Hackazon realistic e-commerce Hack platform

ssuserdec930 1,702 views 18 slides Sep 30, 2019

Slide Content

Hackazon

Hackazon is a free, vulnerable test site: an online storefront built with the same technologies used in today's rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful APIs used by a companion mobile app, providing a uniquely effective training and testing ground for IT security professionals. And it's full of your favorite vulnerabilities, like SQL injection, cross-site scripting and so on.

Links

Internet: http://hackazon.webscantest.com
Info: http://cybersecology.com/hackazon-review/
      https://github.com/rapid7/hackazon
Installation: https://appspider.help.rapid7.com/docs/hackazon-installation-guide
Testing: https://github.com/rapid7/hackazon/blob/master/VULNERABILITIES.md
         https://appspider.help.rapid7.com/docs/conducting-a-basic-test-manually-against-hackazon
         https://blog.securityevaluators.com/hacking-hackazon-2bda9830ccf0

Tools

Burp Suite, OWASP ZAP, Nexpose

Registration verification via email

Don't Save passwords to browser

To prevent the browser from saving passwords (and usernames), you need to:
- copy username and password to hidden form fields before submitting the login form
- clear the visible username and password fields
- set autocomplete=off for good measure

This makes the browser attempt to save empty credentials, or not save at all. A login form might look like this:

<form action='/login' class='login-form' autocomplete='off'>
  Email: <input type='email' name='email-entry'>
  <input type='hidden' name='email'>
  Password: <input type='password' name='password-entry'>
  <input type='hidden' name='password'>
</form>
<script>
  $('.login-form').on('submit', function() {
    $('[name="email"]').val($('[name="email-entry"]').val());
    $('[name="email-entry"]').val('');
    $('[name="password"]').val($('[name="password-entry"]').val());
    $('[name="password-entry"]').val('');
  });
</script>

https://makandracards.com/makandra/34245-how-to-disable-auto-complete-on-login-forms

Captcha on registration

Integrate Google reCAPTCHA in your website. To integrate it you need to put it in the client side as well as the server side. In the client HTML page you need to include this line before the tag:

<script src="https://www.google.com/recaptcha/api.js?render=put your site key here"></script>

Google reCAPTCHA v3 is invisible: you won't see a captcha form of any sort on your web page. You need to capture the Google captcha response in your JavaScript code. Here is a small snippet:

<script src="https://www.google.com/recaptcha/api.js?render=put your site key here"></script>
<script>
  grecaptcha.ready(function() {
    grecaptcha.execute('put your site key here', { action: 'homepage' }).then(function(token) {
      // pass the token to the backend script for verification
    });
  });
</script>

https://codeforgeek.com/google-recaptcha-v3-tutorial/
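The snippet above stops at "pass the token to the backend for verification". The server side is the half that actually protects registration, and it is where most integrations go wrong: accepting any `success: true` without checking that the token was issued for this action, this hostname and with an acceptable score. The following is an added example, not code from the slides or from Hackazon. The `siteverify` endpoint and the `success`, `score`, `action`, `hostname` and `error-codes` fields are Google's documented v3 response format; the replies below are constructed so the check can be exercised offline through the injectable `post` argument.

```python
import json
import urllib.parse
import urllib.request

# Google's server-side verification endpoint for reCAPTCHA tokens
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields):
    """Default transport: POST a form body and decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(token, secret, expected_action, expected_host,
                     min_score=0.5, post=post_form):
    """Validate a reCAPTCHA v3 token on the server. Returns (accepted, reason).

    `post` is injectable so the logic can be tested without network access;
    production code leaves the default transport in place.
    """
    if not token:
        return False, "missing token"
    result = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    if not result.get("success"):
        return False, "siteverify rejected token: " + ",".join(result.get("error-codes", []))
    # A genuine token minted for a different action (e.g. 'homepage') or a
    # different site must not unlock the registration form
    if result.get("action") != expected_action:
        return False, "action mismatch"
    if result.get("hostname") != expected_host:
        return False, "hostname mismatch"
    if float(result.get("score", 0.0)) < min_score:
        return False, "score below threshold"
    return True, "ok"


# Constructed siteverify replies for offline use (hostname is a placeholder)
GOOD_REPLY = {"success": True, "score": 0.9, "action": "register", "hostname": "shop.example"}
BOT_REPLY = {"success": True, "score": 0.1, "action": "register", "hostname": "shop.example"}
WRONG_ACTION_REPLY = {"success": True, "score": 0.9, "action": "homepage", "hostname": "shop.example"}
BAD_REPLY = {"success": False, "error-codes": ["timeout-or-duplicate"]}


def fake_post(reply):
    """Build a transport that returns a fixed reply instead of calling Google."""
    return lambda url, fields: reply
```

Keep the site secret out of the page: only the site key goes to the browser, the secret stays with `verify_recaptcha` on the server.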

Session Fixation

Update the session after:
- Registration
- Authorization
- Password change
- Logout
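The fix behind that list is a single operation: on each of those events, move the session data to a freshly generated identifier and invalidate the old one, so an identifier an attacker planted in the victim's browser beforehand never becomes an authenticated session. The following is an added example, not Hackazon's session code; the in-memory `SessionStore` stands in for whatever server-side store the application uses.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for the example)."""

    def __init__(self):
        self._sessions = {}          # session id -> session data

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, sid):
        """Re-key the session: same data, new identifier, old identifier dead.

        Called on registration, login, password change and logout. If the
        presented id is unknown (or attacker-chosen and never issued), start
        from an empty session rather than trusting it.
        """
        data = self._sessions.pop(sid, None)
        if data is None:
            data = {"user_id": None}
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid, user_id):
        # Rotate first, then mark the *new* session as authenticated
        new_sid = self.rotate(sid)
        self._sessions[new_sid]["user_id"] = user_id
        return new_sid

    def change_password(self, sid):
        # Other sessions for the user should be revoked too; here we re-key the current one
        return self.rotate(sid)

    def logout(self, sid):
        # Drop the authenticated session entirely and hand back an anonymous one
        self._sessions.pop(sid, None)
        return self.create()
```

The server must also send the new identifier to the browser (a fresh `Set-Cookie`) each time `rotate` runs; the browser's old cookie is worthless after that point.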

User Enumeration

Prevent any information about user existence from leaking.

Password guessing

Use Burp Intruder to guess passwords for previously enumerated users.
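The two slides above are one chain: enumeration tells the attacker which accounts exist, and guessing works because nothing slows repeated attempts against them. On the defender's side both break in the login handler. The example below is added here and is not Hackazon's code; the user table is constructed and the PBKDF2 work factor is illustrative. It returns the same message and performs the same hashing work whether the account is unknown, the password is wrong or the account is locked, and it counts failures per account.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000                           # PBKDF2 work factor (illustrative value)
GENERIC_ERROR = "Invalid email or password."   # one message for every failure path
MAX_FAILURES = 5                               # lock further attempts after this many


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Salt used to burn the same CPU time when the account does not exist,
# so response time does not reveal existence either
_DUMMY_SALT = os.urandom(16)


class LoginService:
    def __init__(self, users):
        # users: constructed {email: plaintext} table, stored salted and hashed
        self._users = {}
        for email, password in users.items():
            salt = os.urandom(16)
            self._users[email] = {"salt": salt, "digest": derive(password, salt), "failures": 0}

    def login(self, email, password):
        """Return (success, message); the message never distinguishes the failure cause."""
        record = self._users.get(email)
        if record is None:
            derive(password, _DUMMY_SALT)       # unknown account: same work, same message
            return False, GENERIC_ERROR
        if record["failures"] >= MAX_FAILURES:
            derive(password, record["salt"])    # locked account: indistinguishable from a wrong password
            return False, GENERIC_ERROR
        if hmac.compare_digest(derive(password, record["salt"]), record["digest"]):
            record["failures"] = 0
            return True, "ok"
        record["failures"] += 1
        return False, GENERIC_ERROR
```

Registration and password-reset flows need the same uniform wording ("if an account exists, we have sent an email"), otherwise the enumeration simply moves to those endpoints. A real deployment expires the lock after a window and alerts on the failure counter rather than locking forever.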

SQL Injections

$name = $_POST['name']; // $_POST['name'] == "a'='a' OR 1=1 #"
$query = "SELECT name, password FROM user WHERE name = '" . $name . "' AND role = 'user'";

Blind injection identified by the Sleep command.

Prevention:
- Prepared Statements (with Parameterized Queries)
- Use of Stored Procedures
- Whitelist Input Validation
- Escaping All User Supplied Input
- Enforcing Least Privilege
- Performing Whitelist Input Validation

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md

Unsafe:

String query = "SELECT account_balance FROM user_data WHERE user_name = " + request.getParameter("customerName");
try {
    Statement statement = connection.createStatement( ... );
    ResultSet results = statement.executeQuery( query );
}
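The slide's payload does more than dodge the password check: because it closes the string and ends the statement with a comment, the trailing `AND role = 'user'` is discarded and the query returns every row, admin included. The example below is added here (not Hackazon's PHP, not the OWASP Java) and reproduces that effect against a constructed SQLite table, then shows the parameterized form from the prevention list. SQLite comments with `--` rather than MySQL's `#`, so the constructed payload swaps only that marker.

```python
import sqlite3


def build_demo_db():
    """Constructed user table with one regular user and one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", [
        ("alice", "alice-hash", "user"),
        ("admin", "admin-hash", "admin"),
    ])
    return conn


def find_user_unsafe(conn, name):
    # Mirrors the slide: the untrusted value is concatenated into the SQL text,
    # so it can rewrite the statement's structure
    query = "SELECT name, password FROM user WHERE name = '" + name + "' AND role = 'user'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Prepared statement: the value is bound as data and only ever compared
    # against the name column, whatever characters it contains
    query = "SELECT name, password FROM user WHERE name = ? AND role = 'user'"
    return conn.execute(query, (name,)).fetchall()


# The slide's "a'='a' OR 1=1 #" with the comment marker adapted to SQLite
PAYLOAD = "a'='a' OR 1=1 --"
```

With `PAYLOAD`, the unsafe query becomes `... WHERE name = 'a'='a' OR 1=1 --' AND role = 'user'`: the `OR 1=1` is true for every row and the role filter is commented out. The safe version treats the whole string as a name nobody has. Least privilege still matters alongside this: the database account that serves the storefront should not be able to read `password` hashes for admins at all.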

Remote File Include

RFI abuses application logic that includes a file chosen from user input. In our app it's implemented in the Help Articles section:
http://hackazon.webscantest.com/account/help_articles?page=/etc/passwd%00
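The `%00` at the end of that URL is a null byte, intended to cut whatever suffix the application appends (such as `.html`) off the path. The defence is not to sanitise the path but to never build one from the parameter: map the value onto an allowlist of article names and reject everything else, with a directory check as a second layer. This is an added example, not Hackazon's help_articles code; `HELP_ROOT` and `ALLOWED_PAGES` are constructed values.

```python
from pathlib import Path
from urllib.parse import parse_qs

HELP_ROOT = Path("/var/www/hackazon/help")            # constructed article directory
ALLOWED_PAGES = {"shipping", "returns", "privacy"}      # the only names `page` may take


class InvalidPage(ValueError):
    pass


def resolve_help_article(page):
    """Map the `page` parameter to a file under HELP_ROOT, or raise InvalidPage."""
    # Control characters never belong in a page name; the %00 in the slide's
    # URL decodes to a null byte meant to truncate the real file name
    if any(ord(ch) < 0x20 for ch in page):
        raise InvalidPage("control character in page name")
    # Allowlist first: anything not on the list (including ../ sequences and
    # absolute paths) is rejected without touching the filesystem
    if page not in ALLOWED_PAGES:
        raise InvalidPage("unknown help page")
    candidate = (HELP_ROOT / f"{page}.html").resolve()
    # Defence in depth: the resolved file must still sit directly under HELP_ROOT
    if candidate.parent != HELP_ROOT.resolve():
        raise InvalidPage("path escapes help directory")
    return candidate


def lookup_from_query(query_string):
    """Handle the raw query string as the web framework would hand it over.

    Returns (ok, path_or_reason) so callers can log the reason and show a
    generic 404 to the user.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    page = params.get("page", [""])[0]
    try:
        return True, str(resolve_help_article(page))
    except InvalidPage as exc:
        return False, str(exc)
```

Rejected requests are worth logging with the decoded value: a `page` parameter containing `\x00` or `../` on a production storefront is a reliable scanning indicator.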

XSS

Implement test cases based on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
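A cheat-sheet-driven test suite needs an oracle: something that decides, for each vector, whether what the application rendered can still execute. String-matching on `<script` misses most of the sheet, so the added example below parses the rendered HTML and reports active content (script-like elements, `on*` handlers, `javascript:` URLs), then runs the same corpus through an unescaped and an escaped renderer. This is not Hackazon's code; the corpus is constructed from the payload shown on the File Input slide and is meant to be extended with the cheat sheet's vectors.

```python
import html
from html.parser import HTMLParser


class ActiveContentFinder(HTMLParser):
    """Oracle for XSS test cases: records anything in rendered HTML that could execute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def active_content(rendered):
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


def render_unsafe(comment):
    # What a template does when it trusts user input
    return "<p>" + comment + "</p>"


def render_safe(comment):
    # Output encoding appropriate for an HTML text node; attribute and
    # JavaScript contexts need their own encoders
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# Constructed corpus: the payload from the File Input slide. Append cheat-sheet vectors here.
TEST_CASES = ["<script>alert(document.cookie);</script>"]


def run_cases(renderer):
    """Return the payloads that survive the renderer as active content."""
    return [payload for payload in TEST_CASES if active_content(renderer(payload))]
```

Run `run_cases` against every template that echoes user data, not just the comment field; a payload is only "handled" when the list comes back empty for all of them.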

File Input (XXE, XSS Persistent)

http://hackazon.webscantest.com/user_pictures/e8/PersistFileXSS.html

<html>
<script>
  alert(document.cookie);
</script>
</html>

Potential XXE: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
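Both findings come from the same root cause: the upload handler stores whatever it is given under the user-pictures path and the XML importer honours whatever the document declares. The added example below (not Hackazon's upload code) accepts a "picture" only when its extension is an allowed image type and the first bytes agree with that type, and refuses any uploaded XML that carries a DTD, which is where the slide's `<!ENTITY xxe SYSTEM ...>` lives. The sample files are constructed.

```python
import os
import re
from xml.etree import ElementTree as ET

# Magic bytes of the image formats a profile picture may be; extension and content must agree
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_KIND = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff_image_kind(data):
    for kind, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return kind
    return None


def validate_picture_upload(filename, data):
    """Return (accepted, reason). The extension decides what the bytes must look like."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXTENSION_KIND.get(ext)
    if expected is None:
        return False, "extension not allowed"          # .html never reaches the store
    actual = sniff_image_kind(data)
    if actual is None:
        return False, "content is not an image"         # HTML renamed to .png is caught here
    if actual != expected:
        return False, "extension does not match content"
    return True, actual


DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_xml_no_dtd(data):
    """Parse user-supplied XML only if it declares no DTD.

    External entities can only be declared inside a DTD, so refusing the
    DOCTYPE outright removes the XXE surface before any parser runs.
    """
    if DOCTYPE_RE.search(data):
        raise ValueError("DTD not allowed in uploaded XML")
    return ET.fromstring(data)


# Constructed samples
PNG_SAMPLE = IMAGE_MAGIC["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
HTML_SAMPLE = b"<html><script>alert(document.cookie);</script></html>"
XXE_SAMPLE = (b'<?xml version="1.0" encoding="ISO-8859-1"?>'
              b'<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
              b'<foo>&xxe;</foo>')
PLAIN_XML = b"<foo>hello</foo>"
```

Validation alone does not finish the job for stored files: serve uploads with `X-Content-Type-Options: nosniff` and a `Content-Type` derived from the sniffed kind, ideally from a separate origin, so that even a file that slipped through cannot run in the storefront's cookie scope.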

CSRF

Write wrappers (that would auto-add tokens when used) around default form tags/AJAX calls and educate your developers to use those wrappers instead of standard tags. Though this approach is better than depending purely on developers to add tokens, it is still vulnerable to the human tendency to forget things. Spring Security uses this technique to add CSRF tokens by default when a custom <form:form> tag is used; you can opt to use it after verifying that it is enabled and properly configured in the Spring Security version you are using.

Write a hook (that would capture the traffic and add tokens to CSRF-vulnerable resources before rendering to customers) in your organizational web rendering frameworks. Because it is hard to analyze when a particular response is doing any state change (and thus needing a token), you might want to include tokens in all CSRF-vulnerable resources (e.g. include tokens in all POST responses). This is one recommended approach, but you need to consider the performance costs it might incur.

Get the tokens automatically added on the client side when the page is being rendered in the user's browser, with the help of a client-side script (this approach is used by CSRF Guard). You need to consider any possible JavaScript hijacking attacks.

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md
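The first approach (a form wrapper that always embeds the token) is small enough to show end to end, together with the server-side check it pairs with. The added example below is not Hackazon's or Spring Security's code: it derives the token from the session identifier with an HMAC so a token lifted from one session is useless in another, emits it from a `form_tag` helper that developers call instead of writing `<form>` by hand, and verifies it in constant time. `SECRET_KEY` is a constructed per-process value.

```python
import hashlib
import hmac
import html
import secrets

# Constructed per-process signing key; a deployment keeps this with its other secrets
SECRET_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Derive the token from the session id: it is only valid for that session."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def form_tag(action, session_id, method="post"):
    """Wrapper around <form>: every state-changing form rendered through here
    carries its token, so nobody has to remember to add one."""
    token = csrf_token_for(session_id)
    return (f'<form action="{html.escape(action, quote=True)}" method="{method}">'
            f'<input type="hidden" name="csrf_token" value="{token}">')


def verify_csrf(session_id, submitted_token):
    """Server-side check for every POST; constant-time compare against the session's token."""
    expected = csrf_token_for(session_id)
    return hmac.compare_digest(expected, submitted_token or "")


def extract_token(form_html):
    """Pull the hidden field back out of a rendered form (used by the test below)."""
    marker = 'name="csrf_token" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:start + 64]      # hex SHA-256 digest is 64 characters
```

The same `csrf_token_for` value can be exposed to the page's JavaScript (for example in a meta tag) so the AJAX wrapper the slide mentions can send it in a request header; `verify_csrf` does not care which channel carried it.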

Open Redirect

Link to authorization: hackazon.webscantest.com/user/login?return_url=https://hack.me
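The login page trusts `return_url` as given, so a link that looks like it leads to the store's own login can bounce the user anywhere after they authenticate. The fix is to validate the destination before redirecting: accept relative paths on this site, or absolute URLs only to the application's own host, and fall back to a default landing page otherwise. This is an added example, not Hackazon's login handler; `DEFAULT_AFTER_LOGIN` is constructed and `OWN_HOSTS` uses the hostname from the slide.

```python
from urllib.parse import urlsplit

DEFAULT_AFTER_LOGIN = "/account"
# Hosts the application is served from; absolute return URLs must point here
OWN_HOSTS = {"hackazon.webscantest.com"}


def safe_return_url(return_url):
    """Return `return_url` if it stays on this site, otherwise the default landing page."""
    if not return_url:
        return DEFAULT_AFTER_LOGIN
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:
        # Absolute URL, or scheme-relative `//host`: accept only our own host over http(s).
        # This also rejects `javascript:` and other non-navigational schemes.
        if parts.scheme not in ("http", "https") or parts.netloc.lower() not in OWN_HOSTS:
            return DEFAULT_AFTER_LOGIN
        return return_url
    # Relative URL: must be a single-slash path. Browsers treat `/\host` like `//host`,
    # so that spelling is refused as well.
    if not return_url.startswith("/") or return_url.startswith(("//", "/\\")):
        return DEFAULT_AFTER_LOGIN
    return return_url
```

Keeping the allowlist to the application's own hosts is deliberate; a list of "trusted partner" domains grows over time and each entry is another place a redirect can land.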

IDOR (Insecure Direct Object Reference)

Parameters to look at: "id", "user_id", "value", "pid", "post_id"

https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/
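Those parameter names are a symptom: a request carries a database key and the handler fetches the row without asking whether it belongs to the caller. The added example below (not Hackazon's order code) shows the direct lookup beside two layered defences: an ownership check on every access, and per-user indirect references so real ids never appear in URLs and a reference seen in one user's session resolves to nothing in another's. The order table is constructed.

```python
import secrets

# Constructed order table: order id -> record with its owner
ORDERS = {
    101: {"owner": 1, "total": "19.99"},
    102: {"owner": 2, "total": "250.00"},
}


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so responses do not reveal which ids exist."""


def get_order_direct(order_id):
    # The pattern behind the slide: the id comes straight from the request and is trusted
    return ORDERS[order_id]


class OrderAccess:
    """Per-user view of the order table."""

    def __init__(self, user_id):
        self.user_id = user_id
        self._ref_to_id = {}        # opaque reference -> real order id, scoped to this user

    def list_orders(self):
        """Return the caller's orders keyed by fresh opaque references."""
        refs = {}
        for order_id, order in ORDERS.items():
            if order["owner"] == self.user_id:
                ref = secrets.token_urlsafe(8)
                self._ref_to_id[ref] = order_id
                refs[ref] = order
        return refs

    def get_order(self, ref):
        """Resolve an opaque reference, then re-check ownership before returning the row."""
        order_id = self._ref_to_id.get(ref)
        order = ORDERS.get(order_id)
        if order is None or order["owner"] != self.user_id:
            raise NotFound()
        return order
```

The ownership check is the part that must never be skipped; the indirect map is an extra layer that also stops guessing of sequential ids. In a SQL-backed service the same rule is expressed by always including `WHERE owner = :current_user` in the query rather than filtering after the fetch.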

Web Hacking 101

https://darkweblinks.org/files/hacking/scribd-download.com_web-hacking-101.pdf