LEADER 00000nam a22004933i 4500 
001    EBC5314613 
003    MiAaPQ 
005    20200713055456.0 
006    m     o  d |       
007    cr cnu|||||||| 
008    200713s2018    xx      o     ||||0 eng d 
020    9781788623803|q(electronic bk.) 
020    |z9781788623377 
035    (MiAaPQ)EBC5314613 
035    (Au-PeEL)EBL5314613 
035    (CaPaEBR)ebr11520258 
035    (OCoLC)1028221202 
040    MiAaPQ|beng|erda|epn|cMiAaPQ|dMiAaPQ 
050  4 QA76.9.A25 .N354 2018 
082 0  005.8 
100 1  Najera-Gutierrez, Gilberto 
245 10 Web Penetration Testing with Kali Linux :|bExplore the 
       Methods and Tools of Ethical Hacking with Kali Linux, 3rd 
       Edition 
250    3rd ed 
264  1 Birmingham :|bPackt Publishing, Limited,|c2018 
264  4 |c©2018 
300    1 online resource (421 pages) 
336    text|btxt|2rdacontent 
337    computer|bc|2rdamedia 
338    online resource|bcr|2rdacarrier 
505 0  Cover -- Title Page -- Copyright and Credits -- Dedication
       -- Packt Upsell -- Contributors -- Table of Contents -- 
       Preface -- Chapter 1: Introduction to Penetration Testing 
       and Web Applications -- Proactive security testing -- 
       Different testing methodologies -- Ethical hacking -- 
       Penetration testing -- Vulnerability assessment -- 
       Security audits -- Considerations when performing 
       penetration testing -- Rules of Engagement -- The type and
       scope of testing -- Client contact details -- Client IT 
       team notifications -- Sensitive data handling -- Status 
       meeting and reports -- The limitations of penetration 
       testing -- The need for testing web applications -- 
       Reasons to guard against attacks on web applications -- 
       Kali Linux -- A web application overview for penetration 
       testers -- HTTP protocol -- Knowing an HTTP request and 
       response -- The request header -- The response header -- 
       HTTP methods -- The GET method -- The POST method -- The 
       HEAD method -- The TRACE method -- The PUT and DELETE 
       methods -- The OPTIONS method -- Keeping sessions in HTTP 
       -- Cookies -- Cookie flow between server and client -- 
       Persistent and nonpersistent cookies -- Cookie parameters 
       -- HTML data in HTTP response -- The server-side code -- 
       Multilayer web application -- Three-layer web application 
       design -- Web services -- Introducing SOAP and REST web 
       services -- HTTP methods in web services -- XML and JSON -
       - AJAX -- Building blocks of AJAX -- The AJAX workflow -- 
       HTML5 -- WebSockets -- Summary -- Chapter 2: Setting Up 
       Your Lab with Kali Linux -- Kali Linux -- Latest 
       improvements in Kali Linux -- Installing Kali Linux -- 
       Virtualizing Kali Linux versus installing it on physical 
       hardware -- Installing on VirtualBox -- Creating the 
       virtual machine -- Installing the system -- Important 
       tools in Kali Linux -- CMS & Framework Identification -- 
       WPScan -- JoomScan -- CMSmap 
505 8  Web Application Proxies -- Burp Proxy -- Customizing 
       client interception -- Modifying requests on the fly -- 
       Burp Proxy with HTTPS websites -- Zed Attack Proxy -- 
       ProxyStrike -- Web Crawlers and Directory Bruteforce -- 
       DIRB -- DirBuster -- Uniscan -- Web Vulnerability Scanners
       -- Nikto -- w3af -- Skipfish -- Other tools -- OpenVAS -- 
       Database exploitation -- Web application fuzzers -- Using 
       Tor for penetration testing -- Vulnerable applications and
       servers to practice on -- OWASP Broken Web Applications --
       Hackazon -- Web Security Dojo -- Other resources -- 
       Summary -- Chapter 3: Reconnaissance and Profiling the Web
       Server -- Reconnaissance -- Passive reconnaissance versus 
       active reconnaissance -- Information gathering -- Domain 
       registration details -- Whois - extracting domain 
       information -- Identifying related hosts using DNS -- Zone
       transfer using dig -- DNS enumeration -- DNSEnum -- Fierce
       -- DNSRecon -- Brute force DNS records using Nmap -- Using
       search engines and public sites to gather information -- 
       Google dorks -- Shodan -- theHarvester -- Maltego -- Recon
