Hacking web applications

Presentation transcript:

Hacking web applications Web App Testing 101.

About me (disk0nn3ct)
Danny Chrastil, disk0nn3ct
- I like to hack things
- Used to be in Web-Dev
- Hack for a living?
- Emphasis on web tech

Web App Testing 101 > Why attack web applications
- Acceptance of online purchases
- Accessibility of sensitive info
- New technology all the time
- New applications all the time

Web App Testing 101 > BASICS of Web Servers

Web App Testing 101 > BASICS of Web Requests

Web App Testing 101 > BASICS of State

Web App Testing 101 > How do we BREAK them?!

Web App Testing 101

Web App Testing 101 > There is a process…
- Recon & Mapping
- Discovery
- Exploitation (you can break it now)

Web App Testing 101 > Process:
- Recon & Mapping (BE THOROUGH)
  - Understand the application
    - What are its functions?
    - How is it supposed to work?
    - View Source!
  - Understand the technology
    - What is the server stack?
    - Is it built on a CMS?
  - Map the application
    - All directories and files

Web App Testing 101 > Process:
- Discovery (DO NOT ATTACK YET)
  - Run scanner tools
    - Burp, OWASP ZAP, Nikto, w3af
    - WebInspect, AppScan, NetSparker
  - Manual fuzzing
    - Proxy tool & elbow grease
  - OWASP Top 10
    - XSS, SQLi, CSRF, Clickjacking

Web App Testing 101 > Process:
- Exploitation (ATTACK!)
  - Manual is best
    - Proxy & elbow grease
  - Attack tools
    - w3af
    - SQLMap (SQL injection)
    - BeEF (Browser Exploitation)
    - Metasploit (server CVEs)
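The Recon & Mapping step above ("View Source!", "Is it built on a CMS?", "Map the application") is what feeds the later Discovery step: before anything is fuzzed, the tester needs a list of the application's pages, forms and parameter names. The following is an added example, not code from the talk, of a minimal page mapper that pulls exactly that out of one HTML page: same-site links, forms with their input names, the CMS `generator` meta tag, and developer comments left in the source. The HTML is a constructed sample ("ExampleCMS" is a made-up product name), and the base URL is the lab host the talk names, used here only as a string.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not fetched from anywhere): a login page on the
# talk's lab host with a CMS generator tag, one in-scope and one off-site
# link, a POST form, and a developer comment left in the source.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="ExampleCMS 1.0">
<title>Login</title>
</head><body>
<!-- TODO: remove /admin-old/ before go-live -->
<a href="/about">About</a>
<a href="login.php">Login</a>
<a href="https://twitter.com/example">Follow us</a>
<form action="/login.php" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="next" value="/account">
  <input type="submit" value="Go">
</form>
</body></html>
"""


class AppMapper(HTMLParser):
    """Collect same-site links, forms (with parameter names), HTML
    comments and the CMS generator tag from one page of HTML."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.site = urlparse(base_url).netloc
        self.links = set()
        self.forms = []
        self.comments = []
        self.generator = None
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urljoin(self.base_url, a["href"])
            # Only map the target site; off-site links are out of scope.
            if urlparse(url).netloc == self.site:
                self.links.add(url)
        elif tag == "form":
            self._form = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "inputs": [],
            }
        elif tag == "input" and self._form is not None and a.get("name"):
            # Only named inputs become request parameters.
            self._form["inputs"].append(a["name"])
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_comment(self, data):
        # Comments are part of "View Source!": they often name paths or
        # features that the rendered page never shows.
        self.comments.append(data.strip())


def map_page(base_url, html):
    """Return the mapping of one page as a plain dict."""
    m = AppMapper(base_url)
    m.feed(html)
    m.close()
    return {
        "generator": m.generator,
        "links": sorted(m.links),
        "forms": m.forms,
        "comments": m.comments,
    }


if __name__ == "__main__":
    result = map_page("http://snowfrocninjas.com/", SAMPLE_HTML)
    print("CMS:", result["generator"])
    for link in result["links"]:
        print("link:", link)
    for form in result["forms"]:
        print("form:", form["method"], form["action"], form["inputs"])
    for note in result["comments"]:
        print("comment:", note)
```

The output of `map_page` is the kind of inventory a proxy tool builds as you browse: every link is resolved against the base URL and filtered to the in-scope host, each form is recorded with its method, target and parameter names, and the `generator` tag answers the "is it built on a CMS?" question directly. Running it over each page you visit and merging the results gives the directory and file map the slide asks for, which the Discovery step then works through.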

Web App Testing 101 Let’s get our Hands Dirty

Web App Testing 101 http://snowfrocninjas.com
- modify "hosts" file: 192.168.0.6 snowfrocninjas.com

Questions? (preguntas)