Learning Something New: 06/08/2018

What have I enjoyed today?

1. Took a new approach to test a case at work. Found defects in the application.
--------------------------------------------------------------------------------------------------
2. Started learning about Web Application Security Testing
--------------------------------------------------------------------------------------------------

What have I learned today?

1. Started learning about a tool: Burp Suite. Lessons from @SunnyWear.
2. What is meant by a proxy?
3. How the Burp Suite tool sits between the browser and the application.
--------------------------------------------------------------------------------------------------
1. Task: Configuring the browser to use Burp Suite as a local proxy.
2. Task: Did an automated web spidering of a website using Burp Suite.
3. Task: Reviewing the site map generated by Burp Suite.
4. Task: Reviewing the content the site map has discovered.



Learning Something New: 20/07/2018

Allow nothing or no one to slow your pace or affect your energy; stay consistently flowing, forever growing.

Subject: Java Fundamentals

Topics:
  1. Arithmetic Operators
    • Basic Operators: + - * / %
    • Prefix/Postfix Operators:  ++  --
    • Compound Assignment Operators:  +=  -=   /=   *=   %=
  2. Basic Operators Example:
 public class BasicOperators {
      public static void main(String[] args) {
           /**
            * Floating Point Examples
            */
           //Addition of two variables
           float valAddA = 1.0f;
           float valAddB = 2.0f;
           System.out.println("valAddA + valAddB: " + (valAddA + valAddB));
           //Subtraction of two variables
           float valSubA = 5.0f;
           float valSubB = 4.0f;
           System.out.println("valSubA - valSubB: " + (valSubA - valSubB));
           //Multiplication of two variables
           float valMulA = 4.0f;
           float valMulB = 2.0f;
           System.out.println("valMulA * valMulB: " + (valMulA * valMulB));
           //Division of two variables
           float valDivA = 13.0f;
           float valDivB = 5.0f;
           System.out.println("ValDivA / ValDivB: " + (valDivA / valDivB));
           //Modulus of two variables
           float valModA = 13.0f;
           float valModB = 5.0f;
           System.out.println("valModA % valModB: " + (valModA % valModB));
           /**
            * Integer Examples
            */
           //Addition of two variables
           int valAddAB = 1;
           int valAddBA = 2;
           System.out.println("valAddAB + valAddBA: " + (valAddAB + valAddBA));
           //Subtraction of two variables (note: declared as float, so the result prints as 1.0, not 1)
           float valSubAB = 5;
           float valSubBA = 4;
           System.out.println("valSubAB - valSubBA: " + (valSubAB - valSubBA));
           //Multiplication of two variables
           int valMulAB = 4;
           int valMulBA = 2;
           System.out.println("valMulAB * valMulBA: " + (valMulAB * valMulBA));
           //Division of two variables (integer division truncates, so 13 / 5 gives 2)
           int valDivAB = 13;
           int valDivBA = 5;
           System.out.println("ValDivAB / ValDivBA: " + (valDivAB / valDivBA));
           //Modulus of two variables
           int valModAB = 13;
           int valModBA = 5;
           System.out.println("valModAB % valModBA: " + (valModAB % valModBA));
      }
 }

Output:
valAddA + valAddB: 3.0
valSubA - valSubB: 1.0
valMulA * valMulB: 8.0
ValDivA / ValDivB: 2.6
valModA % valModB: 3.0
valAddAB + valAddBA: 3
valSubAB - valSubBA: 1.0
valMulAB * valMulBA: 8
ValDivAB / ValDivBA: 2
valModAB % valModBA: 3
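The BasicOperators class above only exercises the basic operators. The following is an added example, not code from the original post, covering the prefix/postfix and compound assignment operators listed under Topics, and showing why the integer and floating-point division results above differ (2 versus 2.6). The class and method names are my own.

```java
public class OperatorDetails {

    // Postfix (i++) yields the old value of i; prefix (++i) yields the new one.
    static int[] prefixPostfix() {
        int i = 5;
        int post = i++;   // post receives 5, then i becomes 6
        int pre = ++i;    // i becomes 7 first, then pre receives 7
        return new int[] {post, pre, i};
    }

    // Compound assignment carries an implicit cast back to the left-hand type,
    // which is why "b += 10" compiles while "b = b + 10" does not for a byte.
    static byte compoundNarrowing() {
        byte b = 120;
        // b = b + 10;   // compile error: int result cannot be assigned to byte
        b += 10;         // compiles; 130 does not fit in a byte, so the value wraps around
        return b;
    }

    // Integer division truncates toward zero, and the remainder takes the sign of
    // the dividend; floating-point division keeps the fractional part.
    static String divisionAndModulus() {
        int a = 13, b = 5;
        float fa = 13.0f, fb = 5.0f;
        return "int 13/5=" + (a / b)
             + " float 13/5=" + (fa / fb)
             + " -13/5=" + (-13 / 5)
             + " -13%5=" + (-13 % 5)
             + " 13%-5=" + (13 % -5);
    }

    public static void main(String[] args) {
        int[] r = prefixPostfix();
        System.out.println("post=" + r[0] + " pre=" + r[1] + " i=" + r[2]);
        System.out.println("byte after += 10: " + compoundNarrowing());
        System.out.println(divisionAndModulus());

        // Division by zero behaves differently for the two families of types:
        // floating point produces Infinity, integer division throws.
        int zero = 0;
        System.out.println("13.0f / 0 = " + (13.0f / zero));
        try {
            System.out.println("13 / 0 = " + (13 / zero));
        } catch (ArithmeticException e) {
            System.out.println("int 13 / 0 threw ArithmeticException: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac OperatorDetails.java && java OperatorDetails`. The narrowing behaviour of `+=` is worth remembering in security-sensitive code: a length or counter kept in a small type can silently wrap under compound assignment without any compiler complaint.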



Subject: Web Application Security

Topics:

  1. OWASP #6: Unvalidated Redirects and Forwards
    • Example: an attacker sends you a link with a malicious site embedded in the URL as the redirect target.
    • www.mysite.com/login?page=www.hackersite.co.au
    • You might follow the link and, after logging in, keep using the web application without looking at the URL or at the page you were redirected to, because hackersite.co.au is made to resemble mysite.com.
    • This is also referred to as an open redirect vulnerability.
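The fix for the open redirect above is to validate the `page` parameter on the server before issuing the redirect. The following is an added example, not code from the original post or from any particular framework: a validator using `java.net.URI` that accepts only relative paths on the application's own origin or absolute HTTPS URLs whose host is on an allow list, and returns a safe default for everything else. The allowed hosts and the sample inputs are constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class RedirectCheck {

    // Hosts the application may redirect to (constructed for this example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.mysite.com", "mysite.com");

    // The vulnerable pattern is simply "Location: " + request.getParameter("page").
    // This hardened version returns either a vetted target or the fallback.
    static String safeTarget(String page, String fallback) {
        if (page == null || page.isEmpty()) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(page);
        } catch (URISyntaxException e) {
            return fallback;            // unparsable input is never used as a redirect
        }
        String path = uri.getRawPath();
        // Case 1: a site-relative path. No scheme, no authority, exactly one leading slash
        // (a "//host/path" value is protocol-relative and would leave the site).
        if (uri.getScheme() == null && uri.getRawAuthority() == null
                && path != null && path.startsWith("/") && !path.startsWith("//")) {
            return uri.toString();
        }
        // Case 2: an absolute URL. Require https and a host on the allow list; getHost()
        // already separates any userinfo, so "https://www.mysite.com@evil/" is judged by "evil".
        if ("https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            return uri.toString();
        }
        return fallback;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two should pass, the rest should fall back to /home.
        String[] samples = {
            "/account",
            "https://www.mysite.com/account",
            "www.hackersite.co.au",                     // the page's own example value
            "https://hackersite.co.au/login",           // foreign host
            "//hackersite.co.au/login",                 // protocol-relative URL
            "https://www.mysite.com@hackersite.co.au/"  // allowed host placed in userinfo
        };
        for (String s : samples) {
            System.out.printf("%-44s -> %s%n", s, safeTarget(s, "/home"));
        }
    }
}
```

The general lesson is that a redirect target is untrusted input like any other: parse it with a real URL parser rather than string prefix checks, and decide by allow list rather than by trying to spot "bad" values. When the set of legitimate destinations is small, an even simpler design is to pass an index or key instead of a URL and look the real destination up on the server.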


Learning Something New: 19/07/2018


An investment in knowledge pays the best interest.




Subject: Web Testing 101 - How to test World Wide Web

Topics:
  1. HTML <input> readonly Attribute
The readonly attribute is a boolean attribute.

When present, it specifies that an input field is read-only.

A read-only input field cannot be modified by typing (however, a user can tab to it, highlight it, and copy the text from it).

The readonly attribute can be set to keep a user from changing the value until some other condition has been met (like selecting a checkbox). JavaScript can then remove the readonly attribute and make the input field editable.

 <!DOCTYPE html>
 <html>
 <body>
 <form action="/action_page.php">
  Email: <input type="text" name="email"><br>
  Country: <input type="text" name="country" value="Norway" readonly="readonly"><br>
  <input type="submit" value="Submit">
 </form>
 </body>
 </html>


When an application shows a field with the read-only attribute, perform the steps below.

a. Open the Chrome developer tools.
b. Right-click on the field you want to test and click "Inspect".
c. In the developer tools panel, you will now see the HTML for that field highlighted.
d. Right-click on that highlighted text and choose "Edit as HTML". An editable text window will open up.
e. If you see text such as readonly="readonly", delete the attribute.
f. Click away from the editable text window and see if the field is now editable.
g. If it is, update the value, submit the form and see what happens in the database.

A note on security: it is important to remember that even when the readonly attribute is used, you should never trust user input, and that includes form submissions. The attribute can still be removed with Firebug, the DOM inspector, etc., or the user can simply send the HTTP request without using a browser at all.
Check whether both client-side and server-side validation are in place.
Alternatively, render the value (such as the email address) as plain text rather than as an input field.
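What the server side of that note looks like in practice, as an added example that is not code from the original post: a handler for the form above that validates the email on the server and takes the country from the stored account record rather than from the request, so removing the readonly attribute (or sending the request without a browser) changes nothing. The account data, parameter map and class names are constructed for this example; a real handler would read the record from the database and the parameters from the HTTP request.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class ProfileUpdate {

    // Conservative shape check for an e-mail address (a real deployment would
    // usually use a library validator; this is enough to show server-side validation).
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    // Stored record for the logged-in user (constructed; would come from the database).
    static final class Account {
        final String email;
        final String country;   // shown read-only in the form, never user-editable
        Account(String email, String country) { this.email = email; this.country = country; }
    }

    // Outcome of a submission: the record to store, or the reason the request was rejected.
    static final class Result {
        final Account account;
        final String error;
        Result(Account a, String e) { account = a; error = e; }
    }

    // Handles the form POST. Nothing the client sends for a read-only field is trusted.
    static Result handleSubmission(Account current, Map<String, String> params) {
        String email = params.get("email");
        if (email == null || !EMAIL.matcher(email).matches()) {
            return new Result(current, "invalid email");      // server-side validation
        }
        // The submitted "country" is ignored: the authoritative value lives on the server.
        String submittedCountry = params.get("country");
        if (submittedCountry != null && !submittedCountry.equals(current.country)) {
            // A field the UI never lets the user change arrived modified; this is worth
            // logging, because it only happens when the request was tampered with.
            System.out.println("warning: read-only field 'country' was modified in the request");
        }
        return new Result(new Account(email, current.country), null);
    }

    public static void main(String[] args) {
        Account stored = new Account("old@example.com", "Norway");
        // Constructed requests: a normal submission, one with the read-only field edited,
        // and one with an e-mail value the client-side form would never have produced.
        List<Map<String, String>> requests = List.of(
            Map.of("email", "new@example.com", "country", "Norway"),
            Map.of("email", "new@example.com", "country", "Sweden"),
            Map.of("email", "not-an-address", "country", "Norway")
        );
        for (Map<String, String> p : requests) {
            Result r = handleSubmission(stored, p);
            System.out.println(p + " -> stored email=" + r.account.email
                + ", country=" + r.account.country
                + (r.error == null ? "" : ", rejected: " + r.error));
        }
    }
}
```

The design point is that the readonly attribute is a usability hint for the browser, not an access control; the server decides which fields a user may change and re-validates everything it does accept. The tampering warning is also a cheap detection signal: legitimate clients never produce it.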
