Preface
As a user’s we depend on web applications on our daily life. whether at home or at work, we access them several times a day from our smart phones, tablets, laptops and other devices. We use these Web applications to pay bills, online banking, shop, social network with friends and family and many other tasks.
Governments and businesses also depend on Web applications to do business and deliver services, this comes with many risks and threats to services delivered by businesses and governments. These risks and threats range from service availability to identity theft and hacking into systems and stealing sensitive information’s because web application deliver services through the internet, that means systems are exposed to hackers who want to exploit any vulnerability in these systems to disrupt services, steal sensitive information or spy on people or businesses.
Web applications development became very easy using today’s development frameworks. It’s became easier to create a functional web application without knowing anything about security. The subject of web application security is more important today than ever before. There is a significant need for more people to understand web applications attacks in the Information technology management side, information security side and information technology operations and development side.
This book takes the readers from starting level to advanced level in discovering and exploiting web applications vulnerabilities or what technically called Web penetration testing. By teaching the readers basic tools and techniques to find and exploit web applications vulnerabilities assuming no existing knowledge, web developers can see what areas to give more attention when developing web applications. For IT security managers and IT security analysts this book will show them web applications weaknesses that need to be harden. For those who would like to start a career as web penetration tester or website bug bounty hunters, this book will take them from zero to advanced level through clear step by step instructions about how to find weaknesses and how to exploit them.
Who is this Book for?
This book is a hands-on guide, it is for anyone interested in Websites security and wanted to know how hackers hack websites, what tool they use and how they do information gathering about their target. This book is aimed at people who are new to the world of ethical hacking and penetration testing. It is for those with little or no previous experience. However, this book is also good for Information Security Managers and Information Technology managers in general who want to understand what the threats to their systems and websites are when is exposed to the internet , what tools hackers use and what measures they need to take in order to protect their systems and networks.
This book contains step-by-step guide to 32 Web Penetration tests that are tested in the latest Kali Linux version 2020.1. It includes clear screen shots and easy to follow steps to most of Websites hacking techniques such as Website information gathering, DNS hijacking attacks, HTTP and HTTPS intercepting and decrypting, Cross Site Scripting XSS . SQL injection and more.
The Book can be used as a reference guide to Websites and Web applications penetration testers
Book Primary audience:
People who are interested in web applications security.
Website Penetration testers.
Websites administrators.
Information security analysts.
Website Developers.
Information Security managers.
Information Technology managers.
White Hat ethical hacker Ethics
This book teaches you to be a penetration tester in other word a white hat ethical hacker. The exercises listed in this book can be very harmful and illegal to do in real environment without prior permission to conduct such activities against any information system, Website, network or normal client who use computing devices.
Don’t be malicious.
Don’t use skills learned in illegal activities.
If you are doing Penetration testing for external Client, keep all data gathered during the penetration testing confidential and don’t not reveal the Data to anyone without the consent of the client.
Don’t use computer to harm or interfere with other people’s work.
Neither the author of this book, nor the publisher encourage the misuse of the penetration testing exercises listed in this book.
Chapter 1: Lab setup
All the exercises will be done in a virtual environment inside the student laptop, using Virtual box in a Windows 10 host or Mac. In order to do all exercises comfortably the laptop should have enough RAM, CPU and Disk space. Kali Linux will be the Main attacker Virtual machine, the victims machine will be normal Windows 10 and 8 pro machine, plus Metasploitable machine which is a vulnerable Linux server and OWASP virtual machine is other Linux server meant to test webserver specifically
Laptop minimum requirement
In the book all exercise and tests will be performed in user laptop, so in order to run all Labs smoothly the laptop should meet the following requirement:
CPU: Core i5 or similar
RAM: 8G RAM (16G is recommended)
Disk space 120G
Virtual box
Virtual Box is an open source virtualization platform that provided by Oracle and it works with Windows, MAC and Linux, in this training we are going to use Virtual box as our main Virtualization platform that going to host our virtual machines that we are going to practice Penetration testing on them.
Virtual Box Installation:
Go to https://www.virtualbox.org/ and download latest version of virtual box software.
From the same page also download virtual box extension pack.
Run the virtual box software
Run virtual box extension pack software
After Virtual box installation complete, create new NAT Network
Open Virtual box software and go to File Preferences Network
Add NatNetwork
Virtual Machines installation
The Lab which we are going to use will be setup inside the virtual Box software and will contain 3 VMs:
1 Attacker Machine which is Kali Linux
2 Victim machine Windows 10
3 Vulnerable Web sites (Metaspoliatble )
4 OWASP virtual machines based on Linux)
Kali Linux
Kali Linux is an open source Debian based Linux distribution that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services, Kali contains several hundred of tools used for information security tasks such as Penetration testing, Security research, Computer forensics and Reverse Engineering.
Download Kali Linux Virtual Box VM from