Computers, Programming, Technology, Music, Literature

Archive for the ‘Sqli’ Category

Beefing Up Security In ASP.NET at Dot Net Bangalore 3rd meet up on May 16 2015


Practical Security Testing For Developers Using OWASP ZAP at Dot Net Bangalore 3rd meet up on Feb 21 2015


Title: Practical Security Testing for Developers using OWASP ZAP
Abstract: Every application that faces the world wide web is exposed to attack. The attackers range from script kiddies and joyriders to hobbyists turned outright hostile. The earlier in the development cycle you find vulnerabilities, the cheaper they are to fix and to test. OWASP ZAP is a free and open source penetration testing tool for finding vulnerabilities in web applications; widely used by security professionals, it is also ideal for anyone new to web application security and includes features specifically aimed at developers. This session demonstrates attacks against web applications and shows how OWASP ZAP can be used to find those vulnerabilities, both manually and from automated builds.
Gist: See live attacks against web applications and how OWASP ZAP can be used to find those vulnerabilities, both manually and from automated builds.
Speaker: Marudhamaran Gunasekaran
Time & Venue: 21 Feb 2015 @ Dot Net Bangalore 2nd meet up

Devouring Security: OWASP ZAP – Successfully Ajax Spidering a website with Authentication


OWASP ZAP – Successfully Ajax Spidering a website with Authentication (Northwind Products Management)

0. Make sure you are proxying via ZAP (I love FoxyProxy)

1. Identify the session cookie

1.1 If the HTTP session is not identified automatically, use the Params tab and flag the cookie as a Session Token [alternatively, go to Tools –> Options... –> Http Sessions and add a session identifier]

1.2 Browse the site while logged in so that ZAP sees the cookie and lists the session

2. Set an active session from the Http Sessions tab

3. Identify and exclude the Log off request from the spider (and from the scanner and proxy, if required); otherwise the crawler will follow that link and log itself out
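The same three steps driven through ZAP's REST API instead of the UI, as an added example (not code from the original post or from the ZAP project). It assumes ZAP is listening on http://127.0.0.1:8080 with API key `changeme`, that the Northwind app's session cookie is named ASP.NET_SessionId, that `site` is the host[:port] entry shown in ZAP's Sites tree, and that the log-off page lives at /Account/LogOff; all four are placeholders. The component and action names (httpSessions, spider, ascan, core, ajaxSpider) are ZAP's own API endpoints; `fetch` is injectable so the request sequence can be checked without a running ZAP.

```python
import json
import re
import time
import urllib.parse
import urllib.request


class ZapApi:
    """Tiny client for ZAP's JSON API (GET /JSON/<component>/<view|action>/<name>/).
    `fetch` takes a URL and returns the decoded JSON; it is injectable so the
    request sequence can be audited offline without a running ZAP."""

    def __init__(self, base="http://127.0.0.1:8080", apikey="changeme", fetch=None):
        self.base = base.rstrip("/")          # assumption: ZAP's default listener
        self.apikey = apikey                  # assumption: placeholder API key
        self._fetch = fetch or self._http_get
        self.calls = []                       # (component, kind, name, params)

    @staticmethod
    def _http_get(url):
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def url(self, component, kind, name, **params):
        query = {k: v for k, v in params.items() if v is not None}
        query["apikey"] = self.apikey
        return f"{self.base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)

    def call(self, component, kind, name, **params):
        self.calls.append((component, kind, name, params))
        return self._fetch(self.url(component, kind, name, **params))


def logoff_regex(site_url, path="/Account/LogOff"):
    """Regex for ZAP's exclusion lists; dots in the host are escaped so
    'northwind.example' cannot match 'northwindXexample'. Path is an assumption."""
    return re.escape(site_url.rstrip("/") + path) + ".*"


def prepare_authenticated_spider(zap, site, cookie_name, cookie_value, exclude_regex,
                                 session_name="authenticated"):
    """Steps 1-3 of the post: declare the session token, register the logged-in
    cookie value as a named ZAP session, activate it, and keep the log-off
    request out of the spider, active scanner and proxy. Returns the call order."""
    # 1.1 Flag the cookie as the session token (Params tab / Options -> Http Sessions).
    zap.call("httpSessions", "action", "addSessionToken", site=site, sessionToken=cookie_name)
    # 2   A named session carrying the value copied from a logged-in browser, made active
    #     so every spider and scanner request is sent with that cookie.
    zap.call("httpSessions", "action", "createEmptySession", site=site, session=session_name)
    zap.call("httpSessions", "action", "setSessionTokenValue", site=site, session=session_name,
             sessionToken=cookie_name, tokenValue=cookie_value)
    zap.call("httpSessions", "action", "setActiveSession", site=site, session=session_name)
    # 3   Exclude the log-off URL everywhere, otherwise the crawler ends its own session.
    zap.call("spider", "action", "excludeFromScan", regex=exclude_regex)
    zap.call("ascan", "action", "excludeFromScan", regex=exclude_regex)
    zap.call("core", "action", "excludeFromProxy", regex=exclude_regex)
    return [name for _, _, name, _ in zap.calls]


def run_ajax_spider(zap, target_url, poll_seconds=2.0):
    """Start the Ajax spider on the target and block until its status leaves 'running'."""
    zap.call("ajaxSpider", "action", "scan", url=target_url)
    while zap.call("ajaxSpider", "view", "status").get("status") == "running":
        time.sleep(poll_seconds)
    return zap.call("ajaxSpider", "view", "results", start=0, count=1000).get("results", [])


if __name__ == "__main__":
    # Live run; the values below are assumptions about the Northwind target.
    TARGET = "http://northwind.example/"
    SITE = "northwind.example"            # host[:port] as listed in ZAP's Sites tree
    COOKIE = "ASP.NET_SessionId"
    VALUE = "paste-the-value-from-a-logged-in-browser"
    zap = ZapApi()
    prepare_authenticated_spider(zap, SITE, COOKIE, VALUE, logoff_regex(TARGET))
    for hit in run_ajax_spider(zap, TARGET):
        print((hit.get("requestHeader") or str(hit)).splitlines()[0])
```

Setting the token value explicitly replaces step 1.2: in the UI, ZAP picks the value up once you browse while logged in, but a script cannot rely on that, so it copies the cookie from a browser session and registers it itself. The exclusion regex is anchored on the full URL on purpose; a bare `LogOff` would also hide any page whose path merely contains that word.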

Good luck with your Ajax spidering in ZAP!

Marudhamaran Gunasekaran
renouncedthoughts.wordpress.com/
vimeo.com/gmaran23


 

Also available on YouTube as an official OWASP ZAP video tutorial. Not so HD compared to Vimeo. Thanks to Simon Bennetts for feedback and suggestions.


Written by gmaran23

August 29, 2014 at 4:42 pm

Posted in hacks, kali, linux, OWASP, security, Sqli

Sql Injection testing for QA (testers)


This video is for anyone who wants to know how to test an application for SQL injection. The content and presentation were focused on Quality Assurance personnel who are not penetration testers.

Agenda:
Context setting
Quick introduction:
  GET/POST/PUT/DELETE
  XML/SOAP/JSON
  Browser add-ons for easy proxy switching
  Intercepting proxies: Fiddler, OWASP ZAP, Burp Suite, ...?
Fuzzing and identifying vulnerable parameters
Code review pointers for buddy testing
Demonstration: Fiddler, ZAP, sqlmap, SQL Inject Me
First-hand experience with SQLi tools (Vijay/Shashank)
Feedback
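The "fuzzing and identifying vulnerable parameters" and "code review pointers" items above, as an added example in Python (not code from the video or from the author): a product lookup written by string concatenation next to its parameterised fix, and a small fuzzer that sends the same three probes a tester would type into Fiddler or ZAP's request editor and reports which indicators fire. The Products rows, the SQLite backing and the function names are constructed for the demo; against a real application `handler` would be an HTTP request, and "error" would be a 500 or a stack trace in the response body.

```python
import sqlite3

# Constructed sample rows standing in for the Northwind Products table.
PRODUCTS = [(1, "Chai", 18.0), (2, "Chang", 19.0), (3, "Aniseed Syrup", 10.0)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (ProductID INTEGER, ProductName TEXT, UnitPrice REAL)")
    db.executemany("INSERT INTO Products VALUES (?, ?, ?)", PRODUCTS)
    return db


def lookup_vulnerable(db, name):
    """String concatenation: the pattern to flag in a buddy code review.
    Deliberately injectable; input becomes part of the SQL text."""
    sql = "SELECT ProductName FROM Products WHERE ProductName = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db, name):
    """Parameterised: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT ProductName FROM Products WHERE ProductName = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def send(handler, value):
    """Normalise one request to what a tester sees: an error page or a result set."""
    try:
        return ("ok", handler(value))
    except sqlite3.Error as exc:          # real app: HTTP 500 or a stack trace in the body
        return ("error", str(exc))


def fuzz_parameter(handler, benign):
    """Fuzz one parameter with the three classic probes and return the indicators
    that fired. `benign` must be a value that yields a normal, non-empty result."""
    baseline = send(handler, benign)
    findings = []
    # Probe 1: a lone quote. An error where the baseline succeeded means the input
    # reached the SQL parser.
    if baseline[0] == "ok" and send(handler, benign + "'")[0] == "error":
        findings.append("error-based")
    # Probe 2: tautology. More rows than the baseline means the WHERE clause was rewritten.
    taut = send(handler, benign + "' OR '1'='1")
    if taut[0] == "ok" and baseline[0] == "ok" and len(taut[1]) > len(baseline[1]):
        findings.append("tautology")
    # Probe 3: boolean pair. A true condition keeps the baseline and a false one changes
    # it; this is the signal blind injection relies on when nothing else shows.
    true_case = send(handler, benign + "' AND '1'='1")
    false_case = send(handler, benign + "' AND '1'='2")
    if true_case == baseline and false_case != baseline:
        findings.append("boolean-blind")
    return findings


def compare(db, benign="Chai"):
    """Run the same probes against the vulnerable and the fixed lookup."""
    return {
        "vulnerable": fuzz_parameter(lambda v: lookup_vulnerable(db, v), benign),
        "fixed": fuzz_parameter(lambda v: lookup_fixed(db, v), benign),
    }


if __name__ == "__main__":
    print(compare(make_db()))
```

The order of the probes mirrors how a tester escalates: a quote alone tells you the parameter is worth time, the tautology shows data leakage, and the true/false pair is what you fall back on when the application swallows errors and shows fixed-size pages, which is also the mode sqlmap automates.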

 

Related Blogs/Videos/Downloads:

Devouring Security – Sql Injection Part 2 | http://vimeo.com/85256464
Devouring Security – Sql Injection Part 1 | http://vimeo.com/83658524

FoxyProxy
Chrome extension (open from Chrome) – https://chrome.google.com/webstore/detail/foxyproxy-standard/gcknhkkoolaabfmlnjonogaaifnjlfnp?hl=en
Firefox extension (open from Firefox) – https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Fiddler – http://www.telerik.com/download/fiddler

OWASP ZAP – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

sqlmap – http://sqlmap.org/

ActivePython – http://www.activestate.com/activepython/downloads

Mantra browser – http://www.getmantra.com/download.html

Written by gmaran23

May 9, 2014 at 10:39 pm

Devouring Security: Sql injection exploitation and prevention part 2


Devouring Security: Sql injection exploitation and prevention part 1



I will upload the slide deck shortly, after the completion of Sql injection exploitation and prevention part 2. For those of you who were asking for it, here’s the screen recording.

Written by gmaran23

January 14, 2014 at 12:40 am