Posts

My encounter with successful social engineering attack

11/8/2018 9:41 AM - I was getting ready for office when I received a call from one of our relatives. He was telling me about a hacking attempt on his email address, due to which he had been unable to receive any mail since yesterday, and an email had been sent to all his contacts saying that he was in a life-threatening situation in another country and needed money immediately. As a precaution he had changed his password, but the issue didn't resolve. He was worried that his company's email and sensitive information were lost. He inquired whether I could help him out since I was working in IT. I felt this was an opportunity for me to see a hacking attempt first hand, and I wanted to spend some time investigating it, so I asked him to share his mail details (which is highly not recommended, but in the situation I couldn't help it) and told him I was heading to office and would have information by evening. The excitement to see what had happened got the better of me, so I stayed back at home logging in...

Installed cookie manager+ Add-on but unable to find it in Firefox

Hi, I often face this problem: I install the Cookie Manager+ add-on in Firefox but it doesn't show up in the menu bar of the browser, I search everywhere and waste at least 5-10 minutes searching the browser's add-ons page and the internet before I realize the solution. So this post is for all such nerds like me. For the Cookie Manager+ add-on, after you install it in your browser, click on the icon in the top right corner of the menu bar and click on the 'Customize' button at the bottom of the list. The Cookie Manager+ add-on will be present in the list; drag and drop it into the right-hand menu page. From now on your Cookie Manager+ add-on will be visible whenever you click on the menu bar.

Importance of Cookie

Hi, today I'm going to explain the importance of the cookie in web communication. Let us begin by understanding what exactly a cookie is. Since HTTP is a stateless protocol, every request sent by the user to the server is treated as if it were the first request; the server does not know about any previous request sent by the user. Each request goes through the conventional communication flow, such as the three-way handshake before the TCP connection is established and encryption of the request if SSL is implemented. This works well for static web pages, which have no authentication or authorization: anyone can access the URL and view the web application. But as web applications advanced day by day, from conventional "contact me" pages to modern e-commerce sites, authentication and authorization mechanisms became the need of the hour. Although authentication and authorization are often used synonymously, there is a slight difference between the two. Authenticati...

Server Side Request forgery

Server side request forgery uses a vulnerable web server to interact with its internal servers based on the attacker's request. Generally, access to the internal nodes of the server (i.e. the intranet) is not publicly available, and any direct communication attempt would be blocked by the firewall, but the server itself has unrestricted access to the intranet, as it is the one that has to save the parameters in another server, typically a database server, application server, etc. So, in order to interact with the servers in the server's intranet, payloads are designed to establish that communication inside normal HTTP requests; the server then executes the payloads on the attacker's behalf, so the packets reach the intranet server. A typical scenario is port scanning of the various servers present in the intranet. For example, if a parameter in the request maps to a database field such as username or password, the port scanning mechanism is injected into the normal http ...

Importance of enabling Secure and HTTPOnly flag for cookies

Automated scan results often give a lot of false positives; some findings are legitimate and some are as per design and can be omitted. Most automated scanners report a medium-level vulnerability when the session identifier cookie does not have the HTTPOnly and Secure flags enabled. What exactly is the problem? What happens if these flags are disabled for a session identifier? Let me explain as follows. HTTPOnly: the HttpOnly flag is an additional property added to a cookie that helps mitigate access to cookie information through XSS. Declaring a cookie as HttpOnly restricts client-side script from accessing the cookie; the script gets an empty string instead. Exploitation: consider a web application that does not have the HTTPOnly flag enabled, where auth_token is the session identifier of the application. Upon executing <script>alert(document.cookie)</script> in the application, the output would be the cookie. Now let us enable the HTTPOnly flag on the s...

Exploiting SQL injection flaws using SQLMap

A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. SQLMap: SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching...

Difference between HTTP and HTTPS

Hypertext Transfer Protocol (HTTP) is an application layer protocol used on the internet to access web applications. When you type a web address into your web browser, your browser acts as a client, and the computer holding the requested information acts as a server. When the client requests information from the server, it uses the HTTP protocol to do so. The server responds to the client once the request completes. The response comes in the form of the web page you see just after typing the web address and pressing "Enter". For example, when we enter www.google.com in a browser, the web page request is sent over the HTTP protocol, hence the URL of the web page becomes http://www.google.com. Hypertext Transfer Protocol Secure (HTTPS) is a combination of two different protocols. It is a more secure way to access the web. It is the combination of the Hypertext Transfer Protocol (HTTP) and the SSL/TLS protocol. The web page communication is done through the typical HTTP communication protocol a...