Practical Web Penetration Testing
eBook - ePub

Practical Web Penetration Testing

Secure web applications using Burp Suite, Nmap, Metasploit, and more

  1. 294 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Practical Web Penetration Testing

Secure web applications using Burp Suite, Nmap, Metasploit, and more

About this book

Learn how to execute web application penetration testing end-to-endAbout This Book• Build an end-to-end threat model landscape for web application security• Learn both web application vulnerabilities and web intrusion testing• Associate network vulnerabilities with a web application infrastructureWho This Book Is ForPractical Web Penetration Testing is for you if you are a security professional, penetration tester, or stakeholder who wants to execute penetration testing using the latest and most popular tools. Basic knowledge of ethical hacking would be an added advantage.What You Will Learn• Learn how to use Burp Suite effectively• Use Nmap, Metasploit, and more tools for network infrastructure tests• Practice using all web application hacking tools for intrusion tests using Kali Linux• Learn how to analyze a web application using application threat modeling• Know how to conduct web intrusion tests• Understand how to execute network infrastructure tests• Master automation of penetration testing functions for maximum efficiency using PythonIn DetailCompanies all over the world want to hire professionals dedicated to application security. Practical Web Penetration Testing focuses on this very trend, teaching you how to conduct application security testing using real-life scenarios.To start with, you'll set up an environment to perform web application penetration testing. You will then explore different penetration testing concepts such as threat modeling, intrusion test, infrastructure security threat, and more, in combination with advanced concepts such as Python scripting for automation. Once you are done learning the basics, you will discover end-to-end implementation of tools such as Metasploit, Burp Suite, and Kali Linux. Many companies deliver projects into production by using either Agile or Waterfall methodology. This book shows you how to assist any company with their SDLC approach and helps you on your journey to becoming an application security specialist.By the end of this book, you will have hands-on knowledge of using different tools for penetration testing.Style and approachIn this book, you will learn and understand the workflow of application security testing. Starting from analysis using threat modeling until the testing phase and before the web project goes into production, you will be able conduct effective penetrating testing using web intrusion tests, network infrastructure tests, and code review.

Tools to learn more effectively

Saving Books

Saving Books

Keyword Search

Keyword Search

Annotating Text

Annotating Text

Listen to it instead

Listen to it instead

Information

Publisher
Packt Publishing
Year
2018
eBook ISBN
9781788628723
Edition
1
Topic
Ciencia de la computación
Subtopic
Ciberseguridad

Application Threat Modeling

I have dedicated a whole chapter to this topic because people underestimate the importance of Application Threat Modeling (ATM). If you're an employee or a consultant in application security, you will always encounter projects that will deliver new releases of their product, and you will need to make sure to test these projects before they are deployed into the production servers. ATM happens at the beginning when the project is still in the Architecture phase. In fact, ATM is a security architecture document that allows you to identify future threats and to pinpoint the different pentest activities that need to be executed in the future deployment of the web application project.
Here's the plan for this amazing chapter:
  • Introducing the software development life cycle
  • Application Threat Modeling at a glance
  • Application Threat Modeling in real life
  • Application Threat Modeling document structure and contents
  • A practical example of an Application Threat Modeling document
A lot of principles in this chapter (and this book, as well) can be found at the OWASP website. I highly recommend that you keep the OWASP website in mind for your application security daily tasks: http://www.owasp.org.

Software development life cycle

Every application proceeds into a development life cycle before it is deployed into production. First, the project team comes up with an idea for a new product (a website) that allows the business to earn more money and clients. This is the Analysis/Architecture phase, where everyone sits around the table to discuss all the challenges of this new project. At the end of this phase, an Architecture document will be produced and presented to the Architecture Board who will approve it if the project meets the company's policies. After the approval, the project will start in the Development phase, where a team of developers and quality assurance engineers will join together to deliver the product. After a few sprints, a stable release will be ready for deployment into the production; the team will test this application and make sure that it's free of bugs. If everything is good (gating), then the team will proceed and deploy the web application into the production environment:
You, as an application security professional, play an important role in this workflow. During the first Architecture/Analysis stage, you are required to attend the meetings to understand the new application. Once the architecture document is completed, you will create your ATM document. Later, during the Development phase, you will execute all the penetration tests activities (Source Code Review, Web Intrusion Tests, and Infrastructure Security Tests) based on the ATM document that you wrote at the beginning.

Application Threat Modeling at a glance

ATM is a methodology for analyzing the security posture of an application and it aims to help you lay out the foundations before starting the penetration testing activities. The document should address the security risks during the Architecture phase by identifying and quantifying them before project reaches the Development phase. You will see so many approaches out there for how to handle the threat modeling document (the best one that I recommend is the OWASP Application Threat Modeling document; check it out yourself and you will understand what I mean), but from my personal experience, I suggest you make it as simple as possible and don't waste your time over-describing the security risks of the ap...

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. Packt Upsell
  4. Contributors
  5. Preface
  6. Building a Vulnerable Web Application Lab
  7. Kali Linux Installation
  8. Delving Deep into the Usage of Kali Linux
  9. All About Using Burp Suite
  10. Understanding Web Application Vulnerabilities
  11. Application Security Pre-Engagement
  12. Application Threat Modeling
  13. Source Code Review
  14. Network Penetration Testing
  15. Web Intrusion Tests
  16. Pentest Automation Using Python
  17. Nmap Cheat Sheet
  18. Metasploit Cheat Sheet
  19. Netcat Cheat Sheet
  20. Networking Reference Section
  21. Python Quick Reference
  22. Other Books You May Enjoy

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn how to download books offline
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 990+ topics, we’ve got you covered! Learn about our mission
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more about Read Aloud
Yes! You can use the Perlego app on both iOS and Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app
Yes, you can access Practical Web Penetration Testing by Gus Khawaja in PDF and/or ePUB format, as well as other popular books in Ciencia de la computación & Ciberseguridad. We have over one million books available in our catalogue for you to explore.