VAPT Tasks
Title: HTTP / HTTPS Protocols
1. HTTP:
Hyper Text Transfer Protocol (HTTP) is an application layer protocol that is used to access and transfer data (text, images, video, multimedia, etc.) over the World Wide Web.
In HTTP, the client first establishes a TCP connection to the server and then sends a request message over it. The server collects the data that was requested and sends it back to the client, after which the connection is terminated.
2. HTTPS:
Hypertext Transfer Protocol Secure (HTTPS) is a secure extension of HTTP that protects the data sent over the World Wide Web.
HTTPS uses port 443 by default for communicating the data.
Web Application Security Basics
HTTP Request:
HTTP defines methods (sometimes referred to as verbs) that indicate the desired action to be performed on the identified resource.
GET
GET requests query or ask the server for a resource. In a typical web services scenario this is data, but the query could also be for an image, a file or HTML.
GET requests can optionally include a query string to limit or restrict the range of data or resource to return.
Assuming a valid request, the service should respond with the desired resource. The response may be textual (data, HTML) or a binary format (PDF, image, other file type).
The scheme is the first part of the URL, either http or https (other schemes exist).
Figure 1: GET Request
POST
POST requests are typically used to send the service some data such as an order, an invoice, or a customer.
POST requests typically have a body, which is the data (image, textual, file) being sent to the server.
The response from a POST request will vary based on the request. The POST request may respond just with an acknowledgement of the request. Or posts to data
Figure 1.1: POST Request
HTTP Response:
The server, after processing the request, will send a response.
GET requests respond with the requested resource, whereas a POST request may respond with a success indicator only, or with the fully populated resource which was inserted/posted.
Figure 1.2: HTTP Response
HTTP Headers:
HTTP headers let the client and the server pass additional information with an
HTTP request or response. Headers typically are used to pass authentication
values, indicate the content type of a request, the desired response content type,
and other custom values.
Example Headers
Accept: application/json
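As an added example (not code from the original notes), the request format described above parsed in Python: the request line gives method, target and version, the headers follow one per line, and Content-Length says how much of what follows the blank line is the body. Both sample requests are constructed for illustration.

```python
# Added example: minimal HTTP/1.1 request parser; sample requests are constructed.
from urllib.parse import urlsplit, parse_qs


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing the blank line that ends the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # header names are case-insensitive, so normalise them
        headers[name.strip().lower()] = value.strip()
    # Content-Length says how many bytes after the blank line belong to the body
    length = int(headers.get("content-length", "0"))
    if len(body) < length:
        raise ValueError("body is shorter than Content-Length")
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "version": version,
        "headers": headers,
        "body": body[:length],
    }


# Constructed sample requests (not captured from any real system)
GET_REQUEST = (
    b"GET /search?q=vapt&page=2 HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Accept: application/json\r\n"
    b"\r\n"
)
POST_REQUEST = (
    b"POST /orders HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b'{"item":"widget"}'
)

if __name__ == "__main__":
    print(parse_http_request(GET_REQUEST))
    print(parse_http_request(POST_REQUEST))
```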
1. HTTPS Encryption
HTTPS, which stands for Hypertext Transfer Protocol Secure, is an internet communication protocol that protects the integrity and confidentiality of data between the user's computer and the site.
How HTTPS works:
HTTPS Connection: When a user connects to an HTTPS-secured website, the site sends its SSL/TLS certificate to the user's browser. This certificate verifies the site's identity.
2. SSL Encryption
SSL, which stands for Secure Sockets Layer, is a standard security
technology for establishing an encrypted link between a web server and a
browser.
This link ensures that all data passed between the web server and browsers remains private and unaltered.
SSL Certificates
SSL certificates are digital certificates that authenticate the identity
of a website and enable an encrypted connection.
3. TLS Encryption:
TLS, or Transport Layer Security, is a protocol that provides privacy and data
integrity between two communicating applications.
It's the most widely deployed security protocol used today for web browsers
and other applications that require data to be securely exchanged over a
network, such as file transfers, VPN connections, instant messaging, and
voice over IP.
How TLS works:
TLS Handshake: When a TLS connection is established, a process known as
the "TLS handshake" occurs. This involves the negotiation of various parameters
to create a secure connection between the client and server.
Key Exchange: During the TLS handshake, the client and server agree on a
protocol version, select cryptographic algorithms, and authenticate each other.
They also generate shared secret keys used for encryption and decryption of the
data.
HTTP/1.1: Text-based protocol. Uses persistent connections but still has head-of-line blocking.
HTTP/2:
HTTP/3:
Figure 1.3: TLS Handshake
Web security protects networks, servers, and computer systems from damage to or the
theft of software, hardware, or data.
It includes defending computer systems from misdirecting or disrupting the services they
are designed to provide.
Functionality:
By defining a CSP, developers can control the sources of content that can be
executed, significantly reducing the risk of malicious content being executed.
Session Management:
Proper session management practices include using secure tokens,
implementing session timeouts, and ensuring that sessions are invalidated
after logout.
This helps protect user sessions from hijacking and ensures that sensitive
information remains secure.
This can lead to data theft, session hijacking, and other malicious activities.
Role of SOP:
Isolation of Origins: SOP restricts scripts from one origin
(e.g., example.com) from accessing data on another origin
(e.g., malicious.com). This means that even if an attacker manages to
inject a script into a page, that script cannot access sensitive data from
another domain.
Example: If a user is logged into their bank account on bank.com, and they visit
a malicious site that tries to execute a script, SOP prevents that script from
accessing the user's banking session or any sensitive information stored in
cookies.
Real-World Examples:
Google CSP Bypass:
In another case, researchers found that Google’s CSP could
be bypassed by using data URIs. By encoding malicious
scripts as data URIs, attackers could circumvent the
restrictions set by CSP, allowing them to execute harmful
scripts.
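As an added example (not code from the original notes or from Google), a small checker that asks whether a page's Content-Security-Policy would let the browser run a script from a given URL. It implements a simplified subset of CSP matching ('none', '*', 'self', scheme-sources and host-sources, ignoring ports and nonces) that is enough to show why allowing `data:` in script-src reopens the door the policy was meant to close; the policies and URLs are constructed.

```python
# Added example: would this page's CSP allow a script from script_url? (simplified CSP matching)
from urllib.parse import urlsplit

# '*' never matches these schemes, which is why "script-src *" still blocks data: URIs
NO_WILDCARD_SCHEMES = ("data", "blob", "filesystem")


def parse_csp(header: str) -> dict:
    """Turn "default-src 'self'; script-src 'self' cdn.example.com" into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def host_matches(source: str, script) -> bool:
    """Match a host-source such as https://cdn.example.com or *.example.com."""
    scheme, _, hostport = source.rpartition("://")
    if scheme and scheme != script.scheme:
        return False
    host = hostport.split("/")[0].split(":")[0]
    if host.startswith("*."):
        return (script.hostname or "").endswith(host[1:])
    return script.hostname == host


def script_allowed(header: str, page_url: str, script_url: str) -> bool:
    """Would this page's CSP let the browser execute a script from script_url?"""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is not set
    sources = policy.get("script-src", policy.get("default-src", []))
    page, script = urlsplit(page_url), urlsplit(script_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            if script.scheme not in NO_WILDCARD_SCHEMES:
                return True
        elif src == "'self'":
            # simplified: same scheme and host as the page (port is ignored here)
            if (script.scheme, script.hostname) == (page.scheme, page.hostname):
                return True
        elif src.endswith(":"):
            # scheme-source: "data:" or "https:" allows any URL of that scheme (the data: URI hole)
            if script.scheme + ":" == src:
                return True
        elif not src.startswith("'") and host_matches(src, script):
            return True
    return False
```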
1. OWASP TOP 10
A01:2021 - Broken Access Control
A06:2021 - Vulnerable and Outdated Components
Burp gives you full control, letting you combine advanced manual techniques
with state-of-the-art automation, to make your work faster, more effective, and
more fun.
Proxy:
Burp Suite contains an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also lets the user send the request/response under monitoring to another relevant tool in Burp Suite, removing the burden of copy-paste.
Intruder:
Intruder is a fuzzer. It is used to run a set of values through an input point. The values are run and the output is observed for success/failure and content length. Usually, an anomaly results in a change in the response code or the content length of the response. Burp Suite allows brute-force, dictionary-file and single values for its payload positions. Intruder is used for:
- Brute-force attacks on password forms, PIN forms, and other such forms.
- Dictionary attacks on password forms and on fields suspected of being vulnerable to XSS or SQL injection.
- Testing and attacking rate limiting on the web app.
Repeater:
Repeater lets a user send requests repeatedly with manual modifications. It is used for:
- Verifying whether the user-supplied values are being validated.
- If user-supplied values are being validated, checking how well it is being done.
- Finding what values the server expects in an input parameter or request header.
1. Open Redirect Using HTML Injection
Description
- HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, such as disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.
2. Cross Site Scripting (XSS) - Reflected
Description
- Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser-executable code within a single HTTP response. When a web application is vulnerable to this type of attack, it passes unvalidated input sent through requests back to the client.
- The value of a request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Affected Resource / Parameter: Location search bar
Severity: Medium
Impact / Consequences
- It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
Recommendations
- It is recommended to apply context-dependent encoding and/or validation to user input rendered on the page, for example by replacing the free-text Location field with a dropdown menu.
3. Cross Site Scripting (XSS) - Stored
Description
- Stored cross-site scripting (also known as second-order XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Suppose a website allows users to submit comments on blog posts, which are displayed to other users.
Affected Resource / Parameter: Insert Video
Severity: Medium
Impact / Consequences
- The XSS attack allows a malicious individual to insert JavaScript code into input fields; the code is stored in the database and is then executed in the browser of each client who views it, performing malicious actions under that client's established browser session.
Recommendations
- It is recommended to apply context-dependent encoding and/or validation to user input rendered on a page.
- Escape user input.
- Validate input.
Tools Used: Manual
References: https://portswigger.net/web-security/cross-site-scripting
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top 10: A04 XSS
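As an added example (not code from the report or the tested application), the unsafe attribute rendering that the reflected finding describes and the unsafe comment rendering behind the stored finding, each beside the context-dependent encoding and allowlist validation the recommendations call for. The template, the allowed locations, the probe string and the comment text are constructed.

```python
# Added example: vulnerable rendering vs. context-dependent encoding; all inputs constructed.
import html
import re

# Vulnerable: the Location parameter is copied unchanged into a double-quoted
# attribute, so a value containing '"' closes the attribute and the remainder
# of the value is parsed as markup.
def render_search_unsafe(location: str) -> str:
    return f'<input type="text" name="location" value="{location}">'

# Hardened: encode for the attribute context. html.escape(quote=True) turns
# & < > " ' into character references, so nothing in the value can end the attribute.
def render_search_safe(location: str) -> str:
    encoded = html.escape(location, quote=True)
    return f'<input type="text" name="location" value="{encoded}">'

# Validation: replacing the free-text field with a dropdown amounts to an
# allowlist of accepted values (sample locations are constructed).
ALLOWED_LOCATIONS = {"Delhi", "Mumbai", "Bengaluru"}

def validate_location(location: str) -> str:
    if location not in ALLOWED_LOCATIONS:
        raise ValueError("location is not one of the offered choices")
    return location

# Stored case: comments are saved as submitted and encoded at output time,
# for the element-content context in which they are displayed to other users.
COMMENTS = []

def store_comment(text: str) -> None:
    COMMENTS.append(text)

def render_comments() -> str:
    return "".join(f"<p>{html.escape(c)}</p>" for c in COMMENTS)

def element_count(rendered: str) -> int:
    """Number of opening tags in the output; more than we wrote means a breakout."""
    return len(re.findall(r"<[A-Za-z]", rendered))

if __name__ == "__main__":
    probe = '"><b>injected</b>'  # constructed input that closes the attribute
    print(render_search_unsafe(probe), element_count(render_search_unsafe(probe)))
    print(render_search_safe(probe), element_count(render_search_safe(probe)))
```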