Web Application Penetration Testing - 101
3. $ whoami
1) Me @Twitter: https://twitter.com/aha_181
2) DC4131: https://www.defcon-switzerland.org/
3) WoSEC: https://wearetechwomen.com/wosec-women-of-security/
4) Blackhoodie: https://www.blackhoodie.re/HackLu_schedule/
5) Bsides Zurich: https://bsideszh.ch/call-for-papers/
4. Hints
• PDF of slides exists (with more text and links)
• Ask me afterwards or hit me up on Twitter
• A blog post will be published on Thursday: https://scip.ch/en/?labs.20191024
10. Setup
1) Reporting definition: http://www.pentest-standard.org/index.php/Reporting
2) Reporting examples: https://github.com/juliocesarfort/public-pentesting-reports
3) Scoping definition: http://www.pentest-standard.org/index.php/Pre-engagement
4) How to get the most from your penetration test (includes scoping): https://www.ncsc.gov.uk/guidance/penetration-testing
13. Tools
1) Kali Linux VM: https://www.kali.org/downloads/
2) BurpSuite: https://portswigger.net/burp
3) OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
4) nmap: https://nmap.org/
17. Methodology
1) BurpSuite extensions: https://portswigger.net/bappstore
2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
3) OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
4) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/
21. OWASP Top 10
1) OWASP: https://www.owasp.org/index.php/Main_Page
2) OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
23. Injection
1) SQL Injection Tutorial: https://portswigger.net/web-security/sql-injection
2) OWASP Top 10 - A1: https://www.owasp.org/index.php/Top_10-2017_A1-Injection
24. Injection
The example is a web shop with a category filter that is vulnerable to SQL injection.
Initial normal request (screenshot, not included in this transcript)
32. Injection
Fixed Code
// A prepared statement sends the category value separately from the SQL text,
// so user input can never change the structure of the query.
String q = "SELECT * FROM products WHERE cat = ? AND released = 1";
PreparedStatement p = con.prepareStatement(q);
p.setString(1, req.getParameter("category"));
ResultSet rs = p.executeQuery();
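The same category filter carried over to Python with sqlite3, added here as an example that is not part of the talk: the broken concatenated query next to the parameterized fix from the slide, run against a constructed products table with one unreleased item.

```python
import sqlite3


def build_shop():
    """Constructed in-memory stand-in for the shop database on the slide:
    a products table with a category column and a released flag."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, cat TEXT, released INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Gloves", "Accessories", 1),
        ("Scarf", "Accessories", 1),
        ("Prototype watch", "Gadgets", 0),  # unreleased: must never be listed
    ])
    return con


def filter_vulnerable(con, category):
    """The broken version: the category value is pasted into the SQL text,
    so a quote in the input changes the query itself."""
    q = ("SELECT name FROM products WHERE cat = '" + category
         + "' AND released = 1")
    return [row[0] for row in con.execute(q)]


def filter_fixed(con, category):
    """The fixed version from the slide, in Python: the value travels as a
    bound parameter and can only ever be compared against cat."""
    q = "SELECT name FROM products WHERE cat = ? AND released = 1"
    return [row[0] for row in con.execute(q, (category,))]


if __name__ == "__main__":
    con = build_shop()
    # Second input is the classic comment-out probe from the linked tutorial.
    for cat in ("Accessories", "Gadgets'--"):
        print(repr(cat), "vulnerable:", filter_vulnerable(con, cat),
              "fixed:", filter_fixed(con, cat))
```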
34. Injection
1) OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/
2) Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
3) Query Parameterization Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
42. Broken Authentication
What should have happened? (refs 1, 2 and 3)
Stored record (username and password hash):
fancyUserName 102b04394cedfeac6abe02dd94007eb076bc4cba13a0e9bd965b96cb8f696f52125Ce189eca166d7176d3e8a2be068b5209bbca07ad86440d36a36695599247c
43. Broken Authentication
1) Password hashing: https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e
2) scrypt: http://www.tarsnap.com/scrypt.html
3) Argon2: https://password-hashing.net/
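Password storage done the way refs 1 and 2 describe, as an added example that is not from the talk: a per-user salt, scrypt from Python's hashlib with cost parameters chosen here (tune them to your hardware), a self-describing record, and a constant-time check on verification.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values for this example, not from the slides
N, R, P = 2 ** 14, 8, 1
DKLEN = 64


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record (algorithm, parameters, salt, digest)
    so the parameters can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)  # fresh per user
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=N, r=R, p=P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (
        N, R, P, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    got = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(got, expected)


def unsalted_digest(password: str) -> str:
    """For contrast: a bare fast hash gives every user with the same password
    the same value, so one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```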
45. First run of session id harvesting / Second run of session id harvesting (screenshots)
The session ids are the same between the two runs
46. Broken Authentication
First run
Token: _j_Shs8ujMHRPgR
Token: __ESsW9SfUHbPIR
Token: _EhsWu_QfUHbPIR
Token: _hsSuS-JfUHbPIR
Token: _sWTSQAxfUHbPIR
Token: _WuTQJBxfUHbPIR
Second run
Token: _j_9hsNu3uQQGFR
Token: __E9sWOS02QaGuR
Token: _Eh9WuPQ02QaGuR
Token: _hs9uSQJ02QaGuR
Token: _sW9SQRx02QaGuR
Token: _Wu9QJSx02QaGuR
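A positional analysis of the twelve tokens on slide 46, added here as an example that is not from the talk: it counts how many different symbols each character position takes within a run, estimates a crude entropy bound from that, and counts the positions the n-th token of each run has in common, which is the kind of check Burp's Sequencer automates.

```python
import math

# The two harvesting runs as shown on the slide.
RUN_1 = ["_j_Shs8ujMHRPgR", "__ESsW9SfUHbPIR", "_EhsWu_QfUHbPIR",
         "_hsSuS-JfUHbPIR", "_sWTSQAxfUHbPIR", "_WuTQJBxfUHbPIR"]
RUN_2 = ["_j_9hsNu3uQQGFR", "__E9sWOS02QaGuR", "_Eh9WuPQ02QaGuR",
         "_hs9uSQJ02QaGuR", "_sW9SQRx02QaGuR", "_Wu9QJSx02QaGuR"]


def distinct_per_position(tokens):
    """Number of distinct characters seen at each index across a run."""
    length = len(tokens[0])
    assert all(len(t) == length for t in tokens), "tokens must be equal length"
    return [len({t[i] for t in tokens}) for i in range(length)]


def low_entropy_positions(tokens, max_distinct=2):
    """Indices that are (almost) constant: at most max_distinct symbols seen."""
    return [i for i, n in enumerate(distinct_per_position(tokens))
            if n <= max_distinct]


def crude_entropy_bits(tokens):
    """Upper bound on bits per token if every position were independent and
    uniform over the symbols observed; a healthy 15-char base64 id has ~90."""
    return sum(math.log2(n) for n in distinct_per_position(tokens))


def shared_positions(a, b):
    """Indices at which two equal-length tokens carry the same character."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]


def cross_run_overlap(run_a, run_b):
    """For the n-th token of each run, how many positions are identical.
    A deterministic generator reproduces a fixed subset on every run."""
    return [len(shared_positions(a, b)) for a, b in zip(run_a, run_b)]


if __name__ == "__main__":
    print("distinct symbols per position, run 1:", distinct_per_position(RUN_1))
    print("near-constant positions, run 1:", low_entropy_positions(RUN_1))
    print("crude entropy bound, run 1: %.1f bits" % crude_entropy_bits(RUN_1))
    print("positions identical between runs:", cross_run_overlap(RUN_1, RUN_2))
```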
55. Broken Authentication
1) Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
2) Credential Stuffing Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html
3) Forgot Password Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
60. Cross Site Scripting (XSS)
• OWASP Top 10 - A7 (ref 1)
• User input returned without validation (refs 2 and 3)
• Payload: <script>alert("XSS")</script>
61. Cross Site Scripting (XSS)
1) OWASP Top 10 - A7: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
2) Description: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
3) Tutorial: https://portswigger.net/web-security/cross-site-scripting
64. Cross Site Scripting (XSS)
What happened? The input is written into the page unchanged, so the browser runs it:
<p id="username">
<script>alert("XSS")</script>
</p>
65. Cross Site Scripting (XSS)
What should have happened? (ref 1) The input is HTML-encoded on output, so the browser displays it as text:
<p id="username">
&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
</p>
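The username reflection from slides 64 and 65 in Python, added here as an example that is not from the talk: the verbatim rendering next to the output-encoded one, plus the check a tester or scanner applies to decide whether a probe came back unencoded.

```python
import html

# The markup from the slide with the username as the only dynamic part.
TEMPLATE = '<p id="username">{}</p>'
# The probe string used on the slide.
PAYLOAD = '<script>alert("XSS")</script>'


def render_vulnerable(username: str) -> str:
    """What happened: the input is dropped into the markup verbatim,
    so the browser parses the script element and executes it."""
    return TEMPLATE.format(username)


def render_fixed(username: str) -> str:
    """What should have happened: HTML-encode untrusted data for the HTML
    body context (the rule from the XSS Prevention Cheat Sheet), so <, >,
    " and & become entities and the browser displays them as text."""
    return TEMPLATE.format(html.escape(username, quote=True))


def reflected_unencoded(page: str, probe: str = PAYLOAD) -> bool:
    """Tester's check on a response: did the probe come back byte-for-byte?
    A hit means the application did not encode that output location."""
    return probe in page


if __name__ == "__main__":
    for page in (render_vulnerable(PAYLOAD), render_fixed(PAYLOAD)):
        print(page, "->", "reflected unencoded" if reflected_unencoded(page)
              else "encoded")
```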
66. Cross Site Scripting (XSS)
1) Prevention: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md
67. Cross Site Request Forgery (CSRF)
• OWASP Top 10 2013 - A8 (ref 1)
• Forging requests, triggering every action a logged-in user can do (ref 2)
68. Cross Site Request Forgery (CSRF)
1) OWASP Top 10 2013 - A8: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
2) Tutorial: https://portswigger.net/web-security/csrf
71. The top 3 requests are the triggered Cross Site Request Forgery requests (screenshot)
73. Resulting requests sent to a malicious server containing username/password of every user that logs in and triggers the maliciously created batch script (screenshot)
75. Cross Site Request Forgery (CSRF)
What should have happened? (refs 1 and 2)
POST /triggering/action
Cookie: Token
Well known content & RANDOM value
76. Cross Site Request Forgery (CSRF)
1) CSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
2) SameSite Cookie preventing CSRF: https://portswigger.net/web-security/csrf/samesite-cookies
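The "well known content & RANDOM value" from slide 75 as a synchronizer token, added here as an example that is not from the talk: the server mints a random token per session, embeds it in its own forms, and rejects any POST to the action that does not carry it, which a cross-site forged request cannot (the session dict and handler names are this example's own).

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Mint the RANDOM value once per session and remember it server-side;
    the page embeds it in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    """Compare the submitted value with the one stored for this session."""
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time compare


def handle_post(session: dict, form: dict):
    """POST /triggering/action: the session cookie proves who the user is,
    the token proves the request came from a page we served to that user."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "rejected: missing or wrong anti-CSRF token"
    return 200, "action performed"


if __name__ == "__main__":
    victim = {"user": "alice"}          # constructed server-side session
    token = issue_csrf_token(victim)
    print(handle_post(victim, {"csrf_token": token}))  # our own form
    print(handle_post(victim, {}))                      # forged cross-site post
```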
78. Tutorials
1) PortSwigger Web Security Academy: https://portswigger.net/web-security
2) OWASP Juice Shop: https://www2.owasp.org/www-project-juice-shop/