viprajput

g1s16

Jul 11th, 2018
SESSION 16
==========

CSRF
=====
CSRF stands for Cross-Site Request Forgery (sometimes expanded as Client-Site Request Forgery). It is a web application attack in which an attacker forces an end user to execute unwanted actions on a web application in which they are currently authenticated. The attacker crafts malicious links or pages to lure the victim into triggering the request, then misuses the result to steal their data for illegal purposes, which can further lead to identity theft.

Eg. a user is already logged in to a bank site and clicks an ad on another, malicious website stating "click here to win an iPhone X"; the ad is malicious.

Demonstration on LVS and DVWA.

--------------------------------------------------------------------------------------------------------------------------------------------------------------

MISSING FUNCTION LEVEL ACCESS CONTROL
=====================================

Let us first understand what Access Control means.
Access Control : access control is the process by which users are granted access and certain privileges to systems, resources or information. The term usually refers to authentication checks.

Most web applications verify function-level access rights before making that functionality accessible to the user. Missing Function Level Access Control is one of the vulnerabilities on OWASP's Top 10 list and occurs when those authentication checks are insufficient and attackers misuse them.

Demonstration on LVS via Unrestricted User Access to the Admin Account.

---------------------------------------------------------------------------------------------------------------------------------------------------------------

UNVALIDATED REDIRECTS AND FORWARDS
===================================
Most web applications on the internet frequently redirect and forward users to other pages or to external websites.
Unvalidated (also written "invalidated") redirects and forwards means redirecting an authenticated, valid user to a phishing or malicious web page set up by the attacker, or using forwards to reach unauthorized pages.

How to find the redirecting value?
There is a redirect_to="url" value in the hyperlinks; this signifies that the URL is redirecting us to a particular (possibly malicious) link.

Demonstration on LVS of Manual Redirects and Automatic Redirects.
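The defensive side of the redirect_to value above, as an added example that is not part of these session notes: a server-side check that only honours a redirect_to target when it resolves to the application's own host, rejecting the protocol-relative (//evil), backslash and javascript: variants that naive "starts with /" checks miss. The host name bank.example is a constructed placeholder.

```python
from typing import Optional
from urllib.parse import urljoin, urlparse

# Constructed placeholder for the application's own host.
APP_HOST = "bank.example"


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Return True only if `target` stays on app_host over http(s).

    Rejects absolute URLs to other hosts, protocol-relative '//evil' forms,
    backslash tricks such as '/\\evil', userinfo tricks such as
    'https://bank.example@evil', and non-http schemes such as javascript:.
    """
    if not target:
        return False
    # Browsers treat backslashes like forward slashes in URLs; normalise
    # before parsing so '/\\evil.example' is not mistaken for a relative path.
    candidate = target.replace("\\", "/")
    # Resolve relative targets against the app so '/account' becomes
    # 'https://bank.example/account'; absolute and //host targets keep their host.
    resolved = urljoin(f"https://{app_host}/", candidate)
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https"):
        return False
    # hostname strips port and userinfo and lower-cases the result.
    return parts.hostname == app_host.lower()


def choose_redirect(redirect_to: Optional[str], fallback: str = "/") -> str:
    """Pick the post-login destination: the requested one if safe, else fallback."""
    if redirect_to and is_safe_redirect(redirect_to):
        return redirect_to
    return fallback


if __name__ == "__main__":
    for t in ["/account", "https://evil.example/phish", "//evil.example", "javascript:alert(1)"]:
        print(f"{t!r:40} -> {choose_redirect(t)}")
```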

----------------------------------------------------------------------------------------------------------------------