SlideShare a Scribd company logo

Intro to Web Hacking

Download as PPTX, PDF
Helge Sverre Hessevik Liseth
Helge Sverre Hessevik Liseth

This document introduces common web hacking techniques such as SQL injection, local/remote file inclusion (LFI/RFI), cross-site scripting (XSS), session hijacking, web shells, and provides a demonstration of exploiting vulnerabilities on a vulnerable web application. It also lists resources for learning about ethical hacking of web applications such as courses, YouTube playlists, and security blogs.

Internet
1 of 13
INTRODUKSJON TIL WEB HACKING Ein kikk på di mest kjente sikkerhets hullene hos web applikasjoner Helge Sverre Hessevik Liseth https://helgesverre.com
SQL INJECTION • Gjør det mulig å kjøre egen SQL kode på serveren • Dårlig filterering av parameterer
LFI & RFI • Local File Inclusion • Remote File Inclusion • Let me just file_get_contents() whatever you pass into the URL
XSS – CROSS SITE SCRIPTING • A.K.A – Let me just add all my JavaScript in here. • Uten filtrering av bruker input kan script og nasty shit bli lagret • Kan brukes til å stjele cookies
SESSION HIJACKING - CAN I HAZ COOKIES? • Cookies brukes til (ofte) autentisering • Steal Cookie -> Use Cookie -> Steal logged in session
WEB SHELLS • PHP Script som lar man gjøre system kommandoer ifra browseren • <?php system($_GET[‘cmd’]; ?> • C99, C100, WSO, b374k
DEMO – LIVE HACKING • Damn Vulnerable Web App • http://dvwa.helgesverre.com • I assume no liability for the actions you choose to partake in, I am providing this information for educational purposes, any illicit activity is solely your own god damned fault.
KEEPING UP WITH THE KARDASHIANS EXPLOITS! • Exploit-db.com • CVEDetails.com • blog.sucuri.net • reddit.com/r/netsec
RESURSER • https://app.pluralsight.com/library/courses/ethical-hacking-web- applications • http://www.pentesteracademy.com/course?id=5 • https://www.youtube.com/playlist?list=PLnTZ5U14285BvyWNsjr5zIoXAm1t7 vsS4 • https://www.youtube.com/playlist?list=PLdAZSmMuzxzLc9B0gpOEVv0PlotD ykMoV • http://bobby-tables.com/ • https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet • http://www.amazon.com/The-Web-Application-Hackers-
BLOGGER SOM IKKJE ER ROSA • https://troyhunt.com • http://krebsonsecurity.com/ • https://itsjack.cc/blog/ • https://godpraksis.no/
CREDZ • Xkcd.com – There is always a relevant XKCD • RandomStorm – Utvikler av DVWA

Recommended

Hardening Apache Web Server by Aswin
Hardening Apache Web Server by AswinHardening Apache Web Server by Aswin
Hardening Apache Web Server by AswinAgate Studio
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardeningn|u - The Open Security Community
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSAnant Shrivastava
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAnant Shrivastava
 
Asp.net performance secrets
Asp.net performance secretsAsp.net performance secrets
Asp.net performance secretsMahmoud Ghoz
 
The moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp SofiaThe moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp SofiaMarko Heijnen
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 

Recommended

Hardening Apache Web Server by Aswin
Hardening Apache Web Server by AswinHardening Apache Web Server by Aswin
Hardening Apache Web Server by AswinAgate Studio
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardeningn|u - The Open Security Community
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSAnant Shrivastava
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAnant Shrivastava
 
Asp.net performance secrets
Asp.net performance secretsAsp.net performance secrets
Asp.net performance secretsMahmoud Ghoz
 
The moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp SofiaThe moment my site got hacked - WordCamp Sofia
The moment my site got hacked - WordCamp SofiaMarko Heijnen
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Anna Klepacka
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityJie Liau
 
RoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
 
Protecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityProtecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityJie Liau
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server SecurityResellerClub
 
Mike MacCana - Deploying your JS app in 2018
Mike MacCana - Deploying your JS app in 2018 Mike MacCana - Deploying your JS app in 2018
Mike MacCana - Deploying your JS app in 2018 OdessaJS Conf
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Deployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity ServerDeployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity ServerMifrazMurthaja
 
Nimrod duck hunter copy
Nimrod duck hunter copyNimrod duck hunter copy
Nimrod duck hunter copyNimrod Levy
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
Azure Bastion Cloud swipes 01
Azure Bastion Cloud swipes 01 Azure Bastion Cloud swipes 01
Azure Bastion Cloud swipes 01 Dileepa Rajapaksa
 
