
Hey guys, welcome to Mighty Shouts, and let me formally introduce myself to you.

I'm Utkarsh Wadhwa, and I manage and run Mighty Shouts. I'm a passionate guy, and I love computing and the internet.
I'm currently pursuing a B.Tech in IT from Galgotia's College of Engineering and Technology, Greater Noida. I finished my schooling in Bareilly.
Computers and technology have been my passion since I was a child, and after a few blogs and communities on technology, I started Mighty Shouts.
I am a computer junkie and love spending time on the computer learning new techniques. I am a passionate blogger. I am a strong supporter of Anonymous & Wikileaks. I have designed complex networks. I am a Red Hat Certified Linux System Administrator (RHCSA), Red Hat Certified Engineer (RHCE), Cisco Certified Network Associate (CCNA), and CEH.

REFERENCES
Information and resources from the Internet were extensively used in the creation of this presentation.

HTTP BASICS
Client-Server Model:
Client - requests resources from the server.
Server - provides the requested resources.
Request-response / request-reply model.
Resources are identified by a URI / URL.

HTTP RESPONSE CODE
For every request, the server responds with a response code.

HTTP RESPONSE CODE
1xx = Informational
2xx = Success, e.g. 200 OK
3xx = Redirection, e.g. 302 Moved Temporarily
4xx = Client Error, e.g. 401 Unauthorized
5xx = Server Error

HTTP RESPONSE CODE - DEMO
Wireshark
Log
curl

VERSIONS
HTTP 1.0
HTTP 1.1

VERSIONS - DIFFERENCE
HTTP 1.0: requires one connection per resource; disconnects immediately.
HTTP 1.1: reuses one connection for multiple URIs.

VERSIONS - OTHER DEVELOPMENTS
HTTP/1.2 Extension Protocol (PEP)
PEP - The Protocol Extension Protocol

HTTP REQUEST METHODS
According to Wikipedia:
HTTP defines methods that indicate the desired action to be performed on the identified resource.
Methods are also referred to as verbs.

HTTP REQUEST METHODS
Summary: a method is an operation which you can perform on a resource on the web server.

HTTP/1.0 METHODS
GET, POST and HEAD methods

HTTP/1.1 ADDITIONAL METHODS
OPTIONS, PUT, DELETE, TRACE and CONNECT.

DEMO - HTTP/1.0 METHODS
GET, POST and HEAD methods

HTTP METHOD TESTING
The process of enumerating the HTTP methods (options) available on a web server.
Cross Site Tracing (XST): a form of cross site scripting that uses the server's HTTP TRACE method.
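As an added example (not code from the presentation), the method-testing step above as a small Python script: it starts a constructed local server that still answers TRACE, probes each verb, reads the Allow header from OPTIONS, and reports which verbs respond and which are a risk. The demo server, the helper names and the verb list are the example's own assumptions.

```python
import http.client
import http.server
import threading
# Constructed stand-in for a misconfigured server: OPTIONS works and TRACE is left on (the XST condition).
class DemoHandler(http.server.BaseHTTPRequestHandler):
    def _reply(self, body=b""):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS, TRACE")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self): self._reply(b"hello")
    def do_HEAD(self): self._reply()
    def do_POST(self): self._reply()
    def do_OPTIONS(self): self._reply()
    def do_TRACE(self): self._reply(self.raw_requestline)  # echoes the request line back
    def log_message(self, *_): pass  # keep the demo quiet; PUT/DELETE get the base-class 501

def start_demo_server():
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server  # server.server_address[1] is the port that was chosen

def probe(host, port, method):
    # One request with the given verb; returns (status code, Allow header).
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, "/")
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Allow", "")

def audit_methods(host, port):
    # Enumerate verbs as a method-testing pass does and flag the risky ones.
    _, allow = probe(host, port, "OPTIONS")
    advertised = sorted(m.strip() for m in allow.split(",") if m.strip())
    statuses = {m: probe(host, port, m)[0] for m in ("GET", "HEAD", "POST", "PUT", "DELETE", "TRACE")}
    findings = []
    if statuses["TRACE"] == 200:
        findings.append("TRACE enabled: XST risk, disable it on the server")
    for m in ("PUT", "DELETE"):
        if statuses[m] < 400:
            findings.append(f"{m} accepted: confirm it is intended and authenticated")
    return {"advertised": advertised, "statuses": statuses, "findings": findings}

def run_demo():  # starts the demo server, audits it, returns the report
    srv = start_demo_server()
    report = audit_methods("127.0.0.1", srv.server_address[1])
    srv.shutdown()
    return report
```

Against the demo server the report lists TRACE as enabled and PUT/DELETE as 501, which is the kind of result you compare with the Allow header before deciding what to disable.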

INJECTION ATTACKS
Frontend
Backend

FRONT-END
Rendering Attacks:
HTML Injection
Code Execution:
JS Injection
XSS

BACKEND
Command Injection
SQL Injection

HTML INJECTION
User input is not sanitized.
HTML tags / code are injected.
The page is rendered based on the injected code.

SQL INJECTION
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
This will dump the database contents to the attacker.

XSS
Cross Site Scripting is a type of computer security vulnerability typically found in web applications.
XSS allows the attacker to inject client-side script into web pages.

OWASP
Broken Authentication and Session Management
Insecure Direct Object References
CSRF
Security Misconfiguration

OWASP
Insecure Cryptographic Storage
Failing to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards

SUMMARY

REFERENCES
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
http://www8.org/w8papers/5c-protocols/key/key.html
http://stackoverflow.com/questions/246859/http-1-0-vs-1-1
http://devhub.fm/http-requestresponse-basics/
http://wiki.hashphp.org/HttpPrimer
http://www.w3.org/TR/WD-http-pep960820.html
http://www.infoq.com/news/2011/04/http-1.2-released
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods
http://www.fishnetsecurity.com/6labs/blog/jboss-jmx-console-authentication-bypass
http://jeremiahgrossman.blogspot.in/2008/06/what-you-need-to-know-about-http-verb.html
https://www.owasp.org/index.php/Testing_for_HTTP_Verb_Tampering_%28OWASP-DV003%29
http://photos1.blogger.com/blogger2/1912/1679/1600/vulnerability_stack.png

GOOD SECURITY PROFESSIONAL
A good security professional is someone who always looks both ways before crossing a one-way street.
