
SUMMER TRAINING REPORT

ON

“Web Application Penetration Testing project”

IN

CyberFoxTechnology

Submitted By: Sonalika Sunil Singh

Supervised By: Project Manager

PREFACE

The successful completion of this project was a unique
experience for us and we gained better knowledge about
social media marketing in India. The experience which we got
by doing this project was essential to our future. The information
in this project being submitted by us contains a detailed analysis of
the research undertaken by us.

The research provides an opportunity to us to devote our skills,
knowledge and competencies during our knowledge gathering
sessions of marketing management.
The research is on the topic “Web application penetration
testing project”.

ACKNOWLEDGEMENT

“Knowledge is an experience gained in life, it is the choicest
possession, which should not be shelved but should be happily
shared with others. It is the supreme art of the teacher to awaken
joy in creative expression and knowledge.” The success of any
project is the result of hard work and endeavor of not one but
many people, and this project is no different. I take this as an
opportunity to acknowledge that it was an achievement to have succeeded
in our final project, which would not have been possible without
the guidance of:

Mr. Sunil Singh -Manager, Marketing, Cyberfoxtechnology

Mr. Pawan - Manager, Human Resource, Cyberfoxtechnology

Mr. -Faculty, Mentor, NIU GREATER NOIDA


Dr., Director, NIU.

Mr. - Head of the Department, NIU.

Finally, we are thankful to the entire Cyberfoxtechnology team,
who gave their full support in collecting the required
information and continuous help during the project.

DECLARATION

I, Sonalika, Roll no 11111111, student of NIU GREATER
NOIDA, hereby declare that the project report on “Web
Application Penetration Testing Project” at
CyberfoxTechnology, a business and career networking site, is
an original and authenticated work done by me. The project was
of 45 days duration.

I further declare that it has not been submitted elsewhere by any
other person in any of the institutes for the award of any degree
or diploma.

Sonalika

B.tech (CSE)

Executive Summary

1.1 Summary

Sonalika was assigned the task of carrying out quarterly
penetration testing of , to Network Intelligence
Cyberfoxtechnology.
This is the second quarter penetration testing report. This
penetration test was performed on 28/10/2017. The detailed
report about each task and our findings is given below.
The purpose of the test is to determine security vulnerabilities in
the server configurations and web applications running on the
servers specified as part of the scope. The tests are carried out
assuming the identity of an attacker or a user with malicious
intent. At the same time, due care is taken not to harm the server.

Approach

• Perform broad scans to identify potential areas of
  exposure and services that may act as entry points.
• Perform targeted scans and manual investigation to
  validate vulnerabilities.
• Test identified components to gain access to:
• Identify and validate vulnerabilities.
• Rank vulnerabilities based on threat level, loss potential,
  and likelihood of exploitation.
• Perform supplemental research and development activities
  to support analysis.
• Identify issues of immediate consequence and recommend
  solutions.
• Develop long-term recommendations to enhance security.
• Transfer knowledge.

During the network level security checks we tried to probe the
ports present on the various servers and detect the services
running on them with the existing security holes, if any. At the
web application level we checked the web servers’ configuration
issues, and more importantly the logical errors in the web
application itself.

COMPANY OVERVIEW

Cyber Fox Technology is the best institute for Ethical Hacking
courses, Information Security certifications, Core Java and
Advance Java training, Tally training and other IT professional
courses and training. Cyber Fox Technology is an information
security training and development company. We started our
operations on 10 April, 2014, and since its foundation we have been
committed to offering the best information security training and
services to our students, clients and partners, with high-standard
content, because we believe that high standards bring
excellent output in the long run. Our standards are our strength, and
we maintain them so that when we say "We are Professional in it"
we really mean it. In just a few years since its inception, Cyber Fox
Technology has grown with a rapid increase in its
students, clients and customers. World's No.1 in classroom
training, online training and offshore training for EC-Council, Tally,
CISCO and Microsoft, and a complete penetration testing services
provider. These are a few of the courses which we provide in our
institute:

• CEH (Certified Ethical Hacking)
• CHFI (Computer Hacking Forensic Investigator)
• ECSA (EC-Council Certified Security Analyst)
• ENSA (EC-Council Network Security Administrator)
• LPT (Licensed Penetration Tester)
• Java Course Training
• C, C++ Training
• Digital Marketing
• PHP, HTML Training
• Website Development
• Website Designing Training
• Core Java Training
• Advance Java Training

About Cyber Fox Technology

Cyber Fox Technology - Fastest Growing and Leading IT Company


Industry Partnerships

• Microsoft Certified Partner
• VMware Authorized Partner
• EC Council Authorized Training Center
• CompTIA Authorized Partner
• Tally Academy

Careers at Cyber Fox Technology

Information Security Consultant

Job Description

Cyber Fox Technology Services has an opportunity to help our
customers build, manage, and deploy their HP
Fortify/WebInspect software applications more securely across
the entire application lifecycle, free of vulnerabilities that can
be exploited by cyber attackers.

Responsibilities

The responsibilities of a Software Security Consultant are broad
and may vary depending on your level of experience and skills.
Responsibilities include but are not limited to:

• Scanning customer source code, auditing results with
  development and/or security teams and offering plans for
  remediation of vulnerabilities.
• Installing and configuring HP Fortify products onsite for
  customers.
• Communicating technical application security concepts to
  customer staff including developers, architects, and managers.
• Training customer staff on application security and
  products.
• Assessing and scoping of customer's application security
  needs.
• Contributing to project planning and other project
  deliverables.
• Customizing the implementation of HP Fortify's production
  and test products.
• Collaborating with Product Management and Engineering
  to enhance products.
• Representing technical, business, and professional values to
  customers, partners, and peers.
• Work is conducted mostly at customer sites; extensive
  travel is required.

Technical Qualifications

The ideal candidate should have:

• A technical Bachelor's degree or 6-8 years relevant work
  experience.
• Prior consulting experience desired.
• 5+ years experience in the role of software or security
  consulting.
• 5+ years experience in software development using Java,
  Microsoft .NET (C# or VB), or C/C++.
• Experience using build tools (e.g. ant, make, maven,
  msbuild, nant, etc.).
• Experience in developing and/or deploying web
  applications is strongly desired.
• Experience with multiple operating systems is strongly
  desired.
• Fundamental understanding of software, computer, and
  network architectures.
• Experience in enterprise security or application security
  is a plus.
• CISSP, CSSLP, CISA, CEH, MCSE/MCITP and SANS
  certifications are a plus.

Steps Involved For Web Hacking

1. Information Gathering
2. Scanning
3. SQL Injection

1. What is Information Gathering?

Foot printing and Reconnaissance

Why are foot printing and reconnaissance important?
Foot printing is the first step of a hacker, where an attacker or
hacker collects all information about the target such as:
• Is the target system alive or not?
• What is its IP address?
• Geographical location
• How many security systems are implemented, like IDS
  or firewall
• How many domains are running, the operating system,
  and so on.
After collecting all information about the target, the hacker attempts
the hack. It is similar to a smart robber: first the robber sees how
many security cameras are installed in the bank, where the cash
counter and security guards are, and so on.
Reconnaissance refers to the preparatory phase where an attacker
gathers as much information as possible about the target prior to
launching the attack. Also in this phase, the attacker draws on
competitive intelligence to learn more about the target network.
This phase may also involve network scanning, either external or
internal, without authorization. Social engineering is also a part of it,
where an attacker gathers information by smooth talk.
Foot printing refers to collecting as much information as possible
about the target. Foot printing and reconnaissance are both the same.

How To Get Information About the target site?

Tools for gathering information:

• Google search engine
• whois
• whois.com
• whois.net
These are also used to check the server where the target site is hosted,
and how many other websites are running on the same server.

Let's have a practical session

We have two target sites:
• http://beckabeads.com/
• http://ppsrudra.com/

First, go to Google and type whois.com.

The whois.com and whois.net results for http://beckabeads.com/ are
shown in the screenshot above.

Now you can see in the screenshot the whole information about the target
site. The same is done for the next website.

http://ppsrudra.com/
Now we use whois.net in the same way as whois.com.

Now we will go and find out the vulnerabilities in our target sites.
To check for weaknesses we need a software tool named Acunetix.

What is Scanning?
After footprinting and reconnaissance, scanning is the second
phase of information gathering that hackers use to size up a
network. Scanning is where they dive deeper into the system to
look for valuable data and services in a specific IP address range.

What is website scanning?
A web application security scanner is a program which
communicates with a web application through the web front-end
in order to identify potential security vulnerabilities in the web
application and architectural weaknesses. It performs a black-box test.

What is Acunetix?
Acunetix Web Vulnerability Scanner is an automated web
application security testing tool that audits your web applications
by checking for vulnerabilities like SQL Injection, Cross site
scripting, and other exploitable vulnerabilities.

Now just install Acunetix on your system and start testing.

Open the tool.
Paste your target site.

This is the Acunetix report for the first target site.

Blind SQL Injection

Vulnerability description
This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter
back-end SQL statements by manipulating the user input. An
SQL injection occurs when web applications accept user input
that is directly placed into a SQL statement and doesn't properly
filter out dangerous characters.
This is one of the most common application layer attacks
currently being used on the Internet. Despite the fact that it is
relatively easy to protect against, there is a large number of web
applications vulnerable.
Affected items
• /shop.asp
The impact of this vulnerability
An attacker may execute arbitrary SQL statements on the
vulnerable system. This may compromise the integrity of your
database and/or expose sensitive information.

Depending on the back-end database in use, SQL injection
vulnerabilities lead to varying levels of data/system access for
the attacker. It may be possible to not only manipulate existing
queries, but to UNION in arbitrary data, use sub selects, or
append additional queries. In some cases, it may be possible to
read in or write out to files, or to execute shell commands on the
underlying operating system.

Certain SQL Servers such as Microsoft SQL Server contain
stored and extended procedures (database server functions). If an
attacker can obtain access to these procedures it may be possible
to compromise the entire machine.
How to fix this vulnerability
Your script should filter metacharacters from user input.
Check detailed information for more information about fixing
this vulnerability.

Cross Site Scripting

Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS)
attacks.

Cross site scripting (also referred to as XSS) is a vulnerability
that allows an attacker to send malicious code (usually in the
form of Javascript) to another user. Because a browser cannot
know if the script should be trusted or not, it will execute the
script in the user context allowing the attacker to access any
cookies or session tokens retained by the browser.
This vulnerability affects /addtocart.asp.
Discovered by: Scripting (XSS.script).
Attack details
URL encoded GET input c was set to 1" onmouseover=prompt(912760) bad="
The input is reflected inside a tag parameter between double
quotes.

The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX,
HTML or Flash into a vulnerable application to fool a user in
order to gather data from them. An attacker can steal the session
cookie and take over the account, impersonating the user. It is
also possible to modify the content of the page presented to the
user.
How to fix this vulnerability
Your script should filter metacharacters from user input.

Cross site scripting (verified)

Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS)
attacks.

Cross site scripting (also referred to as XSS) is a vulnerability
that allows an attacker to send malicious code (usually in the
form of Javascript) to another user. Because a browser cannot
know if the script should be trusted or not, it will execute the
script in the user context allowing the attacker to access any
cookies or session tokens retained by the browser.
This vulnerability affects /addtocart.asp.
Discovered by: Scripting (XSS.script).
Attack details
URL encoded GET input c was set to CLASPS" onmouseover=prompt(960510) bad="
The input is reflected inside a tag parameter between double
quotes.

The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX,
HTML or Flash into a vulnerable application to fool a user in
order to gather data from them. An attacker can steal the session
cookie and take over the account, impersonating the user. It is
also possible to modify the content of the page presented to the
user.
How to fix this vulnerability
Your script should filter metacharacters from user input.
Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS)
attacks.

Cross site scripting (also referred to as XSS) is a vulnerability
that allows an attacker to send malicious code (usually in the
form of Javascript) to another user. Because a browser cannot
know if the script should be trusted or not, it will execute the
script in the user context allowing the attacker to access any
cookies or session tokens retained by the browser.
This vulnerability affects /shop.asp.
Discovered by: Scripting (XSS.script).
Attack details
URL encoded GET input c was set to CLASPS" onmouseover=prompt(904973) bad="
The input is reflected inside a tag parameter between double
quotes.

The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX,
HTML or Flash into a vulnerable application to fool a user in
order to gather data from them. An attacker can steal the session
cookie and take over the account, impersonating the user. It is
also possible to modify the content of the page presented to the
user.
How to fix this vulnerability
Your script should filter metacharacters from user input.
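An added example, not code from the report or the scanner, showing how the XSS findings above arise when GET input c is reflected inside a double-quoted attribute and how attribute encoding removes them. The hidden input element, the render functions and the parsing check are assumptions made for this example; the audited pages' real markup is not on the page.

```python
"""Added example (not from the report): reflection of GET input c into a
double-quoted attribute, the defect the scanner flagged, beside the encoded
form. The markup and helper functions are constructed for illustration."""
import html
from html.parser import HTMLParser

# The payload quoted in the report's attack details for input c.
PAYLOAD = '1" onmouseover=prompt(912760) bad="'


def render_vulnerable(c: str) -> str:
    """Defect: the raw parameter is pasted into the attribute. A double quote
    in it closes value="..." and the rest becomes new attributes of the tag."""
    return '<input type="hidden" name="c" value="' + c + '">'


def render_encoded(c: str) -> str:
    """Fix: encode &, <, >, " and ' before the value enters the attribute.
    html.escape(quote=True) turns " into &quot;, so the attribute cannot be
    closed early; the browser decodes &quot; back to " when reading the value."""
    return '<input type="hidden" name="c" value="' + html.escape(c, quote=True) + '">'


class _AttrCollector(HTMLParser):
    """Records (tag, attribute names, decoded 'value' attribute) per start tag,
    i.e. what a browser would see after parsing the fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        names = [name for name, _ in attrs]
        value = dict(attrs).get("value")
        self.tags.append((tag, names, value))


def parse_tags(fragment: str) -> list:
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def has_event_handler(fragment: str) -> bool:
    """Detection check: an on* attribute on any tag. In this context that is
    only possible if the reflected input escaped the quoted attribute."""
    return any(name.startswith("on")
               for _, names, _ in parse_tags(fragment) for name in names)


if __name__ == "__main__":
    for render in (render_vulnerable, render_encoded):
        fragment = render(PAYLOAD)
        print(fragment)
        print("  event handler injected:", has_event_handler(fragment))
```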

SQL injection (verified)

Vulnerability description
This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter
back-end SQL statements by manipulating the user input. An
SQL injection occurs when web applications accept user input
that is directly placed into a SQL statement and doesn't properly
filter out dangerous characters.

This is one of the most common application layer attacks
currently being used on the Internet. Despite the fact that it is
relatively easy to protect against, there is a large number of web
applications vulnerable.
Affected items
• /shop.asp
The impact of this vulnerability
An attacker may execute arbitrary SQL statements on the
vulnerable system. This may compromise the integrity of your
database and/or expose sensitive information.

Depending on the back-end database in use, SQL injection
vulnerabilities lead to varying levels of data/system access for
the attacker. It may be possible to not only manipulate existing
queries, but to UNION in arbitrary data, use sub selects, or
append additional queries. In some cases, it may be possible to
read in or write out to files, or to execute shell commands on the
underlying operating system.

Certain SQL Servers such as Microsoft SQL Server contain
stored and extended procedures (database server functions). If an
attacker can obtain access to these procedures it may be possible
to compromise the entire machine.
How to fix this vulnerability
Your script should filter metacharacters from user input.
Check detailed information for more information about fixing
this vulnerability.

Application error message

Vulnerability description
This page contains an error/warning message that may disclose
sensitive information. The message can also contain the location
of the file that produced the unhandled exception.
This may be a false positive if the error message is found in
documentation pages.
Affected items
• /shop.asp
The impact of this vulnerability
The error messages may disclose sensitive information. This
information can be used to launch further attacks.
How to fix this vulnerability
Review the source code for this script.

Insecure transition from HTTP to HTTPS in form post

Vulnerability description
This form is served from an insecure (http) page. This page
could be hijacked using a Man-in-the-middle attack and an
attacker can replace the form target.

Affected items
• /shop.asp (0be1c7f488c5faca47af0b835336b8ba)
The impact of this vulnerability
Possible information disclosure.
How to fix this vulnerability
The form should be served from a secure (https) page.

Clickjacking: X-Frame-Options header missing

Vulnerability description
Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into
clicking on something different from what the user perceives
they are clicking on, thus potentially revealing confidential
information or taking control of their computer while clicking on
seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which
means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to
indicate whether or not a browser should be allowed to render a
page in a <frame> or <iframe>. Sites can use this to avoid
clickjacking attacks, by ensuring that their content is not
embedded into other sites.
Affected items
• Web Server
The impact of this vulnerability
The impact depends on the affected web application.
How to fix this vulnerability
Configure your web server to include an X-Frame-Options
header. Consult Web references for more information about the
possible values for this header.

Possible sensitive directories

Vulnerability description
A possible sensitive directory has been found. This directory is
not directly linked from the website. This check looks for
common sensitive resources like backup directories, database
dumps, administration pages, temporary directories. Each one of
these directories could help an attacker to learn more about his
target.
Affected items
• /admin
The impact of this vulnerability
This directory may expose sensitive information that could help
a malicious user to prepare more advanced attacks.
How to fix this vulnerability
Restrict access to this directory or remove it from the website.

Session Cookie without HttpOnly flag set

Vulnerability description
This cookie does not have the HttpOnly flag set. When a
cookie is set with the HttpOnly flag, it instructs the browser
that the cookie can only be accessed by the server and not by
client-side scripts. This is an important security protection for
session cookies.
Affected items
• /
The impact of this vulnerability
None
How to fix this vulnerability
If possible, you should set the HttpOnly flag for this cookie.

Session Cookie without Secure flag set

Vulnerability description
This cookie does not have the Secure flag set. When a cookie is
set with the Secure flag, it instructs the browser that the cookie
can only be accessed over secure SSL channels. This is an
important security protection for session cookies.
Affected items
• /
The impact of this vulnerability
None
How to fix this vulnerability
If possible, you should set the Secure flag for this cookie.
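An added example (not from the report or the scanner) that checks a raw HTTP response for the clickjacking and session cookie findings above and reports them in the scanner's wording. The two sample responses and their cookie names are constructed for this example, not captured from either audited site.

```python
"""Added example (not from the report): audit a raw HTTP response for a
missing X-Frame-Options header and for cookies lacking HttpOnly or Secure.
SAMPLE_RESPONSE and FIXED_RESPONSE are constructed, not captured."""

# Constructed: a response showing all three problems on the session cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; path=/\r\n"
    "Set-Cookie: tracking=xyz; path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed: the same response with the scanner's fixes applied.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: SESSIONID=abc123; path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: tracking=xyz; path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> list:
    """Return (lower-cased name, value) pairs from the response head.
    A list, not a dict, because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_flags(set_cookie: str) -> tuple:
    """Split a Set-Cookie value into the cookie name and its attribute names
    (lower-cased), e.g. ('SESSIONID', {'path', 'httponly', 'secure'})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, flags


def audit(raw: str) -> list:
    """Findings in the scanner's wording; empty list when none apply."""
    findings = []
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    # X-Frame-Options is what the report asks for; a Content-Security-Policy
    # carrying frame-ancestors is the modern equivalent and is accepted too.
    csp = [v for n, v in headers if n == "content-security-policy"]
    if "x-frame-options" not in names and not any("frame-ancestors" in v for v in csp):
        findings.append("Clickjacking: X-Frame-Options header missing")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, flags = cookie_flags(value)
        if "httponly" not in flags:
            findings.append(f"Cookie {cookie} without HttpOnly flag set")
        if "secure" not in flags:
            findings.append(f"Cookie {cookie} without Secure flag set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
    print("fixed response findings:", audit(FIXED_RESPONSE))
```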

Email address found

Vulnerability description
One or more email addresses have been found on this page. The
majority of spam comes from email addresses harvested off the
internet. The spam-bots (also known as email harvesters and
email extractors) are programs that scour the internet looking for
email addresses on any website they come across. Spambot
programs look for strings like myname@mydomain.com and
then record any addresses found.
Affected items
• /classes.asp
• /contact.asp
The impact of this vulnerability
Email addresses posted on Web sites may attract spam.
How to fix this vulnerability
Check references for details on how to solve this problem.

Now just take the next target site:
=============================================
http://www.ppsrudra.com/

Same as for the previous site: open your Acunetix and put in your target site.
This is the second site report.
Blind SQL Injection

Vulnerability description
This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter
back-end SQL statements by manipulating the user input. An
SQL injection occurs when web applications accept user input
that is directly placed into a SQL statement and doesn't properly
filter out dangerous characters.

This is one of the most common application layer attacks
currently being used on the Internet. Despite the fact that it is
relatively easy to protect against, there is a large number of web
applications vulnerable.
Affected items
• /admin/login.php
• /service.php
The impact of this vulnerability
An attacker may execute arbitrary SQL statements on the
vulnerable system. This may compromise the integrity of your
database and/or expose sensitive information.

Depending on the back-end database in use, SQL injection
vulnerabilities lead to varying levels of data/system access for
the attacker. It may be possible to not only manipulate existing
queries, but to UNION in arbitrary data, use sub selects, or
append additional queries. In some cases, it may be possible to
read in or write out to files, or to execute shell commands on the
underlying operating system.

Certain SQL Servers such as Microsoft SQL Server contain
stored and extended procedures (database server functions). If an
attacker can obtain access to these procedures it may be possible
to compromise the entire machine.
How to fix this vulnerability
Your script should filter metacharacters from user input.
Check detailed information for more information about fixing
this vulnerability.

jQuery cross site scripting

Vulnerability description
This page is using an older version of jQuery that is vulnerable
to a Cross Site Scripting vulnerability. Many sites use it to
select elements using location.hash, which allows someone to inject
script into the page. This problem was fixed in jQuery 1.6.3.
Affected items
• /js/jquery-1.4.2.js
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX,
HTML or Flash into a vulnerable application to fool a user in
order to gather data from them. An attacker can steal the session
cookie and take over the account, impersonating the user. It is
also possible to modify the content of the page presented to the
user.
How to fix this vulnerability
Update to the latest version of jQuery.

Microsoft IIS tilde directory enumeration

Vulnerability description
It is possible to detect short names of files and directories which
have an 8.3 file naming scheme equivalent in Windows by using
some vectors in several versions of Microsoft IIS. For instance, it
is possible to detect all short-names of ".aspx" files as they have
4 letters in their extensions. This can be a major issue especially
for .Net websites which are vulnerable to direct URL access,
as an attacker can find important files and folders that are
not normally visible.
Affected items
• /
The impact of this vulnerability
Possible sensitive information disclosure.
How to fix this vulnerability
Consult the "Prevention Technique(s)" section from Soroush
Dalili's paper on this subject. A link to this paper is listed in the
Web references section below.

Vulnerable Javascript library

Vulnerability description
You are using a vulnerable Javascript library. One or more
vulnerabilities were reported for this version of the Javascript
library. Consult Attack details and Web References for more
information about the affected library and the vulnerabilities that
were reported.
Affected items
• /admin/js/jquery-ui-1.8.21.custom.min.js
The impact of this vulnerability
Consult Web References for more information.
How to fix this vulnerability
Upgrade to the latest version.

HTML form without CSRF protection

Vulnerability description
This alert may be a false positive; manual confirmation is
required.

Cross-site request forgery, also known as a one-click attack or
session riding and abbreviated as CSRF or XSRF, is a type of
malicious exploit of a website whereby unauthorized commands
are transmitted from a user that the website trusts.

Acunetix WVS found an HTML form with no apparent CSRF
protection implemented. Consult details for more information
about the affected HTML form.
Affected items
• /admin
• /contactus.php
• /team.php
The impact of this vulnerability
An attacker may force the users of a web application to execute
actions of the attacker's choosing. A successful CSRF exploit
can compromise end user data and operation in the case of a normal
user. If the targeted end user is the administrator account, this
can compromise the entire web application.
How to fix this vulnerability
Check if this form requires CSRF protection and implement
CSRF countermeasures if necessary.

User credentials are sent in clear text

Vulnerability description
User credentials are transmitted over an unencrypted channel.
This information should always be transferred via an encrypted
channel (HTTPS) to avoid being intercepted by malicious users.
Affected items
• /admin
The impact of this vulnerability
A third party may be able to read the user credentials by
intercepting an unencrypted HTTP connection.
How to fix this vulnerability
Because user credentials are considered sensitive information,
they should always be transferred to the server over an encrypted
connection (HTTPS).

Clickjacking: X-Frame-Options header missing

Vulnerability description
Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into
clicking on something different from what the user perceives
they are clicking on, thus potentially revealing confidential
information or taking control of their computer while clicking on
seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which
means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to
indicate whether or not a browser should be allowed to render a
page in a <frame> or <iframe>. Sites can use this to avoid
clickjacking attacks, by ensuring that their content is not
embedded into other sites.
Affected items
• Web Server
The impact of this vulnerability
The impact depends on the affected web application.
How to fix this vulnerability
Configure your web server to include an X-Frame-Options
header. Consult Web references for more information about the
possible values for this header.

Login page password-guessing attack

Vulnerability description
A common threat web developers face is a password-guessing
attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every
possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.

This login page doesn't have any protection against password-guessing
attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number
of incorrect password attempts. Consult Web references for more
information about fixing this problem.
Affected items
• /admin/login.php
The impact of this vulnerability
An attacker may attempt to discover a weak password by
systematically trying every possible combination of letters,
numbers, and symbols until it discovers the one correct
combination that works.
How to fix this vulnerability
It's recommended to implement some type of account lockout
after a defined number of incorrect password attempts.
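An added example (not from the report) of the account lockout the scanner recommends for the login page, as a small in-memory policy: consecutive failures are counted per account and further attempts are refused for a window once the threshold is reached. The threshold, the window length, the clock and the credential check are assumptions for this example, not the target's settings.

```python
"""Added example (not from the report): account lockout after a defined
number of incorrect password attempts. MAX_FAILURES, LOCKOUT_SECONDS and
the simulated scenario are assumptions, not values from the audited site."""
from dataclasses import dataclass, field

MAX_FAILURES = 5        # assumed threshold of consecutive failures
LOCKOUT_SECONDS = 900   # assumed lockout window (15 minutes)


@dataclass
class LoginGuard:
    """Tracks consecutive failures and lock expiry per account name."""
    failures: dict = field(default_factory=dict)      # user -> failure count
    locked_until: dict = field(default_factory=dict)  # user -> unix time

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Window expired: clear the lock and the counter behind it.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'denied'. The caller performs the actual
        credential check (a constant-time hash comparison in real code) and
        passes its result in; a locked account is refused before that check."""
        if self.is_locked(user, now):
            return "locked"
        if credential_ok:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def simulate() -> list:
    """Constructed scenario: five wrong passwords, then the correct password
    while locked, then the correct password after the window has expired."""
    guard = LoginGuard()
    results = []
    start = 1000.0
    for i in range(5):
        results.append(guard.attempt("admin", False, start + i))
    results.append(guard.attempt("admin", True, start + 10))
    results.append(guard.attempt("admin", True, start + 10 + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(simulate())
```

Locking by account name lets an attacker who knows a username lock the legitimate owner out, so deployments usually pair this with a per-source rate limit rather than relying on it alone.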

Now just go for the attack.

Before do the attack try to understand SQL Injection

SQL INJECTION
An SQL injection is a computer attack in which malicious code
is embedded in a poorly-designed application and then passed to
the backend database. The malicious data then produces database
query results or actions that should never have been executed.

Types of SQL Injection

1. Blind SQL
2. Normal SQL
3. Havij
4. SQLmap

1. Blind SQL
Blind SQL Injection is used here to throw an error to validate
that encapsulation isn't working. The goal is to throw an error
that causes the application to show us that it is not
encapsulating quotes correctly.
The code to be entered in username & password is given below:
1'OR'1'='1

inurl:login.aspx
Now just take your target site which you have already scanned:
http://beckabeads.com/
This is the site which is vulnerable to Blind SQL Injection.
Now just find the admin page of this website to log in.
To find the admin page of this website you can take the help of
Google:
open Google
and type: admin http://beckabeads.com/

Then you find the admin page of your target site.

Now just put your Blind SQL Injection in your target site's user
name and password:
User name : 1'OR'1'='1
Password : 1'OR'1'='1

And submit...
After login you get admin access.

Now we have all access to the website; we can edit, save or
delete anything from this website.

Havij Tool:-
Havij is an automated SQL Injection tool that helps penetration
testers to find and exploit SQL Injection vulnerabilities on a web
page.
It can take advantage of a vulnerable web application. By using
this software the user can perform back-end database
fingerprinting, retrieve DBMS users and password hashes, dump
tables and columns, fetch data from the database, run SQL
statements and even access the underlying file system and
execute commands on the operating system.
The power of Havij that makes it different from similar tools is
its injection methods. The success rate is more than 95% at
injecting vulnerable targets using Havij.
The user-friendly GUI (Graphical User Interface) of Havij and its
automated settings and detections make it easy to use for
everyone, even amateur users.
Just open the Havij software and paste the target website.

http://www.ppsrudra.com/service.php?id=57 is the vulnerable URL
of http://www.ppsrudra.com/

You get several databases of the website ppsrudra.com:
- ppsrudradb
- information_schema
- test
Then select the first database, ppsrudradb, and fetch the tables
of that database.
We get several tables of the ppsrudradb database:
1 admin
2 contactdb
3 portfolio
4 servicedb

The next step is to select the first table, i.e. admin, and fetch
the columns of the admin table, which are as follows:
- Id
- Username
- Password
Now select all three columns and click on "get data", which
shows the values of these columns as shown in the picture below.

Now that we have the username and password, go to the admin
page to log in, which is shown below.

Put the login credentials from the Havij tool and log in.

Put a title and service detail and submit; whatever is written
here is displayed on the website page as shown below.
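The login bypass shown in the Blind SQL section above and the `service.php?id=57` injection point that Havij exploits are the same defect, user input spliced into SQL text, and they have the same fix. The added example below (not code from the report or from either site it names) reproduces the report's own `1'OR'1'='1` payload offline against an in-memory SQLite database and shows, beside it, the parameterised versions of both queries that it cannot get past. Table contents are constructed; the column names mirror the admin table the report dumps (Id, Username, Password), including its plaintext passwords.

```python
"""The report's auth bypass, reproduced offline against an in-memory SQLite
database, beside the parameterised queries that stop it.

Added example; not code from the report or from the sites it names.
All table contents are constructed.
"""
import hmac
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed copy of the two tables the report touches."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO admin (username, password) VALUES (?, ?)", ("admin", "s3cret"))
    con.execute("CREATE TABLE servicedb (id INTEGER PRIMARY KEY, title TEXT, detail TEXT)")
    con.execute("INSERT INTO servicedb VALUES (?, ?, ?)", (57, "Web design", "constructed sample row"))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """What the report's target apparently does: user input pasted into the SQL text."""
    sql = f"SELECT id FROM admin WHERE username='{username}' AND password='{password}'"
    # With 1'OR'1'='1 in both fields the WHERE clause becomes
    #   username='1' OR '1'='1' AND password='1' OR '1'='1'
    # and, since AND binds tighter than OR, the trailing OR '1'='1'
    # makes it true for every row: the quotes were never "encapsulated".
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the username travels as a bound value, never as SQL.

    The password never enters the query at all; it is compared in Python with
    a constant-time comparison. (Storing a slow hash instead of the plaintext
    is a separate fix that the report's target also lacks.)
    """
    row = con.execute("SELECT password FROM admin WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


def service_safe(con: sqlite3.Connection, raw_id: str) -> list:
    """The service.php?id=57 lookup done safely: validate the type, then bind."""
    try:
        service_id = int(raw_id)
    except ValueError:
        return []   # anything that is not an integer is simply not a valid id
    return con.execute("SELECT title FROM servicedb WHERE id = ?", (service_id,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    payload = "1'OR'1'='1"
    print("vulnerable login with payload:", login_vulnerable(con, payload, payload))   # True
    print("safe login with payload:      ", login_safe(con, payload, payload))         # False
    print("safe login, real credentials: ", login_safe(con, "admin", "s3cret"))       # True
```

The bound-parameter form is what every mainstream driver offers (`?` here, `%s` in MySQLdb/psycopg, prepared statements in PDO for the PHP the report's targets run); string escaping is a weaker substitute, and type validation of numeric ids is a cheap second layer. A tool like Havij succeeds only where the first form is missing.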

Scope of website penetration testing

In India companies like Wipro, Infosys and IBM are interested in
employing ethical hackers. Moreover, salaries are higher than in
other areas of IT. According to Nasscom, India will require at
least 77,000 ethical hackers compared to the present figure of
15,000. If you are well versed with the inner workings of a
system and have the capability to discover new weaknesses in
an otherwise secure system, then you will find it easy to build
your career and take it to the next level. At the minimum
you will require an undergraduate degree in computer
science. Although certifications help, they only go insofar
as your skills are concerned. In many cases you have to think
like a hacker, so a sound grasp of system internals (including
networking protocols, the underlying OS, reversing skills etc.)
may be required. You may land an average job at a startup based
on the skills you have, but in order to ascend to the top you will
have to put in some serious effort. I have seen people with
average educational backgrounds making it to the position of
chief security officer from being just a security tester in a
span of a few years, just because they had the passion to go
through seemingly complicated tasks, from reversing an unknown
protocol to finding vulnerabilities in an otherwise secure
product.
In the end it's your passion that counts. To start with
information security you may follow "As a 3rd year computer
science student of engineering, how should I prepare after
graduation to make information security my profession?"

Limitation of Ethical Hacking

As the name implies, the "ethical" part is the only limitation of
Ethical Hacking. You have to play by the rules.

When you consider other types, like Black Hat, most of the
hacking involved doesn't have any rule book or compliance
requirements. Whereas in Ethical Hacking or White Hat, you'll
have to strictly comply with the company policy when hacking;
it's a restricted playground.
Conclusion

The word "hacker" carries weight. People strongly disagree as to
what a hacker is. Hacking may be defined as legal or illegal,
ethical or unethical. The media's portrayal of hacking has
boosted one version of discourse. The conflict between
discourses is important for our understanding of the computer
hacking subculture. Also, the outcome of the conflict may prove
critical in deciding whether or not our society and institutions
remain in the control of a small elite or we move towards a
radical democracy (a.k.a. socialism). It is my hope that the
hackers of the future will move beyond their limitations (through
inclusion of women, a deeper politicization, and more concern
for recruitment and teaching) and become hacktivists. They need
to work with non-technologically based and technology-
borrowing social movements (like most modern social
movements, who use technology to do their task more easily) in
the struggle for global justice. Otherwise the non-technologically
based social movements may face difficulty continuing to resist
as their power base is eroded while that of the new technopower
elite is growing.
