hacking e book
DESCRIPTION
This is the e-book which will provide you the basic knowledge of Hacking. Rest check out at http://mightyshouts.comTRANSCRIPT
Hey guys, Welcome to Mighty Shouts and let me formally introduce myself to you. I’m Utkarsh Wadhwa , and I manage and run Mighty Shouts. I’m a passionate guy, and love computing and internet.
I’m currenty pursuing B.tech IT from Galgotia's College of Engineering and
Technology, Greater Noida. I finished my schooling from Bareilly .
Computer and technology have been my passion since I was a child and after few blogs
and communities on technology .I started Mighty Shouts.
I am a computer junkie and loves spending time on the computer learning new
techniques.I am a passionate blogger.I am a strong supporter of Anonymous &
Wikileaks.I have designed complex networks .I am a Red hat certified Linux system
administrator (RHCSA),Red hat certified engineer(RHCE),Cisco certified network
associate(CCNA ),Red hat certified engineer(RHCE),Cisco certified network
associate(CCNA),CEH.
REFERENCES
• Information and resources from Internet were
extensively used for the creation of this presentation.
2
HTTP BASICS
• Client Server Model. • Client - Request resources from the Server. • Server - Provides the requested resources. • Request-response / Request-reply Model • Resources are identified by URI / URL
3
HTTP RESPONSE CODE
• For every request, server responds with a
response code . 4
HTTP RESPONSE CODE
• 1xx = Informational • 2xx = Success - e.g. 200 OK • 3xx = Redirection e.g. 302 Moved Temporarily • 4xx = Client Error e.g. 401 Unauthorized • 5xx = Server Error
5
HTTP RESPONSE CODE - DEMO
• Wireshark • Log • curl
6
VERSIONS
• HTTP 1.0 • HTTP 1.1
7
VERSIONS - DIFFERENCE
• HTTP 1.0
• Require one connection per resource
• Disconnect immediately. • HTTP 1.1
• Reuse connection for multiple URI 8
VERSIONS - OTHER DEVELOPMENTS
• HTTP/1.2 Extension Protocol (PEP) • PEP - The Protocol Extension Protocol
9
HTTP REQUEST METHODS
• According to Wikipedia:
• HTTP defines methods
• Indicate the desired action to be
performed on the identified resource.
• Methods are also referred to as verbs. 10
HTTP REQUEST METHODS
• Summary: it is an operation which you can
perform on a resource on the web server. 11
HTTP/1.0 METHODS
• GET, • POST and • HEAD methods
12
HTTP/1.1 – ADDITIONAL METHODS
• OPTIONS, • PUT, • DELETE, • TRACE and • CONNECT.
13
DEMO - HTTP/1.0 METHODS
• GET, • POST and • HEAD methods
14
HTTP METHOD TESTING
• Process of enumerating the HTTP options
available on a web server. • Cross Site Tracing (XST), a form of cross site
scripting using the server's HTTP TRACE method
INJECTION ATTACKS
• Frontend • Backend
16
FRONT-END
• Rendering Attacks
• HTML Injection • Code Execution
• JS Injection
• XSS
17
BACKEND
• Command Injection
• SQL Injection 18
HTML INJECTION
• User input not sanitized. • HTML Tags / Code Injected. • Page rendered based on the injected code.
19
SQL INJECTION
• It is the code injection technique used to attack the data driven applications in which malicious SQL statements are inserted into the entry field for execution .
• This will dump the database contents to
the attacker.
20
XSS
Cross Site Scripting is a type of computer security vulnerability typically found in Web applications.
XSS allow the attacker to inject client side script to the webpages.
21
OWASP
• Broken Authentication and Session
Management • Insecure Direct Object References • CSRF • Security Misconfiguration
22
OWASP
• Insecure Cryptographic Storage • Failing to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards
23
SUMMARY
24
REFERENCES
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes http://www8.org/w8-
papers/5c-protocols/key/key.html
http://stackoverflow.com/questions/246859/http-1-0-vs-1-1
http://devhub.fm/http-requestresponse-basics/
http://wiki.hashphp.org/HttpPrimer http://www.w3.org/TR/WD-http-pep-
960820.html http://www.infoq.com/news/2011/04/http-1.2-released
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods
http://www.fishnetsecurity.com/6labs/blog/jboss-jmx-console-authentication-bypass
http://jeremiahgrossman.blogspot.in/2008/06/what-you-need-to-know-about-http-verb.html
https://www.owasp.org/index.php/Testing_for_HTTP_Verb_Tampering_%28OWASP-DV-
003%29 http://photos1.blogger.com/blogger2/1912/1679/1600/vulnerability_stack.png
25
GOOD SECURITY PROFESSIONAL
A good security professional is someone who always looks both ways before crossing a one-way street.