SlideShare uma empresa Scribd logo

4 Mapping the Application

Sam Bowne
Sam Bowne

For a Securing Web Applications class at college. More info: https://samsclass.info/129S/129S_S23.shtml

Educação
1 de 88
Baixar para ler offline
CNIT 129S: Securing Web Applications Ch 4: Mapping the Applicatio n Sl 56 Updated 2-9-2023
Mapping • Enumerate application's content and functionalit y • Some is hidden, requiring guesswork and luck to discove r • Examine every aspect of behavior, security mechanisms, and technologie s • Determine attack surface and vulnerabilities
Enumerating Content and Functionality
Web Spiders • Load web page, fi nd all links on i t • (into the targeted domain ) • Load those pages, fi nd more link s • Continue until no new content is discovered
Web Application Spiders • Also parse HTML form s • Fill in the forms with preset or random values and submit the m • Trying to walk through multistage functionalit y • Can also parse client-side JavaScript to extract URL s • Tool: Zed Attack Prox y • WebScarab & CAT seem old and abandoned
Robots.txt • Intended to stop search engine s • May guide spiders to interesting content
Limitations of Automatic Spidering • May fail to handle unusual navigation mechanisms, such as dynamically created JavaScript menu s • So it may miss whole areas of an applicatio n • Links buried in compiled client-side objects like ActiveX or Java may be missed
Limitations of Automatic Spidering • Forms may have validation checks, such as user registration form s • Email address, telephone number, address, zip cod e • Too complex for most spiders, which use a single text string for all form fi eld s • Spider cannot understand the "Invalid" error messages
Limitations of Automatic Spidering • Spiders only fetch each URL onc e • But applications use forms-based navigation, in which the same URL may return different content and function s • For example, a bank may implement every user action with a POST to /account.jsp with parameters determining the actio n • Spiders aren't smart enough to handle that
Limitations of Automatic Spidering • Some applications place volatile data within URL s • Parameters containing timers or random number seed s • Spider will fetch the same page over and over, thinking it's ne w • May freeze up
Limitations of Automatic Spidering • Authentication: spider must be able to submit valid credential s • Perhaps using a valid cooki e • However, spiders often break the authenticated session, b y • Requesting a logout functio n • Submitting invalid input to a sensitive functio n • Requesting pages out-of-sequence
Warning • Spiders may fi nd an administrative page and click every lin k • Delete User, Shut Down Database, Restart Server...
User-Directed Spidering • More sophisticated and controlled technique than automated spidering, usually preferabl e • User walks through application using a browser connected to Burp (or another proxy ) • The proxy collects all requests and responses
Preparing Burp • Launch Burp Suite • Click Next, Start Burp • On the Proxy Tab, turn off Intercept • Click Open Browser
Shopping • In Burp's browser, go to http://hackazon.samsclass.inf o • Click an item, then click Add to car t • Repeat for a second item
Shopping Cart (Not logged in) • At top right, click shopping cart icon to see items
Shopping • In Burp, on the Target tab • On the Site map sub-tab • Expand http://hackazon.samsclass.info • Expand cart • Expand add • Expand user
• Note items in car t • "user" contains only 5 URLs
Logging In • In the Hackazon page, at the top right, click Sign U p • Register a new user • Log out • Sign in
• Login event seen in Burp
A
Advantages of User-Directed Spidering • User can follow unusual or complex navigation mechanism s • User can enter valid data where neede d • User can log in as neede d • User can avoid dangerous functionality, such as deleteUser.jsp
Browser Tools • Chrome's Developer Tools can show details of requests and responses within the browse r • No proxy neede d • Often useful; shows timing as well as content
Discovering Hidden Content • Finding it requires automated testing, manual testing, and luc k • Testing or debugging features left in applicatio n • Different functionality for different categories of user s • Anonymous, authenticated, administrator s • Backup copies of live fi le s • May be non-executable and reveal source code
Discovering Hidden Content • Backup archives that contain snapshot of entire applicatio n • New functionality implemented for testing but not yet linked from main applicatio n • Default functionality in an off-the-shelf application that has been super fi cially hidden from the user but not remove d • Old versions of fi les--may still be exploitable
