I recently finished the book Web Penetration Testing With Kali Linux by Joseph Muniz and Amir Lakhani, and I decided to write a review of it. It is a book about performing penetration tests (in layman's terms: hacking) specifically on web applications. I found the title catchy and intriguing because web penetration testing is currently the biggest area in the world of information security, and Kali is the latest penetration testing platform.
[Book cover image; image courtesy: Amazon.in]
Content
The book highlights most of the standard techniques in hacking and testing web applications. It follows the five steps of hacking: reconnaissance, target evaluation, exploitation, privilege escalation, and maintaining access.

The first two chapters deal with the basic concepts and reconnaissance. They also teach you how to install Kali in a VM. From the third chapter onwards, the attacks are classified into server-side attacks, client-side attacks, attacking authentication, web attacks, etc. Under server-side attacks, the authors have shown the usual pentesting tools such as Metasploit, w3af, Hydra, sslstrip, etc. Under client-side attacks, there are the Social Engineering Toolkit, MITM proxies, Nessus, etc. Under authentication and web attacks, there are Wireshark, man-in-the-middle attacks, dnssniff and arpspoof, Firefox plugins, Burp Suite, denial of service, etc. If you are a seasoned penetration tester, by now you may have noticed that most of these tools and techniques are standard practice and there is nothing new here. What the authors have essentially done is bring together all the tools and techniques for penetration testing so that they all fit under one platform, Kali Linux. Kali has most tools preinstalled, so the idea here is to identify all the tools relevant to web application pentesting. In every chapter there is a brief explanation of the attack methodology and a very small demo of the tool. The last chapter covers report writing and gives a brief overview of auditing standards. There is also mention of several reporting tools.
Conclusion
The book is a good read and it covers a very vast array of topics, but it isn't as detailed as I had hoped. All in all, if you are a beginner in the penetration testing scene, this book is for you. It will serve as a good starting point for testing web applications. However, as I mentioned before, the techniques aren't covered in much detail, so you will have to supplement your reading with Google searches if you want to be thorough. As for the professional penetration tester, the book will serve as a reference to cover all bases while pentesting.