Infosec girls training-hackcummins-college-jan-2020(v0.1)


The presentation covers the basics of web applications and different ways to detect and analyse security issues in them. DVWA was used as the vulnerable web application on which to practise, analyse and exploit several critical vulnerabilities.

The training was conducted on 18th-19th Jan at Cummins College. https://www.meetup.com/WoSEC-India-Women-of-Security/events/267828816/?_xtd=gatlbWFpbF9jbGlja9oAJGRhYjRiZTA0LTI5NTUtNDAzNi1iNTU5LTEzYmEyODY1Yzk1Yg


  1. INFOSECGIRLS TRAINING IN COLLABORATION WITH HACKCUMMINS
  2. $WHOIS INFOSECGIRLS • Community for women in Information Security. Website • Twitter • Facebook • LinkedIn • YouTube • Mailing List
  3. WHY INFOSECGIRLS? • We aim to bring more women into security and help them grow in the area.
  4. TRAINERS • Ishaq Mohammed, AppSec @ Qualys • Shrutirupa Banerjiee, WAF Research @ Qualys • Komal Armarkar, Spotlight Engineer @ CrowdStrike
  5. AGENDA: Basics of Web Application Architecture • Client Server Communication • HTTP/S • HTTP Methods • Status Codes • The WHY factor • Test Cases • Vulnerabilities • Demo
  6. WEB APPLICATION
  7. ARCHITECTURE
  8. HTTP/HTTPS • HyperText Transfer Protocol (Secure) • Used by the World Wide Web • Defines how messages are formatted and transmitted • Defines what actions web servers and browsers should take in response to various commands
  9. METHODS • GET • POST • PUT • OPTIONS • and many more…
  10. STATUS CODES • 1xx - informational • 2xx - success • 3xx - redirection • 4xx - client error • 5xx - server error
  11. HTTP HEADERS
  12. COOKIE
  13. HOW DO WE VIEW THE SOURCE CODE?
  14. View-source • Inspect element
  15. VIEW-SOURCE
  16. INSPECT ELEMENT
  17. THE WHY FACTOR: WHY ARE WE TALKING ABOUT IT?
  18. VULNERABILITIES TO BE COVERED TODAY • File inclusion • File upload • XSS reflected • XSS stored • SQL Injection
  19. DEMO
  20. FILE INCLUSION • Local File Inclusion • Remote File Inclusion
  21. FILE UPLOAD • Uploading a malicious file • Can lead to Remote Code Execution
  22. XSS REFLECTED • A malicious script bounces off another website into the victim's browser • A user can be tricked into clicking a malicious link that steals the user's cookies
  23. XSS STORED • The malicious script is injected directly into a vulnerable web application • The script is stored in the web application
  24. SQL INJECTION • Executing malicious SQL statements in the web application • To gain unauthorized access to sensitive data in the database
  25. COMMAND INJECTION • The attacker can execute commands directly • Can lead to remote code execution, hence getting a shell on the server
  26. LET'S DEEP DIVE A BIT MORE!
  27. WHAT IS A PROXY?
  28. BURP SUITE
  29. INITIAL SETUP AND CONFIGURATION
  30. SPIDER
  31. SCANNER
  32. REPEATER
  33. INTRUDER
  34. DECODER
  35. LET'S EXPLOIT SOME VULNERABILITIES USING BURP!
  36. FILE UPLOAD – MEDIUM • CSRF – LOW
  37. FILE UPLOAD • Let's bypass the mitigations
  38. CSRF • Cross Site Request Forgery • Targets authenticated users to make them execute unwanted actions
  39. REFERENCES: • Damn Vulnerable Web Application (DVWA) • HTTP • Learn web development
  40. RESOURCES • So, you want to work in security? • Roadmap for Application Security • Getting Started in Offensive Security • BREAKING INTO INFOSEC: A BEGINNERS CURRICULUM • OWASP Foundation • OWASP Top 10 – 2017 • CodePath Web Security Guides • Awesome-Hacking • High-Level Approaches for Finding Vulnerabilities
  41. TRAINER CONTACT • Shrutirupa Banerjiee - https://twitter.com/freak_crypt • Komal Armarkar - https://twitter.com/n0th1n3_00X • Ishaq Mohammed - https://twitter.com/security_prince
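As an added illustration of the SQL injection slide (not part of the deck; DVWA itself is PHP, but Python with the standard sqlite3 module is used here so it runs stand-alone), the same user lookup is written twice: once with the input spliced into the SQL text, once as a parameterised query. A constructed name containing an apostrophe shows that the concatenated version hands user input to the SQL parser, while the bound version treats it as data.

```python
import sqlite3

# Constructed sample rows standing in for an application's user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Injectable form: the user-supplied value becomes part of the SQL text,
    so a quote in the input is parsed as SQL syntax rather than as data."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound separately from the SQL text, so
    whatever the user typed is compared as a literal string."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demonstrate(name: str) -> tuple:
    """Run both lookups on a fresh database and return their results.
    If the concatenated query no longer parses, the vulnerable result is
    the error text instead of a row list."""
    conn = make_db()
    try:
        vuln = vulnerable_lookup(conn, name)
    except sqlite3.OperationalError as exc:
        vuln = "OperationalError: " + str(exc)
    return vuln, safe_lookup(conn, name)


if __name__ == "__main__":
    for probe in ("alice", "O'Brien"):
        print(repr(probe), "->", demonstrate(probe))
```

The apostrophe in O'Brien terminates the string literal in the concatenated query and the rest is read as SQL, which is exactly the mechanism an injected payload relies on; the parameterised version returns the expected row.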
