Mastering Modern Web Penetration Testing
Mastering Modern Web Penetration Testing: Master the art of conducting modern pen testing attacks and techniques on your web application before the hacker does!

Authors: Prakhar Prasad, Rafay Baloch

eBook, Oct 2016, 298 pages, 1st Edition

Chapter 2. Information Gathering

Information gathering is the phase in which we collect as much as we can about the target we're attempting to break into: open ports, running services, and applications such as unauthenticated administrative consoles or ones still using default passwords. I'd like to quote Abraham Lincoln: Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

In simple words, the more information we gather about the target, the more attack surface becomes available to us. Suppose you want to break into your neighbor's house. You'll probably inspect the various locks they use before breaking in, so that you can work out beforehand how each lock might be defeated. Similarly, when doing a web application assessment, we need to explore every possible way of breaking into the web application, because the more information we can gather...

Information gathering techniques

Classically speaking, information gathering techniques consist of the following two classes:

  • Active techniques
  • Passive techniques

Active techniques

Typically, an active technique is connecting to our target for gaining information. This may include running port scans, enumerating files, and so on. Active techniques can be detected by the target, so care must be taken to ensure that we don't perform unnecessary techniques that generate a lot of noise. They could be picked up by the firewall of the target, and prolonged scans to enumerate information can even slow down the target for regular users.

Passive techniques

Using passive techniques, we make use of third-party websites and tools that do not contact the target while harvesting data for our reconnaissance. Websites such as Shodan and Google can surface a lot of data about a site, and using them properly can be extremely beneficial for getting information that can later be used in exploiting the target....

Enumerating Domains, Files, and Resources

In this section we'll make use of different kinds of recon techniques to do domain enumeration. Finding the subdomains of a website can land us in surprising places. I remember a talk by the Israeli security researcher Nir Goldshlager in which he performed a subdomain enumeration scan on a Google service; among the subdomains he found, one ran a web application with a publicly disclosed local file inclusion vulnerability, and Nir used it to gain a shell on Google's server. Nir's intention wasn't evil: he reported the vulnerability responsibly to Google's security team.

Let us now learn some information gathering techniques. We'll use both active and passive methods.

The following recon tools will be discussed:

  • Fierce
  • theHarvester
  • SubBrute
  • CeWL – Custom Word List Generator
  • DirBuster
  • WhatWeb
  • Maltego

The following websites will be used for passive enumeration:

  • Wolfram Alpha
  • Shodan
  • DNSdumpster
  • Reverse IP Lookup using YouGetSignal
  • Pentest...

Fierce

Fierce is an open source active recon tool to enumerate the subdomains of a target website. It was written by Robert (RSnake) Hansen and comes pre-installed in Kali Linux.

The Fierce Perl script applies techniques such as zone transfer and wordlist brute-forcing to find subdomains of the target domain:

fierce -dns target.com

Let's run Fierce against iitk.ac.in and see how it performs. It is shown in the following screenshot:

Voila, Fierce presented us with a list of subdomains. One thing to note is that Fierce enumerated the name servers of iitk.ac.in, and then tried to do a zone transfer on each. Luckily one of the name servers was misconfigured and Fierce then grabbed a list of DNS entries including the subdomains from the misconfigured server.

We can also use dig, which is available on *nix systems, to perform a zone transfer without Fierce. The dig command for a zone transfer looks like this:

dig @<name-server-of-target> <...
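As an added illustration (not code from the book), the following Python script mirrors what Fierce does with the name servers: it asks each authoritative server for a zone transfer and reports which ones answer, so a defender can confirm that their own zone refuses AXFR from arbitrary clients. dig_transfer shells out to dig for a real check; fake_transfer, the example.com records and the server names are constructed so that the script runs offline.

```python
import re
import subprocess
from typing import Callable, Dict, List

# One line of `dig ... axfr +noall +answer` output: owner TTL class type rdata
RR_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_axfr_output(text: str, zone: str) -> List[str]:
    """Extract the unique hostnames of a zone from dig AXFR answer lines.

    Records outside the zone are ignored and the trailing dot that dig prints
    on owner names is stripped. A refused transfer yields no matching lines.
    """
    zone = zone.rstrip(".").lower()
    names: List[str] = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # comments, blank lines, or a "; Transfer failed." message
        name = m.group("name").rstrip(".").lower()
        if (name == zone or name.endswith("." + zone)) and name not in names:
            names.append(name)
    return names


def dig_transfer(nameserver: str, zone: str, timeout: int = 10) -> str:
    """Request a zone transfer from one name server with dig (needs network and dig)."""
    cmd = ["dig", "@" + nameserver, zone, "axfr", "+noall", "+answer",
           "+time=" + str(timeout)]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def audit_zone_transfer(zone: str, nameservers: List[str],
                        transfer: Callable[[str, str], str] = dig_transfer) -> Dict[str, List[str]]:
    """Try AXFR against every authoritative server of the zone, as Fierce does.

    Returns only the servers that answered the transfer, mapped to the hostnames
    they exposed; an empty dict means every server refused, which is what you want.
    """
    leaked: Dict[str, List[str]] = {}
    for ns in nameservers:
        names = parse_axfr_output(transfer(ns, zone), zone)
        if names:
            leaked[ns] = names
    return leaked


# Constructed sample output: ns1 refuses the transfer, ns2 answers it.
SAMPLE_REFUSED = "; Transfer failed.\n"
SAMPLE_LEAK = """\
example.com.            3600    IN  SOA  ns1.example.com. hostmaster.example.com. 2016102801 7200 900 1209600 3600
example.com.            3600    IN  NS   ns1.example.com.
example.com.            3600    IN  NS   ns2.example.com.
www.example.com.        300     IN  A    192.0.2.10
mail.example.com.       300     IN  A    192.0.2.25
dev-admin.example.com.  300     IN  A    10.0.0.5
example.com.            3600    IN  SOA  ns1.example.com. hostmaster.example.com. 2016102801 7200 900 1209600 3600
"""


def fake_transfer(nameserver: str, zone: str) -> str:
    """Stand-in for dig_transfer so the audit runs offline on the constructed data."""
    return SAMPLE_LEAK if nameserver == "ns2.example.com" else SAMPLE_REFUSED


if __name__ == "__main__":
    result = audit_zone_transfer("example.com", ["ns1.example.com", "ns2.example.com"], fake_transfer)
    for ns, names in result.items():
        print(f"{ns} allows AXFR and exposed {len(names)} names: {', '.join(names)}")
```

Swap fake_transfer for the default dig_transfer (and the real NS names from a `dig NS` query) to audit a zone you administer.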

theHarvester

theHarvester is an open source reconnaissance tool that can dig out heaps of information, including subdomains, email addresses, employee names, open ports, and so on. It mainly uses passive techniques, with active techniques in some cases.

Let's run this amazing tool against my homepage:

theharvester -d prakharprasad.com -b google

Look at this! theHarvester found a list of subdomains and an email address. We may use this email address to perform client-side exploitation or phishing, but that's a different topic. The tool used only Google as a data source to reveal this much information.

We can control the sources of data to be used with theHarvester by using the -b switch. The sources of data that theHarvester supports are:

google, googleCSE, bing, bingapi, pgp, linkedin, google-profiles, people123, jigsaw, twitter, googleplus, all

Let us try to run theHarvester on my domain and provide the data source as LinkedIn. Let's see what happens next...

SubBrute

SubBrute is an open source subdomain enumeration tool. It is community maintained and aims to be the fastest and most accurate domain finding tool. It makes use of open DNS resolvers to bypass rate-limiting restrictions.

This doesn't come preinstalled with Kali Linux and must be downloaded from https://github.com/TheRook/subbrute:

./subbrute.py target.com

Let us run SubBrute against PacktPub's website and see what results it yields:

You can see the list of subdomains pouring out. This tool utilizes open DNS resolvers to make the process partially passive. We have to use the -r switch to supply our own custom resolver list.

CeWL

CeWL is a custom wordlist generator written by Robin Wood. It spiders the target site to a given depth and returns a list of words. This wordlist can later be used as a dictionary to brute-force web application logins, for example an administrative portal.

CeWL is present in Kali Linux and can also be downloaded from https://digi.ninja/projects/cewl.php#download.

./cewl target.com

Let me run this tool on my homepage with a link depth of 1.

Look at that! It returned a nice-looking wordlist based on the data scraped from my website. CeWL also supports HTTP Basic Authentication and provides options to proxy its traffic; more options are listed under its --help switch. Instead of displaying the wordlist on the console, we can save it to a file with the -w switch.

You can clearly see the generated wordlist was written to the cewl.txt file. There's also the -v switch to increase the verbosity of the CeWL output, it comes in very handy when the site...
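To show what CeWL's spidering actually does, here is an added Python example (not the book's or CeWL's own code) that crawls a site to a given link depth, skips script and style content, follows only same-host links, and counts the visible words; the depth and minimum-length parameters mirror CeWL's -d and -m options. The three-page SITE and fake_fetch are constructed so that it runs offline.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse


class PageScanner(HTMLParser):
    """Collect visible words and absolute links from one HTML page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.words: List[str] = []
        self.links: List[str] = []
        self._skip = 0  # nesting depth inside <script>/<style>, whose text is not content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(urljoin(self.page_url, href).split("#")[0])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.extend(re.findall(r"[A-Za-z][A-Za-z0-9]+", data))


def build_wordlist(fetch: Callable[[str], Optional[str]], start_url: str,
                   depth: int = 1, min_len: int = 3) -> List[Tuple[str, int]]:
    """Spider same-host pages up to `depth` link hops and count the words seen.

    Depth 0 is the start page alone, depth 1 adds the pages it links to, and so on.
    Pages on other hosts are recorded as links but never fetched.
    Returns (word, count) pairs, most frequent first.
    """
    host = urlparse(start_url).netloc
    counts: Counter = Counter()
    seen = {start_url}
    frontier = [start_url]
    for _ in range(depth + 1):
        next_frontier = []
        for url in frontier:
            page = fetch(url)
            if page is None:
                continue
            scanner = PageScanner(url)
            scanner.feed(page)
            counts.update(w for w in scanner.words if len(w) >= min_len)
            for link in scanner.links:
                if urlparse(link).netloc == host and link not in seen:
                    seen.add(link)
                    next_frontier.append(link)
        frontier = next_frontier
    return counts.most_common()


# Constructed three-page site standing in for a live target.
SITE: Dict[str, str] = {
    "https://example.com/": """<html><head><title>Acme Widgets</title>
        <script>var tracker = 'ignored';</script></head>
        <body><h1>Acme Widgets</h1><p>Welcome to Acme, makers of the Turbo Widget.</p>
        <a href="/about">About</a> <a href="https://other.example.org/">Partner</a></body></html>""",
    "https://example.com/about": """<html><body><p>Founded in Springfield by Jane Acme.</p>
        <a href="/team">Team</a></body></html>""",
    "https://example.com/team": "<html><body><p>Project codename Zephyr.</p></body></html>",
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP GET against the constructed site."""
    return SITE.get(url)


if __name__ == "__main__":
    for word, n in build_wordlist(fake_fetch, "https://example.com/", depth=1):
        print(n, word)
```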

DirBuster

DirBuster is a file/directory brute-forcer. It's written in Java and programmed by the members of the OWASP community. It's a GUI application and comes with Kali Linux. DirBuster supports multithreading and is capable of brute-forcing targets at insane speeds.

DirBuster project: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project.

The GUI of this tool is straightforward as it provides a ton of options for brute-forcing. It can go up to 100 threads which is amazingly fast, provided that there is proper bandwidth supplied.

It comes with a set of wordlists for different requirements and conditions.

Let us run DirBuster against my website to look around for files/folders:

It found some directories and files, and although there are a few false positives, not all results are incorrect. One thing to take care of when using DirBuster is that it generates a lot of traffic, which can easily slow down small websites, so the thread count must be set properly to avoid taking down...

WhatWeb

We can use WhatWeb, which is an active recon tool, to get basic information about a website.

WhatWeb listed cookies, country, and uncommon headers related to my website.

Maltego

Maltego is an Open-Source Intelligence (OSINT) tool developed by Paterva. It's a commercial tool, however the community edition comes by default alongside Kali Linux. We'll be using the community edition for this demonstration.

Maltego can be launched from the Information Gathering section of Kali Linux's Application menu. During the first launch, Maltego will ask you to register for the community edition license or login directly if already registered. This step must be done to access and run Maltego.

After the basic formalities are done, we can run Maltego again and we'll be presented with a dialog asking us the choice of machine to run. Machines are different categories or genres of information gathering we're interested in.

In the dialog, we're presented with different machines or information gathering categories...

Shodan

Before I begin, I must say Shodan is a one-of-a-kind search engine. In their own words, it is the world's first computer search engine, often dubbed as the search engine for hackers. We can use Shodan to find different types of information about a target.

Let us do a search on Shodan for web servers running Microsoft IIS version 8.0:

Shodan presented us with a page listing the matching entries in its database. Shodan provides a very decent and useful way to filter the results by the following criteria:

  • TOP COUNTRIES
  • TOP SERVICES
  • TOP ORGANIZATIONS
  • TOP OPERATING SYSTEMS
  • TOP PRODUCTS

Recently there was a publicly disclosed code execution flaw inside a Python-based debugger known as Werkzeug Debugger. We can give Shodan a shot and find out the computers running Werkzeug:

There we go! There is the list of computers running the vulnerable debugger.

Now let's find some ZTE OX253P routers. This particular brand of router is used widely by BSNL in India for providing WiMAX services...

Key benefits

  • This book covers the latest technologies such as Advance XSS, XSRF, SQL Injection, Web API testing, XML attack vectors, OAuth 2.0 Security, and more involved in today’s web applications
  • Penetrate and secure your web application using various techniques
  • Get this comprehensive reference guide that provides advanced tricks and tools of the trade for seasoned penetration testers

Description

Web penetration testing is a growing, fast-moving, and absolutely critical field in information security. This book executes modern web application attacks and utilises cutting-edge hacking techniques with an enhanced knowledge of web application security. We will cover web hacking techniques so you can explore the attack vectors during penetration tests. The book encompasses the latest technologies such as OAuth 2.0, Web API testing methodologies and XML vectors used by hackers. Some lesser discussed attack vectors such as RPO (relative path overwrite), DOM clobbering, and PHP Object Injection have been covered in this book. We'll explain various old school techniques in depth such as XSS, CSRF, SQL Injection through the ever-dependable SQLMap, and reconnaissance. Websites nowadays provide APIs to allow integration with third party applications, thereby exposing a lot of attack surface; we cover testing of these APIs using real-life examples. This pragmatic guide will be a great benefit and will help you prepare fully secure applications.

Who is this book for?

This book is for security professionals and penetration testers who want to speed up their modern web application penetration testing. It will also benefit those at an intermediate level and web developers who need to be aware of the latest application hacking techniques.

What you will learn

  • Get to know the new and less-publicized techniques such as PHP Object Injection and XML-based vectors
  • Work with different security tools to automate most of the redundant tasks
  • See different kinds of newly-designed security headers and how they help to provide security
  • Exploit and detect different kinds of XSS vulnerabilities
  • Protect your web application using filtering mechanisms
  • Understand old school and classic web hacking in depth using SQL Injection, XSS, and CSRF
  • Grasp XML-related vulnerabilities and attack vectors such as XXE and DoS techniques
  • Get to know how to test REST APIs to discover security issues in them

Product Details

Publication date : Oct 28, 2016
Length: 298 pages
Edition : 1st
Language : English
ISBN-13 : 9781785289149

Table of Contents

12 Chapters
1. Common Security Protocols
2. Information Gathering
3. Cross-Site Scripting
4. Cross-Site Request Forgery
5. Exploiting SQL Injection
6. File Upload Vulnerabilities
7. Metasploit and Web
8. XML Attacks
9. Emerging Attack Vectors
10. OAuth 2.0 Security
11. API Testing Methodology
Index

Customer reviews

Rating: 3.2 out of 5 (11 ratings)
5 star: 27.3%
4 star: 18.2%
3 star: 18.2%
2 star: 18.2%
1 star: 18.2%

joseph foley, Aug 19, 2024. Rating: 5/5 (Feefo verified review)

Kindle Customer, Nov 17, 2016. Rating: 5/5 (Amazon verified review)
A must read book for web app infosec guys. I read "The Web Application Hacker's Handbook" which has 900+ pages. But this book covers all those topics which are there in The Web Application Hacker's Handbook plus many new hacks too in just 300 pages. Each page is interesting and practical. To me it is the best book I have ever read on infosec matters.

Johnny, Mar 30, 2017. Rating: 5/5 (Amazon verified review)
Up to date coverage of same-origin, CORS, SSRF, IDOR and API/OAuth web penetration testing techniques. Doesn't go that deep into the topics but does list the code and command samples needed. Recommended!

Rob53, Nov 18, 2016. Rating: 4/5 (Amazon verified review)
I read the first review of this book and I think it's quite obvious that the reviewer did not actually read this book. I found this book to be a great resource to my existing library of web app pen testing books. Prakhar covers items and describes topics that other books have not. Will you become a true master at web pen testing after reading this book? Certainly not, however, this is a great additional resource in my opinion. I found the book to be coherent and in a decent order although I would have liked to have seen a little more info on a few topics. The author does write about some of the latest attack methods and provides examples of such (like php attacks). The author covers pretty much most of the web app attacks that I see at my job on a daily basis. I do not have any regrets making this purchase. Overall, the content length isn't any different than any of the Kali Linux books from PacktPub, but I do like this one for being able to fill in the blanks that the other books didn't cover.

Raghuvanshi Shetty, Feb 16, 2018. Rating: 4/5 (Amazon verified review)
If you are a beginner in web exploiting then this is a must read book. This book has the basics of each and every thing you need to know about the web exploits. The reason of buying this book should be for educational purposes only.
Pros: The quality of the book is really good. Pages feel soft. Content is great.
Cons: It includes a lot of very basic concepts which are generally known to a lot of people.
