
IT APPLICATION SECURITY


ASSIGNMENT-2

Submitted to:
Ms. Tripti Misra
Assistant Professor (SS)
Department of Systemics

SUBMITTED BY:

Name                Batch   Roll No.     Sap Id
Mahima Chawla       B2      R134217079   500061523
Mansi Bisht         B2      R134217081   500061643
Isha Saxena         B2      R134217065   500061372
Gaganpreet Gandhi   B2      R134217056   500061053
Komal               B2      R134217070   500061907


SECURITY TESTING REPORT

OPPONENT TEAM DOMAIN: http://ec2-18-219-12-207.us-east-2.compute.amazonaws.com:9000/

1.) Pitchfork Attack

The pitchfork attack type uses one payload set for each position. It places the first payload in the first position, the second payload in the second position, and so on.
It then loops through all payload sets at the same time. The first request uses the first payload from each payload set, the second request uses the second payload from each payload set, and so on.
The pitchfork attack
- uses as many payload sets as there are positions,
- replaces each position with its respective payload,
- does as many requests as the maximum payload set size,
- first payload set goes into the first position, etc.

2.) Session Hijacking

Although any computer session could be hijacked, session hijacking most commonly applies to browser sessions and web applications. The attack relies on the attacker's knowledge of the victim's session cookie and is also called cookie hijacking or cookie side-jacking.

To perform session hijacking, an attacker needs to know the victim's session ID (session key). This can be obtained by stealing the session cookie or persuading the user to click a malicious link containing a prepared session ID. In both cases, after the user is authenticated on the server, the attacker can take over (hijack) the session by using the same session ID for their own browser session. The server is then fooled into treating the attacker's connection as the original user's valid session.
3.) Weak lockout mechanism

In the opponent's website there is no restriction found on the number of login attempts.

Account lockout mechanisms are used to mitigate brute force password guessing attacks. Accounts are typically locked after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or by intervention of an administrator. Account lockout mechanisms require a balance between protecting accounts from unauthorized access and protecting users from being denied authorized access.
Without a strong lockout mechanism, the application may be susceptible to brute force attacks. After a successful brute force attack, a malicious user could have access to:

- Confidential information or data: private sections of a web application could disclose confidential documents, users' profile data, financial information, bank details, users' relationships, etc.
- Administration panels: these sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc.
- Opportunities for further attacks: authenticated sections of a web application could contain vulnerabilities that are not present in the public section of the web application and could contain advanced functionality that is not available to public users.
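The following is an added example, not part of this report and not the tested site's code. It puts the lockout mechanism described above (lock after a fixed number of consecutive failures, unlock after a predetermined period or by an administrator) next to the unrestricted login the report observed, and runs the same sequence of wrong guesses followed by the right password against both. The user name, password, salt, guess list, 5-attempt threshold and 15-minute lock period are all constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo credential store (one user); salt and password are
# placeholders for the example only.
_SALT = b"demo-salt-for-this-example"
CORRECT_PASSWORD = "correct horse battery staple"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash(CORRECT_PASSWORD)}


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    candidate = _hash(password)  # hash even for unknown users (same work either way)
    return stored is not None and hmac.compare_digest(stored, candidate)


class NoLockoutLogin:
    """Mirrors the tested site: every attempt is evaluated, nothing is counted."""

    def login(self, username, password, now=None):
        return "ok" if check_password(username, password) else "bad_credentials"


class LockoutLogin:
    """Locks an account after MAX_FAILURES consecutive failures for LOCK_SECONDS;
    the lock expires on its own, or an administrator can clear it earlier."""

    MAX_FAILURES = 5        # the report cites 3 to 5 as typical
    LOCK_SECONDS = 15 * 60  # predetermined lock period (assumed value)

    def __init__(self):
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unix time at which the lock expires

    def is_locked(self, username, now):
        return self.locked_until.get(username, 0) > now

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"  # refused without evaluating the password
        if check_password(username, password):
            self.failures.pop(username, None)  # success resets the counter
            return "ok"
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCK_SECONDS
            return "locked"
        return "bad_credentials"

    def admin_unlock(self, username):
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)


# Constructed guess list used to compare the two services.
WRONG_GUESSES = ["password", "123456", "alice", "qwerty",
                 "letmein", "admin", "welcome", "iloveyou"]


def attempt_sequence(service, username, guesses, now=0.0):
    """Submit guesses in order and report (outcome, attempts_submitted).
    Outcome is "compromised" if a guess was accepted, "locked" if the
    service refused further attempts, "exhausted" otherwise."""
    submitted = 0
    for guess in guesses:
        submitted += 1
        result = service.login(username, guess, now=now)
        if result == "ok":
            return "compromised", submitted
        if result == "locked":
            return "locked", submitted
    return "exhausted", submitted


if __name__ == "__main__":
    print(attempt_sequence(NoLockoutLogin(), "alice", WRONG_GUESSES + [CORRECT_PASSWORD]))
    svc = LockoutLogin()
    print(attempt_sequence(svc, "alice", WRONG_GUESSES + [CORRECT_PASSWORD], now=1000.0))
    print(svc.login("alice", CORRECT_PASSWORD, now=1000.0 + 60))           # still locked
    print(svc.login("alice", CORRECT_PASSWORD, now=1000.0 + 15 * 60 + 1))  # lock expired
```

The counter is keyed by account, so the lock holds whichever source the attempts come from, and a successful login clears it so legitimate users are not locked by stale failures. The trade-off the report mentions shows up in the `is_locked` branch: during the lock period the real owner is refused too, which is why the period is kept short and an administrator path exists.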

4.) Session Management

Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Websites and browsers use HTTP to communicate, and a session is a series of HTTP requests and transactions initiated by the same user. Typically, a session is started when a user authenticates their identity using a password or another authentication protocol. Session management involves the sharing of secrets with authenticated users, and as such, secure cryptographic network communications are essential to maintaining session management security.

In the opponent's website, after entering the credentials we are logged in and we get access to the content of the website, which displays the user's personal information. But after logging out, the status value of the session remains in the active state, so after pressing the back button we can still view the user info. In this way the session is not managed properly.

[Screenshots: Logging in; User info; Logged Out; After Pressing Back Button]
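The following is an added example, not part of this report and not the tested site's code. It models the logout defect described in this section (the server-side session stays active, so the back button and a replayed cookie still return the user's information) next to a store that invalidates the session on the server and marks the page non-cacheable, and it also checks the two session hijacking conditions from section 2: reuse of the same session ID from another client, and login with a "prepared" ID the client chose. The `Response` and `BrowserCache` classes, the user names and the URL are constructed for the demo.

```python
import secrets


class Response:
    """Tiny stand-in for an HTTP response (constructed for the example)."""

    def __init__(self, status, body, headers=None):
        self.status, self.body, self.headers = status, body, headers or {}


class BrowserCache:
    """Models what the back button shows: the last 200 response for a URL,
    unless the server sent Cache-Control: no-store."""

    def __init__(self):
        self.pages = {}

    def record(self, url, resp):
        if resp.status == 200 and "no-store" not in resp.headers.get("Cache-Control", ""):
            self.pages[url] = resp.body

    def back(self, url):
        return self.pages.get(url)


class WeakSessionApp:
    """Models the behaviour the report describes: logout leaves the server-side
    record active, a client-supplied ID is accepted, and the user page carries
    no cache directive."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": ..., "status": ...}

    def login(self, user, presented_sid=None):
        sid = presented_sid or secrets.token_urlsafe(32)  # adopts whatever the client sent
        self.sessions[sid] = {"user": user, "status": "active"}
        return sid

    def logout(self, sid):
        pass  # only the browser drops the cookie; the record stays "active"

    def profile(self, sid):
        rec = self.sessions.get(sid)
        if rec is None or rec["status"] != "active":
            return Response(401, "login required")
        return Response(200, f"personal info of {rec['user']}")


class HardenedSessionApp:
    """Mints a fresh ID at login, destroys the record at logout, and marks the
    user page non-cacheable."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, presented_sid=None):
        self.sessions.pop(presented_sid, None)  # never adopt a pre-set ID
        sid = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
        self.sessions[sid] = {"user": user, "status": "active"}
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)  # invalidate on the server, not just in the client

    def profile(self, sid):
        rec = self.sessions.get(sid)
        if rec is None:
            return Response(401, "login required")
        return Response(200, f"personal info of {rec['user']}",
                        headers={"Cache-Control": "no-store"})


def walkthrough(app):
    """Replays the report's steps (log in, view user info, log out, press back),
    then checks whether the old ID still works and whether a client-chosen ID
    is adopted at login. Returns a dict of outcomes."""
    cache = BrowserCache()
    sid = app.login("alice")
    first = app.profile(sid)
    cache.record("/profile", first)
    app.logout(sid)
    return {
        "logged_in_status": first.status,
        "back_button_shows_user_info": cache.back("/profile") is not None,
        "replayed_session_status": app.profile(sid).status,
        "client_supplied_id_adopted":
            app.login("bob", presented_sid="attacker-chosen-id") == "attacker-chosen-id",
    }


if __name__ == "__main__":
    print("weak:    ", walkthrough(WeakSessionApp()))
    print("hardened:", walkthrough(HardenedSessionApp()))
```

Two separate fixes are needed for the two symptoms: deleting the server-side record at logout is what stops a copied or replayed session ID from working afterwards, while `Cache-Control: no-store` on pages with personal data is what stops the back button from re-displaying them from the browser cache. Minting a new ID at authentication, rather than keeping one the client presented, closes the "prepared session ID" route mentioned in section 2.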
