Web App Pentesting
101
Andrea Hauser
$ whoami
• Andrea Hauser (@aha_181) [1]
• Security Consultant
• DC4131 [2], WoSEC [3], Blackhoodie [4], BSides Zurich [5]
$ whoami
1) Me @Twitter: https://twitter.com/aha_181
2) DC4131: https://www.defcon-switzerland.org/
3) WoSEC: https://wearetechwomen.com/wosec-women-of-security/
4) Blackhoodie: https://www.blackhoodie.re/HackLu_schedule/
5) Bsides Zurich: https://bsideszh.ch/call-for-papers/
Hints
• A PDF of the slides exists (with more text and links): ask me afterwards or hit me up on Twitter
• A blog post will be published on Thursday: https://scip.ch/en/?labs.20191024
Outline
•Security Consulting
•Web App Pentesting Introduction
• Demos
Security Consulting
Customer Service
Testing (Pentesting, Red Teaming, Reviews, …)
Reporting
Research
Web App
Pentesting
Preparations
Setup
• Prepare reporting method [1, 2]
• Set up tools
• Review scope [3, 4]
Setup
1) Reporting definition: http://www.pentest-standard.org/index.php/Reporting
2) Reporting examples: https://github.com/juliocesarfort/public-pentesting-reports
3) Scoping definition: http://www.pentest-standard.org/index.php/Pre-engagement
4) How to get the most from your penetration test (includes scoping): https://www.ncsc.gov.uk/guidance/penetration-testing
Reporting
Tools
• Kali Linux VM [1]
• Favourite browser
• Proxy (Burp Suite [2] or OWASP ZAP [3])
• nmap [4]
Tools
1) Kali Linux VM: https://www.kali.org/downloads/
2) Burp Suite: https://portswigger.net/burp
3) OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
4) nmap: https://nmap.org/
Scoping
Define targets
Define goals
Define methods
Scoping
What?
Where?
Why?
Who?
How?
When?
Methodology
• Reconnaissance
• Automated testing [1]
• Manual testing [2, 3, 4]
Methodology
1) BurpSuite extensions: https://portswigger.net/bappstore
2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
3) OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
4) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/
Web App
Pentesting
Technical
OWASP Top 10
• Open Web Application Security Project [1]
• List of the ten most critical web application security risk categories (the 2017 edition is used here) [2]
OWASP Top 10
1) OWASP: https://www.owasp.org/index.php/Main_Page
2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Injection
• OWASP Top 10 - A1 [2]
• User input is concatenated into a query and executed without validation or parameterization
• SQL Injection payload [1]:
' OR 1=1--
Injection
1) SQL Injection Tutorial: https://portswigger.net/web-security/sql-injection
2) OWASP Top 10 - A1: https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Injection
The example is a web shop with a category filter which is vulnerable to SQL Injection.
Demo (screenshots):
• Initial normal request and response
• Normal request with the category filter
• Attack with payload: ' OR 1=1--
• Successful attack: the response contains more results than the filter should return
Injection
Vulnerable Code
"SELECT * FROM products
 WHERE cat='" + req.getParam("category") + "'
 AND released = 1";
Injection
URL: /filter?category=Accessories
"SELECT * FROM products
 WHERE cat='Accessories'
 AND released = 1";
Injection
URL: /filter?category=' OR 1=1--
"SELECT * FROM products
 WHERE cat='' OR 1=1--'
 AND released = 1";
The injected quote closes the string literal, OR 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the query, including the trailing quote and the released = 1 filter. That is why the attack returns more rows (unreleased products included) than any legitimate category value can.
Injection
Fixed Code
String q = "SELECT * FROM products WHERE cat = ? AND released = 1";
PreparedStatement p = con.prepareStatement(q);
p.setString(1, req.getParam("category"));
The category is bound to the ? placeholder as a value, so it is never parsed as SQL, whatever characters it contains.
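The vulnerable and the fixed query side by side, as an added runnable example (not code from the slides): Python with an in-memory SQLite table standing in for the shop's products table. The table contents and the column names id/cat/name/released are constructed for this example; the payload is the one from the slides.

```python
import sqlite3

# Constructed sample data standing in for the shop's products table.
# released = 0 rows are unreleased products that the filter must never return.
PRODUCTS = [
    (1, "Accessories", "Belt", 1),
    (2, "Accessories", "Scarf", 1),
    (3, "Clothing", "Jacket", 1),
    (4, "Accessories", "Prototype watch", 0),
    (5, "Clothing", "Unreleased coat", 0),
]

PAYLOAD = "' OR 1=1--"   # the payload from the slides


def make_db():
    """Create an in-memory SQLite database holding the constructed products table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, cat TEXT, name TEXT, released INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    return con


def filter_vulnerable(con, category):
    """Mirrors the slide's vulnerable Java: the parameter is pasted into the SQL text,
    so a quote in it ends the string literal and the remainder is parsed as SQL."""
    q = "SELECT id FROM products WHERE cat='" + category + "' AND released = 1"
    return sorted(row[0] for row in con.execute(q))


def filter_fixed(con, category):
    """Mirrors the PreparedStatement fix: the value is bound to the ? placeholder
    and is never parsed as SQL, whatever characters it contains."""
    q = "SELECT id FROM products WHERE cat=? AND released = 1"
    return sorted(row[0] for row in con.execute(q, (category,)))


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, normal :", filter_vulnerable(con, "Accessories"))
    print("vulnerable, payload:", filter_vulnerable(con, PAYLOAD))
    print("fixed, normal      :", filter_fixed(con, "Accessories"))
    print("fixed, payload     :", filter_fixed(con, PAYLOAD))
```

Run against filter_vulnerable, the payload returns every product id, including the two unreleased ones, because -- comments out the `AND released = 1` filter; against filter_fixed it returns nothing, since no category is literally named `' OR 1=1--`.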
Injection
• Injection Prevention Cheat Sheet (OWASP) [1, 2, 3]
Injection
1) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/
2) Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
3) Query Parameterization Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
Broken Authentication
• OWASP Top 10 - A2 [1]
• Everything regarding authentication and session management weaknesses
Broken Authentication
1) OWASP Top 10 - A2: https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
Demo (screenshots): creation of a new user. In the default settings, username and password are saved in plaintext.
Broken Authentication
What happened?
fancyUserName  fancyPassword
Broken Authentication
What should have happened? [1, 2, 3]
fancyUserName  102b04394cedfeac6abe02dd94007eb076bc4cba13a0e9bd965b96cb8f696f52125ce189eca166d7176d3e8a2be068b5209bbca07ad86440d36a36695599247c
Broken Authentication
1) Password hashing: https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e
2) scrypt: http://www.tarsnap.com/scrypt.html
3) Argon2: https://password-hashing.net/
Broken Authentication
• The hashing algorithm is usually not assessable in a web app pentest: the tester sees the login, not how credentials are stored
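What "should have happened" for the stored credential, as an added example (not code from the slides or the demo application): a salted, deliberately slow password hash with scrypt from Python's standard library, stored together with its parameters so it can be verified later. The record format `$scrypt$log2n$r$p$salt$hash` and the cost parameters are this example's own assumptions; pick the cost for your hardware (the OWASP cheat sheets referenced below give current minimums), and Argon2id is the recommended choice where a library for it is available.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: an assumption for this example (16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def _scrypt(password, salt, n, r, p):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def hash_password(password):
    """Return a self-describing record: algorithm, parameters, fresh random salt, hash.
    A new salt per user means two users with the same password get different records
    and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    log2n = SCRYPT_N.bit_length() - 1
    return f"$scrypt${log2n}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password, record):
    """Recompute with the parameters and salt stored in the record and compare in
    constant time. Any malformed record is treated as a failed login, never as a crash."""
    try:
        _, algo, log2n, r, p, salt_b64, digest_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = _scrypt(password, salt, 2 ** int(log2n), int(r), int(p))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed user store: the demo's user, stored the way it should have been.
    users = {"fancyUserName": hash_password("fancyPassword")}
    print(users)
    print("correct password:", verify_password("fancyPassword", users["fancyUserName"]))
    print("wrong password  :", verify_password("fancypassword", users["fancyUserName"]))
```

Because the parameters travel with the record, the cost can be raised later for new or re-hashed passwords without breaking verification of old ones.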
Demo (screenshots): a first run of session ID harvesting, then a second run.
The same characters appear in the same positions in both runs: the session IDs are not random.
Broken Authentication
First run
Token: _j_Shs8ujMHRPgR
Token: __ESsW9SfUHbPIR
Token: _EhsWu_QfUHbPIR
Token: _hsSuS-JfUHbPIR
Token: _sWTSQAxfUHbPIR
Token: _WuTQJBxfUHbPIR
Second run
Token: _j_9hsNu3uQQGFR
Token: __E9sWOS02QaGuR
Token: _Eh9WuPQ02QaGuR
Token: _hs9uSQJ02QaGuR
Token: _sW9SQRx02QaGuR
Token: _Wu9QJSx02QaGuR
Broken Authentication
• The session ID is not random
• Known (fixed) characters, shown in red on the slide, are marked x; varying characters are marked _:
x _ _ _ _ _ x _ x x x x x x x
• Only the 6 positions marked _ vary, so the remaining search space is small enough to brute force
Broken Authentication
What happened?
ID: 1 Token: 123456789
ID: 2 Token: 1abcde789
ID: 3 Token: 1zyxwv879
Broken Authentication
What should have happened?
ID: 83 Token: 509d3sz3c
ID: 1764 Token: 00r839scc
ID: 454 Token: nlzca1b10
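The column comparison the slides do by eye, as an added example (not a tool from the deck): compare harvested session IDs position by position, report which positions never change and how many values each varying position was seen to take, and contrast the result with IDs drawn from a CSPRNG. The six first-run IDs below are the ones printed on the slide; with so small a sample the script marks four positions as fixed, while the deck's red marking was drawn from its larger screenshots. In a real test you harvest hundreds of IDs (Burp Sequencer automates this) before drawing conclusions.

```python
import secrets
from collections import Counter

# The six first-run session IDs from the slides.
FIRST_RUN = [
    "_j_Shs8ujMHRPgR",
    "__ESsW9SfUHbPIR",
    "_EhsWu_QfUHbPIR",
    "_hsSuS-JfUHbPIR",
    "_sWTSQAxfUHbPIR",
    "_WuTQJBxfUHbPIR",
]


def analyze(tokens):
    """Column-wise comparison of equal-length tokens.
    Returns the positions that never change in the sample, a pattern string in the
    slide's notation (x = fixed, _ = varies) and a lower bound on the search space,
    computed only from the characters actually observed at each varying position."""
    lengths = {len(t) for t in tokens}
    if len(lengths) != 1:
        raise ValueError(f"tokens have mixed lengths: {sorted(lengths)}")
    length = lengths.pop()
    columns = [Counter(t[i] for t in tokens) for i in range(length)]
    fixed = [i for i, col in enumerate(columns) if len(col) == 1]
    pattern = " ".join("x" if i in fixed else "_" for i in range(length))
    observed_space = 1
    for i, col in enumerate(columns):
        if i not in fixed:
            observed_space *= len(col)
    return {
        "length": length,
        "fixed_positions": fixed,
        "variable_positions": length - len(fixed),
        "pattern": pattern,
        "observed_space": observed_space,
    }


def random_tokens(n, nbytes=32):
    """What should have happened: session IDs from the OS CSPRNG, 256 bits each."""
    return [secrets.token_urlsafe(nbytes) for _ in range(n)]


if __name__ == "__main__":
    print("harvested:", analyze(FIRST_RUN))
    print("CSPRNG   :", analyze(random_tokens(200)))
```

A fixed position in a large sample means that character carries no entropy; the attacker only has to guess the varying ones. For the CSPRNG tokens no position is fixed and every position takes values from the whole alphabet, which is what a session ID should look like.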
Broken Authentication
• Authentication Cheat Sheet [1]
• Credential Stuffing Prevention Cheat Sheet [2]
• Forgot Password Cheat Sheet [3]
• Session Management Cheat Sheet [4]
Broken Authentication
1) Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
2) Credential Stuffing Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html
3) Forgot Password Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
4) Session Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
Sensitive Data Exposure
• OWASP Top 10 - A3 [1]
• Weak or missing encryption/hashing of data
Sensitive Data Exposure
1) OWASP Top 10 - A3: https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
Sensitive Data Exposure
•Passwords saved in plaintext
•Default setup: not HTTPS
Cross Site Scripting (XSS)
• OWASP Top 10 - A7 [1]
• User input is returned in the page without validation or output encoding [2, 3]
• Payload:
<script>alert("XSS")</script>
Cross Site Scripting (XSS)
1) OWASP Top 10 - A7: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
2) Description: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
3) Tutorial: https://portswigger.net/web-security/cross-site-scripting
Cross Site Scripting (XSS)
Final payload: <script>alert("XSS")</script>
Demo (screenshot): the payload is submitted as the username and rendered back into the page.
Cross Site Scripting (XSS)
What happened?
<p id="username">
<script>alert("XSS")</script>
</p>
Cross Site Scripting (XSS)
What should have happened? [1]
<p id="username">
&lt;script&gt;alert("XSS")&lt;/script&gt;
</p>
Cross Site Scripting (XSS)
1) Prevention: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md
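The two renderings above, as an added example (not code from the slides): the unencoded and the HTML-entity-encoded version of the username paragraph, fed through Python's standard-library HTML parser as a stand-in for the browser, to show that the encoded payload comes back out as text while the unencoded one creates a script element. The render functions and the `_Inspector` class are this example's own; the payload is the one from the slides.

```python
import html
from html.parser import HTMLParser

PAYLOAD = '<script>alert("XSS")</script>'   # the payload from the slides


def render_vulnerable(username):
    """What happened: the username is pasted into the HTML body unencoded."""
    return '<p id="username">' + username + '</p>'


def render_fixed(username):
    """What should have happened: HTML-entity encode for the HTML body context,
    so < > & and quotes reach the browser as text, never as markup."""
    return '<p id="username">' + html.escape(username, quote=True) + '</p>'


class _Inspector(HTMLParser):
    """Minimal stand-in for the browser's HTML parser: records which elements it
    creates and what it treats as text (entity references are decoded to text)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def parse(markup):
    """Return (element tags created, text content) for a fragment of markup."""
    p = _Inspector()
    p.feed(markup)
    p.close()
    return p.tags, "".join(p.text)


if __name__ == "__main__":
    for render in (render_vulnerable, render_fixed):
        tags, text = parse(render(PAYLOAD))
        print(f"{render.__name__:18} elements: {tags}  text: {text!r}")
```

html.escape is the right encoding for the HTML element body context shown on the slide. Data placed into an attribute value, a URL, a CSS value or inside a script block needs the encoding for that context instead; the OWASP XSS Prevention Cheat Sheet linked above lists the rules per context.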
Cross Site Request Forgery (CSRF)
• OWASP Top 10 2013 - A8 [1] (no longer in the 2017 list)
• Forging requests that trigger any action a logged-in user can perform [2]
1) OWASP Top 10 2013 - A8: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
2) Tutorial: https://portswigger.net/web-security/csrf
Cross Site Request Forgery (CSRF)
Demo (screenshots):
• Login as an administrative user
• The Cross Site Request Forgery requests are triggered in the background; the top 3 requests in the proxy history are the triggered CSRF requests
• Result: a newly added batch script
• The resulting requests are sent to a malicious server and contain the username/password of every user that logs in and triggers the maliciously created batch script
What happened?
POST /triggering/action
Cookie: Token
Well known content
Cross Site Request Forgery (CSRF)
What should have happened? [1, 2]
POST /triggering/action
Cookie: Token
Well known content & RANDOM value
The browser attaches the cookie to any request, including one built by the attacker's page, so the cookie alone does not prove the user intended the action. The random value (anti-CSRF token) is tied to the session and is only readable from the site's own pages, so a forged request cannot include it and is rejected.
1) CSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
2) SameSite Cookie preventing CSRF: https://portswigger.net/web-security/csrf/samesite-cookies
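The "what should have happened" exchange, as an added example (not code from the slides or the demo application): a synchronizer-token check for `POST /triggering/action` in plain Python, with an in-memory session store standing in for the server. The session store, the `start_session`/`render_form`/`handle_post` functions and the form field names are this example's own assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> server-side record.
SESSIONS = {}


def start_session(username):
    """Log a user in: create the session cookie and a per-session anti-CSRF token."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return cookie


def render_form(cookie):
    """The legitimate page: the form served by the site carries the session's token.
    Only a page on the site's own origin can read it; the attacker's page cannot."""
    return {"action": "/triggering/action", "csrf": SESSIONS[cookie]["csrf"]}


def handle_post(cookie, form):
    """POST /triggering/action. The browser attaches the cookie automatically, so the
    cookie alone says nothing about who built the request; the token in the body does.
    Returns (status code, message)."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf", "")
    # Constant-time comparison on bytes; a non-ASCII guess must not raise.
    if not hmac.compare_digest(submitted.encode("utf-8"), session["csrf"].encode("utf-8")):
        return 403, "CSRF token missing or wrong"
    return 200, f"action performed for {session['user']}"


if __name__ == "__main__":
    cookie = start_session("admin")
    # Legitimate request: built from the form the site served, token included.
    legit = dict(render_form(cookie), script="echo hello")
    print("legitimate:", handle_post(cookie, legit))
    # Forged request: the attacker knows the URL and the well-known content,
    # and the victim's browser adds the cookie, but the token is not available.
    forged = {"script": "send credentials to malicious server"}
    print("forged    :", handle_post(cookie, forged))
```

Setting the session cookie with `SameSite=Lax` or `Strict` (the second reference above) keeps the browser from attaching it to cross-site POSTs in the first place; it is a useful second layer, but the token check is what the server can rely on regardless of the client's cookie behaviour.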
Tutorials
• PortSwigger Web Security Academy [1]
• OWASP Juice Shop [2]
• https://www.root-me.org
• https://shellterlabs.com
1) PortSwigger Web Security Academy: https://portswigger.net/web-security
2) OWASP Juice Shop: https://www2.owasp.org/www-project-juice-shop/
Questions?
Thank you!

More Related Content

What's hot

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 

What's hot (20)

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Web application security
Web application securityWeb application security
Web application security
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
penetration testing
penetration testingpenetration testing
penetration testing
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Hacking
HackingHacking
Hacking
 

Similar to Web Application Penetration Testing - 101

Similar to Web Application Penetration Testing - 101 (20)

Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing:  it’s not only about the login formAuthN & AuthZ testing:  it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJS
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
Web application Security
Web application SecurityWeb application Security
Web application Security
 
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester:  Security, Microservces and Vault by Nicki WattMicroservices Manchester:  Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot web
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
 

Recently uploaded

No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
Sheetaleventcompany
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
Kayode Fayemi
 

Recently uploaded (20)

Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 

Web Application Penetration Testing - 101

  • 2. $ whoami •Andrea Hauser ( 1 @aha_181) •Security Consultant + 2 3 4 5
  • 3. $ whoami 1) Me @Twitter: https://twitter.com/aha_181 2) DC4131: https://www.defcon-switzerland.org/ 3) WoSEC: https://wearetechwomen.com/wosec-women-of-security/ 4) Blackhoodie: https://www.blackhoodie.re/HackLu_schedule/ 5) Bsides Zurich: https://bsideszh.ch/call-for-papers/
  • 4. Hints •PDF of slides exists (with more text and links) • Ask me afterwards or hit me up on twitter •A blog post will be published on Thursday • https://scip.ch/en/?labs.20191024 +
  • 5. Outline •Security Consulting •Web App Pentesting Introduction • Demos
  • 6. Security Consulting Customer Service Testing (Pentesting, Red Teaming, Reviews, …) Reporting Research
  • 7.
  • 9. Setup Prepare reporting method1 and 2 Set up tools Review scope3 and 4
  • 10. Setup 1) Reporting definition: http://www.pentest- standard.org/index.php/Reporting 2) Reporting examples: https://github.com/juliocesarfort/public-pentesting- reports 3) Scoping definition: http://www.pentest-standard.org/index.php/Pre- engagement 4) How to get the most from your penetration test (includes scoping): https://www.ncsc.gov.uk/guidance/penetration-testing
  • 12. Tools •Kali LinuxVM1 •Favourite Browser •Proxy ( BurpSuite2 or OWASP ZAP3) •nmap4
  • 13. Tools 1) Kali LinuxVM: https://www.kali.org/downloads/ 2) BurpSuite: https://portswigger.net/burp 3) OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 4) nmap: https://nmap.org/
  • 17. Methodology 1) BurpSuite extensions: https://portswigger.net/bappstore 2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 3) OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project 4) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/
  • 18.
  • 20. OWASP Top 10 •Open Web Application Security Project1 •List of top 10 vulnerabilities2
  • 21. OWASP Top 10 1) OWASP: https://www.owasp.org/index.php/Main_Page 2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 22. Injection •Payload SQL Injection1: •OWASP Top 10 - A12 •User input executed without validation ‘ OR 1=1--
  • 23. Injection 1) SQL Injection Tutorial: https://portswigger.net/web-security/sql-injection 2) OWASP Top 10 - A1: https://www.owasp.org/index.php/Top_10-2017_A1- Injection
  • 24. Injection The example is a web shop with a category filter which is vulnerable to SQL Injection Initial normal Request →
  • 29. Injection Vulnerable Code "SELECT * FROM products WHERE cat=‘"+req.getParam("category")+"‘ AND released = 1";
  • 30. Injection URL: /filter?category=Accessories "SELECT * FROM products WHERE cat=‘Accessories‘ AND released = 1";
  • 31. Injection URL: /filter?category=‘ OR 1=1-- "SELECT * FROM products WHERE cat=‘’ OR 1=1--‘ AND released = 1";
  • 32. Injection Fixed Code String q = "SELECT * FROM products WHERE cat= ? AND released = 1"; PreparedStatement p = con.prepareStat(q); p.setString(1, req.getParam("category"));
  • 33. Injection •Injection Prevention Cheat Sheet (OWASP)1, 2 and 3
  • 34. Injection 1) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/ 2) Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Che at_Sheet.html 3) Query Parameterization Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_ Cheat_Sheet.html
  • 35. Broken Authentication •OWASP Top 10 - A21 •Everything regarding authentication weaknesses
  • 36. Broken Authentication 1) OWASP Top 10 - A2: https://www.owasp.org/index.php/Top_10-2017_A2- Broken_Authentication
  • 37.
  • 38. Creation of a new user
  • 39. in default settings username and password are saved in plaintext
  • 42. Broken Authentication What should have happened?1, 2 and 3 fancyUserName 102b04394cedfeac6abe02dd94 007eb076bc4cba13a0e9bd965b96cb8f696f52125 Ce189eca166d7176d3e8a2be068b5209bbca07ad8 6440d36a36695599247c
  • 43. Broken Authentication 1) Password hashing: https://medium.com/@mpreziuso/password-hashing- pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e 2) scrypt: http://www.tarsnap.com/scrypt.html 3) Argon2: https://password-hashing.net/
  • 44. Broken Authentication •Hashing Algorithm not usually inWeb App Pentest
  • 45. First run of session id harvesting Second run of session id harvesting The session ids are the same between the two runs
  • 46. Broken Authentication First run Token: _j_Shs8ujMHRPgR Token: __ESsW9SfUHbPIR Token: _EhsWu_QfUHbPIR Token: _hsSuS-JfUHbPIR Token: _sWTSQAxfUHbPIR Token: _WuTQJBxfUHbPIR Second run Token: _j_9hsNu3uQQGFR Token: __E9sWOS02QaGuR Token: _Eh9WuPQ02QaGuR Token: _hs9uSQJ02QaGuR Token: _sW9SQRx02QaGuR Token: _Wu9QJSx02QaGuR
  • 47. Broken Authentication First run Token: _j_Shs8ujMHRPgR Token: __ESsW9SfUHbPIR Token: _EhsWu_QfUHbPIR Token: _hsSuS-JfUHbPIR Token: _sWTSQAxfUHbPIR Token: _WuTQJBxfUHbPIR Second run Token: _j_9hsNu3uQQGFR Token: __E9sWOS02QaGuR Token: _Eh9WuPQ02QaGuR Token: _hs9uSQJ02QaGuR Token: _sW9SQRx02QaGuR Token: _Wu9QJSx02QaGuR
  • 48. Broken Authentication First run Token: _j_Shs8ujMHRPgR Token: __ESsW9SfUHbPIR Token: _EhsWu_QfUHbPIR Token: _hsSuS-JfUHbPIR Token: _sWTSQAxfUHbPIR Token: _WuTQJBxfUHbPIR Second run Token: _j_9hsNu3uQQGFR Token: __E9sWOS02QaGuR Token: _Eh9WuPQ02QaGuR Token: _hs9uSQJ02QaGuR Token: _sW9SQRx02QaGuR Token: _Wu9QJSx02QaGuR
  • 49. Broken Authentication First run Token: _j_Shs8ujMHRPgR Token: __ESsW9SfUHbPIR Token: _EhsWu_QfUHbPIR Token: _hsSuS-JfUHbPIR Token: _sWTSQAxfUHbPIR Token: _WuTQJBxfUHbPIR Second run Token: _j_9hsNu3uQQGFR Token: __E9sWOS02QaGuR Token: _Eh9WuPQ02QaGuR Token: _hs9uSQJ02QaGuR Token: _sW9SQRx02QaGuR Token: _Wu9QJSx02QaGuR
  • 50. Broken Authentication First run Token: _j_Shs8ujMHRPgR Token: __ESsW9SfUHbPIR Token: _EhsWu_QfUHbPIR Token: _hsSuS-JfUHbPIR Token: _sWTSQAxfUHbPIR Token: _WuTQJBxfUHbPIR Second run Token: _j_9hsNu3uQQGFR Token: __E9sWOS02QaGuR Token: _Eh9WuPQ02QaGuR Token: _hs9uSQJ02QaGuR Token: _sW9SQRx02QaGuR Token: _Wu9QJSx02QaGuR
  • 51. Broken Authentication •ID not random •Known characters in red x _ _ _ _ _ x _ x x x x x x x •Brute force: 6 chars
• 52. Broken Authentication What happened? ID: 1, Token: 123456789; ID: 2, Token: 1abcde789; ID: 3, Token: 1zyxwv879
• 53. Broken Authentication What should have happened? ID: 83, Token: 509d3sz3c; ID: 1764, Token: 00r839scc; ID: 454, Token: nlzca1b10
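An added check, not from the talk, that turns the observation on slides 45 to 53 into code: it scans the harvested ids for positions that never change, renders the slide's x/_ notation, bounds the remaining search space, and contrasts the result with ids drawn from the OS CSPRNG. The token values are copied from the slides; the function names are mine.

```python
import math
import secrets

# Session ids harvested in two runs, copied from the demo output on the slides
# (the application behind them is not reproduced here).
FIRST_RUN = ["_j_Shs8ujMHRPgR", "__ESsW9SfUHbPIR", "_EhsWu_QfUHbPIR",
             "_hsSuS-JfUHbPIR", "_sWTSQAxfUHbPIR", "_WuTQJBxfUHbPIR"]
SECOND_RUN = ["_j_9hsNu3uQQGFR", "__E9sWOS02QaGuR", "_Eh9WuPQ02QaGuR",
              "_hs9uSQJ02QaGuR", "_sW9SQRx02QaGuR", "_Wu9QJSx02QaGuR"]


def fixed_positions(tokens):
    """Indices at which every harvested token carries the same character.
    Such positions contribute no entropy: the 'known characters' of slide 51."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return [i for i in range(length) if len({t[i] for t in tokens}) == 1]


def pattern(tokens):
    """Render the slide's notation: x = fixed position, _ = varies."""
    fixed = set(fixed_positions(tokens))
    return " ".join("x" if i in fixed else "_" for i in range(len(tokens[0])))


def guess_space_bits(tokens, alphabet_size=64):
    """Upper bound (in bits) on what is left to guess, assuming every varying
    position may take any of alphabet_size characters (64 = url-safe base64)."""
    varying = len(tokens[0]) - len(fixed_positions(tokens))
    return varying * math.log2(alphabet_size)


def new_session_id(n_bytes=32):
    """What should have happened: an id from the OS CSPRNG, unrelated to the
    user id, the clock, or any previously issued id."""
    return secrets.token_urlsafe(n_bytes)


if __name__ == "__main__":
    both = FIRST_RUN + SECOND_RUN
    print("fixed across both runs:", fixed_positions(both), pattern(both))
    print("fixed within 2nd run:  ", fixed_positions(SECOND_RUN),
          f"{guess_space_bits(SECOND_RUN):.0f} bits at most")
    fresh = [new_session_id() for _ in range(500)]
    print("fixed in CSPRNG ids:   ", fixed_positions(fresh))
```

The fixed positions differ between runs, so harvest within one session window before drawing conclusions; an audit of properly generated ids should report no fixed position at all.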
  • 54. Broken Authentication •Authentication Cheat Sheet1 •Credential Stuffing Cheat Sheet2 •Forgot Password Cheat Sheet3 •Session Management Cheat Sheet4
• 55. Broken Authentication 1) Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html 2) Credential Stuffing Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html 3) Forgot Password Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
• 56. Broken Authentication 4) Session Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
  • 57. Sensitive Data Exposure •OWASP Top 10 - A31 •Weak encryption/hashing of data
• 58. Sensitive Data Exposure 1) OWASP Top 10 - A3: https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
  • 59. Sensitive Data Exposure •Passwords saved in plaintext •Default setup: not HTTPS
• 60. Cross Site Scripting (XSS) •OWASP Top 10 - A7 1 •User input returned without validation 2 and 3 •Payload: <script>alert("XSS")</script>
• 61. Cross Site Scripting (XSS) 1) OWASP Top 10 - A7: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS) 2) Description: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 3) Tutorial: https://portswigger.net/web-security/cross-site-scripting
• 62. Cross Site Scripting (XSS) Final Payload: <script>alert("XSS")</script>
• 64. Cross Site Scripting (XSS) What happened? <p id="username"><script>alert("XSS")</script></p>
• 65. Cross Site Scripting (XSS) What should have happened? 1 <p id="username">&lt;script&gt;alert("XSS")&lt;/script&gt;</p>
• 66. Cross Site Scripting (XSS) 1) Prevention: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md
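An added example, not from the talk or the demo application, placing the "what happened" rendering of slide 64 beside the "what should have happened" rendering of slide 65, plus the check a reviewer runs to tell the two apart. The function names are mine; the payload is the one used on the slides.

```python
import html

PAYLOAD = '<script>alert("XSS")</script>'   # the payload from the slides


def render_username_vulnerable(username):
    """What happened: the value is copied into the page unchanged, so the
    browser parses the injected <script> element and executes it."""
    return f'<p id="username">{username}</p>'


def render_username_safe(username):
    """What should have happened: entity-encode on output. html.escape covers
    HTML body and attribute context; other contexts (JavaScript, URL, CSS)
    need their own encoder, as the prevention cheat sheet explains."""
    return f'<p id="username">{html.escape(username, quote=True)}</p>'


def reflects_unencoded(rendered, submitted):
    """Review check: does the submitted value appear verbatim in the page?
    True means user input reaches HTML context without output encoding."""
    return submitted in rendered


if __name__ == "__main__":
    for render in (render_username_vulnerable, render_username_safe):
        page = render(PAYLOAD)
        print(render.__name__, "reflects unencoded:",
              reflects_unencoded(page, PAYLOAD))
        print("  ", page)
```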
• 67. Cross Site Request Forgery (CSRF) •OWASP Top 10 2013 - A8 1 •Forging requests, triggering every action a logged-in user can do 2
• 68. Cross Site Request Forgery (CSRF) 1) OWASP Top 10 2013 - A8: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) 2) Tutorial: https://portswigger.net/web-security/csrf
  • 69. Login as an administrative user
  • 70. Triggering the Cross Site Request Forgery Requests in the background
  • 71. The top 3 Requests are the triggered Cross Site Request Forgery Requests
  • 73. Resulting Requests sent to a malicious server containing username/password of every user that logs in and triggers the maliciously created batch script
• 74. Cross Site Request Forgery (CSRF) What happened? POST /triggering/action; Cookie: Token; body: well known content
• 75. Cross Site Request Forgery (CSRF) What should have happened? 1 and 2 POST /triggering/action; Cookie: Token; body: well known content & RANDOM value
• 76. Cross Site Request Forgery (CSRF) 1) CSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html 2) SameSite Cookie preventing CSRF: https://portswigger.net/web-security/csrf/samesite-cookies
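An added example, not from the talk or the demo application, of the server side of slide 75: the handler for POST /triggering/action refuses a request that carries only the session cookie and well known content, and acts only when the RANDOM value tied to that session is present, plus the SameSite cookie attribute from reference 2. The store, handler and request layout are constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory store for this example: session id -> anti-CSRF token.
_csrf_tokens = {}


def issue_csrf_token(session_id):
    """Mint the 'RANDOM value' for a logged-in session and remember it
    server-side; the page embeds it in every state-changing form."""
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def session_cookie_header(session_id):
    """Set-Cookie line for the session. SameSite=Lax keeps the browser from
    attaching the cookie to a cross-site POST in the first place; the token
    check below is the defence that does not depend on browser support."""
    return f"Set-Cookie: Token={session_id}; HttpOnly; Secure; SameSite=Lax"


def handle_triggering_action(request):
    """POST /triggering/action. `request` is a constructed dict with 'cookies'
    and 'form' mappings; returns the HTTP status the server would send."""
    session_id = request["cookies"].get("Token")
    if session_id is None or session_id not in _csrf_tokens:
        return 401                       # not logged in
    submitted = request["form"].get("csrf_token")
    expected = _csrf_tokens[session_id]
    # Constant-time comparison; a missing or wrong value means the request
    # was not produced by a page this server rendered, so do not act on it.
    if submitted is None or not hmac.compare_digest(
            expected.encode(), submitted.encode()):
        return 403
    # ... perform the state-changing action here ...
    return 200


if __name__ == "__main__":
    sid = "sess-demo"
    tok = issue_csrf_token(sid)
    print(session_cookie_header(sid))
    forged = {"cookies": {"Token": sid}, "form": {"action": "well known"}}
    legit = {"cookies": {"Token": sid}, "form": {"action": "well known",
                                                 "csrf_token": tok}}
    print("forged:", handle_triggering_action(forged),
          "legit:", handle_triggering_action(legit))
```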
• 77. Tutorials •PortSwigger Web Security Academy 1 •OWASP Juice Shop 2 •https://www.root-me.org •https://shellterlabs.com
• 78. Tutorials 1) PortSwigger Web Security Academy: https://portswigger.net/web-security 2) OWASP Juice Shop: https://www2.owasp.org/www-project-juice-shop/