Practical Web Penetration Testing

By : Gus Khawaja

Practical Web Penetration Testing

By: Gus Khawaja

Overview of this book

Companies all over the world want to hire professionals dedicated to application security. Practical Web Penetration Testing focuses on this very trend, teaching you how to conduct application security testing using real-life scenarios. To start with, you’ll set up an environment to perform web application penetration testing. You will then explore different penetration testing concepts such as threat modeling, intrusion test, infrastructure security threat, and more, in combination with advanced concepts such as Python scripting for automation. Once you are done learning the basics, you will discover end-to-end implementation of tools such as Metasploit, Burp Suite, and Kali Linux. Many companies deliver projects into production by using either Agile or Waterfall methodology. This book shows you how to assist any company with their SDLC approach and helps you on your journey to becoming an application security specialist. By the end of this book, you will have hands-on knowledge of using different tools for penetration testing.

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Disclaimer

Free Chapter

Building a Vulnerable Web Application Lab

Downloading Mutillidae

Installing Mutillidae on Windows

Installing Mutillidae on Linux

Using Mutillidae

Summary

Kali Linux Installation

Introducing Kali Linux

Installing Kali Linux from scratch

Installing Kali on VMware

Installing Kali on VirtualBox

Bridged versus NAT versus Internal Network

Updating Kali Linux

Summary

Delving Deep into the Usage of Kali Linux

The Kali filesystem structure

Handling applications and packages

Handling the filesystem in Kali

Security management

Secure shell protocol

Configuring network services in Kali

Process management commands

System info commands

Summary

All About Using Burp Suite

An introduction to Burp Suite

A quick example

Visualizing the application structure using Burp Target

Intercepting the requests/responses using Burp Proxy

Crawling the web application using Burp Spider

Looking for web vulnerabilities using the scanner

Replaying web requests using the Repeater tab

Fuzzing web requests using the Intruder tab

Installing third-party apps using Burp Extender

Summary

Understanding Web Application Vulnerabilities

File Inclusion

Cross-Site Scripting

Cross-Site Request Forgery

SQL Injection

Command Injection

OWASP Top 10

Summary

Application Security Pre-Engagement

Introduction

The first meeting

Non-Disclosure Agreement

Kick-off meeting

Time and cost estimation

Statement of work

Penetration Test Agreement

External factors

Summary

Application Threat Modeling

Software development life cycle

Application Threat Modeling at a glance

Application Threat Modeling in real life

Application Threat Modeling document parts

Practical example

Summary

Source Code Review

Programming background

Enterprise secure coding guidelines

Static code analysis – manual scan versus automatic scan

Secure coding checklist

Summary

Network Penetration Testing

Passive information gathering – reconnaissance – OSINT

Active information gathering – services enumeration

Vulnerability assessment

Exploitation

Privilege escalation

Summary

Web Intrusion Tests

Web Intrusion Test workflow

Identifying hidden contents

Common web page checklist

Special pages checklist

Reporting

Summary

Pentest Automation Using Python

Python IDE

Penetration testing automation

Summary

Nmap Cheat Sheet

Target specification

Host discovery

Scan types and service versions

Port specification and scan order

Script scan

Timing and performance

Firewall/IDS evasion and spoofing

Output

Metasploit Cheat Sheet

Metasploit framework

Netcat Cheat Sheet

Netcat command flags

Practical examples

Networking Reference Section

Network subnets

Port numbers and services

Python Quick Reference

Quick Python language overview

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Practical Web Penetration Testing

By : Gus Khawaja

Practical Web Penetration Testing

By: Gus Khawaja

Overview of this book

Related Content you might be interested in

Current Title:

Practical Web Penetration Testing

Burp Suite Cookbook.

Kali Linux Web Penetration Testing Cookbook

Learn Penetration Testing