Web Security Jumpstart

Web Security Workshop
A Jumpstart!
Satria Ady Pradana
http://xathrya.id/ 1
Lightweight and Powerful Penetration Testing OS
Xathrya

# whoami?
• Satria Ady Pradana
– Junior Security Analyst at MII (Metrodata Group)
– Researcher at dracOS Dev Team
– Staff at Reversing.ID
– Interest in low level stuffs
Xathrya

• Now tell me yours
Xathrya

Dracos Linux is an open source operating system provides to penetration testing. Packed with a ton of pentest tools including
information gathering, forensics, malware analysis, mantaining access, and reverse engineering.
We Live by Code and Rise by Ethic
Xathrya

Unix-like operating system for various device and
hardware.
Free and open source, under the license of GNU.
Made by Linux Torvalds in 1991.
LINUX :*
#screetsec Xathrya

Making Linux Distro
great again
#screetsec Xathrya

Derivate or making a new distro base on
existing other distro.
Had undergo some modification from the
author that make it different from the
parent distro.
Remastering
#screetsec Xathrya

• A way to build linux from the very
start.
• Not derivating from existing distro,
• Initiated by Gerad Beckmans,
• Develop & assembly all part of
system by yourself.
Linux From Scratch
#screetsec Xathrya

• Teach yourself the inner of operating system.
• Flexible, do as you wish.
• Positively have full control of your system.
Advantages
#screetsec Xathrya

INTRODUCING
#screetsec Xathrya

THE PHILOSOPHY
#screetsec Xathrya

 The name dracOs comes from Dragon Comodos
 A rare species and can only be found in Indonesia archipelago.
 Inspired by Comodo character
• Strong enough to kill its prey with minimum force.
• Its mouth has various bactery and virus to immediately kill the prey.
#screetsec Xathrya

#screetsec Xathrya

• Initiate the project on 12 June 2012 by Zico Ekel
• Remastering of Ubuntu 10.04
• Update dracOs v2.0 Beta still use Ubuntu
• Reinitiate the project on Desember 2015, did radical change, adopting LFS
HISTORY
#screetsec Xathrya

STYLE OLD SCHOOL
#screetsec Xathrya

WHY
Xathrya

I am a l33t
h@cker
LMAO
#screetsec
Doing something But do not know what they are doing
Xathrya

SOMEWHERE
Xathrya

#screetsec
So...
DRACOS LINUX
Xathrya

FEATURES IN DRACOS
GTK MENU
#screetsec Xathrya

FEATURES IN DRACOS
#screetsec Xathrya

# In this Lab
• Install dracOs
• Configure network (use NAT or bridge)
• Ping my machine from dracOs
• Try the user interface (DWM)
• Install a package
Xathrya

ARE YOU A HACKER?
You might be, but I am not

Information Security is Like Football
32
Formation = Framework
- ISO/IEC 27001
- NIST SP 800
(Computer Security)
- PCI DSS
- HIPAA
- ISMF
GK-DEFENDER
MIDFIELDER
STRIKER
COACH
Sysadmin, Network,
Firewall, SIEM, etc.
InfoSec Officer, Risk
Management Internal,
Compliance, etc.
InfoSec Consultant,
Pentester, etc.
Top Management, CISO
Supporter
Soccer
Stakeholder
rungga_reksya
I am sure you are interest in offensive penetration tester.

33
Three Critical Components for an Information
Security
Integrity I A
C
Availability
Confidentiality
rungga_reksya

Penetration Testing Methodologies and
Standards
34
PENETRATION
TESTINGBLACKBOX WHITE BOX
GRAY
BOX
rungga_reksy
a

Framework
Penetration Testing
35
Web Application Security
Consortium Threat Classification
Open Source Security Testing
Methodology Manual
WASC
Open Web Application Security
Project Testing Guide
OSSTMM OWASP
rungga_reksya