Discovering Hidden Content • Con fi guration and include fi les containing sensitive data such as database credential s • Source fi les from which application functions were compile d • Comments in source code; may contain usernames and passwords, "test this" marks, and other useful dat a • Log fi les--may contain valid usernames, session tokens, etc.
Brute-Force Techniques • Suppose user-directed spidering fi nds the URLs on the lef t • A brute-forcer will try names as shown on the right
Burp's Brute-Forcer • Burp's brute- forcer is very slow in the free version
Dirb • Good brute-force spidering tool • Included in Kali Linux
B
Inference from Published Content • Look for pattern s • All subdirectories of "auth" start with a capital lette r • One is "ForgotPassword", so try these
Other Patterns • Names may use numbers or date s • Check include fi les from HTML and JavaScrip t • They may be publicly readabl e • Comments may include database names, SQL query string s • Java applets and ActiveX controls may contain sensitive data
More Clues • Search for temporary fi les created by tools and fi le editor s • .DS_Store fi le (a directory index created by Mac OS X ) • fi le.php-1 created when fi le.php is edite d • .tmp fi les created by many tools
Burp Pro's Content Discovery
Google's Skip fi sh • Vulnerability scanner but main strength is fi nding fi les and folder s • Links Ch 4d, 4e
Public Information • Search engines (and cached content ) • Web archives such as the Wayback Machin e • Posts to forums like Stack Exchange
Google Advanced Search
Web Server Vulnerabilities • Some Web servers let you list directory contents or see raw source cod e • Sample and diagnostic scripts may contain vulnerabilities
Nikto and Wikto • Scans servers for known vulnerable fi les and version s • Wikto is the Windows versio n • Nikto is the Linux versio n • Included in Kal i • Fast and easy to us e • Has false positives like all vulnerability scanner s • Must verify results with manual testing
Example
Functional Paths • Different from old-fashioned tree- structured fi le syste m • Every request goes to the same UR L • Parameters specify functio n • Very different structure to explore
Map of Functional Paths
Discovering Hidden Parameters • Try adding "debug=true" to request s • Or test, hide, source, etc . • Burp Intruder can do this (see Ch 14)
Analyzing the Application • Key area s • Core functionalit y • Peripheral behavior: off-site links, error messages, administrative and logging functions, and use of redirect s • Core security mechanisms: session state, access control, authenticatio n • User registration, password change, account recovery
Key Areas (continued) • Everywhere the application processes user- supplied inpu t • URL, query string, POST data, cookie s • Client-side technologie s • Forms, scripts, thick-client components (Java applets, ActiveX controls, and Flash), and cookies
Key Areas (continued) • Server-side technologie s • Static and dynamic pages, request parameters, SSL, Web server software, interaction with databases, email systems, and other back-end components
Entry Points for User Input
RESTful URLs
Request Parameters • Normally, google.com?q=duc k • Here are some nonstandard parameter formats
HTTP Headers • User-Agent is used to detect small screen s • Sometimes to modify content to boost search engine ranking s • May allow XSS and other injection attack s • Changing User-Agent may reveal a different user interface
HTTP Headers • Applications behind a load balancer or proxy may use X-Forwarded-For header to identify sourc e • Can be manipulated by attacker to inject content
Out-of-Band Channels • User data may come in vi a • Emai l • Publishing content via HTTP from another server (e.g. WebDAV ) • IDS that sniffs traf fi c and puts it into a Web applicatio n • API interface for non-browser user agents, such as cell phone apps, and then shares data with the primary web application
C
Identifying Server-Side Technologies
Banner Grabbing • Banners often leak version informatio n • Also Web page template s • Custom HTTP header s • URL query string parameters
HTTP Fingerprinting • httprecon uses subtle clues to identify versions, not just banner s • Link Ch 4h
Wappalyzer • Browser extension
File Extensions • Disclose platform or language
Error Messages
Error Message
File Extension Mappings • Different DLLs may lead to different error messages
OpenText • Vignette is now rebranded as OpenTex t • Link Ch 4i
Directory Names • Indicate technology in use
Session Tokens
Third-Party Code Components • Add common functionality lik e • Shopping cart s • Login mechanism s • Message board s • Open-source or commercia l • May contain known vulnerabilities
Hack Steps 1. Identify all entry points for user inpu t •URL, query string parameters, POST data, cookies, HTTP header s 2. Examine query string format; should be some variation on name/value pai r 3. Identify any other channels that allow user- controllable or third-party data into the app
