vodQA, profile picture
Uploaded byvodQA
ODP, PPTX588 views

Security Testing hands on Workshop Material

This document discusses cross-site scripting (XSS) and SQL injection vulnerabilities. It provides an example of how Samy used an XSS attack on MySpace to automatically send friend requests to over 1 million users in just 20 hours. It also discusses how SQL injection allows hackers to extract data by manipulating queries, and provides examples of how injecting code into the username, password, or ID fields can expose user data or union queries. The document aims to demonstrate how these attacks work and why they remain prevalent issues.

Technology
Related topics:
Information Security

Embed presentation

Download as ODP, PPTX
LET'S H4CK By H4rryp0tt3r
2 XSS (Xross Site Scripting)
3 Not so powerful? ● What XSS means to most of the people at first is, XSS won't be a big issue. It won't be very harmful. ● And If you report an XSS bug, the very first question is, “what harm you can do by popping up an alert box?”
4
5 ● Samy wants to become every ones hero ● No more waiting, He wrote a JavaScript ● Injected into his profile page He wants to be a hero..
6 What that script will do? If you visit Samy's profile, then that code will execute in your browser. Samy's Profile with Injected Code Victim's profile Add Samy to my hero's list Send a friend request to Samy MySpace Server It will send a friend request to Samy on behalf of you Injected code gets copied to your profile Now Samy is victim's Hero
7 So many friends... At 12:30 am: You have 73 friends. 1 hour later, 1:30 am: You have 73 friends and 1 friend request. 8 hour later, 8:30 am: You have 518 friends and 561 friend requests. 10 hours later, 10:30 am: You have 2,503 friends and 6,373 friend requests. 13 hours later, 1:30 pm: You have 2,503 friends. 917,084 friend requests. A few minutes later, I refresh. 1,005,831 friend requests.
8 One can't say that anymore... In just 20 hours over one million people got affected by a JavaScript worm called Samy Worm that spread on MySpace(A social networking website once upon a time)
9 https://www.google.com/about/appsecurity/learning/xss/ https://google-gruyere.appspot.com/start Simple XSS Demo URL
10 SQL Injection
11 Stays for ever... ● Ranked 1st in OWASP Top 10 vulnerabilities ● 97% of data breaches are still due to SQL Injection ● The most common form of attack against websites
12 May be the largest ever breach... Hackers exposed 130 million card numbers from Heartland Payment system in 2007
13 select * from <some-table> where username='<user-input>' and password='<user-input>' Basic Login validation query.. select * from <some-table> where username='admin' or 1=1 #' and password='<user-input>'
14 select * from <some-table> where id = <user-given-id> ID based content selection query select * from <some-table> where id = 1 UNION select 1,2,3 select * from <some-table> where id = 1 AND 1=0 UNION select 1,2,3
THANKS For questions or suggestions: Nagesh Podilapu nagesh.podilapu@thoughtworks.com

More Related Content

PDF
The Web You Thought You Knew
byMunir Njiru
 
PDF
BANK ROBBERY TRAINING: HOW TO STAY SAFE IN A VIOLENT HEIST
byAdam Quirk
 
PPT
Cross Site Scripting Augusta For Matrix Session
byAbhishek kumar
 
PPTX
Navigating Online Threats - Website Security for Everyday Website Owners
byTony Perez
 
PPTX
Word camp orange county 2012 enduser security
byTony Perez
 
PDF
5 steps to raise big money with major gifts
bygailperry
 
PDF
Llista provisional d'inscrits ve'12
byAnam
 
PPTX
Sudan południowy
bysknsz
 
The Web You Thought You Knew
byMunir Njiru
 
BANK ROBBERY TRAINING: HOW TO STAY SAFE IN A VIOLENT HEIST
byAdam Quirk
 
Cross Site Scripting Augusta For Matrix Session
byAbhishek kumar
 
Navigating Online Threats - Website Security for Everyday Website Owners
byTony Perez
 
