a4apphack

Archive for the ‘Tutorials’ Category

Gruyere – Vulnerable Web Application At Google Code (Previously Jarlsberg)

Posted by rajivvishwa On May - 18 - 2010

Gruyere is a vulnerable application which can be used to learn and understand web vulnerabilities. Detailed documentation is provided on the type of the vulnerabilities present in the application and ways to exploits it.

Update: Jarlsberg is now Gruyere

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you’ll learn the following:

  • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
  • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

Documentation Here

Jarlsberg - Hosted Vulnerable App

Read the rest of this entry »

Code, Tutorials

XSS Made Simple- Flash Animation

Posted by rajivvishwa On March - 26 - 2009

CrossSite Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.” – OWASP

Understanding XSS or to make one understand it ain’t easy. Too much of theory will confuse the person rather than helping him out. The best way of explaining it!; through flash animations and that is how virtualforge guys have done. This animation is intended for both a layman and a security analyst.

They have published two set of flash applications which demonstrates XSS. Here cookie theft and file access are demonstrated.

Screenshot
XSS Animation Screenshot

Check the following links

Example 1 : Car Auction

http://www.virtualforge.de/vmovie/xss_lesson_1/xss_selling_platform_v1.0.swf

Example 2 : Online Application

http://www.virtualforge.de/vmovie/xss_lesson_2/xss_selling_platform_v2.0.swf

Read More about XSS at Wiki and OWASP

See CrossSiteRequestForgery (XSRF) in action, here.

Security, Tutorials

Subscribe RSS
Follow me on TwitterTechnoratiYoutube VidsLinkedIn ProfileDelicious

    Popular Posts

    Most Commented

    Recent Posts

    Recent Comments