Hack Steps 4. View HTTP server banner returned by the app; it may use several different server s 5. Check for other software identi fi ers in custom HTTP headers or HTML source code 6. Run httprint to fi ngerprint the web serve r 7. Research software versions for vulnerabilitie s 8. Review map of URLs to fi nd interesting fi le extensions, directories, etc. with clues about the technologies in use
httprint • Not updated since 2005 (link Ch 4j ) • Alternatives include nmap, Netcraft, and SHODAN (Link Ch 4k ) • Also the Wappalyzer Chrome extension
Hack Steps 9. Review names of session tokens to identify technologies being use d 10. Use lists of common technologies, or Google, to identify technologies in use, or discover other websites that use the same technologie s 11. Google unusual cookie names, scripts, HTTP headers, etc. If possible, download and install the software to analyze it and fi nd vulnerabilities
Identifying Server-Side Functionality • .jsp - Java Server Page s • OrderBy parameter looks like SQ L • isExpired suggests that we could get expired content by changing this value
Identifying Server-Side Functionality • .aspx - Active Server Pages (Microsoft ) • template - seems to be a fi lename and loc - looks like a directory; may be vulnerable to path traversa l • edit - maybe we can change fi les if this is tru e • ver - perhaps changing this will reveal other functions to attack
Identifying Server-Side Functionality • .php - PH P • Connecting to an email server, with user-controllable content in all fi eld s • May be usable to send email s • Any fi elds may be vulnerable to email header injection
Identifying Server-Side Functionality • Change action to "edit" or "add " • Try viewing other collections by changing the id number
Extrapolating Application Behavior • An application often behaves consistently across the range of its functionalit y • Because code is re-used or written by the same developer, or to the same speci fi cation s • So if your SQL injections are being fi ltered out, try injecting elsewhere to see what fi ltering is in effect
Extrapolating Application Behavior • If app obfuscates data, try fi nding a place where a user can enter an obfuscated string and retrieve the original • Such as an error messag e • Or test systematically-varying values and deduce the obfuscation scheme
Error Handling • Some errors may be properly handled and give little information Others may crash and return verbose error information
Google Dorks • Link Ch 4p
Isolate Unique Application Behavior • App may use a consistent framework that prevents attack s • Look for extra parts "bolted on" later, which may not be integrated into the framewor k • Debug functions, CAPTCHAs, usage tracking, third-party cod e • Different GUI appearance, parameter naming conventions, comments in source code
Mapping the Attack Surface • Client-side validatio n • Database interaction -- SQL injectio n • File uploading and downloading -- Path traversal, stored XS S • Display of user-supplied data - XS S • Dynamic redirects -- Redirection and header attacks
Mapping the Attack Surface • Social networking features -- username enumeration, stored XS S • Login -- Username enumeration, weak passwords, brute-force attack s • Multistage login -- Logic fl aw s • Session state -- Predictable tokens, insecure token handling
Mapping the Attack Surface • Access controls -- Horizontal and vertical privilege escalatio n • User impersonation functions -- Privilege escalatio n • Cleartext communications -- Session hijacking, credential thef t • Off-site links -- Leakage of query string parameters in the Referer heade r • Interfaces to external systems -- Shortcuts handling sessions or access controls
Mapping the Attack Surface • Error messages -- Information leakag e • Email interaction -- Email or command injectio n • Native code components or interaction -- Buffer over fl ow s • Third-party components -- Known vulnerabilitie s • Identi fi able Web server -- Common con fi guration errors, known bugs
Example • /auth contains authentication functions -- test session handling and access contro l • /core/sitestats -- parameters; try varying them; try wildcards like all and * ; PageID contains a path, try traversa l • /home -- authenticated user content; try horizontal privilege escalation to see other user's info
Example • /icons and /images -- static content, might fi nd icons indicating third- party content, but probably nothing interesting her e • /pub -- RESTful resources under / pub/media and /pub/user; try changing the numerical value at the en d • /shop -- online shopping, all items handled similarly; check logic for possible exploits
D

