1 / 4

Tools used by web hackers

Web hacker’s toolkit Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011. Tools used by web hackers. Web browsers & browser extensions e.g., HttpWatch (IE and FireFox), Web developer toolbar (FireFox and Chrome)

lluvia
Télécharger la présentation

Tools used by web hackers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web hacker’s toolkitNote: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.

  2. Tools used by web hackers • Web browsers & browser extensions e.g., HttpWatch (IE and FireFox), Web developer toolbar (FireFox and Chrome) • Intercepting web proxies (e.g., Achilles proxy) • Integrated testing suites (e.g., Burp suite) • Standalone web application scanners Web Security

  3. Integrated testing suites • Web crawlers/spiders • Fuzzers • “Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program.” (http://encyclopedia.thefreedictionary.com/fuzzer) • If the program fails, the defects can be noted. e.g., Fuzzing exercise using Burp Intruder (Fig. 20-9) • Vulnerability scanners • Uncover common web vulnerabilities in the given application • passive vs active scanning Web Security

  4. Questions • In Figure 20-3, an intercepting proxy was shown to intercept, view and modify HTTPS communications. What are the prerequisites that enable such attacks to work? (That is, if you plan to launch such an attack, what configurations/installations are required?) Hint: HTTPS, as discussed before, enables authentication of the web server by the web client, via the use of server certificates. In addition, a shared key is established between the server and the client to provide confidentiality, data integrity, and origin integrity. Explain how ‘server authentication’ may be cracked by the attacker using an intercepting proxy. • Identify the top five of the vulnerabilities that a standalone vulnerability scanner can help to uncover. Explain why you think those are the most critical vulnerabilities that hacker would want to uncover. Web Security

More Related