Kali Linux Web Penetration Testing Cookbook
Second Edition
Identify, exploit, and prevent web application vulnerabilities with Kali Linux 2018.x
Gilberto Najera-Gutierrez
BIRMINGHAM - MUMBAI
Kali Linux Web Penetration Testing CookbookSecond Edition
Copyright 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Gebin George
Acquisition Editor: Rahul Nair
Content Development Editor: Priyanka Deshpande
Technical Editor: Komal Karne
Copy Editor: Safis Editing
Project Coordinator: Drashti Panchal
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Tom Scaria
Production Coordinator: Arvindkumar Gupta
First published: October 2016
Second edition: August 2018
Production reference: 1310818
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78899-151-3
www.packtpub.com
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
PacktPub.com
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.
At www.PacktPub.com , you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors
About the author
Gilberto Najera-Gutierrez is an experienced penetration tester currently working for one of the best security testing teams in Australia. He has successfully conducted penetration tests on networks and web applications for top corporations, government agencies, and financial institutions in Mexico and Australia.
Gilberto also holds world-leading professional certifications, such as Offensive Security Certified Professional (OSCP), GIAC Exploit Researcher, and Advanced Penetration Tester (GXPN).
Para Leticia y Alexa, gracias por el apoyo, la motivacin y la paciencia durante este proyecto y por el amor y la felicidad de cada da. Las amo.
About the reviewer
Alex Samm has over 10 years' experience in the IT field, holding a BSc in computer science from the University of Hertfordshire. His experience includes EUC support, Linux and UNIX, server and network administration, security, and more.
He currently works at ESP Global Services and lectures at the Computer Forensics and Security Institute on IT security courses, including ethical hacking and penetration testing.
He recently reviewed Digital Forensics with Kali Linux by Shiva Parasram and Advanced Infrastructure Penetration Testing by Chiheb Chebbi published by Packt.
I'd like to thank my parents, Roderick and Marcia, for their continued support in my relentless pursuit for excellence; ESP's management, Vinod and Dianne; and CFSI's Shiva and Glen for their guidance and support.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Preface
Nowadays, information security is a hot topic all over the news and the internet. We hear almost every day about web page defacement, data leaks of millions of user accounts and passwords or credit card numbers from websites, and identity theft on social networks. Terms such as cyberattack, cybercrime, hacker, and even cyberwar are becoming part of the daily lexicon in the media.
All this exposure to information security subjects and the very real need to protect both sensitive data and their reputations has made organizations more aware of the need to know where their systems are vulnerable, especially ones that are accessible to the world through the internet, how they could be attacked, and what the consequences would be in terms of information lost or systems being compromised if an attack were successful. Also, much more importantly, how to fix those vulnerabilities and minimize the risks.
The task of detecting vulnerabilities and discovering their impact on organizations can be addressed with penetration testing. A penetration test is an attack, or attacks, made by a trained security professional who uses the same techniques and tools real hackers use, to discover all of the possible weak spots in an organization's systems. Those weak spots are then exploited and the impact is measured. When the test is finished, the penetration tester reports all of their findings and suggests how future damage could be prevented.
In this book, we follow the whole path of a web application penetration test and, in the form of easy-to-follow, step-by-step recipes, show how the vulnerabilities in web applications and web servers can be discovered, exploited, and fixed.
Who this book is for
We have tried to write this book with many kinds of readers in mind. Firstly, computer science students, developers, and systems administrators who want to take their information security knowledge one step further or want to pursue a career in the field will find some very easy-to-follow recipes here that will allow them to perform their first penetration test in their own testing laboratory, and will also give them the basis and tools to continue practicing and learning.
Next page