       -ng - a framework for information gathering -- Domain 
       enumeration using Recon-ng -- Sub-level and top-level 
       domain enumeration -- Reporting modules -- Scanning - 
       probing the target -- Port scanning using Nmap -- 
       Different options for port scan -- Evading firewalls and 
       IPS using Nmap -- Identifying the operating system -- 
       Profiling the server -- Identifying virtual hosts -- 
       Locating virtual hosts using search engines -- Identifying
       load balancers -- Cookie-based load balancer -- Other ways
       of identifying load balancers -- Application version 
       fingerprinting -- The Nmap version scan -- The Amap 
       version scan -- Fingerprinting the web application 
       framework -- The HTTP header -- The WhatWeb scanner -- 
       Scanning web servers for vulnerabilities and 
       misconfigurations 
505 8  Identifying HTTP methods using Nmap -- Testing web servers
       using auxiliary modules in Metasploit -- Identifying HTTPS
       configuration and issues -- OpenSSL client -- Scanning TLS
       /SSL configuration with SSLScan -- Scanning TLS/SSL 
       configuration with SSLyze -- Testing TLS/SSL configuration
       using Nmap -- Spidering web applications -- Burp Spider --
       Application login -- Directory brute forcing -- DIRB -- 
       ZAP's forced browse -- Summary -- Chapter 4: 
       Authentication and Session Management Flaws -- 
       Authentication schemes in web applications -- Platform 
       authentication -- Basic -- Digest -- NTLM -- Kerberos -- 
       HTTP Negotiate -- Drawbacks of platform authentication -- 
       Form-based authentication -- Two-factor Authentication -- 
       OAuth -- Session management mechanisms -- Sessions based 
       on platform authentication -- Session identifiers -- 
       Common authentication flaws in web applications -- Lack of
       authentication or incorrect authorization verification -- 
       Username enumeration -- Discovering passwords by brute 
       force and dictionary attacks -- Attacking basic 
       authentication with THC Hydra -- Attacking form-based 
       authentication -- Using Burp Suite Intruder -- Using THC 
       Hydra -- The password reset functionality -- Recovery 
       instead of reset -- Common password reset flaws -- 
       Vulnerabilities in 2FA implementations -- Detecting and 
       exploiting improper session management -- Using Burp 
       Sequencer to evaluate the quality of session IDs -- 
       Predicting session IDs -- Session Fixation -- Preventing 
       authentication and session attacks -- Authentication 
       guidelines -- Session management guidelines -- Summary -- 
       Chapter 5: Detecting and Exploiting Injection-Based Flaws 
       -- Command injection -- Identifying parameters to inject 
       data -- Error-based and blind command injection -- 
       Metacharacters for command separator -- Exploiting 
       shellshock -- Getting a reverse shell 
505 8  Exploitation using Metasploit -- SQL injection -- An SQL 
       primer -- The SELECT statement -- Vulnerable code -- SQL 
       injection testing methodology -- Extracting data with SQL 
       injection -- Getting basic environment information -- 
       Blind SQL injection -- Automating exploitation -- sqlninja
       -- BBQSQL -- sqlmap -- Attack potential of the SQL 
       injection flaw -- XML injection -- XPath injection -- 
       XPath injection with XCat -- The XML External Entity 
       injection -- The Entity Expansion attack -- NoSQL 
       injection -- Testing for NoSQL injection -- Exploiting 
       NoSQL injection -- Mitigation and prevention of injection 
       vulnerabilities -- Summary -- Chapter 6: Finding and 
       Exploiting Cross-Site Scripting (XSS) Vulnerabilities -- 
       An overview of Cross-Site Scripting -- Persistent XSS -- 
       Reflected XSS -- DOM-based XSS -- XSS using the POST 
       method -- Exploiting Cross-Site Scripting -- Cookie 
       stealing -- Website defacing -- Key loggers -- Taking 
       control of the user's browser with BeEF-XSS -- Scanning 
       for XSS flaws -- XSSer -- XSS-Sniper -- Preventing and 
       mitigating Cross-Site Scripting -- Summary -- Chapter 7: 