36
@rungga_reks
ya
OWASP Top 10 – 2010 (old) OWASP Top 10 – 2013 (New)
2010-A1 – Injection 2013-A1 – Injection
2010-A2 – Cross Site Scripting (XSS) 2013-A2 – Broken Authentication and Session Management
2010-A3 – Broken Authentication and Session Management 2013-A3 – Cross Site Scripting (XSS)
2010-A4 – Insecure Direct Object References 2013-A4 – Insecure Direct Object References
2010-A5 – Cross Site Request Forgery (CSRF) 2013-A5 – Security Misconfiguration
2010-A6 – Security Misconfiguration 2013-A6 – Sensitive Data Exposure
2010-A7 – Insecure Cryptographic Storage 2013-A7 – Missing Function Level Access Control
2010-A8 – Failure to Restrict URL Access 2013-A8 – Cross-Site Request Forgery (CSRF)
2010-A9 – Insufficient Transport Layer Protection 2013-A9 – Using Known Vulnerable Components (NEW)
2010-A10 – Unvalidated Redirects and Forwards (NEW) 2013-A10 – Unvalidated Redirects and Forwards
3 Primary Changes:  Merged: 2010-A7 and 2010-A9 -> 2013-A6
 Added New 2013-A9: Using Known Vulnerable Components  2010-A8 broadened to 2013-A7
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

• Injecting snippet of SQL syntax to make the
database give information to us, unintended by
developer.
• Unsanitized input.
• Things you should know
• Basic of SQL
• Union
• Specific things for DBMS
• Unicode and character representation
SQL Injection
#screetsec Xathrya

• Injecting client-side script into web page viewed by
(other) user.
• Unsanitized input.
• Reflected
• Persistent
Cross-Site Scripting (XSS)
#screetsec Xathrya

• Unauthorized commands transmitted from a user
that the website trusts thus tricking it as a valid and
authorized command.
• Exploit the trust that a site has in user’s browser.
• Reflected
• Persistent
Cross-Site Request Forgery (CSRF)
#screetsec Xathrya

# In this Lab
• Trying SQL Injection
• Trying XSS
• Trying CSRF
Your target is ...
Xathrya

When you are aiming
Professional Career

Exploit Database
36845 Exploit Archieved, 82454 CVE ID, 3000 Modules on Metasploit, etc.
https://www.exploit-
db.com
https://packetstormsecurity.com https://cve.mitre.org https://www.rapid7.com/db/
modules
Exploit DB Packet Storm
Common
Vulnerabilities
& Exposures
Rapid 7
rungga_reksya
42
41 2 3

Bug Bounty Programs
43
https://bugcrowd.co
m
Bug Crowd
http://bugsheet.com
Bug Sheet
https://hackerone.com
Hacker One
https://firebounty.co
m
Fire Bounty
https://bountyfactory.io
Bounty
Factory
https://www.openbugbounty.
org
Open Bug
Bounty
rungga_reksya

44
Concept of Takeover System
PWN
SVR
SQL Injection
Make Form
Upload
Phishing
XSS
Login to
MYSQL
SHELL
Login to
APP
Upload
File
rungga_reksya

45
PORT
STATE
S
1
Open:
This indicates that an
application is listening
for connections on this
port.
3
Filtered:
This indicates that the
probes were not
received and the
state could not be
established. It also
indicates that the
probes are being
dropped by some
kind of filtering. 5
Open/Filtered:
port was filtered or open
but Nmap couldn't
establish the state.
2
Closed:
probes were received
but there is no
application listening on
this port.
4
Unfiltered:
probes were received
but a state could not
be established.
6
Closed/Filtered:
port was filtered or
closed but Nmap
couldn't establish the
state.
rungga_reksy
a
NMAP Features
45

# In this Lab
• Good Luck!
Xathrya

Web Security Jumpstart

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Web Security Jumpstart

Similar to Web Security Jumpstart (20)

More from Satria Ady Pradana

More from Satria Ady Pradana (20)

Recently uploaded

Recently uploaded (20)

Web Security Jumpstart