Hands-On Web Penetration Testing with Metasploit
📖 eBook - ePub

Hands-On Web Penetration Testing with Metasploit

The subtle art of using Metasploit 5.0 for web application exploitation

Harpreet Singh, Himanshu Sharma

Share book
📖 eBook - ePub

Hands-On Web Penetration Testing with Metasploit

The subtle art of using Metasploit 5.0 for web application exploitation

Harpreet Singh, Himanshu Sharma

About This Book

Identify, exploit, and test web application security with ease

Key Features

  • Get up to speed with Metasploit and discover how to use it for pentesting
  • Understand how to exploit and protect your web environment effectively
  • Learn how an exploit works and what causes vulnerabilities

Book Description

Metasploit has been a crucial security tool for many years. However, there are only a few modules that Metasploit has made available to the public for pentesting web applications. In this book, you'll explore another aspect of the framework – web applications – which is not commonly used. You'll also discover how Metasploit, when used with its inbuilt GUI, simplifies web application penetration testing.

The book starts by focusing on the Metasploit setup, along with covering the life cycle of the penetration testing process. Then, you will explore Metasploit terminology and the web GUI, which is available in the Metasploit Community Edition. Next, the book will take you through pentesting popular content management systems such as Drupal, WordPress, and Joomla, which will also include studying the latest CVEs and understanding the root cause of vulnerability in detail. Later, you'll gain insights into the vulnerability assessment and exploitation of technological platforms such as JBoss, Jenkins, and Tomcat. Finally, you'll learn how to fuzz web applications to find logical security vulnerabilities using third-party tools.

By the end of this book, you'll have a solid understanding of how to exploit and validate vulnerabilities by working with various tools and techniques.

What you will learn

  • Get up to speed with setting up and installing the Metasploit framework
  • Gain first-hand experience of the Metasploit web interface
  • Use Metasploit for web-application reconnaissance
  • Understand how to pentest various content management systems
  • Pentest platforms such as JBoss, Tomcat, and Jenkins
  • Become well-versed with fuzzing web applications
  • Write and automate penetration testing reports

Who this book is for

This book is for web security analysts, bug bounty hunters, security professionals, or any stakeholder in the security sector who wants to delve into web application security testing. Professionals who are not experts with command line tools or Kali Linux and prefer Metasploit's graphical user interface (GUI) will also find this book useful. No experience with Metasploit is required, but basic knowledge of Linux and web application pentesting will be helpful.

Access to over 1 million titles for a fair monthly price.

Study more efficiently using our study tools.



Penetration Testing on Technological Platforms - JBoss

The previous chapters of this book explained how to perform penetration tests on Content Management Systems (CMSes). Now that we have a clear understanding of the different CMS architectures and the different ways to go about carrying out a test, let's move on to learning how we can carry out tests on different technologies. In this chapter, we'll learn about JBoss, its architecture, and its exploitation. JBoss is one of the most easily deployable applications for an organization focused on automating deployments of a Java-based application. Due to its flexible architecture, many organizations opt for JBoss, but it is because of its great ease of use to organizations that JBoss is also widely targeted by threat actors. The following topics will be covered in this chapter:
  • An introduction to JBoss
  • Performing reconnaissance on a JBoss - based application server using Metasploit
  • Vulnerability assessments on JBoss
  • Carrying out JBoss exploitation with the help of Metasploit modules

Technical requirements

An introduction to JBoss

JBoss AS is an open source Java Enterprise Edition (Java EE)-based application server. The project was started by Mark Fluery in 1999. Since then, JBoss Group (LLC) was formed in 2001, and in 2004, JBoss became a corporation under the name of JBoss, Inc. In early 2006, Oracle sought to buy JBoss, Inc., but later on in the same year, RedHat succeeded in buying the corporation.
As JBoss AS is based on Java, the application server supports cross-platform installation and, unlike other proprietary software in the market, JBoss offers the same features at very low prices. The following are some of the advantages of JBoss:
  • Flexibility due to plugin-based architecture
  • Ease of installation and setup
  • Provides the full Java EE stack, including Enterprise JavaBeans (EJB), Java Messaging Service (JMS), Java Management Extension (JMX), and Java Naming and Directory Interface (JNDI)
  • Can run an Enterprise Application (EA)
  • Is cost-efficient
Due to the flexible plugin architecture, developers don't have to spend time developing services for their applications. The goal here is to save money and resources so that developers can focus more time on the products they're developing.

The JBoss architecture (JBoss 5)

The JBoss architecture has changed gradually over the last few years and with each major release, new services have been added. In this chapter, we will look at an architectural overview of JBoss AS 5 and cover the exploitation part of the architecture in the JBoss exploitation section later in this chapter. To understand the JBoss AS architecture, refer to the following diagram:
We can divide the architecture into four main components, as follows:
  • User applications: As the name suggests, this component handles user applications and contains the XML config files, Web Application Resource (WAR) files, and so on. This is where user applications are deployed.
  • Component deployers: Deployers are used in JBoss to deploy components. MainDeployer, JARDeployer, and SARDeployer are hardcoded deployers in the JBoss server core. All other deployers are Managed Bean (MBean) services that register themselves as deployers with MainDeployer.
  • Enterprise services: This component is responsible for handling multiple things, such as transactions, security, and the web server.
  • The JBoss microcontainer: This can be used as a standalone container outside of JBoss AS. It is designed to provide an environment to configure and manage Plain Old Java Objects (POJOs).
Now, let's look at the directory structure.

JBoss files and the di...

Table of contents

Citation styles for Hands-On Web Penetration Testing with MetasploitHow to cite Hands-On Web Penetration Testing with Metasploit for your reference list or bibliography: select your referencing style from the list below and hit 'copy' to generate a citation. If your style isn't in the list, you can start a free trial to access over 20 additional styles from the Perlego eReader.
APA 6 Citation
Singh, H., & Sharma, H. (2020). Hands-On Web Penetration Testing with Metasploit (1st ed.). Packt Publishing. Retrieved from https://www.perlego.com/book/1484865/handson-web-penetration-testing-with-metasploit-the-subtle-art-of-using-metasploit-50-for-web-application-exploitation-pdf (Original work published 2020)
Chicago Citation
Singh, Harpreet, and Himanshu Sharma. (2020) 2020. Hands-On Web Penetration Testing with Metasploit. 1st ed. Packt Publishing. https://www.perlego.com/book/1484865/handson-web-penetration-testing-with-metasploit-the-subtle-art-of-using-metasploit-50-for-web-application-exploitation-pdf.
Harvard Citation
Singh, H. and Sharma, H. (2020) Hands-On Web Penetration Testing with Metasploit. 1st edn. Packt Publishing. Available at: https://www.perlego.com/book/1484865/handson-web-penetration-testing-with-metasploit-the-subtle-art-of-using-metasploit-50-for-web-application-exploitation-pdf (Accessed: 14 October 2022).
MLA 7 Citation
Singh, Harpreet, and Himanshu Sharma. Hands-On Web Penetration Testing with Metasploit. 1st ed. Packt Publishing, 2020. Web. 14 Oct. 2022.