Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
2. Mapping
• Enumerate application's content and functionality
• Some is hidden, requiring guesswork and luck to discover
• Examine every aspect of behavior, security mechanisms, and technologies
• Determine attack surface and vulnerabilities
4. Web Spiders
• Load web page, find all links on it
• (into the targeted domain)
• Load those pages, find more links
• Continue until no new content is discovered
5. Web Application Spiders
• Also parse HTML forms
• Fill in the forms with preset or random values and submit them
• Trying to walk through multistage functionality
• Can also parse client-side JavaScript to extract URLs
• Tool: Zed Attack Proxy
• WebScarab & CAT seem old and abandoned
7. Limitations of Automatic Spidering
• May fail to handle unusual navigation mechanisms, such as dynamically created JavaScript menus
• So it may miss whole areas of an application
• Links buried in compiled client-side objects like ActiveX or Java may be missed
8. Limitations of Automatic Spidering
• Forms may have validation checks, such as user registration forms
• Email address, telephone number, address, zip code
• Too complex for most spiders, which use a single text string for all form fields
• Spider cannot understand the "Invalid" error messages
9. Limitations of Automatic Spidering
• Spiders only fetch each URL once
• But applications use forms-based navigation, in which the same URL may return different content and functions
• For example, a bank may implement every user action with a POST to /account.jsp with parameters determining the action
• Spiders aren't smart enough to handle that
10. Limitations of Automatic Spidering
• Some applications place volatile data within URLs
• Parameters containing timers or random number seeds
• Spider will fetch the same page over and over, thinking it's new
• May freeze up
11. Limitations of Automatic Spidering
• Authentication: spider must be able to submit valid credentials
• Perhaps using a valid cookie
• However, spiders often break the authenticated session, by
• Requesting a logout function
• Submitting invalid input to a sensitive function
• Requesting pages out-of-sequence
12. Warning
• Spiders may find an administrative page and click every link
• Delete User, Shut Down Database, Restart Server...
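The spider behaviour slides 4, 10, 11 and 12 describe, as an added example that is not part of the course slides and is not code from Burp, ZAP or any other tool named on them. It crawls a constructed in-memory site (the SITE dictionary, the "ts" timer parameter and the "app.example" host are all invented for the demonstration) and shows three things a careful spider does: it stays on the target host, it canonicalizes URLs so a page whose only difference is a timer or seed value is not fetched over and over, and it refuses to follow links whose path looks like a logout or state-changing function, recording them for manual review instead.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Constructed in-memory site so the crawl runs offline. "ts" is a volatile
# timestamp parameter: every visit hands out a fresh value (slide 10).
SITE = {
    "https://app.example/":
        '<a href="/home?ts=1001">Home</a> <a href="/docs/guide.pdf">Guide</a> '
        '<a href="https://other.example/x">Partner site</a>',
    "https://app.example/home?ts=1001":
        '<a href="/home?ts=1002">Refresh</a> <a href="/admin/">Admin</a> '
        '<a href="/logout">Log out</a>',
    "https://app.example/home?ts=1002": '<a href="/home?ts=1003">Refresh</a>',
    "https://app.example/admin/":
        '<a href="/admin/deleteUser.jsp?id=7">Delete user</a> '
        '<a href="/admin/stats">Stats</a>',
    "https://app.example/admin/stats": "",
    "https://app.example/docs/guide.pdf": "",
}

# Query parameters that only carry timers or random seeds; they are dropped
# before deciding whether a URL has already been seen.
VOLATILE_PARAMS = {"ts", "seed", "rand", "nonce", "_"}

# Paths the spider must never request: they would end the session or
# change state (slides 11 and 12). The list is an assumption for the demo.
DANGEROUS_PATH = re.compile(r"logout|signout|delete|remove|shutdown|restart",
                            re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def canonicalize(url):
    """Scheme + host + path + stable query, so volatile variants collapse to one key."""
    parts = urlsplit(url)
    query = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if k not in VOLATILE_PARAMS)
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/",
                       urlencode(query), ""))


def crawl(start, fetch, max_pages=100):
    """Breadth-first crawl from `start`, staying on its host.

    `fetch(url)` returns the page body or None. Returns (sorted canonical URLs
    visited, links skipped because their path matched DANGEROUS_PATH)."""
    scope = urlsplit(start).netloc.lower()
    queue, visited, skipped = deque([start]), set(), []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        key = canonicalize(url)
        if key in visited:
            continue          # same page with a different timer value: not new content
        visited.add(key)
        body = fetch(url)
        if body is None:
            continue
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:
            target = urljoin(url, href)
            split = urlsplit(target)
            if split.netloc.lower() != scope:
                continue      # off-site link: out of scope
            if DANGEROUS_PATH.search(split.path):
                skipped.append(target)   # keep it for manual review, never request it
                continue
            if canonicalize(target) not in visited:
                queue.append(target)
    return sorted(visited), skipped


if __name__ == "__main__":
    pages, dangerous = crawl("https://app.example/", SITE.get)
    print("Discovered:", *pages, sep="\n  ")
    print("Left alone:", *dangerous, sep="\n  ")
```

Without the canonicalize step the "Refresh" links would keep the spider on /home indefinitely, which is the freeze-up slide 10 warns about; without the path deny-list it would request /logout (breaking the session) and /admin/deleteUser.jsp (destroying data), which is exactly why slide 13 recommends user-directed spidering for anything sensitive.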
13. User-Directed Spidering
• More sophisticated and controlled technique than automated spidering, usually preferable
• User walks through application using a browser connected to Burp (or another proxy)
• The proxy collects all requests and responses
18. Advantages of User-Directed Spidering
• User can follow unusual or complex navigation mechanisms
• User can enter valid data where needed
• User can log in as needed
• User can avoid dangerous functionality, such as deleteUser.jsp
19. Browser Tools
• Chrome's Developer Tools can show details of requests and responses within the browser
• No proxy needed
• Often useful; shows timing as well as content
22. Discovering Hidden Content
• Finding it requires automated testing, manual testing, and luck
• Testing or debugging features left in application
• Different functionality for different categories of users
• Anonymous, authenticated, administrators
• Backup copies of live files
• May be non-executable and reveal source code
23. Discovering Hidden Content
• Backup archives that contain snapshot of entire application
• New functionality implemented for testing but not yet linked from main application
• Default functionality in an off-the-shelf application that has been superficially hidden from the user but not removed
• Old versions of files--may still be exploitable
24. Discovering Hidden Content
• Configuration and include files containing sensitive data such as database credentials
• Source files from which application functions were compiled
• Comments in source code; may contain usernames and passwords, "test this" marks, and other useful data
• Log files--may contain valid usernames, session tokens, etc.
25. Brute-Force Techniques
• Suppose user-directed spidering finds the URLs on the left
• A brute-forcer will try names as shown on the right
29. Inference from Published Content
• Look for patterns
• All subdirectories of "auth" start with a capital letter
• One is "ForgotPassword", so try these
30. Other Patterns
• Names may use numbers or dates
• Check include files from HTML and JavaScript
• They may be publicly readable
• Comments may include database names, SQL query strings
• Java applets and ActiveX controls may contain sensitive data
31. More Clues
• Search for temporary files created by tools and file editors
• .DS_Store file (a directory index created by Mac OS X)
• file.php-1 created when file.php is edited
• .tmp files created by many tools
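The hidden-content classes from slides 22 to 24 and the leftover-file clues from slide 31, turned around into a server-side check, as an added example that is not from the course slides or the handbook. Rather than guessing names from outside, it walks a document root on the server and reports files matching those classes (backup copies, file.php-1 style edit copies, .DS_Store, .tmp, archives, logs, config and include files, compilable source). The sample tree is constructed in a temporary directory; the name patterns are this example's assumptions, not an exhaustive list.

```python
import os
import re
import tempfile
from pathlib import Path

# Name patterns for the leftovers slides 22-24 and 31 list. Order matters:
# the first matching label is the one reported.
CHECKS = [
    ("macOS directory index", re.compile(r"^\.DS_Store$")),
    ("editor backup copy", re.compile(r"(~|\.(bak|old|orig|swp|save))$", re.IGNORECASE)),
    ("edited-file copy (file.ext-N)", re.compile(r"\.\w+-\d+$")),
    ("temporary file", re.compile(r"\.tmp$", re.IGNORECASE)),
    ("archive or snapshot", re.compile(r"\.(zip|tar|tgz|tar\.gz|7z|rar)$", re.IGNORECASE)),
    ("log file", re.compile(r"\.log$", re.IGNORECASE)),
    ("config or include file", re.compile(r"\.(inc|ini|env|cfg|conf|config)$", re.IGNORECASE)),
    ("compilable source file", re.compile(r"\.(java|cs|vb|c|cpp)$", re.IGNORECASE)),
]


def audit_webroot(root):
    """Walk `root` and return sorted (relative path, label) pairs for files
    that should not be sitting in a served directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for label, pattern in CHECKS:
                if pattern.search(name):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    findings.append((rel.replace(os.sep, "/"), label))
                    break
    return sorted(findings)


def build_sample_webroot():
    """Constructed document root: a few legitimate files plus the kinds of
    leftovers the slides describe. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel in ("index.php", "login.php", "login.php-1", "css/site.css", "js/app.js",
                ".DS_Store", "inc/db.inc", "config.php.bak", "upload.php~",
                "backup/site-2016.tar.gz", "logs/access.log"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("")
    return root


if __name__ == "__main__":
    for rel, label in audit_webroot(build_sample_webroot()):
        print(f"{label:32} {rel}")
```

Running this from a deploy pipeline (or a cron job against the live document root) catches the files before a brute-forcer does; anything it reports should be moved out of the served tree, not just renamed, since slide 23 notes that superficially hidden files are still reachable.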
36. Web Server Vulnerabilities
• Some Web servers let you list directory contents or see raw source code
• Sample and diagnostic scripts may contain vulnerabilities
37. Nikto and Wikto
• Scans servers for known vulnerable files and versions
• Wikto is the Windows version
• Nikto is the Linux version
• Included in Kali
• Fast and easy to use
• Has false positives like all vulnerability scanners
• Must verify results with manual testing
39. Functional Paths
• Different from old-fashioned tree-structured file system
• Every request goes to the same URL
• Parameters specify function
• Very different structure to explore
42. Analyzing the Application
• Key areas
• Core functionality
• Peripheral behavior: off-site links, error messages, administrative and logging functions, and use of redirects
• Core security mechanisms: session state, access control, authentication
• User registration, password change, account recovery
43. Key Areas (continued)
• Everywhere the application processes user-supplied input
• URL, query string, POST data, cookies
• Client-side technologies
• Forms, scripts, thick-client components (Java applets, ActiveX controls, and Flash), and cookies
44. Key Areas (continued)
• Server-side technologies
• Static and dynamic pages, request parameters, SSL, Web server software, interaction with databases, email systems, and other back-end components
48. HTTP Headers
• User-Agent is used to detect small screens
• Sometimes to modify content to boost search engine rankings
• May allow XSS and other injection attacks
• Changing User-Agent may reveal a different user interface
49. HTTP Headers
• Applications behind a load balancer or proxy may use X-Forwarded-For header to identify source
• Can be manipulated by attacker to inject content
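How an application behind a proxy should read X-Forwarded-For so that the manipulation slide 49 mentions gets nowhere, as an added example not taken from the course slides. The trusted proxy ranges are constructed for the demo. The function only trusts the header when the TCP peer is one of our own proxies, walks the chain from the right (the end our proxy appended) past our own hops, and returns only a value that parses as an IP literal, so whatever text the client put into the header never reaches a log line or an access-control decision.

```python
import ipaddress

# Constructed: the address ranges our own load balancers / reverse proxies use.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.10/32")]


def parse_ip(text):
    """Return an ip_address for `text`, or None if it is not a bare IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip, trusted=TRUSTED_PROXIES):
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Client address as the application should log and act on it.

    remote_addr: the TCP peer of this server.
    xff_header:  the raw X-Forwarded-For value (may be None).

    Walks the chain right-to-left, discarding hops that are our own proxies;
    the first other address is the client. Elements that are not IP literals
    (anything a client typed into the header) are never returned."""
    peer = parse_ip(remote_addr)
    if peer is None:
        return None
    if not is_trusted_proxy(peer, trusted):
        return str(peer)        # direct connection: the header is untrusted input, ignore it
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = parse_ip(hop)
        if ip is None:
            break               # malformed element: stop walking, fall back to the proxy
        if not is_trusted_proxy(ip, trusted):
            return str(ip)
    return str(peer)


if __name__ == "__main__":
    # Client sends a spoofed header, proxy 10.0.0.7 appends the real peer.
    print(client_ip("10.0.0.7", "<script>alert(1)</script>, 198.51.100.23"))
    # Direct connection: header is simply ignored.
    print(client_ip("203.0.113.5", "1.2.3.4"))
```

The right-to-left walk is what matters: a client controls the left end of the header, the last trusted proxy controls the right end, so reading from the left would hand an attacker any address they like. Logging the returned string rather than the raw header also closes the log-injection route.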
50. Out-of-Band Channels
• User data may come in via
• Email
• Publishing content via HTTP from another server (e.g. WebDAV)
• IDS that sniffs traffic and puts it into a Web application
• API interface for non-browser user agents, such as cell phone apps, and then shares data with the primary web application
63. Third-Party Code Components
• Add common functionality like
• Shopping carts
• Login mechanisms
• Message boards
• Open-source or commercial
• May contain known vulnerabilities
64. Hack Steps
1. Identify all entry points for user input
• URL, query string parameters, POST data, cookies, HTTP headers
2. Examine query string format; should be some variation on name/value pair
3. Identify any other channels that allow user-controllable or third-party data into the app
65. Hack Steps
4. View HTTP server banner returned by the app; it may use several different servers
5. Check for other software identifiers in custom HTTP headers or HTML source code
6. Run httprint to fingerprint the web server
7. Research software versions for vulnerabilities
8. Review map of URLs to find interesting file extensions, directories, etc. with clues about the technologies in use
66. httprint
• Not updated since 2005 (link Ch 4j)
• Alternatives include nmap, Netcraft, and SHODAN (Link Ch 4k)
• Also the Wappalyzer Chrome extension
67. Hack Steps
9. Review names of session tokens to identify technologies being used
10. Use lists of common technologies, or Google, to identify technologies in use, or discover other websites that use the same technologies
11. Google unusual cookie names, scripts, HTTP headers, etc. If possible, download and install the software to analyze it and find vulnerabilities
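Steps 4, 5, 7, 8 and 9 of the hack steps applied to a captured response and URL map, as an added example that is not from the course slides and is not httprint, Wappalyzer or any tool the slides name. The headers and URLs are constructed; the cookie-name and extension tables are this example's assumptions. It is just as useful run against your own application to see what it gives away (product/version banners, platform-revealing session cookie names, technology-revealing extensions) before anyone else reviews it.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed capture: response headers as (name, value) pairs so Set-Cookie can
# repeat, plus the URL map that user-directed spidering produced. Not real data.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Set-Cookie", "PHPSESSID=3f9c0example; Path=/; HttpOnly"),
    ("Set-Cookie", "JSESSIONID=8A1Bexample; Path=/auth; Secure"),
    ("Content-Type", "text/html; charset=UTF-8"),
]
SAMPLE_URLS = [
    "/index.php",
    "/auth/Login.jsp",
    "/auth/ForgotPassword.jsp",
    "/shop/Order.aspx?OrderBy=price&isExpired=0",
    "/images/logo.png",
]

# Session token names that identify the platform that issued them (step 9).
COOKIE_HINTS = {
    "JSESSIONID": "Java servlet container",
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
}
# File extensions that identify server-side technology (step 8, slides 68-70).
EXT_HINTS = {
    ".php": "PHP",
    ".jsp": "Java Server Pages",
    ".aspx": "ASP.NET",
    ".asp": "Classic ASP",
    ".cfm": "ColdFusion",
    ".pl": "Perl CGI",
}
# Headers that carry product/version banners (steps 4 and 5).
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
PRODUCT_VERSION = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")


def fingerprint(headers, urls):
    """Return sorted (technology, evidence) pairs gathered from headers and the URL map."""
    findings = set()
    for name, value in headers:
        lname = name.lower()
        if lname in BANNER_HEADERS:
            # Each product/version pair is something to research for known issues (step 7).
            for product, version in PRODUCT_VERSION.findall(value):
                findings.add((f"{product} {version}", f"{name} header"))
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in COOKIE_HINTS:
                findings.add((COOKIE_HINTS[cookie], f"cookie {cookie}"))
    for url in urls:
        ext = os.path.splitext(urlsplit(url).path)[1].lower()
        if ext in EXT_HINTS:
            findings.add((EXT_HINTS[ext], f"extension {ext}"))
    return sorted(findings)


def technologies(headers, urls):
    """Just the distinct technology names, for a quick inventory."""
    return sorted({tech for tech, _evidence in fingerprint(headers, urls)})


if __name__ == "__main__":
    for tech, evidence in fingerprint(SAMPLE_HEADERS, SAMPLE_URLS):
        print(f"{tech:24} <- {evidence}")
```

The constructed capture illustrates the point of step 4: two different session cookies and three extensions show that more than one platform sits behind the same hostname, so each needs its own research in step 7.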
68. Identifying Server-Side Functionality
• .jsp - Java Server Pages
• OrderBy parameter looks like SQL
• isExpired suggests that we could get expired content by changing this value
69. Identifying Server-Side Functionality
• .aspx - Active Server Pages (Microsoft)
• template - seems to be a filename and loc - looks like a directory; may be vulnerable to path traversal
• edit - maybe we can change files if this is true
• ver - perhaps changing this will reveal other functions to attack
70. Identifying Server-Side Functionality
• .php - PHP
• Connecting to an email server, with user-controllable content in all fields
• May be usable to send emails
• Any fields may be vulnerable to email header injection
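What the mail-sending function on slide 70 should look like so that its fields are not vulnerable to email header injection, as an added example that is not from the course slides and is not the PHP application the slide describes. The recipient and sender addresses are constructed. The rule it implements: any user-supplied value that ends up in a header is rejected outright if it contains CR, LF or NUL (the characters that would start a new header such as Bcc), the reply address must be a single plain address, and free text goes only in the body.

```python
import re
from email.message import EmailMessage

# Conservative shape check for a single plain address (not a full RFC 5322 parser).
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Anything that could terminate a header line and start another one.
HEADER_BREAK = re.compile(r"[\r\n\x00]")

SUPPORT_ADDRESS = "support@example.com"   # constructed: fixed recipient, never user-controlled
SENDER_ADDRESS = "noreply@example.com"    # constructed: fixed sender


def has_header_injection(value):
    """True if a user-supplied field bound for a mail header carries CR, LF or NUL."""
    return HEADER_BREAK.search(value) is not None


def build_contact_message(reply_to, subject, body):
    """Build the contact-form mail. Only `body` may carry arbitrary text;
    header-bound fields are validated and rejected, not sanitised."""
    for field, value in (("reply_to", reply_to), ("subject", subject)):
        if has_header_injection(value):
            raise ValueError(f"{field}: line break or NUL in header field")
    if not ADDRESS.match(reply_to):
        raise ValueError("reply_to: not a single plain e-mail address")
    msg = EmailMessage()
    msg["From"] = SENDER_ADDRESS
    msg["To"] = SUPPORT_ADDRESS
    msg["Reply-To"] = reply_to
    msg["Subject"] = subject[:200]      # length-limited; free text is fine once breaks are excluded
    msg.set_content(body)               # untrusted free text belongs in the body only
    return msg


if __name__ == "__main__":
    print(build_contact_message("alice@example.com", "Order question", "Where is my order?"))
    try:
        build_contact_message("alice@example.com\r\nBcc: all@example.net", "hi", "x")
    except ValueError as err:
        print("rejected:", err)
```

Rejecting rather than stripping is deliberate: a stripped value silently changes what the user sent, while a rejection surfaces the attempt in application logs, which is where a defender wants to see it.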
72. Extrapolating Application Behavior
• An application often behaves consistently across the range of its functionality
• Because code is re-used or written by the same developer, or to the same specifications
• So if your SQL injections are being filtered out, try injecting elsewhere to see what filtering is in effect
73. Extrapolating Application Behavior
• If app obfuscates data, try finding a place where a user can enter an obfuscated string and retrieve the original
• Such as an error message
• Or test systematically-varying values and deduce the obfuscation scheme
74. Error Handling
• Some errors may be properly handled and give little information
• Others may crash and return verbose error information
77. Isolate Unique Application Behavior
• App may use a consistent framework that prevents attacks
• Look for extra parts "bolted on" later, which may not be integrated into the framework
• Debug functions, CAPTCHAs, usage tracking, third-party code
• Different GUI appearance, parameter naming conventions, comments in source code
78. Mapping the Attack Surface
• Client-side validation
• Database interaction -- SQL injection
• File uploading and downloading -- Path traversal, stored XSS
• Display of user-supplied data -- XSS
• Dynamic redirects -- Redirection and header attacks
79. Mapping the Attack Surface
• Social networking features -- username enumeration, stored XSS
• Login -- Username enumeration, weak passwords, brute-force attacks
• Multistage login -- Logic flaws
• Session state -- Predictable tokens, insecure token handling
80. Mapping the Attack Surface
• Access controls -- Horizontal and vertical privilege escalation
• User impersonation functions -- Privilege escalation
• Cleartext communications -- Session hijacking, credential theft
• Off-site links -- Leakage of query string parameters in the Referer header
• Interfaces to external systems -- Shortcuts handling sessions or access controls
81. Mapping the Attack Surface
• Error messages -- Information leakage
• Email interaction -- Email or command injection
• Native code components or interaction -- Buffer overflows
• Third-party components -- Known vulnerabilities
• Identifiable Web server -- Common configuration errors, known bugs
82. Example
• /auth contains authentication functions -- test session handling and access control
• /core/sitestats -- parameters; try varying them; try wildcards like all and * ; PageID contains a path, try traversal
• /home -- authenticated user content; try horizontal privilege escalation to see other user's info
83. Example
• /icons and /images -- static content, might find icons indicating third-party content, but probably nothing interesting here
• /pub -- RESTful resources under /pub/media and /pub/user; try changing the numerical value at the end
• /shop -- online shopping, all items handled similarly; check logic for possible exploits