Word camp orange county 2012 enduser security
byTony Perez
 
5 steps to raise big money with major gifts
bygailperry
 
Llista provisional d'inscrits ve'12
byAnam
 
Sudan południowy
bysknsz
 

Viewers also liked

PPTX
Japońska tragedia
bysknsz
 
PPTX
Presentation3
bysverrirs2859
 
PDF
2006 este general
byAnam
 
PDF
Yapc asia 2011
byonagatani
 
DOCX
Badminton VOCABULARI
byccidt
 
PPT
G+
byEsze Dóra
 
PDF
Hachiojipm#13
byHideaki Ohno
 
PDF
Llista provisional d'inscrits ve'12
byAnam
 
PPTX
Relacje ue z krajami globalnego południa
bysknsz
 
PDF
Small Business SEO
byJa-Nae Duane
 
PPT
Politicize europe and recruit new activists
byPes Pse
 
KEY
Go viral for victory II - Spread your news on social networks
byPes Pse
 
DOC
qw3ries Executive Summary Version 0.07
byJon Pincus
 
PPTX
Spotkanie z mattem kwasiborskim
bysknsz
 
PDF
情報収集リテラシー向上勉強会
byToshiyuki Oka
 
PDF
XSS and SQL injection workshop steps
byvodQA
 
PPS
Facebook case study by students Danijela Lalic
byDanijela Lalic
 
PDF
Евгений Кирпичёв Многопоточное программирование
bySiel01
 
PDF
Aerial photos
byaldridged
 
PDF
Testing the Mysterious Sphere
byvodQA
 
Japońska tragedia
bysknsz
 
Presentation3
bysverrirs2859
 
2006 este general
byAnam
 
Yapc asia 2011
byonagatani
 
Badminton VOCABULARI
byccidt
 
G+
byEsze Dóra
 
Hachiojipm#13
byHideaki Ohno
 
Llista provisional d'inscrits ve'12
byAnam
 
Relacje ue z krajami globalnego południa
bysknsz
 
Small Business SEO
byJa-Nae Duane
 
Politicize europe and recruit new activists
byPes Pse
 
Go viral for victory II - Spread your news on social networks
byPes Pse
 
qw3ries Executive Summary Version 0.07
byJon Pincus
 
Spotkanie z mattem kwasiborskim
bysknsz
 
情報収集リテラシー向上勉強会
byToshiyuki Oka
 
XSS and SQL injection workshop steps
byvodQA
 
Facebook case study by students Danijela Lalic
byDanijela Lalic
 
Евгений Кирпичёв Многопоточное программирование
bySiel01
 
Aerial photos
byaldridged
 
Testing the Mysterious Sphere
byvodQA
 

Similar to Security Testing hands on Workshop Material

PPT
Xss talk, attack and defense
byPrakashchand Suthar
 
PPT
Starwest 2008
byCaleb Sima
 
PPTX
04. xss and encoding
byEoin Keary
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PPTX
Convincing Developers to take Cross-Site Scripting Seriously
byjpubal
 
PDF
Ch 12 Attacking Users - XSS
bySam Bowne
 
PDF
The Cross Site Scripting Guide
byDaisuke_Dan
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PPTX
Security testing for web developers
bymatthewhughes
 
PDF
Web Security Horror Stories
bySimon Willison
 
PPT
Not only a XSS
byConferencias FIST
 
PPT
Xssandcsrf
byPrabhanshu Saraswat
 
PPTX
Cross Site Scripting
byAli Mattash
 
PPT
Protecting Your Web Site From SQL Injection & XSS
byskyhawk133
 
PDF
JavaScript Security
byJason Harwig
 
PDF
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
bySam Bowne
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
PDF
Complete xss walkthrough
byAhmed Elhady Mohamed
 
PPTX
Web Exploitation Security
byAman Singh
 
PDF
Web App Security Horror Stories
bySimon Willison
 
Xss talk, attack and defense
byPrakashchand Suthar
 
Starwest 2008
byCaleb Sima
 
04. xss and encoding
byEoin Keary
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
Convincing Developers to take Cross-Site Scripting Seriously
byjpubal
 
Ch 12 Attacking Users - XSS
bySam Bowne
 
The Cross Site Scripting Guide
byDaisuke_Dan
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
Security testing for web developers
bymatthewhughes
 
Web Security Horror Stories
bySimon Willison
 
Not only a XSS
byConferencias FIST
 
Xssandcsrf
byPrabhanshu Saraswat
 
Cross Site Scripting
byAli Mattash
 
Protecting Your Web Site From SQL Injection & XSS
byskyhawk133
 
JavaScript Security
byJason Harwig
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
bySam Bowne
 
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
Complete xss walkthrough
byAhmed Elhady Mohamed
 
Web Exploitation Security
byAman Singh
 
Web App Security Horror Stories
bySimon Willison
 

More from vodQA

PPTX
Performance Testing
byvodQA
 
PPTX
Testing Strategy in Micro Frontend architecture
byvodQA
 
PPTX
Api testing libraries using java script an overview
byvodQA
 
PPTX
Testing face authentication on mobile
byvodQA
 
PPTX
Testing cna
byvodQA
 
PPTX
Etl engine testing with scala
byvodQA
 
PPTX
EDA for QAs
byvodQA
 
PDF
vodQA Pune (2019) - Browser automation using dev tools
byvodQA
 
PPTX
vodQA Pune (2019) - Augmented reality overview and testing challenges
byvodQA
 