Recomendados

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 

Recomendados

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Broken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptxBroken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptxManahari Darshika Pemarathna
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)Sam Bowne
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
CNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationCNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationSam Bowne
 
CNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationCNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationSam Bowne
 

Mais conteúdo relacionado

Mais procurados

XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)Sam Bowne
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 

Mais procurados (20)

XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Broken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptxBroken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptx
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection
 
Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)Ch 9 Attacking Data Stores (Part 2)
Ch 9 Attacking Data Stores (Part 2)
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 

Semelhante a 4 Mapping the Application

CNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationCNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationSam Bowne
 
CNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationCNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationSam Bowne
 
CNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsCNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsSam Bowne
 
Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Sam Bowne
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5Aditya Kamat
 
CNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesCNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 

Semelhante a 4 Mapping the Application (20)

CNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationCNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the Application
 
CNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationCNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the Application
 
CNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsCNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End Components
 
Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End Components
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5
 
CNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesCNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application Technologies
 
Redundant devops
Redundant devopsRedundant devops
Redundant devops
 
Codeigniter framework
Codeigniter framework Codeigniter framework
Codeigniter framework
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Basics of the Web Platform
Basics of the Web PlatformBasics of the Web Platform
Basics of the Web Platform
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side Controls
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 

Mais de Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 

Mais de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 

Último

Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxPooja Bhuva
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Pooja Bhuva
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfDr Vijay Vishwakarma
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxPooja Bhuva
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 

Último (20)

Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 

4 Mapping the Application

  • 1. CNIT 129S: Securing Web Applications Ch 4: Mapping the Applicatio n Sl 56 Updated 2-9-2023
  • 2. Mapping • Enumerate application's content and functionalit y • Some is hidden, requiring guesswork and luck to discove r • Examine every aspect of behavior, security mechanisms, and technologie s • Determine attack surface and vulnerabilities
  • 4. Web Spiders • Load web page, fi nd all links on i t • (into the targeted domain ) • Load those pages, fi nd more link s • Continue until no new content is discovered
  • 5. Web Application Spiders • Also parse HTML form s • Fill in the forms with preset or random values and submit the m • Trying to walk through multistage functionalit y • Can also parse client-side JavaScript to extract URL s • Tool: Zed Attack Prox y • WebScarab & CAT seem old and abandoned
  • 6. Robots.txt • Intended to stop search engine s • May guide spiders to interesting content
  • 7. Limitations of Automatic Spidering • May fail to handle unusual navigation mechanisms, such as dynamically created JavaScript menu s • So it may miss whole areas of an applicatio n • Links buried in compiled client-side objects like ActiveX or Java may be missed
  • 8. Limitations of Automatic Spidering • Forms may have validation checks, such as user registration form s • Email address, telephone number, address, zip cod e • Too complex for most spiders, which use a single text string for all form fi eld s • Spider cannot understand the "Invalid" error messages
  • 9. Limitations of Automatic Spidering • Spiders only fetch each URL onc e • But applications use forms-based navigation, in which the same URL may return different content and function s • For example, a bank may implement every user action with a POST to /account.jsp with parameters determining the actio n • Spiders aren't smart enough to handle that
  • 10. Limitations of Automatic Spidering • Some applications place volatile data within URL s • Parameters containing timers or random number seed s • Spider will fetch the same page over and over, thinking it's ne w • May freeze up
  • 11. Limitations of Automatic Spidering • Authentication: spider must be able to submit valid credential s • Perhaps using a valid cooki e • However, spiders often break the authenticated session, b y • Requesting a logout functio n • Submitting invalid input to a sensitive functio n • Requesting pages out-of-sequence
  • 12. Warning • Spiders may fi nd an administrative page and click every lin k • Delete User, Shut Down Database, Restart Server...
  • 13. User-Directed Spidering • More sophisticated and controlled technique than automated spidering, usually preferabl e • User walks through application using a browser connected to Burp (or another proxy ) • The proxy collects all requests and responses
  • 14. Preparing Burp • Launch Burp Suite • Click Next, Start Burp • On the Proxy Tab, turn off Intercept • Click Open Browser
  • 15. Shopping • In Burp's browser, go to http://hackazon.samsclass.inf o • Click an item, then click Add to car t • Repeat for a second item
  • 16. Shopping Cart (Not logged in) • At top right, click shopping cart icon to see items
  • 17. Shopping • In Burp, on the Target tab • On the Site map sub-tab • Expand http://hackazon.samsclass.info • Expand cart • Expand add • Expand user
  • 18. • Note items in car t • "user" contains only 5 URLs
  • 19. Logging In • In the Hackazon page, at the top right, click Sign U p • Register a new user • Log out • Sign in
  • 21. A
  • 22. Advantages of User-Directed Spidering • User can follow unusual or complex navigation mechanism s • User can enter valid data where neede d • User can log in as neede d • User can avoid dangerous functionality, such as deleteUser.jsp
  • 23. Browser Tools • Chrome's Developer Tools can show details of requests and responses within the browse r • No proxy neede d • Often useful; shows timing as well as content
  • 24.
  • 25.
  • 26. Discovering Hidden Content • Finding it requires automated testing, manual testing, and luc k • Testing or debugging features left in applicatio n • Different functionality for different categories of user s • Anonymous, authenticated, administrator s • Backup copies of live fi le s • May be non-executable and reveal source code
  • 27. Discovering Hidden Content • Backup archives that contain snapshot of entire applicatio n • New functionality implemented for testing but not yet linked from main applicatio n • Default functionality in an off-the-shelf application that has been super fi cially hidden from the user but not remove d • Old versions of fi les--may still be exploitable
