LET'S H4CK
By H4rryp0tt3r
XSS
(Cross-Site Scripting)
Not so powerful?
● To most people, XSS at first looks like a minor issue: surely it cannot do much harm.
● Report an XSS bug and the very first question you hear is, “what harm can you do by popping up an alert box?”
He wants to be a hero...
● Samy wants to become everyone's hero
● No more waiting: he wrote some JavaScript
● and injected it into his own MySpace profile page
What does that script do?
If you visit Samy's profile, the injected code executes in your browser, with your own MySpace session:
1. Samy's profile (with the injected code) is loaded in the victim's browser.
2. The script adds Samy to the victim's hero list.
3. The script sends a friend request to Samy on the victim's behalf (the MySpace server sees an ordinary authenticated request from the victim).
4. The injected code copies itself into the victim's profile, so everyone who later views the victim's profile is infected in turn.
Now Samy is the victim's hero.
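The mechanism above in runnable form. This is an added example, not code from the slides or from the Samy worm itself: the profile texts, the visit sequence and the payload are constructed here, and the payload is an inert string that stands in for the worm's script and is never handed to a browser. It shows the vulnerable sink (untrusted profile text concatenated into the page) beside the hardened form (output encoding with html.escape) and simulates how a stored payload propagates from profile to profile when the sink is vulnerable, and not at all when it is encoded.

```python
"""Stored XSS worm propagation, simulated (added example, not from the slides)."""
import html
import re

# Constructed payload in the spirit of the Samy worm. It is a plain string here;
# in the real attack the <script> ran in every visitor's authenticated session.
WORM_PAYLOAD = (
    "samy is my hero"
    "<script>/* send friend request to samy; copy this script into the viewer's profile */</script>"
)


def render_vulnerable(about_me: str) -> str:
    """Untrusted profile text concatenated straight into the HTML page."""
    return "<div class='about'>" + about_me + "</div>"


def render_safe(about_me: str) -> str:
    """Same page, with output encoding for the HTML-body context:
    <, >, &, ' and " become entities, so the browser shows them as text."""
    return "<div class='about'>" + html.escape(about_me, quote=True) + "</div>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def browser_would_execute(page: str) -> bool:
    """Stand-in for the browser's HTML parser: a literal <script tag in the
    rendered page is script the browser would run."""
    return _SCRIPT_TAG.search(page) is not None


def visit(profiles: dict, viewer: str, target: str, render) -> None:
    """Simulate `viewer` opening `target`'s profile.

    If the rendered page carries executable script, the script does what the
    Samy worm did: it writes itself into the viewer's own profile, so the
    viewer's future visitors are infected in turn."""
    page = render(profiles[target])
    if browser_would_execute(page) and WORM_PAYLOAD not in profiles[viewer]:
        profiles[viewer] += WORM_PAYLOAD


def spread(render, visits) -> list:
    """Constructed scenario: samy seeds his own profile, then users browse
    each other in the given order. Returns the users whose profiles end up
    carrying the payload (samy is always among them; he put it there)."""
    profiles = {"samy": WORM_PAYLOAD, "alice": "hi", "bob": "hello", "carol": "hey"}
    for viewer, target in visits:
        visit(profiles, viewer, target, render)
    return sorted(user for user, text in profiles.items() if WORM_PAYLOAD in text)


if __name__ == "__main__":
    chain = [("alice", "samy"), ("bob", "alice"), ("carol", "bob")]
    print("vulnerable renderer, infected:", spread(render_vulnerable, chain))
    print("encoded renderer, infected:   ", spread(render_safe, chain))
```

html.escape is the right encoder only for text placed in the HTML body or in a quoted attribute; a value placed inside a JavaScript string, a URL or a CSS property needs the encoder for that context. The real Samy worm got past MySpace's tag filter through a CSS style attribute carrying a javascript: URL, which is why encoding on output beats blacklisting tags.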
So many friends...
At 12:30 am: You have 73 friends.
1 hour later, 1:30 am: You have 73 friends and 1 friend request.
8 hours later, 8:30 am: You have 518 friends and 561 friend requests.
10 hours later, 10:30 am: You have 2,503 friends and 6,373 friend requests.
13 hours later, 1:30 pm: You have 2,503 friends. 917,084 friend requests.
A few minutes later, I refresh. 1,005,831 friend requests.
One can't say that anymore...
In under 20 hours, over one million people were affected by a JavaScript worm, the Samy worm, spreading on MySpace (a social networking website, once upon a time).
Simple XSS demo URLs
https://www.google.com/about/appsecurity/learning/xss/
https://google-gruyere.appspot.com/start
SQL Injection
Stays forever...
● Injection ranked 1st in the OWASP Top 10 (2010, 2013 and 2017 editions)
● A widely quoted figure attributes 97% of data breaches to SQL Injection
● The most common form of attack against websites
Maybe the largest ever breach...
Attackers used SQL injection to break into Heartland Payment Systems (intrusion beginning in 2007, disclosed in 2009) and exposed around 130 million card numbers.
Basic login validation query:
select * from <some-table> where username='<user-input>' and password='<user-input>'

With the username set to  admin' or 1=1 #  the query becomes:
select * from <some-table> where username='admin' or 1=1 #' and password='<user-input>'
Everything after # is a MySQL comment, so the password check disappears and the WHERE clause is true for every row (in other dialects use -- followed by a space for the same effect).
ID-based content selection query:
select * from <some-table> where id = <user-given-id>

The id is spliced in unquoted, so no quote is needed to break out. With  1 UNION select 1,2,3  as the id:
select * from <some-table> where id = 1 UNION select 1,2,3
The UNION must supply as many columns as the original select; the numbers show which columns are echoed to the page and can then be swapped for columns of another table.

With  1 AND 1=0 UNION select 1,2,3  the original row is suppressed and only the attacker-chosen row comes back:
select * from <some-table> where id = 1 AND 1=0 UNION select 1,2,3
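Both queries from the last two slides, run against an in-memory SQLite database so the behaviour can be checked rather than read. This is an added example, not code from the slides: the tables, rows and column names are constructed here. Each vulnerable query (user input concatenated into the SQL string) is shown beside its parameterised form. SQLite does not treat # as a comment, so the login payload uses the -- form; the effect is the same as the MySQL # on the slide.

```python
"""SQL injection against the slide's two queries, with fixes (added example)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a users table and an articles table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'wonderland');
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'first post'), (2, 'Bye', 'last post');
        """
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The slide's login query: user input glued into the SQL text."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    """Same query with bound parameters: the driver sends the values out of
    band, so a quote inside the username is just a character in the data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def article_vulnerable(conn, user_given_id: str) -> list:
    """The slide's id query: the id is spliced in unquoted, so no quote is
    needed to break out and a UNION can pull rows from any other table."""
    sql = "SELECT id, title, body FROM articles WHERE id = " + user_given_id
    return conn.execute(sql).fetchall()


def article_safe(conn, user_given_id: str) -> list:
    """Validate the type first (an id is a plain integer, nothing else),
    then bind it as a parameter."""
    if not user_given_id.strip().isdigit():
        return []
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (int(user_given_id),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Log in as admin without the password: the -- comments out the password check.
    print(login_vulnerable(db, "admin' --", "wrong"))
    print(login_safe(db, "admin' --", "wrong"))
    # Probe the column count, then replace the numbers with another table's columns.
    print(article_vulnerable(db, "1 UNION SELECT 1,2,3"))
    print(article_vulnerable(db, "1 AND 1=0 UNION SELECT id, username, password FROM users"))
    print(article_safe(db, "1 AND 1=0 UNION SELECT id, username, password FROM users"))
```

The parameterised login returns nothing for the injected username because the whole string, quote and comment included, is compared against the username column. The article fix does two things: it rejects anything that is not an integer before the database ever sees it, and it binds the integer, so even a numeric column cannot be used to smuggle in a UNION.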
THANKS
For questions or suggestions:
Nagesh Podilapu
nagesh.podilapu@thoughtworks.com
Security Testing hands on Workshop Material