Kali Linux Web Penetration Testing Cookbook
eBook - ePub

Kali Linux Web Penetration Testing Cookbook

Identify, exploit, and prevent web application vulnerabilities with Kali Linux 2018.x, 2nd Edition

  1. 404 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Kali Linux Web Penetration Testing Cookbook

Identify, exploit, and prevent web application vulnerabilities with Kali Linux 2018.x, 2nd Edition

Book details
Book preview
Table of contents
Citations

About This Book

Discover the most common web vulnerabilities and prevent them from becoming a threat to your site's security

Key Features

  • Familiarize yourself with the most common web vulnerabilities
  • Conduct a preliminary assessment of attack surfaces and run exploits in your lab
  • Explore new tools in the Kali Linux ecosystem for web penetration testing

Book Description

Web applications are a huge point of attack for malicious hackers and a critical area for security professionals and penetration testers to lock down and secure. Kali Linux is a Linux-based penetration testing platform that provides a broad array of testing tools, many of which can be used to execute web penetration testing.

Kali Linux Web Penetration Testing Cookbook gives you the skills you need to cover every stage of a penetration test – from gathering information about the system and application, to identifying vulnerabilities through manual testing. You will also cover the use of vulnerability scanners and look at basic and advanced exploitation techniques that may lead to a full system compromise. You will start by setting up a testing laboratory, exploring the latest features of tools included in Kali Linux and performing a wide range of tasks with OWASP ZAP, Burp Suite and other web proxies and security testing tools.

As you make your way through the book, you will learn how to use automated scanners to find security flaws in web applications and understand how to bypass basic security controls. In the concluding chapters, you will look at what you have learned in the context of the Open Web Application Security Project (OWASP) and the top 10 web application vulnerabilities you are most likely to encounter, equipping you with the ability to combat them effectively.

By the end of this book, you will have acquired the skills you need to identify, exploit, and prevent web application vulnerabilities.

What you will learn

  • Set up a secure penetration testing laboratory
  • Use proxies, crawlers, and spiders to investigate an entire website
  • Identify cross-site scripting and client-side vulnerabilities
  • Exploit vulnerabilities that allow the insertion of code into web applications
  • Exploit vulnerabilities that require complex setups
  • Improve testing efficiency using automated vulnerability scanners
  • Learn how to circumvent security controls put in place to prevent attacks

Who this book is for

Kali Linux Web Penetration Testing Cookbook is for IT professionals, web developers, security enthusiasts, and security professionals who want an accessible reference on how to find, exploit, and prevent security vulnerabilities in web applications. The basics of operating a Linux environment and prior exposure to security technologies and tools are necessary.

Frequently asked questions

Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes, you can access Kali Linux Web Penetration Testing Cookbook by Gilberto Najera-Gutierrez in PDF and/or ePUB format, as well as other popular books in Computer Science & Operating Systems. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Packt Publishing
Year
2018
ISBN
9781789134179
Edition
2
Topic
Computer Science
Subtopic
Operating Systems
Index
Computer Science

Testing Authentication and Session Management

In this chapter, we will cover:
  • Username enumeration
  • Dictionary attack on login pages with Burp Suite
  • Brute forcing basic authentication with Hydra
  • Attacking Tomcat's passwords with Metasploit
  • Manually identifying vulnerabilities in cookies
  • Attacking a session fixation vulnerability
  • Evaluating a session identifier's quality with Burp Sequencer
  • Abusing insecure direct object references
  • Performing a Cross-Site Request Forgery attack

Introduction

When the information managed by an application is not meant to be public, a mechanism is required to verify that a user is allowed to see certain data; this is called authentication. The most common authentication method in web applications nowadays is the use of a username or identifier and a secret password combination.
HTTP is a stateless protocol, which means it treats all requests as unique and doesn't have a way of relating two as belonging to the same user, so the application also requires a way of distinguishing requests from different users and allowing them to perform tasks that may require a series of requests performed by the same user and multiple users connected at the same time. This is called session management. Session identifiers in cookies are the most used session management method in modern web applications, although bearer tokens (values containing user identification information sent in the Authorization header of each request) are growing in popularity in certain types of applications, such as backend web services.
In this chapter, we will cover the procedures to detect some of the most common vulnerabilities in web application authentication and session management, and how an attacker may abuse such vulnerabilities in order to gain access to restricted information.

