Carmen Alcivar completed a lab assignment for her Foundations of Information Assurance course at Northeastern University. The assignment involved attacking a vulnerable web application and database. She performed tests like SQL injection and cross-site scripting attacks. Carmen provided screenshots and explanations of her results. She demonstrated techniques for discovering database structure and vulnerabilities. Overall, the assignment aimed to help Carmen learn how to identify security issues through penetration testing before software is deployed.
Contents
Lab #15: Attacking a Vulnerable Web Application and Database
a. Assessment Sheet
b. Challenge Question
c. Screenshots
Lab #15: Attacking a Vulnerable Web Application and Database
a. Assessment Sheet
Course Name and Number: Foundations of Information Assurance – IA5010
Student Name: <Carmen Alcivar>
Instructor Name: Derek Brodeur
Lab Due Date: <2/21/16>
Lab Assessment Questions & Answers
1. Why is it critical to perform a penetration test on a Web application and a Web server prior to production implementation?
Performing penetration tests on a Web application and a Web server prior to production implementation is a critical step in ensuring the confidentiality, integrity, and availability (CIA) of the Web application or service. It is imperative to perform a penetration test in order to protect customers' private information that will be entered via the Web application. There are also laws regulating the confidentiality of customers' data.
2. What is a cross-site scripting attack? Explain in your own words.
A cross-site scripting attack is the type of attack that exploits a cross-site scripting (XSS) vulnerability in a Website. It is subject to a SQL injection attack on the Web application's SQL database. XSS is the malicious insertion of scripting code to extract data or modify a Web site's code, application, or content.
3. What is a reflective cross-site scripting attack?
The reflective cross-site scripting attack is a non-persistent attack in which all input shows output on the user's/attacker's screen and does not modify data stored on the server.
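The reflected (non-persistent) versus stored distinction in questions 2 and 3, shown in code as an added example that is not part of the lab or of DVWA: a search page that echoes its parameter back (reflected), a guestbook that saves comments and renders them to every later visitor (stored), and the output-encoding mitigation applied to both. The templates, the `Guestbook` class and the sample input are constructed for this illustration.

```python
import html

# Minimal page fragments constructed for this example; nothing here is DVWA's own code.
SEARCH_TEMPLATE = "<p>You searched for: {term}</p>"
COMMENT_TEMPLATE = "<li>{author}: {text}</li>"


def reflect_unescaped(term):
    """Reflected XSS pattern: the request parameter is echoed straight back into the response.
    Nothing is stored, so only the user who sent the input sees the result."""
    return SEARCH_TEMPLATE.format(term=term)


def reflect_escaped(term):
    """Mitigation: HTML-encode on output so '<', '>' and quotes become text the browser
    displays rather than markup it executes."""
    return SEARCH_TEMPLATE.format(term=html.escape(term, quote=True))


class Guestbook:
    """Stored (persistent) variant: a comment saved once is rendered to every later visitor,
    so a single malicious submission affects all of them until it is removed."""

    def __init__(self):
        self.comments = []

    def add(self, author, text):
        self.comments.append((author, text))

    def render_unescaped(self):
        # Same defect as reflect_unescaped, but the unsafe data now comes from storage.
        return "".join(COMMENT_TEMPLATE.format(author=a, text=t) for a, t in self.comments)

    def render_escaped(self):
        # Encoding at output time protects every reader regardless of who submitted the comment.
        return "".join(
            COMMENT_TEMPLATE.format(author=html.escape(a, quote=True),
                                    text=html.escape(t, quote=True))
            for a, t in self.comments
        )


def contains_live_markup(rendered, tag="script"):
    """Crude check used in the demo: does the rendered HTML still contain an executable tag?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print("reflected, raw    :", reflect_unescaped(sample))
    print("reflected, escaped:", reflect_escaped(sample))
    book = Guestbook()
    book.add("bob", sample)
    book.add("alice", "hello")
    print("stored, raw       :", book.render_unescaped())
    print("stored, escaped   :", book.render_escaped())
```

The point of the two render paths is that the fix is the same in both cases: encode untrusted data at the moment it is written into HTML, whether it arrived in the current request or was read back from the database.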
4. Based on the tests you performed in this lab, which Web application attack is more likely to extract privacy data elements out of a database?
The reflective cross-site scripting attack is the type of attack that allows you to extract privacy data elements out of a database.
5. If you can monitor when SQL injections are performed on an SQL database, what would you recommend as a security countermeasure to monitor your production SQL databases?
I would recommend the use of Simple Network Management Protocol (SNMP) alerts, which allow database administrators to monitor their SQL databases for unauthorized or abnormal SQL injections, and to write scripts for alarming as well. Encrypting the data elements that reside in long-term storage of the SQL database is another option.
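One concrete form the monitoring recommended in question 5 can take, as an added example that is not part of the lab: a scanner over a database query log that flags the injection patterns this lab exercises (a quote followed by an ORDER BY or UNION keyword, and comment sequences that truncate the rest of the statement) and computes the flagged fraction that an alerting script would threshold on. The log lines, pattern names and function names are constructed for this example.

```python
import re

# Constructed sample of a database query log (not taken from the lab): one query per line.
SAMPLE_QUERY_LOG = """\
SELECT first_name, last_name FROM users WHERE user_id = '1'
SELECT first_name, last_name FROM users WHERE user_id = 'a' ORDER BY 1;#'
SELECT first_name, last_name FROM users WHERE user_id = 'a' ORDER BY 3;#'
SELECT first_name, last_name FROM users WHERE user_id = '2'
SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT user, password FROM users;#'
SELECT first_name, last_name FROM users WHERE user_id = '3' -- '
"""

# Signatures of the presence-or-lack-of-errors probing used in the lab: a string literal that is
# closed early and followed by SQL keywords, and comment sequences that discard the query's tail.
SUSPICIOUS_PATTERNS = [
    ("quote-then-keyword",
     re.compile(r"'\s*(ORDER\s+BY|UNION\s+SELECT|OR\s+1\s*=\s*1|AND\s+\d)", re.IGNORECASE)),
    ("comment-terminator", re.compile(r"(;\s*#|--\s|/\*)")),
]


def flag_query(query):
    """Return the names of the patterns a single query matches (empty list = looks benign)."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS if pattern.search(query)]


def scan_query_log(log_text):
    """Return (line_number, query, reasons) for every logged query matching at least one pattern."""
    hits = []
    for lineno, query in enumerate(log_text.splitlines(), start=1):
        reasons = flag_query(query)
        if reasons:
            hits.append((lineno, query, reasons))
    return hits


def probe_rate(log_text):
    """Fraction of logged queries flagged; a rise above the normal baseline is the alert trigger."""
    lines = log_text.splitlines()
    if not lines:
        return 0.0
    return len(scan_query_log(log_text)) / len(lines)


if __name__ == "__main__":
    for lineno, query, reasons in scan_query_log(SAMPLE_QUERY_LOG):
        print(f"line {lineno}: {', '.join(reasons)}: {query}")
    print(f"flagged fraction: {probe_rate(SAMPLE_QUERY_LOG):.2f}")
```

Signature matching of this kind is noisy on its own (legitimate queries can contain ORDER BY), which is why the rate is computed per log window rather than alerting on every single hit; in practice it is paired with the parameterized queries that remove the injection path in the first place.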
6. Given that Apache and Internet Information Services (IIS) are the two most popular Web application servers for Linux and Microsoft® Windows platforms, what would you do to identify known software vulnerabilities and exploits?
I could search the CVE listing using the keyword Apache to find all known Apache vulnerabilities and exploits. This allows all software patches and security patches to be included on the production Web servers to remediate critical and major software vulnerabilities before the application is released.
7. What can you do to ensure that your organization incorporates penetration testing and Web application testing as part of its implementation procedures?
Penetration testing should be part of the policy. The organization's security policy should dictate that no production Web application can be implemented without proper penetration testing and security hardening.
8. What is the purpose of setting the DVWA security level to "low" before beginning the remaining lab steps?
The low setting mimics a vulnerable Web application. Only a vulnerable system can be attacked.
9. As an ethical hacker, once you've determined that a database is injectable, what should you do with that information?
As an ethical hacker, I should recommend specific countermeasures for remediating the vulnerabilities and eliminating the exploits. Once I have determined that a database is injectable
b. Challenge Question
c. Screenshots:
Part 2:
[Deliverable Lab Step 5] screenshot showing the exposed vulnerability
1. [Deliverable Lab Step 8] screenshot showing cross-site scripting attacks in the High setting. It does not go through.
Part 3:
Step 6: screenshot displaying the result of using the presence-or-lack-of-errors strategy to determine vulnerabilities. Review the output of this script (a' ORDER BY 1;#). Here, I am trying to order the output by the first (1) column, or field. In this case, there is no error, which means there is a first column. This allows one to learn about the structure of the database.
Step 7: screenshot displaying the result of using the presence-or-lack-of-errors strategy to determine vulnerabilities. Review the output of this script (a' ORDER BY 2;#). Here, I am trying to order the output by the second (2) column, or field. In this case, there is no error, which means there is a second column.
Step 8: screenshot displaying the result of using the presence-or-lack-of-errors strategy to determine vulnerabilities. Review the output of this script (a' ORDER BY 3;#). Here, I am trying to order the output by the third (3) column, or field. In this case, there is an error, which means there is not a third column.
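Why the ORDER BY probes in Steps 6 to 8 reveal the column count, and why a parameterized query stops them from doing so, as an added example that is not part of the lab or of DVWA. It uses SQLite in place of the lab's MySQL database (so the MySQL-style `;#` terminator is written as SQLite's `--` comment), a constructed two-column `users` lookup, and the hypothetical function names below; `probe_column_count` runs the same presence-or-lack-of-errors loop the lab performs by hand, once against the vulnerable query builder and once against the hardened one.

```python
import sqlite3


def make_db():
    """In-memory table shaped like the lab's DVWA users table (rows constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "gordon", "brown")])
    return conn


def lookup_concatenated(conn, user_id):
    """Vulnerable pattern (what the 'low' security level does): the request value is pasted into
    the SQL text, so a quote in the input closes the string literal and the rest is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened pattern: the same query with a bound parameter. The value is compared as data and
    cannot alter the statement's structure, so no ORDER BY clause is ever parsed from it."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe_column_count(conn, lookup, max_columns=10):
    """The lab's presence-or-lack-of-errors strategy: ORDER BY n succeeds while n is within the
    number of selected columns and raises an error once it is not, so the first failing index is
    one past the column count. Returns that count, or None if no index up to max_columns errored,
    meaning the query revealed nothing about the table's structure."""
    for n in range(1, max_columns + 1):
        try:
            # Lab probe a' ORDER BY n;# written with SQLite's '--' comment terminator.
            lookup(conn, f"a' ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None


if __name__ == "__main__":
    conn = make_db()
    print("normal lookup        :", lookup_parameterized(conn, "1"))
    print("concatenated builder :", probe_column_count(conn, lookup_concatenated))   # 2: structure leaked
    print("parameterized builder:", probe_column_count(conn, lookup_parameterized))  # None: nothing learned
```

The error from Step 8 is what leaks the structure: the database complains that the third ORDER BY term is out of range, which tells the tester the SELECT returns exactly two columns. With the bound parameter the same input is just a string that matches no row, so there is no error to observe and the probe sequence learns nothing.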
[Deliverable Lab Step 18]: a screen capture showing the user information for the user name that is currently being used to make queries on the server.
[Deliverable Lab Step 20]: a screen capture showing the hash for the user on the backend database. Hashing in a database allows the creation of an index number. This facilitates the search of a record later on. http://www.webopedia.com/TERM/H/hashing.html