Hey guys, welcome to Mighty Shouts, and let me formally introduce myself to you. I'm Utkarsh Wadhwa, and I manage and run Mighty Shouts. I'm a passionate guy, and I love computing and the internet.
I'm currently pursuing a B.Tech in IT from Galgotia's College of Engineering and Technology, Greater Noida. I finished my schooling in Bareilly.
Computers and technology have been my passion since I was a child, and after a few blogs and communities on technology, I started Mighty Shouts.
I am a computer junkie and love spending time on the computer learning new techniques. I am a passionate blogger. I am a strong supporter of Anonymous & Wikileaks. I have designed complex networks. I am a Red Hat Certified System Administrator (RHCSA), Red Hat Certified Engineer (RHCE), Cisco Certified Network Associate (CCNA), and CEH.
REFERENCES
Information and resources from the Internet were extensively used for the creation of this presentation.
HTTP BASICS
Client-server model:
Client - requests resources from the server.
Server - provides the requested resources.
Request-response (request-reply) model.
Resources are identified by a URI / URL.
HTTP RESPONSE CODE
For every request, the server responds with a response code.
HTTP RESPONSE CODE
1xx = Informational
2xx = Success, e.g. 200 OK
3xx = Redirection, e.g. 302 Moved Temporarily
4xx = Client Error, e.g. 401 Unauthorized
5xx = Server Error
HTTP RESPONSE CODE - DEMO
Wireshark log
curl
VERSIONS
HTTP 1.0
HTTP 1.1
VERSIONS - DIFFERENCE
HTTP 1.0
Requires one connection per resource.
Disconnects immediately.
HTTP 1.1
Reuses the connection for multiple URIs.
VERSIONS - OTHER DEVELOPMENTS
HTTP/1.2 Extension Protocol (PEP)
PEP - The Protocol Extension Protocol
HTTP REQUEST METHODS
According to Wikipedia:
HTTP defines methods that indicate the desired action to be performed on the identified resource. Methods are also referred to as verbs.
HTTP REQUEST METHODS
Summary: a method is an operation which you can perform on a resource on the web server.
HTTP/1.0 METHODS
GET, POST and HEAD methods
HTTP/1.1 ADDITIONAL METHODS
OPTIONS, PUT, DELETE, TRACE and CONNECT.
DEMO - HTTP/1.0 METHODS
GET, POST and HEAD methods
HTTP METHOD TESTING
The process of enumerating the HTTP options (methods) available on a web server.
Cross Site Tracing (XST): a form of cross-site scripting that uses the server's HTTP TRACE method.
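As an added example that is not part of the original deck: a small Python checker that parses raw HTTP responses into the status classes listed earlier and audits the methods a server advertises in its OPTIONS Allow header, flagging TRACE (the XST enabler) and the other HTTP/1.1 additions for review. The sample responses and the host name example.test are constructed, and probe() is meant for servers you administer.

```python
import http.client

# HTTP/1.1 additions whose exposure usually warrants review; TRACE enables XST.
REVIEW_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}

def parse_response(raw: bytes) -> dict:
    """Split a raw response into version, status code, status class, reason, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    code = int(status)
    return {"version": version, "status": code,
            "class": STATUS_CLASSES.get(code // 100, "Unknown"),
            "reason": reason[0] if reason else "", "headers": headers, "body": body}

def audit_allow(resp: dict) -> dict:
    """From an OPTIONS response, list advertised methods and those needing review."""
    allow = resp["headers"].get("allow", "")
    methods = [m.strip().upper() for m in allow.split(",") if m.strip()]
    return {"advertised": methods, "review": sorted(set(methods) & REVIEW_METHODS)}

def trace_enabled(resp: dict) -> bool:
    """TRACE is live when the server echoes the request back as message/http with 200.
    Mitigation is server-side, e.g. Apache's 'TraceEnable off'."""
    ctype = resp["headers"].get("content-type", "").lower()
    return resp["status"] == 200 and ctype.startswith("message/http")

def probe(host: str, port: int = 80, path: str = "/", method: str = "OPTIONS") -> dict:
    """Live check against a server you administer; returns the same dict shape."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path)
    r = conn.getresponse()
    body = r.read()
    conn.close()
    return {"version": "HTTP/1.%d" % (r.version % 10), "status": r.status,
            "class": STATUS_CLASSES.get(r.status // 100, "Unknown"), "reason": r.reason,
            "headers": {k.lower(): v for k, v in r.getheaders()}, "body": body}

# Constructed sample responses (not captured from any real server).
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
                  b"Content-Length: 0\r\n\r\n")
SAMPLE_TRACE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 40\r\n\r\n"
                b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n")
SAMPLE_TRACE_OFF = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"
```

Running audit_allow(parse_response(SAMPLE_OPTIONS)) reports TRACE under "review", and trace_enabled() distinguishes the echoed 200 message/http reply from a 405 that says TRACE is switched off.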
INJECTION ATTACKS
Frontend
Backend
FRONT-END
Rendering attacks:
HTML injection
Code execution:
JS injection
XSS
BACKEND
Command injection
SQL injection
HTML INJECTION
User input is not sanitized.
HTML tags / code are injected.
The page is rendered based on the injected code.
SQL INJECTION
A code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
This will dump the database contents to the attacker.
XSS
Cross Site Scripting is a type of computer security vulnerability typically found in web applications.
XSS allows the attacker to inject client-side script into web pages.
OWASP
Broken Authentication and Session Management
Insecure Direct Object References
CSRF
Security Misconfiguration
OWASP
Insecure Cryptographic Storage
Failing to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
SUMMARY
REFERENCES
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
http://www8.org/w8-papers/5c-protocols/key/key.html
http://stackoverflow.com/questions/246859/http-1-0-vs-1-1
http://devhub.fm/http-requestresponse-basics/
http://wiki.hashphp.org/HttpPrimer
http://www.w3.org/TR/WD-http-pep-960820.html
http://www.infoq.com/news/2011/04/http-1.2-released
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods
http://www.fishnetsecurity.com/6labs/blog/jboss-jmx-console-authentication-bypass
http://jeremiahgrossman.blogspot.in/2008/06/what-you-need-to-know-about-http-verb.html
https://www.owasp.org/index.php/Testing_for_HTTP_Verb_Tampering_%28OWASP-DV-003%29
http://photos1.blogger.com/blogger2/1912/1679/1600/vulnerability_stack.png
GOOD SECURITY PROFESSIONAL
A good security professional is someone who always looks both ways before crossing a one-way street.