       Cross-Site Request Forgery, Identification, and 
       Exploitation -- Testing for CSRF flaws -- Exploiting a 
       CSRF flaw -- Exploiting CSRF in a POST request -- CSRF on 
       web services -- Using Cross-Site Scripting to bypass CSRF 
       protections -- Preventing CSRF -- Summary -- Chapter 8: 
       Attacking Flaws in Cryptographic Implementations -- A 
       cryptography primer -- Algorithms and modes -- Asymmetric 
       encryption versus symmetric encryption -- Symmetric 
       encryption algorithm -- Stream and block ciphers -- 
       Initialization Vectors -- Block cipher modes -- Hashing 
       functions -- Salt values -- Secure communication over SSL/
       TLS -- Secure communication in web applications -- TLS 
       encryption process -- Identifying weak implementations of 
       SSL/TLS -- The OpenSSL command-line tool -- SSLScan -- 
       SSLyze 
505 8  Testing SSL configuration using Nmap -- Exploiting 
       Heartbleed -- POODLE -- Custom encryption protocols -- 
       Identifying encrypted and hashed information -- Hashing 
       algorithms -- hash-identifier -- Frequency analysis -- 
       Entropy analysis -- Identifying the encryption algorithm -
       - Common flaws in sensitive data storage and transmission 
       -- Using offline cracking tools -- Using John the Ripper -
       - Using Hashcat -- Preventing flaws in cryptographic 
       implementations -- Summary -- Chapter 9: AJAX, HTML5, and 
       Client-Side Attacks -- Crawling AJAX applications -- AJAX 
       Crawling Tool -- Sprajax -- The AJAX Spider - OWASP ZAP --
       Analyzing the client-side code and storage -- Browser 
       developer tools -- The Inspector panel -- The Debugger 
       panel -- The Console panel -- The Network panel -- The 
       Storage panel -- The DOM panel -- HTML5 for penetration 
       testers -- New XSS vectors -- New elements -- New 
       properties -- Local storage and client databases -- Web 
       Storage -- IndexedDB -- Web Messaging -- WebSockets -- 
       Intercepting and modifying WebSockets -- Other relevant 
       features of HTML5 -- Cross-Origin Resource Sharing (CORS) 
       -- Geolocation -- Web Workers -- Bypassing client-side 
       controls -- Mitigating AJAX, HTML5, and client-side 
       vulnerabilities -- Summary -- Chapter 10: Other Common 
       Security Flaws in Web Applications -- Insecure direct 
       object references -- Direct object references in web 
       services -- Path traversal -- File inclusion 
       vulnerabilities -- Local File Inclusion -- Remote File 
       Inclusion -- HTTP parameter pollution -- Information 
       disclosure -- Mitigation -- Insecure direct object 
       references -- File inclusion attacks -- HTTP parameter 
       pollution -- Information disclosure -- Summary -- Chapter 
       11: Using Automated Scanners on Web Applications -- 
       Considerations before using an automated scanner -- Web 
       application vulnerability scanners in Kali Linux -- Nikto 
       -- Skipfish 
505 8  Wapiti 
520    This book covers everything you need to set up a Kali 
       Linux lab, the latest generation of the BackTrack Linux 
       penetration testing and security auditing Linux 
       distribution. Learn how to use the hundred tools Kali 
       Linux has so you can manage security tasks such as 
       penetration testing, forensics, and reverse engineering 
588    Description based on publisher supplied metadata and other
       sources 
590    Electronic reproduction. Ann Arbor, Michigan : ProQuest 
       Ebook Central, 2020. Available via World Wide Web. Access 
       may be limited to ProQuest Ebook Central affiliated 
       libraries 
650  0 Penetration testing (Computer security) 
655  4 Electronic books 
700 1  Ansari, Juned Ahmed 
776 08 |iPrint version:|aNajera-Gutierrez, Gilberto|tWeb 
       Penetration Testing with Kali Linux : Explore the Methods 
       and Tools of Ethical Hacking with Kali Linux, 3rd Edition
       |dBirmingham : Packt Publishing, Limited,c2018
       |z9781788623377 
856 40 |uhttps://ebookcentral.proquest.com/lib/sinciatw/
       detail.action?docID=5314613|zClick to View