SlideShare una empresa de Scribd logo
1 de 27
Descargar para leer sin conexión
WEB APPLICATION
PENETRATION TESTING
Anurag
Srivastava
Information
Security Researcher
PRE NULL MEET – LUCKNOW
Introduction To Web-
Application Penetration Testing
 Process to check and penetrate the security
of a web application or a website
 process involves an active analysis of the
application for any weaknesses, technical
flaws, or vulnerabilities
 Any security issues that are found will be
presented to the system owner, together
with an assessment of the impact, a
proposal for mitigation or a technical
solution.
Why Web Application
Penetration Testing ?
Common Misnomers
 “Our site is safe”
 We have Firewalls in place
 We encrypt our data
 We have IDS/IPS
 We have a privacy policy
Top Ten Critical Bugs According
To Owasp !
 Injection like Sql ,Os and Ldap
 Broken Authentication And Session
Management
 XSS – Cross Site Scripting
 Insecure Direct Object Reference
 Security Misconfiguration
 Sensitive Data Exposure
 Missing Function level Access Control
 CSRF -Cross Site Request Forgery
 Using Components with Known Vulnerabilities
 Unvalidated Redirects and Forwards
Injection
 Such As Sql,Os and LDAP Injections
 Untrusted data is sent to an
interpreter as part of a command or
query.
 Attacker’s hostile data can trick the
interpreter into executing unintended
commands or accessing data without
proper authorization.
Sql Injection
Trying the basic - 1' or '1'='1 in the
vulnerable input field in order to get the
username,password and confirm the sql
injection vulnerability
Returns true
for all 
Blind Sql Injection
I tried to execute a sql
query in the input field
here
along with a true
return value
I tried to execute the “database() “ to extract the db name.
query
Database
Name
(DVWA)
Am I Vulnerable To 'Injection'?
 Verify that all use of interpreters
clearly separates untrusted data from
the command or query
 Code analysis tools can help a
security analyst find the use of
interpreters and trace the data flow
through the application
 Poor error handling makes injection
flaws easier to discover
XSS – Cross Site Scripting
 Occurs whenever an application takes
untrusted data and sends it to a web
browser without proper validation or
escaping.
 Allows attackers to execute scripts in
the victim’s browser which can hijack
user sessions, deface web sites, or
redirect the user to malicious sites.
Introduction to Web Application Penetration Testing
Payload
Payload used :- <img
src=urloftheimage>
Stored
XSS
Payload used -
<script>alert(document.cookie)<
/script>
Am I Vulnerable To 'Cross-Site
Scripting (XSS)'?
 Vulnerable if you do not ensure that all user
supplied input is properly escaped, or you
do not verify it to be safe via input
validation, before including that input in the
output page.
 If Ajax is being used to dynamically update
the page, are you using
safe JavaScript APIs? For unsafe JavaScript
APIs, encoding or validation must also be
used.
CSRF – Cross Site Request Forgery
 Attack forces a logged-on victim’s browser
to send a forged HTTP request, including
the victim’s session cookie and any other
automatically included authentication
information, to a vulnerable web application
 Allows the attacker to force the victim’s
browser to generate requests the
vulnerable application thinks are legitimate
requests from the victim.
CSRF
Introduction to Web Application Penetration Testing
The Request doesnot have CSRF
token/access token and thus
we can take advantage to generate a
csrf
We are using the same form which our vulnerable website
uses but we are changing the value of the password and
thus resetting the password to anything we wish  ..
<form
action="http://127.0.0.1/dvwa/vulnerabilities/csrf/?"
method="GET"> New password:<br>
<input type="password" AUTOCOMPLETE="off"
name="password_new" value="anurag"><br>
Confirm new password: <br>
<input type="password" AUTOCOMPLETE="off"
name="password_conf" value="anurag"><br>
<input type="submit" value="Change"
name="Change">
</form>
Submitting the
form
Wow ! Password
has been Changed