PPTX
vodQA Pune (2019) - Testing AI,ML applications
byvodQA
 
PPTX
vodQA Pune (2019) - Design patterns in test automation
byvodQA
 
PPTX
vodQA Pune (2019) - Testing ethereum smart contracts
byvodQA
 
PPTX
vodQA Pune (2019) - Insights into big data testing
byvodQA
 
PDF
vodQA Pune (2019) - Performance testing cloud deployments
byvodQA
 
PDF
vodQA Pune (2019) - Jenkins pipeline As code
byvodQA
 
PPTX
vodQA(Pune) 2018 - Consumer driven contract testing using pact
byvodQA
 
PPTX
vodQA(Pune) 2018 - Visual testing of web apps in headless environment manis...
byvodQA
 
PPTX
vodQA(Pune) 2018 - Enhancing the capabilities of testing team preparing for...
byvodQA
 
PPTX
vodQA(Pune) 2018 - QAing the security way
byvodQA
 
PPTX
vodQA(Pune) 2018 - Docker in Testing
byvodQA
 
Performance Testing
byvodQA
 
Testing Strategy in Micro Frontend architecture
byvodQA
 
Api testing libraries using java script an overview
byvodQA
 
Testing face authentication on mobile
byvodQA
 
Testing cna
byvodQA
 
Etl engine testing with scala
byvodQA
 
EDA for QAs
byvodQA
 
vodQA Pune (2019) - Browser automation using dev tools
byvodQA
 
vodQA Pune (2019) - Augmented reality overview and testing challenges
byvodQA
 
vodQA Pune (2019) - Testing AI,ML applications
byvodQA
 
vodQA Pune (2019) - Design patterns in test automation
byvodQA
 
vodQA Pune (2019) - Testing ethereum smart contracts
byvodQA
 
vodQA Pune (2019) - Insights into big data testing
byvodQA
 
vodQA Pune (2019) - Performance testing cloud deployments
byvodQA
 
vodQA Pune (2019) - Jenkins pipeline As code
byvodQA
 
vodQA(Pune) 2018 - Consumer driven contract testing using pact
byvodQA
 
vodQA(Pune) 2018 - Visual testing of web apps in headless environment manis...
byvodQA
 
vodQA(Pune) 2018 - Enhancing the capabilities of testing team preparing for...
byvodQA
 
vodQA(Pune) 2018 - QAing the security way
byvodQA
 
vodQA(Pune) 2018 - Docker in Testing
byvodQA
 

Recently uploaded

PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 

Security Testing hands on Workshop Material

  • 1.
  • 2.
  • 3.
    3 Not so powerful? ●What XSS means to most of the people at first is, XSS won't be a big issue. It won't be very harmful. ● And If you report an XSS bug, the very first question is, “what harm you can do by popping up an alert box?”
  • 4.
  • 5.
    5 ● Samy wantsto become every ones hero ● No more waiting, He wrote a JavaScript ● Injected into his profile page He wants to be a hero..
  • 6.
    6 What that scriptwill do? If you visit Samy's profile, then that code will execute in your browser. Samy's Profile with Injected Code Victim's profile Add Samy to my hero's list Send a friend request to Samy MySpace Server It will send a friend request to Samy on behalf of you Injected code gets copied to your profile Now Samy is victim's Hero
  • 7.
    7 So many friends... At12:30 am: You have 73 friends. 1 hour later, 1:30 am: You have 73 friends and 1 friend request. 8 hour later, 8:30 am: You have 518 friends and 561 friend requests. 10 hours later, 10:30 am: You have 2,503 friends and 6,373 friend requests. 13 hours later, 1:30 pm: You have 2,503 friends. 917,084 friend requests. A few minutes later, I refresh. 1,005,831 friend requests.
  • 8.
    8 One can't saythat anymore... In just 20 hours over one million people got affected by a JavaScript worm called Samy Worm that spread on MySpace(A social networking website once upon a time)
  • 9.
  • 10.
  • 11.
    11 Stays for ever... ●Ranked 1st in OWASP Top 10 vulnerabilities ● 97% of data breaches are still due to SQL Injection ● The most common form of attack against websites
  • 12.
    12 May be thelargest ever breach... Hackers exposed 130 million card numbers from Heartland Payment system in 2007
  • 13.
    13 select * from<some-table> where username='<user-input>' and password='<user-input>' Basic Login validation query.. select * from <some-table> where username='admin' or 1=1 #' and password='<user-input>'
  • 14.
    14 select * from<some-table> where id = <user-given-id> ID based content selection query select * from <some-table> where id = 1 UNION select 1,2,3 select * from <some-table> where id = 1 AND 1=0 UNION select 1,2,3
  • 15.
    THANKS For questions orsuggestions: Nagesh Podilapu nagesh.podilapu@thoughtworks.com