Chapter 1 Cyber


Reconnaissance:

Reconnaissance is the way to gain information about a web application without necessarily trying to hack it.
This process of gaining information is Exploit.
Reconnaissance is done by:
1. Pen Testers
2. Hackers
3. Bug Bounty Hunters
4. Security Engineers: they do it with good intention
There is a race between security engineers, pen testers, bug bounty hunters and hackers to find defects in code.
Security engineers find the defect in code and release a patch for it.
Therefore pen testers, bug bounty hunters and hackers are offensive in a generic way, while security engineers are defensive.

Steps In Reconnaissance:

1. Explore the Web App: Go through the web application like a regular user,
noting down all the actions you take.
2. Look at the Web Traffic: Pay attention to the requests your actions generate.
This helps you understand how the app works behind the scenes.
3. Find Different Pages: Try to find all the pages the app has, including ones that
might not be directly linked.
4. Check Data Entry Points: See where you can input information, like search
boxes or forms, and try putting different things to see how the app reacts.
5. Check Login and Logout: Understand how logging in and out works, and if
there are any flaws in the process.
6. Look for Errors: See what happens when things go wrong, like entering the
wrong password or URL. Sometimes error messages can reveal important clues.
7. Check for Security Measures: Look at how the app handles security, like
protecting against attacks or keeping your information safe.
8. Figure Out What Technology is Used: See what tools and technologies are
behind the app, as this can give you clues about potential weaknesses.
9. Test Access Controls: Make sure the app only lets you see and do things you're
supposed to, and not things you shouldn't.
10. Check for Third-party Services: Look for any outside services the app uses and
make sure they're secure too.
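Steps 7 and 8 above can be checked from a single captured response. The following is an added example, not part of these notes: it parses a constructed HTTP response, lists the headers that disclose the technology stack, and reports which common defensive headers are missing.

```python
import re

# Constructed sample response for the example; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

# Headers that reveal the technology stack (recon step 8).
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Defensive headers a hardened application is expected to send (recon step 7).
EXPECTED_SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: value}).
    Repeated header names keep the last value; enough for this audit."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def audit_response(raw):
    """Return what the response discloses and which defences it lacks."""
    status_line, headers = parse_headers(raw)
    technology = {h: headers[h] for h in TECH_HEADERS if h in headers}
    missing = [h for h in EXPECTED_SECURITY_HEADERS if h not in headers]
    return {
        "status": status_line,
        "technology": technology,
        "missing_security_headers": missing,
    }
```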

Cross Site Scripting

Cross site scripting means giving commands to the brains of the website, i.e. we insert malicious code into the JavaScript of the website.
It is generally done on a site which has a search option or a button.
It can also be done on a website where we are using a user ID and password.
The malicious code is inserted into a search box or textbox. The sites most prone to XSS are social sites, banks and email.

Process in XSS:

1. Type the text in a search box, POST-method button, etc. on a website.
2. The HTTP request goes to the server.
3. Either the request is stored in the database of the server (Stored XSS), or the request is executed straight away (Reflected XSS).

XSS attacks are executed using <script> tags. This tag is used to control the whole website.

Different Types Of XSS:

1. Stored XSS:
In this the malicious code is stored in the database, and each time the code is executed we send a request.

2. Reflected XSS:
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts, where the malicious script comes from the current HTTP request.

3. Document Based XSS:
This type of XSS is a combination of Stored and Reflected XSS, where the vulnerability exists in client-side code rather than server-side code.

What Can We Do With XSS?

1. Alteration of HTML documents
2. Deletion of HTML documents
3. Open or create another HTML document
4. Pull a website down
5. Cookie stealing

Prevention of XSS:
1. We should filter tags like <script> in order to prevent XSS
2. We can use a Web Application Firewall for filtering the script tag
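Added example, not from the original notes: the reflected and stored flows above, first with the search term written raw into the page and then with HTML encoding at the point of output, which neutralizes any tag rather than only <script>. The in-memory comment store and the page fragments are constructed for the example.

```python
import html

# Constructed in-memory comment store, standing in for the database in the
# stored-XSS flow described above.
COMMENTS = []


def save_comment(text):
    """Store the comment exactly as received; encoding happens at render time."""
    COMMENTS.append(text)


def render_search_results(query):
    """Vulnerable: reflects the search term straight into the HTML (reflected XSS)."""
    return "<p>Results for: " + query + "</p>"


def render_search_results_safe(query):
    """Fixed: HTML-encode the term so the browser treats it as text, not markup."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def render_comments_safe():
    """Fixed stored-XSS path: encode each stored comment on the way out,
    so what was saved raw in the 'database' is never interpreted as a tag."""
    items = "".join("<li>%s</li>" % html.escape(c, quote=True) for c in COMMENTS)
    return "<ul>" + items + "</ul>"


def render_input_value_safe(value):
    """Attribute context: quote=True also encodes the double quote that would
    otherwise close the value attribute early."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)
```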

COOKIE STEALING Through XSS:

When an application is prone to Cross Site Scripting, the attacker tries to steal the user's session cookie through the use of XSS. They try to hijack the user account.
If the user is an admin user then the attacker exploits all admin functions and data; thus the entire application is compromised.
This can be prevented by setting the HttpOnly flag on the session cookie at the server side.

Cross Site Request Forgery (CSRF):
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a web application against which they are currently authenticated.
CSRF attacks exploit the trust a web application has in an authenticated user.
Social engineering platforms are often used by attackers to launch a CSRF attack. This tricks the victim into clicking a URL that contains a maliciously crafted, unauthorized request for a particular web application.
The user's browser then sends this maliciously crafted request to the targeted web application. The request also includes any credentials related to the particular website (e.g., user session cookies). If the user is in an active session with the targeted web application, the application treats this new request as an authorized request submitted by the user.

Process in CSRF:
When the user clicks on the link, it sends the session token previously issued by the bank along with it. Therefore the hacker's request is executed and now he has control over the user's account.

What are the Things That Can Be Done by CSRF related to Banking:
1. Fund transfer
2. Adding a new beneficiary
3. Blocking or locking the user out of the site
4. Changing site preferences

CSRF attacks can also be done based upon IP address rather than cookies.
Examples:
1. Post an anonymous comment that appears to come from the victim's IP
2. Perform a distributed password guessing attack without a botnet
3. Modify the settings of devices such as a wireless router or cable modem
4. Modify an intranet wiki page
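Added example, not from the original notes, covering both the HttpOnly flag from the cookie-stealing section and the CSRF link trick described above: a session cookie issued with HttpOnly, Secure and SameSite, and a fund-transfer handler that accepts the request only when the per-session CSRF token and the Origin header match. The session store, the origin https://bank.example and the request dictionary shape are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the banking app


def create_session(user):
    """Issue a session and a per-session CSRF token; return (Set-Cookie value, token)."""
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": csrf}
    # HttpOnly: script cannot read the cookie, so XSS cannot exfiltrate it.
    # Secure: only sent over HTTPS.  SameSite=Strict: the browser does not
    # attach it to requests started from another site, which defeats the link trick.
    header = "session=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % sid
    return header, csrf


def handle_transfer(request):
    """Server-side checks for the fund-transfer action.

    `request` is a constructed dict with keys cookies, headers and form."""
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return (401, "no valid session")
    # Reject requests the browser labels as coming from another origin.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return (403, "cross-site origin")
    # A forged request cannot know the token bound to the victim's session;
    # compare in constant time.
    submitted = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return (403, "missing or wrong CSRF token")
    amount = request["form"]["amount"]
    return (200, "transferred %s for %s" % (amount, session["user"]))
```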
XXE: XML External Entity

XML stands for eXtensible Markup Language.

In this we have many predefined and user-defined tags.

The major application of XML is data storage and exchange.

XML is also used in web services.

XML data comes in a particular format, which is generally a key-value pair, for example:
<FirstName>Chandan</FirstName>
<LastName>RAWAT</LastName>

To interpret this data our application needs to have an XML processor, known as an XML parser.

So therefore when data comes in, the XML parser will read and interpret it.

An XML document can contain only one root element.

Tag names are case sensitive.

Opening and closing tags need to be the same.
XML Type Definition

An XML type definition is used to specify what type of document it is:

1. XSD: XML Schema Definition

Its purpose is to validate the structure of another XML document.

2. DTD: Document Type Definition

It tells about the document type definition. It tells you about the entities, attributes and data types present in the document.

XML Entities:

Entities are variables in XML that are used for the purpose of storage, or we can say they are a way of representing an item of data within XML.

Entities are defined in the Document Type Definition (DTD) part of XML.

1. Custom entities (same as above):
<!DOCTYPE foo [
<!ENTITY myEntity "myEntityValue">
]>

2. External entities:
<!DOCTYPE foo [
<!ENTITY myEntity SYSTEM "https://google.com">
]>

Therefore these XML external entities can be targeted through a Server-Side Request Forgery attack via XXE.

Such attacks are known as a Blind XXE vulnerability or a Blind SSRF attack.
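Added example, not from the original notes: a parser wrapper that classifies the DOCTYPE of an incoming document and refuses the external entity form above before the XML parser ever sees it, while DTDs in general stay off unless explicitly allowed. The three documents are constructed from the key-value and entity examples above; SYSTEM is the standard keyword for an external entity.

```python
import re
import xml.etree.ElementTree as ET

# Constructed documents mirroring the examples in the notes.
PLAIN_DOC = "<person><FirstName>Chandan</FirstName><LastName>RAWAT</LastName></person>"
INTERNAL_ENTITY_DOC = (
    '<!DOCTYPE foo [ <!ENTITY myEntity "myEntityValue"> ]>'
    "<foo>&myEntity;</foo>"
)
EXTERNAL_ENTITY_DOC = (
    '<!DOCTYPE foo [ <!ENTITY myEntity SYSTEM "https://google.com"> ]>'
    "<foo>&myEntity;</foo>"
)

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Matches general and parameter entity declarations that point outside the
# document (SYSTEM or PUBLIC identifier); these are what XXE/SSRF needs.
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_doctype(text):
    """Return 'none', 'internal' (only inline values) or 'external' (SYSTEM/PUBLIC)."""
    if EXTERNAL_ENTITY_RE.search(text):
        return "external"
    if DOCTYPE_RE.search(text):
        return "internal"
    return "none"


def parse_xml_safely(text, allow_internal_entities=False):
    """Refuse external entities outright; any DTD is refused unless allowed.

    Returns the root element, or raises ValueError for a rejected document."""
    kind = classify_doctype(text)
    if kind == "external":
        raise ValueError("external entity declaration rejected (XXE/SSRF risk)")
    if kind == "internal" and not allow_internal_entities:
        raise ValueError("DOCTYPE rejected: DTD processing is disabled")
    return ET.fromstring(text)
```

Rejecting the document on the raw text avoids depending on each parser's default entity handling, which differs between libraries.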
