Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Kali Linux Web Penetration Testing Cookbook

You're reading from   Kali Linux Web Penetration Testing Cookbook Identify, exploit, and prevent web application vulnerabilities with Kali Linux 2018.x

Arrow left icon
Product type Paperback
Published in Aug 2018
Publisher Packt
ISBN-13 9781788991513
Length 404 pages
Edition 2nd Edition
Languages
Arrow right icon
Author (1):
Arrow left icon
Gilberto Najera-Gutierrez Gilberto Najera-Gutierrez
Author Profile Icon Gilberto Najera-Gutierrez
Gilberto Najera-Gutierrez
Arrow right icon
View More author details
Toc

Table of Contents (12) Chapters Close

Preface 1. Setting Up Kali Linux and the Testing Lab 2. Reconnaissance FREE CHAPTER 3. Using Proxies, Crawlers, and Spiders 4. Testing Authentication and Session Management 5. Cross-Site Scripting and Client-Side Attacks 6. Exploiting Injection Vulnerabilities 7. Exploiting Platform Vulnerabilities 8. Using Automated Scanners 9. Bypassing Basic Security Controls 10. Mitigation of OWASP Top 10 Vulnerabilities 11. Other Books You May Enjoy

Configuring the web browser for penetration testing

Most web penetration testing happens in the client, that is, in the web browser; hence, we need to prepare our browser to make it a useful tool for our purposes. In this recipe, we will do that by adding several plugins to the Firefox browser installed in Kali Linux by default.

How to do it...

Firefox is a very flexible browser that fits the purpose of web penetration testing very well; it also comes pre-installed in Kali Linux. Let's customize it a little bit to make it better using the following steps:

  1. Open Firefox and go to Add-ons in the menu:
  1. In the search box, type wappalyzer to look for the first plugin we will install:
  1. Click Install in the Wappalyzer add-on to install it. You may also need to confirm the installation.
  2. Next, we search for FoxyProxy.
  3. Click on Install.
  4. Now search for and install Cookies Manager+.
  5. Search for and install HackBar.
  6. Search for and install HttpRequester.
  7. Search for and install RESTClient.
  8. Search for and install User-Agent Switcher.
  9. Search for and install Tampermonkey.
  10. Search for and install Tamper Data and Tamper Data Icon Redux.
  1. The list of extensions installed should look like the following screenshot:

How it works...

So far, we've just installed some tools in our web browser, but what are these tools good for when it comes to penetration testing a web application? The add-ons installed are as follows:

  • HackBar: A very simple add-on that helps us try different input values without having to change or rewrite the full URL. We will be using this a lot when doing manual checks for cross-site scripting and injections. It can be activated using the F9 key.
  • Cookies Manager+: This add-on will allow us to view and sometimes modify the value of cookies the browser receives from the applications.
  • User-Agent Switcher: This add-on allows us to modify the user-agent string (the browser identifier) that is sent in all requests to the server. Applications sometimes use this string to show or hide certain elements depending on the browser and operating system used.
  • Tamper Data: This add-on has the ability to capture any request to the server just after it is sent by the browser, giving us the chance to modify the data after introducing it in the application's forms and before it reaches the server. Tamper Data Icon Redux only adds an icon.
  • FoxyProxy Standard: A very useful extension that lets us change the browser's proxy settings in one click using user-provided presets.
  • Wappalyzer: This is a utility to identify the platforms and developing tools used in websites. This is very useful for fingerprinting the web server and the software it uses.
  • HttpRequester: With this tool, it is possible to craft HTTP requests, including get, post, and put methods, and to watch the raw response from the server.
  • RESTClient: This is basically a request generator like HTTP requester, but focused on REST web services. It includes options to add headers, different authentication modes, and get, post, put, and delete methods.
  • Tampermonkey: This is an extension that will allow us to install user scripts in the browser and make on-the-fly changes to web page content before or after they load. From a penetration testing point of view, this is useful to bypass client-side controls and other client code manipulations.

See also

Other add-ons that could prove useful for web application penetration testing are the following:

  • XSS Me
  • SQL Inject Me
  • iMacros
  • FirePHP

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image