OWASP CSRF Protector
OWASP CSRF ProtectorOWASP CSRF Protector
OWASP CSRF ProtectorMinhaz A V
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application securityJames Crowley
 
Random numbers
Random numbersRandom numbers
Random numbersPositive Hack Days
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversAxilis
 
Markus Huster: Communication device for deaf-blind people
Markus Huster: Communication device for deaf-blind peopleMarkus Huster: Communication device for deaf-blind people
Markus Huster: Communication device for deaf-blind peopleMFG Innovationsagentur
 
“WIRELESS TILT MOUSE” -using XBEE module
“WIRELESS TILT MOUSE” -using XBEE module“WIRELESS TILT MOUSE” -using XBEE module
“WIRELESS TILT MOUSE” -using XBEE moduleRishabh Gupta
 

More Related Content

What's hot

Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Anna Klepacka
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityJie Liau
 
RoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
 
Protecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityProtecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityJie Liau
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server SecurityResellerClub
 
Mike MacCana - Deploying your JS app in 2018
Mike MacCana - Deploying your JS app in 2018 Mike MacCana - Deploying your JS app in 2018
Mike MacCana - Deploying your JS app in 2018 OdessaJS Conf
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Deployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity ServerDeployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity ServerMifrazMurthaja
 
Nimrod duck hunter copy
Nimrod duck hunter copyNimrod duck hunter copy
Nimrod duck hunter copyNimrod Levy
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
Azure Bastion Cloud swipes 01
Azure Bastion Cloud swipes 01 Azure Bastion Cloud swipes 01
Azure Bastion Cloud swipes 01 Dileepa Rajapaksa
 
OWASP CSRF Protector
OWASP CSRF ProtectorOWASP CSRF Protector
OWASP CSRF ProtectorMinhaz A V
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application securityJames Crowley
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversAxilis
 

What's hot (20)

Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container Security
 
RoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails example
 
Protecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityProtecting Your Internet Route Integrity
Protecting Your Internet Route Integrity
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server Security
 
Mike MacCana - Deploying your JS app in 2018
Mike MacCana - Deploying your JS app in 2018 Mike MacCana - Deploying your JS app in 2018
Mike MacCana - Deploying your JS app in 2018
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSEC
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
Deployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity ServerDeployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity Server
 
Nimrod duck hunter copy
Nimrod duck hunter copyNimrod duck hunter copy
Nimrod duck hunter copy
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)
 
Azure Bastion Cloud swipes 01
Azure Bastion Cloud swipes 01 Azure Bastion Cloud swipes 01
Azure Bastion Cloud swipes 01
 
OWASP CSRF Protector
OWASP CSRF ProtectorOWASP CSRF Protector
OWASP CSRF Protector
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application security
 
Random numbers
Random numbersRandom numbers
Random numbers
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
 

Viewers also liked

Markus Huster: Communication device for deaf-blind people
Markus Huster: Communication device for deaf-blind peopleMarkus Huster: Communication device for deaf-blind people
Markus Huster: Communication device for deaf-blind peopleMFG Innovationsagentur
 
“WIRELESS TILT MOUSE” -using XBEE module
“WIRELESS TILT MOUSE” -using XBEE module“WIRELESS TILT MOUSE” -using XBEE module
“WIRELESS TILT MOUSE” -using XBEE moduleRishabh Gupta
 
3D Printed Wireless Mouse
3D Printed Wireless Mouse3D Printed Wireless Mouse
3D Printed Wireless MouseZMorph
 
Mse%204001%20 Wireless%20 Optical%20 Mouse
Mse%204001%20 Wireless%20 Optical%20 MouseMse%204001%20 Wireless%20 Optical%20 Mouse
Mse%204001%20 Wireless%20 Optical%20 Mouseadamwentworth
 
Input devices_(Mouse and Keyboard)
Input devices_(Mouse and Keyboard)Input devices_(Mouse and Keyboard)
Input devices_(Mouse and Keyboard)Hossain Md Shakhawat
 
Computer mouse.pptx
Computer mouse.pptxComputer mouse.pptx
Computer mouse.pptxgadhon
 

Viewers also liked (6)

Markus Huster: Communication device for deaf-blind people
Markus Huster: Communication device for deaf-blind peopleMarkus Huster: Communication device for deaf-blind people
Markus Huster: Communication device for deaf-blind people
 
