EHDF Module 2

OWASP (Open Worldwide Application Security Project) is dedicated to improving software security through community-led initiatives, resources, and education on web application security risks. It maintains lists of the most critical security risks, including the OWASP Top 10 and Top 10 API Security Risks, to help organizations mitigate vulnerabilities. Key threats include broken access controls, SQL injection, and phishing, with recommended prevention strategies such as input validation and using secure coding practices.
OWASP

● OWASP (Open Worldwide Application Security Project) is an open community.
● Dedicated to enabling organizations to design, develop, acquire, operate, and maintain software for secure applications that can be trusted.
● Its programs include community-led open-source software projects and local and global conferences, involving hundreds of chapters worldwide with tens of thousands of members.
● Gives awareness about web application security risks, and provides valuable resources, tools, documentation, and best practices to address the increasing challenges of web application security.
● OWASP helps developers, security professionals, and organizations understand potential threats and adopt security best practices.
● OWASP maintains a list of the ten most critical web application security risks, along with effective processes, procedures, and controls to mitigate them.
● OWASP also provides a list of the Top 10 API Security Risks to educate those involved in API development and maintenance and increase awareness of common API security weaknesses.

OWASP Top 10 Application Security Risks

1. Broken Access Controls
2. Cryptographic failures
3. Injection attacks
4. Insecure design
5. Security misconfigurations
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-side request forgery (SSRF)

Broken Access Controls

● Websites have pages that are protected from regular visitors; for example, only the site’s admin user should be able to access a page to manage other users.
● If a website visitor is able to access protected pages that they are not authorised to view, the access controls are broken.
● A regular visitor being able to access protected pages can lead to the following:
  ○ Being able to view sensitive information
  ○ Accessing unauthorized functionality
● OWASP has listed a few attack scenarios demonstrating access control weaknesses (refer to class notes for the scenarios).
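An added illustration of the point above (example code written for these notes, not taken from the slides or from OWASP): a "hidden" admin page that is served to anyone who knows its URL, beside a version that checks identity and role on the server and denies by default. The page paths, users and roles are constructed for the example.

```python
# Added example (not from the slides): a page that is protected only by being
# absent from the menu, beside a deny-by-default version. Names are constructed.

USERS = {"alice": {"role": "admin"}, "bob": {"role": "user"}}   # constructed user records
PROTECTED = {"/admin/users": "admin", "/profile": "user"}        # hypothetical page -> role it needs
RANK = {"user": 1, "admin": 2}                                   # simple role hierarchy
AUDIT = []                                                       # denied requests, kept for detection

def role_satisfies(have, need):
    """True when the role the visitor holds is at least the role the page needs."""
    return RANK.get(have, 0) >= RANK[need]

def serve_vulnerable(path, current_user):
    # Broken access control: the page is merely not linked from the menu; whoever
    # learns or guesses the URL is served it, logged in or not, admin or not.
    if path in PROTECTED:
        return 200, f"content of {path}"
    return 404, "not found"

def serve_hardened(path, current_user):
    # Every protected page checks who is asking and what role they hold, server-side.
    required = PROTECTED.get(path)
    if required is None:
        return 404, "not found"
    user = USERS.get(current_user)
    if user is None:
        return 401, "login required"
    if not role_satisfies(user["role"], required):
        AUDIT.append(f"denied {current_user!r} -> {path}")  # failed authorization is worth logging
        return 403, "forbidden"
    return 200, f"content of {path}"
```

Calling `serve_hardened("/admin/users", "bob")` returns `403` and leaves an audit entry, while the vulnerable variant returns the page to `bob` and even to an anonymous caller; those denied entries are the signal a monitoring rule for this risk would watch for.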
Vulnerable and outdated components
● Using outdated, unpatched, or vulnerable components, such as libraries, frameworks,
or plugins can expose applications to known security flaws, increasing the risk of
exploitation.
● These risks can result from unsupported or out-of-date software, including the
operating system (OS), web/application server, database management system
(DBMS), applications, APIs, and all components, runtime environments, and
libraries.
● These threats are particularly dangerous when organizations do not have timely,
risk-based measures in place for fixing or upgrading a system’s underlying platform,
frameworks, and dependencies, leaving the system open to days or weeks of
unnecessary exposure to known risks.
● Complex software supply chains and automation via CI/CD pipelines increase the risk
of introducing vulnerable software into the IT stack.
● A WAF can serve as a critical stopgap to guard against vulnerability exploitation.

Identification and authentication failures


● Weaknesses in authentication, identity, and session management can allow attackers
to compromise user accounts, passwords, session tokens, or to exploit insecure
session handling.
● Failures in these areas can permit automated attacks such as credential stuffing.
● Password-related vulnerabilities are the most common source of these risks, as many
people reuse passwords or use default, weak, or well-known passwords.
● Session management issues can also lead to authentication-related attacks,
particularly if user sessions or authentication tokens aren't properly invalidated during
logout or a period of inactivity.
● Attacks that bypass authentication controls are an increasing risk for both web apps
and APIs, as detailed in the OWASP Top 10, API Security Top 10, and Automated
Threats projects.
Software and data integrity failures
● These vulnerabilities result from application code and infrastructure that fail to
protect against integrity violations of data and software.
● This can result when an application relies upon plugins, libraries, or modules from
untrusted sources, repositories, and CDNs.
● It can also occur during software updates, sensitive data modifications, and CI/CD
pipeline changes that are not validated.
● Attackers can potentially upload their own updates to be distributed and run on all
installations.
● Insecure deserialization, where an application takes untrusted serialized data and
consumes that data without ensuring that it is valid, is also a part of this risk category,
allowing for attacks such as remote code execution (RCE) and privilege escalation.

Security logging and monitoring failures


● Inadequate logging and monitoring can hinder timely detection and response to
security incidents, making it difficult to identify and mitigate attacks or unauthorized
activities.
● This can mean that auditable events, such as logins, failed logins, and high-value
transactions are not identified or logged, and that applications do not detect active
attacks in real-time.
Server-side request forgery (SSRF)
● These vulnerabilities occur when an application does not validate or sanitize a URL input by a user
before pulling data from a remote resource.
● Attackers can use these flaws to force applications to access malicious web destinations even if
protected by a firewall or other defense.
● These attacks can also result if the targeted resource has trust relationships with other systems, such as
a cloud metadata service or backend APIs, allowing an attacker to make requests to those trusted
services and extract sensitive information or perform unauthorized actions.
● To help mitigate SSRF, design systems for least privilege access and use a WAF to explicitly define
the uniform resource identifier (URI) parameters in your security policy and allow/disallow hosts that
can access them.
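The allow-list and least-privilege idea from the SSRF bullets, as an added Python example (written for these notes, not part of the slides): before the server fetches a user-supplied URL it checks the scheme, requires the host to be on a configured allow-list, resolves it once, and refuses non-public addresses such as the link-local range used by cloud metadata services. The allow-list, the resolver and the addresses it returns are constructed so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example (not from the slides). Constructed allow-list of hosts the server
# may fetch from; a real deployment loads this from configuration.
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}

def is_public_address(ip_text):
    """Reject loopback, private, link-local (169.254.0.0/16 holds cloud metadata
    services), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_fetch_url(url, resolve):
    """Return (scheme, host, ip) the server may connect to, or raise ValueError.
    `resolve` maps a hostname to an IP string; injecting it keeps the check offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = (parts.hostname or "").lower()     # hostname ignores any user@ prefix in the URL
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} is not on the allow-list")
    ip = resolve(host)                         # resolve once; connect to this address only
    if not is_public_address(ip):
        raise ValueError(f"{host} resolves to non-public address {ip}")
    return parts.scheme, host, ip

def is_rejected(url, resolve):
    try:
        validate_fetch_url(url, resolve)
        return False
    except ValueError:
        return True

# Constructed resolver standing in for DNS in this example.
FAKE_DNS = {"images.example.com": "93.184.216.34", "api.example.com": "10.0.0.5"}
```

The second allow-listed host resolving to a private address shows why the check runs after resolution as well as before it: a name on the allow-list can still point inside the network.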

TryHackMe | OWASP Top 10 - 2021


Web Security Considerations

● Web Security deals with the security of data over the internet/network or web, including while it is being transferred over the internet.
● Web security is crucial for protecting web applications, websites, and the underlying servers from malicious attacks and unauthorized access.

What is Web Security?

● Web Security is an online security solution that will restrict access to harmful websites, stop web-based risks, and manage staff internet usage.
● Web Security is very important nowadays.
● Websites are always prone to security threats/risks.
For example, when we are transferring data between client and server, we have to protect that data; that security of data is our web security.

What is a Security Threat?

● A threat is nothing but a possible event that can damage and harm an information system.
● A security threat is defined as a risk that can potentially harm computer systems and organizations.
● Whenever an individual or an organization creates a website, they are vulnerable to security attacks.
● Security attacks are mainly aimed at stealing, altering, or destroying a piece of personal and confidential information, stealing hard drive space, and illegally accessing passwords.
● So whenever the website we created is vulnerable to security attacks, the attackers are going to steal our data, alter our data, destroy our personal information, see our confidential information, and also access our passwords.

Web Security Considerations

Top Web Security Threats

● Cross-site scripting (XSS)
● SQL Injection
● Phishing
● Ransomware
● Code Injection
● Viruses and worms
● Spyware
● Denial of Service

SQL Injection

● SQL Injection is a security flaw in web applications where attackers insert harmful SQL code through user inputs.
● This can allow them to access sensitive data, change database contents or even take control of the system. It’s important to know about SQL Injection to keep web applications secure.
● SQL Injection typically works when a web application improperly validates user input, allowing an attacker to inject malicious SQL code.
● For example, if a web application takes user input (e.g., a username or password) and directly inserts it into an SQL query without proper sanitization, an attacker can manipulate the query to perform unintended actions.
Types of SQL Injection

1. In-band SQL Injection
The attacker sends malicious SQL queries directly through the application interface. This method allows attackers to extract sensitive information or manipulate the database.

2. Error-based SQL Injection
This type of SQL injection exploits error messages generated by the database. Attackers can use the information provided in error messages to learn about the database structure and craft more sophisticated attacks.

3. Blind SQL Injection
In blind SQL injection, the attacker does not receive error messages but can infer information about the database by observing the behavior of the application. The attacker uses boolean conditions to test various aspects of the database.

4. Out-of-band SQL Injection
Out-of-band SQL injection relies on the attacker using a different communication channel to exfiltrate data from the database. This type of attack is less common but can be very effective.

Impact of SQL Injection Attacks

● Unauthorized access to sensitive data: Attackers can retrieve personal, financial, or confidential information stored in the database.
● Data integrity issues: Attackers can modify, delete, or corrupt critical data, impacting the application’s functionality.
● Privilege escalation: Attackers can bypass authentication mechanisms and gain administrative privileges.
● Service downtime: SQL injection can overload the server, causing performance degradation or system crashes.
● Reputation damage: A successful attack can severely harm the reputation of an organization, leading to a loss of customer trust.

Detecting SQL Injection Vulnerabilities

● Input validation testing: Test inputs by inserting special characters like --, ;, ', or " to see if they cause errors or unintended behavior.
● Automated tools: Use tools like SQLMap, Burp Suite, or OWASP ZAP to scan for vulnerabilities.
● Review source code: Inspect source code for insecure coding practices such as concatenating user inputs directly into SQL queries.
● Monitor error messages: Unexpected or detailed error messages can indicate that the application is vulnerable.
● Penetration testing: Regularly perform penetration testing to identify security gaps.
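The "review source code" and "input validation testing" checks above, made concrete in an added Python example (written for these notes, not from the slides): a login query built by concatenating user input beside the same query as a prepared statement with placeholders, plus a whitelist check for the username. The in-memory SQLite table, its users and the probe input are constructed; a single `'` makes the concatenated version raise a database error while the parameterized version simply finds no row.

```python
import sqlite3

# Added example (not from the slides). In-memory SQLite table standing in for the
# application's user store; users and passwords are constructed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # The insecure pattern a source-code review looks for: user input is spliced
    # into the SQL text, so the database parses whatever the user typed as SQL.
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()

def login_parameterized(conn, username, password):
    # Prepared statement: values travel separately from the SQL text, so a quote
    # in the input is only a character inside the value.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def is_valid_username(username):
    # Whitelist validation: letters, digits and underscore only, 3 to 32 characters.
    return 3 <= len(username) <= 32 and username.replace("_", "").isalnum()

def probe_raises_db_error(login_fn, conn, username, password):
    """Input validation testing: does a stray quote make the database error out?"""
    try:
        login_fn(conn, username, password)
        return False
    except sqlite3.Error:
        return True
```

A database error surfacing from `login_vulnerable` on the probe input `alice'` is the "unexpected error message" signal from the detection list; the parameterized query returns an empty result for the same input and never exposes parser errors to the user.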
Preventing SQL Injection Attacks

1. Use Prepared Statements and Parameterized Queries
2. Employ Stored Procedures
3. Whitelist Input Validation
4. Use ORM Frameworks
5. Restrict Database Privileges
6. Error Handling

Ransomware

● Ransomware is a type of malware that is designed to block users’ access to their own system until a ransom fee is paid to the ransomware creator.
● Ransomware is far more dangerous than regular malware and spreads through phishing emails carrying infected attachments.
● Ransomware has emerged over the last few years and can attack individuals or organizations.

Recent case of Ransomware

Phishing

● Phishing is a form of online fraud in which hackers attempt to get your private information such as passwords, credit cards, or bank account data.
● This is usually done by sending false emails or messages that appear to be from trusted sources like banks or well-known websites.
● They aim to convince you to hand over your information so that they can use it for fraud.
● It is an unethical way to dupe the user or victim into clicking on harmful sites.
● The attacker crafts the harmful site in such a way that the victim believes it to be an authentic site, thus falling prey to it.
● The most common mode of phishing is by sending spam emails that appear to be authentic and thus taking away all credentials from the victim.
● The main motive of the attacker behind phishing is to gain confidential information like:
  i. Password
  ii. Credit card details
  iii. Social security numbers
  iv. Date of birth

How is Phishing Carried Out

● Clicking on an unknown file or attachment
● Using an open or free wifi hotspot
● Responding to social media requests
● Clicking on unauthenticated links or ads

Types of Phishing Attacks

● Email Phishing
● Spear Phishing
● Whaling
● Smishing
● Vishing
● Clone Phishing
Impact of Phishing

● Financial Loss
● Identity Theft
● Damage to Reputation
● Disruption to Business Operations
● Spread of Malware

How to identify fake sites

Tools for anti phishing

How To Stay Protected Against Phishing?

● Authorized Source: Download software from authorized sources only, where you have trust.
● Confidentiality: Never share your private details with unknown links and keep your data safe from hackers.
● Check URL: Always check the URL of websites to prevent any such attack; it will help you not get trapped in phishing attacks.
● Avoid replying to suspicious things: If you receive an email from a known source but that email looks suspicious, then contact the source with a new email rather than using the reply option.
● Phishing Detection Tool: Use phishing-detecting tools to monitor the websites that are crafted and contain unauthentic content.
● Try to avoid free wifi: Avoid using free Wifi; it will lead to threats and phishing.
● Keep your system updated: It’s better to keep your system always updated to protect from different types of phishing attacks.
● Keep the firewall of the system ON: Keeping the firewall ON helps you filter ambiguous and suspicious data, and only authenticated data will reach you.
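The "Check URL" advice above, turned into a small checker as an added Python example (written for these notes; not one of the anti-phishing tools the slides refer to). It reports the signs a person is told to look for before clicking: no HTTPS, an `@` hiding the real host, a raw IP address, a punycode host, and a trusted name buried inside some other registrable domain. The set of trusted domains is constructed, and the registrable-domain rule is the simple last-two-labels approximation rather than the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example (not from the slides). Constructed set of domains the user or
# organisation legitimately expects to log in to.
TRUSTED_DOMAINS = {"example-bank.com"}

def registrable_domain(host):
    # Last two labels: adequate for this illustration (real code uses the Public Suffix List).
    return ".".join(host.split(".")[-2:])

def url_warning_signs(url):
    """Return the reasons a link deserves suspicion; an empty list means nothing stood out."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if "@" in parts.netloc:
        reasons.append("'@' in the address: the real host is what follows the '@'")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass                                    # not an IP literal; the normal case
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host: non-ASCII characters can imitate a familiar name")
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # A trusted name appearing as a subdomain or inside another label is the
            # classic lookalike; only the registrable domain decides who owns the site.
            if trusted in host or trusted.split(".")[0] in host:
                reasons.append(f"imitates {trusted} but the registrable domain is {reg}")
    return reasons
```

The genuine `https://example-bank.com/login` yields no findings, while `http://example-bank.com.evil.example/login` is flagged twice (plain HTTP and a lookalike host), which is the distinction a user checking the address bar is being asked to make.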
Code Injection

● Code injection is the term used to describe attacks that inject code into an application.
● That injected code is then interpreted by the application, changing the way a program executes.
● Code injection attacks typically exploit an application vulnerability that allows the processing of invalid data.
● This type of attack exploits poor handling of untrusted data, and these attacks are usually made possible due to a lack of proper input/output data validation.
● Attackers are able to introduce (or inject) code into a computer program with this type of vulnerability.
● Code injection differs from command injection, where the goal is to hijack a vulnerable application in order to execute arbitrary commands on the host operating system.
● Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.
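An added Python example of the condition just described (written for these notes, not from the slides): a hypothetical feature that evaluates a user-supplied arithmetic expression. The first version hands the string to `eval()`, so the application interprets whatever the user typed as code; the second parses the expression into a syntax tree and accepts only numbers and arithmetic operators, which is the input validation the slide says is missing in code-injection flaws.

```python
import ast
import operator

# Added example (not from the slides). Hypothetical "calculator" feature, first the
# injectable way, then with an allow-list over the parsed syntax tree.

def calc_vulnerable(expr):
    # eval() hands the whole string to the Python interpreter: any expression the
    # user types is executed as code, which is exactly the code-injection condition.
    return eval(expr)

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def calc_safe(expr, max_len=64):
    """Evaluate numbers and + - * / % ** only; every other construct is rejected."""
    if len(expr) > max_len:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")       # parsing only; nothing is executed here
    return _walk(tree.body)

def _walk(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value                       # bool and str constants fall through to the error
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _walk(node.left), _walk(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")   # keeps 9**9**9 from eating the CPU
        return _BIN_OPS[type(node.op)](left, right)
    # Name, Call, Attribute, Subscript, strings, ...: not arithmetic, so refuse it.
    raise ValueError(f"disallowed construct: {type(node).__name__}")

def is_rejected(expr):
    try:
        calc_safe(expr)
        return False
    except (ValueError, SyntaxError):
        return True
```

`calc_vulnerable("len('abc')")` returns `3`, showing that a function call typed by the user runs inside the application; `calc_safe` refuses the same input because a `Call` node is not on the allow-list, and it also caps exponents so the validated path cannot be turned into a denial of service.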

Code injection prevention

● Data input interfaces can be vulnerable to code injection attacks.
● Fuzzers and scanners can find code injection vulnerabilities.
● Fixing incorrect server configurations, avoiding untrusted data sources, and eliminating other vulnerabilities can help prevent code injection attacks.

DoS and DDoS attacks

● In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
● A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

A DoS attack may do the following

● Flood the traffic, thereby preventing legitimate traffic
● Disrupt connections between two systems, preventing access to a service
● Prevent a particular individual from accessing a service
● Disrupt service to a specific system or person

Symptoms of DoS attacks

● Slow network performance
● Unavailability of a particular website
● Inability to access any website
● Dramatic increase in number of spam e-mails received

How Do DoS Attacks Work?

DoS attacks typically exploit vulnerabilities in a target’s network or computer systems. Attackers can use a variety of methods to generate overwhelming traffic or requests, including:
1. Flooding the target with a massive amount of data
2. Sending repeated requests to a specific part of the system
3. Exploiting software vulnerabilities to crash the system

Classification of DoS

1. Volume based attacks/Bandwidth attack
  ● Ping flood attack
  ● TCP SYN flood attack
  ● UDP flood attack
2. Protocol Attacks
  ● Ping of death
  ● Smurf attack
3. Application layer attacks
Volume based (Bandwidth) attacks

● The most common DoS attacks.
● Target the computer’s network bandwidth or connectivity.
● Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through.
● Includes UDP, ICMP and other spoofed packet floods.
● Goal: saturate bandwidth of attacked site.

Flood attack

● Flooding is a Denial of Service (DoS) attack that is designed to bring a network or service down by flooding it with large amounts of traffic.
● Flood attacks occur when a network or service becomes so weighed down with packets initiating incomplete connection requests that it can no longer process genuine connection requests.
● By flooding a server or host with connections that cannot be completed, the flood attack eventually fills the host’s memory buffer. Once this buffer is full no further connections can be made, and the result is a Denial of Service.

SYN attack

● A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address.
● Each of these packets is handled like a connection request, causing the server to generate a half-open connection by sending back a TCP/SYN-ACK packet (Acknowledge) and waiting for a packet in response from the sender address (response to the ACK packet).
● However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server can make, keeping it from responding to legitimate requests until after the attack ends.
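Detection logic for the half-open-connection pattern described above, as an added Python example (written for these notes; not one of the detection tools the slides list). It runs over a constructed connection log in which each line records a SYN or a completed handshake (ACK) per source address, flags any source that opens many connections inside a sliding window but completes few of them, and also tracks the server-wide backlog of half-open connections, which is what remains visible when the sender addresses are forged and spread across many sources. The log format, window and thresholds are assumptions for the example.

```python
from collections import defaultdict, deque

# Added example (not from the slides). Constructed connection log: one line per TCP
# event as "<seconds> <source-ip> <SYN|ACK>", where ACK means the handshake completed.
SAMPLE_LOG = """\
100.0 192.0.2.10 SYN
100.1 192.0.2.10 ACK
101.0 192.0.2.10 SYN
101.1 192.0.2.10 ACK
102.0 192.0.2.10 SYN
102.1 192.0.2.10 ACK
103.0 203.0.113.7 SYN
103.2 203.0.113.7 SYN
103.4 203.0.113.7 SYN
103.6 203.0.113.7 SYN
103.8 203.0.113.7 SYN
104.0 203.0.113.7 SYN
104.2 203.0.113.7 SYN
104.4 203.0.113.7 SYN
"""

def parse_line(line):
    ts, src, flag = line.split()
    return float(ts), src, flag

def _prune(q, now, window):
    # Drop timestamps that have fallen out of the sliding window.
    while q and now - q[0] > window:
        q.popleft()

def detect_syn_flood(lines, window=5.0, syn_threshold=5, min_completion=0.5):
    """Return ({source: (syns_in_window, completions_in_window)} for sources that open
    many connections but rarely complete them, largest server-wide half-open backlog)."""
    syns = defaultdict(deque)        # per source: SYN timestamps inside the window
    acks = defaultdict(deque)        # per source: completed handshakes inside the window
    all_syns, all_acks = deque(), deque()   # server-wide, independent of source address
    flagged, max_half_open = {}, 0
    for line in lines:
        if not line.strip():
            continue
        ts, src, flag = parse_line(line)
        per_source, overall = (syns, all_syns) if flag == "SYN" else (acks, all_acks)
        per_source[src].append(ts)
        overall.append(ts)
        for q in (syns[src], acks[src], all_syns, all_acks):
            _prune(q, ts, window)
        max_half_open = max(max_half_open, len(all_syns) - len(all_acks))
        n_syn = len(syns[src])
        if n_syn >= syn_threshold and len(acks[src]) / n_syn < min_completion:
            flagged[src] = (n_syn, len(acks[src]))
    return flagged, max_half_open
```

On the sample, the legitimate client completes every handshake and is never flagged, while the second source is reported with eight SYNs and no completions, and the backlog counter peaks at eight half-open connections: the value a defender would alert on when sources are forged and no single address stands out.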
2. Protocol attacks

● Denial of service attacks may take advantage of certain standard protocol features.
● Several attacks capitalize on the fact that IP source addresses can be spoofed.
● In addition, connection depletion attacks take advantage of the fact that many connection-oriented protocols require servers to maintain state information after a connection request is made but before the connection is fully established.
● The most common connection depletion attack is SYN flooding.

Ping of death attack

● Ping of death is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol.

Smurf attack

● A smurf attack is a type of denial of service attack in which a
system is flooded with spoofed ping messages.
● This creates high computer network traffic on the victim’s network,
which often renders it unresponsive.
● The DDoS Smurf malware creates a network data packet that
attaches to a false IP address. This is known as spoofing.
● The packet contains an ICMP ping message, which commands
network nodes to send a reply.
● This process, known as ICMP echoes, creates an infinite loop that
overwhelms a network with constant requests.
Unintentional DoS attack

● This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity.
● This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story.

3. Application Layer attacks

● Low and slow attacks
● Targets windows and loopholes more
● Goal: crash server
● Target is flooded with incoming requests and responses for files, images etc.
● DoS occurs due to additional requests from legitimate traffic sources.

Tools used to launch DoS attacks

● Jolt2
● Nemesy
● Targa
● Crazypinger
● sometrouble

DDoS attack

● A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
● They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.

Tools used to launch DDoS attacks

● Trinoo
● Tribe flood network
● Stachedraht
● Shaft
● Mstream

How to prevent DoS/DDoS attacks

● Filtering: Routers at the edge of the network can be trained to spot and drop DDoS connections, preventing them from slowing the network or the server.
● Moving: If the attack is pointed at a specific IP address, the site’s IP can be changed.
● Blackholing: A host may simply “blackhole” a site that is being DDoSed, directing all traffic to it to an address that doesn’t exist. This is normally a last resort.
● Buy more bandwidth
● Build redundancy in your architecture
● Configure your network hardware against DDoS attacks
● Deploy anti-DoS hardware and software modules
● Deploy DDoS protection appliance
Tools used for detection of DoS and DDoS attacks

● Zombizapper
● Remote intrusion detector
● SARA
● Find_Ddos
● DDosping

Web Security Considerations

● We need to always update our software.
● Hackers may be aware of vulnerabilities in certain software, which are sometimes caused by bugs and can be used to damage your computer system and steal personal data.
● Older versions of software can become a gateway for hackers to enter your network.
● SQL Injection is an attempt to manipulate our data or our database by inserting rogue code into our query.
● XSS allows the attackers to insert client-side script into web pages.
● E.g. submission of forms.
● It is a term used to describe a class of attacks that allow an attacker to inject client-side scripts into other users’ browsers through a website.
● As the injected code enters the browser from the site, the code is treated as trusted and can do things like sending the user’s site authorization cookie to the attacker.
● If the user fails to log in, the error message should not let the user know which field is incorrect: username or password.
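The XSS point above, illustrated with an added Python example (written for these notes, not from the slides): the same user-submitted comment rendered into a page once without and once with output encoding. Browsers parse whatever lands in the HTML as markup, so escaping `<`, `>`, `&` and quotes at output time is what keeps a submitted script from running in other users' browsers. The comment text is a constructed test input.

```python
import html

# Added example (not from the slides): a user-supplied comment rendered into HTML
# without and with output encoding. The inputs are constructed.

def render_comment_vulnerable(user_text):
    # Untrusted text dropped straight into the markup: any tag inside the comment
    # becomes part of the page, so a <script> element would execute for every reader.
    return f'<p class="comment">{user_text}</p>'

def render_comment_safe(user_text):
    # html.escape turns < > & " ' into entities; the browser shows them as text.
    return f'<p class="comment">{html.escape(user_text, quote=True)}</p>'

def render_attribute_safe(user_text):
    # Attribute context: quote=True is what stops a value from closing the attribute early.
    return f'<input value="{html.escape(user_text, quote=True)}">'

def contains_element(rendered, tag):
    """Check used in the test: does the output still contain an opening <tag ...?"""
    return f"<{tag}" in rendered.lower()
```

The escaping must be applied at the point of output and chosen for the context (element body, attribute value, and so on); the same input reaching a `value="..."` attribute needs the quotes encoded as well, which is what `render_attribute_safe` shows.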

Web Security Considerations

● Data validation is the proper testing of any input supplied by the user or application. It prevents improperly created data from entering the information system. Validation of data should be performed on both server-side and client-side. If we perform data validation on both sides, that will give us the authentication. Data validation should occur when data is received from an outside party, especially if the data is from untrusted sources.
● Passwords provide the first line of defense against unauthorized access to our device and personal information. It is necessary to use a strong password. Passwords must be complex to protect against brute force.
● It is good to enforce password requirements such as a minimum of eight characters, including uppercase letters, lowercase letters, special characters, and numerals.

User Authentication

● User authentication is the security paradigm that refers to the mechanism by which the identity of a user is first confirmed before being granted access to a resource.
● It is the process of establishing the identity of an individual who wants to have access to a particular system or service.
● It involves a process of ensuring that the user claiming to be a specific person is genuine, through credentials like passwords, biometric data, security tokens, or other authenticity factors.
How User Authentication Works

● Presentation of Credentials: It may be in the form of a user ID and password, a fingerprint or other such scans, a token that the user presents, or any other form of authentication factor that the user presents.
● Transmission to the Authenticating System: It forwards the materials to the authenticating system for verification and authorization based on the information included in the document.
● Verification: It checks that the provided information is sufficient for the type of access by verifying it with the stored entries.
● Granting Access: If the identification details provided match those in the records and the system has succeeded in authenticating the user, access can be granted to the system or the service.
● Access Denied: If many of the details of the credentials given do not match the details in the database, or there is evidence of phishing or hijacking, access can be denied, and further security actions could follow, such as alerting the user or system administrator or even authenticating the credentials further.

User Authentication Types

● Password-based Authentication
● Biometric Authentication
● Two Factor Authentication (2FA)
● Multi-factor Authentication (MFA)
● Single Sign-On (SSO)
● Token-based Authentication

Password Based Authentication

● User authentication types include password-based authentication, whereby people use a unique code to be allowed entry and use a given system or service.
● It is an easy-to-implement and commonly used technique, though it may be exposed to password theft or guessing attacks.
● Good practice includes proper password management, such as adopting and implementing strict password management policies, besides practicing techniques such as salting and hashing of passwords.
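One added Python example (written for these notes, not from the slides) covering three points from the authentication slides: the password policy stated earlier (at least eight characters with uppercase, lowercase, digits and special characters), the salting and hashing of stored passwords mentioned just above, and the rule that a failed login must not reveal whether the username or the password was wrong. It uses PBKDF2-HMAC-SHA256 from the standard library with a fresh random salt per password and a constant-time comparison; the usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
import string

# Added example (not from the slides). Enforces the slides' password requirements,
# stores only salted PBKDF2 hashes, and gives one message for every failed login.
# Usernames and passwords used here are constructed.

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)

def password_meets_policy(password):
    """At least 8 characters with an uppercase, a lowercase, a digit and a special character."""
    return (len(password) >= MIN_LENGTH
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))

def hash_password(password, iterations=200_000):
    salt = os.urandom(16)                        # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare

GENERIC_FAILURE = "Invalid username or password"

class UserStore:
    def __init__(self):
        self._records = {}                       # username -> stored hash string

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet the policy")
        self._records[username] = hash_password(password)

    def try_register(self, username, password):
        try:
            self.register(username, password)
            return True
        except ValueError:
            return False

    def login(self, username, password):
        record = self._records.get(username)
        if record is not None and verify_password(password, record):
            return True, "login ok"
        return False, GENERIC_FAILURE            # same text whether the user or the password was wrong
```

Because every password gets its own salt, two users with the same password end up with different stored strings, and `login` returns the identical failure text for an unknown user and for a wrong password, so an attacker probing the login form learns nothing about which accounts exist.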
Biometric Authentication

● The technique used for validation is a fingerprint, face recognition, or an iris scan, where it is the biometric structure of a user that is identified.
● Biometric data cannot be easily duplicated, and for that reason, its existence guarantees high security.
● But the flipside is privacy issues; other concerns include the false negatives and false positives being a bit questionable.

Two factor Authentication (2FA)

● This relies on something in the user’s possession, such as the password, and also something the user has at a particular period, such as a smartphone or a token.
● Generally, the security level is too high because if an intruder has access to one of the used factors, the data won’t be available.
● After all, it is impossible to access something we don’t have.

Multi Factor Authentication (MFA)

● Need to input two or more independent values that can be something they know, possess, or are, namely biometric data.
● It takes this idea further to enhance security even further, but there can be downsides both in terms of the technical complexity and convenience for an end user.

Single Sign-on

● SSO is needed when a user needs to get into many related or integrated systems or services but using the same username and password.
● Before, the user had to remember a handful of passwords to log in to his accounts on websites; now, this is reduced to memorizing just a single password.
Token Based Authentication

● A unique token is created for the users.
● To continue using the system, the users must hold on to this token.
● There are three types of tokens: physical tokens, such as the USB token, digital tokens, and web tokens, which are entirely software-based.
● This is a more secure form. The links are activated with a password rather than through a token, which is really hard to break or easily duplicate.
● This might pose an operational issue concerning the process of control and distribution of tokens.

What is Cookie?

● A cookie is just textual information about some website.
● When you visit a website you actually request the web page from the server. For a server, every request is a unique request. So if you visit a hundred times, the server will consider each and every request unique. Since the intensity of requests that arrive at a server is high, it is obvious and logical not to store every user’s information on the server. Maybe you never visit again and the same information will be redundant. So, to uniquely remember you, the server sends cookies along with the response, which are saved on your local machine. The next time you hit the same server, you will get a response tailored to you, as the server will recognize you.

● Cookies are small text files that websites store on a user’s device to track their browsing activity. While cookies can be useful, they can also be a security vulnerability.
● When we visit a particular website, some information is saved in your local system so that when you visit the same website again, this website is able to recognize you and show you the results according to your preferences. Cookies have long been used in the internet’s history and have developed in a magnificent way.
● Session Management: Cookies store things like items in your shopping cart or your language preference, so you don’t have to re-enter this information each time you visit. Cookies let websites recognize users and recollect their individual login information and preferences.

How cookies are used

● Authentication
Cookies can help identify a user and their account when they log in to a website.
● Tracking
Cookies can track a user’s browsing history, including what pages they visit and what items they add to their shopping cart.
● Personalization
Cookies can be used to show personalized ads and improve a user’s browsing experience.

Where are Cookies Stored?

Cookies are stored on your device in special folders or files within your web browser. Here’s where they can typically be found:
● On Your Computer or Device: Cookies are stored as small text files on your hard drive or in your device’s storage.
● In Your Web Browser: Each browser (like Chrome, Firefox, or Safari) has its own way of storing cookies. They keep cookies in a specific location within the browser’s data storage.

● In the Browser’s Data Folder: For instance, in Chrome, cookies are kept in the “Cookies” file located in the browser’s profile directory, while Firefox uses a database file called cookies.sqlite.
● In the Browser’s Settings: You can usually view and manage stored cookies through your browser’s settings or preferences under privacy or security sections.
To access cookies in the Chrome browser, you need to follow these steps:
● Chrome: Settings > Privacy and Security > Cookies and other site data > See all site data and permissions.
Cookie-based attacks
● Malicious actors can use cookies to steal personal information or infect a device with malware.
● Security vulnerabilities can allow attackers to read cookie data and gain access to user data or the website.

Parameters for Cookies
Cookies have six parameters that can be passed to them:
1. Name of the cookie
2. Value of the cookie
3. The expiration date of the cookie – determines how long the cookie will remain active in your browser.
4. Valid path for the cookie – This sets the URL path in which the cookie is valid. Web pages or websites outside the path of the cookie cannot use the cookie.
5. Valid domain for the cookie – This takes the path parameter one step further. This makes the cookie accessible to pages on any of the servers when a site uses multiple servers in a domain.
6. Need for a secure connection – It specifies that a cookie can only be used under a secure server condition, such as a site using SSL.
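The six parameters above decide whether a browser will ever send a cookie to a given page. As an added example (not code from the slides), this Python snippet parses a Set-Cookie header into those parameters and applies the expiry, path, domain and secure rules to a request URL; the header values and host names are constructed.

```python
"""Added example (not from the original slides): parse a Set-Cookie header
into the six cookie parameters and decide whether a browser would attach the
cookie to a request for a given URL. Sample values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str                    # parameter 1
    value: str                   # parameter 2
    expires: Optional[datetime]  # parameter 3; None means a session cookie
    path: str                    # parameter 4
    domain: Optional[str]        # parameter 5; None means host-only
    secure: bool                 # parameter 6


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into the six parameters.

    Attribute names are case-insensitive; attributes this example does not
    model (HttpOnly, SameSite, Max-Age) are ignored.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), None, "/", None, False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = parsedate_to_datetime(val)
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "secure":
            cookie.secure = True
    return cookie


def cookie_is_sent(cookie: Cookie, url: str, setting_host: str,
                   now: Optional[datetime] = None) -> bool:
    """Would a browser attach this cookie to a request for `url`?

    `setting_host` is the host that originally set the cookie; it matters
    only for host-only cookies (those without a Domain attribute).
    """
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # 3. expiration date: an expired cookie is discarded, never sent
    if cookie.expires is not None and cookie.expires <= now:
        return False
    # 6. secure connection: a Secure cookie never travels over plain HTTP
    if cookie.secure and parts.scheme != "https":
        return False
    # 5. domain: host-only cookies go back to the setting host only;
    #    domain cookies also reach every subdomain of that domain
    if cookie.domain is None:
        if host != setting_host.lower():
            return False
    elif host != cookie.domain and not host.endswith("." + cookie.domain):
        return False
    # 4. path: the request path must equal the cookie path or lie beneath it
    req_path = parts.path or "/"
    if req_path != cookie.path and not req_path.startswith(cookie.path.rstrip("/") + "/"):
        return False
    return True
```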

Types of cookies
1. Session cookies
2. Persistent cookies
3. First-party cookies
4. Third-party cookies
5. Secure cookies

SSL
● SSL, or Secure Sockets Layer, is an Internet security protocol that encrypts data to keep it safe.
● It was created by Netscape in 1995 to ensure privacy, authentication, and data integrity in online communications.
● SSL is the older version of what we now call TLS (Transport Layer Security).
● Websites using SSL/TLS have “HTTPS” in their URL instead of “HTTP.”
● Secure Sockets Layer is a public key cryptosystem used at the application layer to encrypt the data passing over HTTP.
● SSL breaks the incoming data into fixed-size blocks, fragments them, compresses them, encrypts them and adds a MAC header, and passes the result to the receiving end. It has four protocols:
  i. Handshake protocol – used for establishing a connection.
  ii. Change Cipher Spec protocol – used to notify that the handshake is over.
  iii. Record protocol – carries the actual data.
  iv. Alert protocol – used for any notification.
Working of SSL
● Encryption: SSL encrypts data transmitted over the web, ensuring privacy. If someone intercepts the data, they will see only a jumble of characters that is nearly impossible to decode.
● Authentication: SSL starts an authentication process called a handshake between two devices to confirm their identities, making sure both parties are who they claim to be.
● Data Integrity: SSL digitally signs data to ensure it hasn’t been tampered with, verifying that the data received is exactly what was sent by the sender.
HTTPS
How HTTPS works
● HTTPS uses Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt data sent between a user and a website.
● HTTPS verifies the identity of a website or service.
● HTTPS protects information like cookies, user agent details, and form submissions.
● HTTPS protects against eavesdropping, man-in-the-middle attacks, and hijackers.

Working of HTTPS
● HTTP transfers data in a hypertext format between the browser and the web server, whereas HTTPS transfers data in an encrypted format.
● As a result, HTTPS protects websites from having their information broadcast in a way that anyone eavesdropping on the network can easily see.
● During transit between the browser and the web server, HTTPS protects the data from being accessed and altered by hackers.
● Even if the transmission is intercepted, hackers will be unable to use it because the message is encrypted.
HTTPS uses an asymmetric public key infrastructure to secure the communication link. Two different kinds of keys are used for encryption:
● Private Key: It is used for the decryption of data that has been encrypted with the public key. It resides on the server side and is controlled by the owner of the website. It is private in nature.
● Public Key: It is public in nature and is accessible to all the users who communicate with the server. Data encrypted with the public key can only be decrypted with the private key.

Advantages of HTTPS
● Secure Communication: HTTPS establishes a secure communication link between the communicating systems by providing encryption during transmission.
● Data Integrity: By encrypting the data, HTTPS ensures data integrity. This implies that even if the data is compromised at any point, the hackers won’t be able to read or modify the data being exchanged.
● Privacy and Security: HTTPS prevents attackers from passively accessing the data being exchanged, thereby protecting the privacy and security of the users.
● Faster Performance: HTTPS encrypts the data and reduces its size. The smaller size accounts for faster data transmission in the case of HTTPS.
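The identity check that HTTPS adds on top of encryption is only as good as the client configuration that enforces it. As an added example (not from the slides), this Python snippet inspects an `ssl.SSLContext` for the three properties the SSL and HTTPS sections describe and shows a correctly configured client beside the "verification off" pattern that silently gives up server authentication; it uses only the standard library.

```python
"""Added example (not part of the original slides): inspect an ssl.SSLContext
and report whether it still enforces what the SSL/HTTPS sections promise:
a modern protocol version for encryption and authentication of the server
through certificate and hostname checks."""
import ssl


def tls_context_report(ctx: ssl.SSLContext) -> dict:
    """Summarize the settings that decide whether a client trusts a server."""
    return {
        # authentication: the peer certificate must chain to a trusted CA
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        # authentication: the certificate must match the host that was asked for
        "checks_hostname": ctx.check_hostname,
        # encryption: SSL 2/3 and TLS 1.0/1.1 are obsolete; require TLS 1.2 or newer
        "modern_version": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def tls_context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only when every property in the report holds."""
    return all(tls_context_report(ctx).values())


def default_client_context() -> ssl.SSLContext:
    """The context an HTTPS client should use: it verifies the server."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """A pattern often seen in quick scripts: verification switched off.

    Traffic is still encrypted, but the client no longer authenticates the
    server, so a man-in-the-middle can present any certificate and read it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```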
Account Harvesting
Account Harvesting is the process of collecting legitimate account names on a system. Attackers use techniques like brute force, phishing, social engineering, and data breaches to gather this information.

Techniques:
● Phishing: Emails that lure recipients to malicious websites to enter their credentials.
● Malware: Infected attachments in emails that deploy malware to capture login credentials.
● Social Engineering: Manipulating individuals into divulging confidential information.
● Brute Force: Exhaustive attempts to guess passwords by trying all possible combinations.
● Domain Spoofing: Creating fake websites or email domains that appear legitimate to trick users.

Signs Your Account May Be Compromised
Recognizing the signs of a compromised account is crucial for maintaining cybersecurity. Here are some common indicators that your account may have been compromised:
● Unusual Activity: Unexpected login attempts or activity from unfamiliar locations.
● Password Changes: Receiving notifications of password changes you did not initiate.
● Security Alerts: Alerts from services you use about suspicious activity.
● Unauthorized Transactions: Unexplained transactions or changes in your account.
● Phishing Emails: Receiving emails asking for personal information or login credentials.

Preventing Account Harvesting: Best Practices
Preventing account harvesting is crucial for maintaining cybersecurity. Implementing best practices can significantly reduce the risk of credential theft and unauthorized access. Here are some effective strategies to prevent account harvesting:
● Two-Factor Authentication: Adds an extra layer of security by requiring additional verification steps.
● Data Encryption: Ensures that intercepted data cannot be easily read or used by attackers.
● Regular Security Scans: Detects suspicious activities on the network early.
● Employee Training: Educates staff to recognize and respond to credential-harvesting attempts.
● Strong Password Policies: Enforces the use of complex, unique passwords that are changed regularly.
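The "unusual activity" sign and the brute-force technique above are what a security scan actually looks for in authentication logs. As an added example (not from the slides), this Python snippet runs three such rules over a few constructed log lines: repeated failures against one account, one source trying many different account names, and a successful login from a country the account has never used. The log format, the location history and the thresholds are assumptions.

```python
"""Added example (not from the original slides): detect brute force, account
enumeration and logins from unfamiliar locations in constructed auth logs.
Log format, history and thresholds are assumptions, not a real product's."""
from collections import defaultdict
import re

# Constructed sample log lines (format assumed): time user result src country
SAMPLE_LOG = """\
2024-05-01T08:00:01 alice SUCCESS 203.0.113.5 DE
2024-05-01T08:02:11 bob FAIL 198.51.100.9 US
2024-05-01T08:02:12 carol FAIL 198.51.100.9 US
2024-05-01T08:02:13 dave FAIL 198.51.100.9 US
2024-05-01T08:02:14 erin FAIL 198.51.100.9 US
2024-05-01T08:02:15 frank FAIL 198.51.100.9 US
2024-05-01T08:05:00 alice FAIL 192.0.2.77 BR
2024-05-01T08:05:01 alice FAIL 192.0.2.77 BR
2024-05-01T08:05:02 alice FAIL 192.0.2.77 BR
2024-05-01T08:05:03 alice FAIL 192.0.2.77 BR
2024-05-01T08:05:04 alice SUCCESS 192.0.2.77 BR
2024-05-01T09:00:00 bob SUCCESS 198.51.100.20 US
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (SUCCESS|FAIL) (\S+) (\S+)$")

# Countries each account has logged in from before (constructed history)
KNOWN_LOCATIONS = {"alice": {"DE"}, "bob": {"US"}}

FAILS_PER_USER = 3      # brute force: failures against a single account
USERS_PER_SOURCE = 4    # enumeration: distinct accounts tried from one source


def parse_log(text):
    """Turn the raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, result, src, country = m.groups()
            events.append({"ts": ts, "user": user, "ok": result == "SUCCESS",
                           "src": src, "country": country})
    return events


def detect(events, known=KNOWN_LOCATIONS):
    """Return (signal, subject) tuples, one per rule the moment it first fires."""
    fails_by_user = defaultdict(int)
    users_by_src = defaultdict(set)
    alerts = []
    for e in events:
        if not e["ok"]:
            fails_by_user[e["user"]] += 1
            users_by_src[e["src"]].add(e["user"])
            # brute force: the same account failing again and again
            if fails_by_user[e["user"]] == FAILS_PER_USER:
                alerts.append(("brute_force", e["user"]))
            # enumeration: one source walking through many account names
            if len(users_by_src[e["src"]]) == USERS_PER_SOURCE:
                alerts.append(("account_enumeration", e["src"]))
        else:
            # unusual activity: a login from a country never seen for this user
            if e["user"] in known and e["country"] not in known[e["user"]]:
                alerts.append(("unfamiliar_location", e["user"]))
    return alerts
```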
Account Harvesting: Legal and Ethical Implications
Account harvesting carries significant legal and ethical implications. Unauthorized collection of account credentials can lead to severe legal consequences, including fines and imprisonment. Ethically, it raises concerns about privacy and consent, as individuals’ data is often collected without their knowledge or permission.
● Legal Risks: Engaging in account harvesting can result in violations of privacy laws and data protection regulations, leading to legal actions such as fines and imprisonment.
● Ethical Concerns: Collecting data without consent undermines trust and violates ethical standards, potentially causing reputational damage and loss of customer trust.

Web Bugs
● A Web bug is a computer program that is designed to monitor user behavior and collect information.
● Most web bugs are harmless, and do not attempt to identify visitors.
● They are placed on web pages and e-mail messages to improve the performance of a website.
● The average person has no way of determining if they have received a web bug. However, there are a few ways to detect if your computer has one.
● A web bug is a simple 1-pixel-by-1-pixel image tag that can be added to an HTML message.
● This image can be embedded into a web page or an email message to track users who have visited a landing page or opened an email.
● They are able to gather details about who is reading the web page or newsletter, when and from what computer.
● Web bugs are generally invisible to users, but are extremely valuable to online and email marketing success measurement. (Users may also refer to the small tracking images as a web beacon, tracking bug or pixel tag.)
● Email marketers are able to add web bugs to newsletters and other messages sent out to their mailing lists.
● In emails, web bugs can note whether an email is read or if it was forwarded to other users.
● When email clients prepare to display emails with these embedded tracking images, they send a request to the image’s server for additional information.
● These requests include the IP address of the requesting computer, the time the content was requested, the web browser that made the request and the existence of that server’s previously set cookies.
● This information is then associated with the web bug’s unique tracking token and stored on the server.
● Spammers are also frequent users of web bugs, making email users leery of this tracking method.
● Again, these images help to determine which spam recipients open and read the messages before deleting them.
● Many email clients take steps to prevent this use of web bugs by turning off the HTML display in emails and only displaying the text (though users have the option to turn HTML display back on for trusted mailers) or by turning off the image display function while still allowing HTML to run any other functions.

Types of Web Bugs
Functional bugs
UI Bugs
Performance Bugs
Security Bugs
Compatibility Bugs
Content bugs
Browsing bugs
Mobile responsive bug
Validation Bug
Session management bug
How to Protect Yourself from Web Bugs
While web bugs can be difficult to detect and avoid, there are several steps users can take to protect themselves from online tracking and surveillance. Here are some tips for protecting yourself from web bugs:
1. Updates
2. Codes and Coding
3. Create an Easy Way to Contact
4. Check for Broken Links and Errors
5. Use secure passwords
6. Test your Website Thoroughly
7. Use Third Party Software or Plugins

Sniffing
● Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools.
● It is a form of “tapping phone wires” to get to know about the conversation. It is also called wiretapping applied to computer networks.
● A sniffing attack in system hacking is a form of denial-of-service attack which is carried out by sniffing or capturing packets on the network, and then either sending them repeatedly to a victim machine or replaying them back to the sender with modifications.
● Sniffers are often used in system hacking as a tool for analyzing traffic patterns in a scenario where performing more intrusive and damaging attacks would not be desirable.
● A sniffing attack can also be used in an attempt to recover a passphrase, such as when an SSH private key has been compromised.
● The sniffer captures SSH packets containing encrypted versions of the password being typed by the user at their terminal, which can then be cracked offline using brute force methods.
● Another sniffing attack called ARP spoofing involves sending forged Address Resolution Protocol (ARP) messages to the Ethernet data link layer. These messages are used to associate a victim machine’s IP address with a different MAC address, leading the targeted machine to send all its traffic intended for the victim through an attacker-controlled host.
● This is used both to hijack sessions and to cause flooding of the network via a denial-of-service attack (see Smurf attack).
Every IP packet contains, in addition to its payload, two fields: an IP header, and an Ethernet header encapsulating it.
● The combination of these two headers is often referred to as a “packet” by those who work with internet communications. An attacker can, therefore, view and modify an IP packet’s IP header without having to see its payload.
● The Ethernet header contains information about the destination MAC address (the hardware address of the recipient machine) and the Ethertype field contains a value indicating what type of service is requested (e.g., precedence or flow control).
ARP Spoofing
There are a number of different methods that an attacker can use to perform ARP spoofing. They include:
● The attacker has access to the “ARP cache” on their infected machine, which also contains other machines’ MAC addresses, but who do not have or are not using the same IP addresses as other machines with the same MAC addresses in their ARP caches.
● The attacker does not know what method the other machines use for keeping a table of MAC addresses, and so simply sets up a network with many duplicate entries.
● The attacker sends out forged ARP messages, trying to associate their infected machine with another machine’s MAC address.

Countermeasures:
There are a number of ways that the attacker can be prevented from using these methods, including:
● ARP spoofing is not a very effective attack, except in networks that are poorly secured.
● In order for an attacker to use this method as a form of masquerading, they must be able to send packets directly to the network (either through access to Wi-Fi or by finding a security flaw). Because of this, the attacker’s IP address is likely to become known very quickly.
● A sniffing attack is a form of attack where the attacker tries to access certain data over the network and sniffing is used as an essential task in capturing data. The term “sniffing” comes from the action of sniffing or smelling. The attacker gets hold of this information by using special software called a “network analyzer”.
● Sniffing in Hacking: it is considered to be an intrusion on your computer system without permission, without your knowledge, and without legal authorization. It’s called hacking, which can be performed by several methods.

What can be sniffed?
Email traffic
FTP passwords
Web traffic
Telnet passwords
Router configuration
Chat sessions
DNS traffic

How it works
● A sniffer normally turns the NIC of the system to the
promiscuous mode so that it listens to all the data transmitted on
its segment.
● Promiscuous mode is a setting of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network segment, even traffic that is not addressed to this NIC.
● By default, a NIC ignores all traffic that is not addressed to it,
which is done by comparing the destination address of the
Ethernet packet with the hardware address (a.k.a. MAC) of the
device.
● While this makes perfect sense for networking, non-promiscuous
mode makes it difficult to use network monitoring and analysis
software for diagnosing connectivity issues or traffic accounting.
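Because a sniffer needs the NIC in promiscuous mode, checking for that setting on a host is a direct way to spot one. As an added example (not from the slides), this Python snippet reads the flag from `ip -o link show` output and reconciles it with the "entered/left promiscuous mode" lines the Linux kernel logs; both inputs here are constructed text in the format of those tools.

```python
"""Added example (not from the original slides): two host-side checks for a
NIC in promiscuous mode. Input text is constructed; the formats follow
iproute2's `ip -o link show` and the Linux kernel's log messages."""
import re

# Constructed `ip -o link show` output (values made up)
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
"""

# Constructed kernel log lines (older kernels print "device eth0 entered ...",
# newer ones "eth0: entered ..."; the regex accepts both)
SAMPLE_KMSG = """\
[ 1201.110] device eth0 entered promiscuous mode
[ 1390.220] device eth0 left promiscuous mode
[ 2001.000] device eth0 entered promiscuous mode
[ 2005.000] wlan0: entered promiscuous mode
[ 2100.000] wlan0: left promiscuous mode
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^<]*<([^>]*)>")
KMSG_RE = re.compile(r"(?:device\s+)?([\w.@-]+):?\s+(entered|left) promiscuous mode")


def promiscuous_interfaces(ip_link_output):
    """Interfaces whose flag list (the <...> part) contains PROMISC."""
    found = []
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promiscuous_from_kernel_log(kmsg):
    """Replay enter/leave messages; whatever is left over is still promiscuous."""
    active = set()
    for line in kmsg.splitlines():
        m = KMSG_RE.search(line)
        if m:
            name, action = m.groups()
            if action == "entered":
                active.add(name)
            else:
                active.discard(name)
    return active


def audit(ip_link_output, kmsg):
    """Union of both sources, sorted. A name present in only one of them is
    also worth a look: a flag cleared after a capture, or a rotated log."""
    return sorted(set(promiscuous_interfaces(ip_link_output))
                  | promiscuous_from_kernel_log(kmsg))
```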
Sniffing
A sniffer can continuously monitor all the traffic to a computer through the NIC by decoding the information encapsulated in the data packets.

Types of Sniffing
● Passive Sniffing
● Active Sniffing

Passive Sniffing
In passive sniffing, the traffic is locked but it is not altered in any way. Passive sniffing allows listening only. It works with hub devices. On a hub device, the traffic is sent to all the ports. In a network that uses hubs to connect systems, all hosts on the network can see the traffic. Therefore, an attacker can easily capture traffic going through.
The good news is that hubs are almost obsolete nowadays. Most modern networks use switches. Hence, passive sniffing is no longer effective.

Active Sniffing
In active sniffing, the traffic is not only locked and monitored, but it may also be altered in some way as determined by the attack. Active sniffing is used to sniff a switch-based network. It involves injecting address resolution packets (ARP) into a target network to flood the switch’s content addressable memory (CAM) table. The CAM table keeps track of which host is connected to which port.

Active Sniffing Techniques
● MAC Flooding
● DHCP Attacks
● DNS Poisoning
● Spoofing Attacks
● ARP Poisoning

Protocols which are affected
Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much resistance to potential intruders. Several protocols lend themselves to easy sniffing:
HTTP − It is used to send information in clear text without any encryption and is thus a real target.
SMTP (Simple Mail Transfer Protocol) − SMTP is basically utilized in the transfer of emails. This protocol is efficient, but it does not include any protection against sniffing.
NNTP (Network News Transfer Protocol) − It is used for all types of communications, but its main drawback is that data and even passwords are sent over the network as clear text.
POP (Post Office Protocol) − POP is strictly used to receive emails from the servers. This protocol does not include protection against sniffing because it can be trapped.
FTP (File Transfer Protocol) − FTP is used to send and receive files, but it does not offer any security features. All the data is sent as clear text that can be easily sniffed.
IMAP (Internet Message Access Protocol) − IMAP is the same as SMTP in its functions, but it is highly vulnerable to sniffing.
Telnet − Telnet sends everything (usernames, passwords, keystrokes) over the network as clear text and hence, it can be easily sniffed.

ARP Poisoning
● ARP Poisoning (also known as ARP Spoofing) is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN in order to change the pairings in its IP to MAC address table. The ARP protocol translates IP addresses into MAC addresses.
● Because the ARP protocol was designed purely for efficiency and not for security, ARP Poisoning attacks are extremely easy to carry out as long as the attacker has control of a machine within the target LAN or is directly connected to it.

● The attack itself consists of an attacker sending a false ARP reply message to the default network gateway, informing it that his or her MAC address should be associated with his or her target’s IP address (and vice-versa, so his or her target’s MAC is now associated with the attacker’s IP address).
● Once the default gateway has received this message and broadcasts its changes to all other devices on the network, all of the target’s traffic to any other device on the network travels through the attacker’s computer, allowing the attacker to inspect or modify it before forwarding it to its real destination.
● Victims of ARP Poisoning rarely realize that their traffic is being inspected or modified. Besides Man-in-the-Middle Attacks, ARP Poisoning can be used to cause a denial-of-service condition over a LAN by simply intercepting or dropping and not forwarding the target’s packets.
Two types of ARP attacks exist.

● ARP spoofing: A hacker sends fake ARP packets that link an attacker's
MAC address with an IP of a computer already on the LAN.
● ARP poisoning: After a successful ARP spoofing, a hacker changes the
company's ARP table, so it contains falsified MAC maps. The contagion
spreads.

The goal is to link the attacker’s MAC address with the IP address of a legitimate host on the LAN. The result is that any traffic sent to the compromised address will head to the attacker instead.
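What both ARP attack types leave behind on the wire is an IP address that suddenly answers from a new MAC address, which is exactly what a monitor like the Arpwatch tool listed on this page watches for. As an added example (not from the slides or from Arpwatch), this Python snippet replays constructed ARP replies through such a monitor: it keeps the IP-to-MAC table, alerts on a changed mapping, on one MAC claiming the gateway and a host at once, and on any reply that contradicts a static ARP entry. Addresses and timestamps are constructed.

```python
"""Added example (not from the original slides or from Arpwatch): an
Arpwatch-style monitor fed with constructed ARP replies. Addresses, times
and the static ARP entry are made up for the demonstration."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"
# Static ARP entry a defender pins for the gateway (constructed); a reply
# that disagrees with it is always suspicious.
STATIC_ARP = {GATEWAY_IP: "aa:bb:cc:00:00:01"}

# Constructed ARP replies seen on the segment: (time, sender_ip, sender_mac)
SAMPLE_REPLIES = [
    ("10:00:00", "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ("10:00:01", "192.168.1.20", "aa:bb:cc:00:00:20"),  # victim host
    ("10:00:02", "192.168.1.30", "aa:bb:cc:00:00:30"),  # attacker's own NIC
    ("10:05:00", "192.168.1.1", "aa:bb:cc:00:00:30"),   # forged: gateway IP -> attacker MAC
    ("10:05:00", "192.168.1.20", "aa:bb:cc:00:00:30"),  # forged: victim IP -> attacker MAC
    ("10:06:00", "192.168.1.40", "aa:bb:cc:00:00:40"),  # unrelated new host
]


class ArpMonitor:
    def __init__(self, static=STATIC_ARP):
        self.static = dict(static)
        self.table = {}                    # ip -> mac currently believed
        self.ips_by_mac = defaultdict(set)  # mac -> ips it currently claims
        self.alerts = []                   # (time, kind, detail)

    def observe(self, ts, ip, mac):
        """Update the table with one ARP reply and record any alerts."""
        mac = mac.lower()
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append((ts, "static_entry_violation",
                                f"{ip} claimed by {mac}, pinned to {self.static[ip]}"))
        old = self.table.get(ip)
        if old is not None and old != mac:
            # the "flip flop" Arpwatch reports: same IP, new hardware address
            self.alerts.append((ts, "mac_changed", f"{ip}: {old} -> {mac}"))
            self.ips_by_mac[old].discard(ip)
        self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            # one NIC answering for several IPs is the footprint of a man in
            # the middle, worst of all when one of them is the gateway
            kind = ("gateway_impersonation" if GATEWAY_IP in self.ips_by_mac[mac]
                    else "mac_claims_multiple_ips")
            self.alerts.append((ts, kind,
                                f"{mac} answers for {sorted(self.ips_by_mac[mac])}"))

    def replay(self, replies):
        for ts, ip, mac in replies:
            self.observe(ts, ip, mac)
        return self.alerts
```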

At the end of a successful ARP attack, a hacker can:
● Hijack: Someone may look over everything that heads to the LAN before releasing it.
● Deny service: Someone may refuse to release anything from the infected LAN unless some kind of ransom is paid.
● Sit in the middle: Someone conducting a man-in-the-middle attack can do almost anything, including altering documents before sending them out. These attacks both threaten confidentiality and reduce user confidence. They are among the most dangerous attacks anyone can perpetrate.

Protection Tools
● Arpwatch: Monitor ethernet activity, including changing IP and MAC addresses, via this Linux tool. Look over the log every day, and access timestamps to understand just when the attack happened.
● ARP-GUARD: Tap into a graphic overview of your existing network, including illustrations of switches and routers. Allow the program to develop an understanding of what devices are on your network and build rules to control future connections.
● XArp: Use this tool to detect attacks happening below your firewall. Get notified as soon as an attack begins, and use the tool to determine what to do next.
● Wireshark: Use this tool to develop a graphic understanding of all the devices on your network. This tool is powerful, but you may need advanced skills to implement it properly.
● Packet filtering: Use this firewall technique to manage network access by monitoring incoming and outgoing IP packets. Packets are allowed or stopped based on source and destination IP addresses, ports, and protocols.
● Static ARP: These ARP entries are added to the cache and retained on a permanent basis. They serve as permanent mappings between MAC addresses and IP addresses.

Clickjacking
Definition: Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.
Example: A web user accesses a decoy website (perhaps this is a link provided by an email) and clicks on a button to win a prize. Unknowingly, they have been deceived by an attacker into pressing an alternative hidden button and this results in the payment of an account on another site. This is an example of a clickjacking attack.

The technique depends upon the incorporation of an invisible, actionable web page (or multiple pages) containing a button or hidden link, say, within an iframe. The iframe is overlaid on top of the user’s anticipated decoy web page content. This attack differs from a CSRF attack in that the user is required to perform an action such as a button click whereas a CSRF attack depends upon forging an entire request without the user’s knowledge or input.
Protection against CSRF attacks is often provided by the use of a CSRF token: a session-specific, single-use number or nonce. Clickjacking attacks are not mitigated by the CSRF token as a target session is established with content loaded from an authentic website and with all requests happening on-domain. CSRF tokens are placed into requests and passed to the server as part of a normally behaved session. The difference compared to a normal user session is that the process occurs within a hidden iframe.
How to construct a basic clickjacking attack
Clickjacking attacks use CSS to create and manipulate layers. The attacker incorporates the target website as an iframe layer overlaid on the decoy website. An example using the style tag and parameters is as follows:
The target website iframe is positioned within the browser so that there is a precise overlap of the target action with the decoy website using appropriate width and height position values. Absolute and relative position values are used to ensure that the target website accurately overlaps the decoy regardless of screen size, browser type and platform. The z-index determines the stacking order of the iframe and website layers. The opacity value is defined as 0.0 (or close to 0.0) so that the iframe content is transparent to the user. Browser clickjacking protection might apply threshold-based iframe transparency detection (for example, Chrome version 76 includes this behavior but Firefox does not). The attacker selects opacity values so that the desired effect is achieved without triggering protection behaviors.
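The two hidden elements this page describes, the 1-pixel tracking image of the Web Bugs section and the near-transparent, absolutely positioned iframe of the clickjacking section, share the same tell-tale markup, so one scanner covers both. As an added example (not from the slides or from PortSwigger), this Python snippet walks an HTML document with the standard-library parser and flags each; the sample document and its URLs are constructed.

```python
"""Added example (not from the original slides or PortSwigger): scan HTML for
a 1x1 remote tracking image (web bug) and for an iframe hidden with opacity
and absolute positioning (clickjacking overlay). Sample HTML is constructed."""
from html.parser import HTMLParser
import re

SAMPLE_HTML = """
<html><body>
<p>Special offer inside!</p>
<img src="https://track.example.net/open?token=a1b2c3" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<div style="position:relative">
  <button>Click to win a prize</button>
  <iframe src="https://bank.example.com/transfer"
          style="position:absolute; top:0; left:0; opacity:0.01; z-index:2;
                 width:300px; height:200px"></iframe>
  <iframe src="https://video.example.com/embed/42" width="560" height="315"></iframe>
</div>
</body></html>
"""


def parse_style(style):
    """Turn 'a:b; c:d' into {'a': 'b', 'c': 'd'} with lower-cased keys and values."""
    rules = {}
    for decl in style.split(";"):
        key, _, val = decl.partition(":")
        if key.strip():
            rules[key.strip().lower()] = val.strip().lower()
    return rules


class HiddenElementScanner(HTMLParser):
    """Collects (kind, src) findings while the parser walks the document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "img":
            # web bug: a remote image of at most 1x1 pixel exists only to be fetched
            if (self._px(a.get("width")) <= 1 and self._px(a.get("height")) <= 1
                    and src.startswith("http")):
                self.findings.append(("tracking_pixel", src))
        elif tag == "iframe":
            style = parse_style(a.get("style") or "")
            opacity = self._num(style.get("opacity", "1"))
            # clickjacking overlay: a near-transparent frame taken out of the
            # normal flow so it can be stacked over the decoy content
            if opacity < 0.1 and style.get("position") in ("absolute", "fixed"):
                self.findings.append(("hidden_iframe", src))

    @staticmethod
    def _px(value):
        # width/height may be absent or carry units; absent means "not tiny"
        m = re.match(r"\d+", value or "")
        return int(m.group()) if m else 9999

    @staticmethod
    def _num(value):
        try:
            return float(value)
        except ValueError:
            return 1.0


def scan_html(html):
    scanner = HiddenElementScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```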

What is Clickjacking? Tutorial & Examples | Web Security Academy (portswigger.net)
Lab: Clickjacking with form input data prefilled from a URL parameter | Web Security Academy (portswigger.net)

Phishing and Pharming Techniques
● Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
● Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.
● Email spoofing is one of the easiest types of phishing used to get data from users without their knowledge.
● It can be done in different ways:
  – Sending an email through a familiar username.
  – Impersonating the identity of an organization and asking employees to share internal data.
Just by seeing the company’s name and the urgency of action, some users may click on the link.
How to prevent email phishing?

● The best way to prevent these attacks is by carefully reading the sender’s email address.
● If you are not sure about the characters in an email address, then copy and paste it into Notepad to check for the use of numeric or special characters.
● Misspelled URL: Hackers buy domains that sound similar to popular websites.
● Then, they phish users by creating an identical website, where they ask targets to log in by submitting personal information.
● In the example below, you can see that there’s a typo in the link that people can easily miss: “www.citiibank.com…” instead of “www.citibank.com…”
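The manual checks above (read the address carefully, look for substituted digits or special characters, notice a doubled letter like "citiibank") can be turned into a small filter. As an added example (not from the slides), this Python snippet compares a link's host with a list of domains the user trusts and reports exact matches, look-alikes reached by a few edits or by digit-for-letter substitution, and a trusted name buried in someone else's subdomain. The trusted list and sample links are constructed.

```python
"""Added example (not from the original slides): classify a link's host as
trusted, look-alike or unknown using edit distance and a small homoglyph
table. The trusted domains and the sample links are constructed."""
from urllib.parse import urlsplit

TRUSTED = ("citibank.com", "example-bank.com")   # constructed allow-list

# Characters commonly swapped in for letters in look-alike names
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l"}


def edit_distance(a, b):
    """Levenshtein distance; 'citiibank' vs 'citibank' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels: www.citibank.com -> citibank.com.
    (Good enough for .com-style names; country suffixes need a suffix list.)"""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, trusted=TRUSTED):
    """Return (verdict, reason) with verdict in {trusted, lookalike, unknown}."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("unknown", "no host in link")
    domain = registrable(host)
    if domain in trusted:
        return ("trusted", domain)
    # a trusted name buried in the subdomains of some other domain
    for t in trusted:
        if t in host and not host.endswith(t):
            return ("lookalike", f"{t} appears inside {host}")
    # undo digit/symbol substitutions before comparing the names
    name = domain.split(".")[0]
    normalized = "".join(HOMOGLYPHS.get(ch, ch) for ch in name)
    for t in trusted:
        tname = t.split(".")[0]
        if normalized == tname and name != tname:
            return ("lookalike", f"{name} uses substituted characters for {tname}")
        if edit_distance(name, tname) <= 2:
            return ("lookalike", f"{name} is within 2 edits of {tname}")
    return ("unknown", domain)
```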

Session Phishing
● Pop-Up Messages: In-Session Phishing. Pop-up messages are the easiest way to run a successful phishing campaign.
● Through pop-up messages, attackers get a window to steal login credentials by redirecting users to a fake website.
● This technique of phishing is also known as “In-session phishing.” Look at the pop-up window given below.
Session Phishing example
In this example, doesn’t the foreground pop-up seem legitimate enough to mislead customers?

OAuth 2.0
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.
In the traditional client-server authentication model, the client requests an access-restricted resource (protected resource) on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to restricted resources, the resource owner shares its credentials with the third party. This creates several problems and limitations:
o Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.
o Servers are required to support password authentication, despite the security weaknesses inherent in passwords.
o Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
o Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password.

Roles
OAuth defines four roles:
resource owner
An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
resource server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
client
An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
authorization server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. The interaction between the authorization server and resource server is beyond the scope of this specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

OAuth 2.0 flow
(A) The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary.
(B) The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.
(C) The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
(D) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.
(E) The client requests the protected resource from the resource server and authenticates by presenting the access token.
(F) The resource server validates the access token, and if valid, serves the request.
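Steps (A) to (F) are easiest to follow when the four roles are actual objects passing grants and tokens to each other. As an added example (not from the slides or from the OAuth RFCs), this Python snippet simulates the authorization code flow in one process and wires in the checks the Security Considerations on this page call for: PKCE, so that an intercepted code is useless without the client's code_verifier, single-use codes, and scopes that limit what a token can reach. Client ids, endpoints, user names and scope names are constructed, and the token store stands in for the HTTP calls a real deployment would make.

```python
"""Added example (not from the original slides or the OAuth RFCs): a minimal
in-process simulation of the OAuth 2.0 authorization code flow with PKCE.
All identifiers, scopes and endpoints are constructed."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    def __init__(self):
        self.clients = {"app-123": "https://app.example/callback"}  # registered redirect
        self.codes = {}    # code -> grant details; removed when redeemed
        self.tokens = {}   # access token -> (user, scopes)

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user):
        """(A)/(B): the resource owner approves; the grant is bound to the challenge."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                scope=set(scope.split()), challenge=code_challenge, user=user)
        return code

    def token(self, client_id, code, code_verifier, redirect_uri):
        """(C)/(D): validate the grant; the verifier proves this client started the flow."""
        grant = self.codes.pop(code, None)          # single use: a second redemption fails
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, grant["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (grant["user"], grant["scope"])
        return access_token


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server   # shared token store stands in for introspection

    def get(self, resource, access_token):
        """(E)/(F): validate the token and the scope it carries."""
        entry = self.auth_server.tokens.get(access_token)
        if entry is None:
            raise PermissionError("invalid_token")
        user, scopes = entry
        needed = {"/profile": "profile:read", "/payments": "payments:write"}[resource]
        if needed not in scopes:
            raise PermissionError("insufficient_scope")
        return f"{resource} of {user}"


def run_flow(scope="profile:read", tamper_verifier=False):
    """Drive one complete flow as the client; returns the resource plus the parties."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    verifier, challenge = make_pkce_pair()
    code = auth.authorize("app-123", "https://app.example/callback", scope, challenge, "alice")
    if tamper_verifier:
        verifier = "not-the-real-verifier"   # all a thief of the code would have
    token = auth.token("app-123", code, verifier, "https://app.example/callback")
    return api.get("/profile", token), auth, api, token, code


def denied(fn, *args):
    """True when the call is refused with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```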
Security Considerations in OAuth 2.0
● Always use PKCE (Proof Key for Code Exchange) to prevent authorization code interception.
● Use refresh tokens securely to extend sessions without re-authentication.
● Implement scopes and permissions to limit API access.

Demonstration of hacking tools on Kali Linux
● SQLMap
● HTTrack
● hping
● Burp Suite
● Wireshark
