the security of the victim's machine. Speaking of the victim host, I encourage you to install a Windows 7 virtual machine where you will install a vulnerable web application called Mutillidae. Again, I will walk you through all the steps of building the vulnerable host in Chapter 1, Building a Vulnerable Web Application Lab. Finally, I will be using Burp Suite Professional Edition, but you can follow along with the free edition of this tool. That being said, all the tools that we are going to use for the security tests are already installed by default on Kali Linux.

Download the example code files

You can download the example code files for this book from your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packtpub.com.
  2. Select the SUPPORT tab.
  3. Click on Code Downloads & Errata.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Practical-Web-Penetration-Testing. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The -y in the upgrade command will accept the prompts automatically."

A block of code is set as follows:

class ServiceDTO:
    # Class Constructor
    def __init__(self, port, name, description):
        self.description = description
        self.port = port
        self.name = name

Any command-line input or output is written as follows:

meterpreter > getsystem

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on Continue, and your system will reboot."

Warnings or important notes appear like this.
Tips and tricks appear like this.
Previous Section
Next Section