· 6 years ago · Dec 16, 2019, 01:32 AM
Session 12:

Emails Tracing & Tracking <------

Introduction to Vulnerability Assessment & Penetration Testing ( VAPT )
Web Security Standards: OWASP Top 10
SQL Basics
SQL Injection – Authentication Bypass

--------------------

Fake Mail Coming to us. <--- Email Tracing

Open an Email --> More options --> Show Original | Show Source | Show Header

This part is called <-- Header of Mail

Look for a line :

Received from : <1.2.3.4>

This is the IP of the Company | Server | Sender

@gmail.com <--- Google Address

@gmail.com --> 000webhost.com

Email Tracking <--
==============

Companies

Promotional Email

We'll get to know when the email is getting OPENED

Read Receipt

How much time was spent reading it

IP address

------------------------

www.whoreadme.com

www.getnotofy.com <-----

------------------------


VAPT for Website

Vulnerability Assessment & Penetration Testing

Vulnerability <-- Loopholes | Weakness | Backdoor

Assessment <-- Finding

Penetration <--- To Take Advantage of a Vulnerability

Testing <-- To Check


Web Application Security

Standard to Follow for VAPT :

OWASP Top 10 :

OWASP <--- Open Web Application Security Project

This is the organization that works entirely on Security Projects for Websites

List of the worldwide Top 10 Attacks

OWASP Top 10 :

1. SQL Injection --> i. Authentication Bypass ii. Union Based iii. Error Based
2. XSS
3. CSRF
4. IDOR
5. Missing Function Level Access Control
6. Broken Authentication & Session Management
7. Unvalidated Redirects & Forwards
8. Known Vulnerabilities
9. Security Misconfiguration
10. Sensitive Data Exposure


SQL Injection :
================

Authentication Bypass:

www.hazarath.com <-- Very Good Website


www.hazarath.com/login

username:
password:


If this website is vulnerable, we can log into the website by using the Universal True String

username : 1'or'1'='1
password : 1'or'1'='1

This goes to the Database & automatically matches the first account available

99% of the time the First Account is the Admin's


This is called Authentication Bypass:

Securing the Website :

1. Validation

No special characters should be allowed in the Username.

2. Don't read it as a query (SQL)

Just treat every input as content only.
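Worked example (added here, not from the session notes): a login check built by string concatenation, where the Universal True String returns the first account, beside the two fixes from the notes (username validation, and passing input as bound parameters so it is content, never SQL). The users table and its rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data: the first row is the admin account, as the notes assume.
USERS = [("admin", "s3cret-admin"), ("alice", "wonderland")]
PAYLOAD = "1'or'1'='1"   # the "Universal True String" from the notes


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Input is glued into the SQL text, so the quotes in the payload become part of the query.
    The resulting WHERE clause ends in OR '1'='1', which is true for every row, and the
    first row (the admin) is what comes back."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Fix 2 from the notes: bound parameters. The driver sends the input as data, so
    the payload is compared literally against the username column and matches nothing."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def login_validated(conn, username, password):
    """Fix 1 from the notes: reject usernames containing special characters before
    the database is ever consulted, then fall through to the parameterized query."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", username):
        return None
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable    :", login_vulnerable(db, PAYLOAD, PAYLOAD))      # admin
    print("parameterized :", login_parameterized(db, PAYLOAD, PAYLOAD))  # None
    print("validated     :", login_validated(db, PAYLOAD, PAYLOAD))      # None
```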