I recently finished the book Web Penetration Testing With Kali Linux by Joseph Muniz and Amir Lakhani and I decided to write a review of it. It is a book about performing penetration tests (In layman terms: hacking) specifically on web applications. I found the title catchy and intriguing because web penetration testing is currently the biggest area in the world of information security and Kali is the latest penetration testing platform.
|Image courtesy: Amazon.in|
The book highlights most of the standard techniques in hacking and testing web applications. It follows five steps of hacking, reconnaissance, target evaluation, exploitation, privilege escalation and maintaining access. The first two chapters deal with the basic concepts and reconnaissance. They also teach you how to install Kali in a VM. For the third chapter onwards, the attacks are classified into server side attacks, client side attacks, Attacking authentication, web attacks etc. In server side attacks, the authors have shown the usual pentesting tools such as metasploit, w3af, hydra, SSLstrip etc. Under client side attacks, there are Social Engineering Toolkit ,MITM proxies, Nessus etc. Under authentication and web attacks, there is Wireshark, man in the middle attacks, dnssniff and arpspoof, Firefox plugins , Burpsuite, Denial of service etc. If you are a seasoned penetration tester, by now you may have noticed that most of these tools and techniques are standard practice and there is nothing new here. What the authors have essentially done is, bring together all the tools and techniques for penetration testing so that they all fit under one platform, Kali Linux. Kali has most tools preinstalled, so, the idea here is to identify all tools relevant to web application pentesting. In all the chapters, there is a brief explanation of the attack methodology, and a very small demo of the tool. The last chapter covers report writing and a brief about auditing standards. There is also mention of several reporting tools.
The book is a good read and it covers a very vast array of topics, but it isn't as detailed as I had hoped. All in all, if you are a beginner in the penetration testing scenario, this book is for you. It will serve as a good starting point for testing web applications. However, like I mentioned before, the techniques aren't too detailed, so you will have to supplement your reading with Google searches if you want to be thorough. And as for the professional penetration tester, the book will serve as a reference to cover all bases while pentesting.