Reading Notes: Web Penetration Testing with Kali Linux, Second Edition

I started reading the book Web Penetration Testing with Kali Linux, Second Edition today, and am making some notes on it.

Chapter 1: Introduction to Penetration Testing and Web Applications

Different testing methodologies

  • Ethical hacking
  • Penetration testing
  • Vulnerability assessment
  • Security audits

RoE (Rules of Engagement)

  • Black box testing or Gray box testing
  • Client contact details
  • Client IT Team notifications
  • Sensitive data handling
  • Status meeting

The Limitations of Penetration testing

  • Limitation of skills
  • Limitation of time
  • Limitation of custom exploits
  • Avoiding DoS attacks
  • Limitation of access
  • Limitations of tools used

The need for testing web applications

  • Protecting customer data
  • Compliance with law and regulation
  • Loss of reputation
  • Revenue loss
  • Protection against business disruption

Social Engineering attacks

  • E-mail Spoofing
  • Telephone attacks
  • Dumpster diving
  • Malicious USB drives

A web application overview for penetration testers

  • HTTP protocol
  • Headers in HTTP
  • Session tracking using cookies
  • HTML
  • Architecture of web applications

Request and Response header

Important fields in request header

  • Host
  • User-Agent
  • Cookie
  • Referer
  • Accept-Encoding

Important fields in response header

The exhaustive list of all the header fields and their usage can be found at the

Important HTTP method for penetration testing

  • GET
  • POST
  • HEAD: the server responds with the HTTP headers only, without sending any body. Can be used to quickly fingerprint the server (for example from the Server header) without downloading the content.
  • TRACE: the server bounces the request back, placing the original request message in the body of the response (Content-Type: message/http). It can be used to check exactly what request the server received, and so to identify alterations made to the request by intermediary devices such as proxy servers and firewalls (headers added, removed or rewritten). IIS also has a TRACK method, which behaves the same as TRACE. Related attack: cross-site tracing (XST), which uses TRACE to read a user's cookies, including ones marked HttpOnly, from the echoed request. Modern browsers refuse to issue TRACE and TRACK from XMLHttpRequest and fetch, so today an enabled TRACE is mainly an information leak and a configuration finding rather than a cookie-stealing vector.
  • PUT
  • OPTIONS: queries the server for the methods it supports; the answer comes back in the Allow response header.
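The two checks described above for OPTIONS and TRACE, as an added example that is not from the book: the script reads the Allow header of an OPTIONS response, flags methods worth a second look, and tests whether a TRACE response really echoes the request we sent (including any headers a proxy inserted on the way). All HTTP messages are constructed by hand here so it runs offline; the RISKY_METHODS set and the header names are choices made for this example.

```python
# Added example (not from the book): triage the methods a server advertises via
# OPTIONS and check whether a TRACE response echoes our request. All HTTP messages
# below are constructed by hand so the script runs offline.
from typing import Dict, List, Set, Tuple

# Methods worth a second look during an assessment (choice made for this example).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request or response into (start line, headers, body).

    Header names are lower-cased; a repeated header keeps its last value, which
    is enough for the checks below.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def status_code(response: bytes) -> int:
    """Numeric status from the status line, 0 if it cannot be parsed."""
    start, _, _ = parse_message(response)
    parts = start.split()
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0


def allowed_methods(options_response: bytes) -> Set[str]:
    """Methods listed in the Allow header of an OPTIONS response."""
    _, headers, _ = parse_message(options_response)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def risky_methods(options_response: bytes) -> Set[str]:
    return allowed_methods(options_response) & RISKY_METHODS


def trace_echoed(sent_request: bytes, trace_response: bytes) -> bool:
    """True when the server reflected our request line in a 200 message/http body.

    This is the condition cross-site tracing relied on: whatever can read the
    response body can read the echoed Cookie header, HttpOnly or not.
    """
    _, headers, body = parse_message(trace_response)
    if status_code(trace_response) != 200:
        return False
    if headers.get("content-type", "").split(";")[0].strip().lower() != "message/http":
        return False
    request_line = sent_request.split(b"\r\n", 1)[0]
    return request_line in body


def headers_added_in_transit(sent_request: bytes, trace_response: bytes) -> List[str]:
    """Header names present in the echoed request but absent from what we sent,
    i.e. inserted by a proxy, load balancer or firewall between us and the server."""
    if not trace_echoed(sent_request, trace_response):
        return []
    _, sent_headers, _ = parse_message(sent_request)
    _, _, body = parse_message(trace_response)
    _, echoed_headers, _ = parse_message(body)  # the body is itself an HTTP request
    return sorted(set(echoed_headers) - set(sent_headers))


# --- constructed sample traffic (not captured from a real host) ----------------
OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: OPTIONS, GET, HEAD, POST, TRACE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SENT_TRACE = (
    b"TRACE / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Cookie: session=abc123\r\n\r\n"
)
TRACE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"X-Forwarded-For: 10.0.0.5\r\n\r\n"
)
TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    print("allowed:", sorted(allowed_methods(OPTIONS_RESPONSE)))
    print("risky:", sorted(risky_methods(OPTIONS_RESPONSE)))
    print("TRACE echoed:", trace_echoed(SENT_TRACE, TRACE_RESPONSE))
    print("added in transit:", headers_added_in_transit(SENT_TRACE, TRACE_RESPONSE))
    print("TRACE disabled:", trace_echoed(SENT_TRACE, TRACE_DISABLED))
```

Against a live target the same functions take the raw bytes returned by a socket or by Burp; the X-Forwarded-For header in the sample shows the kind of alteration by an intermediary that TRACE makes visible.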

Session tracking using cookies

Cookies can be divided into two main categories: persistent cookies, which are written to disk and survive closing the browser, and non-persistent (session) cookies, which are kept in memory and discarded when the browser closes.

If you are using Windows 7, persistent cookies can be found at the following paths:

  • Internet Explorer: C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies. Each cookie is stored in a text file.
  • Google Chrome: C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\cookies. The cookies are stored in a single SQLite3 database (newer Chrome versions keep it under User Data\Default\Network instead). Cookies can also be viewed inside the browser by typing chrome://settings/cookies into the address bar.

Important cookie attributes

  • Domain: specifies the domain to which the cookie will be sent. Without it the cookie is sent only to the host that set it; with it, the cookie is also sent to subdomains.
  • Path: used together with Domain to narrow the cookie's scope to a URL path prefix.
  • HttpOnly: if this flag is set, JavaScript cannot read the cookie (document.cookie), which limits what an XSS payload can steal.
  • Secure: if this flag is set, the cookie is only sent over HTTPS (TLS), never over plain HTTP.
  • Expires: the cookie is stored until the time specified in this attribute. A cookie without Expires (or Max-Age) is a session cookie that is discarded when the browser closes.
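The cookie attributes above in working form, as an added example that is not from the book: a small parser for Set-Cookie headers, an audit that reports missing Secure/HttpOnly and persistence, and an implementation of the Domain/Path matching rules from RFC 6265 that answers "would the browser send this cookie to that URL?". The three sample headers are constructed for this example; the one simplification is that a cookie without a Path attribute is treated as Path=/ (RFC 6265 would derive the default path from the URL that set it).

```python
# Added example (not from the book): parse Set-Cookie headers, flag weak attributes,
# and work out where a browser would send each cookie using the Domain/Path rules
# of RFC 6265. The sample headers below are constructed for this example.
from typing import List, Optional
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(cookie: dict) -> bool:
    """Persistent cookies carry Expires or a positive Max-Age; anything else is a
    non-persistent (session) cookie discarded when the browser closes."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    return "expires" in attrs


def audit_cookie(cookie: dict) -> List[str]:
    """Findings a pentester would record about the cookie's protection flags."""
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from JavaScript via document.cookie")
    if is_persistent(cookie):
        findings.append("persistent: stored on disk and survives the browser session")
    return findings


def domain_matches(request_host: str, cookie_domain: Optional[str], origin_host: str) -> bool:
    """Without Domain the cookie is host-only (sent to the origin host only); with
    Domain, the request host must equal it or be a subdomain. A leading dot is ignored."""
    request_host = request_host.lower()
    if not cookie_domain:
        return request_host == origin_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: equal, or a prefix that ends at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_send(cookie: dict, origin_host: str, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?

    origin_host is the host that set the cookie. Simplification (assumption for this
    example): a cookie without Path is treated as Path=/.
    """
    u = urlsplit(url)
    attrs = cookie["attrs"]
    if "secure" in attrs and u.scheme != "https":
        return False
    if not domain_matches(u.hostname or "", attrs.get("domain"), origin_host):
        return False
    return path_matches(u.path or "/", attrs.get("path") or "/")


# Constructed sample headers, as a server might emit them.
SESSION_COOKIE = "sessionid=8f3a19c2; Path=/; HttpOnly; Secure"
WEAK_COOKIE = "PHPSESSID=4e2b77a1; Path=/"
REMEMBER_COOKIE = ("remember=1; Domain=.example.com; Path=/app; "
                   "Expires=Wed, 21 Oct 2030 07:28:00 GMT; Secure")

if __name__ == "__main__":
    for header in (SESSION_COOKIE, WEAK_COOKIE, REMEMBER_COOKIE):
        cookie = parse_set_cookie(header)
        print(cookie["name"], audit_cookie(cookie) or ["no findings"])
    remember = parse_set_cookie(REMEMBER_COOKIE)
    for url in ("https://api.example.com/app/login", "http://api.example.com/app/login",
                "https://api.example.com/application", "https://example.org/app"):
        print(url, "->", would_send(remember, "www.example.com", url))
```

The path check is the part people get wrong by hand: Path=/app covers /app/login but not /application, because the match must end at a "/" boundary.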

Multi-tier web application

  • Presentation layer: the web server. Apache, Nginx and Microsoft IIS are all deployed in this layer.
  • Application layer: the server-side code. PHP and ASP are programming languages that work at the application layer.
  • Data access layer: the database backend that the application layer queries.

Chapter 2: Setting up Your Lab with Kali Linux

Important tools in Kali Linux

These notes focus on the Kali menu category 03 - Web Application Analysis.

Web Application Proxies

  • Burp proxy