Username enumeration

The first step to defeating a common user/password authentication mechanism is to discover valid usernames. One way of doing this is by enumeration; enumerating users in web applications is done by analyzing the responses when usernames are submitted in places such as login, registration, and password recovery pages.
In this recipe, we will use a list of common usernames to submit multiple requests to an application and figure out which of the submitted names belongs to an existing user by comparing the responses.

Getting ready

For this recipe, we will use the WebGoat application in the vulnerable virtual machine vm_1 and Burp Suite as proxy to our browser in Kali Linux.

How to do it...

Almost all applications offer the user the possibility of recovering or resetting their password when it is forgotten. It's not uncommon to find that these applications also tell when a non-existent username has been provided; this can be used to figure out a list of existing names:
  1. From Kali Linux, browse to WebGoat (http://192.168.56.11/WebGoat/attack), and, if a login dialog pops up, use webgoat as both the username and password.
  2. Once in WebGoat, go to Authentication Flaws | Forgot Password. If we submit any random username and that user does not exist in the database, we will receive a message saying that the username is not valid:
  1. We can then assume that the response will be different when a valid username is provided. To test this, send the request to Intruder. In Burp's history, it should be a POST request to http://192.168.56.11/WebGoat/attack?Screen=64&menu=500.
  1. Once in Intruder, leave the username as the only insertion position:
  1. Then, go to Payloads to set the list of users we will use in the attack. Leave the type as Simple List and click on the Load button to load the /usr/share/wordlists/metasploit/http_default_users.txt file:
  1. Now that we know the message when a user doesn't exist, we can use Burp to tell us when that message appears in the results. Go to Options | Grep - Match and clear the list.
  1. Add a new string to match Not a valid username:
  1. Now, start the attack. Notice how there are some names, such as admin, in which the message of an invalid username is not marked by Burp Suite; those are the ones that are valid names within the application:

How it works...

If we are testing a web application that requires a username and password to perform any task, we need to evaluate how an attacker could discover valid usernames and passwords. The slightest difference in responses to valid and invalid users in the login, registration, and password recovery pages will let us find the first piece of information.
Analyzing the differences in responses to similar requests is a task we will always be performing as penetration testers. Here, we used Burp Suite's tools, such as a proxy to record the original request, and Intruder to repeat it many times with variations in the value of a variable (username). Intruder also allowed us to automatically search for a string and indicated to us in which responses that string was found.

Dictionary attack on login pages with Burp Suite

Once we have a list of valid usernames for our target application, we can try a brute force attack, which tries all possible character combinations until a valid password is found. Brute force attacks are not feasible in web applications due to the enormous number of combinations and the response times between client and server.
A more realistic solution is a dictionary attack, which takes a reduced list of highly probable passwords and tries them with a valid username.
In this recipe, we will use Burp Suite Intruder to attempt a dictionary attack over a login page.

How to do it...

We'll use the WackoPicko admin section login to test this attack:
  1. First, we set up Burp Suite as a proxy to our browser.
  2. Browse to http://192.168.56.102/WackoPicko/admin/index.php?page=login.
  3. We will see a login form. Let's try test for both username and password.
  4. Now, go to Proxy's history and look for the POST request we just made with the login attempt and send it to Intruder.
  5. Click on Clear § to clear the pre-selected insertion positions.
  6. Now, we add insertion positions on the values of the two POST parameters (adminname and password) by highlighting the value of the parameter and clicking Add §:
  1. As we want our list of...

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. Packt Upsell
  4. Contributors
  5. Preface
  6. Setting Up Kali Linux and the Testing Lab
  7. Reconnaissance
  8. Using Proxies, Crawlers, and Spiders
  9. Testing Authentication and Session Management
  10. Cross-Site Scripting and Client-Side Attacks
  11. Exploiting Injection Vulnerabilities
  12. Exploiting Platform Vulnerabilities
  13. Using Automated Scanners
  14. Bypassing Basic Security Controls
  15. Mitigation of OWASP Top 10 Vulnerabilities
  16. Other Books You May Enjoy