Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Practical Web Penetration Testing
Practical Web Penetration Testing

Practical Web Penetration Testing: Secure web applications using Burp Suite, Nmap, Metasploit, and more

eBook
$24.99 $35.99
Paperback
$43.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Practical Web Penetration Testing

Building a Vulnerable Web Application Lab

In learning about how web application vulnerabilities work, the first step is to have an environment for exploring such vulnerabilities, such as SQL Injection and Cross-Site Scripting. If this is the first time you are hearing about these types of vulnerabilities, don't worry; we will dive deeper into them later in this book.

In this chapter, I will show you how to install a vulnerable web application called Mutillidae. I know that the name sounds awkward; in fact, a Mutillidae is a type of ant (just in case you want to know what that word means).

In this chapter, you will learn how to install the application in either Windows or Ubuntu Linux; I will leave the choice up to you.

In this chapter, we will cover the following:

  • Downloading Mutillidae
  • Installing Mutillidae on a Windows machine
  • Installing Mutillidae on a Linux Ubuntu host
  • Getting familiar with Mutillidae
  • Introducing the OWASP community

Downloading Mutillidae

The best way to download Mutillidae is through https://sourceforge.net/. An older version of the web application also exists on the Metasploitable 2 virtual machine (VM). If you're wondering what Metasploitable is, it is another virtual machine, filled with vulnerabilities for security professionals to test.

It's always better to get the latest version from SourceForge, at https://sourceforge.net/projects/mutillidae/:

To download it, all you need to do is click on the Download button, and you'll be ready for installation in both Windows and Linux. The latest version (at the time of writing this book) is 2.6; by the time you're reading, there will probably be a newer version, with more exciting functionalities. It's good to know that the owner of this application is always working on enhancing its features.

Installing Mutillidae on Windows

Mutillidae can easily be installed on Windows operating systems. In this example, I will install it on Windows 7 (this is just a personal choice).

First, we will download and install XAMPP, which stands for Apache, MySQL, PHP, and Perl (the X at the beginning indicates that this application is cross-platform—some people call it WAMPP on Windows, replacing the X with W). So, as you may have guessed, after installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).

Downloading and installing XAMPP

To download XAMPP, browse to https://www.apachefriends.org/download.html, then choose the latest version from the list, which is 7.1.10 in my case (see the following screenshot). Then, click on the Download button to save it to your local Windows machine:

Before we start installing XAMPP, we will change the Windows User Account Control settings. To do so, open the Control Panel and click on User Accounts. When the new dialog box opens, click on Change User Account Control settings:

In the UAC window, you will need to drag the slider completely to the bottom and click on the OK button to save the changes:

It's time to install XAMPP (or WAMPP). Double-click on the downloaded file to start the installation process, and in the first dialog window, click on the Next button. In the next window, accept all of the default components, and click Next:

In the next step, you need to choose a folder to install XAMPP in. Generally, I leave it as the default path, C:\xamp, and then click on Next.

After this, you will be prompted to choose whether you want to learn about Bitnami. I would leave the checkbox checked, and click on Next.

At this stage, the setup is ready to begin installing XAMPP. Click on the last Next button, and finally, you will see the installation dialog.

After the installation has completed, you will be asked whether you want to start the Control Panel; leave it checked, so that we can start the services needed to install Mutillidae.

In the beginning, the services in the Control Panel have been stopped. We will need to start Apache and MySQL by clicking on their Start buttons:

Mutillidae installation

I'm assuming that you have already downloaded Mutillidae, as instructed previously in this chapter. Extract the compressed archive file, copy the mutillidae folder, and paste it into the C:\xamp\htdocs folder.

In order to access the Mutillidae site from the intranet, we will need to adjust the configuration file, .htaccess. Open the Mutillidae folder that you just copied, and the .htaccess file will be inside (use Notepad to open it):

Since my network IP address range is 10.0.0.0/24, I will add the line Allow from 10. in the allow section:

Open your browser and go to http://[your machine IP]/mutillidae. After the page loads, click on the setup/reset the DB link, and Mutillidae will install. If everything is good, you will be told that no errors were detected when resetting the database.

Finally! The installation of Mutillidae is complete:

Check this out! We have a Mutillidae home page up and running, and it's screaming, Hack me, please:

Installing Mutillidae on Linux

You probably hate Windows, so Linux is probably your favorite operating system, and you would prefer to install Mutillidae on Linux. In this section, I will use Ubuntu version 17.10 to install Mutillidae. If you have skipped the Windows installation section, let me tell you that you will need to install XAMPP on Linux before installing Mutillidae. Now, if you don't know what XAMPP is, don't worry; it refers to Apache, MySQL, PHP, and Perl. The X at the beginning indicates that this application is cross-platform (it's also called LAMPP on Linux; the L stands for Linux). So, as you may have guessed, through installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).

