Hands-On Web Penetration Testing with Metasploit
eBook - ePub

Hands-On Web Penetration Testing with Metasploit

The subtle art of using Metasploit 5.0 for web application exploitation

Harpreet Singh, Himanshu Sharma

Share book
  1. 544 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Hands-On Web Penetration Testing with Metasploit

The subtle art of using Metasploit 5.0 for web application exploitation

Harpreet Singh, Himanshu Sharma

Book details
Book preview
Table of contents
Citations

About This Book

Identify, exploit, and test web application security with ease

Key Features

  • Get up to speed with Metasploit and discover how to use it for pentesting
  • Understand how to exploit and protect your web environment effectively
  • Learn how an exploit works and what causes vulnerabilities

Book Description

Metasploit has been a crucial security tool for many years. However, there are only a few modules that Metasploit has made available to the public for pentesting web applications. In this book, you'll explore another aspect of the framework – web applications – which is not commonly used. You'll also discover how Metasploit, when used with its inbuilt GUI, simplifies web application penetration testing.

The book starts by focusing on the Metasploit setup, along with covering the life cycle of the penetration testing process. Then, you will explore Metasploit terminology and the web GUI, which is available in the Metasploit Community Edition. Next, the book will take you through pentesting popular content management systems such as Drupal, WordPress, and Joomla, which will also include studying the latest CVEs and understanding the root cause of vulnerability in detail. Later, you'll gain insights into the vulnerability assessment and exploitation of technological platforms such as JBoss, Jenkins, and Tomcat. Finally, you'll learn how to fuzz web applications to find logical security vulnerabilities using third-party tools.

By the end of this book, you'll have a solid understanding of how to exploit and validate vulnerabilities by working with various tools and techniques.

What you will learn

  • Get up to speed with setting up and installing the Metasploit framework
  • Gain first-hand experience of the Metasploit web interface
  • Use Metasploit for web-application reconnaissance
  • Understand how to pentest various content management systems
  • Pentest platforms such as JBoss, Tomcat, and Jenkins
  • Become well-versed with fuzzing web applications
  • Write and automate penetration testing reports

Who this book is for

This book is for web security analysts, bug bounty hunters, security professionals, or any stakeholder in the security sector who wants to delve into web application security testing. Professionals who are not experts with command line tools or Kali Linux and prefer Metasploit's graphical user interface (GUI) will also find this book useful. No experience with Metasploit is required, but basic knowledge of Linux and web application pentesting will be helpful.

Frequently asked questions

How do I cancel my subscription?
Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Hands-On Web Penetration Testing with Metasploit an online PDF/ePUB?
Yes, you can access Hands-On Web Penetration Testing with Metasploit by Harpreet Singh, Himanshu Sharma in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Year
2020
ISBN
9781789951639

Penetration Testing on Technological Platforms - JBoss

The previous chapters of this book explained how to perform penetration tests on Content Management Systems (CMSes). Now that we have a clear understanding of the different CMS architectures and the different ways to go about carrying out a test, let's move on to learning how we can carry out tests on different technologies. In this chapter, we'll learn about JBoss, its architecture, and its exploitation. JBoss is one of the most easily deployable applications for an organization focused on automating deployments of a Java-based application. Due to its flexible architecture, many organizations opt for JBoss, but it is because of its great ease of use to organizations that JBoss is also widely targeted by threat actors. The following topics will be covered in this chapter:
  • An introduction to JBoss
  • Performing reconnaissance on a JBoss - based application server using Metasploit
  • Vulnerability assessments on JBoss
  • Carrying out JBoss exploitation with the help of Metasploit modules

Technical requirements

The following are the prerequisites for this chapter:
  • A JBoss Application Server (AS) instance (https://jbossas.jboss.org/)
  • The Metasploit Framework (https://www.metasploit.com/)
  • JexBoss, which is a third-party tool (https://github.com/joaomatosf/jexboss)

An introduction to JBoss

JBoss AS is an open source Java Enterprise Edition (Java EE)-based application server. The project was started by Mark Fluery in 1999. Since then, JBoss Group (LLC) was formed in 2001, and in 2004, JBoss became a corporation under the name of JBoss, Inc. In early 2006, Oracle sought to buy JBoss, Inc., but later on in the same year, RedHat succeeded in buying the corporation.
As JBoss AS is based on Java, the application server supports cross-platform installation and, unlike other proprietary software in the market, JBoss offers the same features at very low prices. The following are some of the advantages of JBoss:
  • Flexibility due to plugin-based architecture
  • Ease of installation and setup
  • Provides the full Java EE stack, including Enterprise JavaBeans (EJB), Java Messaging Service (JMS), Java Management Extension (JMX), and Java Naming and Directory Interface (JNDI)
  • Can run an Enterprise Application (EA)
  • Is cost-efficient
Due to the flexible plugin architecture, developers don't have to spend time developing services for their applications. The goal here is to save money and resources so that developers can focus more time on the products they're developing.

The JBoss architecture (JBoss 5)

The JBoss architecture has changed gradually over the last few years and with each major release, new services have been added. In this chapter, we will look at an architectural overview of JBoss AS 5 and cover the exploitation part of the architecture in the JBoss exploitation section later in this chapter. To understand the JBoss AS architecture, refer to the following diagram:
We can divide the architecture into four main components, as follows:
  • User applications: As the name suggests, this component handles user applications and contains the XML config files, Web Application Resource (WAR) files, and so on. This is where user applications are deployed.
  • Component deployers: Deployers are used in JBoss to deploy components. MainDeployer, JARDeployer, and SARDeployer are hardcoded deployers in the JBoss server core. All other deployers are Managed Bean (MBean) services that register themselves as deployers with MainDeployer.
  • Enterprise services: This component is responsible for handling multiple things, such as transactions, security, and the web server.
  • The JBoss microcontainer: This can be used as a standalone container outside of JBoss AS. It is designed to provide an environment to configure and manage Plain Old Java Objects (POJOs).
Now, let's look at the directory structure.

JBoss files and the di...

Table of contents