root@dafthack:~#‎ > ‎

REVIEW: Kali Linux Web Penetration Testing Cookbook

posted Mar 29, 2016, 9:07 PM by Beau Bullock   [ updated Mar 29, 2016, 9:13 PM ]
I perform pentests against web applications on a regular basis amongst other types of pentesting including internal network assessments, external network assessments, phishing, wireless, C2, pivot tests and more. In the past two years I've pentested around 40 different web applications for various organizations. I read the Kali Linux Web Penetration Testing Cookbook, and wanted to share my thoughts on the book.

This is a great book for introducing webapp attack vectors to new pentesters. There might be a section or two that seasoned pentesters find useful. I felt the author did a great job describing the tools and techniques in the book. The book lacks details into the underlying web protocols so don't expect to become an "expert" of all the intricacies involved in web applications after reading this book. I also feel there were a few items included that were a bit off topic and probably should not have been included in this book. That said, I give this book a 4 out of 5. 

Ok... the longer version is next. I've provided a brief outline of what is included in each chapter below, as well as what I felt was either awesome about the chapter or what I felt was missing in the "Comments" section.

-The author describes the book as being designed for many types of readers including those who want to go beyond general computer science study, application developers, and even seasoned security pros.
-States the book will include some possible intermediate or advanced exploitation by chaining attacks together.

Chapter 1 - Setting Up Kali
-Downlading Kali, and updating it
-Using OWASP Mantra - firefox plugin
-Setup Iceweasal with addons (tamperdata etc.)
-Using Owasp-bwa vm and BWapp Bee-box as target vuln machines
-Download Windows 7 IE8 VM as client for MitM attacks

There were no instructions on installing Kali. The book jumps straight from downloading it to updating it. Some readers might have trouble installing it. Also, the book is focused on installing Kali as the host OS. I would bet that the majority of readers who are jumping into web application pentesting will probably want to install Kali as VM. I was very happy to see that the author is putting the VM's to good use. 

Chapter 2 - Reconnaissance
-Nmap - shows basic network scan
-WAF detection with Nmap script http-waf-detect, http-waf-fingerprint, and wafw00f
-Looking at the source code of a page to identify vulnerabilities. Locating hidden fields that might be alterable
-Cookies manager+ to edit cookie values
-Looking in robots.txt for hidden dirs.
-Dirbuster to find hidden dirs - demos a basic wordlist but doesn't mention Dirbuster's wordlists (mentioned later when demoing Zap proxy forced browse)
-Cewl for creating wordlists from site content.
-Using John and the wordlist generated by Cewl to mangle a more complex wordlist with John's rules.
-Zap forced browse

This chapter does a decent job of covering recon for a webapp but I might add that during recon for a webapp Google can be your best friend. I discuss that in more detail in the next comments section. Also, is a good resource for finding what technologies a webapp is utilizing. 

Chapter 3 - Crawlers and Spiders
-Use wget and HTTrack to download website for offline analysis
-Using Zap and Burp to spider a site
-Burp's repeater to repeat requests
-Using webscarab to spider

Three different tools were demonstrated to perform the same task of spidering a site. Two tools were demonstrated to make a local copy of the site. The author did not mention what the purpose of creating a copy of the site was for or why this is useful. This section could be improved by spending less time on separate tools and more on focusing the spider engine. There are times where sites are so big that you may want to limit the spider's scope to only a certain directory and to only recurse a certain depth.

I would also add that Google has already done a good job of this. Using "Google hacking" techniques a pentester can find sensitive directories, and files without spidering at all. This can be a most valuable technique when the goal is to be stealthy.

Chapter 4 - Finding Vulnerabilities
-Hackbar Firefox addon - second address bar that is not affected by redirections, and allows  POST modification
-TamperData to modify requests
-Using Zap and Burp to intercept and modify requests
-Identifying XSS
-Uses DVWA XSS reflection exercise with basic alert script
-Error based SQLi with DVWA
-Blind SQLi
-Session cookie vulns - Mentions secure and httponly flag
-Using sslscan to get SSL info from a site
-Testing for LFI and RFI
-Detecting Poodle with Nmap script

While some more demonstrative examples are included later on in the book there was no information about why XSS is bad in this section. It could have provided a test case to demonstrate risk. There are a number of vulnerabilities that could be discovered through manual testing that were left out from this section. None of the following vulnerabilities were covered: CSRF (covered in advanced exploit chapter later on, but how to discover it), username harvesting, account lockout controls, session fixation, weak session token entropy, privilege escalation across access roles, insecure direct object reference (again, included later on in the book), etc.

I really like how the author is demonstrating some manual techniques prior to jumping into automated scanning. 