Am I Vulnerable To 'Cross-Site
Request Forgery (CSRF)'?
 Check if any links and forms lack an
unpredictable CSRF token.
 Without such a token, attackers can forge
malicious requests.
 An alternate defense is to require the user
to prove they intended to submit the
request, either through reauthentication, or
some other proof they are a real user (e.g.,
a CAPTCHA).
Only 10 ?
NO , There are not only
10 but hundreds of
issues that could affect
the overall security of a
web application.
COUNTERMEASURES
 For Injections - Use a safe API which avoids
the use of the interpreter entirely or
provides a parameterized interface.
 For XSS - Properly escape all untrusted
data based on the HTML context (body,
attribute, JavaScript, CSS, or URL) that the
data will be placed into.
 For CSRF - Include the unique token in a
hidden field. Requiring the user to
reauthenticate, or prove they are a user
(e.g., via a CAPTCHA) can also protect
against CSRF.
Thanks !
Anurag Srivastava
Information Source –

Más contenido relacionado

La actualidad más candente

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testingEngr Md Yusuf Miah
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 

La actualidad más candente (20)

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Web application security
Web application securityWeb application security
Web application security
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Application Security
Application SecurityApplication Security
Application Security
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web Application
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testing
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 

Destacado

Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga 0xdec0de
 
Gıda Mühendisleri İstihdam Analizi Anketi Sonuç Bildirgesi
Gıda Mühendisleri İstihdam Analizi Anketi Sonuç BildirgesiGıda Mühendisleri İstihdam Analizi Anketi Sonuç Bildirgesi
Gıda Mühendisleri İstihdam Analizi Anketi Sonuç BildirgesiAbdussamed Boyu
 
Blogging for a Cause
Blogging for a CauseBlogging for a Cause
Blogging for a CauseBess Auer
 
Social Media for Elementary
Social Media for ElementarySocial Media for Elementary
Social Media for ElementaryBess Auer
 
Social Media for Coaches
Social Media for CoachesSocial Media for Coaches
Social Media for CoachesBess Auer
 
Informationsmöte förskoleklass inför läsår 15-16
Informationsmöte förskoleklass inför läsår 15-16Informationsmöte förskoleklass inför läsår 15-16
Informationsmöte förskoleklass inför läsår 15-16Skapaskolan
 
Blogging for Your Business
Blogging for Your BusinessBlogging for Your Business
Blogging for Your BusinessBess Auer
 
How to work with bloggers
How to work with bloggersHow to work with bloggers
How to work with bloggersBess Auer
 
Live Streaming on WordPress
Live Streaming on WordPressLive Streaming on WordPress
Live Streaming on WordPressBess Auer
 
Föräldramöte 130911
Föräldramöte 130911Föräldramöte 130911
Föräldramöte 130911Skapaskolan
 
Föräldramöte 130821
Föräldramöte 130821Föräldramöte 130821
Föräldramöte 130821Skapaskolan
 
End Hunger - Meet Kate
End Hunger - Meet Kate End Hunger - Meet Kate
End Hunger - Meet Kate Bess Auer
 
Infomöte 140609 1-4
Infomöte 140609 1-4Infomöte 140609 1-4
Infomöte 140609 1-4Skapaskolan
 
Week 1 & 2: Lean Blogging: Developing the MVB
Week 1 & 2: Lean Blogging: Developing the MVBWeek 1 & 2: Lean Blogging: Developing the MVB
Week 1 & 2: Lean Blogging: Developing the MVBBess Auer
 
Kurbanlık Seçimi, Kesimi ve Etin Muhafazası Nasıl Olmalıdır?
Kurbanlık Seçimi, Kesimi ve Etin Muhafazası Nasıl Olmalıdır?Kurbanlık Seçimi, Kesimi ve Etin Muhafazası Nasıl Olmalıdır?
Kurbanlık Seçimi, Kesimi ve Etin Muhafazası Nasıl Olmalıdır?Abdussamed Boyu
 

Destacado (20)

Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing Services
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga
 
Livro juris consolidada(4)
Livro juris consolidada(4)Livro juris consolidada(4)
Livro juris consolidada(4)
 
