Whenever I interview a candidate with a security background, there is one question I always ask:
What happens when we type https://example.com?
Most security people can answer this question, and from the answer I get a sense of how deep the candidate's knowledge of this domain is.
Let's go through the concept briefly.
Websites are secured by the HTTPS protocol, but most of us do not have a clear idea of how it really works. Here is a high-level overview of how HTTPS works.
Suppose we are trying to access https://abc.com. After we type the URL in the browser's address bar and press enter, the SSL/TLS handshake happens first.
When we type a domain and press enter:
The domain name is resolved to an IP address by the DNS server and the request reaches the server we want to communicate with.
The server immediately responds to the initial connection by offering the list of encryption methods (cipher suites) the web server supports.
The client selects a connection method. Then the client and server exchange certificates to authenticate their identities; for this, the server first sends its public certificate to the browser.
After receiving that public certificate the browser performs several checks.
First it validates the signature on the certificate. It takes the value of the Issued By field and searches the Trusted Root Certification Authorities certificate store for the public key of that authority. If it finds that authority's certificate, it uses it to validate the signature of the certificate received from abc.com. Popular certificate providers are VeriSign, GoDaddy, etc.
Next it tries to match the value of the Issued To field with the domain name (here abc.com).
Next it checks the validity period of the certificate to see whether it has expired.
After that it consults the certificate authority's revocation list on the web to check whether the certificate has been blacklisted (revoked).
If everything goes fine, the browser generates a random key, encrypts it with the public key received from the server and sends the encrypted value to the server (abc.com). Because it is encrypted with abc.com's public key, no one except abc.com can decrypt it. When the server (abc.com) gets this encrypted key it uses its private key to decrypt it. Then both the server (abc.com) and the browser use that random key sent by the browser to encrypt, decrypt, sign and verify all data sent or received between them during that session. Thus, using symmetric encryption, data remains secure in HTTPS communication.
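The certificate checks listed above (trusted issuer, Issued To matching the domain, validity period) can be written out as a small function over the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. This is an added example, not code from the post: the certificate dictionary, the issuer name and the `TRUSTED_ISSUERS` set are constructed for illustration, the issuer check by name is a stand-in for the signature check the browser really does, and revocation (CRL/OCSP) is deliberately left out. The last function shows the context a real client should use, where the library performs the chain and hostname verification itself.

```python
import ssl
import time

# Constructed sample certificate in the dict layout that
# ssl.SSLSocket.getpeercert() returns (all values are made up for this example).
SAMPLE_CERT = {
    "subject": ((("commonName", "abc.com"),),),
    "issuer": ((("organizationName", "Example Root CA Ltd"),),
               (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "abc.com"), ("DNS", "*.abc.com")),
    "notBefore": "Mar 12 00:00:00 2024 GMT",
    "notAfter": "Mar 12 00:00:00 2025 GMT",
}

# Stand-in for the browser's trusted-root store: issuer names we accept (assumed).
TRUSTED_ISSUERS = {"Example Root CA"}


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact (case-insensitive), or a wildcard that
    replaces exactly the leftmost label, so *.abc.com matches www.abc.com
    but not abc.com or a.b.abc.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, falling back to
    the subject commonName only when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_certificate(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return a list of problems; an empty list means the certificate passed.
    Covers the issuer, Issued To and validity checks from the text; the
    signature itself and CRL/OCSP revocation are not checked here."""
    now = time.time() if now is None else now
    problems = []
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    if issuer.get("commonName") not in trusted_issuers:
        problems.append("issuer not in trusted store")
    if not any(_name_matches(name, hostname) for name in cert_dns_names(cert)):
        problems.append("hostname mismatch")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    elif now > not_after:
        problems.append("expired")
    return problems


def check_at(cert, hostname, when, **kwargs):
    """Same check, with `when` given in the certificate's own time format."""
    return check_certificate(cert, hostname, now=ssl.cert_time_to_seconds(when), **kwargs)


def verifying_client_context():
    """The context a real client should use: the library verifies the chain
    signature against the system trust store and checks the hostname."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


if __name__ == "__main__":
    print(check_at(SAMPLE_CERT, "abc.com", "Jun  1 12:00:00 2024 GMT"))
    print(check_at(SAMPLE_CERT, "evil.example", "Jun  1 12:00:00 2024 GMT"))
```

Note the wildcard rule: `*.abc.com` covers one label only, which is why `a.b.abc.com` is reported as a mismatch even though the certificate is otherwise fine.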
This video is for all those students who want to get a job in the cyber security field but don't know where to start, so I have tried to explain the whole concept in a simple manner. If you don't know what to study and what things are required to learn, you are at the right destination. Cyber security is a booming career in India and has lots of opportunities. So here at davidertutorials you will get all the relevant material related to cyber security and IT.
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.
Let's say we visit the signup page of a website, enter an email and password and click on signup. But before clicking signup, I capture the request in Burp Suite. Once I have captured the request, I change the email to some long string: if the email is "davinder@gmail.com", I change it to "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@gmail.com" or something even longer.
If I am able to proceed further without any restriction or bound, then this vulnerability exists.
Another example of code
Steps to resolve:
Restrict size limit on input parameter.
Impact
Category: Availability: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Access control (instruction processing): Buffer overflows can often be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.
Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
Portswigger.net will give you a detailed video for Burp setup. But to hunt bugs on Android, below are some important steps to unpin apps for testing. To do so you need to install the apps below:
1. Download Genymotion - this is your Android emulator
2. Download SuperSU v2.46 or later
3. Download the Xposed Installer APK
4. Download the Xposed SDK
5. Download SSL Unpinning
First root your Android phone.
Then download the Xposed APK on that phone.
Then install the Xposed SDK (note: the SDK version must be the same as your phone's APK version).
Then SSL Unpinning.
After all the steps, restart the Android phone.
After restarting the phone, open the SSL Unpinning app, select the app you want to test and click on unpin.
After that, capture the requests in Burp and have fun.
This is when we are able to sign up on a web application using a very long password (100000 characters), which may lead to the website becoming unavailable or unresponsive.
When you supply a long password, what generally happens is that the application runs a password hashing algorithm on it, so the server gets busy doing that and the website becomes unavailable or unresponsive. When a long password is sent, the password hashing process results in CPU and memory exhaustion.
Prevention
Normally all sites enforce a minimum and maximum password length, such as a 72- or 48-character limit, to prevent this denial of service attack.
The password hashing implementation must be fixed to limit the maximum length of accepted passwords.
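The fix for both the over-long signup field above and the long-password denial of service is the same: bound the size of every input parameter before any expensive work touches it. Here is an added example of that, not code from the post, in the shape of a signup handler: the limits (254 characters for the email, 72 bytes for the password, the figure the text quotes), the PBKDF2 iteration count and the response codes are assumed values, and the validator runs before the hash is computed so the hashing cost can never be driven by attacker-chosen length.

```python
import hashlib
import hmac
import os
import unicodedata

# Limits applied before any expensive work is done on the input (assumed values).
# 254 is the practical maximum length of an e-mail address; 72 bytes is the
# password bound the text mentions (it is also bcrypt's input limit).
MAX_EMAIL_LENGTH = 254
MAX_PASSWORD_BYTES = 72
MIN_PASSWORD_LENGTH = 8
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter


def _password_bytes(password):
    # Normalise so visually identical passwords hash identically, then
    # measure the length in bytes, which is what the hash function sees.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def validate_signup(email, password):
    """Return a list of validation errors; an empty list means the input is
    within bounds and may be passed on to the hashing step."""
    errors = []
    if len(email) > MAX_EMAIL_LENGTH:
        errors.append("email_too_long")
    elif email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
        errors.append("email_invalid")
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("password_too_short")
    elif len(_password_bytes(password)) > MAX_PASSWORD_BYTES:
        errors.append("password_too_long")
    return errors


def hash_password(password):
    """PBKDF2-HMAC-SHA256 with a random salt; only ever called on a password
    that passed validate_signup, so the cost is bounded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Check a password against a stored hash, applying the same length bound
    first so that the login form cannot be used for the same attack."""
    if len(_password_bytes(password)) > MAX_PASSWORD_BYTES:
        return False
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _password_bytes(password),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def register(email, password):
    """Signup handler: reject out-of-bounds input with 400 before hashing."""
    errors = validate_signup(email, password)
    if errors:
        return 400, {"errors": errors}
    return 201, {"email": email, "password_hash": hash_password(password)}


if __name__ == "__main__":
    print(register("davinder@gmail.com", "correct horse battery"))
    print(register("davinder@gmail.com", "a" * 100000))
```

The length check in `verify_password` matters as much as the one in `register`: the login page hashes user-supplied input too, so a limit enforced only at signup leaves the same exhaustion path open.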
Rate limiting checks whether a user's session has to be limited, based on the information in the session cache. If a user makes too many requests within a given time, the HTTP server has to respond with status code 429 Too Many Requests.
Description:
I have identified that when forgetting the password for an account, the request has no rate limit, which can then be used to loop through one request. This can be annoying to the root users, sending mass password mails to one email.
Steps to reproduce the issue
Go to the Forgot Password page.
Enter the mail address where you want to receive the link.
Capture that request in Burp.
Send it to Intruder and set the parameter at "Accept-Language: en-US,en;q=0.5".
Now go to Payloads and select numbers from 1 to 100.
Click on Start attack.
If you receive 100 mails from this, then this is a bug which has to be reported.
Solution
I will recommend adding a reCAPTCHA or some sort of thing which requires manual human interaction to proceed, like a captcha such as 2+2=___, so that it cannot be brute forced. You can also have a limit at the backend, for example a user can request the Forgot Password email or link up to 5 times a day. Something like that will prevent someone from exploiting this vulnerability.
Impact
If you are using any email service software, API or tool which charges you for your email, this type of attack can result in financial loss. It can also slow down your services and take up bulk storage in Sent Mail. Also, if users are affected by this vulnerability they can stop using your services, which can lead to business risk.
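The backend limit the solution recommends, together with the 429 response described earlier, can be implemented with a sliding-window counter per email address and per client IP. The following is an added example, not code from the report: the limiter class, the handler and the figures (5 mails per address per day, which the text suggests, and 20 requests per IP per hour, which is an assumption) are constructed here, and the mailer is replaced by a list that records what would have been sent.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside any `window`-second span.
    Timestamps of recent events are kept per key; older ones are dropped."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def check(self, key, now):
        """Record the event if allowed. Returns (allowed, retry_after_seconds)."""
        events = self._events[key]
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            retry_after = int(self.window - (now - events[0])) + 1
            return False, retry_after
        events.append(now)
        return True, 0


def make_forgot_password_handler(per_email=5, email_window=24 * 3600,
                                 per_ip=20, ip_window=3600):
    """Build a Forgot Password handler with its own limiters. The defaults
    (5 mails per address per day, 20 requests per client IP per hour) are
    assumed values; the 5-per-day figure is the one the text suggests."""
    email_limiter = SlidingWindowLimiter(per_email, email_window)
    ip_limiter = SlidingWindowLimiter(per_ip, ip_window)
    sent = []  # stands in for the mailer; records every mail that went out

    def handler(email, client_ip, now=None):
        """Returns (HTTP status, headers) the way a web framework view would."""
        now = time.time() if now is None else now
        allowed, retry_after = ip_limiter.check(client_ip, now)
        if not allowed:
            return 429, {"Retry-After": str(retry_after)}
        # Normalise the address so case variations do not get a fresh quota.
        allowed, retry_after = email_limiter.check(email.strip().lower(), now)
        if not allowed:
            return 429, {"Retry-After": str(retry_after)}
        sent.append(email)
        return 200, {}

    handler.sent = sent
    return handler


if __name__ == "__main__":
    handler = make_forgot_password_handler()
    for i in range(7):
        print(handler("victim@example.com", "198.51.100.7", now=1000 + i))
```

Two keys are used on purpose: the per-address limit stops one victim receiving a flood from many sources, while the per-IP limit stops one source spraying many addresses. In a multi-process deployment the deques would live in a shared store such as Redis rather than in process memory.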
A redirect means allowing a website to forward the request for a resource to another URL/endpoint. Let's assume that you make a request to davindertutorials.com, and davindertutorials.com can redirect you to another website (new-davindertutorials.com), so you'll end up at new-davindertutorials.com even though the original request was made for davindertutorials.com. This is called "redirection". There are different types of redirects in HTTP; they are listed below.
Now let's understand this vulnerability:
Open redirect is basically what the name says: openly allowing redirects to any website.
URL redirection vulnerabilities are found when a user is redirected to some other URL, mainly the attacker's URL, in an unsafe way.
An attacker can construct a URL within the application that causes a redirection to an external domain. This behavior is well known for its use in phishing attacks against users of the application.
Redirection Status Code - 3xx
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other
304 Not Modified
305 Use Proxy
307 Temporary Redirect
308 Permanent Redirect
The redirection can happen on the server side or the client side.
Server-side: the request to redirect is sent to the server, then the server tells the browser, via the response, to redirect to the specified URL.
Client-side: the browser is told to redirect to the specified URL directly, without the intervention of the server.
Why is this an issue?
Think about it for a moment: what if davindertutorials.com, a TRUSTED website, allows you to redirect to any other website? Then a malicious user can simply redirect davindertutorials.com to attacker.com, and people fall for it all the time, believing that it's trusted, but in fact it's not. So allowing redirects to any website without a stop in the middle or a proper notification for the user is bad.
Explanation
Let's say there's a "well known" website, https://example.com/. And let's assume that there's a link like
This link is to a signup page; once you sign up, you get redirected to https://example.com/login, which is specified in the HTTP GET parameter redirectUrl.
What happens if we change example.com/login to attacker.com?
If, on visiting this URL, we get redirected to attacker.com after the signup, this means we have an open redirect vulnerability. This is a classic open redirect vulnerability.
Why does this happen?
This happens due to insufficient redirection checks in the back end, which means the server is not properly checking whether the redirect URL is in its whitelist.
Here are some examples of vulnerable code
PHP (Server-Side)
Here, the PHP code blindly grabs the URL from the redirect_url parameter and redirects to that URL using the Location HTTP header.
Java (Server-Side)
Here, a JSP page takes the URL from the parameter u and blindly redirects to the specified URL.
JavaScript (Client-Side)
We can assign the URL string to location.href on the window object. This will cause a redirect. If there are no checks in place, then it's a bug.
HTML (Client-Side)
HTML meta tags can refresh the site with the given URL as their content, and you can also specify the refresh delay time.
How to find them?
Visit every endpoint of the target to find these "redirect" parameters.
View your proxy history; you might find something. Make sure to use filters.
Brute forcing helps too.
You might uncover many endpoints by reading JavaScript code.
Google is your friend; example query: inurl:redirectUrl=http site:target.com
Understand and analyze where redirection is needed in the target application, like redirecting to the dashboard after login.
Some tricks to find these bugs
Test for basic modification of the URL, like target.com/?redirect_url=https://attacker.com.
Try with double forward slashes: target.com//attacker.com.
Try target.com/@attacker.com. In this case the interpretation will be that target.com is the username and attacker.com is the domain.
Test for the javascript protocol: javascript:confirm(1).
Try target.com/?image_url=attacker.com/.jpg if there's an image resource being loaded.
Try an IP address instead of the domain name.
You can go further by representing the IP in decimal, hex or octal.
You can also try target.com/?redirect_url=target.com.attacker.com to bypass weak regex implementations.
The Chinese separator 。 as the dot: https://attacker%E3%80%82com.
Test for the string-reverser unicode character ("\u202e"): target.com@%E2%80%AE@attacker.com.
No slashes: https:attacker.com.
Backslashes: http:/\/\attacker.com or https:/\attacker.com.
A different domain suffix: redirect_url=.jp resulting in redirection to target.com.jp, which is not the same as target.com.
Try some unicode (including emoji) madness: t𝐀rget.com or 𝐀ttacker.com ('𝐀' is "\uD835\uDC00").
Exploitation
Phishing
Assume that the target is example.com. It has a password recovery page at example.com/forgot-password. You enter the email and click on the Forgot Password button, and it will send you an email with a password reset link, and this link might look like
If we tamper with the redirect parameter and change it to
This redirects the user to an evil login page instead of the original one, and the user can be phished.
Mitigation
Only use redirects if you really need them.
If you do use them, make sure you properly check against the whitelisted domains and allow only the ones that match.
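The vulnerable snippets described above all share one defect: the redirect parameter is passed straight to the Location header or to `location.href`. Here is an added example of the whitelist check the mitigation calls for, written in Python rather than in the PHP/JSP/JavaScript of the original snippets and not taken from the post: `ALLOWED_HOSTS` and the `/` fallback are assumed values. The validator accepts only a site-relative path or an https URL whose parsed hostname is on the allowlist, and it refuses the raw forms that the tricks list relies on (protocol-relative `//`, userinfo `@`, backslashes, the `javascript:` scheme, the missing-slashes form, the fullwidth dot and homoglyphs) rather than trying to normalise them.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the application is allowed to send users to (assumed for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
FALLBACK = "/"


def safe_redirect_target(user_url, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return a redirect target that is either a path on this site or an https
    URL whose host is on the allowlist; anything else becomes `fallback`."""
    if not isinstance(user_url, str) or not user_url:
        return fallback
    # Browsers treat backslashes like slashes and some URL parsers strip tabs
    # and newlines, so refuse them outright instead of normalising.
    if any(ch in "\\ \t\r\n" or ord(ch) < 0x20 for ch in user_url):
        return fallback
    # Non-ASCII input covers the fullwidth-dot and homoglyph tricks.
    if not user_url.isascii():
        return fallback
    try:
        parts = urlsplit(user_url)
    except ValueError:
        return fallback
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash ("//host" is
        # protocol-relative and would leave the site).
        if user_url.startswith("/") and not user_url.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return fallback
    if parts.scheme.lower() != "https":
        return fallback  # also rejects javascript:, data: and plain http:
    host = parts.hostname  # lower-cased, with userinfo and port stripped
    if host is None or host not in allowed_hosts:
        # rejects target.com@attacker.com, target.com.attacker.com, https:attacker.com
        return fallback
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for candidate in ["/dashboard", "https://example.com/login", "//attacker.com",
                      "https://example.com@attacker.com", "javascript:confirm(1)"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Exact host matching against a set is deliberate: the regex-style "contains target.com" check the tricks list defeats is replaced by comparing the parser's own `hostname`, so what the browser will connect to is what gets compared.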
Multiple protocols are susceptible to enumeration, and we should ask our client which ones are really needed in the network. The obvious preventive measure is to disable the insecure protocols that are not required. However, this is not always feasible, especially if there are legacy applications in the organization that depend on insecure protocols to operate and for which no migration is scheduled in the short term.
Some defensive measures that you can suggest to your client are:
Configure filter rules on the perimeter firewall(s) so that protocols susceptible to enumeration that do not perform a public function (e.g. NetBIOS) are not exposed to the Internet.
Implement a migration plan to update the versions of legacy operating systems and applications periodically, based on cost/benefit. In companies where the number of workstations is large, you might consider a project to replace the desktops with thin clients using virtualization; license costs are usually lower in virtual environments.
Similarly, in environments with many servers, a consolidation process could provide savings not only in energy consumption but also in hardware/software maintenance and administration costs.
If you have a predominantly Windows network, you can deploy Active Directory policies to prevent the establishment of invalid (null) logon sessions and disable network logon for the built-in Administrator account. However, care must be taken with legacy programs that could use null sessions.
Although the only 100% secure network is one that is disconnected, we can take defensive measures that help us minimize security risks in our infrastructure during a scan.
Here are some precautions that we can take:
To start, you cannot scan an application that is not installed. This means that before putting a target into production we should do a "hardening" of the operating system, applications and services.
Hardening means "minimize". Therefore, for a server that performs a specific function there is no point in enabling unnecessary services, nor should applications be installed that do not serve the intended purpose. For example, if the target is only a web server (HTTP/HTTPS), why would the IRC (chat) service have to be enabled?
By preventing unnecessary applications from remaining active on the equipment, we prevent their potential vulnerabilities from becoming a point for future exploitation.
Enable automatic updates of the operating system patches that fix security issues so they are installed in a timely manner.
Keep up support contracts with the hardware/software providers, so you can reach them in case of an eventuality, for example a zero-day vulnerability (for which there is no patch yet).
Redesign the network to include security measures such as segmentation, separating security zones with intelligent next-generation firewalls.
Set rules in firewalls to filter unauthorized access to ports from the Internet and from internal subnets.
Install intrusion prevention systems (IPS) that can work with firewalls and other network devices to detect threats (such as ping sweeps, mass scanning, etc.) and block them immediately.
Perform periodic vulnerability analysis to detect any possible threats to the security of our network and take appropriate corrective actions.
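The "minimize" rule and the NetBIOS point above can be checked mechanically: list what the host is listening on and compare it with what its role needs. The following is an added example and not code from the post. It parses the output of `ss -H -tln` (the sample lines are constructed, as are the web-server role, the management address and the service names) and reports every service reachable on a non-loopback interface that the role does not account for, which is exactly the IRC-on-a-web-server case the text describes.

```python
# Ports a public web server is expected to expose on every interface, plus a
# management address on which SSH may listen (all assumed for this example).
WEB_ROLE_PORTS = {80, 443}
MANAGEMENT_ADDRESSES = {"10.0.0.5"}
MANAGEMENT_PORTS = {22}
ALL_INTERFACES = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Well-known port names, used only to make the findings readable.
SERVICE_NAMES = {22: "ssh", 80: "http", 139: "netbios-ssn", 443: "https",
                 445: "microsoft-ds", 3306: "mysql", 6667: "irc"}

# Constructed sample of `ss -H -tln` output: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 10.0.0.5:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
LISTEN 0 50 *:445 *:*
LISTEN 0 128 [::]:6667 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Extract (address, port) pairs from every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)
        listeners.append((address, int(port)))
    return listeners


def audit_listeners(listeners, role_ports=WEB_ROLE_PORTS,
                    mgmt_addresses=MANAGEMENT_ADDRESSES, mgmt_ports=MANAGEMENT_PORTS):
    """Return (port, message) findings for services reachable beyond what the
    server's role needs. Loopback-only services are not reported."""
    findings = []
    for address, port in sorted(listeners, key=lambda item: item[1]):
        if address in LOOPBACK:
            continue
        if port in role_ports:
            continue
        if port in mgmt_ports and address in mgmt_addresses:
            continue
        name = SERVICE_NAMES.get(port, "unknown")
        where = "all interfaces" if address in ALL_INTERFACES else address
        findings.append((port, f"{name}/{port} listens on {where} but is not part of this server's role"))
    return findings


if __name__ == "__main__":
    for _, message in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(message)
```

On a real host, replace `SAMPLE_SS_OUTPUT` with the captured output of `ss -H -tln` and adjust the role sets; a management port bound to every interface is reported too, since only its binding on the management address is expected.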
When we talk about ethical hacking, we mean the act of performing controlled penetration tests on computer systems: the consultant or pentester, acting from the point of view of a cracker, will try to find vulnerabilities in the audited computers that can be exploited, in some cases providing access to the affected system, but always in a controlled environment and never affecting the operation of the computer services being audited.
Phases of hacking
Both the auditor and the cracker follow a logical sequence of steps when conducting a hack. These grouped steps are called phases. There is a general consensus among information security entities and professionals that there are 5 phases, in the following order:
1 -> Reconnaissance
2 -> Scanning
3 -> Gaining Access
4 -> Maintaining Access
5 -> Erasing Clues
Usually these phases are represented as a cycle that is commonly called "the circle of hacking", to emphasize that the cracker can continue the process over and over again.
Information security auditors who perform ethical hacking services, though, use a slight variation of these phases:
1 -> Reconnaissance
2 -> Scanning
3 -> Gaining Access
4 -> Writing the Report
5 -> Presenting the Report
In this way, ethical hackers stop at phase 3 of the "circle of hacking" to report their findings and make recommendations to the client. Subsequent posts will explain each phase in detail, and how to apply software tools and common sense, coupled with experience, to run an ethical hack from start to finish in a professional manner.
Types of hacking
When we execute an ethical hack it is necessary to establish its scope, in order to develop a realistic schedule of work and deliver the economic proposal to the client. To determine the project's extent we need to know at least three basic elements: the type of hacking that we will conduct, the modality, and the additional services that the customer would like to include with the contracted service. Depending on where we execute the penetration test, an ethical hack can be external or internal.
External pentesting
This type of hacking is done from the Internet against the client's public network infrastructure, that is, the computers in the organization that are exposed to the Internet because they provide a public service. Examples of public hosts: router, firewall, web server, mail server, name server, etc.
Internal pentesting
As the name suggests, this type of hacking is executed from the customer's internal network, from the point of view of a company employee, consultant or business associate who has access to the corporate network.
In this type of penetration test we often find more security holes than in its external counterpart, because many system administrators are concerned with protecting the network perimeter and underestimate internal attackers.
Black box hacking
This mode applies to external testing only. It is called so because the client gives the consultant only the name of the company, so the auditor starts with no information; the infrastructure of the organization is a "black box". While this type of audit is considered more realistic, since an external attacker who chooses a victim X has no more information to start with than the name of the organization they are going to attack, it is also true that it requires a greater investment of time and therefore the cost incurred is higher too. Additionally, it should be noted that the ethical hacker, unlike the cracker, does not have all the time in the world to perform penetration testing, so the preliminary analysis cannot extend beyond what is possible in practical terms of cost/time/benefit.
Gray box hacking
This term usually refers to internal pentests. Nevertheless, some auditors also call an external test gray-box hacking when the client provides limited information on the public computers to be audited, for example a list of data such as IP address and type/function of the equipment (router, web server, firewall, etc.). When the term is applied to internal testing, it is given that name because the consultant receives the same access that an employee would have, such as having a laptop connected to the internal network with the NIC configured properly (IP address, subnet mask, gateway and DNS server), but does not obtain additional information such as a username/password to join a domain, the existence of related subnets, etc.
White box hacking
White-box hacking is also called transparent hacking. This method applies only to internal pentests and is called this way because the client gives the auditor complete information about its networks and systems. This means that besides providing a connection to the network and configuration information, the consultant receives extensive information such as network diagrams, a detailed equipment list including names, types, platforms, main services, IP addresses, information on remote subnets, etc. Because the consultant avoids having to find out this information, this kind of hacking usually takes less time to execute and therefore also reduces costs.
Additional hacking services
There are additional services that can be included with an ethical hack; among the popular ones are social engineering, wardialing, wardriving, stolen equipment simulation and physical security.
Social engineering
Social engineering refers to the act of gathering information through the manipulation of people: the hacker acquires confidential data using the well-known fact that the weakest link in the chain of information security is the human component.
Wardialing
During the early years of the Internet, access to it was mostly made using modems, so it was common for companies to have a group of these devices (a modem pool) connected to a PBX to answer the calls that required access to the company's local network. These modems were connected to a remote access server (RAS) which, through a login prompt (username/password) and protocols such as SLIP or PPP, allowed authorized users to connect as if they were on the local network and access resources such as applications, shared folders, printers, etc. At that time security was not something that managers thought much about, so many of these modems were not adequately protected, which made them easy prey for the first wardialing programs. What these programs did was dial phone numbers, starting from an initial value provided by the user, and record those on which a modem answered instead of a person; then the cracker called these numbers manually and executed AT commands to gain access to the modem, or ran brute-force programs to overcome the password set by the system administrator. Afterwards these programs became more sophisticated, and from the same application they could discover modems automatically and execute brute-force password attacks. Today our way of connecting to the Internet has changed, yet it is worth noting that many system and network managers still use modems as a backup strategy to provide remote support in the event of a network failure.
It should therefore not be dismissed as an entry point into the customer's network.
Wardriving
The term wardriving is derived from its predecessor wardialing, but applies to wireless networks. The hacker strikes up a wireless war from the vicinity of the client/victim company, usually from a parked car with a laptop and a signal booster antenna. The aim is to detect the presence of wireless networks that belong to the client and identify vulnerabilities that could allow the hacker entry.
expertise with customer to back up the devices prior to the audit.
Physical security audit
Although physical security is considered by many experts as a subject independent from ethical hacking, specialized companies can integrate it as part of the service. This type of audit involves difficulties and risks that you must be aware of in order to avoid situations that endanger those involved. I point this out because a physical security audit could be as simple as an inspection accompanied by customer staff filling out forms, a little more complex when we try to get into the boardroom to place a spy device while pretending to be a lost customer, or something as delicate as attempting to circumvent armed guards and enter through a back door.
Finally, once you have obtained the required information from the customer (type of hacking, mode and optional services), we are ready to prepare a proposal that clearly defines the scope of the service, the time it will take us to perform the ethical hack, the deliverable (a report of findings and recommendations), costs and payment.
Sourcefire Next-Generation IPS sets a new standard for advanced threat protection.
Real-time Contextual Awareness—See and correlate extensive amounts of event data related to IT environments: applications, users, devices, operating systems, vulnerabilities, services, processes, network behaviours, files and threats
Advanced Threat Protection—Protecting against the latest threats, Sourcefire delivers the best threat prevention.
Unparalleled Performance and Scalability—Purpose-built appliances incorporate a low-latency, single-pass design for unprecedented performance and scalability
Application Control and URL Filtering—Reduce the attack surface through optional granular control of over 1200 applications and hundreds of millions of URLs in over 80 categories
Sourcefire has been aggregating network intelligence to provide "context" to network security defenses. Threats covered include:
• Worms
• Trojans
• Backdoor attacks
• Spyware
• Port scans
• VoIP attacks
• IPv6 attacks
• DoS attacks
• Buffer overflows
• P2P attacks
• Statistical anomalies
• Protocol anomalies
• Application anomalies
• Malformed traffic
• Invalid headers
• Blended threats
• Rate-based threats
• Zero-day threats
• TCP segmentation and IP fragmentation
The Sourcefire NGIPS uses contextual awareness to fuel intelligent automation in the following ways:
• Optimize defenses and system performance by automating protection policy updates based on network changes
• Reduce the number of "actionable" security events by up to 99% by correlating threats against target operating systems and applications and their inherent vulnerabilities
• Know instantly who to contact when an internal host is affected by a client-side attack
• Be alerted when a host violates a configuration policy or attempts to access an unauthorized system
• Detect the spread of malware by baselining "normal" network traffic and detecting network anomalies
Sourcefire NGIPS takes advantage of the best hardware technology in the industry, providing IPS-inspected throughput options ranging from 50 Mbps to 40+ Gbps.
ISO/IEC 27001, also known as ISO 27001, is a security standard that outlines the suggested requirements for building, monitoring and improving an information security management system (ISMS). An ISMS is a set of policies for protecting sensitive information, e.g., financial data, intellectual property, customer details and employee records.
ISO 27001 is a voluntary standard employed by service providers to secure customer information. It requires an independent and accredited body to formally audit an organization to ensure compliance.
The benefits of working with an ISO 27001 certified service provider include:
Risk management – An ISMS helps govern who within an organization can access specific information, reducing the risk that said information can be stolen or otherwise compromised.
Information security – An ISMS contains information management protocols detailing how specific data needs to be handled and transmitted.
Business continuity – To remain ISO 27001 compliant, a service provider’s ISMS must be continuously tested and improved upon. This helps prevent data breaches that could impact your core business functions.
For service providers, compliance provides peace of mind to your customers, while allowing you to maintain due diligence regarding data security.
ISO COMPLIANCE AND INFORMATION SECURITY GOVERNANCE
ISO 27001 compliance can play an integral role in creating an information security governance policy: the plans, tools and business practices used by an enterprise to secure its sensitive data.
Creating an ISO compliant ISMS is a comprehensive process that includes scoping, planning, training and support. Below are some of the most important elements to be addressed before an enterprise can become certified.
1. ORGANIZATIONAL CONTEXT
Internal and external issues that can affect an enterprise’s ability to build an ISMS, e.g., information security, as well as legal, regulatory and contractual obligations, need to be identified.
2. SCOPE
The information defined in step one is then used to document the scope of the ISMS, outlining relevant areas as well as boundaries. The ISMS then needs to be implemented, maintained and continually improved according to the specific information security risks and the ISO 27001 requirements.
3. LEADERSHIP
The enterprise’s management needs the necessary leadership skills to maintain the ISMS. This includes:
Creating an information security policy in line with the strategic direction of the organization.
Integrating the ISMS into standard organization processes.
Communicating the details of the information security policy and highlighting the importance of ISMS requirements.
Promoting the continual improvement to the ISMS.
Ensuring adequate support for staff who work to improve the system.
4. PLANNING
A plan for addressing information security risks needs to be integrated into the ISMS process. This involves:
Establishing and applying a detailed information security risk management process that includes risk criteria, the identification of information security threats, risk analysis and the evaluation of risks relative to the established criteria.
Defining and applying a process for mitigating threats that includes controls needed to implement each risk treatment option.
5. SUPPORT
The enterprise needs to obtain the resources, people, and infrastructure to effectively implement an ISMS.
Support involves training and mentoring staff to deal with sensitive information. Additionally, employees need to be informed as to how they can contribute to the effectiveness of the ISMS and the implications of not conforming to information security policies.
Lastly, internal and external communication policies relevant to the ISMS need to be established. Policies should include the definition of issues that need to be communicated, with whom these issues should be communicated and the methods of communication.
6. OPERATIONS
This step focuses on executing the plans and processes defined in previous sections. The organization needs to document all actions carried out to ensure that processes are executed as planned.
Additionally, outsourced processes need to be identified to evaluate and control information security risks.
7. PERFORMANCE EVALUATION
Performance evaluations ensure the continued effectiveness and future improvement of the ISMS. They also regularly identify areas for potential improvement in information security.
Internal audits and management reviews need to be conducted and documented at defined regular intervals to evaluate ISMS performance.
8. IMPROVEMENT
Nonconformities with ISO 27001 requirements need to be addressed immediately upon discovery. Organizations need to identify and execute the steps to ensure that the same issues don’t recur.
Additionally, enterprises must continually attempt to improve the suitability, adequacy and effectiveness of their ISMS.