TOP 10 WEB APPLICATION SECURITY HAZARDS { PART - 2 }
by Abhinav Sejpal
Null - Humla Session
WHO AM I
I'm a Next-Gen Exploratory Tester
Student of the Information Security field
Researcher & Reader in free time
Member of Null Open Security Community
Crowd Tester (AKA Bug Bounty Hunter)
Proficient at Functional, Usability, Accessibility & Compatibility Testing
Love to develop nasty code & hack it :)
Works as Quality Analyst at passbrains.com, AKA Bug Wrangler
DISCLAIMER
This presentation is intended for educational purposes only, and I cannot be held liable for any kind of damage done, whatsoever, to your machine, or any other damage. Don't try these attacks on any other system without context knowledge or permission; this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purposes.
^ I hope - You gotcha ^
AGENDA
No revision of Part - 1
Understand new attacks
Self-exploratory exercise
Learn + Hack
Q & A
FOR SOCIAL MEDIA
Twitter handles: @null0x00, @Abhinav_Sejpal
Hashtags for this session: #Nullhumla #nullblr
HUMLA
MEANS 'ATTACK' IN HINDI
OBJECTIVES FOR THIS SESSION
BUILD SECURITY AWARENESS FOR WEB APPLICATIONS
LEARN WAYS TO DISCOVER SECURITY VULNERABILITIES
LEARN THE BASICS OF SECURE WEB APPLICATIONS VIA OWASP TOP 10
LET'S BEGIN OUR JOURNEY OF
TOP 10 WEB APPLICATION SECURITY HAZARDS
* We won't talk about Injection & XSS *
Setup the Test Lab
Install XAMPP
Acronym for: X (to be read as "cross", meaning cross-platform), Apache HTTP Server, MySQL, PHP, Perl
TARGETED APPLICATION
Client side language: HTML & JavaScript
Server side language: PHP
DB: MySQL
Why PHP? - Any answer here?
Why MySQL? MySQL is the girlfriend of PHP <3
PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE PROGRAMMING LANGUAGE.
http://w3techs.com/technologies/overview/programming_language/all
PHP: 244M SITES, 2.1M IP ADDRESSES
2013 Server-side Programming Language of the Year
Don't underestimate the power of PHP: Facebook & Yahoo
http://w3techs.com/blog/entry/web_technologies_of_the_year_2013
PLAYGROUND: MUTILLIDAE
It's a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application.
V2.x developed by Jeremy Druin aka webpwnized.
ALL SET WITH MUTILLIDAE?
AM I VULNERABLE TO 'CSRF'?
OWASP A8 - CSRF
CROSS-SITE REQUEST FORGERY
CSRF ATTACK CYCLE
CSRF AKA XSRF
THE ATTACKER EXPLOITS THE TRUST A WEBSITE HAS IN A USER'S BROWSER.
Permission faking/stealing
Disruption of the normal sequence of the site
DEMO #1
Login ID - admin
Password - adminpass
HTTP GET Request
http://127.0.0.1/xampp/mutillidae/index.php?do=logout
: ANSWER DEMO 1 :
<html>
<title> CSRF Demo 1 </title>
<a href="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> Click me </a>
</html>
UNDERSTANDING
The logout page was a simple HTTP GET that required no confirmation.
Every user who visited that page would immediately be logged out - that's CSRF in action.
Yes, it's not dangerous, but annoying.
SO WHAT DO YOU THINK, IS IT ALL ABOUT THE CLICK?
Shh, No!!
Would you like to write a CSRF exploit without a click?
IMAGE TAG
<img style="display:none;" src="your Request">
The image tag does not require clicking the link, whereas the A tag requires a click on the link to trigger the HTTP request.
Can we try Demo 1 with the image tag?
CSRF GET Request with Image Tag
<html>
<title> CSRF Demo 1 </title>
<img src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout">
</html>
THE NATURE OF BROWSERS IS TO SEND HTTP REQUESTS FOR VISUAL OBJECTS SUCH AS PICTURES OR REMOTE FILES (CSS, JS, ETC.) WHILE LOADING THE PAGE, WITHOUT THE USER'S PERMISSION.
Iframe tag
<iframe src="your Request"></iframe>
JavaScript code
<script> var X = new Image(); X.src = "URL"; </script>
Can we try Demo 1 with Iframe & JS?
HTTP REQUEST
<iframe src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"></iframe>
<script> var X = new Image(); X.src = "http://127.0.0.1/xampp/mutillidae/index.php?do=logout"; </script>
:: SOLUTION #1 ::
<html>
<title> CSRF Demo 1 </title>
<a href="http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote"> Click me </a>
</html>
CHALLENGE #2
{ POST HTTP Request }
: Solution Available :
http://127.0.0.1/xampp/CSRF Attack/Add New Blog Entry -CSRF POST.html
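The server-side fix for everything in the CSRF demos above (the GET-triggered logout and the poll form that accepts an empty csrf-token), written as an added example rather than Mutillidae's own code: a per-session synchronizer token that must be present, non-empty and compared in constant time, an Origin/Referer check, and state changes over POST only. It assumes PHP 7+ with sessions enabled; the form field names mirror the user-poll request shown in Solution #1.

```php
<?php
// Added example, not Mutillidae's code: synchronizer-token CSRF protection for
// a state-changing PHP form (the poll/blog-entry style pages used in the demos).
declare(strict_types=1);

session_start();

// One random token per session, created on first use. Rotate it when the
// user logs in or out so a leaked token does not outlive the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A token is valid only if it is present, non-empty and equal (constant time)
// to the session copy. The empty "csrf-token=" that Solution #1 relies on
// fails the non-empty check before any comparison happens.
function csrf_token_valid($submitted, string $expected): bool
{
    if (!is_string($submitted) || $submitted === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Defence in depth: the Origin (or, failing that, Referer) header must name
// our own host. A page on another site cannot set these headers itself.
function same_origin(array $server): bool
{
    $origin  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $ourHost = $server['SERVER_NAME'] ?? '';
    return $origin !== '' && $ourHost !== ''
        && parse_url($origin, PHP_URL_HOST) === $ourHost;
}

// State changes are accepted over POST only, so a GET such as ?do=logout
// (Demo 1, fired from <a>, <img>, <iframe> or new Image()) changes nothing.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!csrf_token_valid($_POST['csrf-token'] ?? null, $expected)
        || !same_origin($_SERVER)) {
        http_response_code(403);
        exit('Request rejected: CSRF check failed');
    }
    // ... record the vote / blog entry / logout here ...
    exit('Vote recorded');
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="index.php?page=user-poll.php">
  <input type="hidden" name="csrf-token" value="<?= $token ?>">
  <label>Tool: <input type="text" name="choice" value="nmap"></label>
  <label>Initials: <input type="text" name="initials" maxlength="3"></label>
  <button type="submit" name="user-poll-php-submit-button">Submit Vote</button>
</form>
```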
IS IT EASY TO CREATE A CSRF HTTP REQUEST?
No - you should try out the CSRF Finder Firefox add-on
* One Click POC *
* Hybrid automation *
Thank you - Piyush Pattanayak
CSRF FINDER DEMO
LIVE CHALLENGE
* SIGNUP DISABLED * PLEASE USE THE USERNAME TEST AND THE PASSWORD TEST
CSRF & XSRF: Update the user info without their knowledge
http://testphp.vulnweb.com/userinfo.php
Copyright © 2014, Acunetix Ltd
You've been CSRF'd with static token!
Can we exploit this with Level #2 ?
POPULAR COOL FINDINGS
Facebook CSRF worth USD 5000, by Amol
Google Groups profile CSRF
Google Account display pic deletion
Facebook Account deactivation
Advanced learnings - CSRF Token Validation Fail
http://haiderm.com/csrf-token-protection-bypass-methods/
Am I Vulnerable To 'Broken Authentication & Session Management'?
A2 - OWASP TOP 10
LET'S BYPASS MUTILLIDAE
Can we do it?
Part - 1 learning with SQL Injection
APPLY BRUTE FORCE ATTACK
/xampp/mutillidae/index.php?page=login.php
Account lock policy & Captcha missing :P
INSECURE SESSION-ID
Cookie flag: HttpOnly
The Secure flag would be complementary
XSS SESSION HIJACKING
PHPSESSID=0ebmp37g8v8stqsjpf1ln40c20
JSESSIONID, ASP Session.SessionID
Let's try out the Part 1 learning and exploit the session
So, let's learn about the web app DB structure
Passwords are stored in plain text.
Oh really -- :(
OWASP #A6
Password is protected when stored using an encryption algorithm. Are you sure?
http://www.md5online.org/
YOU MAY ALSO TRY OUT A HASH, BUT A PASSWORD SALT IS THE RECOMMENDED SOLUTION SO FAR.
PASSWORD POLICY SHOULD BE APPLIED NICELY AND SHOULD NOT BE WEAK. -- * --
SECURITY & BUSINESS LOGIC SHOULD BE APPLIED FOR CHANGING PASSWORDS.
CHANGE PASSWORD DOESN'T ASK FOR THE CURRENT PASSWORD - LOL
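The A2/A6 points above (session cookie flags, md5-crackable passwords, a change-password page that never asks for the current one) in one hardened PHP login flow, as an added example that is not Mutillidae's code. It assumes PHP 7.3+ and a PDO connection; the "accounts" table and its columns are illustrative.

```php
<?php
// Added example, not Mutillidae's code: session-cookie flags plus salted
// password storage and a change-password flow that proves the current password.
declare(strict_types=1);

// Session cookie flags. HttpOnly keeps PHPSESSID out of document.cookie, so an
// XSS payload cannot read it (the session-hijacking slide); Secure stops it
// travelling over plain HTTP; SameSite=Lax blocks most cross-site POSTs.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// password_hash() draws a fresh random salt per password and stores it inside
// the result, so identical passwords produce different hashes and md5online-
// style lookup tables do not apply. Never store MD5/SHA of the bare password.
function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function fetch_hash(PDO $db, string $user): ?string
{
    $stmt = $db->prepare('SELECT password FROM accounts WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

function login(PDO $db, string $user, string $pass): bool
{
    $hash = fetch_hash($db, $user);
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;            // unknown user and wrong password look the same
    }
    session_regenerate_id(true); // fresh id after auth: defeats session fixation
    $_SESSION['user'] = $user;
    return true;
}

// A minimal policy check; a production policy would also reject breached or
// dictionary passwords.
function password_policy_ok(string $new): bool
{
    return strlen($new) >= 12;
}

// Changing the password requires the current one, so a hijacked session or a
// CSRF'd form alone cannot lock the real user out.
function change_password(PDO $db, string $user, string $current, string $new): bool
{
    $hash = fetch_hash($db, $user);
    if ($hash === null || !password_verify($current, $hash) || !password_policy_ok($new)) {
        return false;
    }
    $upd = $db->prepare('UPDATE accounts SET password = ? WHERE username = ?');
    return $upd->execute([hash_password($new), $user]);
}
```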
Robots.txt
All sensitive data exposed
TAKE AWAY
AVOIDING INSECURE DIRECT OBJECT REFERENCES
OWASP #A4
URL PATTERNS
Demo #1
Tamper the ID parameter
http://127.0.0.1/xampp/sqli/secondorder_changepass.php
ENUMERATION USING PARAMETER (LIVE)
https://profile.utest.com/67797
https://profile.utest.com/200 -- N
https://99tests.com/testers/3298
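The A4 mitigation for the ID tampering and profile-number enumeration shown above, as an added example and not code from the slides or from Mutillidae: a per-session indirect reference replaces the guessable id in the URL, and an owner check in the query enforces access regardless. It assumes PHP 7.4+ and PDO; the "notes" table and its columns are illustrative.

```php
<?php
// Added example, not Mutillidae's code: indirect object references plus an
// ownership check, so ids cannot be walked (200, 201, ...) or swapped.
declare(strict_types=1);

session_start();

// Map a real database id to a random handle that only means something inside
// this session. Links are built from the handle, never from the raw id.
function indirect_ref(int $realId): string
{
    $_SESSION['ref_map'] ??= [];
    $handle = array_search($realId, $_SESSION['ref_map'], true);
    if ($handle === false) {
        // 'n' prefix keeps PHP from turning an all-digit key into an integer.
        $handle = 'n' . bin2hex(random_bytes(8));
        $_SESSION['ref_map'][$handle] = $realId;
    }
    return $handle;
}

// Resolve a handle back to the real id. A tampered or guessed handle is simply
// unknown and yields null; there is no sequence to enumerate.
function resolve_ref(string $handle): ?int
{
    return $_SESSION['ref_map'][$handle] ?? null;
}

// Indirection hides ids; the owner_id predicate in the query is what stops a
// user who somehow obtains another user's handle. Both belong together.
function load_own_note(PDO $db, string $handle, int $currentUserId): ?array
{
    $id = resolve_ref($handle);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, owner_id, body FROM notes WHERE id = ? AND owner_id = ?'
    );
    $stmt->execute([$id, $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handler for note.php?ref=<handle>; the handle came from indirect_ref()
// when the listing page was rendered. Unknown and not-yours get the same 404.
function serve_note(PDO $db): void
{
    $ref = $_GET['ref'] ?? '';
    $uid = $_SESSION['user_id'] ?? null;
    $note = (is_string($ref) && $uid !== null)
        ? load_own_note($db, $ref, (int) $uid)
        : null;
    if ($note === null) {
        http_response_code(404);
        exit('Not found');
    }
    echo htmlspecialchars($note['body'], ENT_QUOTES, 'UTF-8');
}
```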
Secret PHP Server Configuration Page
http://127.0.0.1/xampp/mutillidae/index.php?page=phpinfo.php
MISSING FUNCTION LEVEL ACCESS CONTROL
OWASP #A7
CONCEPT
LIVE
HTTP://STEPINFORUM.ORG/MAILERS2014/
http://demo.testfire.net/pr/
OWASP #A9
USING KNOWN VULNERABLE COMPONENTS
Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
COOL WORDPRESS PROJECTS
Code Vigilant
Latest buzzing known vulnerabilities
#Heartbleed
# BashBug
Can you verify that your website's SSL cert isn't vulnerable to the Heartbleed attack?
Google - SSL Heartbleed fix verification script
https://lastpass.com/heartbleed/
HISTORY ATTACK !!!
A6 – Sensitive Data Exposure
![Page 81: Owasp top 10 web application security hazards part 2](https://reader034.vdocuments.site/reader034/viewer/2022042716/55c37925bb61eb274d8b4581/html5/thumbnails/81.jpg)
![Page 82: Owasp top 10 web application security hazards part 2](https://reader034.vdocuments.site/reader034/viewer/2022042716/55c37925bb61eb274d8b4581/html5/thumbnails/82.jpg)
![Page 83: Owasp top 10 web application security hazards part 2](https://reader034.vdocuments.site/reader034/viewer/2022042716/55c37925bb61eb274d8b4581/html5/thumbnails/83.jpg)
![Page 84: Owasp top 10 web application security hazards part 2](https://reader034.vdocuments.site/reader034/viewer/2022042716/55c37925bb61eb274d8b4581/html5/thumbnails/84.jpg)
![Page 85: Owasp top 10 web application security hazards part 2](https://reader034.vdocuments.site/reader034/viewer/2022042716/55c37925bb61eb274d8b4581/html5/thumbnails/85.jpg)
SECURITY MISCONFIGURATION
OWASP - #A5
CLICK JACKING
Code: <iframe src="http://www.testingcircus.com"></iframe>
Live Demo: http://goo.gl/6gEq2I
Click jacking testing tool: http://goo.gl/27VgQb
IF YOU ARE PLANNING TO HOST YOUR OWN SERVER
this talk matters for you
"SECURING A LINUX WEB SERVER IN 10 STEPS"
BY AKASH MAHAJAN
https://www.youtube.com/watch?v=ort9qxzu3h0
ELMAH.AXD ERROR LOGS GOOGLE SEARCH
https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
Vulnerable Redirection
http://127.0.0.1/xampp/mutillidae/index.php?page=redirectandlog.php&forwardurl=http://www.owasp.org
I don't think so, I need to explain to you what you can do here :D
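How a redirect-and-log page like the one above should treat its forwardurl parameter, as an added example that is not Mutillidae's code: the destination is parsed and checked against an allow-list of hosts, with the usual bypass shapes (protocol-relative, backslash, userinfo, non-http schemes) refused. It assumes PHP 7+; the host list is illustrative.

```php
<?php
// Added example, not Mutillidae's code: allow-list validation of an open
// redirect target before the Location header is sent.
declare(strict_types=1);

const ALLOWED_REDIRECT_HOSTS = ['www.owasp.org', 'owasp.org'];

// Returns the URL if it may be redirected to, or null if it must be refused.
function safe_redirect_target(string $url, array $allowedHosts): ?string
{
    // Browsers treat "\" as "/", so "/\evil.example" would become
    // protocol-relative; refuse backslashes outright.
    if (strpos($url, '\\') !== false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;                                   // malformed
    }
    if (!isset($parts['host'])) {
        // No host: accept only a site-local path starting with a single "/".
        // "//evil.example" parses with a host and never reaches this branch;
        // "javascript:..." carries a scheme and is refused here.
        $path  = $parts['path'] ?? '';
        $local = !isset($parts['scheme']) && preg_match('#^/(?!/)#', $path) === 1;
        return $local ? $url : null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                                   // data:, ftp:, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;         // http://www.owasp.org@evil.example lookalikes
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true) ? $url : null;
}

$raw    = $_GET['forwardurl'] ?? '';
$target = is_string($raw) ? safe_redirect_target($raw, ALLOWED_REDIRECT_HOSTS) : null;
if ($target === null) {
    http_response_code(400);
    exit('Refusing to redirect to an unlisted destination');
}
// Log the click as the original page does, then redirect.
error_log('redirect to ' . $target);
header('Location: ' . $target, true, 302);
exit;
```

With this in place, forwardurl=http://www.owasp.org still works while forwardurl=//attacker.example, forwardurl=javascript:alert(1) and forwardurl=http://www.owasp.org@attacker.example all return 400.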
Would like to do more practice ? Here is your Playground
Copyright © 2014, IBM Corporation
http://demo.testfire.net/
WE NEED YOU!
Attend Null meet-ups & give presentations. Share your ideas & learnings. Talk to our community champions & gain from their learnings. Your feedback helps us to build a good community. Looking forward to your ongoing support.
HTTP://NULL.CO.IN/
Say 'Hello' @null0x00
CREDITS
- Twitter Folks -
@TroyHunt, @yog3sharma, @Lavakumark, @HaiderMQ
#Nullblr Leads & Champions
Big thank you to @null0x00, @ru94mb & you all.
INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU SHOULD BE FOLLOWING ON TWITTER
Thank you, http://garage4hackers.com/ community
THANK YOU!
KEEP THE SECURITY ANTE UP.
https://slides.com/abhinavsejpal/top-10-web-application-security-hazards--2
LICENSE AND COPYRIGHTS
Copyright 2013-2014 Abhinav Sejpal
-----
( CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy