Assignment - 5

The document covers various topics related to web security, including HSTS, browser developer tools, HTTP headers, Google Dorking, and the AWS Shared Responsibility Model. It highlights the importance of secure connections, potential vulnerabilities, and the responsibilities of both cloud providers and customers in maintaining security. Additionally, it discusses the Capital One data breach, emphasizing the consequences of misconfigured security settings.

Uploaded by Dauntless

Assignment - 5

1) What is HSTS?

The initial request made via HTTP is not protected by TLS and can be an attack vector.

Potential attack

The client is unaware of the man in the middle and will assume that they have sent an
HTTP request and received an HTTP response. They will enter their credentials, which the
attacker can then read.
This is known as an SSL stripping attack.
This problem is solved by HSTS.

HSTS

When a user first visits a website, the server sends an HSTS header in the response. This
allows only secure HTTPS connections for that particular domain.
It prevents any downgrade to HTTP, even if an attacker tries to force it.
It forces encrypted connections and protects against misconfigured links or user mistakes.

HSTS Header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The policy is kept for the number of seconds given in max-age (here one year). The preload
directive lets the domain be submitted to the browsers' built-in HSTS list, which covers
even the very first visit, when no header has been seen yet.

DEMONSTRATION

2) In a browser's developer tools, what does each tab do (Network, Performance, Memory,
Application, Security)?

3) Where can you find sensitive info in each tab?

1. Elements Tab

Shows the HTML structure and CSS styles of the page.
You can edit HTML/CSS live.
Sensitive information like tokens, API keys, or user info could be embedded in the DOM.

2. Network Tab

Displays every HTTP request the page makes (e.g., API calls, image loads, scripts).
You can inspect headers, responses, request payloads, and timing.
Sensitive information that can be found here includes authentication tokens (for example
JWTs in headers or cookies), API keys, personally identifiable information (PII) in
request/response bodies, and URLs revealing sensitive endpoints.

3. Console Tab

Shows JavaScript logs, errors, warnings, and lets you run JS manually.
Devs often log variables here for debugging.
Possible sensitive information — devs might accidentally console.log() sensitive data
like user info or tokens.

4. Sources Tab

Lets you explore all loaded JavaScript, CSS, and other source files.
You can place breakpoints and debug code line-by-line.
Possible sensitive information — hardcoded secrets or configuration data could be
visible in JS files.

5. Performance Tab

Helps analyze runtime performance (e.g., render time, scripting, painting).
Useful for diagnosing slow pages or animation jank.
No sensitive information can be found here.

6. Memory Tab

Used for profiling memory usage and detecting memory leaks.
Useful for advanced debugging.
Possible sensitive information: objects stored in memory might expose some app state
when debugging.

7. Application Tab

Shows local storage, session storage, cookies, IndexedDB, service workers, etc.
Sensitive information like JWTs, session tokens, user preferences, and cached sensitive data
can be found here.

8. Security Tab

Shows HTTPS status, certificates, and mixed content issues.
No sensitive information can be found here.

9. Lighthouse / Audits Tab

Provides audits for performance, accessibility, best practices, SEO, etc.
No sensitive information can be found here.

4) What are HTTP headers, and what does each header do?

HTTP headers are key-value pairs sent between the client and server with an HTTP request or
response. They provide important information about the request or response, such as
content type, authentication, caching behavior, and more.

Types of HTTP Headers

1. Request Headers – Sent from client to server:

Host: Specifies the domain name of the server.
User-Agent: Describes the client (browser or app).
Accept: Indicates the media types the client can handle.
Authorization: Contains credentials (like tokens or API keys).
Content-Type: Type of data being sent (e.g., application/json).

2. Response Headers – Sent from server to client:

Content-Type: Type of data being returned.
Set-Cookie: Sets a cookie on the client.
Cache-Control: Defines caching rules.
Content-Length: Size of the response body in bytes.
WWW-Authenticate: Indicates how to authenticate after a 401 Unauthorized response.

3. General Headers – Can appear in both request and response:

Connection: Controls whether the connection stays open (keep-alive or close).
Date: Date and time at which the message was sent.

4. Entity Headers – Give info about the body of the request/response:

Content-Encoding: Compression type (e.g., gzip).
Content-Language: Language of the resource.
ETag: Identifier for a specific version of a resource (used in caching).

Example: Response headers returned by the Juice Shop server for a GET request to
http://localhost:3000
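As an added example (not from the assignment or from Juice Shop itself), the following parses a constructed response in the shape such a server returns, groups the headers into the four categories listed above, and reports which expected headers are absent; Content-Type is placed under entity headers because it describes the body. The function names and the sample response are assumptions.

```python
# Constructed sample response (not a real capture) in the shape a local Juice
# Shop instance returns for GET http://localhost:3000; the cookie value is made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 01 Jan 2030 00:00:00 GMT\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Encoding: gzip\r\n"
    "ETag: W/\"constructed-etag\"\r\n"
    "Cache-Control: no-store\r\n"
    "Set-Cookie: session=constructed-value; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Header names grouped as in the four categories above (lower-cased for lookup).
GENERAL = {"connection", "date"}
ENTITY = {"content-type", "content-encoding", "content-language", "etag"}
RESPONSE = {"set-cookie", "cache-control", "content-length", "www-authenticate"}
REQUEST = {"host", "user-agent", "accept", "authorization"}

def parse_headers(raw):
    """Split a raw HTTP/1.1 message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.append((name.strip(), value.strip()))
    return start_line, headers, body

def classify(headers):
    """Map each header to its category; unknown names land in 'other'."""
    groups = {"general": [], "entity": [], "response": [], "request": [], "other": []}
    for name, _ in headers:
        key = name.lower()
        if key in GENERAL:
            groups["general"].append(name)
        elif key in ENTITY:
            groups["entity"].append(name)
        elif key in RESPONSE:
            groups["response"].append(name)
        elif key in REQUEST:
            groups["request"].append(name)
        else:
            groups["other"].append(name)
    return groups

def missing_headers(headers, expected=("Strict-Transport-Security", "Cache-Control")):
    """Names from `expected` that the response did not send (ties back to question 1)."""
    present = {name.lower() for name, _ in headers}
    return [h for h in expected if h.lower() not in present]
```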
5) What is Google Dorking? Tools used.

Google Dorking is the use of advanced search operators in Google to uncover hidden,
sensitive, or misconfigured information on websites. It uses Google's indexing (via
crawlers/spiders) to find data that isn't easily accessible through normal browsing.

Tools that can be used:

Google Hacking Database (GHDB)

A collection of Google dorks maintained by Exploit-DB. It provides ready-made dorks for
finding vulnerable files, login pages, exposed devices, etc.

DorkSearch

Automates the process of running multiple dorks to find exposed info; used by pen-testers
and hackers.

6) Work on the business logic labs on PortSwigger and OWASP Juice Shop.

7) Build a small Android application using Android Studio.

8) Install Genymotion and AndroGoat in it.

AndroGoat in Genymotion:

Cross-Site Scripting (XSS)
SQL Injection
WebView

9) AWS Shared Responsibility Model.
The AWS Shared Responsibility Model defines the security responsibilities shared
between AWS and the customer.
AWS is responsible for security of the cloud, which includes infrastructure, hardware,
networking, and managed services.
The customer is responsible for security in the cloud, meaning they must secure their
applications, data, and access controls.

10) Capital One breach

The Capital One data breach was one of the largest data breaches in banking history,
affecting over 100 million customers in the U.S. and Canada.
Capital One hosted their data in AWS S3 buckets.
Their firewall was improperly configured, allowing SSRF (Server-Side Request Forgery)
attacks.
Thompson used SSRF to trick the AWS metadata service into returning credentials (IAM role
tokens) to her.
The IAM role she obtained had too many privileges, giving her access to sensitive
customer data stored in AWS S3.
She downloaded about 100 million customer records.
She uploaded parts of the stolen data to her personal GitHub repository, which allowed a
cybersecurity researcher to find and report it.
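As an added example (not from the assignment or from Capital One's systems), here is the server-side fetch pattern that makes SSRF possible beside a hardened destination check that refuses link-local, loopback and private addresses, the ranges where cloud metadata services answer; the function names, the allow-list and all hosts are assumptions, and no network call is made.

```python
import ipaddress
from urllib.parse import urlsplit

def fetch_vulnerable(url):
    """The risky pattern: fetch whatever URL the client supplied, with no checks."""
    # A request for an internal address (the instance metadata service lives in
    # the link-local range) would be made with the server's own network access
    # and its response handed straight back to the caller.
    return ("GET", url)  # stand-in for a real HTTP client call

def is_safe_destination(url, allowed_hosts):
    """Allow only http(s) URLs to an explicit host allow-list or a public literal IP."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname rather than a literal IP
    if ip is not None:
        # Reject link-local (169.254.0.0/16, where AWS IMDS answers), loopback,
        # private and reserved ranges. Python's is_private also covers the IANA
        # special-purpose blocks, so this check is deliberately strict.
        return not (ip.is_link_local or ip.is_loopback or ip.is_private or ip.is_reserved)
    # Hostnames pass only when explicitly listed, which also stops unusual IP
    # encodings and internal DNS names. DNS rebinding is not covered here:
    # resolve the name yourself and re-check the IP before connecting if needed.
    return host in allowed_hosts

def fetch_hardened(url, allowed_hosts):
    """Same fetch, but refuses destinations that fail the allow-list check."""
    if not is_safe_destination(url, allowed_hosts):
        raise ValueError("destination not permitted")
    return ("GET", url)
```

Even with this check in place, the page's other two lessons still apply: the role attached to the server should hold only the S3 permissions it needs, and the metadata service should be used in its token-based mode so a plain GET from an SSRF cannot read credentials.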