  • 28. Discovering Hidden Content • Con fi guration and include fi les containing sensitive data such as database credential s • Source fi les from which application functions were compile d • Comments in source code; may contain usernames and passwords, "test this" marks, and other useful dat a • Log fi les--may contain valid usernames, session tokens, etc.
  • 29. Brute-Force Techniques • Suppose user-directed spidering fi nds the URLs on the lef t • A brute-forcer will try names as shown on the right
  • 30. Burp's Brute-Forcer • Burp's brute- forcer is very slow in the free version
  • 31. Dirb • Good brute-force spidering tool • Included in Kali Linux
  • 32. B
  • 33. Inference from Published Content • Look for pattern s • All subdirectories of "auth" start with a capital lette r • One is "ForgotPassword", so try these
  • 34. Other Patterns • Names may use numbers or date s • Check include fi les from HTML and JavaScrip t • They may be publicly readabl e • Comments may include database names, SQL query string s • Java applets and ActiveX controls may contain sensitive data
  • 35. More Clues • Search for temporary fi les created by tools and fi le editor s • .DS_Store fi le (a directory index created by Mac OS X ) • fi le.php-1 created when fi le.php is edite d • .tmp fi les created by many tools
  • 37. Google's Skip fi sh • Vulnerability scanner but main strength is fi nding fi les and folder s • Links Ch 4d, 4e
  • 38. Public Information • Search engines (and cached content ) • Web archives such as the Wayback Machin e • Posts to forums like Stack Exchange
  • 40. Web Server Vulnerabilities • Some Web servers let you list directory contents or see raw source cod e • Sample and diagnostic scripts may contain vulnerabilities
  • 41. Nikto and Wikto • Scans servers for known vulnerable fi les and version s • Wikto is the Windows versio n • Nikto is the Linux versio n • Included in Kal i • Fast and easy to us e • Has false positives like all vulnerability scanner s • Must verify results with manual testing
  • 43. Functional Paths • Different from old-fashioned tree- structured fi le syste m • Every request goes to the same UR L • Parameters specify functio n • Very different structure to explore
  • 45. Discovering Hidden Parameters • Try adding "debug=true" to request s • Or test, hide, source, etc . • Burp Intruder can do this (see Ch 14)
  • 46. Analyzing the Application • Key area s • Core functionalit y • Peripheral behavior: off-site links, error messages, administrative and logging functions, and use of redirect s • Core security mechanisms: session state, access control, authenticatio n • User registration, password change, account recovery
  • 47. Key Areas (continued) • Everywhere the application processes user- supplied inpu t • URL, query string, POST data, cookie s • Client-side technologie s • Forms, scripts, thick-client components (Java applets, ActiveX controls, and Flash), and cookies
  • 48. Key Areas (continued) • Server-side technologie s • Static and dynamic pages, request parameters, SSL, Web server software, interaction with databases, email systems, and other back-end components
  • 49. Entry Points for User Input
  • 51. Request Parameters • Normally, google.com?q=duc k • Here are some nonstandard parameter formats
  • 52. HTTP Headers • User-Agent is used to detect small screen s • Sometimes to modify content to boost search engine ranking s • May allow XSS and other injection attack s • Changing User-Agent may reveal a different user interface
  • 53. HTTP Headers • Applications behind a load balancer or proxy may use X-Forwarded-For header to identify sourc e • Can be manipulated by attacker to inject content
  • 54. Out-of-Band Channels • User data may come in vi a • Emai l • Publishing content via HTTP from another server (e.g. WebDAV ) • IDS that sniffs traf fi c and puts it into a Web applicatio n • API interface for non-browser user agents, such as cell phone apps, and then shares data with the primary web application
  • 55. C
  • 57. Banner Grabbing • Banners often leak version informatio n • Also Web page template s • Custom HTTP header s • URL query string parameters
  • 58. HTTP Fingerprinting • httprecon uses subtle clues to identify versions, not just banner s • Link Ch 4h
  • 60. File Extensions • Disclose platform or language
  • 63. File Extension Mappings • Different DLLs may lead to different error messages
  • 64. OpenText • Vignette is now rebranded as OpenTex t • Link Ch 4i
  • 65. Directory Names • Indicate technology in use
  • 67. Third-Party Code Components • Add common functionality lik e • Shopping cart s • Login mechanism s • Message board s • Open-source or commercia l • May contain known vulnerabilities
  • 68. Hack Steps 1. Identify all entry points for user inpu t •URL, query string parameters, POST data, cookies, HTTP header s 2. Examine query string format; should be some variation on name/value pai r 3. Identify any other channels that allow user- controllable or third-party data into the app
