Mastering Kali Linux for Web Penetration Testing
eBook - ePub

338 pages, English
About this book

Master the art of exploiting advanced web penetration techniques with Kali Linux 2016.2

About This Book
  • Make the most out of advanced web pen-testing techniques using Kali Linux 2016.2
  • Explore how Stored (a.k.a. Persistent) XSS attacks work and how to take advantage of them
  • Learn to secure your application by performing advanced web-based attacks
  • Bypass internet security to traverse from the web to a private network

Who This Book Is For
This book targets IT pen testers, security consultants, and ethical hackers who want to expand their knowledge and gain expertise on advanced web penetration techniques. Prior knowledge of penetration testing would be beneficial.

What You Will Learn
  • Establish a fully-featured sandbox for test rehearsal and risk-free investigation of applications
  • Enlist open-source information to get a head-start on enumerating account credentials, mapping potential dependencies, and discovering unintended backdoors and exposed information
  • Map, scan, and spider web applications using nmap/zenmap, nikto, arachni, webscarab, w3af, and NetCat for more accurate characterization
  • Proxy web transactions through tools such as Burp Suite, OWASP's ZAP tool, and Vega to uncover application weaknesses and manipulate responses
  • Deploy SQL injection, cross-site scripting, Java vulnerabilities, and overflow attacks using Burp Suite, websploit, and SQLMap to test application robustness
  • Evaluate and test identity, authentication, and authorization schemes and sniff out weak cryptography before the black hats do

In Detail
You will start by delving into some common web application architectures in use, both in private and public cloud instances. You will also learn about the most common frameworks for testing, such as OWASP OGT version 4, and how to use them to guide your efforts.
In the next section, you will be introduced to web pentesting with core tools and you will also see how to make web applications more secure through rigorous penetration tests using advanced features in open source tools. The book will then show you how to better hone your web pentesting skills in safe environments that can ensure low-risk experimentation with the powerful tools and features in Kali Linux that go beyond a typical script-kiddie approach. After establishing how to test these powerful tools safely, you will understand how to better identify vulnerabilities, position and deploy exploits, compromise authentication and authorization, and test the resilience and exposure applications possess.
By the end of this book, you will be well-versed with the web service architecture to identify and evade various protection mechanisms that are used on the Web today. You will leave this book with a greater mastery of essential test techniques needed to verify the secure design, development, and operation of your customers' web applications.

Style and approach
An advanced-level guide filled with real-world examples that will help you take your web application's security to the next level by using Kali Linux 2016.2.


Proxy Operations with OWASP ZAP and Burp Suite

Web servers and applications are exposed to the internet more than most other enterprise applications: they have to be available and serve their end customers. Because of this, defenders have been taught to view user traffic (surfing the site, interacting with the dynamic content, and so on) as normal, so long as it follows behavioral norms. Their defenses will focus on broad-based interactions while letting the slow trickle of normal user activity slide. Effective pen testers will mimic this behavior whenever possible to learn as much as they can about their target before launching later, more intrusive stages of the Kill Chain.
As we noted in Chapter 4, Scanning for Vulnerabilities with Arachni, specialized scanning tools can be a double-edged sword. For one thing, most scanners, Arachni included, specialize in looking for vulnerabilities by both passive and active means. Both are helpful, but as you are probably well aware, they come at a cost in time and, in the case of active scans, stealth. In addition to the resource needs and timing required, we must also weigh our own workflows against the level of stealth required. Significant intelligence can be gleaned, but if the tailoring of the profiles isn't precise, you risk alerting your target's operators and being detected. Too often, early-in-career pen testers will unleash an Nmap scan or some other active recon tool only to discover that their noise has ruined their chances of going further.
Scanning-focused tools also require some conversion of findings into later-phase operations, and they have holes in their ability to detect. Most scanning tools will not take action on your behalf. These caveats may be okay in a white-box testing scenario where you are handed carte blanche to test a web application without the fear of being caught. In black-box scenarios, where the pen test is more likely to be conducted by a Red Team (acting as an outside attacker), more surgical precision is warranted. Many of you may have noticed that most scanning or spidering tools have blind spots, especially around newer content delivery paradigms such as JavaScript or Ajax, which create the content dynamically rather than relying on stored HTML. For these cases and many others, it makes sense for all of us to have an alternative toolset or two in our arsenal.
Proxy-based tools offer us a complementary capability that can not only conduct scans but also pivot into exploits and access within the same tool. These products act as a proxy between the client-side (browser) and server-side (the web tier) elements. By sitting in the middle of this critical link, we're able to scour the message traffic between the two sides and observe, or even modify and attack. Proxy tools have the added benefit of allowing us to modify requests after they have passed client-side validation, so we can evade the basic JavaScript and HTML restrictions the application may have in place.
You may already be using some of these tools in your arsenal; there is no doubt that the market is saturated with both open source and commercial alternatives. Our goal in this chapter will be to go a little further with two of the most popular alternatives included with Kali Linux – Burp Suite by PortSwigger (https://portswigger.net/) and OWASP's own Zed Attack Proxy (ZAP). Both tools are free to use with the included binaries, but we'll also see just how much the Burp Suite Professional version can add to the mix. It is my hope that we'll cover some more advanced techniques for leveraging these proxy-based tools that you can then use to improve your own process, deliver better results, and help secure your customers more effectively.
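The point that an intercepting proxy lets you edit a request after the browser's own checks have passed is the one defenders most often get wrong, so here is an added example (not code from the book, and not ZAP or Burp code) in Python: a naive form handler that assumes the browser's maxlength and JavaScript checks held, beside one that re-validates every field on the server. The field names, limits and the two request bodies are constructed for this illustration; the second body is what the same form submission could look like after it has been edited in transit by a proxy such as ZAP or Burp.

```python
"""Server-side validation versus trusting the browser.

Added illustration only; the form, its rules and the sample request bodies
are constructed for this example and are not taken from the book.
"""
from urllib.parse import parse_qs

# Constraints the (hypothetical) HTML form enforces in the browser via
# maxlength, number ranges and a <select>. A proxy user never hits them, so
# the hardened handler applies every one of them again on the server.
FIELD_RULES = {
    "username": {"type": "str", "max_len": 32},
    "qty": {"type": "int", "min": 1, "max": 10},
    "coupon": {"type": "enum", "allowed": {"", "SAVE10", "SAVE20"}},
}


def naive_order(body):
    """Handler that assumes the browser already validated the form.

    This is the code path a tester reaches once the request has been
    rewritten in a proxy: negative quantities and unknown coupon codes
    sail straight through.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {
        "username": parsed.get("username", [""])[0],
        "qty": int(parsed.get("qty", ["1"])[0]),
        "coupon": parsed.get("coupon", [""])[0],
    }


def validate_order(body):
    """Hardened handler: returns (clean_values, errors).

    errors is empty only when every field satisfies FIELD_RULES; unknown or
    duplicated parameters are rejected because a real form submission never
    produces them, which makes them a useful tampering signal to log.
    """
    errors = []
    clean = {}
    parsed = parse_qs(body, keep_blank_values=True)

    for name, values in parsed.items():
        if name not in FIELD_RULES:
            errors.append("unexpected parameter: %s" % name)
        elif len(values) != 1:
            errors.append("duplicated parameter: %s" % name)

    for name, rule in FIELD_RULES.items():
        values = parsed.get(name)
        if values is None:
            errors.append("missing parameter: %s" % name)
            continue
        if len(values) != 1:
            continue  # already reported as duplicated
        raw = values[0]
        if rule["type"] == "str":
            if len(raw) > rule["max_len"]:
                errors.append("%s: longer than %d chars" % (name, rule["max_len"]))
            else:
                clean[name] = raw
        elif rule["type"] == "int":
            try:
                value = int(raw)
            except ValueError:
                errors.append("%s: not an integer" % name)
                continue
            if not rule["min"] <= value <= rule["max"]:
                errors.append("%s: %d outside %d..%d" % (name, value, rule["min"], rule["max"]))
            else:
                clean[name] = value
        elif rule["type"] == "enum":
            if raw not in rule["allowed"]:
                errors.append("%s: value not in allowed set" % name)
            else:
                clean[name] = raw
    return clean, errors


# Constructed sample bodies: what the browser's form submits, and the same
# request after being edited in an intercepting proxy (negative quantity,
# a coupon the <select> never offered, and a duplicated parameter).
FORM_SUBMITTED = "username=alice&qty=2&coupon=SAVE10"
PROXY_EDITED = "username=alice&qty=-3&coupon=STAFF100&qty=999"

if __name__ == "__main__":
    print("naive handler accepts:", naive_order(PROXY_EDITED))
    print("hardened handler rejects:", validate_order(PROXY_EDITED)[1])
```

Running the block shows the naive handler happily returning a quantity of -3 and a coupon of STAFF100, while the hardened handler reports the duplicated qty parameter and the disallowed coupon; both findings are exactly what a proxy-driven test of the form would surface, and the errors list is what you would want to feed into application logging for detection.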
Keeping these high-level goals in mind, in this chapter we'll cover the following:
  • Contrasting the differences between the two leading proxy tools, Burp Suite and OWASP ZAP (formerly zaproxy), with Paros
  • Diving into using Burp's Proxy and Scanner and ZAP to scope and detect vulnerabilities in the OWASP Top 10
  • Learning how to leverage Burp's Active tools to enumerate information and exploit vulnerabilities
  • Testing access control and session management through fuzzing and Burp Repeater
  • Uncovering and exploiting injection flaws, input validation, and application logic vulnerabilities using Burp Suite

Pulling back the curtain with ZAP

OWASP's suite of tools is well worth learning – their platform-agnostic approach means you can use these tools anytime, anywhere without worrying about which operating system you are on. Luckily for us, Kali bundles ZAP by default. Even more helpful to us as testers is OWASP's leadership in the Web Application Security arena. Their insights and guidance make it into each iteration of the ZAP (https://www.owasp.org/index.php/ZAP) tool, so we can be certain that we're getting leading-edge vulnerability and exploit information incorporated into the tool as it is discovered.
As with any tool in Kali, you've likely already used ZAP in your studies or work, but there are some advanced techniques that can be employed to improve the reach and efficacy of ZAP in your toolset. ZAP can either actively scan the target (which is the approach used by its Quick Start tab) or be used as a proxy tool to capture, iterate, and fuzz sites.
ZAP's proxy functionality can be extended through its Tools menu to scan, spider, or fuzz applications as well. In this mode ZAP is acting as a web proxy, typically on the same host as the tester's browser.

The following screenshot shows how ZAP fits into the architecture:
OWASP's ZAP is our MITM that can slow down and replay server-client interactions.
While most web application black-box scenarios can be tackled by deploying our proxy MITM on the same host, it should be noted that with the advent of the Internet of Things and a move toward using web applications to serve these devices, we may use ZAP or Burp in proxy mode where the client is actually an embedded web client on a smart device (for example, a television, camera, thermostat, SCADA sensor, pump or motor, and so on). Some companies are predicting that the internet will see 50 billion devices connected by the year 2020, and while that was initially dismissed as overzealous, it may actually be quite understated. Given just how many manufacturers seem to be having mixed luck in securing them (see the Mirai botnet, for instance), it is worth considering this use case for when the opportunity arises. Hackers are nothing if not entrepreneurial!

Quick refresher on launching ZAP scans

Before we can get into the more advanced functions of ZAP, let's quickly get a baseline project up and running as a persistent project (which saves data between sessions). Assuming you have already configured your browser to point to ZAP as the proxy (mine is configured for localhost:8080), we'll target the Mutillidae application, which is similar to the DVWA but offers some greater depth, located at http://172.16.30.129/mutillidae/. I have also configured my client to trust certificates from ZAP by importing its Root certificate to ensure that I do not run into issues with SSL/TLS, although this is not ...

Table of contents

  1. Title Page
  2. Copyright
  3. Credits
  4. About the Author
  5. About the Reviewers
  6. www.PacktPub.com
  7. Customer Feedback
  8. Preface
  9. Common Web Applications and Architectures
  10. Guidelines for Preparation and Testing
  11. Stalking Prey Through Target Recon
  12. Scanning for Vulnerabilities with Arachni
  13. Proxy Operations with OWASP ZAP and Burp Suite
  14. Infiltrating Sessions via Cross-Site Scripting
  15. Injection and Overflow Testing
  16. Exploiting Trust Through Cryptography Testing
  17. Stress Testing Authentication and Session Management
  18. Launching Client-Side Attacks
  19. Breaking the Application Logic
  20. Educating the Customer and Finishing Up

Mastering Kali Linux for Web Penetration Testing, by Michael McPhee, is available in PDF and/or ePUB format (Computer Science & Cyber Security).