“WIRELESS TILT MOUSE” -using XBEE module
“WIRELESS TILT MOUSE” -using XBEE module“WIRELESS TILT MOUSE” -using XBEE module
“WIRELESS TILT MOUSE” -using XBEE module
 
3D Printed Wireless Mouse
3D Printed Wireless Mouse3D Printed Wireless Mouse
3D Printed Wireless Mouse
 
Mse%204001%20 Wireless%20 Optical%20 Mouse
Mse%204001%20 Wireless%20 Optical%20 MouseMse%204001%20 Wireless%20 Optical%20 Mouse
Mse%204001%20 Wireless%20 Optical%20 Mouse
 
Input devices_(Mouse and Keyboard)
Input devices_(Mouse and Keyboard)Input devices_(Mouse and Keyboard)
Input devices_(Mouse and Keyboard)
 
Computer mouse.pptx
Computer mouse.pptxComputer mouse.pptx
Computer mouse.pptx
 

Similar to Intro to Web Hacking

Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSSDefconRussia
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server SecurityBrian Pontarelli
 
Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)Shrutirupa Banerjiee
 
Web & Wireless Hacking
Web & Wireless HackingWeb & Wireless Hacking
Web & Wireless HackingDon Anto
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
AOEconf17: Application Security
AOEconf17: Application SecurityAOEconf17: Application Security
AOEconf17: Application SecurityAOE
 
AOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOE
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
CS166 Final project
CS166 Final projectCS166 Final project
CS166 Final projectKaya Ota
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격선협 이
 

Similar to Intro to Web Hacking (20)

Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSS
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)
 
Web & Wireless Hacking
Web & Wireless HackingWeb & Wireless Hacking
Web & Wireless Hacking
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
AOEconf17: Application Security
AOEconf17: Application SecurityAOEconf17: Application Security
AOEconf17: Application Security
 
AOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian Ike
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
CS166 Final project
CS166 Final projectCS166 Final project
CS166 Final project
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격
 

Recently uploaded

FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 

Recently uploaded (20)

Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 

Intro to Web Hacking

  • 1. INTRODUKSJON TIL WEB HACKING Ein kikk på di mest kjente sikkerhets hullene hos web applikasjoner Helge Sverre Hessevik Liseth https://helgesverre.com
  • 2. SQL INJECTION • Gjør det mulig å kjøre egen SQL kode på serveren • Dårlig filterering av parameterer
  • 3. LFI & RFI • Local File Inclusion • Remote File Inclusion • Let me just file_get_contents() whatever you pass into the URL
  • 4. XSS – CROSS SITE SCRIPTING • A.K.A – Let me just add all my JavaScript in here. • Uten filtrering av bruker input kan script og nasty shit bli lagret • Kan brukes til å stjele cookies
  • 5. SESSION HIJACKING - CAN I HAZ COOKIES? • Cookies brukes til (ofte) autentisering • Steal Cookie -> Use Cookie -> Steal logged in session
  • 6. WEB SHELLS • PHP Script som lar man gjøre system kommandoer ifra browseren • <?php system($_GET[‘cmd’]; ?> • C99, C100, WSO, b374k
  • 7.
  • 8. DEMO – LIVE HACKING • Damn Vulnerable Web App • http://dvwa.helgesverre.com • I assume no liability for the actions you choose to partake in, I am providing this information for educational purposes, any illicit activity is solely your own god damned fault.
  • 9. KEEPING UP WITH THE KARDASHIANS EXPLOITS! • Exploit-db.com • CVEDetails.com • blog.sucuri.net • reddit.com/r/netsec
  • 10. RESURSER • https://app.pluralsight.com/library/courses/ethical-hacking-web- applications • http://www.pentesteracademy.com/course?id=5 • https://www.youtube.com/playlist?list=PLnTZ5U14285BvyWNsjr5zIoXAm1t7 vsS4 • https://www.youtube.com/playlist?list=PLdAZSmMuzxzLc9B0gpOEVv0PlotD ykMoV • http://bobby-tables.com/ • https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet • http://www.amazon.com/The-Web-Application-Hackers-
  • 11.
  • 12. BLOGGER SOM IKKJE ER ROSA • https://troyhunt.com • http://krebsonsecurity.com/ • https://itsjack.cc/blog/ • https://godpraksis.no/
  • 13. CREDZ • Xkcd.com – There is always a relevant XKCD • RandomStorm – Utvikler av DVWA