Q. What is Hacking?
Hacking is the art or technique of finding and exploiting a security loophole in
an infrastructure such as a website, a piece of software, a computer, or even a
human being; the person who does it is called a hacker.
Q. What do loopholes in a system mean?
In technical terms, a loophole is a part of a system which is not properly
defined or secured and which can therefore be exploited to make the system do
unintended things.
Q. What is Unethical Hacking?
When a hacker uses his knowledge to steal from or cause damage to other people,
it is known as unethical hacking. Like stealing, unethical hacking is a crime,
and if caught, the offender will be arrested and tried in court.
Q. What is Ethical Hacking?
When a hacker helps organisations or individuals find security loopholes and
fix them, with their permission, it is referred to as ethical hacking. This is
legal because you take permission from the system owner, and your motive is not
to cause harm or steal but to secure the system.
Q. What is considered a cyber crime according
to Indian Judiciary system?
The Indian cyber laws and the Indian IT Act classify cybercrimes into two broad
categories. An activity is considered a cybercrime if:
1. A computer is used to attack other computers. For example: hacking,
virus/worm attacks, DoS attacks, etc.
2. A computer is used as a weapon to commit real-world crimes. For example:
cyber terrorism, IPR violations, credit card fraud, EFT fraud, pornography, etc.
This basically means that any unlawful use of a computer/device is considered a
cybercrime.
For Windows users:
- Press Windows+R to open the Run dialog box.
- Type cmd and press Enter.
- Type nslookup, a space, and the domain name you want the IP address for (for
example google.com), then press Enter.
This will give you the most recent IP addresses of Google.
HTTP: HTTP stands for
Hyper Text Transfer Protocol and it is used to transfer hyper text, which means
web pages.
HTTPS: This is the secure version of HTTP, where the S stands for secure; it is
used to transfer web pages in a secured way. Most websites that we visit, like
Internshala, Amazon, Google, etc., use HTTPS and not HTTP.
The fact that it is secured means that all
communications between your browser and the website you are connected to, will
be encrypted.
You can see this in the address bar located at
the top of the browser.
FTP: FTP stands for File Transfer Protocol and is
used while transferring files.
SMTP: SMTP stands for Simple Mail Transfer Protocol and, as the name suggests,
it is used to send emails from one device to another. But when you open Gmail,
or compose and send an email, does your address bar show SMTP or HTTPS? Try it
and find out for yourself, and look out for the reason somewhere in this topic.
Telnet: This protocol is used to remotely run system
commands on the server.
SSH: SSH is Secure Shell and is like a secure or
encrypted version of Telnet.
VOIP: This stands for Voice Over Internet Protocol
and is used for making a voice call over the internet.
OSI Model
So far we have seen the TCP/IP model. That is actually a derived model, and it
is the one used today; the original model on which the TCP/IP model was based
is called the OSI model. This model has 7 layers instead of the 4 we see in the
TCP/IP model. The essential overall function of both models remains the same;
in the OSI model the work has simply been split into 7 layers.
Now let us look at the function of each layer of the OSI model in detail.
Just like in the TCP/IP model, the data in the OSI model also passes from layer
7 to layer 1 at the sender's end and from layer 1 to layer 7 at the receiver's
end.
Application Layer- This layer provides an interactive interface for the user to
enter and view data. Input can be given in the form of text, audio, images,
files, etc. The browser makes up the application layer.
Presentation Layer- After the application layer, the data passes to the
presentation layer. This is where the data is converted into a computer-friendly
format, i.e. into binary code. So the presentation layer encodes the input,
compresses it, and encrypts it if required. Then the data is sent to the next
layer.
Session Layer- This layer initiates a connection and creates a session, so that
some context can be provided to the communication between the two devices.
Transport Layer- This layer establishes application-level connectivity. For
this, it attaches the source and destination port numbers. It also performs
error control: it computes a check value that can be verified at the receiving
end to ensure that all the data was transferred properly and not corrupted on
the way. These check values are known as checksums.
Network Layer- At the network layer, the source and destination IP addresses are
attached, to identify the devices and to decide the virtual path the data packet
needs to take. So we can say that this layer does network-level routing and
pathing of packets.
Data Link Layer- This layer attaches the source and destination MAC addresses,
which identify the hardware of the device. It also calculates checksums for
error checking of the metadata attached at all the previous layers, and manages
the flow of data.
Physical Layer- This is where the data is converted to hardware-friendly
signals, like radio signals, light signals, or electric signals, depending on
the hardware being used for data transfer.
This is the order in which the data passes at
the sender’s end. At the receiver’s end, the order of the layers is reversed.
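To make the layering concrete, here is an added Python example (not part of the course notes) that simulates the sender's stack from layer 4 down to layer 2 and the receiver's stack back up: it attaches port numbers, IP addresses and MAC addresses as the text describes and verifies a checksum at the transport and data-link layers, so a frame damaged in transit is rejected instead of being passed up. The addresses, the "|"-separated header format and the use of CRC-32 as the checksum are simplifications assumed for the example; real TCP/IP headers are binary and use their own checksum algorithms.

```python
import zlib

# Constructed sample addresses for the two endpoints (not from the page).
SRC_MAC, DST_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"
SRC_PORT, DST_PORT = 51000, 443


def crc(data: bytes) -> str:
    """CRC-32 as 8 hex digits; stands in for the checksums the text describes."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


# --- sender's side: layer 4 -> layer 3 -> layer 2 ---------------------------

def transport_encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4: prepend source/destination ports plus a checksum over the segment."""
    body = f"{src_port}|{dst_port}|".encode() + payload
    return crc(body).encode() + b"|" + body


def network_encapsulate(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Layer 3: prepend source/destination IP addresses (used for routing)."""
    return f"{src_ip}|{dst_ip}|".encode() + segment


def datalink_encapsulate(packet: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Layer 2: prepend MAC addresses and append a frame check sequence that
    covers every header added by the layers above, not just the payload."""
    frame = f"{src_mac}|{dst_mac}|".encode() + packet
    return frame + b"|" + crc(frame).encode()


# --- receiver's side: layer 2 -> layer 3 -> layer 4 -------------------------

def datalink_decapsulate(frame: bytes):
    body, fcs = frame.rsplit(b"|", 1)
    if crc(body).encode() != fcs:
        raise ValueError("frame check sequence mismatch: frame damaged in transit")
    src_mac, dst_mac, packet = body.split(b"|", 2)
    return src_mac.decode(), dst_mac.decode(), packet


def network_decapsulate(packet: bytes):
    src_ip, dst_ip, segment = packet.split(b"|", 2)
    return src_ip.decode(), dst_ip.decode(), segment


def transport_decapsulate(segment: bytes):
    checksum, body = segment.split(b"|", 1)
    if crc(body).encode() != checksum:
        raise ValueError("transport checksum mismatch: segment damaged in transit")
    src_port, dst_port, payload = body.split(b"|", 2)
    return int(src_port), int(dst_port), payload


def send(payload: bytes) -> bytes:
    """Run the payload down the sender's stack and return the bytes 'on the wire'."""
    segment = transport_encapsulate(payload, SRC_PORT, DST_PORT)
    packet = network_encapsulate(segment, SRC_IP, DST_IP)
    return datalink_encapsulate(packet, SRC_MAC, DST_MAC)


def receive(frame: bytes) -> bytes:
    """Run the frame up the receiver's stack, verifying each checksum on the way."""
    _, _, packet = datalink_decapsulate(frame)
    _, _, segment = network_decapsulate(packet)
    _, _, payload = transport_decapsulate(segment)
    return payload


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate a transmission error by flipping one bit of the frame."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


def is_rejected(frame: bytes) -> bool:
    """True if the receiver's checksum checks refuse the frame."""
    try:
        receive(frame)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    wire = send(b"GET / HTTP/1.1")
    print(wire.decode())
    print(receive(wire))
    print(is_rejected(flip_bit(wire, 40)))  # bit flipped inside the IP header
```

Printing the wire bytes shows the order the text describes: MAC addresses outermost, then IP addresses, then ports and the transport checksum, then the application data, with the data-link check sequence at the end. Flipping any bit, whether in a header or in the payload, makes the receiver reject the frame.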
Uses of proxy servers:
General users:
1. Obscure their IP
2. Avoid surveillance
3. Bypass browsing restrictions
4. Access resources as if from a different country
Developers:
1. Monitoring web traffic
2. Troubleshooting web applications
Network administrators:
1. To block malicious traffic
2. To balance overflowing traffic
Here are some key pieces of information that a security expert usually
gathers about a website:
1. Related domains and subdomains
2. Technology and programming languages being used
3. Cached pages
4. Website history
5. Publicly indexed files on search engines
6. Default pages and login forms
7. Related IP addresses
8. Other services running on those IP addresses
9. Versions of the services/software being used
10. Publicly disclosed vulnerabilities in the software being used
11. Default users
12. Default passwords
13. Valid email address and usernames
Gathering targeted information about people
1. Name- How to find out full names and their related information:
Social media platforms
Professional platforms
2. Email- How to find out the name behind an email address:
Forgot password pages
Services linked to that email
Google search
3. Mobile numbers- How to find out the name behind a phone number:
Login and forgot password pages
Google search
Gathering targeted information about organisations
1. How to find information about an organisation:
Social media platforms
Company review services
Organisation financial analysis services
Gathering information about websites and web servers
1. Getting an idea about the technology being used by websites and web servers:
Important sections:
Frameworks: to see the programming languages used
Hosting providers: to see where the website is hosted
Webserver: to see the server software being used
2. Going through the history of a website, to see how the website looked in the
past and the features, additions and deletions made over time:
Important sections:
Go to the year you want to see
Check out screenshots taken on any day, and also see the website as it was on
that day
3. Finding out subdomains related to a domain
Important sections:
Host Records (A): to see a list of all the subdomains of a given domain.
Web servers can be of various types. Each one has a specific function,
and hence a specific configuration. Let us read about some of the most common
web servers.
Application Server- This server executes the main business logic of the
application. Whenever the user requests something, the application server runs
the code written by the developer.
Database Server- A database server is the system where all the data is stored.
Whenever the user requests some data, it is fetched from the database server.
The data is stored here in an efficient and secure manner.
Backup Server- This server helps us create backups for files, data, etc. This is
done to prevent the loss of data in case of an unexpected failure. A backup
server can also act like the secondary server, in case the primary
server is down.
DNS Server- The Domain Name Server manages the domain names and their IP
addresses. The main function of a DNS server is to map a domain name to its
respective IP address.
Mail Server- A mail server is used for sending and receiving emails. Some of
the protocols used for this transfer are SMTP, POP, IMAP, etc. The Microsoft
Exchange Server is an example of a mail server.
Depending on the size of the web application, all these servers can be
present on one physical server or on separate servers.
Server OS- Just like every computer has an operating system, similarly the
computer that hosts the website also needs to have an OS.
Examples are Linux, Windows, IBM AIX, etc.
Server Software- Every website needs to handle the incoming requests of its
users. A request could be for a web page on the website or for any other
functionality the website provides. To serve it, the server needs to run the
code of the website to generate a response for the user, and the software that
handles all of this is called the server software.
Examples are Apache, nginx, IIS, etc.
Programming Language- Every website has a backend
part which is basically written as lines of code, using a programming language.
So, the web server architecture includes a particular programming language that
is used to write this code.
Examples are: PHP, Python, Perl, Ruby, ASP (.NET), JSP, etc.
Database Software- Every website has users and it stores the
information of these users in the database. So your login credentials, your
preferences, cart items in case of an e-commerce, or any other details that you
provide while accessing a website is stored in the database in a secure and
efficient manner. And to access this data from the database, a software is required.
This is known as the database software.
Examples are: MySQL, MS SQL, MongoDB, Cassandra, PostgreSQL, etc.
Front End Components- Every website has a frontend, or user interface, which is
what the user sees in the browser while browsing the website. So there needs to
be a front-end language to write the front-end code.
Examples are: HTML, JavaScript, jQuery, CSS, Bootstrap, etc.
Add
$a=50;
$b=90;
echo $a+$b;
Output: 140
Subtract
$a=50;
$b=90;
echo $a-$b;
Output: -40
Product
$a=50;
$b=90;
echo $a*$b;
Output: 4500
Divide
$a=5;
$b=2;
echo $a/$b;
Output: 2.5
Modulus (remainder)
$a=11;
$b=2;
echo $a%$b;
Output: 1
Exponential
$a=2;
$b=3;
echo $a**$b;
Output: 8
Concat (join)
$a=50;
$b=90;
echo $a.$b;
Output: 5090
You can also combine these into complex arithmetic expressions, as in maths.
An example is: $a+($b+$c/($d**($a-$d)))
It follows the BODMAS rule (operator precedence) when solving the expression.
Try out all these arithmetic operators.
Comparison Operators
Now, let us look at comparison operators.
The output for these operations is always true or false.
These are:
$a==$b (check if two values are equal)
$a>$b (greater than)
$a<$b (less than)
$a>=$b (greater than or equal to)
$a<=$b (less than or equal to)
$a!=$b (not equal)
So in the first operator ($a==$b), if the value of variable ‘a’ is not
equal to variable ‘b’, the output will be false. And if it is, the output will
be true.
The same holds true for all these comparison operators.
Logical Operators
Here is a list of some logical operators that can be used.
And
Or
Xor
|| (or)
&& (and)
! (not)
Q1. Write a program for a calculator with all other operations
like add, subtract, multiply, divide, exponent, concat, modulus, triggered by
separate buttons in the form instead of a text field.
<html>
<head>
<script>
// appends the clicked button's value to the display field
function dis(val)
{
document.getElementById("result").value+=val
}
// evaluates the expression in the display and shows the result
// note: eval() runs whatever is in the field as JavaScript, so it must only
// ever be fed the text typed by the person at the keyboard, never anything
// that arrives from a URL parameter or another user
function solve()
{
let x = document.getElementById("result").value
let y = eval(x)
document.getElementById("result").value = y
}
// clears the display
function clr()
{
document.getElementById("result").value = ""
}
</script>
<!-- for styling -->
<style>
input[type="button"]
{
background-color:#0981F0;
color: black;
border: solid black 1px;
width:100%
}
input[type="text"]
{
background-color:white;
border: solid black 2px;
width:100%
}
</style>
</head>
<!-- create table -->
<body>
<table border="1">
<tr>
<td colspan="3"><input type="text" id="result"/></td>
<!-- the c button calls clr() to clear the display -->
<td colspan="2"><input type="button" value="c" onclick="clr()"/> </td>
</tr>
<tr>
<!-- create button and assign value to each button -->
<!-- dis("1") will call function dis to display value -->
<td><input type="button" value="1" onclick="dis('1')"/> </td>
<td><input type="button" value="2" onclick="dis('2')"/> </td>
<td><input type="button" value="3" onclick="dis('3')"/> </td>
<td><input type="button" value="/" onclick="dis('/')"/> </td>
<td><input type="button" value="%" onclick="dis('%')"/> </td>
</tr>
<tr>
<td><input type="button" value="4" onclick="dis('4')"/> </td>
<td><input type="button" value="5" onclick="dis('5')"/> </td>
<td><input type="button" value="6" onclick="dis('6')"/> </td>
<td><input type="button" value="-" onclick="dis('-')"/> </td>
<td><input type="button" value="^" onclick="dis('**')"/> </td>
</tr>
<tr>
<td><input type="button" value="7" onclick="dis('7')"/> </td>
<td><input type="button" value="8" onclick="dis('8')"/> </td>
<td><input type="button" value="9" onclick="dis('9')"/> </td>
<td><input type="button" value="+" onclick="dis('+')"/> </td>
<td><input type="button" value="*" onclick="dis('*')"/> </td>
</tr>
<tr>
<td><input type="button" value="." onclick="dis('.')"/> </td>
<td><input type="button" value="0" onclick="dis('0')"/> </td>
<!-- the = button calls solve() to evaluate the expression -->
<td colspan="3"><input type="button" value="=" onclick="solve()"/> </td>
</tr>
</table>
</body>
</html>
Vulnerability- Explanation
Injection- These flaws allow a hacker to inject his own server-side code or
commands into the web server, which can provide illegal access to the data.
Broken Authentication and Session Management- These flaws generally arise when
application functions related to security and session management are not
implemented properly, which allows hackers to bypass authentication mechanisms.
For example: login.
Cross Site Scripting (XSS)- One of the most common flaws, in which hackers
inject code such as HTML or JS directly into web pages, allowing them to deface
websites and steal data from users who trust those websites.
Insecure Direct Object References (IDOR)- These flaws can have severe impact:
with IDORs, hackers get access to objects in the database that belong to other
users, which allows them to steal or even edit other users' critical data on the
website. They can either steal that information or even delete someone's
account.
Security Misconfigurations- Again one of the most common flaws, arising when
developers/administrators forget to securely seal an application before making
it live. Common flaws under this heading include keeping default passwords,
default pages, etc.
Sensitive Data Exposure- These flaws occur when websites fail to protect
sensitive data like credit card information, passwords, etc., which allows
hackers to steal it and may lead to credit card fraud or identity theft.
Missing Function-Level Access Controls- These flaws occur when security controls
are not implemented properly on both the user interface and the server, i.e. the
front end and back end respectively. This allows hackers to bypass security and
gain restricted access.
Cross Site Request Forgery- This vulnerability allows a hacker to send forged
requests on behalf of a trusted user, so the hacker can act as that user. For
example, telling the bank server to transfer money from X to Y on the victim's
behalf, and the bank server accepting it.
Using Components with Known Vulnerabilities- Certain applications or their
components are known to have vulnerabilities. If anyone is using them, it
becomes easy for hackers to exploit those vulnerabilities and steal user data;
for example, an older version of Windows Server can be exploited using exploit
code that is available online.
Unvalidated Redirects and Forwards- This flaw redirects users from a trusted
website to a malicious website, which allows hackers to steal sensitive user
information. For example, a user visits website A, which he trusts, but is
redirected to website X, which hosts malware; because the user trusts A, he
ends up trusting X.
Q. What are injections?
Ans. These are vulnerabilities through which attackers gain illegal access to
data. They allow attackers to insert their own commands/code directly into the
web server.
Q. What is SQL?
SQL stands for Structured Query Language and is used to query data from a
database. It is how programs communicate with the database software to retrieve
data from, or store data in, databases.
Q. What is a database?
A database is the part of the database software in which all the application
information, like user information, messages, posts, etc., is kept in a
structured, easy-to-access and secured way. Databases contain tables; tables
contain columns and rows, and each row has separate cells storing data against
a specific column in a specific format.
Q. How is SQL used to communicate with database software?
SQL is a language used inside server-side programming languages to communicate
with database software in order to save data in databases and retrieve it later.
Q. What are the three types of commands used in MySQL?
Data Definition Language (DDL):- These commands define the structure of the
data, like how and where it will be stored. They are used to create databases
and tables and to define the structure of tables and columns. Examples include:
CREATE TABLE, ALTER TABLE, DROP TABLE.
Data Manipulation Language (DML):- These commands manipulate data that already
exists in a table, or insert new data (rows) into a table. They are used to
edit, delete and create rows. Example commands: INSERT INTO <table>, UPDATE
<table> (rows) and DELETE FROM <table> (rows).
Data Query Language (DQL):- These commands query data from the database, i.e.
fetch the required data. They are used to fetch data from all rows, fetch
specific data, sort data and even calculate values across rows. Examples:
SELECT <columns> FROM <table>, ORDER BY <column>.
Concat Function:
The SQL CONCAT function joins two strings into a single string within a single
row. So while extracting usernames and passwords, you generally do something
like this (assuming column 3 is the one shown in the output):
For usernames:
id=1' UNION SELECT 1,2,username,4 from users--+
For passwords:
id=1' UNION SELECT 1,2,password,4 from users--+
But with concat(), you can get both in a single column like this:
id=1' UNION SELECT 1,2,concat(username,password),4 from users--+
Note that there will be no space between them, but you can add a dash like
this:
id=1' UNION SELECT 1,2,concat(username,' - ',password),4 from users--+
GROUP_CONCAT
The GROUP_CONCAT() function in MySQL concatenates data from multiple rows into
one field.
Example query:
union select 1,group_concat(table_name),3,4 from information_schema.tables--+
In the query above we fetch all the tables present in the database in a single
query. This is very helpful when a website shows only one table at a time but
we want to extract all the tables.
SQL_Injection
Burp-suite
SQL-mapping
So far, we have learnt 3 types of SQL injections:
1. Basic Authentication Bypass
2. GET-based SQL Injections
3. POST-based SQL Injections
Practising these SQL injection methods is a good way to get started, but there
are other SQL injection methods that you should know of. So we will briefly
explain 3 more SQL injection methods which you may encounter while researching
or practising.
Error Based SQL Injections:
Sometimes we cannot exploit an SQL injection vulnerability simply by using the
UNION command. This may be because of security checks in place or because of
the complexity of the code. So to perform error-based SQL injection, we make the
website throw SQL errors through which we can extract critical information.
Different database servers need different approaches to error-based SQL
injection, as the errors they throw are different in nature.
For a better understanding, let us look at the example below:
In Microsoft SQL Server there is an SQL function called convert(), which
converts the second parameter to the data type given in the first parameter.
The syntax is: convert(<data type>,<value>)
This means that if we use convert(int,'145'), the output will be 145.
But what if we try to convert a value which is not valid for that data type,
like this: convert(int,'abcd')
As you might have expected, the server will throw an error saying:
"Cannot convert string 'abcd' into an int"
Our motive is to perform SQL injection. So instead of convert(int,'abcd') we
ask the SQL server to evaluate convert(int,db_name()). db_name() is the SQL
Server equivalent of database(); suppose the database name is
'secret_database'. If we try to convert it, the server will throw an error
saying:
"Cannot convert 'secret_database' into int"
Now, if a website displays messages showing SQL errors, this means we can
definitely perform SQL injection there. Using SQL injection, we can easily
retrieve the name of the database, and once the database name is known we can
fetch the names of the tables and columns, and finally the data too. These SQL
injections are referred to as error-based SQL injection, where we perform SQL
injection when a web application throws an SQL error.
Boolean Based Blind Injections:
To understand this injection, let's split the name into Boolean + Blind
Injection.
Boolean, in programming, simply means True or False. This means that while
performing these injections, we ask the server to respond with either true or
false.
The second part is Blind Injection, or Blind SQL injection. As the name
suggests, these injections are used where we are able to fetch critical data
but the extracted data is not visible on the website (hence the name blind),
which may be due to how the website is built.
Combining both parts: in Boolean-based blind injection, we perform SQL injection
by asking the server True or False questions and, on the basis of the response,
extract crucial information.
Let's look at the example below:
Suppose we want to fetch the name of a student from a website. We would simply
use this SQL query:
Select name from students where id=121
The output will be the name of the student with id 121.
Now, to perform Boolean-based blind injection, we use the AND operator. Look at
the query below, where we have used a Boolean-based blind injection to fetch
the name of the student:
Select name from students where id=121 AND 1=1+
As 1 equals 1 is universally true, the output will be the name of the student.
So how is this injection different from the others, given that we are just
extracting the same information in a different way?
Well, what if we use this query instead:
Select name from students where id=121 AND 1=0+
1 can never be equal to zero, so the output will be blank. This is where
Boolean-based blind injection comes into play. This is how the query will look:
Select name from students where id=121 AND
(get_first_character_of(password))='a'--+
Look carefully: this time we are asking the server to tell us, as 'true' or
'false', whether the first character of the password is 'a'. If the output
shows the student name, the password starts with 'a' and we can proceed in a
similar way to fetch the complete password; if there is no output, the password
must start with some other letter. This is how Boolean-based blind injections
are performed.
Time Based Blind Injections:
These injections are used in cases where we fail to extract data using either
UNION-based or error-based SQL injection and cannot ask the website True or
False questions either. So, in order to extract critical information, we tamper
with the server's response time.
Whenever a request is made to the server, it takes some time to fetch the
information and deliver it to us; this is called the response time. If we can
influence this response time, we can extract crucial information.
The syntax of time-based blind injection is similar to that of Boolean-based
blind injection. Look at the query for a time-based blind injection:
Select name from students where id=121 AND (if the 1st character of the
password = 'a' then sleep for 10 seconds)--+
Here we are asking the server to tell us the first character of the password.
If the password starts with 'a', the server will sleep for 10 seconds, which
means the response time increases by 10 seconds. If the password does not start
with 'a', the server will take its usual response time. In a similar way, we
can work out the whole password. This is how time-based blind injections are
performed.
Using this injection has a lot of disadvantages. Firstly, as you can see, every
time we make a request to the server it sleeps for 10 seconds, so this
injection takes a lot of time. Secondly, the response time also depends on the
speed of the internet connection. If the connection drops in between, it will
increase the response time and hence lead to faulty results.
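Seen from the defender's side, each of the three techniques above leaves a recognisable trace in the web server's access log: the UNION keyword, a tautology such as 1=1 after AND/OR, or a call to a delay function. The following added Python example (not part of the course material) decodes the query string of constructed log lines and flags the UNION-based, Boolean-based and time-based patterns described above. The log lines, client addresses and rule set are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in the common Apache/nginx format (not from the page).
# Line 1 is an ordinary request; lines 2-4 carry the UNION-based, Boolean-based and
# time-based patterns described in the text, URL-encoded the way a browser sends them.
SAMPLE_LOG = """\
192.0.2.1 - - [10/Oct/2023:13:55:36 +0000] "GET /student.php?sid=121 HTTP/1.1" 200 512
192.0.2.2 - - [10/Oct/2023:13:55:40 +0000] "GET /student.php?sid=121%27%20UNION%20SELECT%201,2,concat(username,password),4%20from%20users--+ HTTP/1.1" 200 640
192.0.2.3 - - [10/Oct/2023:13:55:44 +0000] "GET /student.php?sid=121%20AND%201=1 HTTP/1.1" 200 512
192.0.2.4 - - [10/Oct/2023:13:55:49 +0000] "GET /student.php?sid=121%20AND%20sleep(10)--+ HTTP/1.1" 200 512
"""

# The request line inside the quotes: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# One rule per injection style from the text. They are matched against the
# *decoded* query string, because %20 / + encoding would otherwise hide them.
RULES = {
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "boolean-based": re.compile(r"\b(and|or)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "sql-comment": re.compile(r"--|#|/\*"),
}


def decode_target(target: str):
    """Split the request target into path and URL-decoded query string."""
    path, _, query = target.partition("?")
    return path, unquote_plus(query)


def classify(query: str):
    """Names of the rules that fire on a decoded query string, in sorted order."""
    return sorted(name for name, rx in RULES.items() if rx.search(query))


def scan_log(text: str):
    """Return (client_ip, path, decoded_query, categories) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        path, query = decode_target(match.group("target"))
        categories = classify(query)
        if categories:
            hits.append((client_ip, path, query, categories))
    return hits


if __name__ == "__main__":
    for ip, path, query, cats in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {cats}: {query}")
```

Two practical notes: the decoding step matters, because the "--+" the text uses arrives as "--%2B" or "--+" and the spaces as "%20" or "+", so a rule that looks at the raw log line will miss them; and rules this simple are noisy on free-text parameters (any search box that accepts "and" or "or"), so treat the output as a triage list to be correlated with response sizes and timings rather than as proof of an attack. Time-based probes in particular are better confirmed by the response-time column of the log than by the query text alone.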
sqlmap: https://github.com/sqlmapproject/sqlmap/wiki/Usage
If a hacker finds a website where he can inject code like HTML or JS directly
into the web pages, allowing him to control how the website looks to a user,
which one of the OWASP top 10 web vulnerabilities is this?
A. Injection
B. Insecure Direct Object Reference (IDOR)
C. Cross Site Request Forgery (CSRF)
D. Cross Site Scripting (XSS)
Correct Answer: D. Cross Site Scripting (XSS)
Cross Site Scripting is an attack where the attacker injects a malicious script
directly into a vulnerable application. This happens when an application takes
some input from a user and then prints it somewhere else on the website (for
example, the name entered during user registration). If the website does not
block special characters, an attacker can inject HTML/JS code in the parameter
(for example, the name can be <h1>hacked by bulla</h1>), and when a user visits
the page where the parameter is printed, the attacker's code gets executed in
the victim's browser.
Question 2 (1 Mark)
Vulnerability Assessment is where a hacker or a security expert exploits a
vulnerability and tests the damage caused by it.
A. True
B. False
Correct Answer: B. False
Vulnerability Assessment is a phase where a hacker or a security expert tries
to find all the vulnerabilities in a system. Penetration Testing, on the other
hand, is where a hacker or a security expert exploits a vulnerability and tests
how much damage he can cause using that vulnerability.
Question 3 (1 Mark)
A pentester found a vulnerability on a website where he can get all the
sensitive information of a user by just changing the alphanumeric user ID in
the URL. What kind of attack is this?
A. Injection
B. Cross Site Request Forgery (CSRF)
C. Insecure Direct Object References (IDOR)
D. Open Redirection
Correct Answer: C. Insecure Direct Object References (IDOR)
IDOR is when an application provides direct access to sensitive data of other
users based on user-supplied input in a parameter. For example, let's say that
to view your account information, the netbanking website redirects you to the
following URL: lenabank.com/account_information.jsp?acc_no=9088765543467. You
can then try putting a different account number in the acc_no parameter, and if
you get the data of that account, which belongs to someone else, it is an IDOR
flaw, as acc_no (which can be edited by the user) refers directly to the
account information in the bank's database.
Question 4 (1 Mark)
Given below is an SQL query which is vulnerable to SQL injection:
SELECT * FROM students where Id=("$sid") order by id;
The URL is x.com/student.php?sid=1, and the sid parameter is sent to the query
as shown above. Which of the following payloads will show the student
information for all the students?
A. ' or '1'='1
B. " or "0"="0
C. or 0=0--+
D. None of the above
E. All of the above
Correct Answer: D. None of the above
In the given query, whatever we enter goes in here: Id=("HERE"). If you notice
carefully, if we simply put a double quote and start writing our query after
it, the injection happens: Id=("abcd" HERE"). But we are still inside the
brackets and have to close them too, hence the correct payload will be:
abcd") or ("1")=("1
With this, the query becomes: Id=("abcd") or ("1")=("1").
Question 5 (1 Mark)
In order to do UNION-based injections, which of the following conditions should
be true?
A. The number of columns selected in the first select query should be the same
as the number of tables selected in the second query
B. The number of tables selected in the first select query should be the same
as the number of columns selected in the second query
C. The number of tables selected in the first select query should be the same
as the number of tables selected in the second query
D. The number of columns selected in the first select query should be the same
as the number of columns selected in the second query
Correct Answer: D. The number of columns selected in the first select query
should be the same as the number of columns selected in the second query
In UNION-based injections the number of columns selected in the first select
query should be the same as the number of columns selected in the second query.
If they are not, the database will throw an error.
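The two points made in questions 4 and 5 (the payload has to match the quoting and brackets the query places around the input, and a UNION needs the same column count on both sides) can be reproduced with SQLite, which ships with Python. The following added Python example (not part of the course material) builds a constructed students table, runs the bracket-closing payload from question 4 against a query that splices the input into the SQL text and against the same query with a bound parameter, and shows the error the database raises when the UNION column counts differ. The table contents and the single-quoted form of the query are assumptions for the example (SQLite treats double quotes as identifier quotes, so the query is written with single quotes; the mechanism is the same).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the students table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [(1, "Asha"), (2, "Ravi"), (3, "Meera")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sid: str):
    """Splices the parameter straight into the query text, like Id=("$sid") in
    the question. Whatever the user types becomes part of the SQL."""
    sql = f"SELECT name FROM students WHERE id=('{sid}') ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, sid: str):
    """Same query with a bound parameter: the input is data, never SQL syntax,
    so quotes and brackets in it cannot change the query's structure."""
    sql = "SELECT name FROM students WHERE id=(?) ORDER BY id"
    return [row[0] for row in conn.execute(sql, (sid,))]


def union_error(conn: sqlite3.Connection, sql: str):
    """Run a UNION query and return the database's error text, or None if the
    query was accepted (i.e. both sides had the same number of columns)."""
    try:
        conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "abcd') or ('1')=('1"   # the bracket-closing shape from question 4
    print(lookup_vulnerable(db, "1"), lookup_vulnerable(db, payload))
    print(lookup_safe(db, "1"), lookup_safe(db, payload))
    print(union_error(db, "SELECT name FROM students UNION SELECT 1, 2"))
    print(union_error(db, "SELECT name FROM students UNION SELECT 'x'"))
```

Against the spliced query the payload returns every student, because the text after the closing bracket becomes a second, always-true condition; against the parameterised query the very same string is compared as a single value to the id column and matches nothing. The UNION with two columns on the right is rejected outright, which is the error the question's explanation refers to; the one-column UNION runs. In the application itself the fix is the bound parameter plus validating that sid is an integer before it reaches the database.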
Question 6 (1 Mark)
The Content-Type header in an HTTP request tells about which of the following?
A. The length of the data we are sending
B. The type of information we are sending to the server
C. The type of information we are expecting back from the server
D. The type of encoding in which we are sending the data
Correct Answer: B. The type of information we are sending to the server
In an HTTP request the Content-Type header tells the server the type of
information we are sending it. Ex: Content-Type: application/jpeg tells the
server that an image has been sent. Content-Type: application/pdf tells the
server that a PDF file has been sent.
Question 7 1 Mark
In SQLmap we want to check if the DBMS current user is the Administrator
of the database. Which of the following switches will be used for this?
A
--is-dba
B
--current-user
C
--dbs
D
None of the above
Correct Answer: A. --is-dba
In order to check
if the current user of the database has the admin privileges we use the
--is-dba switch. This is extremely helpful since if sqlmap confirms this to be
true, the attacker can dump data from all databases on the server and also gain
further access to the server using the --os-shell option.
Question 8 1 Mark
Which of the following HTTP response codes correspond to the “Page Moved
to a different location” category?
A
200
B
300
C
400
D
500
Correct Answer: B. 300
The 300 series of
HTTP response codes tells the browser that the page being requested has been
moved to a different location (permanently or temporarily). Also, when a 300
response code is generated by the server (for example 301, 302), it also sends
another header by the name “Location: ” followed by the new location of the
page being requested. So for example, if you request for x.com/abcd.php and the
response is 302 Moved, Location: xyz.php, your browser will redirect you to
xyz.php.
Question 9 1 Mark
Which of the following is not a valid HTTP method?
A
GET
B
POST
C
PUT
D
DELETE
E
None of the above
Correct Answer: E. None of the above
All of the above
mentioned methods are valid HTTP methods. GET is used to send data via URL
parameters, POST is used to send it via headers, PUT is used to upload files
and DELETE is used to delete files on the server.
Question 10 1 Mark
You are using SQLmap to dump the columns “username” and “password” from
the “users_tbl” table in the “main_db” database. What command will be used for
doing this?
A
Sqlmap.py -u “url…” -p “parameter…” --tables=”users_tbl”
--columns=”username” --column=”password” --database=”main_db”
B
Sqlmap.py -u “url…” -p “parameter…” -T ”users_tbl” -C ”username” -C
”password” -D ”main_db”
C
Sqlmap.py -u “url…” -p “parameter…” -T ”users_tbl” -C
”username,password” --dbs ”main_db”
D
Sqlmap.py -u “url…” -p “parameter…” -T ”users_tbl” -C
”username,password” --dbs ”main_db” --dump
E
None of the above
Correct Answer: E. None of the above
To specify the
table to attack, the -T “table name” is used and to specify the column -C
“column name” is used (separated by commas). To specify the database -D
“database name” is used. Finally to dump the data from these specifications,
the --dump switch is used. So the correct command becomes: Sqlmap.py -u “url…”
-p “parameter…” -T ”users_tbl” -C ”username,password” -D ”main_db” --dump
Question 11 1 Mark
In SQLmap, to get the column names in the “transactions” table in the
“banking_db” database, which of the following switches will be used?
A
-C -T “transactions” -D “banking_db”
B
-C --tables “transactions” -dbs “banking_db”
C
--columns -T “transactions” -D “banking_db”
D
--columns -T
“transactions” -D “banking_db” --dump
Correct Answer: C. --columns -T “transactions”
-D “banking_db”
-C is used to
specify columns to attack but when we want to get the column names, we use
--columns. Similarly --tables is used to get table names and --dbs is used to
get the database names. To specify from which table, columns are to be fetched,
we use --columns -T “transactions” telling sqlmap to get columns from the
transactions table. Similarly to get tables in “banking_db” database: --tables
-D “banking_db”. We do not use --dump when we only need the names of the
columns, tables or databases. So the correct switches will be: --columns -T
“transactions” -D “banking_db” which is telling sqlmap to dump the columns
(--columns) from the transactions table (-T “transactions”) in the banking_db
database( -D “banking_db”).
Question 12 1 Mark
To test SQL injection in a shopping application, you apply a single
quote in the “catid” parameter in the URL:
x.com/products.php?catid=1’&prodid=9 The page throws a PHP error saying
there is an issue at line 27. Which of the following injections you CANNOT do?
A
Union Based injection
B
Boolean Based Injection
C
Error Based Injection
D
Time Based
Injection
Correct Answer: C. Error Based Injection
To perform Error
based injection, the website must be throwing exact SQL errors and not custom
errors like PHP error, Page not found, internal server error etc. Why? Because
in Error based injection, we extract juicy data via creating SQL errors. In
this case, upon applying a ‘ we are not getting an sql error like “Unclosed
quotation mark ‘ “ (MSSQL) or “You have an SQL syntax error at…..” (MySQL).
Instead we get a PHP error. This means that even if we are able to inject juicy
data in SQL errors, as the website is showing us only the PHP errors, we won’t
be able to see the data.
Question 13 1 Mark
To test for __________ sql injection we first ask the website to
evaluate a true condition (and 1=1) and then a false condition (and 1=0). If
the website responds differently to true and false with respect to the response
length being 10000 when we ask a true question and 259 when we ask a false
question, we can then use that information to ask things we don’t know about
like if the length of the database name is 6 (and length(database())=6). If the
response length is 10000, we would know that the length is indeed 6 else we can
try a different length.
A
Union Based injection
B
Boolean Based Injection
C
Error Based Injection
D
Time Based
Injection
Correct Answer: B. Boolean Based Injection
This is an example
of boolean based injection. Boolean means true/false. This technique is useful
to extract information during SQL injection when Union and Error Based
injections fail.
Question 14 1 Mark
Which of the following places should you test an SQL injection for?
A
GET parameters like a,b,c in x.php?a=123&b=bulla&c=u8hqi9
B
HTTP headers like User-Agent: Mozilla Firefox 30.0, windows NT 10.0….
C
Cookies like login in Cookie:PHPSESSID=9128371209ijsaiuc89b;login=admin
D
In the URL even if there are no parameters like http://securesite.com/user/bulla
E
All of the above
Correct Answer: E. All of the above
Anything in an HTTP
request that you think might be getting stored in the database (like the
useragent, post parameters, etc.) or being used to fetch some data from the
database (GET parameters, Cookies, additional http headers, URL etc), you must
put ‘, “ etc. there and check the response to see if it changes. You can also
use the * operator in the HTTP request .txt file and run sqlmap using -r option
to test at all places where there is an *. Wherever there is SQL, there can be
SQL injection too so don’t miss anything, test every parameter, header, cookie,
etc. in every unique request.
Question 15 1 Mark
In SQL map if we want to keep changing the user agent, which of the
following switches will we use?
A
--flush
B
--session
C
--random-agent
D
None of the above
Correct Answer: C. --random-agent
From the SQLmap
help: --random-agent : Keep changing the User Agent - Helps in bypassing
firewalls Intrusion Detection/Prevention Systems (IDS/IPS).
Question 16 1 Mark
In Burp Suite if we want to see the GUI view of the response, which of
the following tabs will be used?
A
HTML
B
HEX
C
History
D
Render
Correct Answer: D. Render
Render is used to
see the GUI view of the response though most javascript and css does not get
executed here. All you can do with this one is to get a rough idea of what
“text” would be displayed on the website.
Question 17 1 Mark
Cookies are basically text files that a website puts in the browser to
uniquely identify us.
A
True
B
False
Correct Answer: A. True
Cookies are
basically text files that a website puts in the browser to uniquely identify
us, maintain our login states and show relevant content. Cookies contain a
key-value pair which we can use along with --cookie switch in SQLmap. These
cookies can be found in the Cookie Header of the HTTP request.
Question 18 1 Mark
select name from products where id=15 AND (if the 1st character of the
password = ‘a’ then sleep for 10 seconds)--+. This is a syntax for which of the
following injections?
A
Error based injections
B
Time based injections
C
Boolean based injections
D
Union based
injections
Correct Answer: B. Time based injections
These injections are used in those cases where we fail to extract data either
by using UNION or ERROR based SQL injections and cannot even ask the website
questions like True or False. So, in order to extract critical information, we
tamper with the server response time. Whenever a request is made to the server,
it takes some time to fetch the information and deliver it to us; this is known
as the response time. Now, if we tamper with this response time, we can extract
some crucial information.
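Questions 13, 14 and 18 describe the probes a tester sends: true/false pairs, a quote in every parameter, header and cookie, and sleep() delays. As an added example that is not part of the original notes, the following Python script scans constructed request records for those probe styles in each place Question 14 lists, which is how such testing shows up in logs on the defending side. The request format, the sample requests and the signature list are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Probe styles from Questions 13 (boolean true/false pairs), 18 (time delays)
# and the generic quote test from Question 14. A lone quote is the weakest
# signal (names like O'Brien contain one), so it is reported only on its own.
PATTERNS = {
    "boolean": re.compile(r"\b(and|or)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "time": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I),
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "quote": re.compile(r"['\"]"),
}

# Constructed requests (not real traffic), as a log collector might hand them over.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5", "url": "/products.php?catid=1&prodid=9",
     "user-agent": "Mozilla/5.0", "cookie": "PHPSESSID=9128371209ijsaiuc89b; login=user"},
    {"ip": "198.51.100.7", "url": "/products.php?catid=1%27&prodid=9",
     "user-agent": "Mozilla/5.0"},
    {"ip": "198.51.100.7", "url": "/products.php?catid=1+and+1%3D1&prodid=9",
     "user-agent": "Mozilla/5.0"},
    {"ip": "198.51.100.7", "url": "/products.php?catid=1+and+1%3D0&prodid=9",
     "user-agent": "Mozilla/5.0"},
    {"ip": "198.51.100.7", "url": "/products.php?catid=1&prodid=9",
     "user-agent": "Mozilla/5.0' and sleep(10)--", "cookie": "login=admin"},
    {"ip": "198.51.100.7", "url": "/user/bulla%27%20union%20select%201,2",
     "user-agent": "Mozilla/5.0"},
]


def iter_values(req):
    """Yield (location, value) for every user-controlled slot in a request:
    query parameters, path segments, cookies and selected headers (Question 14)."""
    parts = urlsplit(req["url"])
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "param:" + name, value
    for segment in parts.path.split("/"):
        if segment:
            yield "path", unquote_plus(segment)
    for cookie in req.get("cookie", "").split(";"):
        if "=" in cookie:
            name, value = cookie.strip().split("=", 1)
            yield "cookie:" + name, value
    for header in ("user-agent", "referer", "x-forwarded-for"):
        if header in req:
            yield "header:" + header, req[header]


def classify(value):
    """Names of the probe styles seen in one value (empty list if none)."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(value)]
    strong = [h for h in hits if h != "quote"]
    return strong or (["quote"] if hits else [])


def scan(requests):
    """(ip, location, kinds) for every suspicious value in the request list."""
    findings = []
    for req in requests:
        for location, value in iter_values(req):
            kinds = classify(value)
            if kinds:
                findings.append((req["ip"], location, tuple(kinds)))
    return findings


def summarize(findings):
    """Probe count per source IP: the true/false pairs of boolean-based testing
    show up as repeated hits from one address on one parameter."""
    return dict(Counter(ip for ip, _, _ in findings))


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
    print(summarize(scan(SAMPLE_REQUESTS)))
```

Note that the User-Agent probe is only caught because the header is inspected too; a detector that looks at the query string alone misses exactly the places Question 14 says to test.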
Question 19 1 Mark
There is a flaw where an application doesn’t handle sensitive data such
as passwords, credit card numbers and other personal information securely
enough and allows the attacker to steal them while they are being used. What is
the name used for this vulnerability?
A
Insecure Direct Object References (IDOR)
B
Broken Authentication and Session Management
C
Missing Function-Level Access Controls
D
Sensitive Data
Exposure
Correct Answer: D. Sensitive Data Exposure
Sensitive Data
Exposure: This is a flaw where an application doesn’t handle sensitive data
such as passwords, credit card numbers and other personal information securely
enough and allows the attacker to steal them while they are being used.
Question 20 1 Mark
Broken Authentication and Session Management flaws are the ones which
allow the hacker to inject his own code/commands on the web server.
A
True
B
False
Correct Answer: B. False
Broken
Authentication and Session Management flaws are the ones which allow attackers
to bypass authentication mechanisms like Logins and Sessions whereas Injection
flaws are the ones that may allow a hacker to inject his own code/commands
right on the web server.
Shell Attack:
B374K mini Shell Install Link:
https://raw.githubusercontent.com/tennc/webshell/master/php/b374k/mini_b374k
Question 1 1 Mark
When input validation and filtering occurs
at the browser using language like JavaScript, it is called _____________.
A
Client side
filters
B
Server side
filters
Correct Answer: A. Client side filters
In server side filters, when a request is
sent to the server, the server has certain code that checks the values of
various parameters to see things like are they in the correct format, have the
correct value, user is allowed to use that value, etc. and after all the
validation returns success, further processing is done. This protects the
applications from all kinds of attacks. Client side filtering occurs at the
browser’s end and hence JavaScript is used to do it. This is good for user
experience as the validation occurs instantly but is insecure for the
application as an attacker can bypass them using proxies.
Question 2 1 Mark
Uploading an image in jpg format when the
page says upload GIF, writing alphabets in the phone number field, disabled
buttons, and non editable fields, are some examples of web application filters.
A
True
B
False
Correct Answer: A. True
While filling a registration form where you
are supposed to enter an email address, if you don’t enter an ‘@’, it gives you
an error. Writing alphabets in the phone number field, uploading an image in
jpg format when the page says upload GIF, when your name must not be more than
10 characters and disabled buttons are some examples of web application filters
that we encounter daily. When they are implemented in the browser, an attacker
can simply intercept the validated request using Burp or OWASP ZAP and put the
malicious value like a PHP file instead of a JPG file but if the server side is
also making sure that file is a .jpg file, it becomes secure, hence called
server side filters.
Question 3 1 Mark
Luke tried to order food online during the
testing of a web application. At the checkout page he tried to tamper with the
price of the item by intercepting the request. He noticed that there is a
parameter: price=300 and changed it to price=100 and forwarded the request. The
bank page showed him to pay Rs. 100. He did it and the order got placed
successfully. Luke was hence able to purchase the item for a lesser amount than
the original one. The above case is an example of which of the following
vulnerabilities?
A
Server side
filters
B
Client side
filters
C
Improper/missing
server side checks/filters
D
IDOR
Correct Answer: C. Improper/missing server side checks/filters
This is an example of improper server side
check. If the website would have cross checked the price of the product from
its database and compared it with the price coming from the user, it would have
been able to prevent the hack.
Question 4 1 Mark
IDOR occurs when an application provides
access to data, based on the user supplied input without proper validation
A
True
B
False
Correct Answer: A. True
When an application provides direct access
to objects based on user supplied input without proper validation it is called
IDOR (Insecure Direct Object References).
Question 5 1 Mark
Which of the following can be the impact of
an IDOR vulnerability?
A
Access private
data of other users like name, contact number and address
B
Change or
delete another user’s data
C
Carrying out
transactions using someone else’s account
D
All of the
above
E
None of the
above
Correct Answer: D. All of the above
An IDOR occurs when any user controlled
input controls a direct object in the application. Some examples of IDOR are:
If an attacker can use the userid in a GET request to get any user’s data, or
when an attacker changes his email id and he changes account_id parameter of
another user thus changing victim’s email id, or an attacker can initiate a
mobile recharge by changing from_acc_no to victim’s account number resulting in
balance deducting from the victim’s account.
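For Questions 3 to 5 above, this added Python example (not from the original notes) shows the server side checks that would have prevented both cases: the price is looked up from the catalogue rather than taken from the request, and an account record is returned only to its owner. The catalogue, the account records and the Rejected error are constructed for the example.

```python
# Constructed stand-ins for the shop's and the bank's database records.
CATALOGUE = {"item-42": 300}                 # product id -> price in Rs.
ACCOUNTS = {"1001": {"owner": "A", "balance": 5000},
            "1002": {"owner": "B", "balance": 250}}   # acc_no -> record


class Rejected(Exception):
    """Raised when a server side check fails; the handler answers with an error."""


def checkout_vulnerable(params):
    """The flaw in Question 3: the price is whatever the browser sent."""
    return {"item": params["item"], "charge": int(params["price"])}


def checkout(params):
    """Server side check: the price comes from the catalogue, keyed by item id.
    A client-sent price is only compared, never used, and a mismatch is flagged
    so it can be logged as tampering."""
    item = params.get("item")
    if item not in CATALOGUE:
        raise Rejected("unknown item")
    price = CATALOGUE[item]
    tampered = "price" in params and str(params["price"]) != str(price)
    return {"item": item, "charge": price, "tampered": tampered}


def owns_account(session_user, acc_no):
    """Authorisation check for an object reference supplied by the client."""
    record = ACCOUNTS.get(acc_no)
    return record is not None and record["owner"] == session_user


def account_details_vulnerable(session_user, acc_no):
    """The IDOR of Questions 4 and 5: acc_no is used as sent, ignoring who asks."""
    return ACCOUNTS[acc_no]


def account_details(session_user, acc_no):
    """Fixed version: the record is returned only to its owner."""
    if not owns_account(session_user, acc_no):
        raise Rejected("account does not belong to this user")
    return ACCOUNTS[acc_no]


if __name__ == "__main__":
    print(checkout_vulnerable({"item": "item-42", "price": "100"}))  # charged 100
    print(checkout({"item": "item-42", "price": "100"}))             # charged 300, tampered
    print(account_details_vulnerable("A", "1002"))                   # B's balance leaks
    print(owns_account("A", "1002"))                                 # False
```

The ownership check is the same one for every IDOR variant in Question 5 (read, change, delete, transact): whatever identifier the client sends, the server resolves it and compares the owner with the logged-in user before acting.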
Question 6 1 Mark
If an attack requires different inputs to
be inserted in multiple places within the request (e.g. when guessing
credentials, a username in one parameter, and a password in another parameter)
then which of the following burp intruder attack types will be used?
A
Cluster Bomb
B
Sniper
C
Battering Ram
D
Pitch Fork
Correct Answer: A. Cluster Bomb
Cluster bomb uses multiple payload sets.
There is a different payload set in each position. It is used when an attack
requires different and unrelated or unknown inputs to be inserted in multiple places
within the request e.g. when guessing credentials.
Question 7 1 Mark
We use sniper burp intruder attack type
when we need to send a single set of values to 1 or more number of injection
points in a request.
A
True
B
False
Correct Answer: A. True
Sniper uses a single set of payloads no
matter how many points you inject at. For example if you want to guess only
passwords, then in the password value you put an injection point and then put
all possible passwords in the payload set. But if you want to try users whose
usernames and passwords are the same, then also you can use sniper as sniper
attack has only one set of values. So both username and password values will be
the same.
Question 8 1 Mark
In burp suite, the _____________ payload
type lets you try all possible alphabets and numbers up to 5 characters.
A
Brute Forcer
B
Null Payloads
C
Number format
D
Dates
Correct Answer: A. Brute Forcer
The bruteforcer payload type has 3
important options. 1st is the list of characters you want to try example
abcdefgABCDEFG123. 2nd is the minimum length and 3rd is the maximum length. So
if we set minimum length to 2 and maximum length to 3, we will get values like
aa2, a2D, ggg, 312 etc. Similarly for the case above, we can set the minimum
and maximum length both to 5. Hence the bruteforcer is helpful in guessing
small passwords and exploiting IDORs with alphanumerics in them.
Question 9 1 Mark
In burp suite, the _____________ payload
type lets you make username combinations for a given name by using common
username patterns.
A
Brute Forcer
B
Username
Generator
C
Number format
D
None of the
above
Correct Answer: B. Username Generator
Username generator lets you configure a
list of names and provides a probability of potential usernames. For example if
we submit a user with the name “john wick”, we get the following results:
john.wick, wickjohn, jwick, johnw, etc. This can be very helpful for guessing
usernames.
Question 10 1 Mark
What is a web shell?
A
A malicious
admin panel uploaded by the attacker to gain access to the server and files on
it
B
A backdoor
uploaded by a hacker to have permanent access to a website
C
A malware that
can be used to destroy a website
D
A code that
can be used to execute system commands on the server
E
All of the
above
Correct Answer: E. All of the above
All are properties of a web shell.
Question 11 1 Mark
Which of these functions in PHP is used to execute
windows or Linux commands directly and print the response?
A
system
B
echo
C
whoami
D
none of the
above
Correct Answer: A. system
The system function in PHP is used to execute Windows or Linux commands
directly and print the response, while the ‘whoami’ command is used to show the
current user (like administrator, guest, root, etc.) and the echo function
prints any value given to it.
Question 12 1 Mark
Aman is trying to upload a php file with
the following code in shell.php using arbitrary file upload vulnerability in
the image upload option of a website.
<?php
system('whoami');
?>
If he then
visits shell.php?cmd=ANY_COMMAND will the command get executed?
A
Yes
B
No
Correct Answer: B. No
The above shell will execute the whoami
command only: system(‘whoami’). If you want to execute arbitrary commands using
the GET parameter cmd like given, then the following line can be used:
system($_GET['cmd']);
Question 13 1 Mark
When downloading the order receipt from a
shopping website, you realise that a POST request is sent to download.php with
a POST parameter rcpt_hash=9f7ad455c3e79087. Can IDOR be tested over here?
A
Yes
B
No
Correct Answer: A. Yes
Even if a website uses long and complex tokens to fetch data from the
database, IDOR can still be tested. How? Placing another order from a different
test account B and generating a receipt from it will give you another rcpt_hash
value of a valid order. If you log in to account A, try to download the receipt
of account B, and the receipt gets downloaded, then it is still an IDOR.
Question 14 1 Mark
In the previous scenario, an attacker uses
burp suite to generate 1 Million possibilities of rcpt_hash containing 16 characters
with numbers, and small alphabets between a-f. He then tries all million
combinations taking him a few hours in total and is able to find 10,000 valid
rcpt_hash values returning receipts of other users. Which vulnerability is
this?
A
CSRF
B
Rate Limiting
Flaw
C
Sensitive
Information Disclosure
D
Server
Misconfiguration
Correct Answer: B. Rate Limiting Flaw
This is a clear example of an IDOR but is
much more dangerous due to a rate limiting flaw. In a secure scenario, a
website should never allow so many requests from a single user in such a small
time and this should result in IP address blacklisting. This would help in
slowing down the attacker.
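For Questions 13 and 14 above, an added Python example (not from the original notes) of the two server side controls involved: the receipt is tied to the account that placed the order regardless of how long rcpt_hash is, and a sliding-window rate limiter refuses a client that makes too many requests in a short time. The order records, the limit of 20 requests per minute and the injectable clock are assumptions of this example.

```python
import time
from collections import defaultdict, deque

# Constructed order records: rcpt_hash -> owning account. The first hash is the
# value from Question 13; the second is made up for the example.
RECEIPTS = {"9f7ad455c3e79087": "A", "1c2b3a4d5e6f7081": "B"}


class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per key
    (here the client IP). `clock` is injectable so the behaviour can be tested."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        queue = self.hits[key]
        while queue and now - queue[0] > self.window:
            queue.popleft()           # forget hits outside the window
        if len(queue) >= self.limit:
            return False
        queue.append(now)
        return True


# 20 downloads per minute per IP is an assumed figure; tune it to real traffic.
LIMITER = RateLimiter(limit=20, window=60)


def download_receipt(session_user, rcpt_hash, client_ip, limiter=LIMITER):
    """Returns ("ok", owner), ("forbidden", None) or ("rate_limited", None).
    The hash being long and random is not the access control: the receipt is
    served only to the account that placed the order, and a client that keeps
    guessing is slowed down by the limiter."""
    if not limiter.allow(client_ip):
        return "rate_limited", None
    owner = RECEIPTS.get(rcpt_hash)
    if owner is None or owner != session_user:
        return "forbidden", None
    return "ok", owner


if __name__ == "__main__":
    print(download_receipt("A", "9f7ad455c3e79087", "198.51.100.7"))  # ('ok', 'A')
    print(download_receipt("A", "1c2b3a4d5e6f7081", "198.51.100.7"))  # ('forbidden', None)
```

Counting every request, not only failed ones, is deliberate: a guesser who finds a valid hash still burns the same budget, and the limit applies before the database is consulted, so the guessing itself cannot load the server.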
Question 15 1 Mark
A web shell can be written in which of the
following languages?
A
PHP
B
ASP
C
JSP
D
All of the
above
E
None of the
above
Correct Answer: D. All of the above
Depending what kind of a website it is, the
attacker can write (or reuse) web shells written for that particular kind of
server architecture, OS and programming language. It can be a PHP shell for a
website using windows OS and PHP language, a JSP shell for a website using
Linux server and Apache Tomcat server software and an ASP shell for a website
running on Windows server 2003 and made with ASP.NET programming language.
Based on what kind of files a server executes, the attacker has to upload the
shell accordingly.
Question 16 1 Mark
Which of these vulnerabilities can an
attacker use to make a victim visit a malicious website even when he clicks on
a link to a website he trusts?
A
Cross Site
Request Forgery
B
Insecure
Direct Object Reference
C
Open
Redirection
D
All of the
above
E
None of the
above
Correct Answer: C. Open Redirection
Open Redirection is a vulnerability that occurs in the following situation: the
website has a URL x.com/something.php?redirect_url=/checkout.php. Here,
whatever value the redirect_url GET variable has, x.com redirects to that page,
in this case x.com/checkout.php. Now as a user can control this GET parameter
by editing the URL, an attacker can misuse this by creating a hyperlink with
the following URL: x.com/something.php?redirect_url=http://hacker.com/trojan.exe
Now the attacker can send this link to a victim who trusts x.com, but when he
clicks on the above link on x.com, he gets redirected to hacker.com containing
a Trojan. This flaw is called the open redirection flaw.
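To close the open redirection flaw in the example above, the redirect_url parameter has to be checked before the server issues the redirect. The following Python function is an added example and is not from the original notes; it assumes the site is x.com and accepts only site-relative paths or absolute URLs on that host, so http://hacker.com/trojan.exe, a scheme-relative //hacker.com link and a javascript: URL all fall back to the home page.

```python
from urllib.parse import urlsplit

SITE_HOST = "x.com"   # the site hosting something.php in the example above


def safe_redirect_target(redirect_url, fallback="/"):
    """Return a destination that stays on SITE_HOST, or `fallback`.
    Only site-relative paths (or absolute http(s) URLs on this host) pass; the
    result is always emitted as a path, so the browser cannot be sent elsewhere."""
    if not isinstance(redirect_url, str) or not redirect_url.strip():
        return fallback
    url = redirect_url.strip()
    # Backslashes and CR/LF are treated inconsistently by browsers and can
    # smuggle a host or a second header; refuse them outright.
    if any(ch in url for ch in "\\\r\n"):
        return fallback
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # absolute (http://...) or scheme-relative (//host/...) URL
        if parts.scheme not in ("http", "https") or parts.netloc.lower() != SITE_HOST:
            return fallback
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for candidate in ("/checkout.php", "checkout.php?step=2",
                      "https://x.com/checkout.php",
                      "http://hacker.com/trojan.exe", "//hacker.com/trojan.exe",
                      "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Emitting a path rather than echoing the accepted URL is the simplest way to be sure the Location header never carries a foreign host, whatever encoding tricks the parameter arrived with.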
So, in the previous module, we looked at some server side attacks. These
attacks are used to attack the server or to take complete control of the
server. It is important to know server side languages like PHP and SQL to carry
out these attacks, or to prevent them.
However, in this module, we will look at the client side attacks. These attacks
are used to cause harm to the users of a web application directly.
So, by carrying out these attacks, the hacker can directly attack the browser
of the victim. To understand these attacks, we need to know client side
languages like HTML and Javascript.
To understand client side attacks, let us first understand how a web browser
works.
We know that when we open a website, let’s say internshala, an HTTP request is
sent to the server. The server then processes this request and sends back an
HTTP response to our browser. Now, this HTTP response is parsed by our browser
and displayed to us.
But, this HTTP response contains something called HTTP headers. These headers
are the metadata that is not shown to us.
But, if we analyse these response headers, we can learn a lot about the way
HTTP responses work.
Now usually the http response headers are very lengthy, and we are not going to
look at each and every line.
We will mainly look at 3 important HTTP response headers:
1. The first line of the response, which tells us about the nature of the response.
2. The Set-Cookie header.
3. The Content-Length header.
We will look at each one of these.
Let’s start with the first line of the response header.
So, this is a sample HTTP response captured by BurpSuite.
If we look at the first line of this response, it says, HTTP/1.1 200 OK.
We have seen this response many times in the previous module. The 200 response
means that everything is okay.
Now, this is just one type of response. There are a few more important
responses that we must know about.
30X: A response in the 300 range is used to signify redirection. For example,
if you requested for page 1, but are being redirected to page 2. In this case,
the response will say, “301 Moved Permanently to Location: page2”.
40X: These responses depict errors that occur due to the user’s fault. The most
common response we have all come across is 404:Not Found error. We get this
response when the page we have requested for does not exist.
Another example is the 403: Forbidden response. This comes when you request for
a page that you are not supposed to visit.
50X: These responses occur when there has been some error on the server side.
For example, if a website is not able to connect to its database due to some
server side code error, you might see 500 internal server error.
So, these were some important responses sent in headers.
You must remember these ranges and their meaning well, since by looking at this
we can get an idea of what kind of response the server wants to give us.
Now, after the first line of the response headers, we see some standard HTTP
response headers. These headers basically tell the browser about the response
and how to handle it. They are like the configuration settings sent by a web
server to be stored in the browser for later usage.
In these settings, you may choose to study about some of them in detail. These
include the Content Security Policy, Referrer Policy, Allow Origin, X-powered-by,
etc. We will not be covering these in our topic, but you can read more about
them online.
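The following Python script is an added example and not from the original notes. It parses a constructed HTTP response of the kind Burp shows, pulls out the three pieces discussed above (the status line and its 30X/40X/50X class, Set-Cookie and Content-Length) and reports what a defender reads from the remaining headers: cookies missing HttpOnly or Secure, a missing Content-Security-Policy and a leaky X-Powered-By. The sample response and the list of checks are assumptions of the example.

```python
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}

# Constructed response in the shape Burp shows; not captured from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /xyz.php\r\n"
    "Set-Cookie: PHPSESSID=9128371209ijsaiuc89b; Path=/\r\n"
    "Set-Cookie: login=admin; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "X-Powered-By: PHP\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into status line, headers and body.
    Header names are lower-cased; repeated headers (Set-Cookie) are all kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))

    def first(name):
        return next((v for n, v in headers if n == name), None)

    length = first("content-length")
    return {
        "version": parts[0],
        "status": status,
        "reason": parts[2] if len(parts) > 2 else "",
        "category": STATUS_CLASSES.get(status // 100, "unknown"),
        "headers": headers,
        "location": first("location"),
        "content_length": int(length) if length is not None else None,
        "body": body,
    }


def cookie_flags(headers):
    """For each Set-Cookie header: cookie name -> which protective flags it carries."""
    result = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        attrs = [a.strip() for a in value.split(";")]
        cookie = attrs[0].split("=", 1)[0]
        flags = {a.lower() for a in attrs[1:]}
        result[cookie] = {"httponly": "httponly" in flags, "secure": "secure" in flags}
    return result


def security_review(resp):
    """Points a defender would flag when reading the response headers."""
    findings = []
    names = {n for n, _ in resp["headers"]}
    if resp["category"] == "redirection" and not resp["location"]:
        findings.append("3xx response without a Location header")
    for cookie, flags in cookie_flags(resp["headers"]).items():
        for flag, present in flags.items():
            if not present:
                findings.append("cookie %s lacks the %s flag" % (cookie, flag))
    if "content-security-policy" not in names:
        findings.append("Content-Security-Policy header missing")
    if "x-powered-by" in names:
        findings.append("X-Powered-By reveals the server stack")
    return findings


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print(parsed["status"], parsed["reason"], "->", parsed["category"],
          "to", parsed["location"])
    for finding in security_review(parsed):
        print("-", finding)
```

The session cookie in the sample is the one worth looking at: without HttpOnly a script injected into the page can read it, and without Secure it travels over plain HTTP, which is why both flags come up again when cookies and XSS are discussed below.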
Client Side Attack:
<html>        --- root element
  <head>      --- parent element of <title> and child of <html>
    <title>   --- child of <head>
  <body>      --- parent of <p> and <h1> and child of <html>
    .
    .
</html>
1. onclick and ondblclick: In this case the event handler listens for a
“click” event. If any user clicks on the element (here a button), this event
listener gets triggered and shows an alert.
Eg:
<html>
<body>
<button name="test_button" onclick="alert('clicked!')"
ondblclick="alert('double clicked!')">Click me!</button>
</body>
</html>
2. Iframe onload: Another very common event listener is ‘onload’, which simply
gets triggered when some element (image, body, iframe, video etc.) has finished
loading.
Eg:
<html>
<body>
<iframe src="https://ipchicken.com"
onload="alert('lo')"></iframe>
</body>
</html>
3. Image onerror: In this event listener, the src attribute in the
img tag looks for the file given in the URL. But, if the url raises an error
and cannot be accessed, we can have an onerror event listener to display an
appropriate message to the user.
Eg:
<html>
<body>
<p>
Example of onerror event:
</p>
<img src="x" onerror="alert('No image found');">
</body>
</html>
4. Using getElementById method: Here, we ask the user to input her
name using <input> tag. Then we access this input using the
getElementById method, and add a “Hi”, to it. Then we display it on the alert
box. This alert is displayed when the user clicks on the button after giving
the input.
Eg:
<html>
<body>
<input type="text" placeholder="Enter your name"
id="textfield1">
<button onclick="alert('Hi '+document.getElementById('textfield1').value)">Click Me</button>
</body>
</html>
Notes:
1. A cookie is a piece of data stored in the
user’s browser while a session is some user data stored in server.
2. document.getElementById() returns the element with a specific id (the
examples above read its value property), but writing the method with a small
‘b’ in ‘by’ will give an error. Javascript is case sensitive and hence each
function and variable’s name is case sensitive, unlike in HTML.
3. Event listeners are simple code that wait for an event to happen on a
specific element and when it does, carry out the written code after it. For
every DOM event, you can setup an event listener like onClick, onMouseOver,
onDblClick, onKeypress, etc. For example to setup an onClick listener on the
button we can write this code: <button id="button1" onClick="alert('hello')">
Click me </button>
XSS:
1. Temporary XSS
2. Permanent XSS
Q. What is temporary XSS?
The vulnerabilities that allow hackers to insert malicious code into the HTML
code of the browser are called temporary XSS or reflected XSS. This attack is
called temporary as the injected attack is not stored within the application;
rather it infects only those users who have access to these links.
Q. What is permanent XSS?
The vulnerabilities that allow hackers to inject and execute malicious client
side scripts through the browser, which get permanently stored in the server,
are called permanent XSS or stored XSS.
Q. What is an HTML injection?
When a hacker is not able to execute JavaScript using XSS but is still able to
cause potential harm using HTML, this particular vulnerability is called HTML
injection. It occurs due to improper output validation, as the website attaches
the user input to its own HTML code without any proper sanitation.
· In XSS an attacker is able to inject his own HTML/JS code inside an
application. Now this code is foreign code and can come either from the hacker
or a website of the hacker, hence it is “cross site” scripting, i.e. the website
executing code which is not its own.
· If a user is not able to execute JS using XSS but is still able to
potentially harm the website using HTML, this vulnerability is called HTML
injection. HTML injection can still be harmful: even if the hacker cannot
inject JS to steal the user’s information, he can change the look and feel of
the website using HTML and CSS, which could be used to deface the website or
host phishing pages to trick users into giving their data.
· If the website is taking input from the user without proper sanitation and
attaching it to its own HTML code, this is called improper output validation,
i.e. before putting user controlled data into its HTML code, the website is not
sanitising it into safe characters that do not execute in the browser. An
example of good output validation is to convert all HTML characters like “ < >
into &quot; &lt; (less than) &gt; (greater than), etc.
· Permanent XSS is much more dangerous as it affects all the users of the
website and the attacker need not send infected links to victims and trick them
into clicking them.
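The output validation described in the bullets above, as an added Python example that is not from the original notes: the same page template rendered once by pasting the user's input in (improper output validation) and once after converting “ < > and the other HTML characters into entities, so that the browser shows the input as text. The template, the sample inputs and the introduces_tags check are constructed for the example.

```python
import html

TEMPLATE = "<p>Hello, {{name}}!</p>"   # constructed page fragment with one user slot

# Constructed inputs: a normal name, the page's three characters, and a script tag.
SAMPLE_INPUTS = ["bulla", '" < >', "<script>alert(1)</script>"]


def render_vulnerable(template, user_input):
    """Improper output validation: the input is pasted into the HTML as-is."""
    return template.replace("{{name}}", user_input)


def render_safe(template, user_input):
    """html.escape turns & < > " ' into entities (&amp; &lt; &gt; &quot; &#x27;),
    so whatever the user typed is displayed as text instead of parsed as markup."""
    return template.replace("{{name}}", html.escape(user_input, quote=True))


def introduces_tags(rendered, template):
    """Cheap regression check: did rendering add any '<' the template lacked?"""
    return rendered.count("<") > template.count("<")


if __name__ == "__main__":
    for text in SAMPLE_INPUTS:
        print("unsafe:", render_vulnerable(TEMPLATE, text))
        print("safe:  ", render_safe(TEMPLATE, text))
```

Entity encoding is the right tool when the input lands in HTML text or in a quoted attribute; input that ends up inside a script block, a URL or a CSS rule needs the encoder for that context instead, which is why the escaping belongs at the output side, where the context is known, rather than at the input side.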
· There are multiple cases in which a security expert can know about the
existence of a link that is available after login:
1. As part of a White/Grey box exercise, he gets all the user roles to test.
2. He guesses or brute forces (makes a script that tries all common page
names).
3. He reads the source code and finds interesting links in the comments or in
the code, or even in other files like JS, CSS, etc. linked inside the source
code.
4. He finds a user manual or other screenshots of the application (from search
engines or on the website itself) and reads it to find a screenshot or a step
telling the admin to visit a specific post login page.
5. He uses google dorks like site:x.com inurl:seller/actions and finds a page
indexed in google.
6. He finds sitemap files like sitemap.xml and robots.txt using the google
dork site:x.com sitemap robots.txt, which contain a list of links on the
website.
7. He uses social engineering on a phone call to the seller support and asks
them their present URL.
When you connect to a
website, it creates a unique session for you and relates all your activities with
a long alphanumeric token called Session token. This session token is stored in
2 places, one at the server and the other at the client (in the user’s
browser). The client part is called a session cookie. This session cookie, in a
secure website acts as an authentication and authorisation token.
Notes:
· Authorisation determines whether a user has access to a particular resource
or not. For example it checks whether a user has access to specific pages in a
website.
· Authentication confirms your identity to provide access to the system. For
example, when you try to login into a website, it checks whether the entered
username and password is valid or not.
· Each page that is supposed to be accessed after login should check at every
request that the user is still logged in, but in certain cases, if you know a
post login URL (site.com/admin/controlpanel.php), you can directly put it in
the browser without logging in and you would still be able to access the
functionality. This is called Forced Browsing.
CSRF (Cross Site Request Forgery):
· CSRF is a flaw using which an attacker, after making a user visit a hacker
controlled website (let’s say x.com), sends a request to the vulnerable website
from the user’s browser with the user’s cookies, which authorises actions
carried out on the website on the victim’s behalf. I.e. the attacker can forge
requests so that they appear to be sent by the victim from a “cross site” (a
different website) than the website to which the request is going, and since
there is no check on where the request is coming from, the forged request is
accepted and actions are carried out on behalf of the user who visited the
“cross site”.
· Open Redirection is a vulnerability where an attacker can use a link on the
vulnerable website to redirect the user to a malicious website. Open
redirection means that an attacker can control the destination of a particular
URL by inserting a malicious URL in the parameter, and that URL is not checked
for whether it is trusted or not.
Dictionary Based Brute Force Attack
Used mostly for Username, Password
Q & A:
Brute Forcing is an
attack where an attacker sends a large number of requests to guess certain
value like __________.
A
Login credentials
B
ID and token numbers
C
File and folder names
D
All of the above
Well done. Correct Answer.
Explanation:
At any point in a web application where an attacker feels that guessing a specific value can lead to juicy information, he tries it. But guessing a few possible values is useless and inefficient unless we try all possible values, or at least a couple of hundred commonly used values.
Which kind of brute
forcing is beneficial when the range of possible values is so high that trying
them all is not efficient and would take ages?
A
Dictionary Based Brute Forcing
Well done. Correct Answer.
Explanation:
When we are guessing passwords, or hidden file names in a website for example, there are endless possibilities as to what can be a valid value. Passwords can be anywhere from 4 characters to 20 characters and are not even sequential. The same goes for filenames, which can be anywhere from a few characters to 50 characters. All these can contain symbols, numbers, etc. Hence, trying all possibilities is not practical. Instead, we can try some 500 commonly used passwords or 1000 common juicy filenames. Using such a set of commonly used values during a brute forcing attack is called a Dictionary Based Attack.
In a dictionary
based brute forcing attack, one or more parameters have logically generated
values like numbers or alphanumerics in a given range or pattern. List of
possible values are computed first then tried.
A
True
B
False
Well done. Correct Answer.
Explanation:
Dictionary Based Brute Forcing means one or more parameters are brute forced with a single file or multiple files containing lists of possible values for the parameters. This is generally used for unpredictable values such as usernames, passwords, filenames, etc.
Which of these
signs suggest that bruteforcing cannot be done (or would be very difficult to
do)?
A
A captcha on the form which you are trying to bruteforce
B
Website blocking your IP address and giving you error 403 for 1 hour
after crossing 100 requests in 5 minutes
C
Website needs multiple inputs to give information like orderID and
registered mobile number
D
All of above - in all these scenarios bruteforcing won’t be practical
Well done. Correct Answer.
Explanation:
These are the best ways to protect against brute forcing attacks. A captcha will simply make brute forcing almost impossible, as Burp cannot solve captchas. IP blocking also makes brute forcing difficult, although auto-changing proxies can be used, and finally, if the website takes multiple parameters in the case of IDORs, it becomes impractical to brute force 2 entities at the same time.
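The IP-blocking sign in option B, seen from the server's side: a sliding-window rate limiter that answers 403 for 1 hour once a client exceeds 100 requests in 5 minutes. This is an added example, not code from the course; the request log and the IP addresses are constructed placeholders.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60     # count requests over a 5-minute sliding window
MAX_REQUESTS = 100          # more than this many in the window triggers a block
BLOCK_SECONDS = 60 * 60     # a blocked client gets 403 for 1 hour


class RateLimiter:
    """Per-IP sliding-window counter with a temporary block list."""

    def __init__(self):
        self._hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self._blocked_until = {}          # ip -> time at which its block expires

    def check(self, ip, now):
        """Return the status to answer with: 200 (allowed) or 403 (blocked)."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return 403
            del self._blocked_until[ip]   # block expired: start counting afresh
        hits = self._hits[ip]
        hits.append(now)
        while hits and now - hits[0] > WINDOW_SECONDS:   # forget old timestamps
            hits.popleft()
        if len(hits) > MAX_REQUESTS:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            hits.clear()
            return 403
        return 200


def simulate(requests):
    """Feed (timestamp, ip) pairs in time order through one limiter; return the statuses."""
    limiter = RateLimiter()
    return [limiter.check(ip, t) for t, ip in requests]


# Constructed traffic (placeholder addresses): one client fires a login attempt
# every 2 seconds for 5 minutes, then tries again about an hour later; another
# client makes one normal request per minute.
BRUTE_IP, NORMAL_IP = "198.51.100.7", "203.0.113.9"
SAMPLE = sorted(
    [(2 * i, BRUTE_IP) for i in range(150)]
    + [(3899, BRUTE_IP), (4000, BRUTE_IP)]
    + [(60 * j, NORMAL_IP) for j in range(5)]
)

if __name__ == "__main__":
    for (t, ip), status in zip(SAMPLE, simulate(SAMPLE)):
        if status == 403:
            print("t=%4ds %s -> 403" % (t, ip))
```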
When is Cluster
Bomb used in the Burp Intruder?
A
An attack requires different unknown inputs to be inserted in multiple
places within the request
Well done. Correct Answer.
Explanation:
Cluster bomb is used when an attack requires different unknown inputs to be inserted in multiple places within the request, for example the username and password parameters. In a cluster bomb attack, all payload sets are checked with all values of all other payload sets, i.e. each username will be checked against all given passwords.
Logical Brute Forcing
Logical Brute Forcing
is done when the value we are trying to guess has an identifiable pattern or
sequence.
A
True
Well done. Correct Answer.
Explanation:
Logical Brute Forcing means one or more parameters have logically generated values like numbers or alphanumerics in a given range or pattern, and possibly even in a sequence. Hence a list of all possible values is computed using the deduced logic (like all 5-character-long strings of digits and lowercase English letters) first, and then they are all tried. This is generally the case when brute forcing OTPs, tokens and ID numbers in the case of IDORs. It can also be used for small passwords, like all possible 4- or 5-character lowercase passwords, but these will hardly work and will take a lot of time, given that it won't be able to guess admin@123, which is a super easy and common password.
In burp intruder we use ________ payload when we want to replay the same request without any changes.
A
Null
B
Numbers
C
Username Generator
D
Brute Forcer
Well done. Correct Answer: A. Null
Explanation:
The Null payloads payload type generates payloads whose value is an empty string, while the Numbers payload type generates numeric payloads within a specified range. Username Generator makes possible usernames from given keywords, and Brute Forcer is used to create a list of all possible values containing the given characters between a minimum and a maximum length.
Which of the
following is NOT a sign to identify a successful guess during an intruder
attack on IDORs?
A
Success attempt will have a bigger response length than others
B
Success attempt will have a smaller response length than others
C
Status of the bruteforce attack may change
D
Success attempt will have the same response length but content may
change
E
None of the above
Well done. Correct Answer.
Explanation:
A successful attempt may have a bigger or a smaller response length compared to the original response; in some cases the status of the response may change; and sometimes the length might be exactly the same but the content might differ. You can use Burp Suite's Comparer to compare 2 responses by sending a true response and a false response that you already know to the Comparer.
You run a cluster bomb attack with 2 injection points: 10 values in payload set 1 and 12 values in payload set 2. How many guesses will the intruder make?
A
10
B
12
C
120
D
22
Well done. Correct Answer: C. 120
Explanation:
A cluster bomb attack tries all values of A with all values of B, i.e. 10*12 = 120. This is helpful when we neither know which values of A & B are to be used together nor which ones are correct. For example: guessing username and password combinations. In a pitchfork attack, on the other hand, one value is picked from each set and the pair is checked together, then the next pair of values is checked, and so on.
PII (Personal Information Leakage):
Personally
Identifiable Information (PII) leakage is when personal data of users is leaked
due to any form of vulnerability.
A
True
B
False
Well done. Correct Answer.
Explanation:
PII Leakage is leakage of specific personal user information that can be
used to exactly pinpoint (identify) a person and distinguish him/her from
others with similar details.
PII can be a single
piece of information like aadhaar number, PAN number or a combination of
multiple details like full name and date of birth, etc.
A
True
Well done. Correct Answer.
Explanation:
PII is information that can be used to identify a user. Information like an aadhaar number or a PAN number can be used directly to identify the person, but a name cannot, as there can be multiple people with the same name. However, a combination of full name and date of birth can be used to pinpoint a person with high accuracy. Hence PII leakage is considered with either a single solid piece of information or a combination of multiple pieces of information.
4 websites are
leaking the details of users due to an IDOR. The information given in each of
the given options is being leaked on individual websites. Which of these is
most vulnerable to PII leakage?
A
First name + date of birth
B
Place of birth + full name
C
Address
D
Mobile number + name
Well done. Correct Answer.
Explanation:
Mobile numbers are unique in an area (country) hence if a user’s name
and mobile number is being leaked, it can be deemed PII leakage. Hence website
D is vulnerable to PII Leakage.
PII leakage cannot occur due to which of the following vulnerabilities?
A
IDOR
B
SQL Injection
C
Arbitrary File Upload
D
Reflected XSS
Well done. Correct Answer.
Explanation:
XSS is a client-side vulnerability, and in the case of Reflected XSS the attacker will need to make the user click on specific links, after which he might be able to steal personal data of the user. But that's not a direct leakage of PII. IDORs and SQLi are among the most common sources of PII leakage, and if an attacker is able to upload a shell on the website using Arbitrary File Upload, then he gets access to all data, hence it can also lead to PII leakage.
Question 1 1 Mark
What does the HTTP 403 response status code mean?
A
Temporary redirection
B
Moved permanently
C
Forbidden
D
HTTP version not
supported
Correct Answer: C. Forbidden
A 403 response code means that the resource you are requesting has been "Forbidden" for you to access due to permission issues.
Question 2 1 Mark
A PHPSESSID cookie is added by a website when you (user “x”) login to
it. What is the purpose of this cookie?
A
Provide personalised experience
B
Act as token for authentication
C
Act as token for authorisation
D
All of the above
E
None of the above
Correct Answer: D. All of the above
When you log in to a website like Facebook, the website puts a cookie in your browser containing a token like: PHPSESSID: 5695a5d9a58a9b90c7369e4d7. Facebook on its server then stores that "user x" is 5695a5d9a58a9b90c7369e4d7. This is then used to give you your personalised "Facebook Wall" and other features; it also acts as an authentication token, as you don't need to log in before opening every page on Facebook. And it acts as an authorisation token, preventing you from being able to edit the settings of a group whose admin is someone else.
Question 3 1 Mark
document.appendChild(element) is used for which of the following
purposes?
A
Create an HTML element
B
Replace an HTML element
C
Add an HTML element
D
Remove an HTML
element
Correct Answer: C. Add an HTML element
document.appendChild(element)
is used to Add an HTML element whereas document.createElement(element) is used
to create an HTML element.
Question 4 1 Mark
Reflected XSS can be used to inject malicious HTML inside the website
that a user trusts and then can attack the users by sending them the link
containing the malicious exe files.
A
True
B
False
Correct Answer: A. True
In Reflected XSS
the server reads data directly from the HTTP request and reflects it back in
the HTTP response. Reflected XSS can be used to inject malicious HTML inside
the website that a user trusts and then can attack the users by sending them
the link containing the malicious payload.
Question 5 1 Mark
When a user might not be able to execute JS using XSS but is still able
to potentially harm the website using HTML, this vulnerability is called HTML
injection.
A
True
B
False
Correct Answer: A. True
HTML injection can still be harmful: even if a hacker cannot inject JS to steal user information, he can change the look and feel of the website using HTML and CSS, which could be used to deface the website or host phishing pages to trick users into giving their data.
Question 6 1 Mark
Which of the following methods is used to prevent XSS attacks?
A
Convert HTML tags to HTML entities like < > before
printing the user supplied data
B
Disallow input of HTML special characters into fields
C
Block specific keywords like script, onload, onerror, javascript,
on[anything], img, iframe, etc.
D
All of the above
Correct Answer: D. All of the above
The main way to
prevent XSS is to not allow users to enter HTML characters and code. This can
either be done by encoding all special characters into HTML entities before
printing them into a response or simply by not allowing users to enter special
characters anywhere, or by blocking specific keywords that can be harmful.
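The entity-encoding defence from option A, applied to a user comment and to a user-supplied profile link, as an added example rather than the course's code. The function names are my own, and the scheme allowlist on the link is an extra check beyond the text above, since escaping alone does not make a javascript: URL in an href harmless.

```python
import html
from urllib.parse import urlsplit


def render_comment(text):
    """Escape user text for an HTML body context: < > & " ' become entities,
    so an injected tag is displayed as text instead of being parsed."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def render_profile_link(url, label):
    """Render a link whose href and label are both user-supplied. The label is
    escaped like any text; the href is escaped for the attribute context AND
    restricted to http(s), because an escaped javascript: URL is still a
    javascript: URL once the browser decodes the attribute."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        # untrusted scheme: show the label as plain text and drop the link
        return "<span>" + html.escape(label, quote=True) + "</span>"
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(label, quote=True),
    )
```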
Question 7 1 Mark
Authorisation determines whether a user has logged in to the correct
account.
A
True
B
False
Correct Answer: B. False
Authorisation
determines whether a user has access to a particular resource or not. For
example, it checks whether a user has access to specific files/pages on a
website. Authentication on the other hand checks if the user is logged in as a
valid user or not.
Question 8 1 Mark
When a user clicks on logout, the cookie is deleted from his browser,
but if a hacker is also logged in to the user’s account using the same cookie,
his cookie is not invalidated, hence he still stays logged in. What is the name
given to this type of flaw?
A
Cookie expiration flaw
B
Authentication flaw
C
Access control flaw
D
Forced browsing
Correct Answer: A. Cookie expiration flaw
This is a clear case of a cookie expiration flaw. Although a cookie might get deleted from the browser once you log out, to test this you should copy the cookie before logging out and, after logging out, put the cookie back in. If you get logged in, the website is vulnerable to a cookie expiration flaw, as the cookie is only getting deleted from the browser and not on the server.
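A server-side session store that ties together the session-token notes earlier (every post-login request is checked against the server's copy, so forced browsing is refused, and authorisation is a separate check on top of authentication) and the logout case in this question (logout deletes the session on the server, so a copy of the cookie taken before logout stops working). This is an added example, not code from the course; the accounts, group and request model are constructed for it.

```python
import secrets

# Constructed demo accounts and group ownership; a real system stores password hashes.
USERS = {"x": "demo-password-x", "y": "demo-password-y"}
GROUP_ADMIN = {"chess-club": "y"}   # group name -> the only user allowed to edit it


class SessionStore:
    """The server-side half of the session: token -> username."""

    def __init__(self):
        self._sessions = {}

    def login(self, username, password):
        """Authentication: verify the credentials, then issue a fresh random token."""
        if USERS.get(username) != password:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def user_for(self, cookie):
        """Look the session cookie up on every request; None means not logged in."""
        return self._sessions.get(cookie)

    def logout(self, cookie):
        """Delete the session on the server, so a copied cookie stops working too."""
        self._sessions.pop(cookie, None)


def handle_request(store, path, cookie, group=None):
    """Return (status, body) for a request to a post-login page."""
    user = store.user_for(cookie)
    if user is None:
        return 302, "/login"                   # no valid session: forced browsing is refused
    if path == "/admin/controlpanel.php":
        return 200, "welcome " + user
    if path == "/group/settings":
        if GROUP_ADMIN.get(group) != user:     # authorisation: being logged in is not enough
            return 403, "forbidden"
        return 200, "editing " + group
    return 404, "not found"


def demo():
    """Walk through forced browsing, login, authorisation and logout; return the four statuses."""
    store = SessionStore()
    no_session = handle_request(store, "/admin/controlpanel.php", "guessed-cookie")[0]
    cookie = store.login("x", "demo-password-x")
    logged_in = handle_request(store, "/admin/controlpanel.php", cookie)[0]
    not_admin = handle_request(store, "/group/settings", cookie, group="chess-club")[0]
    copied = cookie                            # a copy taken before logout, as in the test above
    store.logout(cookie)
    after_logout = handle_request(store, "/admin/controlpanel.php", copied)[0]
    return no_session, logged_in, not_admin, after_logout


if __name__ == "__main__":
    print(demo())   # (302, 200, 403, 302)
```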
Question 9 1 Mark
CSRF attack happens when ____________.
A
Application includes untrusted data in a new web page
B
Many applications do not properly protect sensitive data
C
Authentication functionality is implemented incorrectly
D
None of the above
Correct Answer: D. None of the above
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. This happens when a website allows transactions originating from unknown sources and does not implement unique, user-specific tokens (like passwords, OTPs and other random tokens) in critical actions.
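The "unique user specific token" defence, for the CSRF flaw described here and in the CSRF note earlier: a per-session random token is embedded in the server's own form, and a password change is accepted only when the submitted token matches the session's. This is an added example, not the course's code; the session and form are plain dicts constructed for it.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create the per-session token (once) that the server embeds in its own forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_change_password_form(session):
    """The server's own form carries the token in a hidden field. A page on
    another site cannot read this value, so it cannot forge a valid request."""
    return ('<form method="post" action="/change-password">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input type="password" name="new_password"><button>Change</button></form>'
            % issue_csrf_token(session))


def change_password(session, form):
    """Handle POST /change-password. `form` is the submitted field -> value dict.
    Returns (status, message); the password only changes after the token check."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token means the request did
    # not originate from a form this server rendered for this session.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    session["password"] = form["new_password"]
    return 200, "password changed"
```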
Question 10 1 Mark
A website has a logout button with the following hyperlink: sitexyz.com/logout.php?redir=http://sitexyz.com/home.php You change this URL to sitexyz.com/logout.php?redir=http://google.com and the page does not redirect. Can open redirection be possible here?
A
Yes
B
No
Correct Answer: A. Yes
Open Redirection is a vulnerability where an attacker can use a link on the vulnerable website to redirect the user to a malicious website. This is usually done by identifying a parameter whose value is what a page redirects to. In our case, when the value of redir is http://sitexyz.com/home.php it redirects, but when we try http://google.com it doesn't work. It means that the website might be checking whether the resultant domain belongs to sitexyz.com. This check can however be bypassed if we change it to http://google.com/sitexyz.com or http://google.com/?abcd=sitexyz.com or http://sitexyz.com.google.com
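The substring check the explanation suspects, beside a redirect validator that parses the URL and compares the hostname exactly against an allowlist, which rejects all three bypass URLs above. This is an added example, not the course's code; sitexyz.com and the URLs come from the question, and the scheme-relative case (//host/path) is an additional edge case beyond the text.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"sitexyz.com", "www.sitexyz.com"}   # exact hostnames, no substrings
SITE_BASE = "https://sitexyz.com/"
DEFAULT_TARGET = "https://sitexyz.com/home.php"


def naive_check(url):
    """The weak check: 'does the string contain our domain anywhere?'"""
    return "sitexyz.com" in url


def safe_redirect_target(url):
    """Return the URL to redirect to, or the default when the target is untrusted."""
    # Resolve relative paths (/account) and scheme-relative URLs (//host/x) against
    # our own site first, so the hostname check below sees the real destination.
    candidate = urljoin(SITE_BASE, url.strip())
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return candidate


BYPASS_ATTEMPTS = [   # the three URLs from the explanation above
    "http://google.com/sitexyz.com",
    "http://google.com/?abcd=sitexyz.com",
    "http://sitexyz.com.google.com",
]

if __name__ == "__main__":
    for u in BYPASS_ATTEMPTS:
        print("%-40s naive=%s safe->%s" % (u, naive_check(u), safe_redirect_target(u)))
```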
Question 11 1 Mark
At which of these common places can CSRF be found?
A
Shopping cart
B
Delete account
C
Change password
D
Edit information
E
All of the above
Correct Answer: E. All of the above
Any form where a critical action happens, which could cause trouble to the user if it happened without the user knowing, must be checked for CSRF.
Question 12 1 Mark
In the burp suite intruder, the pitchfork attack type is used for which
of the following reasons?
A
All values of all payload sets need to be checked with each other ie.
#Set1 x #Set2 x …#SetN
B
When 1st value from all sets is picked and tried, then the 2nd value
from all sets is picked and so on
C
When the attacker wants to send the same request multiple times without
any changes
D
None of the above
Correct Answer: B. When 1st value from all sets
is picked and tried, then the 2nd value from all sets is picked and so on
Pitchfork uses multiple payloads. It is used when an attack requires different but related inputs to be inserted in multiple places within the request, i.e. the 1st value of Set1 is tried with the 1st of Set2, then the 2nd of both, then the 3rd of both, and so on. Hence if there are 10 values in each of 2 payload sets, 10 requests will be sent and not 100.
Question 13 1 Mark
In burp intruder we use _____________ payload type to generate payloads
of specified lengths with all possible characters.
A
Null payloads
B
Bruteforcer
C
Number format
D
Username generator
Correct Answer: B. Bruteforcer
Bruteforcer is used
to generate payloads of specific length ranges with all combinations of given
character lists.
Question 14 1 Mark
Which of the following is not a client side attack?
A
Open Redirection
B
Cross Site Request Forgery
C
Rate Limiting Bypass
D
HTML Injection
Correct Answer: C. Rate Limiting Bypass
Client-side attacks are attacks that are focused on attacking and exploiting users by making them visit specific pages, links, etc. These attacks do not steal data from the server and instead exploit the users of the website. A rate limiting flaw, on the other hand, can be used to attack the server and steal data from the server directly.
Question 15 1 Mark
Which of the following is an example of PII Leakage?
A
Landline number
B
First name + landline number
C
Country code + area code + landline number
D
First name + school
name + birth day and month + blood group
Correct Answer: C. Country code + area code +
landline number
Only option C can be used to exactly pinpoint a person. The rest, although they leak information, do not come under PII leakage; they can still be reported as Sensitive Data Disclosure.
Authentication
· Authentication is used by a server when the server needs to know exactly who is accessing their information or site.
· Authentication is used by a client when the client needs to know that the server is the system it claims to be.
· In authentication, the user or computer has to prove its identity to the server or client.
· Usually, authentication by a server entails the use of a user name and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints.
· Authentication by a client usually involves the server giving a certificate to the client in which a trusted third party such as Verisign or Thawte states that the server belongs to the entity (such as a bank) that the client expects it to.
· Authentication does not determine what tasks the individual can do or what files the individual can see. Authentication merely identifies and verifies who the person or system is.
Authorization
· Authorization is a process by which a server determines if the client has permission to use a resource or access a file.
· Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access.
· The type of authentication required for authorization may vary; passwords may be required in some cases but not in others.
· In some cases, there is no authorization; any user may use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.
Encryption
· Encryption involves the process of transforming data so that it is unreadable by anyone who does not have a decryption key.
· The Secure Shell (SSH) and Secure Sockets Layer (SSL) protocols are usually used in encryption processes. SSL drives the secure part of "https://" sites used in e-commerce sites (like eBay and Amazon.com).
· All data in SSL transactions is encrypted between the client (browser) and the server (web server) before the data is transferred between the two.
· All data in SSH sessions is encrypted between the client and the server when communicating at the shell.
· By encrypting the data exchanged between the client and server, information like social security numbers, credit card numbers, and home addresses can be sent over the Internet with less risk of being intercepted during transit.
Using authentication, authorization, and encryption
Authentication, authorization, and encryption are used in everyday life. One example in which authorization, authentication, and encryption are all used is booking and taking an airplane flight.
· Encryption is used when a person buys their ticket online at one of the many sites that advertise cheap tickets. Upon finding the perfect flight at an ideal price, a person goes to buy the ticket. Encryption is used to protect a person's credit card and personal information when it is sent over the Internet to the airline. The company encrypts the customer's data so that it will be safer from interception in transit.
· Authentication is used when a traveler shows his or her ticket and driver's license at the airport so he or she can check his or her bags and receive a boarding pass. Airports need to authenticate that the person is who he or she says he or she is and has purchased a ticket, before giving him or her a boarding pass.
· Authorization is used when a person shows his or her boarding pass to the flight attendant so he or she can board the specific plane he or she is supposed to be flying on. A flight attendant must authorize a person so that person can then see the inside of the plane and use the resources the plane has to fly from one place to the next.
Here are a few examples of where encryption, authentication, and authorization are used by computers:
· Encryption should be used whenever people are giving out personal information to register for something or buy a product. Doing so ensures the person's privacy during the communication. Encryption is also often used when the data returned by the server to the client should be protected, such as a financial statement or test results.
· Authentication should be used whenever you want to know exactly who is using or viewing your site. Weblogin is Boston University's primary method of authentication. Other commercial websites such as Amazon.com require people to log in before buying products so they know exactly who their purchasers are.
· Authorization should be used whenever you want to control viewer access to certain pages. For example, Boston University students are not authorized to view certain web pages dedicated to professors and administration. The authorization requirements for a site are typically defined in a website's .htaccess file.
· Authentication and Authorization are often used together. For example, students at Boston University are required to authenticate before accessing the Student Link. The authentication they provide determines what data they are authorized to see. The authorization step prevents students from seeing data of other students.
These are also referred to as default files/folders/URLs that contain crucial information about servers. Hackers exploit these default files, which further helps them plan their attacks. Below are a few examples of default files that you may find on a website.
1. Robots.txt - One can find this file in the base directory of a website. This file is used by server administrators to disallow search engines like Google, Bing, etc. from recording certain pages/folders, as it may contain interesting folders and files which a developer is trying to hide.
2. Phpinfo.php - This file is a common debug file in PHP applications that contains a huge amount of information regarding the server.
3. Users.xml - This file generally contains usernames and passwords which hackers may exploit.
4. Backup.sql - This default file is crucial as it may contain a complete database backup.
5. Config.bak - This may be a configuration file that stores passwords and keys.
6. error_log / error.log - This file contains all error logs of the server, which can reveal vulnerabilities to hackers.
7. server-status and server-info - These are common Apache pages that contain server information.
8. manager/html - This default URL takes you to the Tomcat login page, which can further disclose sensitive server information.
9. phpmyadmin - It is the login page for phpMyAdmin, software used for managing SQL databases from the website. Exploiting a database can compromise all the data inside it.
Apart from these, there are many more default files that you should check and search for. You might not be able to find these default files as they may have been restricted by server administrators.
Vulnerabilities
that occur due to the server admins keeping weak passwords on login pages and
services or not changing/deleting the default accounts in applications that are
created automatically during installation are known as ________________.
A
Insecure default configuration flaws
B
Outdated software related flaws
C
Flaws due to components with known vulnerabilities
D
None of the above
Explanation:
Vulnerabilities that occur due to the
server admins keeping weak passwords on login pages and services or not changing/deleting
the default accounts in applications that are created automatically during
installation are known as Default/Weak Passwords misconfiguration flaws.
Flaws that arise due to components with known vulnerabilities happen simply when the website/server is using software that is outdated or unmanaged.
A
True
Explanation:
When a website uses themes, addons,
plugins, libraries and other software (of a specific version) that have a known
public vulnerability and fails to update (or remove) these when a patch is
released in a newer version, then it becomes vulnerable to hackers who can then
view the public vulnerability and misuse it to gain access to the server.
Which of the
following are some default files in a website?
A
error.log
B
phpMyAdmin
C
Config.bak
D
Backup.sql
E
All of the above
Explanation:
error.log, phpmyadmin, config.bak,
backup.sql, robots.txt etc. are some of the most used default files in a
website.
Which of
these is the default path to load the Tomcat Manager application?
A
URL/admin.php
B
URL/login.html
C
URL/manager/html
Explanation:
The default path to load the Tomcat Manager application is http://{host}:{port}/manager/html. This manager application is also commonly found at http://domain.com:8080/manager/html (port 8080 instead of 80).
For the top 10 most common usernames:
https://lifehacker.com/the-top-10-usernames-and-passwords-hackers-try-to-get-i-1762638243
Default/Weak
passwords are a part of using components with known vulnerabilities.
A
True
B
False
Explanation:
Default/Weak passwords are present when a
website administrator installs a server side
addon/library/software/web-application and forgets to change the default
password or keeps a weak guessable password.
When
fingerprinting a component, which of the following is NOT helpful?
A
Path of folders and files in page source
B
Footer text
C
Text on the page
D
All of the above
E
None of the above
Explanation:
The URL, file/folder names in page source,
HTTP request/response headers, cookies, logos, favicons, page titles, text on
the page, title, footers, etc. can all be used to fingerprint components in a
website.
Default
passwords can be found on youtube videos of the product.
A
True
Explanation:
A lot of times, product vendors make YouTube channels with tutorial videos on how to set up/use the product. In such cases, there is a chance that the developer might talk about the default passwords.
You can
commonly see default passwords in the page source.
A
True
B
False
Explanation:
No, a developer will never put default
password in the page source, but you should still read the HTML page source for
other hints.
A website is
using a third party product with a publicly known vulnerability without being
patched. This type of flaw is known as using components with known
vulnerabilities.
A
True
Explanation:
If a hacker finds a product which is outdated, he tries to find its vulnerabilities and exploits and uses them against the website. When a website is using a third party product with a publicly known vulnerability without being patched, this type of flaw is known as using components with known vulnerabilities.
Which of the
following ways are used to fingerprint applications?
A
HTTP headers
B
HTML source code
C
Favicons
D
All of the above
Explanation:
HTTP headers, HTML source code, banners and
titles, default files like README.html are some common ways to fingerprint an
application.
To find
vulnerabilities in a product, we look for some vulnerability repositories and
exploit repositories for leaked exploits.
A
True
Explanation:
Vulnerability repositories - CVEdetails.com, vulnhub.com, securityfocus.com, etc.
Exploit repositories - Exploit-DB.com, Rapid7.net
Google - "[Product Name] vulnerability/exploit"
A flaw in a
software that can be used by a hacker to gain access to a system or network is
called ___________.
A
Vulnerability
Explanation:
Vulnerability is a flaw in a software that
can be used by a hacker to gain access to a system or network.
__________
is a security scanner to scan vulnerabilities in Joomla.
A
WPseku
B
WPScan
C
CMS scanner
Explanation:
CMS Scanner is used to Scan WordPress,
Drupal, Joomla, Bulletin websites for security issues.
Vulnerability
in the version of CMS and vulnerability in a specific version of a theme
installed in the CMS are some common ways to find vulnerabilities in CMS.
A
True
Explanation:
To find vulnerabilities in a CMS there are 2 ways: 1) a vulnerability in that version of the CMS itself; 2) a vulnerability in a specific version of a theme/plugin/addon installed in the CMS.
Which of the following files can be used to check the version of the installed Drupal CMS?
A
License.txt
B
CHANGELOG.txt
C
Readme.html
D
All of the above
Correct Answer: B. CHANGELOG.txt
Explanation:
CHANGELOG.txt is the name of the default file which can be used to check the version of the installed Drupal CMS.
WordPress
themes and plugins can be enumerated using page source.
A
True
Explanation:
If the HTML source contains wp-* paths, it means that WordPress is installed in that specific folder. You can even spot themes from CSS and JS files containing /themes in the URL, and plugins from /plugins.
A
vulnerability in a WordPress plugin may help an attacker upload a shell on the
website.
A
True
Explanation:
Plugins, themes etc. can contain any
vulnerability be it XSS, SQLi, IDOR, File upload etc. That's why making sure
that all plugins and themes are updated and outdated ones deleted is extremely
important.
Multiple PHP
remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow
remote attackers to execute arbitrary PHP code via a URL in the ACS_path
parameter of _________________.
A
login.html
B
manager/html
C
server.log
D
admin.php and index.php
Explanation:
Multiple PHP remote file inclusion
vulnerabilities in Advanced Comment System 1.0 allow remote attackers to
execute arbitrary PHP code via a URL in the ACS_path parameter of (1) index.php
and (2) admin.php in advanced_comment_system/
Remote file
inclusion allows an attacker to do which of the following?
A
Code execution on the web server
B
Denial of service
C
Sensitive information disclosure
D
All of the above
Explanation:
RFI allows an attacker to include a file,
execute code on the web server, execute code on the client side such as
javascript, DOS and sensitive information disclosure. Remote File Inclusion
allows an attacker to temporarily upload malware and backdoor shells from a
remote URL located on a different domain.
Remote file
inclusion is an attack targeting vulnerabilities in web applications that
dynamically reference external scripts.
A
True
Explanation:
Remote file inclusion is an attack
targeting vulnerabilities in web applications that dynamically reference
external scripts. It is the process of including remote files through the
exploitation of vulnerable parameters in the application.
In this
topic we used the Python exploit 34992.py. If we want to create a new
instance, which of the following syntaxes do we use?
A
34992.py -t (target url)
B
34992.py -u USER -p PASS
C
34992.py exploit
D
None of the above
Explanation:
34992.py -t http[s]://TARGET_URL -u USER -p
PASS will be used to create a new instance.
Arbitrary
file upload vulnerability allows an attacker to do which of the following?
A
To put a phishing page
B
To upload malicious files that trigger client side attacks
C
Upload a shell script
D
All of the above
Explanation:
A file upload vulnerability allows an
attacker to perform attacks on an application platform where he can upload .exe
files, an .html file containing script, a .jpg file containing a Flash object,
and many more.
Question 1 1 Mark
Vulnerabilities that occur due to the server admins keeping weak
passwords on login pages and services or not changing/deleting the default
accounts in applications that are created automatically during installation are
known as ________________ flaws.
A
Outdated software related vulnerabilities
B
Insecure Default configuration
C
Insecure Direct Object Reference
D
None of the above
Correct Answer: D. None of the above
Vulnerabilities
that occur due to the server admins keeping weak passwords on login pages and
services or not changing/deleting the default accounts in applications that are
created automatically during installation are known as Default/Weak Passwords
misconfiguration flaws.
Question 2 1 Mark
Descriptive Error Messages are error messages that contain more
information than they should, leading to an attacker getting critical knowledge
about the server.
A
True
B
False
Correct Answer: A. True
Descriptive Error
Messages and Debug Messages are error messages that contain more information
than they should, leading to an attacker getting critical knowledge about the
server/application architecture and helping him/her plan deeper attacks. This is
extremely common because, by default, applications disclose the full error
description so that it is easy for developers to fix the problem.
Question 3 1 Mark
Which file in PHP applications contains information about the PHP
license, version and other information?
A
default.php
B
index.php
C
view.php
D
Phpinfo.php
Correct Answer: D. Phpinfo.php
Phpinfo contains
information about PHP version, HTTP headers, PHP license and some other
information about PHP.
Question 4 1 Mark
Robots.txt is a file used by server admins to disallow search engines like
Google, Bing, etc. to record certain pages/folders.
A
True
B
False
Correct Answer: A. True
Web site owners use
the /robots.txt file to give instructions about their site to web robots; this
is called The Robots Exclusion Protocol. Robots.txt is a file used by server
admins to disallow search engines like Google, Bing, etc. to record certain
pages/folders. This can contain interesting folders and files that a developer
is trying to hide.
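As an added example (not part of the course), here is a small Python parser for the robots.txt format described above, followed by an audit helper a site owner can run on their own file: it lists the Disallow entries whose names suggest admin or leftover content, which are exactly the paths that must be protected by authentication rather than merely hidden from crawlers. The sample file and the example.test host are constructed.

```python
# Constructed sample robots.txt; not taken from any real site.
SAMPLE_ROBOTS = """\
# robots for example.test
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /backup/
Disallow: /old-site/

User-agent: Googlebot
Disallow: /private/reports/
Sitemap: https://example.test/sitemap.xml
"""

# Words that often mark content a developer did not want found (assumption: tune per site).
SENSITIVE_HINTS = ("admin", "backup", "old", "private", "dev", "test",
                   "staging", "config", "dump", "report")


def parse_robots(text):
    """Parses robots.txt into user-agent groups of (allow|disallow, path) rules
    plus the Sitemap URLs, following the Robots Exclusion Protocol layout."""
    groups, sitemaps, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")     # first colon only: Sitemap values contain "://"
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            # consecutive User-agent lines share one group; a rule line closes the run
            if current is None or current["rules"]:
                current = {"agents": [], "rules": []}
                groups.append(current)
            current["agents"].append(value)
        elif field in ("allow", "disallow") and current is not None:
            current["rules"].append((field, value))
        elif field == "sitemap":
            sitemaps.append(value)
    return {"groups": groups, "sitemaps": sitemaps}


def hidden_paths(text):
    """Disallowed paths whose names hint at admin or leftover content; each one
    deserves a check that it is access-controlled, not just excluded from search."""
    found = set()
    for group in parse_robots(text)["groups"]:
        for field, path in group["rules"]:
            if field == "disallow" and path and any(h in path.lower() for h in SENSITIVE_HINTS):
                found.add(path)
    return sorted(found)


if __name__ == "__main__":
    print(hidden_paths(SAMPLE_ROBOTS))
```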
Question 5 1 Mark
HTTP headers, HTML source code, favicons and default files like
readme.html are some ways to fingerprint applications.
A
True
B
False
Correct Answer: A. True
There are numerous
ways to fingerprint applications. Some of them are fingerprinting HTTP methods,
favicons, banners and titles and searching for some default files like
README.html etc.
Question 6 1 Mark
While testing for a hotel booking websites, you intercepted the request
and changed the start date to 30 Apr 2019 and the end date to 28 Feb 2019. Upon
forwarding the request, you got an Internal Server Error which says “Days
cannot be negative” with descriptive file names and line numbers as to where
the error happened on the server. Which vulnerability is this?
A
Information disclosure due to descriptive errors
B
Fuzzing
C
Default misconfigurations
D
None of the above
Correct Answer: A. Information disclosure due to
descriptive errors
Information
Disclosure due to Descriptive Errors is a vulnerability wherein server errors
reveal critical information about the server architecture, file names, code,
configuration, etc. To trigger such errors we generally fuzz with unexpected
values in GET/POST parameters, headers, and even cookies.
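The fix for the hotel booking scenario is on the server side: an expected validation failure such as "Days cannot be negative" gets a short message, while anything unexpected is logged in full and answered with a generic error plus a reference id. The following Python handler is an added example (not from the course) that simulates both the debug configuration that leaks file names and line numbers and the production configuration that does not; the handler and its date inputs are constructed for the example.

```python
import logging
import traceback
import uuid
from datetime import date

log = logging.getLogger("booking")


class BookingError(ValueError):
    """Expected validation failure whose message is safe to show to the user."""


def nights_between(start, end):
    """Number of nights booked; rejects an end date that precedes the start date."""
    days = (end - start).days
    if days < 0:
        raise BookingError("Days cannot be negative")
    return days


def handle_booking(start_iso, end_iso, debug=False):
    """Simulated request handler returning (http_status, response_body)."""
    try:
        start = date.fromisoformat(start_iso)
        end = date.fromisoformat(end_iso)
        return 200, {"nights": nights_between(start, end)}
    except BookingError as exc:
        # Expected failure: the user learns what to correct, nothing about the server.
        return 400, {"error": str(exc)}
    except Exception:
        # Unexpected failure: file names and line numbers go to the server log only,
        # tied to an id the user can quote when reporting the problem.
        error_id = uuid.uuid4().hex[:12]
        log.error("error_id=%s\n%s", error_id, traceback.format_exc())
        if debug:
            # Development setting: this is the descriptive error the question describes.
            return 500, {"error": traceback.format_exc(), "error_id": error_id}
        return 500, {"error": "Internal server error", "error_id": error_id}


if __name__ == "__main__":
    print(handle_booking("2019-04-30", "2019-02-28"))
    print(handle_booking("30 Apr 2019", "2019-02-28"))
    print(handle_booking("30 Apr 2019", "2019-02-28", debug=True))
```

Fuzzing the date fields with the dates from the question or with a malformed string exercises both branches; the debug flag is the setting a deployment review should confirm is off.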
Question 7 1 Mark
A CVE ID is a unique ID given to each public exploit of a vulnerability.
A
True
B
False
Correct Answer: B. False
A CVE ID is a
unique ID given to each public vulnerability, and not to the exploit. Whenever an
ethical hacker reports a vulnerability in a specific version of a product to a
vendor and the vendor accepts it, it is listed on CVE platforms like
cvedetails.com with a unique CVE ID. One CVE ID can have multiple exploits, but
each vulnerability has a unique CVE ID.
Question 8 1 Mark
Exploit-db.com is the largest database of all public vulnerabilities
disclosed.
A
True
B
False
Correct Answer: B. False
Exploit-db.com is a
database of exploit codes that can be used to misuse a vulnerability.
CVEdetails on the other hand is a database of vulnerabilities.
Question 9 1 Mark
__________ is a type of wordpress vulnerability.
A
Vulnerable/old version of Wordpress
B
Vulnerable version of wordpress plugin
C
Vulnerable version of wordpress theme
D
Option 1 and 3
E
All of the above
Correct Answer: E. All of the above
In WordPress, there can be 3 types of vulnerabilities:
- Vulnerable/old version of WordPress itself.
- Vulnerable version of a WordPress plugin (used for additional functionality
other than a blog, like a contact form, shopping cart, customer support chat,
etc.) installed on the website.
- Vulnerable version of a WordPress theme installed on the website.
Question 10 1 Mark
Which of the following scanner is used to scan Drupal?
A
DroopeScan
B
Drupwn
C
CMS scanner
D
All of the above
Correct Answer: D. All of the above
There are different
scanners available to scan Drupal. Commonly used scanners are Droopescan,
Drupwn, CMS scanner and nmap drupal script.
Question 11 1 Mark
An exploit to do SQL Injection in a wordpress plugin can be written in
which of these programming languages?
A
C
B
SQL
C
Python
D
HTML/JS
E
All of the above
Correct Answer: E. All of the above
Exploits can be
written in any language that the writer is comfortable with. There is no
specific language to write exploits but it is generally seen that web based
exploits are written in python.
Question 12 1 Mark
In wordpress, themes are stored in which of these folders?
A
wp-admin/themes
B
license.txt
C
wp-themes
D
wp-content/themes
Correct Answer: D. wp-content/themes
In wordpress,
themes and plugins are stored in wp-content folder containing folders named
“plugins” and “themes”.
Question 13 1 Mark
The Advanced Comment System Exploit 9623 has which of these types of
vulnerabilities?
A
File Inclusion
B
Shell Upload
C
SQL Injection
D
Cross Site
Scripting
Correct Answer: A. File Inclusion
The type of
vulnerability in Advanced Comment System Exploit 9623 is File Inclusion, where
an attacker is able to open a local/remote file and view/execute it. The exploit
URLs are:
www.site/path/advanced_comment_system/index.php?ACS_path=[shell.txt?]
/advanced_comment_system/admin.php?ACS_path=[shell.txt?]
Question 14 1 Mark
Which is the best way to know how to use a python exploit downloaded
from exploit-db.com?
A
By reading the source code
B
Searching for videos on youtube
C
Run the file: python filename.py
D
Read the code
Correct Answer: C. Run the file: python
filename.py
Most exploits and
tools, regardless of the programming language, have an inbuilt help text that
explains how to run the exploit, which parameters it requires, and how to
configure other settings in the exploit. To view this, you can simply run the
file without any parameters and most of the time it will show you the help
text. You can also try:
python filename.py --help
or:
python filename.py -h
Question 15 1 Mark
John was able to get access to the admin panel of a website by entering
the admin and password USER:USER. He found that he can execute any command on
the server, so he entered cat index.php. What result can he expect once the
command executes?
A
List of all the files on the server with the name index.php
B
Create a folder with the name “index”
C
Shows the user of the server
D
Print the source
code of index.php
Correct Answer: D. Print the source code of index.php
The cat command prints
the contents of any text file on a Linux server, so cat filename.php will
print the source code of that particular PHP file.
Information
gathering means gathering as much information about the vulnerabilities in
various assets of an organisation, and to organise it in a structured manner.
A
True
B
False
Explanation:
Information gathering means gathering as
much information about the target as possible. This includes all its assets
like websites, ports and servers. Finding vulnerabilities comes under
vulnerability assessment.
Crunchbase.com platform is used to find ____________.
A
Subdomains of a website
B
Mergers and acquisitions of a company
Explanation:
Crunchbase information includes investments
and funding information, founding members and individuals in leadership
positions, mergers and acquisitions, news, and industry trends.
Reverse
Whois allows you to search for domains by the name, address, telephone number,
and email address of the registrant listed in Whois records.
A
True
Explanation:
Reverse Whois allows you to search for
domains by the name, address, telephone number, and email address of the
registrant listed in current or historical Whois records. So, for example, if
you get the name of a website's admin using Whois, you can search that name in
reverse Whois; this way you will get all domains registered by that admin.
Fierce tool
is used for which of the following purposes?
A
Scan open ports of a domain
B
Subdomain finder
Explanation:
Fierce is a reconnaissance tool. It is a
semi-lightweight scanner that helps you find subdomains of a given domain.
DirBuster is
a java application designed to brute force directories and file names on web
application servers.
A
True
Explanation:
DirBuster is a multi-threaded Java
application designed to brute force directories and file names on web
application servers.
Nmap offers this (Automating VAPT):
Scans in Nmap and their role:
1. Intense scan: This scans top 1000 commonly used ports and
then tries to find what exact service and version of that service is running in
an open port. This scan also helps in detecting the type of operating
system.
2. Intense scan + UDP: Normal intense scan only scans TCP
ports and using this scan, we can also scan UDP ports too.
3. Intense scan all ports: Instead of scanning only the 1000
common ports, this will scan all the possible ports 0-65535 (As it scans all
the ports, this scan takes a lot of time to complete).
4. Intense scan no ping: This scan is used where firewalls
are placed at the target.
5. Ping scan: This scan only checks if the host is reachable
or not. The scan doesn’t scan any port.
6. Quick scan: This scans fewer ports and does no service
version detection. It is faster than the intense scan but can be a bit unreliable.
7. Quick scan plus: It scans fewer ports (same as the
quick scan) but does version detection. The scan is much more aggressive and
hence can put a little stress on the network and be a bit unreliable.
8. Regular scan: Runs Nmap with default options i.e. simple
port scanning and no service version detection.
9. Slow comprehensive scan: It is an extremely slow scan
that does deep level scanning with the highest accuracy and least stress on the
network.
NMAP is used
for which of the following?
A
Scan open ports on a domain
B
Scan services running on an IP address range
C
Find vulnerabilities in services installed on a server
D
None of the above
E
All of the above
Explanation:
NMAP is an open source tool which is used
to perform network scans, find open ports on remote host, fingerprint services
installed and running on ports and even find vulnerabilities in those services.
It is one of the most widely used tools.
In Zenmap if
we want to just check if the host is reachable or not without doing port
scanning we use_________scan.
A
Quick scan
B
Intense scan
C
Intense scan no ping
D
Ping scan
Explanation:
In Zenmap if we want to just check if the
host is reachable or not without doing port scanning we can use ping scan.
In Zenmap,
slow comprehensive scan is used to do which of the following?
A
To scan all possible TCP ports on a given host
B
To scan all possible UDP ports on a given host
C
To control the rate of scanning so that not a lot of traffic is
generated
D
All of the above
Explanation:
Slow comprehensive scan: Extremely slow
scan that does deep level scanning with the highest accuracy and least stress
on the network. It scans all 65535 possible ports for both TCP and UDP. It can
take several hours to complete.
In Nmap we
use -A switch to do port scan, tell us the exact service and version and to
detect which OS the host is using.
A
True
B
False
Explanation:
The -A switch not only does a port scan, but
tells us the exact service, its version and even runs some scripts based on the
service found to get more information. The -A switch also tries Operating System
detection along with reverse DNS and other additional checks.
Here is a list of
some tools that are used for automating VAPT:
- Burp
Suite Pro - Complete overall semi-automated VAPT for technical flaws such
as SQLi, XSS, Command injection, CSRF, etc.
- Acunetix
- Completely automated VAPT with minimal human intervention (like for
login pages) for overall bugs - technical or non technical.
- Nikto
- Free open-source tool which is a bit old and is mainly used to find
configuration issues on the web server.
- OWASP
ZAP Proxy - Similar to Burp Suite, but available free of cost.
- Nessus
- Completely automated VAPT for network-based and server-based
vulnerabilities.
- Metasploit
- One of the most widely used free tool containing various semi-automated
modules to check for and exploit vulnerabilities.
Since a massive amount of research and testing goes into developing these tools,
most of them are paid.
But most paid tools also have a free-to-use alternative.
This alternative may not be as user friendly as the paid version and may not
generate impressive reports, but it can give you a hint of where to do manual
attacks. The Burp Suite Community version that we have used in this training is
the free alternative to the paid version, Burp Suite Pro.
Inserting
unexpected input in standard fields in an application and studying the response
is called Fuzzing.
A
True
Explanation:
Inserting unexpected input in standard
fields in an application and studying the response is called Fuzzing and the inputs
that are tried are called payloads.
Which of the
following is not a VAPT tool?
A
ZAP Proxy
B
Nikto
C
Burp Suite
D
Active Perl
Explanation:
Active Perl is just software for writing and
running Perl scripts on Windows. Some of the widely used VAPT tools are
Aircrack-ng, Burp Suite Pro, Nikto, OWASP ZAP Proxy, Metasploit, Wireshark,
etc.
Nikto web
server scanner is used to do which of the following?
A
Checks for outdated server components
B
Scan multiple ports on a server, or multiple servers via the
input file
C
Subdomain guessing
D
All of the above
Explanation:
Nikto is an Open Source (GPL) web server
scanner which performs comprehensive tests against web servers for multiple
items and checks for outdated versions of over 1250 servers. It also checks for
server configuration items such as the presence of multiple index files and HTTP
server options, and will attempt to identify installed web servers and
software. Scan items and plugins are frequently updated and can be
updated automatically, and it has many other uses.
If Burp
reports that it has found SQL injection in the given target, it means that the
website is definitely vulnerable to SQL injection.
A
True
B
False
Explanation:
A lot of the time, automated scanners
report false positives. In Burp Suite, when Burp is not sure, it even gives a
"tentative"/"unsure" status which suggests that you must revalidate the bug. So
we always need to check each reported vulnerability manually and confirm whether
it is a false positive or not.
Question 1 1 Mark
Improper Input Sanitisation is when an application gives output to the
user and doesn’t sanitise it properly. An attacker exploits this by injecting
malicious commands, codes, tokens, etc. and when the application injects this
data into HTTP responses, attacker is able to control the HTTP/HTML response and
attack the users of the application.
A
True
B
False
Correct Answer: B. False
Improper Output
Sanitisation is when an application gives output to the user and doesn’t
sanitise it properly. An attacker exploits this by injecting malicious
commands, codes, tokens, etc. and when applications inject this data into HTTP
responses, the attacker is able to control the HTTP/HTML response and attack
the users of the application. Whereas, Improper Input Sanitisation is when an
application takes input from the user and doesn’t sanitise it properly. An
attacker exploits this by injecting malicious commands, codes, tokens, etc. and
when the application parses this data input by the user, the malicious code
executes and gives the attacker access he/she shouldn’t have.
Question 2 1 Mark
If Burp scanner shows an alert sign which is white in color, it means
the issue is ___________.
A
Critical and confirmed
B
High
C
General information
D
Critical and not
sure but maybe
Correct Answer: D. Critical and not sure but
maybe
For Burp, here are
some common colours that are used and their meaning:
- Red alert: Critical, confirmed
- White alert: Critical, not sure but maybe
- Orange alert: High
- Yellow alert: Medium
- Grey "i" icon: General information
Question 3 1 Mark
Dirbuster is a tool which can be used to find each and every folder and
file on the website.
A
True
B
False
Correct Answer: B. False
Dirsearch cannot
find each and every file and folder on the website; instead it finds out whether
files with common file/folder names exist on the server. It guesses the
file/folder names using a dictionary file which contains common folder and file
names.
Question 4 1 Mark
Dirbuster dictionary will contain file names like admin.php, login.asp
and robots.txt since these are common filenames.
A
True
B
False
Correct Answer: B. False
Dirbuster
dictionaries do not contain any extensions. Remember that you provide the list
of extensions to try. The dictionaries only contain file names like admin, login
and robots. When you provide extensions to try like php, asp and txt, it will
search for admin.php, admin.asp, admin.txt, login.php, login.asp, login.txt,
robots.php, robots.asp and robots.txt. Whichever of these exist on the
website, dirbuster will notify you.
Question 5 1 Mark
Let’s say you enter this URL in dirbuster http://x.com/admin/ . It will
search for files and folders in which of these directories?
A
http://x.com/HERE
B
http://x.com/admin/HERE
Correct Answer: A. http://x.com/HERE
By default
dirbuster will start the searching in x.com/ because there is an option in
dirbuster for “Dir to start with” which has the value of /. If you want to
search specifically after x.com/admin/HERE then you have to put /admin/ in the
“dir to start with field”.
Question 6 1 Mark
In the previous scenario if Dirbuster finds a folder x.com/images/, dirbuster
will automatically start searching for files in /images/ too. This happens due
to which of these options?
A
Bruteforce Dirs
B
Bruteforce files
C
Be Recursive
D
List Based
bruteforce
Correct Answer: C. Be Recursive
The “Be recursive”
option in dirbuster will first find folders and files in the / directory and
then repeat the same wordlist for all folders it found in step 1 and this will
keep happening until all found folders are searched. To avoid this, you can
uncheck this option and if let’s say you do find an interesting folder like
/backup/ then you can set the “Dir to start with” option to “/backup/”.
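An added example (not part of the course and not DirBuster's own code) that models what questions 3 to 6 describe: how candidate names are built from a wordlist plus the extensions you supply, what "Dir to start with" changes, and what "Be recursive" does. The server inventory, wordlist and extensions are constructed, and an in-memory set stands in for HTTP requests so the script runs offline. For a site owner the same logic explains what a scan of their server would and would not reveal: a folder whose name is not in the wordlist is never found, and recursion multiplies the request count by every folder discovered.

```python
# Constructed inventory of paths that "exist" on a pretend server, used instead
# of real HTTP requests so the example runs offline.
EXISTING_PATHS = {
    "/admin/", "/admin/login.php", "/images/", "/images/logo.png",
    "/robots.txt", "/backup/", "/backup/admin.txt", "/login.php",
}
WORDLIST = ["admin", "images", "login", "robots", "backup"]   # constructed, extension-free
EXTENSIONS = ["php", "txt"]                                   # supplied separately, as in DirBuster


def candidates(directory, words, extensions):
    """Names tried under one directory: each word as a folder, and each word
    combined with every extension as a file."""
    names = []
    for word in words:
        names.append(directory + word + "/")
        for ext in extensions:
            names.append(directory + word + "." + ext)
    return names


def brute_force(start_dir, words, extensions, exists, recursive):
    """Returns the paths found, in discovery order. start_dir plays the role of
    "Dir to start with"; with recursive=True every folder found is searched with
    the same wordlist until no new folders turn up ("Be recursive")."""
    found, queue, seen = [], [start_dir], set()
    while queue:
        directory = queue.pop(0)
        if directory in seen:
            continue
        seen.add(directory)
        for path in candidates(directory, words, extensions):
            if exists(path):            # stands in for "the server answered 200"
                found.append(path)
                if recursive and path.endswith("/"):
                    queue.append(path)
    return found


if __name__ == "__main__":
    exists = EXISTING_PATHS.__contains__
    print(brute_force("/", WORDLIST, EXTENSIONS, exists, recursive=False))
    print(brute_force("/", WORDLIST, EXTENSIONS, exists, recursive=True))
    print(brute_force("/admin/", WORDLIST, EXTENSIONS, exists, recursive=False))
```

Note that /images/logo.png is never reported: "logo" is not in the wordlist, which is the limitation question 3 is about.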
Question 7 1 Mark
Which of these is the purpose of an Intense Scan + UDP in zenmap?
A
Scans services running on all 65535 ports
B
Scans top 1000 UDP ports
C
Scans top 1000 TCP and UDP ports
D
Scan all 65535 TCP and UDP ports
E
None of the above
Correct Answer: C. Scans top 1000 TCP and UDP
ports
Normal intense scan
only scans TCP ports but Intense scan +UDP scans both TCP and UDP ports and the
intense scan scans only the top 1000 ports.
Question 8 1 Mark
In Zenmap, the quick scan is quick because of which of the following
reasons?
A
It uses multi threading
B
It scans even less than 1000 common ports
C
It does not do version detection and OS detection
D
All of the above
Correct Answer: D. All of the above
Quick scan uses the -F
switch, which scans only the most common ports like 80, 443, 23, 22,
etc. and not the standard 1000 ports of the Intense Scan (-A). Also, it
does not do version detection and OS detection. It will only give you the list
of open ports. You can, however, use Quick Scan plus to do version detection
quickly.
Question 9 1 Mark
In nmap if we want to print verbose output, run stealth syn scan, T5
timing(maximum speed setting), OS and version detection for all possible TCP
ports, we use which of the following?
A
nmap -v -sS -p0-65535 -O -sV -T5 target
B
nmap -v -p- -sV -O -T5 target
C
nmap -v -p0-65535 -A -T5 target
D
nmap -v -sS -p- -sV -O -T5 target
E
All of the above
Correct Answer: E. All of the above
-v is used to print
debug information (verbose mode) and tells you how much time is remaining for
the scan to complete. By default, nmap does a TCP stealth SYN scan (-sS), hence
putting -sS is optional as nmap uses it anyway. To scan all possible ports
you can use either -p0-65535 or -p-. -O is used for OS detection and -T5 runs
nmap at the maximum speed setting. -sV is used for version detection. -A
does -sS -sV -O. Hence all options are correct.
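As an added example (not from the course, and not nmap's own code), this Python function expands the switches used in question 9 into the features each command line actually requests, so the four options can be compared side by side rather than by eye. It assumes what nmap's documentation states: -A expands to -sS -sV -O -sC --traceroute, -sS is the default scan type for a privileged user, and the -p- alias covers ports 1 to 65535 while -p0-65535 also includes port 0. Only the switches from the question are modelled.

```python
import re


def describe_nmap(cmdline):
    """Expands an nmap command line into the scan features it requests.
    Assumption: -A implies -sS -sV -O -sC --traceroute and -sS is the default
    scan type, as documented for nmap; switches not in the question are ignored."""
    tokens = cmdline.split()
    if not tokens or tokens[0] != "nmap":
        raise ValueError("expected a command line starting with nmap")
    feats = {"verbose": False, "scan_type": "sS", "version": False, "os": False,
             "scripts": False, "timing": "T3", "ports": "top-1000", "target": None}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t == "-v":
            feats["verbose"] = True
        elif t == "-A":                      # aggressive: version + OS + default scripts
            feats["version"] = feats["os"] = feats["scripts"] = True
        elif t == "-sV":
            feats["version"] = True
        elif t == "-O":
            feats["os"] = True
        elif t in ("-sS", "-sT", "-sU", "-sn"):
            feats["scan_type"] = t[1:]
        elif re.fullmatch(r"-T[0-5]", t):
            feats["timing"] = t[1:]
        elif t.startswith("-p"):
            spec = t[2:] or tokens[i + 1]     # accepts both "-p-" and "-p 0-65535"
            feats["ports"] = "1-65535" if spec == "-" else spec   # -p- alias starts at port 1
            if not t[2:]:
                i += 1
        elif not t.startswith("-"):
            feats["target"] = t
        i += 1
    return feats


if __name__ == "__main__":
    for option in ("nmap -v -sS -p0-65535 -O -sV -T5 target",
                   "nmap -v -p- -sV -O -T5 target",
                   "nmap -v -p0-65535 -A -T5 target",
                   "nmap -v -sS -p- -sV -O -T5 target"):
        print(option, "->", describe_nmap(option))
```

Two small differences surface that the explanation glosses over: -A also turns on the default script scan, and -p- skips port 0, which -p0-65535 includes. Neither changes the answer for this question, but both matter when you read someone else's scan results.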
Question 10 1 Mark
To scan the ports 0-1000 we can do an Intense Scan.
A
True
B
False
Correct Answer: B. False
The intense scan
(-A) scans the top 1000 ports, i.e. the most commonly used 1000 ports. So even
though 3306>1000, it is a common port used by MySQL and it is included in the
most commonly used 1000 ports. This does not mean that the intense scan will scan
port 1 or port 90 or port 999, which are uncommon ports. To scan only the ports
between 0-1000, you can give -p0-1000 instead. In that case, it won't scan port
3306.
Question 11 1 Mark
Finding subdomains of a given domain is extremely important as
developers might host protected/private/secret applications and do not expect
people to find it.
A
True
B
False
Correct Answer: A. True
Subdomains often
contain more bugs than the main website, as the developers focus more on
the main website. Subdomains generally contain internal panels, server login
pages, etc. So you should always try to find all subdomains of a given domain.
You can do this using tools like Fierce, Google dorks, and a website called
dnsdumpster.com.
Question 12 1 Mark
Reverse Whois allows you to search which of the following?
A
If the domain is available to purchase
B
If the subdomain is working
C
Domains by the name, address, telephone number and email address of the
registrant
D
All of the above
Correct Answer: C. Domains by the name, address,
telephone number and email address of the registrant
Reverse Whois
allows you to search for domains by the name, address, telephone number and
email address of the registrant listed in Whois records.
Question 13 1 Mark
Burp Suite automated scanner is free to use.
A
True
B
False
Correct Answer: B. False
Although there are
some old pirated versions of Burp suite, to use Burp suite automated scanner
legally, one needs to buy Burp Suite pro.
Documentation:
Some common tips
for taking a PoC:
- Take
a screenshot of everything. You might not need it, but that is better than
regretting it later.
- Take
relevant screenshots with only the required region. The developer doesn’t
need to see your entire desktop and taskbar while you are trying to show
him an XSS popup.
- Make
mute videos and use text editors to type instructions. It is much more
convenient.
- Write
down every step of your process in your text editor, be it information
gathering and the information you found, vulnerabilities found,
interesting blogs/links that you read to find, test and exploit
vulnerabilities, links to automate scripts/exploits you found online, data
you found after exploitation, everything!
- Use
proper folder and file structure.
- Make
sure that this data is backed up and secure. Use Google Drive, Dropbox,
Onedrive, etc. to constantly backup the screenshot folders and VAPT
project folders to the cloud.
- Also,
make sure these are safe and secure, since if someone gets hold of this,
he/she will be able to cause critical damage to the organisation and you
will get into trouble.
What does
proof of concept mean?
A
A presentation describing the tools that are used to exploit the
vulnerability
B
A video showing how the attacker can exploit a vulnerability in
a website
C
A text file showing the steps that are used to find the
vulnerability
D
All of the above
Explanation:
A PoC in ethical hacking is a collection of
evidence like screenshots, videos and HTTP requests along with the sequence of
steps that were used to test and exploit a loophole. These steps must be
explained in such a way that a technical person like a developer is able
to follow them and replicate the same vulnerability at his own end. A PoC
can be in any format like pptx, text file or video.
If you find
an SQL injection vulnerability, which of the following parts should you provide
as a proof of concept in your report to the developers?
A
The URL and parameter you found the SQL injection in
B
Databases, table names and data you were able to extract
C
Screenshot of the vulnerability with the step by step guide on
how to replicate it
D
All of the above
Explanation:
You need to provide complete information in
your proof of concept like including what you found, where you found it, how
you exploited it with steps and guide, how to fix it and some references so
that the developer can read more about it.
Let’s look at the
key parts of a Detailed Developer Report:
- Index
of all the vulnerabilities.
- Information
about what exact URL and parameters are affected.
- The
payload you used to confirm the vulnerability.
- Observations
(screenshots/videos) explaining a complete step by step exploitation of
each vulnerability.
- Outcome
(if any) i.e. the data you were able to extract using the vulnerability,
commands you were able to run, etc.
- Business
Impact - A detailed description of the impact of the vulnerability with
examples (screenshots/videos).
- Recommendations
on how to patch the vulnerability.
- References
about the vulnerability, including links explaining the vulnerability, the
patches and the impact.
Let’s look at the
key parts of a High Level Management Summary:
- Information
summarising everything a hacker can do if an attack happens, containing
maximum possible impacts of each vulnerability (multiple if they exist).
- Information
about what exact URL and parameters are affected.
- Brief
observations containing only the application affected and impact
information i.e no step by step guide is required, but only outcome
observations.
- Detailed
business impact with proofs of all kind of information you extracted during
the exploitation.
- References
about the vulnerabilities (not the patches).
Let us discuss some basic recommendation points for common OWASP Top 10
vulnerabilities and some others (assuming that for almost all major
vulnerabilities, OWASP has Wiki documents that can be used for Referencing):
Injections (SQL): SQL injections exist when an
application doesn't sanitise user input before passing it into an SQL
command. Here are a few recommendations:
- Sanitise user
input and remove or encode special characters like ‘ “ - () # etc.
- Use
whitelist filters, which means if a parameter is supposed to have integer
values, do not allow non-numeric input. If it is an email field, allow
alphanumerics, @ and .(dot)
- Use
strong web application firewalls to make exploitation difficult
- Never
run SQL server software (MySQL, MsSQL, etc.) as high privilege user such
as ‘root’
- Use
prepared statements for SQL queries instead of inserting user
controlled input into SQL queries
- Remove
default databases and accounts such as test, guest, admin, etc.
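The second and fifth recommendations are the ones that remove the bug rather than make it harder to reach. The following Python example (added here; it is not course code) shows, on an in-memory SQLite table, the concatenated query that the recommendation warns against next to the same lookup done with a prepared statement, plus the whitelist validation for an integer field and an email field. The table contents and the constructed payload are for the example only.

```python
import re
import sqlite3


def make_db():
    """In-memory demo database with a constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice@example.test", "admin"), (2, "bob@example.test", "user")])
    return con


def find_user_vulnerable(con, email):
    # Vulnerable: user input is pasted into the SQL text, so quote characters
    # in the input become part of the query.
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con, email):
    # Prepared statement: the value is bound as data and never parsed as SQL.
    return con.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


# Whitelist filters: accept only the characters a field legitimately needs.
INT_RE = re.compile(r"[0-9]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")


def validate(field, value):
    """True when the value matches the whitelist for that field type."""
    if field == "id":
        return INT_RE.fullmatch(value) is not None
    if field == "email":
        return EMAIL_RE.fullmatch(value) is not None
    return False


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"          # constructed input with a quote character
    print(find_user_vulnerable(con, payload))   # both rows: the condition became always-true
    print(find_user_safe(con, payload))         # no rows: the whole string was compared literally
    print(validate("id", "42"), validate("id", "42 OR 1=1"))
```

Both defences are worth keeping: the prepared statement stops injection outright, and the whitelist rejects the malformed input early, before it reaches any query or log.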
Cross Site Scripting (XSS):
This happens when a user controlled input is reflected somewhere else in
an HTML page and is not encoded/sanitised properly. This leads to an
attacker being able to inject HTML code in the affected page. So, the fix is to
make sure that any input which is taken from a user, while being written into
an HTTP response must be cleaned first. So, the recommendations can be written
as:
- Perform
proper output encoding of special characters like < > “ ‘
- For
example, before printing untrusted user-supplied data into an HTML
response, convert special characters into HTML encoding (< > "
etc.) or URL encode them (%3C %3E %22 %27)
Insecure Direct Object References (IDOR) + Rate Limiting (Brute forcing)
flaws:
This happens, when an application doesn't check if a user who is
requesting a resource actually is requesting data that he is supposed to
view/edit. So, the recommendations can be:
- Sensitive
information must only be accessible to authorised users
- Implement
proper authentication and authorisation checks at every function
to make sure that the data a user requests to view or edit is their own and
no one else's
- Implement
proper Rate Limiting checks that disallow a large number of
requests from/to a single resource. For example, if from a single device
a single module like OTP check, password check, signup, etc. is being
called 100 times in a single minute, it should be blocked
- Similarly,
if an account's password is being attempted to reset even from different
devices, the account should be locked for a while
- Implement
these checks on the basis of IP addresses and sessions
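The last three recommendations combine into one mechanism: a per-client sliding window and a per-account counter that adds up attempts from every device. The Python class below is an added example (not from the course) implementing both; the thresholds in the usage and the injected clock are constructed so the example runs instantly and offline.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter keyed by (client, action), where client is an IP
    address or session id, plus a per-account lockout that counts attempts on one
    account from all clients together (the "different devices" case)."""

    def __init__(self, max_per_window=100, window=60.0, account_max=5,
                 lock_seconds=900.0, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window
        self.account_max = account_max
        self.lock_seconds = lock_seconds
        self.clock = clock                      # injectable for testing
        self.hits = defaultdict(deque)          # (client, action) -> timestamps
        self.account_hits = defaultdict(deque)  # (account, action) -> timestamps
        self.locked_until = {}                  # account -> unlock time

    def _prune(self, timestamps, now):
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def allow(self, client, action, account=None):
        """Returns (allowed, reason) for one attempt."""
        now = self.clock()
        if account is not None and self.locked_until.get(account, 0) > now:
            return False, "account locked"
        per_client = self.hits[(client, action)]
        self._prune(per_client, now)
        if len(per_client) >= self.max_per_window:
            return False, "too many requests from this client"
        per_client.append(now)
        if account is not None:
            per_account = self.account_hits[(account, action)]
            self._prune(per_account, now)
            per_account.append(now)
            if len(per_account) > self.account_max:
                self.locked_until[account] = now + self.lock_seconds
                return False, "account locked"
        return True, "ok"


if __name__ == "__main__":
    limiter = RateLimiter(max_per_window=100, window=60, account_max=5)
    for attempt in range(7):
        # constructed: one account, a different client id on every attempt
        print(limiter.allow("client-%d" % attempt, "password-reset", account="alice"))
```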
Arbitrary File Uploads:
This happens when applications do not implement proper file type
checking and allow uploading of files of different file formats. For example, a
PHP file instead of a jpeg profile picture.
- Perform
proper server-side validations on what kind of a file user is uploading
- Use
white lists filters instead of black list filters. Example: in
case of a resume upload feature, instead of banning PHP and .exe files,
only allow .pdf, .doc and .docx files
- Rename
the files using a code, so that the attacker cannot play around with file
names
- Use
static file hosting servers like CDNs and file clouds to store files
instead of storing them on the application server itself
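The first three recommendations map onto three checks in code: a whitelist of extensions, a look at the file's leading bytes so the content matches the claimed type, and a server-chosen random name for storage. The Python example below is added here (not course code); the signatures are the standard ones for PDF, OLE2 .doc and ZIP-based .docx, and the dict that receives the file stands in for the CDN or object store the last recommendation suggests.

```python
import os
import secrets

# Whitelist: allowed extensions and the leading bytes each type must start with.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound document header
    "docx": (b"PK\x03\x04",),                       # ZIP container used by OOXML
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Server-side checks on a resume upload: extension whitelist plus a content
    signature check. Returns the canonical extension or raises UploadRejected."""
    base = os.path.basename(filename)            # drop any directory parts the client sent
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("file type not allowed: " + ext)
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content does not match ." + ext)
    return ext


def is_accepted(filename, data):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename, data, storage):
    """Validates, then stores under a random server-chosen name so the original
    name (and any tricks in it) never reaches the file system; returns that name.
    storage is a dict standing in for an object store or CDN bucket."""
    ext = validate_upload(filename, data)
    stored_name = secrets.token_hex(16) + "." + ext
    storage[stored_name] = data
    return stored_name


if __name__ == "__main__":
    bucket = {}
    print(store_upload("resume.pdf", b"%PDF-1.7\n%constructed", bucket))
    print(is_accepted("shell.php", b"<?php constructed ?>"))
    print(is_accepted("shell.pdf", b"<?php constructed ?>"))
```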
Cross Site Request Forgery (CSRF):
This happens when an application allows critical actions
without any additional tokens like passwords, and also accepts HTTP requests
without checking where exactly they are coming from. To prevent CSRF, all
critical actions must be password protected, CSRF tokens should be used, and all
requests must first check and make sure that the request is coming from the
website itself and not some third-party page. So, recommendations can be:
- Ask
the user his password (temporary like OTP or permanent like login
password) at every critical action like while deleting account,
making a transaction, changing the password etc.
- Implement
the concept of CSRF tokens which attach a unique hidden password to every
user in every <form>. Read the documentation related to the
programming language and framework being used by your website
- Check
the referer before carrying out actions. This means that any action on
x.com should check that the HTTP referrer is https://x.com/* and nothing
else like https://x.com.hacker.com/*
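The second and third recommendations, as an added Python example (not from the course and not any framework's implementation): a CSRF token bound to the session with an HMAC, verified in constant time, and an exact-origin comparison of the Referer header that rejects https://x.com.hacker.com because the whole scheme and host must match, not merely the prefix. The site origin https://x.com follows the text above; the secret and session ids are constructed, and checking the Origin header alongside Referer is this example's addition.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://x.com"   # the application's own origin, as in the recommendation


def issue_csrf_token(session_id, secret):
    """Random nonce plus an HMAC over nonce and session, so a token stolen or
    generated for one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, (nonce + ":" + session_id).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(token, session_id, secret):
    """Recomputes the HMAC for this session and compares in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):      # missing or malformed token
        return False
    expected = hmac.new(secret, (nonce + ":" + session_id).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(header_value):
    """Checks a Referer or Origin header value: scheme and host must equal the
    site origin exactly, so a look-alike host that merely starts with the site
    name is rejected."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return parts.scheme + "://" + parts.netloc == SITE_ORIGIN


def authorize_critical_action(form, session_id, headers, secret):
    """Defence in depth for a state-changing request: a valid CSRF token AND an
    Origin/Referer header from the site itself. Returns (ok, reason)."""
    if not verify_csrf_token(form.get("csrf_token"), session_id, secret):
        return False, "bad csrf token"
    if not same_origin(headers.get("Origin") or headers.get("Referer")):
        return False, "cross-origin request"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-secret-key"
    token = issue_csrf_token("sess-1", key)
    print(authorize_critical_action({"csrf_token": token}, "sess-1",
                                    {"Referer": "https://x.com/settings"}, key))
    print(authorize_critical_action({"csrf_token": token}, "sess-1",
                                    {"Referer": "https://x.com.hacker.com/"}, key))
```

The token is what actually stops CSRF; the origin check is the cheap extra layer the third recommendation describes, and an absent header is treated as a failure rather than a pass.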
Using components with known vulnerabilities:
Here, the attacker finds that the server is using an older version of some software, plugin, theme, OS etc. and then uses publicly disclosed vulnerabilities of that specific version to exploit the server. So, the recommendations are:
- Upgrade to the latest version of the affected software/theme/plugin/OS, which means the latest version number
- If an upgrade is not possible for the time being, isolate the server from any other critical data and servers
Security Misconfigurations:
The category of security misconfigurations is rather wide and the recommendations are completely different for each misconfiguration, but the concept is the same. For example, if a website is using an Apache Tomcat server and is configured with default credentials like tomcat:tomcat, the recommendations would contain the steps to change the password for Apache Tomcat and suggest keeping a strong alphanumeric password which is difficult to guess.
Session and Cookie Flaws:
Again, these depend upon the exact flaw, but below are some common good practices:
- Do not store critical information such as passwords in cookies
- Set relevant (based on business requirements) expiration times on sessions and cookies
- Disallow concurrent logins (logging into the same account from multiple devices/locations)
- Make sure all cookies are HTTPS protected
- Destroy sessions and cookies properly once a user logs out
- Do not allow access to any resource without an authenticated and authorised cookie
- Cookies and session tokens should be at least 30-40 characters long, alphanumeric, in no way related to the actual data they are referencing, and impossible to guess
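The cookie and session practices above, as an added Python example that is not part of the original post: a server-side session store with random 40-character alphanumeric tokens, an expiry, one active session per account, proper destruction on logout, and the Set-Cookie attributes that make the cookie HTTPS-only and unreadable from scripts. The 30-minute TTL is an assumed business requirement; the `now` parameters exist so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from typing import Dict, Optional

SESSION_TTL = 30 * 60  # seconds; an assumed business requirement, not from the page


class SessionStore:
    """Server-side sessions keyed by a random 40-character alphanumeric token.
    The cookie holds only the token; user data never leaves the server."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}   # token -> {"user": ..., "expires": ...}
        self._by_user: Dict[str, str] = {}     # user -> active token (one per user)

    def login(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Disallow concurrent logins: a new login invalidates the older session.
        old = self._by_user.pop(user, None)
        if old is not None:
            self._sessions.pop(old, None)
        # 20 random bytes -> 40 hex characters; unrelated to the user or any data.
        token = secrets.token_hex(20)
        self._sessions[token] = {"user": user, "expires": now + SESSION_TTL}
        self._by_user[user] = token
        return token

    def user_for(self, token: Optional[str], now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated user for a cookie value, or None if the
        session is missing or expired (expired entries are destroyed)."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token or "")
        if entry is None:
            return None
        if now >= entry["expires"]:
            self.logout(token)
            return None
        return entry["user"]

    def logout(self, token: Optional[str]) -> None:
        """Destroy the session properly when the user logs out."""
        entry = self._sessions.pop(token or "", None)
        if entry is not None and self._by_user.get(entry["user"]) == token:
            del self._by_user[entry["user"]]


def session_cookie(token: str) -> str:
    """Set-Cookie value for the session id: sent only over HTTPS (Secure),
    hidden from JavaScript (HttpOnly), and expiring with the session."""
    return (f"sid={token}; Max-Age={SESSION_TTL}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


def logout_cookie() -> str:
    """Set-Cookie value that makes the browser drop the cookie on logout."""
    return "sid=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print(session_cookie(sid))
    print(store.user_for(sid))
```

Every request that touches a protected resource goes through `user_for`; a None result means "not authenticated", which covers the missing-cookie, forged-token, expired and logged-out cases with one check.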
Client Side validation flaws:
These issues basically occur when an application does user input sanitisation only on the client side. For example, taking the quantity of a product to buy using non-editable text fields and + - buttons, but once the request is intercepted using a proxy, you can pass negative or decimal values in quantity and on the server side no checks are in place. Hence, the fix is simple too.
- Implement all critical checks in server-side code only
- Client-side checks must be treated as decorative only
- All business logic must be implemented and checked in the server code.
- This includes user input, the flow of the application and even the URLs/modules a user is supposed to access or not
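An added Python example (not from the original post) of the server-side half of the quantity scenario above: the quantity is validated as a positive whole number within a limit, and the price and total come from a server-side catalogue rather than the form, so a proxy-edited request with a negative, decimal or fabricated total is rejected or ignored. The catalogue, SKU names and the limit of 99 are constructed for the example.

```python
import re
from decimal import Decimal
from typing import Dict

# Constructed server-side catalogue: the price comes from here, never from the client.
CATALOGUE: Dict[str, Decimal] = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("5.00"),
}
MAX_QUANTITY = 99  # assumed business rule

# Positive whole number only: no sign, no decimal point, no exponent, no spaces.
_QUANTITY_RE = re.compile(r"^[1-9][0-9]{0,2}$")


class InvalidOrder(ValueError):
    pass


def validate_quantity(raw: str) -> int:
    """Accept only a positive integer string within the business limit.
    Rejects '-1', '0', '1.5', '1e3', '' and padded values, regardless of what
    the '+'/'-' buttons allowed in the browser."""
    if not isinstance(raw, str) or not _QUANTITY_RE.match(raw):
        raise InvalidOrder(f"quantity {raw!r} is not a positive whole number")
    qty = int(raw)
    if qty > MAX_QUANTITY:
        raise InvalidOrder(f"quantity {qty} exceeds limit {MAX_QUANTITY}")
    return qty


def build_order(form: Dict[str, str]) -> Dict[str, object]:
    """Server-side order construction from an untrusted form submission.
    Only sku and quantity are read; any client-supplied price or total is ignored."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise InvalidOrder(f"unknown product {sku!r}")
    qty = validate_quantity(form.get("quantity", ""))
    unit = CATALOGUE[sku]
    return {"sku": sku, "quantity": qty, "unit_price": unit, "total": unit * qty}


if __name__ == "__main__":
    # Constructed request as a proxy might send it: a tampered total is ignored.
    print(build_order({"sku": "sku-100", "quantity": "2", "total": "0.01"}))
```

The same pattern applies to the other items in the list: the server decides which module a user may reach and what the next step of a flow is, and treats every field in the request as untrusted input.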
Which of the following recommendations are correct for fixing an SQL injection vulnerability in an application?
A. Remove default databases and accounts such as test, guest, etc.
B. Use strong web application firewalls to make exploitation difficult
C. Sanitise user input and remove/encode special characters like ‘ “ - () # etc.
D. All of the above
Explanation:
The best way to fix an SQL injection vulnerability is to sanitise user input and remove special characters, use whitelist filters, use strong web application firewalls, remove default databases, etc.
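An added Python example (not from the original post) showing the SQL injection fix in code, using the standard library sqlite3 module with constructed sample rows. It pairs the vulnerable string-concatenated query with a parameterised query, a fix the page does not name explicitly but which is the standard way to stop user input being interpreted as SQL, and applies the whitelist filter the explanation recommends to a sort column, which cannot be passed as a parameter.

```python
import sqlite3
from typing import List, Tuple

# Whitelist for a part of the statement that cannot be parameterised (an identifier).
ALLOWED_SORT_COLUMNS = {"username", "created"}


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created TEXT)")
    con.executemany("INSERT INTO users (username, created) VALUES (?, ?)",
                    [("alice", "2021-01-01"), ("bob", "2021-02-01")])
    return con


def find_user_vulnerable(con: sqlite3.Connection, username: str) -> List[Tuple]:
    """The flaw: user input is pasted straight into the statement, so a quote
    in the input ends the string literal and the rest becomes SQL."""
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return con.execute(query).fetchall()


def find_user_safe(con: sqlite3.Connection, username: str) -> List[Tuple]:
    """Fix: the value travels as a bound parameter, so quotes, dashes and
    comment characters inside it are data, never part of the statement."""
    return con.execute("SELECT id, username FROM users WHERE username = ?",
                       (username,)).fetchall()


def list_users_sorted(con: sqlite3.Connection, sort_by: str) -> List[Tuple]:
    """Identifiers cannot be bound, so apply the whitelist filter the text
    recommends instead of trying to strip dangerous characters."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column {sort_by!r} is not allowed")
    return con.execute(f"SELECT id, username FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the classic tautology payload from any SQLi write-up
    print("vulnerable:", find_user_vulnerable(db, probe))  # returns every row
    print("safe:      ", find_user_safe(db, probe))        # returns nothing
```

Removing special characters from input, as option C suggests, helps as defence in depth, but binding parameters removes the problem at its root because the database never parses the user's value as SQL.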
Insecure Direct Object References (IDOR) can be prevented by which of the following methods?
A. Implementing proper authentication and authorisation checks at every function to make sure that the resource the user is requesting access to, whether to view or edit, is his/her own data and no one else's.
Explanation:
IDOR can be prevented in many ways, like making sensitive information accessible only to authorised users and implementing proper authentication and authorisation checks at every function to make sure that the resource the user is requesting access to, whether to view or edit, is his/her own data and no one else's.
Session and Cookie Flaws can be prevented by which of the following methods?
A. Disallow concurrent logins (logging into the same account from multiple devices/locations) and make sure all cookies are HTTPS protected
Explanation:
Session and cookie flaws can be prevented by making sure all cookies are HTTPS protected, destroying sessions and cookies properly once a user logs out, not allowing access to any resource without an authenticated and authorised cookie, etc.
To prevent XSS, the application must sanitise the ____________.
A. Input before taking it from the user
B. Output before giving it to the user
C. HTTP headers
D. Cookies
Answer: B. Output before giving it to the user
Explanation:
An XSS vulnerability happens due to improper/missing output sanitisation, hence to protect from it, applications must remove/encode special characters like ‘ “ < > / -- ! ; before giving output to the users. This is called output encoding.
What is meant by preventing exploitation of “Components with known vulnerabilities”?
A. Make sure all installed 3rd party components are regularly updated and patched
Explanation:
Make sure all installed 3rd party components are regularly updated and patched.
Statistics about the audit part in a VAPT report consist of which of the following?
A. Vulnerabilities per category
B. Scan start and end date and time
C. Vulnerabilities per asset
D. All of the above
Explanation:
The statistics about the audit part contain important numbers like the total number of vulnerabilities in various categories like critical, severe, moderate and low, with some general colour coding: critical is generally dark red, severe is orange, moderate is yellow and low is green.
When curating a VAPT report, the recommendation part should contain information about which of the following?
A. Explaining each step you did to perform the hack
B. Tools required to exploit the vulnerability
C. Impact caused by the flaw you discovered
D. Steps mentioning how to patch the flaw
Explanation:
In the recommendation part, you have to explain how to patch the bug (generalised for all occurrences) and also provide recommendations and good practices to avoid breaches.
Providing links to reputed documents/blogs that explain the vulnerability, its impact and prevention comes under the references part when producing a VAPT report.
A. True
Explanation:
The references section contains links to reputed documents/blogs that explain the vulnerability, its impact and prevention, and also links to specific tutorials, blogs, tools, scripts, exploits, etc. you used to confirm/exploit the vulnerability.
Kenny found an SQL injection vulnerability while testing a website. So while curating a PoC for the vulnerability, in which of these parts should he mention the steps for the vulnerability?
A. Reference
B. Exploit way
C. Observation
Explanation:
The Observation part is a collection of slides (one per step) acting as a step by step guide to test the vulnerability with a valid PoC.
The Business Impact part in a VAPT report should contain which of the following?
A. Scan start and end date and time
B. Steps mentioning how to patch the flaw
C. Loss caused by the vulnerability to the company
Explanation:
The business impact slide contains the realistic and possible impact of the vulnerability along with proofs of business impact (if available).
Here are a few bad practices we must avoid while writing a report:
- Avoid any spelling and grammatical errors/mistakes.
- Do not flood the report with too many irrelevant statistics.
- Do not write the report from a hacker's perspective, as you cannot expect the reader to understand hacking concepts.
- Do not use screenshots in which the details are not clearly visible. To solve this issue, take multiple small screenshots of the same page instead of taking one extremely big screenshot.
- Never stretch images/screenshots that you are using in the report. Stretching the images/screenshots will make them distorted. So, if you want to make an image bigger, you can stretch it from the bottom right corner, but not too much.
- Don't include and explain all the steps you did to get to the hack. In the report, include steps like the initial payload that acts as a PoC (like showing the database name/version) and then show what data you extracted (like usernames and passwords etc.). The steps followed in the middle are hacker centric and are not required in the report.
Which of the following is a good practice to follow when curating a VAPT report?
A. Identify the difference between Observation and Business Impact
Explanation:
Many pentesters clearly don't know the difference between Observation and Business Impact. Observation contains the steps followed to find the vulnerability and Business Impact contains what could happen in the case of a black hat hacker. So when producing a report you need to clearly state both the business impact of the vulnerability you found and the observation.
Which of the following is a bad practice to avoid when curating a VAPT report?
A. Take screenshots that contain relevant information
B. Writing the recommendation for the vulnerability you found
C. Spelling and grammatical mistakes and flooding it with too many irrelevant statistics
Explanation:
While curating a VAPT report, a security expert must avoid any grammatical errors and mistakes and also should not include too many irrelevant statistics for the readers.
Explaining each step you did to get to the hack and writing the report from a hacker’s perspective is considered bad practice.
A. True
Explanation:
Even though mentioning each step you did is a good thing to show in the report, you need to avoid submitting a very lengthy and boring observation, because when a developer is reading the observation or PoC he needs to easily understand what the vulnerability is and how it occurs.
__________ is one of the best pro tips you need to keep in mind while generating a VAPT report.
A. Highlight key areas with red boxes in a screenshot
B. Add video PoCs for complicated attacks
C. Convert the report to PDF for cross compatibility
D. All of the above
Explanation:
The following are some of the pro tips you need to consider when producing a report: use a good theme, add video PoCs for complicated attacks, highlight key areas with red boxes in a screenshot to make it easier for the reader to understand, add complete HTTP requests for the attack so that the reader can replicate the bug easily using Burp Suite, etc.
Question 1 (1 Mark)
Which of the following is a good practice to follow when curating a VAPT report?
A. Take full-screen screenshots showing the entire browser.
B. Refer to the links in recommendations instead of explaining them.
C. Put in all the screenshots, especially the ones that show how you found a bug.
D. Highlight/bold the important things and use red boxes to help the reader focus on the important parts of screenshots.
Correct Answer: D. Highlight/bold the important things and use red boxes to help the reader focus on the important parts of screenshots.
While presenting a report, one of the best practices is to bold important things like payloads, parameters or anything that needs to catch the eye of the reader. You must use red boxes in screenshots to highlight the important parts. Reference links must be put in the reference section and not in recommendations. Screenshots should only contain the relevant part of the screen instead of the entire window.
Question 2 (1 Mark)
Writing a report from a hacker's perspective is the best way to convey your bug findings.
A. True
B. False
Correct Answer: B. False
Writing a report from a hacker's perspective is a ‘Big No’. You cannot expect the reader to understand the hacking concepts. You need to write the report in such a way that the developer can understand it easily and patch it. This means putting in screenshots of how you found a bug is not required, while how you exploited it and what data it’s leaking is important.
Question 3 (1 Mark)
Which of the following is a bad practice to avoid when curating a VAPT report?
A. Use the standard format for colors, font, and formatting.
B. Take screenshots of small regions of the screen instead of one big screenshot.
C. Use references like OWASP, SecurityFocus, CVEdetails, Wiki, etc.
D. Stretching screenshots so that they fit the slide.
Correct Answer: D. Stretching screenshots so that they fit the slide.
Never stretch the images you put in the report. They will get distorted and will look ugly. If you want to make an image bigger, stretch it from the bottom right corner, and that too, not too much.
Question 4 (1 Mark)
What should the reference part in a VAPT report contain?
A. Scan start and end date and time.
B. The impact caused by the flaw you discovered.
C. Recommendations on how to fix the bug.
D. Links to reputed documents/blogs that explain the vulnerability.
Correct Answer: D. Links to reputed documents/blogs that explain the vulnerability.
Providing links to reputed documents/blogs that explain the vulnerability, its impact and prevention comes under the references part when producing a report.
Question 5 (1 Mark)
Let's say you find an IDOR vulnerability in a website. So, while curating a VAPT report, ___________ should be added.
A. screenshot of the Google dork using which you found the URL
B. screenshot of the Burp Intruder settings
C. screenshot of the extracted details
D. screenshot of the Intruder result
Correct Answer: C. screenshot of the extracted details
When submitting an IDOR vulnerability report, you need to mention the extracted details, recommendation, business impact, and reference. But this should not include the steps you took to find the bug as they are irrelevant. The reader only has to know which URL and parameter were affected, how you exploited it (no screenshots of the tools you have used) and what details you were able to extract.
Question 6 (1 Mark)
The Index part of a VAPT report should contain ________________ information.
A. a welcome page of the report with a title containing the logo of your organisation
B. loss caused by the vulnerability to the company
C. tools required to exploit the vulnerability
D. a table having vulnerability name and count
Correct Answer: D. a table having vulnerability name and count
An Index is a simple table that contains the following information: S.no, Vulnerability Name, Criticality, and Count.
Question 7 (1 Mark)
The Observation part in a VAPT report should contain ______________ information.
A. loss caused by the vulnerability to the company
B. links to reputed documents/blogs that explain the vulnerability
C. the impact caused by the flaw you discovered
D. each step you did to perform the hack
Correct Answer: D. each step you did to perform the hack
Observation is a collection of slides (one per step). It acts as a step by step guide to test the vulnerability with a valid PoC.
Question 8 (1 Mark)
Which of the following is a key part of a detailed developer level report?
A. Detailed business impact with proofs of all kinds of information you extracted during the exploitation
B. Observations containing a step by step explanation and the outcome of exploitation
C. References about the vulnerability including the links explaining the vulnerability, the patches, and the impact
D. All of the above
E. None of the above
Correct Answer: D. All of the above
A detailed developer level report tells the developer where exactly the bug is, how to confirm whether it is being exploited, the proof of damage/data leakage and its business impact, along with the guidelines on how to fix the vulnerability and some reference links that explain more about the vulnerability, its impact, and the solution.
Question 9 (1 Mark)
Detailed business impact with proofs of all kinds of information you extracted during the exploitation, and information that summarises everything a hacker can do if an attack happens. These are some of the key points in a High Level Management Summary report:
A. True
B. False
Correct Answer: A. True
The person in charge of the security operations of a company mainly needs to know the business impact of the bug and how it can be used to affect the organisation and its customers. Also, he needs to get an overview of the security status of the application/organisation in general.
Question 10 (1 Mark)
A PoC in ethical hacking is a collection of evidence like screenshots, videos, and HTTP requests along with a sequence of steps that were used to test and exploit a loophole.
A. True
B. False
Correct Answer: A. True
A PoC in ethical hacking is a collection of evidence like screenshots, videos, and HTTP requests along with a sequence of steps that were used to test and exploit a loophole. These steps must be explained in such a way that a technical person like a developer is able to follow them and replicate the same vulnerability at his own end. A PoC can be in any format like pptx, a text file, or a video.
Question 11 (1 Mark)
Making mute videos, using text editors to type instructions and taking screenshots of every step are important tips while producing a PoC.
A. True
B. False
Correct Answer: A. True
When generating a PoC there are many important things to consider, like taking relevant screenshots with only the required region, making mute videos and using text editors to type instructions, and writing down every step of your process in your text editor (information you found, vulnerabilities, interesting blogs/links that you read to find the vulnerability, links to automated scripts/exploits you found online, data you found after exploiting everything).
Question 12 (1 Mark)
Client Side validation flaws can be prevented by:
A. Implementing all critical checks in the server side code only
B. Treating client-side checks as decorative only
C. Implementing and checking all business logic in the server code
D. All of the above
Correct Answer: D. All of the above
Client Side validation flaws can be prevented by implementing critical checks in the server side code, treating client-side checks as decorative only, and implementing and checking all the business logic in the server code. This includes user input, the flow of the application and even the URLs/modules a user is supposed to access or not.
Question 13 (1 Mark)
Cross Site Request Forgery can be prevented by:
A. Implementing randomized tokens in each form
B. Implementing all critical checks in the server side code only
C. Implementing proper authentication and authorisation checks at every function to make sure that the resource the user is requesting access to (whether to view or edit) is his/her own data and no one else’s
D. All of the above
Correct Answer: A. Implementing randomized tokens in each form
To prevent CSRF, all critical actions must be either password protected or should happen with randomised tokens called CSRF tokens. All requests must first check and make sure that the request is coming from the website itself and not some third party page.
Question 14 (1 Mark)
An Arbitrary File Uploads vulnerability can be patched by:
A. Implementing all critical checks in the server side code only
B. Implementing and checking all business logic in the server code
C. Performing proper server-side validations on what kind of file a user is uploading and using static file hosting servers like CDNs and File Clouds to store files
D. None of the above
Correct Answer: C. Performing proper server-side validations on what kind of file a user is uploading and using static file hosting servers like CDNs and File Clouds to store files
Arbitrary File Uploads happen when applications do not implement proper file type checking and allow uploading files other than what they should. Example: uploading a PHP file instead of a JPEG profile picture. This type of flaw can be prevented by performing proper server-side validations on the kind of file a user is uploading and using whitelist filters instead of blacklist filters. Example: in the case of a resume upload feature, instead of banning PHP and EXE files, allow only pdf, doc and docx files. Rename the files using code so that the hacker cannot play around with file names. Use static file hosting servers like CDNs and File Clouds to store files instead of storing them on the application server itself.
Question 15 (1 Mark)
Cross Site Scripting vulnerability can be prevented by performing proper output encoding of special characters like < > “
A. True
B. False
Correct Answer: A. True
Cross Site Scripting happens when user controlled input is reflected somewhere else in an HTML page and is not encoded/sanitised properly. This allows a hacker to inject HTML code into the affected page. So, the fix is to make sure that any input which is taken from a user, when being written into an HTTP response, is cleaned first, e.g. by performing proper output encoding of special characters like < > “ ‘
For example, before printing untrusted user-supplied data into an HTML response, convert special characters into their HTML encoding (&lt; &gt; &quot; etc.) or URL encode them (%3C %3E %22 %27).
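An added Python example (not from the original post) of the output encoding described above, using html.escape and urllib.parse.quote from the standard library: the same untrusted value is encoded differently depending on whether it lands in HTML text or in a URL parameter, and the encoding is applied at the point of output, which is what the answer to the earlier XSS question means by "output before giving it to the user". The page layout and the constructed inputs are my own.

```python
import html
from urllib.parse import quote

# The text lists ‘ “ < > / -- ! ; as characters to deal with before output.
# html.escape covers those with meaning in HTML markup: & < > " and '


def html_encode(untrusted: str) -> str:
    """Encode for an HTML text or quoted attribute-value context.
    '<' -> '&lt;', '>' -> '&gt;', '"' -> '&quot;', "'" -> '&#x27;', '&' -> '&amp;'."""
    return html.escape(untrusted, quote=True)


def url_encode(untrusted: str) -> str:
    """Encode for use as a URL query parameter value: '<' -> '%3C', '>' -> '%3E',
    '"' -> '%22', "'" -> '%27'. safe='' so '/' is encoded as well."""
    return quote(untrusted, safe="")


def render_profile(display_name: str, search_term: str) -> str:
    """Build the HTTP response body with encoding chosen by where each value
    lands: the name goes into HTML text, the search term into a URL."""
    return (
        f"<p>Hello, {html_encode(display_name)}</p>\n"
        f'<a href="/search?q={url_encode(search_term)}">Search again</a>'
    )


if __name__ == "__main__":
    # Constructed inputs of the kind a reflected XSS test would send.
    print(render_profile('<script>alert("x")</script>', "a\"b'c</a>"))
```

The markup that reaches the browser still shows the user's text verbatim, but as text: the encoded characters cannot start a tag, close an attribute or break out of the URL, which is the whole point of encoding on output rather than filtering on input.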