Chapter 5 - Automated Scanners
-Nikto scanner
-Wapiti scanner
-Zap automated scanner
-Using w3af scanner
-w3af has command line interface in addition to GUI
-vega vulnerability scanner - has ability to do auth to webapp but lacks reporting
-Using wmap as a scanner

Automated scanners can help speed up the process of a pentest. Being familiar with different types of scanners can help in various situations so I appreciate the inclusion of multiple tools. Although many tools were listed, I didn't feel that any real insight into what to do with the output of the scans was given. 

Chapter 6 - Exploitation - Low Hanging Fruits
-Uploading a PHP webshell to execute commands on the server
-Command injection - appending system commands to get Netcat shell is demonstrated
-XML External Entity Injection - very nice description and example of XXE. Also, the author demonstrates how it can be used to run commands when combined with a webshell upload vuln.
-Brute forcing passwords with THC-HYDRA
-Brute forcing passwords with Burp Intruder and wordlists
-Exploiting stored XSS to get a victims browser to visit an attacker hosted webserver with a PHP script to store cookies
-Nice manual SQLi walkthrough
-SQLMap for automated sqli
-Bruteforcing Tomcat logins with Metasploit module
-Tomcat war file upload with Laudanum web shell

I thought this section was probably the most valuable of the entire book with the next chapter being second. Good examples of some common exploit vectors were provided. Later on in the book the author dives into man-in-the-middle attacks and social engineering. I feel that these sections could have been left out and the author could have expanded chapters 6 and 7 as these two are truly the core of webapp testing. Having real world scenarios and potential exploit techniques really can help demonstrate to a reader what the risk is with certain vulnerabilities. I think the author did a fantastic job here. 

Chapter 7 - Advanced Exploitation
-Using Searchsploit to locate exploits in ExploitDB
-Exploiting Heartbleed
-Hooking a browser with Beef
-Manual blind SQL injection
-Using Sqlmap to gather data like current DB user and password hashes
-Decent CSRF walkthrough
-Decent Shellshock walkthrough 
-Cracking passwords with John and oclHashcat

More good examples were provided as in chapter 6. I think more information could have been provided regarding discovering particular vulnerabilities such as ShellShock, and CSRF. 

Chapter 8 - MitM attacks
-Using Ettercap to arp poison the network to MitM two systems
-Capturing packets with Wireshark
-Ettercap filters to replace data in web requests
-Use sslsplit to decrypt traffic after mitm (victim gets cert error)
-Spoofing dns to redirect requests

I'm not sure that I feel this chapter was necessary in this book. When approaching a web application pentest it is rare that the tester would need to demonstrate the risk of a MitM attack. The fact a user system can be attacked to create a MitM situation does not mean a vulnerability in the web application being tested exists. These are really "Network Pentest" techniques. 

Chapter 9 - Client Side Attacks and Social Engineering
-Harvesting login credentials with a scraped site using SET
-Creating a login harvester that actually logs the user into the real site.
-Creating a reverse shell Meterpreter exe 
-Browser autopwn Metasploit module
-Social engineering a user to run a malicious beef hook

Again, I'm not sure this chapter belongs here. There is a section in this chapter that explains how to create a Meterpreter payload, host the payload on an attacker's webserver, and then get a target to download it via social engineering. What does this have to do with webapp testing? I think between this chapter and the last the author could have expanded quite a bit on both webapp attack vectors, and the underlying protocols at use.

Chapter 10 - Fixing OWASP Top 10
-This chapter walks through the OWASP top 10 vulnerabilities and how to fix them. 

Comments: This chapter redeemed chapters 8 and 9 for me. It is rare that a "pentesting" book includes a very detailed chapter on actually fixing the vulnerabilities discovered through the techniques presented in the book. This chapter does this. As penetration testers we need to not only find the vulnerabilities, but also provide the best recommendations we can to fix them to the clients we are working with. 

Conclusion - 

The Good:
-The author portrays each concept taught in the book very well. His teaching style is very easy to understand and I think anyone can pick this book up and start learning.
-Many tools related to webapp pentesting that are built into Kali Linux are demonstrated.
-The majority of common vulnerabilities found in web applications are demonstrated.
-New web application testers will learn a ton!
-Seasoned web application testers might find a new trick or two.
-Great demonstrations of manual exploit techniques.
-For each of the tools demonstrated the author provides a number of additional options that may be useful.
-Chapter on fixing OWASP top 10 vulnerabilities is awesome. More pentesting books should include recommendations for fixing the vulnerabilities we find.

The Bad:
-No steps to install Kali
-No mention of Google Hacking
-Some common vulnerabilities were left out of the vulnerability discovery section including username harvesting, account lockout controls, session fixation, etc.
-No WPScan (Wordpress attack tool)
-MitM and Social Engineering chapters could have been replaced by more web application testing content