Practical Web Penetration Testing - Gus Khawaja - E-Book

Description

Learn how to execute web application penetration testing end-to-end


Key Features

Build an end-to-end threat model landscape for web application security

Learn both web application vulnerabilities and web intrusion testing

Associate network vulnerabilities with a web application infrastructure

Book Description


Companies all over the world want to hire professionals dedicated to application security. Practical Web Penetration Testing focuses on this very trend, teaching you how to conduct application security testing using real-life scenarios.


To start with, you’ll set up an environment to perform web application penetration testing. You will then explore different penetration testing concepts such as threat modeling, intrusion test, infrastructure security threat, and more, in combination with advanced concepts such as Python scripting for automation. Once you are done learning the basics, you will discover end-to-end implementation of tools such as Metasploit, Burp Suite, and Kali Linux. Many companies deliver projects into production by using either Agile or Waterfall methodology. This book shows you how to assist any company with their SDLC approach and helps you on your journey to becoming an application security specialist.


By the end of this book, you will have hands-on knowledge of using different tools for penetration testing.


What you will learn

Learn how to use Burp Suite effectively

Use Nmap, Metasploit, and more tools for network infrastructure tests

Practice using all web application hacking tools for intrusion tests using Kali Linux

Learn how to analyze a web application using application threat modeling

Know how to conduct web intrusion tests

Understand how to execute network infrastructure tests

Master automation of penetration testing functions for maximum efficiency using Python

Who this book is for


Practical Web Penetration Testing is for you if you are a security professional, penetration tester, or stakeholder who wants to execute penetration testing using the latest and most popular tools. Basic knowledge of ethical hacking would be an added advantage.



Page count: 262

Year of publication: 2018




Practical Web Penetration Testing

Secure web applications using Burp Suite, Nmap, Metasploit, and more

Gus Khawaja

BIRMINGHAM - MUMBAI

Practical Web Penetration Testing

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Gebin George
Acquisition Editor: Rahul Nair
Content Development Editor: Abhishek Jadhav
Technical Editor: Prachi Sawant
Copy Editor: Safis Editing
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tom Scaria
Production Coordinator: Arvindkumar Gupta

First published: June 2018

Production reference: 1200618

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78862-403-9

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

Gus Khawaja holds a bachelor's degree in computer science. He specializes in IT security and ethical hacking. He is an author and shares his passion with millions of viewers around the world using his online courses. He also works as a cybersecurity consultant in Montreal, Canada.

After many years of experience in programming, he turned his attention to cybersecurity and the importance that security brings to this minefield. His passion for ethical hacking, combined with his background in programming and IT, makes him a versatile, Swiss-army-knife professional in the computer science domain.

About the reviewer

Akash Mahajan is an accomplished security professional with over a decade's experience of providing specialist application and infrastructure consulting services to companies, governments, and organizations around the world. He has deep experience of working with clients to provide innovative security insights that truly reflect the commercial and operational needs of the organization, from strategic advice to testing and analysis to incident response and recovery. He has authored Burp Suite Essentials and Security Automation with Ansible 2, both by Packt.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Practical Web Penetration Testing

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Get in touch

Reviews

Disclaimer

Building a Vulnerable Web Application Lab

Downloading Mutillidae

Installing Mutillidae on Windows

Downloading and installing XAMPP

Mutillidae installation

Installing Mutillidae on Linux

Downloading and installing XAMPP

Mutillidae installation

Using Mutillidae

User registration

Showing hints and setting security levels

Application reset

OWASP Top 10

Summary

Kali Linux Installation

Introducing Kali Linux

Installing Kali Linux from scratch

Installing Kali on VMware

Installing Kali on VirtualBox

Bridged versus NAT versus Internal Network

Updating Kali Linux

Summary

Delving Deep into the Usage of Kali Linux

The Kali filesystem structure

Handling applications and packages

The Advanced Packaging Tool

Debian's package management system

Using dpkg commands

Handling the filesystem in Kali

File compression commands

Security management

Secure shell protocol

Configuring network services in Kali

Setting a static IP on Kali

Checking active connections in Kali

Process management commands

Htop utility

Popular commands for process management

System info commands

Summary

All About Using Burp Suite

An introduction to Burp Suite

A quick example 

Visualizing the application structure using Burp Target 

Intercepting the requests/responses using Burp Proxy

Setting the proxy in your browser

BURP SSL certificate

Burp Proxy options

Crawling the web application using Burp Spider

Manually crawling by using the Intruder tool

Automated crawling and finding hidden spots

Looking for web vulnerabilities using the scanner

Replaying web requests using the Repeater tab

Fuzzing web requests using the Intruder tab

Intruder attack types

Practical examples

Installing third-party apps using Burp Extender

Summary

Understanding Web Application Vulnerabilities

File Inclusion

Local File Inclusion

Remote File Inclusion

Cross-Site Scripting

Reflected XSS

Stored XSS

Exploiting stored XSS using the header

DOM XSS

JavaScript validation

Cross-Site Request Forgery

Step 01 – victim

Step 02 – attacker

Results

SQL Injection

Authentication bypass

Extracting the data from the database

Error-based SQLi enumeration

Blind SQLi

Command Injection

OWASP Top 10

1 – Injection

2 – Broken Authentication

3 – Sensitive Data

4 – XML External Entities

5 – Broken Access Control

6 – Security Misconfiguration

7 – Cross-Site Scripting (XSS)

8 – Insecure Deserialization

9 – Using Components with Known Vulnerabilities

10 – Insufficient Logging & Monitoring

Summary

Application Security Pre-Engagement

Introduction

The first meeting

The day of the meeting with the client

Non-Disclosure Agreement

Kick-off meeting

Time and cost estimation

Statement of work

Penetration Test Agreement

External factors

Summary

Application Threat Modeling

Software development life cycle

Application Threat Modeling at a glance

Application Threat Modeling in real life

Application Threat Modeling document parts

Data Flow Diagram

External dependencies

Trust levels

Entry points

Assets

Test strategies

Security risks

Practical example

xBlog Threat Modeling

Scope

Threat Modeling

Project information

Data Flow Diagram

External dependencies

Trust levels

Entry points

Assets

Threats list

Spoofing – authentication

Tampering – integrity

Repudiation

Information disclosure – confidentiality

Denial of service – availability

Elevation of privilege – authorization

Test strategies

Summary

Source Code Review

Programming background

Enterprise secure coding guidelines

Static code analysis – manual scan versus automatic scan

Secure coding checklist

Summary

Network Penetration Testing

Passive information gathering – reconnaissance – OSINT

Web search engines

Google Hacking Database – Google dorks

Online tools

Kali Linux tools

WHOIS lookup

Domain name system – DNS enumeration

Gathering email addresses

Active information gathering – services enumeration

Identifying live hosts

Identifying open ports/services

Service probing and enumeration

Vulnerability assessment

OpenVas

Exploitation

Finding exploits

Listener setup

Generating a shell payload using msfvenom

Custom shells

Privilege escalation

File transfers

Using PowerShell

Using VBScript

Administrator or root

Summary

Web Intrusion Tests

Web Intrusion Test workflow

Identifying hidden contents

Common web page checklist

Special pages checklist

Reporting

Common Vulnerability Scoring System – CVSS

First case – SQLi

Second case – Reflected XSS

Report template

Summary

Pentest Automation Using Python

Python IDE

Downloading and installing PyCharm 

PyCharm quick overview

Penetration testing automation

Automate.py in action

Utility functions

Service enumeration

DTO service class

The scanner core

Summary

Nmap Cheat Sheet

Target specification

Host discovery

Scan types and service versions

Port specification and scan order

Script scan

Timing and performance

Firewall/IDS evasion and spoofing

Output

Metasploit Cheat Sheet

Metasploit framework

Using the database

More database-related commands

Getting around

Using modules

Miscellaneous

msfvenom

Listener scripting

Meterpreter

Netcat Cheat Sheet

Netcat command flags

Practical examples

Networking Reference Section

Network subnets

Port numbers and services

Python Quick Reference

Quick Python language overview

Basics of Python

Operators

Arithmetic calculation operators

Assignment operators

Comparison operators 

Membership and identity operators

Binary operators

Making an if decision

Variables

Strings

Escape String Characters

Numbers

Lists

Tuples

Dictionary

Miscellaneous

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

This book will teach you how to execute penetration testing from start to finish. Starting from the pre-engagement phase, you will learn threat modeling for the architecture phase. After that, you will engage in the source code review process. Following this, you will also learn how to execute web application and network infrastructure penetration testing, and finally, you'll discover how to automate all this using Python.

Who this book is for

This book is for security professionals and enthusiasts who want to deepen their knowledge of the web penetration testing world. Many topics will be covered in this book, but you will need the basics of ethical hacking before you start reading (many online courses out there will get you up to speed). If you're a professional, I'm betting that you will greatly appreciate the straightforward checklists that I will provide. In fact, I use them myself in my career as a penetration tester.

What this book covers

Chapter 1, Building a Vulnerable Web Application Lab, will help us to get and install the vulnerable application Mutillidae using Windows and Linux. Also, we will have a quick tour of how to use this vulnerable web application.

Chapter 2, Kali Linux Installation, will explain how to download, install, and configure Kali Linux.

Chapter 3, Delving Deep into the Usage of Kali Linux, will teach more about how to deal with Kali Linux from the Terminal window, and will help you to become a ninja in bash scripting as well.

Chapter 4, All About Using Burp Suite, covers what you need to know about Metasploit to fulfil the role of a web application security expert.

Chapter 5, Understanding Web Application Vulnerabilities, explains the attacks that can happen on a web application; after finishing the chapter, you will be able to apply these skills when working through your findings during pentests.

Chapter 6, Application Security Pre-Engagement, will explain how to sign all the necessary contracts before starting the tests. Also, you will learn how to estimate, scope, and schedule your tests before they start. 

Chapter 7, Application Threat Modeling, explains that Application Threat Modeling (ATM) is a security architecture document that allows you to identify future threats and to pinpoint the different pentest activities that need to be executed in the future deployment of the web application project.

Chapter 8, Source Code Review, covers how to deal with the source code review process. The source code is the heart or engine of a web application, and it must be properly constructed from a security perspective.

Chapter 9, Network Penetration Testing, explains how to use Metasploit, Nmap, and OpenVAS together to conduct a network infrastructure vulnerability assessment.

Chapter 10, Web Intrusion Tests, will show how to look for web application based vulnerabilities (SQLi, XSS, and CSRF) using Burp. Also, readers will learn how to take advantage of these findings, get a remote shell, and probably elevate their privileges on the victim web server.

Chapter 11, Pentest Automation Using Python, explains how to automate everything that we have learned using the Python language for a more performant result.

Appendix A, Nmap Cheat Sheet, provides a list of the most common Nmap options.

Appendix B, Metasploit Cheat Sheet, provides a quick reference to the Metasploit framework. 

Appendix C, Netcat Cheat Sheet, provides Netcat commands and a few popular practical examples.

Appendix D, Networking Reference Section, provides important information about networking, such as network subnets, port numbers, and their services.

Appendix E, Python Quick Reference, provides a quick overview of the amazing programming language—Python.

To get the most out of this book

To get the most out of this book, you need to know the basics of ethical hacking, and you will need to build a lab. You will need virtualization software (for example, VirtualBox or VMware) to host the lab environment. To follow the examples, you will also need to install Kali Linux. Don't worry, I will discuss how to do it in Chapter 2, Kali Linux Installation. Kali Linux will be the attacker machine that we will use to test the security of the victim's machine. Speaking of the victim host, I encourage you to install a Windows 7 virtual machine where you will install a vulnerable web application called Mutillidae. Again, I will walk you through all the steps of building the vulnerable host in Chapter 1, Building a Vulnerable Web Application Lab. Finally, I will be using Burp Suite Professional Edition, but you can follow along with the free edition of this tool. That being said, all the tools that we are going to use for the security tests are already installed by default on Kali Linux.

Download the example code files

You can download the example code files for this book from your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you. 

You can download the code files by following these steps:

1. Log in or register at www.packtpub.com.

2. Select the SUPPORT tab.

3. Click on Code Downloads & Errata.

4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR/7-Zip for Windows

Zipeg/iZip/UnRarX for Mac

7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Practical-Web-Penetration-Testing. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/PracticalWebPenetrationTesting_ColorImages.pdf.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.

Building a Vulnerable Web Application Lab

In learning about how web application vulnerabilities work, the first step is to have an environment for exploring such vulnerabilities, such as SQL Injection and Cross-Site Scripting. If this is the first time you are hearing about these types of vulnerabilities, don't worry; we will dive deeper into them later in this book.

In this chapter, I will show you how to install a vulnerable web application called Mutillidae. I know that the name sounds awkward; in fact, a Mutillidae is a type of ant (just in case you want to know what that word means).

In this chapter, you will learn how to install the application in either Windows or Ubuntu Linux; I will leave the choice up to you.

In this chapter, we will cover the following:

Downloading Mutillidae

Installing Mutillidae on a Windows machine

Installing Mutillidae on a Linux Ubuntu host

Getting familiar with Mutillidae

Introducing the OWASP community

Downloading Mutillidae

The best way to download Mutillidae is through https://sourceforge.net/. An older version of the web application also exists on the Metasploitable 2 virtual machine (VM). If you're wondering what Metasploitable is, it is another virtual machine, filled with vulnerabilities for security professionals to test.

It's always better to get the latest version from SourceForge, at https://sourceforge.net/projects/mutillidae/:

To download it, all you need to do is click on the Download button, and you'll be ready for installation in both Windows and Linux. The latest version (at the time of writing this book) is 2.6; by the time you're reading, there will probably be a newer version, with more exciting functionalities. It's good to know that the owner of this application is always working on enhancing its features.

Installing Mutillidae on Windows

Mutillidae can easily be installed on Windows operating systems. In this example, I will install it on Windows 7 (this is just a personal choice). 

First, we will download and install XAMPP, which stands for Apache, MySQL, PHP, and Perl (the X at the beginning indicates that this application is cross-platform—some people call it WAMPP on Windows, replacing the X with W). So, as you may have guessed, after installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).

Downloading and installing XAMPP

To download XAMPP, browse to https://www.apachefriends.org/download.html, then choose the latest version from the list, which is 7.1.10 in my case (see the following screenshot). Then, click on the Download button to save it to your local Windows machine:

Before we start installing XAMPP, we will change the Windows User Account Control settings. To do so, open the Control Panel and click on User Accounts. When the new dialog box opens, click on Change User Account Control settings:

In the UAC window, you will need to drag the slider completely to the bottom and click on the OK button to save the changes:

It's time to install XAMPP (or WAMPP). Double-click on the downloaded file to start the installation process, and in the first dialog window, click on the Next button. In the next window, accept all of the default components, and click Next:

In the next step, you need to choose a folder to install XAMPP in. Generally, I leave it as the default path, C:\xamp, and then click on Next.

After this, you will be prompted to choose whether you want to learn about Bitnami. I would leave the checkbox checked, and click on Next.

At this stage, the setup is ready to begin installing XAMPP. Click on the last Next button, and finally, you will see the installation dialog.

After the installation has completed, you will be asked whether you want to start the Control Panel; leave it checked, so that we can start the services needed to install Mutillidae.

In the beginning, the services in the Control Panel have been stopped. We will need to start Apache and MySQL by clicking on their Start buttons:

Mutillidae installation

I'm assuming that you have already downloaded Mutillidae, as instructed previously in this chapter. Extract the compressed archive file, copy the mutillidae folder, and paste it into the C:\xamp\htdocs folder.

In order to access the Mutillidae site from the intranet, we will need to adjust the configuration file, .htaccess. Open the Mutillidae folder that you just copied, and the .htaccess file will be inside (use Notepad to open it):

Since my network IP address range is 10.0.0.0/24, I will add the line Allow from 10. in the allow section:

Open your browser and go to http://[your machine IP]/mutillidae. After the page loads, click on the setup/reset the DB link, and Mutillidae will install. If everything is good, you will be told that no errors were detected when resetting the database.

Finally! The installation of Mutillidae is complete:

Check this out! We have a Mutillidae home page up and running, and it's screaming, Hack me, please:

Installing Mutillidae on Linux

If you hate Windows, Linux is probably your favorite operating system, and you would prefer to install Mutillidae on Linux. In this section, I will use Ubuntu version 17.10 to install Mutillidae. If you skipped the Windows installation section, let me tell you that you will need to install XAMPP on Linux before installing Mutillidae. If you don't know what XAMPP is, don't worry; it refers to Apache, MySQL, PHP, and Perl. The X at the beginning indicates that this application is cross-platform (it's also called LAMPP on Linux; the L stands for Linux). So, as you may have guessed, by installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).

Downloading and installing XAMPP

To download XAMPP, browse to https://www.apachefriends.org/download.html, then choose the latest version from the list, which is 7.1.1 in my case (see the following screenshot). Then, click on the Download button to save it locally to your machine:

Open the Terminal window and make sure that your current directory is where the file is located (in my case, it's the Downloads folder). Next, you need to give the installer permission to execute, by using the following command:

Now that the installer has permission to execute, let's run it:

After executing the installer, you will be prompted with a couple of questions; hit the letter Y to say yes and continue further:

Enter a final Y before starting the installation of XAMPP:

Voila! XAMPP has been successfully installed on the Ubuntu machine:

Congratulations! You just finished installing XAMPP. Take note that LAMPP is installed on /opt/lampp, which is where you're going to manage your web projects.

Mutillidae installation

I'm assuming that you have already downloaded Mutillidae, as described previously. First, you will need to extract the compressed archive file. Right-click and select Extract Here from the menu.

Next, copy the mutillidae folder into the /opt/lampp/htdocs folder:

After copying the mutillidae folder, change your directory to /opt/lampp, and start the XAMPP servers:
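The Linux steps of this section (make the installer executable, run it, copy the mutillidae folder into /opt/lampp/htdocs, start the servers) and the .htaccess "Allow from" adjustment described in the Windows section, gathered into one shell script. This is an added example, not the book's or the Mutillidae project's code; it assumes the installer's file name, and that Mutillidae's .htaccess uses Apache's deny-by-default Allow/Deny form, which the book's "Allow from 10." line implies. The /opt/lampp paths are the ones the book uses.

```shell
#!/bin/sh
# Added example, not the book's or Mutillidae's own code: the Linux install
# steps of this chapter as shell functions, plus the .htaccess allow-list
# change described in the Windows section. Assumptions: the installer file
# name, and that Mutillidae's .htaccess uses Apache's deny-by-default
# "Order Deny,Allow / Deny from all / Allow from ..." form. /opt/lampp is
# the book's path.
set -eu

LAMPP_DIR="${LAMPP_DIR:-/opt/lampp}"

# Step 1: give the downloaded installer permission to execute (chmod +x).
make_executable() {
    chmod +x "$1"
    [ -x "$1" ]
}

# Step 2: copy the extracted mutillidae folder into the web root. Copying
# "$src/." brings the dotfiles (.htaccess) along, which a plain glob would miss.
deploy_mutillidae() {
    src="$1"     # extracted mutillidae folder
    htdocs="$2"  # web root, e.g. /opt/lampp/htdocs
    [ -f "$src/index.php" ] || { echo "no index.php in $src" >&2; return 1; }
    mkdir -p "$htdocs/mutillidae"
    cp -R "$src/." "$htdocs/mutillidae/"
    [ -f "$htdocs/mutillidae/index.php" ]
}

# Step 3: open the app only to the lab subnet. The book adds "Allow from 10."
# for its 10.0.0.0/24 network; this appends such a line once, and refuses
# anything that is not a dotted numeric prefix, so "Allow from all" can never
# slip in and expose a deliberately vulnerable app beyond the lab.
allow_lab_prefix() {
    htaccess="$1"
    prefix="$2"  # e.g. "10." or "192.168.56."
    case "$prefix" in
        ''|*[!0-9.]*) echo "refusing non-numeric prefix: $prefix" >&2; return 1 ;;
    esac
    if grep -qxF "Allow from $prefix" "$htaccess"; then
        return 0
    fi
    printf 'Allow from %s\n' "$prefix" >> "$htaccess"
}

# Step 4: start Apache and MySQL with the lampp control script (needs root).
start_lampp() {
    sudo "$LAMPP_DIR/lampp" start
}

# The URL to type in the browser; the book uses ifconfig, hostname -I is the
# net-tools-free equivalent on newer Ubuntu.
lab_url() {
    ip=$(hostname -I 2>/dev/null | awk '{print $1}')
    echo "http://${ip:-localhost}/mutillidae"
}

# The full run is opt-in (needs root and the downloaded files in the current
# directory), so the file can also be sourced just for the functions.
if [ "${1:-}" = "install" ]; then
    make_executable ./xampp-linux-x64-installer.run   # file name is an assumption
    sudo ./xampp-linux-x64-installer.run
    deploy_mutillidae ./mutillidae "$LAMPP_DIR/htdocs"
    allow_lab_prefix "$LAMPP_DIR/htdocs/mutillidae/.htaccess" "10."
    start_lampp
    lab_url
fi
```

Run it as `sh install-mutillidae.sh install` from the folder holding the installer and the extracted mutillidae directory. The prefix check in allow_lab_prefix is the one piece worth keeping even if you type the rest by hand: a Mutillidae instance reachable from outside the lab subnet is a foothold for anyone on that network.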

Open the browser, type http://[Ubuntu IP Address]/mutillidae, and replace the IP address with your own local IP address on the Ubuntu host where you installed XAMPP. Or, simply use the localhost, if you're using the browser on your Ubuntu server. To get your local IP address on Linux, type the command ifconfig in your Terminal window:

Don't panic! When the page loads for the first time, it will ask you to set up the server. In order to do so, click on the setup/reset the DB link, and Mutillidae will be installed on the XAMPP server:

Perfect! Mutillidae is installed, with no errors, according to the pop-up message. All you need to do at this point is click on the OK button, and you will be redirected to the Mutillidae home page. Amazing, right?

Using Mutillidae

Congratulations! You now have Mutillidae installed, on either Windows or Linux. You should be able to access it from any host on the intranet with the same subnet mask. I invite you to start getting familiar with the site by clicking around on the top and left menus. 

User registration

Let me give you a quick overview of how to start using Mutillidae.

First, let's register an account to use in our pen test, later in this book. On the top menu, click on the Login/Register button, and you will be redirected to the login page:

You guessed it! On this page, click on Please register here to go to the registration page. Let's register a user, gus, with a super secret password, password123:

Finally, click on the Create Account button to create the account:

Showing hints and setting security levels

This application is meant for web application professionals who want to practice web application type vulnerabilities. (For example, SQL Injection, Cross-Site Scripting, and so on. Don't worry; you will learn about them later in this book.) While practicing, Mutillidae offers you the option to display hints, in case you are blocked and you can't find the vulnerability that you are trying to solve.

First, on the top menu, click the Toggle Hints button to enable/disable hints. Next, click on Show Popup Hints to enable the pop-up hints, and you will notice that the text changes to Hide Popup Hints, in case you change your mind and want to disable it again:

Also, you can change the complexity levels for hacking this application. By default, the security is set to 0 (completely vulnerable); click on the Toggle Security button, and the level will change to 1 (client side active). Click one more time, and the level 5 will be active (server side). If you want to go back to level 0, click on Toggle Security while you're in level 5, and it should go back to 1. I'm going to leave it on level 1 for the rest of this book.

Application reset

Things can go wrong, and the application can stop working. If this happens to Mutillidae, it means that your application is sick and needs some medication. No, I'm kidding! All you need to do is reset it. Resetting Mutillidae is simple; just click on the Reset DB button on the top menu bar, and your application will become brand new again.

OWASP Top 10

The Open Web Application Security Project (OWASP) is a community dedicated to helping people and organizations with application security topics. If you'll be working as an AppSec expert, then OWASP should be your bible; they have plenty of help sections that will make your life much easier. Just follow their guidelines and tutorials at http://www.owasp.org.

The OWASP community defined the Top 10 vulnerabilities related to web applications. As for Mutillidae, it dedicated a menu to these vulnerabilities. On the left menu, you will see the OWASP items organized by year (the latest is the OWASP Top 10 for 2017; see the following screenshot). OWASP always keeps this list updated with the latest web vulnerabilities:

I have dedicated a whole chapter to these vulnerabilities, later in this book. For the time being, try to get familiar with the menu items.

Summary

Congratulations, folks! You've just finished the first chapter, and I hope that you enjoyed it and learned something new. Let's look at what we went over in this chapter:

What Mutillidae is

How to download Mutillidae (and where to find it)

Installing XAMPP on Windows

Installing Mutillidae on Windows

Installing XAMPP on Ubuntu Linux

Installing Mutillidae on Ubuntu Linux

Registering a new user in Mutillidae

Showing hints in Mutillidae

What OWASP is, and how it is related to Mutillidae

In the next chapter, you will learn how to install your penetration testing machine, Kali Linux.