  • 69. Hack Steps 4. View HTTP server banner returned by the app; it may use several different server s 5. Check for other software identi fi ers in custom HTTP headers or HTML source code 6. Run httprint to fi ngerprint the web serve r 7. Research software versions for vulnerabilitie s 8. Review map of URLs to fi nd interesting fi le extensions, directories, etc. with clues about the technologies in use
  • 70. httprint • Not updated since 2005 (link Ch 4j ) • Alternatives include nmap, Netcraft, and SHODAN (Link Ch 4k ) • Also the Wappalyzer Chrome extension
  • 71. Hack Steps 9. Review names of session tokens to identify technologies being use d 10. Use lists of common technologies, or Google, to identify technologies in use, or discover other websites that use the same technologie s 11. Google unusual cookie names, scripts, HTTP headers, etc. If possible, download and install the software to analyze it and fi nd vulnerabilities
  • 72. Identifying Server-Side Functionality • .jsp - Java Server Page s • OrderBy parameter looks like SQ L • isExpired suggests that we could get expired content by changing this value
  • 73. Identifying Server-Side Functionality • .aspx - Active Server Pages (Microsoft ) • template - seems to be a fi lename and loc - looks like a directory; may be vulnerable to path traversa l • edit - maybe we can change fi les if this is tru e • ver - perhaps changing this will reveal other functions to attack
  • 74. Identifying Server-Side Functionality • .php - PH P • Connecting to an email server, with user-controllable content in all fi eld s • May be usable to send email s • Any fi elds may be vulnerable to email header injection
  • 75. Identifying Server-Side Functionality • Change action to "edit" or "add " • Try viewing other collections by changing the id number
  • 76. Extrapolating Application Behavior • An application often behaves consistently across the range of its functionalit y • Because code is re-used or written by the same developer, or to the same speci fi cation s • So if your SQL injections are being fi ltered out, try injecting elsewhere to see what fi ltering is in effect
  • 77. Extrapolating Application Behavior • If app obfuscates data, try fi nding a place where a user can enter an obfuscated string and retrieve the original • Such as an error messag e • Or test systematically-varying values and deduce the obfuscation scheme
  • 78. Error Handling • Some errors may be properly handled and give little information Others may crash and return verbose error information
  • 80.
  • 81. Isolate Unique Application Behavior • App may use a consistent framework that prevents attack s • Look for extra parts "bolted on" later, which may not be integrated into the framewor k • Debug functions, CAPTCHAs, usage tracking, third-party cod e • Different GUI appearance, parameter naming conventions, comments in source code
  • 82. Mapping the Attack Surface • Client-side validatio n • Database interaction -- SQL injectio n • File uploading and downloading -- Path traversal, stored XS S • Display of user-supplied data - XS S • Dynamic redirects -- Redirection and header attacks
  • 83. Mapping the Attack Surface • Social networking features -- username enumeration, stored XS S • Login -- Username enumeration, weak passwords, brute-force attack s • Multistage login -- Logic fl aw s • Session state -- Predictable tokens, insecure token handling
  • 84. Mapping the Attack Surface • Access controls -- Horizontal and vertical privilege escalatio n • User impersonation functions -- Privilege escalatio n • Cleartext communications -- Session hijacking, credential thef t • Off-site links -- Leakage of query string parameters in the Referer heade r • Interfaces to external systems -- Shortcuts handling sessions or access controls
  • 85. Mapping the Attack Surface • Error messages -- Information leakag e • Email interaction -- Email or command injectio n • Native code components or interaction -- Buffer over fl ow s • Third-party components -- Known vulnerabilitie s • Identi fi able Web server -- Common con fi guration errors, known bugs
  • 86. Example • /auth contains authentication functions -- test session handling and access contro l • /core/sitestats -- parameters; try varying them; try wildcards like all and * ; PageID contains a path, try traversa l • /home -- authenticated user content; try horizontal privilege escalation to see other user's info
  • 87. Example • /icons and /images -- static content, might fi nd icons indicating third- party content, but probably nothing interesting her e • /pub -- RESTful resources under / pub/media and /pub/user; try changing the numerical value at the en d • /shop -- online shopping, all items handled similarly; check logic for possible exploits
  • 88. D