Gıda Mühendisleri İstihdam Analizi Anketi Sonuç Bildirgesi
Gıda Mühendisleri İstihdam Analizi Anketi Sonuç BildirgesiGıda Mühendisleri İstihdam Analizi Anketi Sonuç Bildirgesi
Gıda Mühendisleri İstihdam Analizi Anketi Sonuç Bildirgesi
 
Blogging for a Cause
Blogging for a CauseBlogging for a Cause
Blogging for a Cause
 
Social Media for Elementary
Social Media for ElementarySocial Media for Elementary
Social Media for Elementary
 
Social Media for Coaches
Social Media for CoachesSocial Media for Coaches
Social Media for Coaches
 
Informationsmöte förskoleklass inför läsår 15-16
Informationsmöte förskoleklass inför läsår 15-16Informationsmöte förskoleklass inför läsår 15-16
Informationsmöte förskoleklass inför läsår 15-16
 
Blogging for Your Business
Blogging for Your BusinessBlogging for Your Business
Blogging for Your Business
 
How to work with bloggers
How to work with bloggersHow to work with bloggers
How to work with bloggers
 
Live Streaming on WordPress
Live Streaming on WordPressLive Streaming on WordPress
Live Streaming on WordPress
 
Föräldramöte 130911
Föräldramöte 130911Föräldramöte 130911
Föräldramöte 130911
 
Religion
ReligionReligion
Religion
 
Föräldramöte 130821
Föräldramöte 130821Föräldramöte 130821
Föräldramöte 130821
 
End Hunger - Meet Kate
End Hunger - Meet Kate End Hunger - Meet Kate
End Hunger - Meet Kate
 
Infomöte 140609 1-4
Infomöte 140609 1-4Infomöte 140609 1-4
Infomöte 140609 1-4
 
Week 1 & 2: Lean Blogging: Developing the MVB
Week 1 & 2: Lean Blogging: Developing the MVBWeek 1 & 2: Lean Blogging: Developing the MVB
Week 1 & 2: Lean Blogging: Developing the MVB
 
Kurbanlık Seçimi, Kesimi ve Etin Muhafazası Nasıl Olmalıdır?
Kurbanlık Seçimi, Kesimi ve Etin Muhafazası Nasıl Olmalıdır?Kurbanlık Seçimi, Kesimi ve Etin Muhafazası Nasıl Olmalıdır?
Kurbanlık Seçimi, Kesimi ve Etin Muhafazası Nasıl Olmalıdır?
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
 

Similar a Introduction to Web Application Penetration Testing

Similar a Introduction to Web Application Penetration Testing (20)

WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Security 101
Security 101Security 101
Security 101
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Web security 2010
Web security 2010Web security 2010
Web security 2010
 
ieee
ieeeieee
ieee
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0
 
OWASP Evening #10
OWASP Evening #10OWASP Evening #10
OWASP Evening #10
 
OWASP Evening #10 Serbia
OWASP Evening #10 SerbiaOWASP Evening #10 Serbia
OWASP Evening #10 Serbia
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
T04505103106
T04505103106T04505103106
T04505103106
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
 

Último

Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024eCommerce Institute
 
Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Gokulks007
 
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy ResultsMaking AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy ResultsAccess Innovations, Inc.
 
Circle Of Life Civics Presentation Burning Issue
Circle Of Life Civics Presentation Burning IssueCircle Of Life Civics Presentation Burning Issue
Circle Of Life Civics Presentation Burning Issuebdavis22
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxkb31670
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxkb31670
 
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8Access Innovations, Inc.
 
Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54ZhazgulNurdinova
 
IPO OFFERINGS by mint hindustantimes.pdf
IPO OFFERINGS by mint hindustantimes.pdfIPO OFFERINGS by mint hindustantimes.pdf
IPO OFFERINGS by mint hindustantimes.pdfratnasehgal888
 
The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!Loay Mohamed Ibrahim Aly
 

Último (10)

Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
 
Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024
 
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy ResultsMaking AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
Making AI Behave: Using Knowledge Domains to Produce Useful, Trustworthy Results
 
Circle Of Life Civics Presentation Burning Issue
Circle Of Life Civics Presentation Burning IssueCircle Of Life Civics Presentation Burning Issue
Circle Of Life Civics Presentation Burning Issue
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptx
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptx
 
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
 
Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54
 
IPO OFFERINGS by mint hindustantimes.pdf
IPO OFFERINGS by mint hindustantimes.pdfIPO OFFERINGS by mint hindustantimes.pdf
IPO OFFERINGS by mint hindustantimes.pdf
 
The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!
 

Introduction to Web Application Penetration Testing

  • 2. Introduction To Web- Application Penetration Testing  Process to check and penetrate the security of a web application or a website  process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities  Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
  • 3. Why Web Application Penetration Testing ? Common Misnomers  “Our site is safe”  We have Firewalls in place  We encrypt our data  We have IDS/IPS  We have a privacy policy
  • 4. Top Ten Critical Bugs According To Owasp !  Injection like Sql ,Os and Ldap  Broken Authentication And Session Management  XSS – Cross Site Scripting  Insecure Direct Object Reference  Security Misconfiguration  Sensitive Data Exposure  Missing Function level Access Control  CSRF -Cross Site Request Forgery  Using Components with Known Vulnerabilities  Unvalidated Redirects and Forwards
  • 5. Injection  Such As Sql,Os and LDAP Injections  Untrusted data is sent to an interpreter as part of a command or query.  Attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • 7. Trying the basic - 1' or '1'='1 in the vulnerable input field in order to get the username,password and confirm the sql injection vulnerability Returns true for all 
  • 8. Blind Sql Injection I tried to execute a sql query in the input field here along with a true return value
  • 9. I tried to execute the “database() “ to extract the db name. query Database Name (DVWA)
  • 10. Am I Vulnerable To 'Injection'?  Verify that all use of interpreters clearly separates untrusted data from the command or query  Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application  Poor error handling makes injection flaws easier to discover
  • 11. XSS – Cross Site Scripting  Occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.  Allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  • 14. Payload used :- <img src=urloftheimage> Stored XSS
  • 16. Am I Vulnerable To 'Cross-Site Scripting (XSS)'?  Vulnerable if you do not ensure that all user supplied input is properly escaped, or you do not verify it to be safe via input validation, before including that input in the output page.  If Ajax is being used to dynamically update the page, are you using safe JavaScript APIs? For unsafe JavaScript APIs, encoding or validation must also be used.
  • 17. CSRF – Cross Site Request Forgery  Attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application  Allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
  • 18. CSRF
  • 20. The Request doesnot have CSRF token/access token and thus we can take advantage to generate a csrf
  • 21. We are using the same form which our vulnerable website uses but we are changing the value of the password and thus resetting the password to anything we wish  .. <form action="http://127.0.0.1/dvwa/vulnerabilities/csrf/?" method="GET"> New password:<br> <input type="password" AUTOCOMPLETE="off" name="password_new" value="anurag"><br> Confirm new password: <br> <input type="password" AUTOCOMPLETE="off" name="password_conf" value="anurag"><br> <input type="submit" value="Change" name="Change"> </form>
  • 23. Wow ! Password has been Changed 
  • 24. Am I Vulnerable To 'Cross-Site Request Forgery (CSRF)'?  Check if any links and forms lack an unpredictable CSRF token.  Without such a token, attackers can forge malicious requests.  An alternate defense is to require the user to prove they intended to submit the request, either through reauthentication, or some other proof they are a real user (e.g., a CAPTCHA).
  • 25. Only 10 ? NO , There are not only 10 but hundreds of issues that could affect the overall security of a web application.
  • 26. COUNTERMEASURES  For Injections - Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.  For XSS - Properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.  For CSRF - Include the unique token in a hidden field. Requiring the user to reauthenticate, or prove they are a user (e.g., via a CAPTCHA) can also protect against CSRF.