Downloading and installing XAMPP

To download XAMPP, browse to https://www.apachefriends.org/download.html, then choose the latest version from the list, which is 7.1.1, in my case (see the following screenshot). Then, click on the Download button to save it locally to your machine:

Open the Terminal window and make sure that your current directory is where the file is located (in my case, it's the Downloads folder). Next, you need to give the installer permission to execute, by using the following command:

Now that the installer has permission to execute, let's run it:

After executing the installer, you will be prompted with a couple of questions; hit the letter Y to say yes and continue further:

Enter a final Y before starting the installation of XAMPP:

Voila! XAMPP has been successfully installed on the Ubuntu machine:

Congratulations! You just finished installing XAMPP. Take note that LAMPP is installed on /opt/lampp, which is where you're going to manage your web projects.

Mutillidae installation

I'm assuming that you have already downloaded Mutillidae, as described previously. First, you will need to extract the compressed archive file. Right-click and select Extract Here from the menu.

Next, copy the mutillidae folder into the /opt/lampp/htdocs folder:

After copying the mutillidae folder, change your directory to /opt/lampp, and start the XAMPP servers:

Open the browser, type http://[Ubuntu IP Address]/mutillidae, and replace the IP address with your own local IP address on the Ubuntu host where you installed XAMPP. Or, simply use the localhost, if you're using the browser on your Ubuntu server. To get your local IP address on Linux, type the command ifconfig in your Terminal window:

Don't panic! When the page loads for the first time, it will ask you to set up the server. In order to do so, click on the setup/reset the DB link, and Mutillidae will be installed on the XAMPP server:

Perfect! Mutillidae is installed, with no errors, according to the pop-up message. All you need to do at this point is click on the OK button, and you will be redirected to the Mutillidae home page. Amazing, right?

Using Mutillidae

Congratulations! You now have Mutillidae installed, on either Windows or Linux. You should be able to access it from any host on the intranet with the same subnet mask. I invite you to start getting familiar with the site by clicking around on the top and left menus.

User registration

Let me give you a quick overview of how to start using Mutillidae.

First, let's register an account to use in our pen test, later in this book. On the top menu, click on the Login/Register button, and you will be redirected to the login page:

You guessed it! On this page, click on Please register here to go to the registration page. Let's register a user, gus, and a super secret password, password123:

Finally, click on the Create Account button to create the account:

Showing hints and setting security levels

This application is meant for web application professionals who want to practice web application type vulnerabilities. (For example, SQL Injection, Cross-Site Scripting, and so on. Don't worry; you will learn about them later in this book.) While practicing, Mutillidae offers you the option to display hints, in case you are blocked and you can't find the vulnerability that you are trying to solve.

First, on the top menu, click the Toggle Hints button to enable/disable hints. Next, click on Show Popup Hints to enable the pop-up hints, and you will notice that the text changes to Hide Popup Hints, in case you change your mind and want to disable it again:

Also, you can change the complexity levels for hacking this application. By default, the security is set to 0 (completely vulnerable); click on the Toggle Security button, and the level will change to 1 (client side active). Click one more time, and the level 5 will be active (server side). If you want to go back to level 0, click on Toggle Security while you're in level 5, and it should go back to 1. I'm going to leave it on level 1 for the rest of this book.

Application reset

Things can go wrong, and the application can stop working. If this happens to Mutillidae, it means that your application is sick and needs some medication. No, I'm kidding! All you need to do is reset it. Resetting Mutillidae is simple; just click on the Reset DB button on the top menu bar, and your application will become brand new again.

OWASP Top 10

The Open Web Application Security Project (OWASP) is a community dedicated to helping people and organizations with application security topics. If you'll be working as an AppSec expert, then OWASP should be your bible; they have plenty of help sections that will make your life much easier. Just follow their guidelines and tutorials at http://www.owasp.org.

The OWASP community defined the Top 10 vulnerabilities related to web applications. As for Mutillidae, it dedicated a menu to these vulnerabilities. On the left menu, you will see the OWASP items organized by year (the latest is the OWASP Top 10 for 2017; see the following screenshot). OWASP always keeps this list updated with the latest web vulnerabilities:

I have dedicated a whole chapter to these vulnerabilities, later in this book. For the time being, try to get familiar with the menu items.

Summary

Congratulations, folks! You've just finished the first chapter, and I hope that you enjoyed it and learned something new. Let's look at what we went over in this chapter:

  • What Mutillidae is
  • How to download Mutillidae (and where to find it)
  • Installing XAMPP on Windows
  • Installing Mutillidae on Windows
  • Installing XAMPP on Ubuntu Linux
  • Installing Mutillidae on Ubuntu Linux
  • Registering a new user in Mutillidae
  • Showing hints in Mutillidae
  • What OWASP is, and how it is related to Mutillidae

In the next chapter, you will learn how to install your penetration testing machine, Kali Linux.

