Every penetration test, be it for a network or a web application, has a workflow; it has a series of stages that should be completed in order to increase our chances of finding and exploiting every possible vulnerability affecting our targets, such as:

• Reconnaissance
• Enumeration
• Exploitation
• Maintaining access
• Cleaning tracks

In a network penetration testing scenario, reconnaissance is the phase where testers must identify all the assets in the network, firewalls, and intrusion detection systems. They also gather the maximum information about the company, the network, and the employees.

In our case, for a web application penetration test, this stage will be all about getting to know the application, the database, the users, the server, and the relationship between the application and us.

Reconnaissance is an essential stage in every penetration test; the more information...

Passive reconnaissance is something we do without directly interacting with our target, that is, we gather information about it from third parties such as search engines, cache databases, reputation monitoring sites, and many others.

In this recipe, we will be requesting information from multiple online services, also referred to as open source intelligence (OSINT), in order to build a general picture of our target and discover information that is useful from a penetration testing perspective, in the scenario that we are testing a publicly available site or application.

Given that in this recipe, we will request information from multiple public sources, we will need for our Kali virtual...

Recon-ng is an information-gathering tool that uses many different sources to gather data, for example, on Google, Twitter, and Shodan.

In this recipe, we will learn the basics of Recon-ng and use it to gather public information about our target.

Although Recon-ng is ready to use as installed in Kali Linux, some of its modules require an API key to make queries to the online services. Also, having an API key will allow you to perform more advanced searches or avoid query limits in some services.

These keys can be generated by completing the registration on each search engine's website.

Nmap is probably the most used port scanner in the world. It can be used to identify live hosts, scan TCP and UDP open ports, detect firewalls, get versions of services running in remote hosts, and even, with the use of scripts, find and exploit vulnerabilities.

In this recipe, we will use Nmap to identify all the services running on our target application's server and their versions. For learning purposes, we will do this in several calls to Nmap, but it can be done using a single command.

All we need is to have our vulnerable vm_1 running.

A web application firewall (WAF) is a device or a piece of software that checks packages
sent to a web server in order to identify and block those that might be malicious, usually based on signatures or regular expressions.

We can end up dealing with a lot of problems in our penetration test if an undetected WAF blocks our requests or bans our IP address. When performing a penetration test, the reconnaissance phase must include the detection and identification of a WAF, intrusion detection system (IDS), or an intrusion prevention system (IPS). This is required in order to take the necessary measures to prevent being blocked or banned by these protection devices.

In this recipe, we will use different methods, along with the tools included in Kali Linux, to detect and identify the presence of a web application firewall between our target and...

We are, at a certain level, used to assuming that when a connection uses HTTPS with SSL or TLS encryption, it is secured and any attacker that intercepts it will only receive a series of meaningless numbers. Well, this may not be absolutely true; the HTTPS servers need to be correctly configured to provide a strong layer of encryption and to protect users from man-in-the-middle (MITM) attacks or cryptanalysis. A number of vulnerabilities in the implementation and design of the SSL protocol have been discovered and its successor, TLS, has also been found to be vulnerable under certain configurations, thus making the testing of secure connections mandatory in any web application penetration test.

In this recipe, we will use tools such as Nmap, SSLScan, and TestSSL to analyze the configuration (from the client's perspective) of the server...

Firebug is a browser add-on that allows us to analyze the inner components of a web page, such as table elements, CSS classes, and frames. It also has the ability to show us DOM objects, error codes, and request-response communication between the browser and server.

In the previous recipe, we saw how to look into a web page's HTML source code and found a hidden input field that established some default values for the maximum size of a file. In this recipe, we will see how to use the browser's debugging extensions, in this particular case, Firebug for Firefox, or OWASP Mantra.

With vm_1 running, go to your Kali VM and browse...

Cookies are small pieces of information sent by a web server to the client (browser) to store some information locally, related to that specific user. In modern web applications, cookies are used to store user-specific data, such as color theme configuration, object arrangement preferences, previous activity, and (more importantly for us) the session identifiers.

In this recipe, we will use the browser's tools to see the cookies' values, how they are stored, and how to modify them.

Our vm_1 needs to be running. 192.168.56.11 will be used as the IP address for that machine and we will use Firefox as the web browser.

The Storage tab in Developer Tools may not be enabled...

One step further into reconnaissance, we need to figure out if there is any page or directory in the site that is not linked to what is shown to the common user, for example, a login page to the intranet or to the Content Management Systems (CMS) administration. Finding a site similar to this will expand our testing surface considerably and give us some important clues about the application and its infrastructure.

In this recipe, we will use the robots.txt file to discover some files and directories that may not be linked to anywhere in the main application.

To illustrate how a penetration tester can take advantage of robots.txt, we will use vicnum, a vulnerable web application...