Chapter 1 Cyber
Steps In Reconnaissance:
1. Explore the Web App: Go through the web application like a regular user,
noting down all the actions you take.
2. Look at the Web Traffic: Pay attention to the requests your actions generate.
This helps you understand how the app works behind the scenes.
3. Find Different Pages: Try to find all the pages the app has, including ones that
might not be directly linked.
4. Check Data Entry Points: See where you can input information, like search
boxes or forms, and try putting different things to see how the app reacts.
5. Check Login and Logout: Understand how logging in and out works, and if
there are any flaws in the process.
6. Look for Errors: See what happens when things go wrong, like entering the
wrong password or URL. Sometimes error messages can reveal important clues.
7. Check for Security Measures: Look at how the app handles security, like
protecting against attacks or keeping your information safe.
8. Figure Out What Technology is Used: See what tools and technologies are
behind the app, as this can give you clues about potential weaknesses.
9. Test Access Controls: Make sure the app only lets you see and do things you're
supposed to, and not things you shouldn't.
10. Check for Third-party Services: Look for any outside services the app uses and
make sure they're secure too.
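The ten steps above are mostly done by reading pages and responses. As an added example (not from the original notes), the following Python script runs the parts of that procedure that can be automated over a single page: it lists in-scope pages including paths only mentioned in comments (step 3), forms and their input names (step 4), third-party references (step 10), technology banners from headers (step 8), and missing hardening flags on the session cookie (steps 5 and 7). The host `app.example`, the HTML and the headers are constructed sample data, not captured from any real server.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample response standing in for a live application (hypothetical host).
BASE_URL = "https://app.example/"
SAMPLE_HEADERS = {  # constructed headers, not captured from a real server
    "Server": "nginx/1.24.0",
    "X-Powered-By": "PHP/8.2.7",
    "Set-Cookie": "session=abc123; Path=/",
}
SAMPLE_HTML = """
<html><body>
<a href="/account">Account</a>
<a href="/admin/reports">Reports</a>
<a href="https://cdn.example/widget.js">Widget</a>
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<!-- legacy endpoint: /api/v1/export -->
</body></html>
"""

TECH_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
PATH_IN_COMMENT = re.compile(r"(/[\w./-]+)")


class SurfaceMapper(HTMLParser):
    """Collects pages, entry points and third-party references from one HTML page."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.pages = set()        # step 3: in-scope pages
        self.forms = []           # step 4: data entry points
        self.third_party = set()  # step 10: outside services
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urljoin(self.base, a["href"])
            (self.pages if url.startswith(self.base) else self.third_party).add(url)
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action", "")),
                          "method": a.get("method", "get").lower(), "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_comment(self, data):
        # Comments often mention paths that are not linked anywhere (step 3).
        for path in PATH_IN_COMMENT.findall(data):
            self.pages.add(urljoin(self.base, path))


def map_surface(base, html, headers):
    """Returns a dict summarising what one page reveals about the application."""
    mapper = SurfaceMapper(base)
    mapper.feed(html)
    # Step 8: technology fingerprint from banner headers (a hint, not proof of the version).
    tech = {h: headers[h] for h in TECH_HEADERS if h in headers}
    # Steps 5 and 7: hardening flags the session cookie should carry but does not.
    cookie = headers.get("Set-Cookie", "").lower()
    missing = [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in cookie]
    return {
        "pages": sorted(mapper.pages),
        "forms": mapper.forms,
        "third_party": sorted(mapper.third_party),
        "technology": tech,
        "cookie_flags_missing": missing,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(map_surface(BASE_URL, SAMPLE_HTML, SAMPLE_HEADERS), indent=2))
```

On the sample page the mapper reports three in-scope paths (one of them, `/api/v1/export`, only from a comment), two forms with their field names, one CDN reference, the `nginx` and `PHP` banners, and that the session cookie lacks `Secure`, `HttpOnly` and `SameSite`. Each of these items is a lead to verify by hand, which is what the numbered steps describe.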
Process in XSS:
XSS attacks are executed by injecting <script> tags into a page. The injected
script runs in the victim's browser with the same privileges as the site's own
code, so it can control what the user sees and does on that website.
2. Reflected XSS:
Reflected XSS attacks, also known as non-persistent attacks, occur when a
malicious script is reflected off a web application into the victim's browser.
The script is activated through a link that sends a request to a vulnerable
website; the site echoes the malicious script from the current HTTP request
back into the page, where the browser executes it.
Prevention of XSS:
1. We should filter tags such as <script> out of user input before it is reflected, in order to prevent XSS.
2. We can use a Web Application Firewall to filter the script tag.
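As an added example (not from the original notes), the Python functions below show a search page that reflects the `q` parameter in the two ways the text contrasts: once unchanged, and once with HTML output encoding via the standard library's `html.escape`. Encoding is the control that holds in every HTML text and attribute context, because the browser then treats the whole parameter as text; a filter that removes the literal `<script>` tag, as in prevention step 1, is included for comparison but only covers that one tag, so it should be treated as a secondary measure. The query string and function names are constructed for the example.

```python
import html
import re

# Constructed sample parameter, as it might arrive in the URL of a search page.
SAMPLE_QUERY = '<script>alert("xss")</script>'


def render_results_vulnerable(query: str) -> str:
    """Reflects the parameter straight into the page: the browser runs any markup in it."""
    return f"<p>Results for: {query}</p>"


def render_results_safe(query: str) -> str:
    """Encodes the parameter for the HTML text context so the browser shows it as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attribute_safe(query: str) -> str:
    """Same rule inside an attribute: encode (including quotes) and always quote the attribute."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


# The tag filter from prevention step 1: removes opening and closing <script> tags only.
SCRIPT_TAG = re.compile(r"(?is)<\s*/?\s*script\b[^>]*>")


def strip_script_tags(query: str) -> str:
    """Blacklist filter: weaker than encoding because it knows about one tag only."""
    return SCRIPT_TAG.sub("", query)


def payload_survives(rendered: str, payload: str) -> bool:
    """Defender's check: does the raw payload appear unchanged in the rendered document?"""
    return payload in rendered


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_results_vulnerable),
                     ("encoded", render_results_safe)):
        out = fn(SAMPLE_QUERY)
        print(f"{name:10} survives={payload_survives(out, SAMPLE_QUERY)}  {out}")
    print("filtered  ", strip_script_tags(SAMPLE_QUERY))
```

The encoded output reads `&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;`, which the browser renders as visible text and never executes; the same encoding inside a quoted attribute keeps the parameter from closing the attribute. The filtered version still contains `alert("xss")`, harmless as plain text here, which illustrates why the filter is a complement to encoding rather than a replacement.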
Process in CSRF:
When the user clicks on the link, the browser sends the session token previously
issued by the bank along with the request. The attacker's request is therefore
executed inside the user's session, and the attacker now has control over the
user's account.
What are the things that can be done by CSRF related to banking:
1. Fund transfer
2. Adding a new beneficiary
3. Blocking or locking the user out of the site
4. Changing site preferences
A CSRF attack can also be based upon the IP address rather than the cookie.
Examples:
1. Post an anonymous comment that appears to come from the victim's IP
2. Perform a distributed password-guessing attack without a botnet
3. Modify the settings of devices such as a wireless router or cable modem
4. Modify an intranet wiki page
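The bank scenario above works because the browser attaches the session cookie (or the request arrives from the user's IP) automatically, so the server cannot tell the user's click from the attacker's link. The standard fix is a per-session secret that only the bank's own pages carry. As an added example (not from the original notes), the Python below implements that synchronizer-token check for a transfer endpoint, with an `Origin` check as a second layer, and shows a constructed forged request being rejected while the legitimate one succeeds. The session store, account balances, `bank.example` and `evil.example` are all constructed for the example.

```python
import hmac
import secrets

# In-memory stores standing in for the bank's session and account storage (constructed).
SESSIONS = {"sess-42": {"user": "alice", "csrf_token": None}}
ACCOUNTS = {"alice": 1000, "bob": 0}
SITE_ORIGIN = "https://bank.example"  # hypothetical bank origin


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: one unpredictable secret per session, embedded in the bank's own forms."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def handle_transfer(request: dict) -> tuple:
    """request has 'cookies', 'headers' and 'form' dicts. Returns (status, message)."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "no valid session"
    # Check 1: the token could only have been read from a page on our own origin,
    # which an attacker's site cannot do, whether the ambient credential is a cookie or an IP.
    expected = session["csrf_token"] or ""
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "csrf token missing or wrong"
    # Check 2 (defence in depth): browsers set Origin on cross-site form posts.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403, "cross-site origin"
    user = session["user"]
    amount = int(request["form"]["amount"])
    to = request["form"]["to"]
    if amount <= 0 or ACCOUNTS[user] < amount or to not in ACCOUNTS:
        return 400, "invalid transfer"
    ACCOUNTS[user] -= amount
    ACCOUNTS[to] += amount
    return 200, f"transferred {amount} to {to}"


def forged_request() -> dict:
    """Constructed: what the link on an attacker's page produces. The browser attaches
    the cookie by itself, but the attacker's page never saw the token."""
    return {"cookies": {"session": "sess-42"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"to": "bob", "amount": "500"}}


def legitimate_request(token: str) -> dict:
    """Constructed: the bank's own transfer form, which carries the token."""
    return {"cookies": {"session": "sess-42"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"to": "bob", "amount": "500", "csrf_token": token}}


if __name__ == "__main__":
    token = issue_csrf_token("sess-42")
    print("forged:    ", handle_transfer(forged_request()), ACCOUNTS)
    print("legitimate:", handle_transfer(legitimate_request(token)), ACCOUNTS)
```

`hmac.compare_digest` keeps the comparison constant-time, and the `Origin`/`Referer` check catches the cross-site case even if a token leaks; in a real deployment the cookie would additionally carry `SameSite=Lax` or `Strict` so the browser does not attach it to cross-site requests in the first place.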
XXE: XML External Entity
XML data comes in a particular format, which is generally a set of key-value pairs, for example:
<person><firstname>Chandan</firstname><lastname>RAWAT</lastname></person>
So when the data comes in, the XML parser will read and interpret it.
XML Entities:
Entities are variables in XML that are used for the purpose of storage,
or we can say they are a way of representing an item of data within XML.
2. External Entities:
<!DOCTYPE foo [
<!ENTITY myentity SYSTEM "https://google.com">
]>
Because the parser fetches the URL named by such an entity, XML external entities
can be targeted to make the server issue requests on the attacker's behalf, i.e. a
Server-Side Request Forgery attack carried out through XXE.
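The defence for the parser side is to refuse DTDs (and so entity declarations) before the document reaches the XML library. As an added example (not from the original notes), the Python below takes the first-name/last-name record from the text in two constructed forms, the plain record and the same record carrying the DOCTYPE declaration above, and shows a guard that rejects the second before `xml.etree.ElementTree` parses it. The `person` element names, the `UnsafeXML` exception and the helper names are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed documents: the plain record the application expects, and the same
# record carrying a DOCTYPE that declares an external entity (the XXE shape above).
PLAIN_RECORD = b"""<?xml version="1.0"?>
<person><firstname>Chandan</firstname><lastname>RAWAT</lastname></person>"""

XXE_RECORD = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY myentity SYSTEM "https://google.com"> ]>
<person><firstname>&myentity;</firstname><lastname>RAWAT</lastname></person>"""

# Any DTD is refused: a record like this one never legitimately needs entity declarations.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD and is therefore not parsed at all."""


def parse_person(data: bytes) -> dict:
    """Rejects documents with a DTD before the parser sees them, then reads the fields."""
    if DOCTYPE_RE.search(data):
        raise UnsafeXML("DTD / entity declarations are not accepted")
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper for checks and tests: True when the guard refused the document."""
    try:
        parse_person(data)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print("plain:", parse_person(PLAIN_RECORD))
    print("xxe rejected:", is_rejected(XXE_RECORD))
```

The check runs on the raw bytes, so it is independent of which parser is used afterwards and also catches the parameter-entity and expansion variants, since all of them require a DOCTYPE. The `defusedxml` package applies equivalent checks as drop-in replacements for the standard-library parsers; in other languages the same effect comes from disabling DTD processing in the parser's configuration.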