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • •Build an end-to-end threat model landscape for web application security
  • •Learn both web application vulnerabilities and web intrusion testing
  • •Associate network vulnerabilities with a web application infrastructure

Description

Companies all over the world want to hire professionals dedicated to application security. Practical Web Penetration Testing focuses on this very trend, teaching you how to conduct application security testing using real-life scenarios. To start with, you’ll set up an environment to perform web application penetration testing. You will then explore different penetration testing concepts such as threat modeling, intrusion test, infrastructure security threat, and more, in combination with advanced concepts such as Python scripting for automation. Once you are done learning the basics, you will discover end-to-end implementation of tools such as Metasploit, Burp Suite, and Kali Linux. Many companies deliver projects into production by using either Agile or Waterfall methodology. This book shows you how to assist any company with their SDLC approach and helps you on your journey to becoming an application security specialist. By the end of this book, you will have hands-on knowledge of using different tools for penetration testing.

Who is this book for?

Practical Web Penetration Testing is for you if you are a security professional, penetration tester, or stakeholder who wants to execute penetration testing using the latest and most popular tools. Basic knowledge of ethical hacking would be an added advantage.

What you will learn

  • •Learn how to use Burp Suite effectively
  • •Use Nmap, Metasploit, and more tools for network infrastructure tests
  • •Practice using all web application hacking tools for intrusion tests using Kali Linux
  • •Learn how to analyze a web application using application threat modeling
  • •Know how to conduct web intrusion tests
  • •Understand how to execute network infrastructure tests
  • •Master automation of penetration testing functions for maximum efficiency using Python

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jun 22, 2018
Length: 294 pages
Edition : 1st
Language : English
ISBN-13 : 9781788624039
Vendor :
Offensive Security
Category :
Languages :
Concepts :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Jun 22, 2018
Length: 294 pages
Edition : 1st
Language : English
ISBN-13 : 9781788624039
Vendor :
Offensive Security
Category :
Languages :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 147.97
Web Penetration Testing with Kali Linux
$54.99
Advanced Infrastructure Penetration Testing
$48.99
Practical Web Penetration Testing
$43.99
Total $ 147.97 Stars icon
Banner background image

Table of Contents

17 Chapters
Building a Vulnerable Web Application Lab Chevron down icon Chevron up icon
Kali Linux Installation Chevron down icon Chevron up icon
Delving Deep into the Usage of Kali Linux Chevron down icon Chevron up icon
All About Using Burp Suite Chevron down icon Chevron up icon
Understanding Web Application Vulnerabilities Chevron down icon Chevron up icon
Application Security Pre-Engagement Chevron down icon Chevron up icon
Application Threat Modeling Chevron down icon Chevron up icon
Source Code Review Chevron down icon Chevron up icon
Network Penetration Testing Chevron down icon Chevron up icon
Web Intrusion Tests Chevron down icon Chevron up icon
Pentest Automation Using Python Chevron down icon Chevron up icon
Nmap Cheat Sheet Chevron down icon Chevron up icon
Metasploit Cheat Sheet Chevron down icon Chevron up icon
Netcat Cheat Sheet Chevron down icon Chevron up icon
Networking Reference Section Chevron down icon Chevron up icon
Python Quick Reference Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.2
(5 Ratings)
5 star 80%
4 star 0%
3 star 0%
2 star 0%
1 star 20%
Sebastien Oct 24, 2019
Full star icon Full star icon Full star icon Full star icon Full star icon 5
It is a great book for learning and improving in Web application Pentesting!Great reference for the Web Application challenges on the Internet. I also use it as a reference for the University web application security class.Highly recommended!
Amazon Verified review Amazon
Kartik Sep 30, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Coool books for newbies who are new to this area
Amazon Verified review Amazon
Ernesto Guevara Gonzaga Jul 08, 2019
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Es un buen libro para comenzar
Amazon Verified review Amazon
Hudney Piquant Aug 01, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is truly practical. Gus is a great teacher and is very detailed as well. One of my favorite chapter is his break down of how to use Burp Suite. With this book I was able to implement many things for my current project at work. Thanks again Gus.
Amazon Verified review Amazon
D. Garland Mar 05, 2020
Full star icon Empty star icon Empty star icon Empty star icon Empty star icon 1
For those who want a TL:DR - waste of money, filled with information that can be found freely on the internet, provides tutorials on licensed ($400 USD) Burp Suite (not the free version), the last 15% of the book is nothing but cheat sheets for common pen-testing tools (again, free on the internet).Most of the work is a compilation of information that can be freely found using any search engine. I bought this primarily as a beginners introduction to pen-testing websites using Burp Suite. Obviously, the author has a licensed version of Burp Suite and if you want to follow along with the book you'll need to shell out $400 for a Burp Suite license. Otherwise, you aren't going to get much out of that section.There a few examples of how to exploit the OWASP Mutillidae website that the book has you setup. Again, information you can get for free on the internet and even directly from the Mutillidae website itself.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.