Web App Pentesting
101
Andrea Hauser
$ whoami
•Andrea Hauser (@aha_181)1
•Security Consultant
•DC4131, WoSEC, Blackhoodie, Bsides Zurich2, 3, 4 and 5
$ whoami
1) Me @Twitter: https://twitter.com/aha_181
2) DC4131: https://www.defcon-switzerland.org/
3) WoSEC: https://wearetechwomen.com/wosec-women-of-security/
4) Blackhoodie: https://www.blackhoodie.re/HackLu_schedule/
5) Bsides Zurich: https://bsideszh.ch/call-for-papers/
Hints
•PDF of slides exists (with more text and links)
• Ask me afterwards or hit me up on twitter
•A blog post will be published on Thursday
• https://scip.ch/en/?labs.20191024
Outline
•Security Consulting
•Web App Pentesting Introduction
• Demos
Security Consulting
Customer Service
Testing (Pentesting, Red Teaming, Reviews, …)
Reporting
Research
Web App Pentesting
Preparations
Setup
Prepare reporting method1 and 2
Set up tools
Review scope3 and 4
Setup
1) Reporting definition: http://www.pentest-standard.org/index.php/Reporting
2) Reporting examples: https://github.com/juliocesarfort/public-pentesting-reports
3) Scoping definition: http://www.pentest-standard.org/index.php/Pre-engagement
4) How to get the most from your penetration test (includes scoping):
https://www.ncsc.gov.uk/guidance/penetration-testing
Reporting
Tools
•Kali Linux VM1
•Favourite Browser
•Proxy (BurpSuite2 or OWASP ZAP3)
•nmap4
Tools
1) Kali Linux VM: https://www.kali.org/downloads/
2) BurpSuite: https://portswigger.net/burp
3) OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
4) nmap: https://nmap.org/
Scoping
Define targets
Define goals
Define methods
Scoping
What?
Where?
Why?
Who?
How?
When?
Methodology
•Reconnaissance
•Automated Testing1
•Manual Testing2, 3 and 4
Methodology
1) BurpSuite extensions: https://portswigger.net/bappstore
2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
3) OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
4) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/
Web App Pentesting
Technical
OWASP Top 10
•Open Web Application Security Project1
•List of top 10 vulnerabilities2
OWASP Top 10
1) OWASP: https://www.owasp.org/index.php/Main_Page
2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Injection
•OWASP Top 10 - A12
•User input executed without validation
•Payload SQL Injection1:
' OR 1=1--
Injection
1) SQL Injection Tutorial: https://portswigger.net/web-security/sql-injection
2) OWASP Top 10 - A1: https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Injection
The example is a web shop with a category filter which is vulnerable to SQL Injection
Initial normal Request →
Injection
Initial normal Response
Injection
Normal Request with filter
Injection
Attack with Payload:
' OR 1=1--
Injection
Successful attack with more results
Injection
Vulnerable Code
"SELECT * FROM products WHERE cat='" + req.getParam("category") + "' AND released = 1";
Injection
URL: /filter?category=Accessories
"SELECT * FROM products WHERE cat='Accessories' AND released = 1";
Injection
URL: /filter?category=' OR 1=1--
"SELECT * FROM products WHERE cat='' OR 1=1--' AND released = 1";
Injection
Fixed Code
String q = "SELECT * FROM products WHERE cat = ? AND released = 1";
PreparedStatement p = con.prepareStatement(q);
p.setString(1, req.getParam("category"));
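Added example (not from the deck): the web-shop category filter from the slides rebuilt against an in-memory SQLite table, so the concatenated query and the parameterized fix can be run side by side with the normal request and with the deck's payload. The product rows, the `released` values and the `filter_*`/`demo` function names are constructed for this example; the deck shows only the query strings.

```python
import sqlite3

# Constructed sample data for the web shop from the demo: only rows with
# released = 1 are meant to be visible through the category filter.
PRODUCTS = [
    ("Gift Card", "Gifts", 1),
    ("Cap", "Accessories", 1),
    ("Sunglasses", "Accessories", 1),
    ("Unreleased Hat", "Accessories", 0),
    ("Secret Gadget", "Gadgets", 0),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, cat TEXT, released INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return con


def filter_vulnerable(con, category):
    # Same construction as the deck's "Vulnerable Code": the request parameter
    # is concatenated into the SQL text, so a quote in it closes the literal
    # and everything after it is parsed as SQL ("--" comments out the rest).
    q = ("SELECT name FROM products WHERE cat='" + category
         + "' AND released = 1")
    return sorted(row[0] for row in con.execute(q))


def filter_fixed(con, category):
    # The deck's "Fixed Code": a parameterized query. The category is bound as
    # a value; the statement text never changes, whatever the parameter holds.
    q = "SELECT name FROM products WHERE cat = ? AND released = 1"
    return sorted(row[0] for row in con.execute(q, (category,)))


def demo():
    """Run the normal request and the deck's payload through both versions."""
    con = make_db()
    payload = "' OR 1=1--"   # the payload shown on the slides
    return {
        "normal_vulnerable": filter_vulnerable(con, "Accessories"),
        "attack_vulnerable": filter_vulnerable(con, payload),
        "normal_fixed": filter_fixed(con, "Accessories"),
        "attack_fixed": filter_fixed(con, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable version returns every product, unreleased ones included, for the payload; the parameterized version looks for a category literally named `' OR 1=1--` and returns nothing.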
Injection
•Injection Prevention Cheat Sheet (OWASP)1, 2 and 3
Injection
1) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/
2) Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
3) Query Parameterization Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
Broken Authentication
•OWASP Top 10 - A21
•Everything regarding authentication weaknesses
Broken Authentication
1) OWASP Top 10 - A2: https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
Creation of a new user: in the default settings, username and password are saved in plaintext
Broken Authentication
What happened?
fancyUserName fancyPassword
Broken Authentication
What should have happened?1, 2 and 3
fancyUserName 102b04394cedfeac6abe02dd94007eb076bc4cba13a0e9bd965b96cb8f696f52125Ce189eca166d7176d3e8a2be068b5209bbca07ad86440d36a36695599247c
Broken Authentication
1) Password hashing: https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e
2) scrypt: http://www.tarsnap.com/scrypt.html
3) Argon2: https://password-hashing.net/
Broken Authentication
•Hashing algorithm not usually part of a Web App Pentest
First run of session id harvesting
Second run of session id harvesting
The session ids are the same between the two runs
Broken Authentication
First run
Token: _j_Shs8ujMHRPgR
Token: __ESsW9SfUHbPIR
Token: _EhsWu_QfUHbPIR
Token: _hsSuS-JfUHbPIR
Token: _sWTSQAxfUHbPIR
Token: _WuTQJBxfUHbPIR
Second run
Token: _j_9hsNu3uQQGFR
Token: __E9sWOS02QaGuR
Token: _Eh9WuPQ02QaGuR
Token: _hs9uSQJ02QaGuR
Token: _sW9SQRx02QaGuR
Token: _Wu9QJSx02QaGuR
Broken Authentication
•ID not random
•Known characters marked x (shown in red on the original slide)
x _ _ _ _ _ x _ x x x x x x x
•Brute force: 6 chars
Broken Authentication
What happened?
ID: 1 Token: 123456789
ID: 2 Token: 1abcde789
ID: 3 Token: 1zyxwv879
Broken Authentication
What should have happened?
ID: 83 Token: 509d3sz3c
ID: 1764 Token: 00r839scc
ID: 454 Token: nlzca1b10
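Added example (not from the deck): a constructed generator that reproduces the two failures on the slides, identical session ids across two server runs and character positions that never change, beside a CSPRNG-based generator, plus the check a tester applies to a batch of harvested ids. The internals of the weak generator (fixed seed, user id embedded in the token) are invented for illustration; the deck does not say how the demo application built its ids.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "_-"
TOKEN_LEN = 15  # the harvested ids on the slides are 15 characters long


def weak_session_ids(user_ids, server_start_seed=1234):
    """Constructed 'what happened' generator. The PRNG is seeded with a value
    that is the same on every server start, and the token is a fixed prefix,
    six PRNG characters, the zero-padded user id and a fixed suffix. Not
    suitable for session ids; it exists only to be measured below."""
    rng = random.Random(server_start_seed)
    ids = []
    for uid in user_ids:
        middle = "".join(rng.choice(ALPHABET) for _ in range(6))
        ids.append("_" + middle + format(uid, "07d") + "R")
    return ids


def strong_session_ids(user_ids):
    """'What should have happened': every id is fresh CSPRNG output, unrelated
    to the user id and to anything generated before. 11 random bytes encode
    to 15 URL-safe characters (88 bits of entropy)."""
    return [secrets.token_urlsafe(11) for _ in user_ids]


def constant_positions(tokens):
    """Positions at which every token in the batch carries the same character,
    i.e. the 'known characters' marked on the slide. A good generator yields
    none; each constant position is one an attacker never has to guess."""
    length = min(len(t) for t in tokens)
    return [i for i in range(length) if len({t[i] for t in tokens}) == 1]


def overlap_between_runs(generate, user_ids):
    """Generate ids twice, as in the two harvesting runs on the slides, and
    count how many ids from the first run reappear in the second."""
    first, second = generate(user_ids), generate(user_ids)
    return len(set(first) & set(second))


if __name__ == "__main__":
    uids = [1, 2, 3, 4, 5, 6]
    for name, gen in (("weak", weak_session_ids), ("strong", strong_session_ids)):
        batch = gen(uids)
        print(name, "ids repeated across runs:", overlap_between_runs(gen, uids))
        print(name, "constant positions:", constant_positions(batch))
```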
Broken Authentication
•Authentication Cheat Sheet1
•Credential Stuffing Cheat Sheet2
•Forgot Password Cheat Sheet3
•Session Management Cheat Sheet4
Broken Authentication
1) Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
2) Credential Stuffing Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html
3) Forgot Password Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
4) Session Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
Sensitive Data Exposure
•OWASP Top 10 - A31
•Weak encryption/hashing of data
Sensitive Data Exposure
1) OWASP Top 10 - A3: https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
Sensitive Data Exposure
•Passwords saved in plaintext
•Default setup: not HTTPS
Cross Site Scripting (XSS)
•OWASP Top 10 - A71
•User input returned without validation2 and 3
•Payload:
<script>alert("XSS")</script>
Cross Site Scripting (XSS)
1) OWASP Top 10 - A7: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
2) Description: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
3) Tutorial: https://portswigger.net/web-security/cross-site-scripting
Cross Site Scripting (XSS)
Final Payload:
<script>alert("XSS")</script>
Cross Site Scripting (XSS)
What happened?
<p id="username">
<script>alert("XSS")</script>
</p>
Cross Site Scripting (XSS)
What should have happened?1
<p id="username">
&lt;script&gt;alert("XSS")&lt;/script&gt;
</p>
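Added example (not from the deck): the `<p id="username">` rendering from the slides in both forms, plain concatenation and entity encoding with Python's `html.escape`, plus a small check that flags a live `<script>` tag in rendered output. The function names are invented; `html.escape` also encodes the quote characters, one step further than the slide, which leaves them alone.

```python
import html
import re

# The payload shown on the slides, stored as a username at registration time.
USERNAME_PAYLOAD = '<script>alert("XSS")</script>'


def render_username_unsafe(username):
    # "What happened": the stored value is concatenated into the page as-is,
    # so the browser parses the <script> element and runs it.
    return '<p id="username">' + username + '</p>'


def render_username(username):
    # "What should have happened": entity-encode before placing user data in
    # an HTML body context. html.escape encodes < > & and, with quote=True,
    # also " and ', so the value can never close the element it sits in.
    return '<p id="username">' + html.escape(username, quote=True) + '</p>'


# Rough check on rendered output: an opening <script> tag a browser would parse.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered):
    """True if the rendered markup still contains a runnable <script> tag.
    Handy as a test assertion; it is not a substitute for output encoding."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    print(render_username_unsafe(USERNAME_PAYLOAD))
    print(render_username(USERNAME_PAYLOAD))
```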
Cross Site Scripting (XSS)
1) Prevention: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md
Cross Site Request Forgery (CSRF)
•OWASP Top 10 2013 - A81
•Forging requests, triggering every action a logged in user can do2
1) OWASP Top 10 2013 - A8: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
2) Tutorial: https://portswigger.net/web-security/csrf
Cross Site Request Forgery (CSRF)
Login as an administrative user
Triggering the Cross Site Request Forgery requests in the background
The top 3 requests are the triggered Cross Site Request Forgery requests
Newly added batch script
Resulting requests sent to a malicious server containing username/password of every user that logs in and triggers the maliciously created batch script
What happened?
POST /triggering/action
Cookie: Token
Well known content
Cross Site Request Forgery (CSRF)
What should have happened?1 and 2
POST /triggering/action
Cookie: Token
Well known content & RANDOM value
1) CSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
2) SameSite Cookie preventing CSRF: https://portswigger.net/web-security/csrf/samesite-cookies
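Added example (not from the deck) of the server side of the "what should have happened" request: a per-session random value that the form must echo back and that the handler verifies in constant time, plus a SameSite session cookie as the second defence the slide references. The in-memory session store, the request dict shape and the `csrf_token` form field name are assumptions for this example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data. A real
# application keeps this in its server-side session backend.
SESSIONS = {}


def create_session(username):
    """Log a user in. Both the session id and the per-session CSRF token (the
    RANDOM value on the slide) come from the CSPRNG; the token is never
    derived from the session id, so knowing one reveals nothing about the other."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie line for the session. SameSite=Lax makes browsers withhold
    the cookie on cross-site POSTs, the second defence cited on the slide."""
    return "Set-Cookie: Token=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % sid


def csrf_token_for(sid):
    """Value the server embeds in its own forms as a hidden csrf_token field."""
    return SESSIONS[sid]["csrf"]


def handle_triggering_action(request):
    """Server side of 'POST /triggering/action'. `request` is a constructed
    stand-in for a framework request: {'cookies': {...}, 'form': {...}}.
    Returns (status code, message)."""
    sid = request.get("cookies", {}).get("Token")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = request.get("form", {}).get("csrf_token", "")
    # A forged cross-site request carries the cookie (the browser adds it), but
    # the attacker's page cannot read this session's token, so the check fails.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "action performed for " + session["user"]


if __name__ == "__main__":
    sid = create_session("admin")
    print(session_cookie_header(sid))
    legit = {"cookies": {"Token": sid}, "form": {"csrf_token": csrf_token_for(sid)}}
    forged = {"cookies": {"Token": sid}, "form": {"name": "batch.cmd"}}
    print(handle_triggering_action(legit))
    print(handle_triggering_action(forged))
```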
Cross Site Request Forgery (CSRF)
Tutorials
•PortSwigger Web Security Academy1
•OWASP Juice Shop2
•https://www.root-me.org
•https://shellterlabs.com
1) PortSwigger Web Security Academy: https://portswigger.net/web-security
2) OWASP Juice Shop: https://www2.owasp.org/www-project-juice-shop/
Tutorials
Questions?
Thank you!

CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 

Web Application Penetration Testing - 101

  • 2. $ whoami: Andrea Hauser (@aha_181 [1]); Security Consultant; affiliations: [2], [3], [4], [5]
  • 3. $ whoami 1) Me @Twitter: https://twitter.com/aha_181 2) DC4131: https://www.defcon-switzerland.org/ 3) WoSEC: https://wearetechwomen.com/wosec-women-of-security/ 4) Blackhoodie: https://www.blackhoodie.re/HackLu_schedule/ 5) Bsides Zurich: https://bsideszh.ch/call-for-papers/
  • 4. Hints: PDF of slides exists (with more text and links); ask me afterwards or hit me up on Twitter. A blog post will be published on Thursday: https://scip.ch/en/?labs.20191024
  • 5. Outline: Security Consulting; Web App Pentesting Introduction; Demos
  • 6. Security Consulting: Customer Service; Testing (Pentesting, Red Teaming, Reviews, …); Reporting; Research
  • 9. Setup: Prepare reporting method [1, 2]; Set up tools; Review scope [3, 4]
  • 10. Setup 1) Reporting definition: http://www.pentest-standard.org/index.php/Reporting 2) Reporting examples: https://github.com/juliocesarfort/public-pentesting-reports 3) Scoping definition: http://www.pentest-standard.org/index.php/Pre-engagement 4) How to get the most from your penetration test (includes scoping): https://www.ncsc.gov.uk/guidance/penetration-testing
  • 12. Tools: Kali Linux VM [1]; Favourite Browser; Proxy (BurpSuite [2] or OWASP ZAP [3]); nmap [4]
  • 13. Tools 1) Kali Linux VM: https://www.kali.org/downloads/ 2) BurpSuite: https://portswigger.net/burp 3) OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 4) nmap: https://nmap.org/
  • 17. Methodology 1) BurpSuite extensions: https://portswigger.net/bappstore 2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 3) OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project 4) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/
  • 20. OWASP Top 10: Open Web Application Security Project [1]; List of top 10 vulnerabilities [2]
  • 21. OWASP Top 10 1) OWASP: https://www.owasp.org/index.php/Main_Page 2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 22. Injection: OWASP Top 10 - A1 [2]; User input executed without validation; SQL Injection [1] payload: ' OR 1=1--
  • 23. Injection 1) SQL Injection Tutorial: https://portswigger.net/web-security/sql-injection 2) OWASP Top 10 - A1: https://www.owasp.org/index.php/Top_10-2017_A1-Injection
  • 24. Injection: The example is a web shop with a category filter which is vulnerable to SQL Injection. Initial normal request →
  • 29. Injection: Vulnerable Code: "SELECT * FROM products WHERE cat='" + req.getParameter("category") + "' AND released = 1";
  • 30. Injection: URL: /filter?category=Accessories → "SELECT * FROM products WHERE cat='Accessories' AND released = 1";
  • 31. Injection: URL: /filter?category=' OR 1=1-- → "SELECT * FROM products WHERE cat='' OR 1=1--' AND released = 1";
  • 32. Injection: Fixed Code: String q = "SELECT * FROM products WHERE cat = ? AND released = 1"; PreparedStatement p = con.prepareStatement(q); p.setString(1, req.getParameter("category"));
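The vulnerable and fixed category filters of slides 29 to 32, carried through against a small database so the effect of the slide's payload can be observed end to end. This is an added example, not code from the slides: it uses Python's standard sqlite3 module in place of the Java PreparedStatement shown, and the product rows, the table layout and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the slides): a web shop
# product table with a "released" flag, like the category filter in the demo.
PRODUCTS = [
    ("Accessories", "Wallet", 1),
    ("Accessories", "Belt", 1),
    ("Accessories", "Unreleased watch", 0),
    ("Clothing", "Jacket", 1),
    ("Men's", "Tie", 1),   # a legitimate category value containing a quote
]


def make_db():
    """In-memory SQLite database holding the constructed PRODUCTS rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (cat TEXT, name TEXT, released INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return con


def filter_vulnerable(con, category):
    """Builds the query by string concatenation, as on slide 29.

    The user-controlled category becomes part of the SQL grammar, so a quote
    in it changes the statement itself instead of being compared as data.
    """
    q = ("SELECT name FROM products WHERE cat='" + category
         + "' AND released = 1")
    return [row[0] for row in con.execute(q)]


def filter_fixed(con, category):
    """Parameterized query, as on slide 32: the category is bound as data."""
    q = "SELECT name FROM products WHERE cat = ? AND released = 1"
    return [row[0] for row in con.execute(q, (category,))]


def leaked_unreleased(con, category):
    """Defensive check for a test suite: the filter must never return
    unreleased rows. Returns the unreleased product names that the
    concatenating filter leaks for the given input (empty means none)."""
    try:
        returned = set(filter_vulnerable(con, category))
    except sqlite3.OperationalError:
        # A quote in the input broke the SQL syntax: a functional bug that
        # is itself a sign the statement is assembled from raw input.
        return []
    unreleased = {name for cat, name, released in PRODUCTS if not released}
    return sorted(returned & unreleased)


if __name__ == "__main__":
    con = make_db()
    print(filter_vulnerable(con, "Accessories"))   # ['Wallet', 'Belt']
    print(filter_vulnerable(con, "' OR 1=1--"))    # every row, released or not
    print(filter_fixed(con, "' OR 1=1--"))         # []
    print(filter_fixed(con, "Men's"))              # ['Tie']
```

With the slide's payload the concatenated query degenerates to `cat='' OR 1=1` followed by a comment, so the `released = 1` condition is discarded and the unreleased product is exposed; the parameterized version compares the whole string to the column and returns nothing. The "Men's" row shows the second benefit of binding: a legitimate apostrophe neither breaks the query nor needs hand-written escaping.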
  • 33. Injection: Injection Prevention Cheat Sheet (OWASP) [1, 2, 3]
  • 34. Injection 1) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/ 2) Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html 3) Query Parameterization Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
  • 35. Broken Authentication: OWASP Top 10 - A2 [1]; Everything regarding authentication weaknesses
  • 36. Broken Authentication 1) OWASP Top 10 - A2: https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
  • 38. Creation of a new user
  • 39. In the default settings, username and password are saved in plaintext
  • 42. Broken Authentication: What should have happened? [1, 2, 3] fancyUserName → 102b04394cedfeac6abe02dd94007eb076bc4cba13a0e9bd965b96cb8f696f52125ce189eca166d7176d3e8a2be068b5209bbca07ad86440d36a36695599247c
  • 43. Broken Authentication 1) Password hashing: https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e 2) scrypt: http://www.tarsnap.com/scrypt.html 3) Argon2: https://password-hashing.net/
  • 44. Broken Authentication: The hashing algorithm is not usually checked in a web app pentest
  • 45. First run of session id harvesting; second run of session id harvesting; the session ids are the same between the two runs
  • 46. Broken Authentication: First run: Token: _j_Shs8ujMHRPgR, Token: __ESsW9SfUHbPIR, Token: _EhsWu_QfUHbPIR, Token: _hsSuS-JfUHbPIR, Token: _sWTSQAxfUHbPIR, Token: _WuTQJBxfUHbPIR; Second run: Token: _j_9hsNu3uQQGFR, Token: __E9sWOS02QaGuR, Token: _Eh9WuPQ02QaGuR, Token: _hs9uSQJ02QaGuR, Token: _sW9SQRx02QaGuR, Token: _Wu9QJSx02QaGuR
  • 51. Broken Authentication: ID not random; Known characters (highlighted in red on the slide) marked x: x _ _ _ _ _ x _ x x x x x x x; Brute force: 6 chars
  • 52. Broken Authentication: What happened? ID: 1 → Token: 123456789; ID: 2 → Token: 1abcde789; ID: 3 → Token: 1zyxwv879
  • 53. Broken Authentication: What should have happened? ID: 83 → Token: 509d3sz3c; ID: 1764 → Token: 00r839scc; ID: 454 → Token: nlzca1b10
  • 54. Broken Authentication: Authentication Cheat Sheet [1]; Credential Stuffing Cheat Sheet [2]; Forgot Password Cheat Sheet [3]; Session Management Cheat Sheet [4]
  • 55. Broken Authentication 1) Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html 2) Credential Stuffing Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html 3) Forgot Password Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
  • 56. Broken Authentication 4) Session Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
  • 57. Sensitive Data Exposure: OWASP Top 10 - A3 [1]; Weak encryption/hashing of data
  • 58. Sensitive Data Exposure 1) OWASP Top 10 - A3: https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
  • 59. Sensitive Data Exposure: Passwords saved in plaintext; Default setup: not HTTPS
  • 60. Cross Site Scripting (XSS): OWASP Top 10 - A7 [1]; User input returned without validation [2, 3]; Payload: <script>alert("XSS")</script>
  • 61. Cross Site Scripting (XSS) 1) OWASP Top 10 - A7: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS) 2) Description: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 3) Tutorial: https://portswigger.net/web-security/cross-site-scripting
  • 62. Cross Site Scripting (XSS): Final Payload: <script>alert("XSS")</script>
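Slides 42 and 53 describe what should have happened in the broken authentication demo: a salted, slow password hash instead of plaintext, and session tokens that carry no fixed or predictable characters. The following is an added example, not the slides' code, that does both with the Python standard library and also implements the constant-character part of the check behind slide 51, reporting the positions at which every harvested token agrees (the slide's red highlighting additionally marks positions that follow a predictable sequence, which this simple check does not detect). PBKDF2-HMAC-SHA512 is used because it is built into hashlib and yields the same 128-hex-digit output length as slide 42; scrypt and Argon2, referenced on slide 43, are the stronger choices for new code. The twelve tokens are the ones shown on slide 46; the function names and the stored-hash format are this example's own.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA512 (OWASP's current recommendation is 210,000).
PBKDF2_ITERATIONS = 210_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA512, stored as algo$iterations$salt$hash.

    The random per-user salt makes equal passwords hash differently and
    defeats precomputed tables; the iteration count slows down guessing.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)   # 64 bytes
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_session_token():
    """128 bits from the OS CSPRNG, URL-safe base64: no user id, no counter."""
    return secrets.token_urlsafe(16)


def constant_positions(tokens):
    """Positions at which every token carries the same character.

    Characters an attacker can predict do not have to be guessed, so each
    such position shrinks the effective length of the token (slide 51).
    """
    if not tokens:
        return []
    width = min(len(t) for t in tokens)
    return [i for i in range(width) if len({t[i] for t in tokens}) == 1]


# Session ids harvested in the demo, as shown on slide 46.
FIRST_RUN = ["_j_Shs8ujMHRPgR", "__ESsW9SfUHbPIR", "_EhsWu_QfUHbPIR",
             "_hsSuS-JfUHbPIR", "_sWTSQAxfUHbPIR", "_WuTQJBxfUHbPIR"]
SECOND_RUN = ["_j_9hsNu3uQQGFR", "__E9sWOS02QaGuR", "_Eh9WuPQ02QaGuR",
              "_hs9uSQJ02QaGuR", "_sW9SQRx02QaGuR", "_Wu9QJSx02QaGuR"]


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)   # the last field is 128 hex digits, as on slide 42
    print(verify_password("correct horse battery staple", stored))   # True
    print(constant_positions(FIRST_RUN))                  # [0, 10, 12, 14]
    print(constant_positions(FIRST_RUN + SECOND_RUN))     # [0, 14]
    print(constant_positions([new_session_token() for _ in range(50)]))  # []
```

Run against the first harvesting run, the check flags four positions that never change; run against both runs together it still flags the first and last character, which is exactly the kind of structure that lets a tester shorten a brute-force search. Tokens from `secrets.token_urlsafe` show no constant position even across many samples.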
  • 64. Cross Site Scripting (XSS): What happened? <p id="username"><script>alert("XSS")</script></p>
  • 65. Cross Site Scripting (XSS): What should have happened? [1] <p id="username">&lt;script&gt;alert("XSS")&lt;/script&gt;</p>
  • 66. Cross Site Scripting (XSS) 1) Prevention: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md
  • 67. Cross Site Request Forgery (CSRF): OWASP Top 10 2013 - A8 [1]; Forging requests, triggering every action a logged in user can do [2]
  • 68. Cross Site Request Forgery (CSRF) 1) OWASP Top 10 2013 - A8: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) 2) Tutorial: https://portswigger.net/web-security/csrf
  • 69. Login as an administrative user
  • 70. Triggering the Cross Site Request Forgery requests in the background
  • 71. The top 3 requests are the triggered Cross Site Request Forgery requests
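Slides 64 and 65 contrast the reflected username with its entity-encoded form. As an added example that is not part of the slides, this renders the username into the page element with and without HTML output encoding using Python's `html.escape`, and adds the kind of assertion a test suite can run over rendered markup. The function names are this example's own.

```python
import html

# The payload from slide 60, used here as the username under test.
PAYLOAD = '<script>alert("XSS")</script>'


def render_username_unsafe(username):
    """Slide 64: the input is copied into the markup unchanged, so the
    browser parses "<script>" as a tag and executes its contents."""
    return f'<p id="username">{username}</p>'


def render_username_safe(username):
    """Slide 65: HTML entity encoding for element content. quote=True also
    turns quotes into entities, which matters if the same value is ever
    placed inside an attribute such as value="..."."""
    return f'<p id="username">{html.escape(username, quote=True)}</p>'


def element_body_is_inert(rendered):
    """Check for a test suite: nothing between the <p> tags may contain a raw
    '<' or '>' once the untrusted value has been inserted."""
    body = rendered[len('<p id="username">'):-len('</p>')]
    return "<" not in body and ">" not in body


if __name__ == "__main__":
    print(render_username_unsafe(PAYLOAD))
    print(render_username_safe(PAYLOAD))
```

Encoding at output time, in the context where the value lands, is what the prevention cheat sheet referenced on slide 66 describes; input validation alone would not have stopped this, because the username is a free-text field that legitimately may contain angle brackets.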
  • 73. Resulting requests sent to a malicious server, containing the username/password of every user who logs in and thereby triggers the maliciously created batch script
  • 74. Cross Site Request Forgery (CSRF): What happened? POST /triggering/action; Cookie: Token; Well known content
  • 75. Cross Site Request Forgery (CSRF): What should have happened? [1, 2] POST /triggering/action; Cookie: Token; Well known content & RANDOM value
  • 76. Cross Site Request Forgery (CSRF) 1) CSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html 2) SameSite Cookie preventing CSRF: https://portswigger.net/web-security/csrf/samesite-cookies
  • 77. Tutorials: PortSwigger Web Security Academy [1]; OWASP Juice Shop [2]; https://www.root-me.org; https://shellterlabs.com
  • 78. Tutorials 1) PortSwigger Web Security Academy: https://portswigger.net/web-security 2) OWASP Juice Shop: https://www2.owasp.org/www-project-juice-shop/
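Slides 74 and 75 show the forged POST and the version the server should have insisted on: the same well-known content plus a random value that a page on another origin cannot know. This added example, not the slides' code, keeps a per-session anti-CSRF token, embeds it in the legitimate form, and rejects any POST to /triggering/action that does not carry it; it also emits the SameSite cookie attribute referenced on slide 76 as a second, browser-enforced layer. The Session class, the form dictionary and the function names are constructed for this example.

```python
import hmac
import secrets


class Session:
    """Server-side session: an unguessable id plus a per-session CSRF token."""

    def __init__(self):
        self.id = secrets.token_urlsafe(32)
        self.csrf_token = secrets.token_urlsafe(32)


def session_cookie_header(session):
    """SameSite=Lax stops the browser attaching the cookie to cross-site
    POSTs, so a forged form arrives without the victim's session."""
    return f"Set-Cookie: session={session.id}; HttpOnly; Secure; SameSite=Lax"


def render_form(session):
    """The legitimate page: the random value travels as a hidden field."""
    return ('<form method="post" action="/triggering/action">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="setting"><button>Save</button></form>')


def handle_action(session, form):
    """POST /triggering/action. Returns an HTTP status: 200 only when the
    submitted token matches the one bound to this session."""
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes; compare_digest rejects non-ASCII str.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session.csrf_token.encode("utf-8")):
        return 403
    # ... perform the state-changing action here ...
    return 200


if __name__ == "__main__":
    s = Session()
    # Slide 74: the forged request carries the cookie and well-known content.
    print(handle_action(s, {"setting": "evil"}))                           # 403
    # Slide 75: the genuine form also carries the random value.
    print(handle_action(s, {"setting": "ok", "csrf_token": s.csrf_token}))  # 200
```

The token must be bound to the session (here, stored on it) rather than merely present, and it must be unguessable; the SameSite attribute is defence in depth, since older browsers ignore it.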