BUG BOUNTY
Ignite Technologies
Introduction

Where we are today:
  Web Servers & Web Applications
  What is a Bug Bounty Program
  Web Penetration Testing & its Methodologies
  Introduction to OWASP
  Introduction to Burp Suite

What is a "Web Server"?

"A Web Server can be referred to as hardware or software, or both of them working together."

Major Web Servers:
  Apache Web Server
  IIS Web Server
  Nginx Web Server
  Google Web Server
Types of Web Servers

A Web Server has been categorized into 3 major types:
  Static Web Server
  Dynamic Web Server
  Content Management System (CMS)

Web Server Configuration

A Web Server must host the website's files, namely all HTML documents and their related assets, including images, CSS stylesheets, JavaScript files, fonts, and videos.

It must have the following services installed:
  Apache
  PHP
  phpMyAdmin
  MySQL
  FTP
  SSH

To set up an Apache server, click here.


Web Application

A Web Application is application software that runs on a web server. It includes online forms, shopping carts, word processors, spreadsheets, video and photo editing, file conversion, file scanning, and email programs such as Gmail, Yahoo and AOL. Popular applications include Google Apps and Microsoft 365.

Web Application Configuration

Let's set up and configure some vulnerable web applications (a setup guide is linked for each):
  DVWA (click here)
  bWAPP (click here)
  SQLi-Labs (click here)
  Mutillidae (click here)

What is a Bug Bounty Program

A Bug Bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

Platforms where you can hunt for the "bugs":
  HackerOne
  Bugcrowd

Web Security Assessment (Vulnerability Assessment)

SCOPING: Identify the scope and prepare a document with questionnaires asking the client for a clear scope.
PREPARE: Choose a way to connect to the host URL, prepare your attacking machine and select the tool of your choice.
SCANNING: Identify the vulnerability as per the OWASP Top 10 or a Web Checklist.
REPORT: Prepare a document on the basis of your findings and provide possible solutions to mitigate them.

Web Security Assessment (Penetration Testing)

PREPARE: Choose a way to connect to the host URL, prepare your attacking machine and select the tool of your choice.
VULNERABILITY ASSESSMENT: On the basis of the VA, penetration testing is performed.
EXPLOIT: Identify the vulnerability as per the OWASP Top 10 or a Web Checklist and exploit it by injecting malicious code.
REPORT: Prepare a document on the basis of your findings and provide possible solutions to mitigate them.
REPEAT.

What is "OWASP & its Top 10"

"OWASP or the Open Web Application Security Project is an international non-profit organization dedicated to web application security."

The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks.

OWASP refers to the Top 10 as an 'awareness document' and recommends that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks.

OWASP Top 10 (2013):
  1. Injection
  2. Broken Authentication & Session Management
  3. Cross Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Known Vulnerable Components
  10. Unvalidated Redirects and Forwards

OWASP Top 10 (2017) (New):
  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

#1 OWASP Top 10: Injection

"Injection attacks occur when untrusted data is sent to the code interpreter through a form input or some other data submission to a web application", e.g. SQL Injection.
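The following is an added Python example, not code from the Ignite deck, showing the Injection condition above for SQL: one login lookup splices the form input straight into the query text, the other binds it as a parameter. The database, table, user rows and crafted input are all constructed inline so the script runs offline (real applications store password hashes, not plaintext; plaintext is used here only to keep the demonstration short).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Untrusted input becomes part of the SQL text, so the interpreter cannot
    # tell where the data ends and the query logic begins.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Parameterised query: the SQL text is fixed and the driver binds the
    # values, so quote characters in the input remain plain data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo() -> dict:
    """Run both lookups with a normal login and with a constructed quote-breaking input."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input: closes the quote, appends an always-true clause
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "crafted_vulnerable": login_vulnerable(conn, "anyone", crafted),
        "crafted_safe": login_safe(conn, "anyone", crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the crafted input the string-built query returns every user, while the parameterised version returns nothing because it searched for a user literally named "anyone" with that odd password. Parameterisation is the fix; input filtering on its own is not, since the interpreter is still being handed concatenated text.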

#2 OWASP Top 10: Broken Authentication

"Broken Authentication is the vulnerability in (login) systems which allows the attacker to access user accounts and even gives the ability to compromise an entire system using an admin account."

#3 OWASP Top 10: Sensitive Data Exposure

"Web applications sometimes don't protect sensitive data, thus attackers can access that data and utilize it for malicious purposes. The best method to steal sensitive information is a man-in-the-middle attack."

#4 OWASP Top 10: XML External Entities (XXE)

"This is an attack against a web application that parses XML input." Many poorly configured XML processors evaluate external entity references within XML documents. Thus these external entities can be used to disclose internal files.
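Added Python example (not part of the Ignite deck) of the defensive side of the point above: an XML processor that refuses any document carrying a DOCTYPE or ENTITY declaration before it reaches the parser, so no external entity can be declared at all. The order documents and the entity-bearing input are constructed; the SYSTEM identifier uses a placeholder path rather than any real file.

```python
import re
import xml.etree.ElementTree as ET

# External entities can only be declared inside a DTD, so refusing DOCTYPE
# (and a stray ENTITY marker) up front removes the whole XXE class.  The match
# is case-insensitive even though expat only accepts uppercase; strictness is free.
_DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document contains DTD constructs."""


def parse_untrusted_xml(document: str) -> ET.Element:
    """Parse XML from an untrusted source with DTD processing disallowed.

    Assumption: the caller has already decoded the request body to str, so
    encoding tricks (for example a UTF-16 body hiding the marker bytes) are
    dealt with at that boundary, before this check runs.
    """
    if _DTD_MARKER.search(document):
        raise UnsafeXMLError("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(document)


def order_total(document: str) -> float:
    """Hypothetical consumer: sums the price attribute of each <item> in an <order>."""
    root = parse_untrusted_xml(document)
    return sum(float(item.get("price", "0")) for item in root.iter("item"))


def classify(document: str) -> str:
    """Report how the guarded parser treats a document: accepted, rejected or malformed."""
    try:
        parse_untrusted_xml(document)
    except UnsafeXMLError:
        return "rejected"
    except ET.ParseError:
        return "malformed"
    return "accepted"


# Constructed inputs.
BENIGN = '<order id="42"><item price="9.50"/><item price="0.50"/></order>'
XXE_ATTEMPT = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/internal/file">]>'
    '<order id="42"><item price="1.00"/><note>&xxe;</note></order>'
)

if __name__ == "__main__":
    print("benign:", classify(BENIGN), "total =", order_total(BENIGN))
    print("entity-bearing:", classify(XXE_ATTEMPT))
```

Rejecting DTDs is the blunt but reliable option when the application never needs them; where a library exposes a switch to disable external entity resolution, turning that off is the equivalent configuration fix.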

#5 OWASP Top 10: Broken Access Control

"Broken access controls allow attackers to bypass authorization and perform tasks as though they were privileged users such as administrators."
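Added Python example, not from the deck, contrasting a record lookup that only checks that the caller is logged in with one that also checks the caller is allowed to see that particular record (the object-level authorization that broken access control lacks). The invoice store, users and admin role are constructed names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed data store and role table.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}
ADMINS = {"carol"}


class Forbidden(Exception):
    """Raised when the requesting user is not authorised for the record."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    # Authenticated but never authorised: any logged-in user can read any
    # invoice just by changing the id in the request.
    return INVOICES[invoice_id]


def get_invoice_safe(session_user: str, invoice_id: int) -> Invoice:
    # Object-level check: the record must belong to the requester unless the
    # requester holds the admin role.  Missing and forbidden records raise the
    # same error so the response does not reveal which ids exist.
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv.owner != session_user and session_user not in ADMINS):
        raise Forbidden(f"user {session_user!r} may not read invoice {invoice_id}")
    return inv


def try_read(func, session_user: str, invoice_id: int) -> str:
    """Summarise the outcome of a lookup as 'ok:<owner>' or 'denied'."""
    try:
        return f"ok:{func(session_user, invoice_id).owner}"
    except (Forbidden, KeyError):
        return "denied"


if __name__ == "__main__":
    print("bob reads alice's invoice, vulnerable:", try_read(get_invoice_vulnerable, "bob", 1001))
    print("bob reads alice's invoice, safe:", try_read(get_invoice_safe, "bob", 1001))
    print("carol (admin) reads alice's invoice:", try_read(get_invoice_safe, "carol", 1001))
```

The check belongs server-side next to the data access, where the request's identity is known, not in the client or in the URL structure.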

#6 OWASP Top 10: Security Misconfiguration

"Security misconfiguration is the most common vulnerability on the list, and is often the result of using default configurations or displaying excessively verbose errors."

#7 OWASP Top 10: Cross-Site Scripting (XSS)

"Cross-site scripting vulnerabilities occur when web applications allow users to add custom code into a URL path or onto a website that will be seen by other users. This vulnerability can be exploited to run malicious JavaScript code in a victim's browser."
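Added Python example (not the deck's code) of the stored-XSS case described above and its fix: a guestbook page rendered from a user-supplied comment, once by inserting the text verbatim and once with HTML output encoding. The template and the comment are constructed.

```python
import html

# Constructed page template; {comment} is filled from user-supplied data.
TEMPLATE = '<html><body><h1>Guestbook</h1><p class="entry">{comment}</p></body></html>'


def render_vulnerable(comment: str) -> str:
    # Untrusted text is placed into the HTML verbatim, so any markup in it is
    # parsed as part of the page by every visitor's browser.
    return TEMPLATE.format(comment=comment)


def render_safe(comment: str) -> str:
    # Output encoding for the HTML text-node context: <, >, &, " and ' become
    # entities, so the browser displays the text instead of interpreting it.
    return TEMPLATE.format(comment=html.escape(comment, quote=True))


def contains_script_tag(page: str) -> bool:
    # Crude check used only to show the difference between the two renderings;
    # the browser's parser, not a string search, decides what really executes.
    return "<script" in page.lower()


STORED_COMMENT = 'Nice site! <script>alert("xss")</script>'  # constructed guestbook entry

if __name__ == "__main__":
    print(render_vulnerable(STORED_COMMENT))
    print(render_safe(STORED_COMMENT))
```

Encoding is context-specific: html.escape is right for text between tags and for quoted attribute values, but content placed inside a script block, a URL or a CSS rule needs the encoding rules of that context instead, which is why templating engines that escape by default are preferred over manual formatting.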

#8 OWASP Top 10: Insecure Deserialization

"This attack targets the many web applications that frequently serialize and deserialize data."

Serialization means taking objects from the application code and converting them into a format that can be used for another purpose, such as storing the data to disk or streaming it. Deserialization is just the opposite: converting serialized data back into objects the application can use.

An insecure deserialization exploit is the result of deserializing data from untrusted sources, and can result in serious consequences like DDoS attacks and remote code execution attacks.
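Added Python example (not from the deck) of two mitigations for deserializing untrusted input: preferring a data-only format (JSON) with a shape check, and, where a native object format must be kept, a restricted unpickler that refuses to resolve any class outside a small allow-list. The session object and the two pickles are constructed; datetime.date stands in for any class the application did not expect.

```python
import datetime
import io
import json
import pickle

# Constructed application object that is legitimately serialised between requests.
SESSION = {"user": "alice", "roles": ["editor"], "cart": [1001, 1002]}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only reconstructs a fixed allow-list of builtin containers.

    A pickle that references any other callable (the mechanism that turns
    deserialization into code execution) is refused before the lookup happens.
    """

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify_pickle(data: bytes) -> str:
    """'accepted' if the pickle only builds allow-listed types, else 'rejected'."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return "rejected"
    return "accepted"


def load_session_json(data: bytes) -> dict:
    # Preferred approach: a data-only format.  json.loads can only yield dicts,
    # lists, strings, numbers, booleans and None, never arbitrary objects, so the
    # only remaining job is to validate the shape the application expects.
    obj = json.loads(data)
    if not isinstance(obj, dict) or not isinstance(obj.get("user"), str):
        raise ValueError("session payload has unexpected shape")
    return obj


def json_session_ok(data: bytes) -> bool:
    try:
        load_session_json(data)
    except ValueError:
        return False
    return True


# Constructed payloads: a plain session pickle, and one that names a class
# outside the allow-list.
PLAIN_PICKLE = pickle.dumps(SESSION)
CLASS_PICKLE = pickle.dumps({"user": "alice", "when": datetime.date(2020, 1, 1)})

if __name__ == "__main__":
    print("plain pickle:", classify_pickle(PLAIN_PICKLE))
    print("pickle naming datetime.date:", classify_pickle(CLASS_PICKLE))
    print("json session:", load_session_json(json.dumps(SESSION).encode()))
```

The allow-list approach follows the pattern in the Python documentation for pickle; it narrows the damage but is still a last resort, and switching the wire format to JSON (or signing the serialized blob so only the server can produce it) removes the problem rather than containing it.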

#9 OWASP Top 10: Using Components With Known Vulnerabilities

"Many modern web developers use components such as libraries and frameworks in their web applications in order to avoid redundant work and provide needed functionality." Attackers look for vulnerabilities in these components which they can then use to orchestrate attacks.

#10 OWASP Top 10: Insufficient Logging And Monitoring

"Many web applications are not taking enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response."

OWASP recommends that web developers should implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.
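Added Python example (not from the deck) of the monitoring half of the recommendation above: a small detector run over web-server access-log lines that raises an alert when one source address produces repeated failed logins inside a short window, and notes whether a successful login followed. The log lines are constructed in Apache combined-log form with documentation-range addresses; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (not a real log): one address fails /login
# five times in ten seconds and then succeeds; another fails once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 401 532 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 401 532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /login HTTP/1.1" 401 532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:30 +0000] "POST /login HTTP/1.1" 401 532 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detector needs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """Alert on sources with >= threshold failed logins inside a sliding window.

    Each alert is (ip, window_start_iso, failure_count, success_followed).
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == "/login":
            (failures if status == 401 else successes)[ip].append(ts)

    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                followed = any(t > times[end] for t in successes[ip])
                alerts.append((ip, times[start].isoformat(), end - start + 1, followed))
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print("ALERT password guessing from %s starting %s: %d failures, success followed: %s" % alert)
```

Whether a success followed the burst is the detail that turns a noisy "many 401s" event into an incident worth responding to; it is only available if the application logs authentication outcomes at all, which is the logging half of the recommendation.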

Introduction to Burp Suite

"Burp" or "Burp Suite" is a set of tools used for penetration testing of web applications. Its tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

It is developed by the company named "PortSwigger."

Learn more about Burp Suite from here.
Initializing Burp Suite

"Burp Suite" on Kali Linux: Burp Suite is already installed by default in Kali Linux and can be opened from its menu.

"Burp Suite" on Windows: we can download the community edition of Burp Suite from here.
As soon as we boot up Burp Suite we'll be presented with its dashboard.

Burp Suite Configuration

Setting up the port and the address for Burp Suite to listen on: 127.0.0.1:8080

Browser Configuration

Configuring the browser's proxy to Burp Suite's address and port so that it sends the HTTP traffic through Burp:
  Manual Proxy Setup
  FoxyProxy Setup (download FoxyProxy from here)
Browser Configuration (HTTPS)

For HTTPS traffic, the Burp Suite CA certificate must be installed in the browser.

In Burp, turn "ON" the Intercept option to capture the ongoing request, with the proxy enabled in the browser. Browse to http://burp/ to download the certificate.

Importing the Burp Suite certificate into the browser.

Learn more about the Burp Suite certificate from here.

Burp Suite Tools: Proxy

To intercept the browser's request:
  1. Enable the proxy in the browser.
  2. Start Burp and go to the Proxy tab; ensure nothing is enabled in the initial phase.
  3. Open the target URL in the same browser where the proxy is enabled.
  4. In Burp, turn on the INTERCEPT option and navigate to the URL to capture its request in Burp.

Burp Suite Tools: Intruder

Burp Intruder is a fuzzer, which helps in brute forcing.

Burp Suite Tools: Repeater

Lets a user send requests repeatedly with manual modifications.

Burp Suite Tools: Decoder

Lists the common encoding methods like URL, HTML, Base64, Hex, etc.

Ignite Technologies

www.ignitetechnologies.in

info@ignitetechnologies.in
+91 959 938 7841
THANK YOU
