Posts

Showing posts from February, 2017

Daily Learning - Day 25

Date: 25th February 2017

Below are the topics I learnt today. Follow Hashtag: #SKC100DaysofLearning

Topic 1: Security - Find the Technology Components Used in a Web Application

Are you interested to know which websites use a certain technology? Wappalyzer is a browser extension that uncovers the technologies used on websites. It detects content management systems, eCommerce platforms, web servers, JavaScript frameworks, analytics tools and many more. Install this on your web browser: https://wappalyzer.com/download

Topic 2: Security - Massive Bug May Have Leaked User Data From Millions of Sites. So … Change Your Passwords

The internet infrastructure company Cloudflare, which provides a variety of performance and security services to millions of websites, revealed late Thursday that a bug had caused it to randomly leak potentially sensitive customer data across the internet. The bug is called "CloudBleed".

Lessons L

Daily Learning - Day 24

Date: 22nd February 2017

Below are the topics I learnt today.

Topic 1: Security - User Supplied Input-Data on URL

When you are testing a website, take any URL, add some characters to it and check what happens. You may see errors from the application or from the web server.

Note: An error from the web server could share information about your server.

Topic 2: Security - User Supplied Input-Data for Login

Consider a logon screen that asks for a username and password. If the application returns one error message for an incorrect username and another message for an incorrect password, the attacker can tell which of the two he has guessed. The danger is that the attacker now knows that he has a correct username. His next step is to crack the password.

Topic 3: Non-Tech: Apology

There are 6 kinds of apologies.

"It's Regretful that.." - It doesn't require you to admit you did wrong. You're just so

Daily Learning - Day 23

Date: 21st February 2017

Below are the topics I learnt today.

Topic 1: HTTPS -- But NOT Completely

If you are testing a website and the Chrome browser says "Secured", don't assume it is completely secured.

Exercise: Visit the website https://threatpost.com. It is HTTPS and shows the Secured padlock in the Chrome browser. But the icons below (Twitter, Facebook etc.) are actually not HTTPS URLs.

Note: Everything should be in HTTPS to be secured completely.

Daily Learning - Day 22

Date: 20th February 2017

Below are the topics I learnt today.

Topic 1: Basics of testing

There are two kinds of bugs which I had never heard of before.

Latent Bugs: A bug that was not identified in past versions of the software application. Latent bugs are dormant or hidden. These bugs are not found until one or more releases of the product.

Golden Bugs: A bug that occurs in every instance of the application, with high severity and high priority. Golden bugs may affect the critical functionality of the system.

Topic 2: Task Management

Started using a task management Chrome application, "TickTick", to track my learning tasks.

Daily Learning - Day 21

Date: 19th February 2017

Below are the topics I learnt today.

Topic 1: Did a Course on the "Fiddler" Tool

Course: https://www.pluralsight.com/courses/fiddler

Why did I do this course?
To understand what happens between a client browser and a web server.
To use the tool as a base to capture the website and know about Request Headers, Response Headers, Status Codes and Source Code.
For security testing: changing the cookies and data and executing, to see if the application allows it or not.
Finally, to learn one tool so that I can use it anytime.

Topic 2: Is Your Website Secured? - Line of Death in Browser

Even if the form submits over SSL, loading the form without SSL means it can be modified by somebody before it's submitted. The "jetairways.com" website asks users to provide sensitive info whilst the browser warns them about their security.

Topic 3: Basics before testing

The learning about: How World Wide Web Ca

Daily Learning - Day 20

Date: 18th February 2017

Below are the topics I learnt today.

Topic 1: How to Encode a Script using Notepad++

Enter the script in Notepad++.
Then navigate to Plugins -> MIME Tools.
Then select FULL URL Encode or URL Encode.
This will encode the script.

Topic 2: Exploratory Testing with Test & Feedback Chrome Extension

Visit: https://marketplace.visualstudio.com/items?itemName=ms.vss-exploratorytesting-web

Now everyone on the team can own quality. Capture findings, create issues, and collaborate with the team, directly from the browser on any platform: Windows, Mac, or Linux. Available for Google Chrome and Mozilla Firefox (required version 50.0 or above).

I have used the Chrome extension, although it takes time to understand. We can use it, export the report and attach the HTML file.

Topic 3: Line of Death in Browser

Learn about the "Line of Death" in the browser window. https://textslashplain.co

Daily Learning - Day 19

Date: 16th February 2017

Below are the topics I learnt today.

Topic 1: Read about Yahoo's Another Security Breach

This week, Yahoo sent another wave of emails to users warning their accounts may have been breached as recently as last year. A flaw in Yahoo's mail service could have allowed a hacker to use a forged "cookie" created by software stolen from within Yahoo's systems to access accounts without a password.

Read more: http://www.wired.co.uk/article/yahoo-verizon-deal

Topic 2: Fiddler Exercise on Composer Tab

Use the Fiddler Composer option to drag and drop the session from the view panel.

Delete the cookie and execute the POST method.
Test: Whether you can still access the application or not.
Expected: It should send a 302 Error and session expiry.

Copy Cookie 1 to Cookie 2 and execute the GET method.
Test: Whether you can still access the application or not.
Expected: The session should expire and application

Daily Learning - Day 18

Date: 15th February 2017

Below are the topics I learnt today.

Topic 1: Knowing about the IP Address of a Client Website

We always try to know the IP address of our local machine. But we can also get to know the IP address of a client website. Two options:

Using Ping from the Command Line Interface
Navigation: Windows + R = Run, then type CMD and press Enter for the console, then type "ping google.com".
It displays: Replying from the IP address of the website.

Using Chrome Extension - Shodan
https://chrome.google.com/webstore/detail/shodan/jjalcfnidlmpjhdfepjhjbhnhkbgleap
The Shodan plugin tells you where the website is hosted (country, city), who owns the IP and what other services/ports are open.
Complete host details can be viewed from: https://www.shodan.io/host/208.80.153.224

Topic 2: Knowing about the Rise and Fall of an Airlines Company - PEOPLExpress

Rise & Fall of PEOPLExpress: http://avstop.com/History/HistoryOfAirlines/peoplexpress.htm

Daily Learning - Day 17

Date: 8th February 2017

Below are the topics I learnt today.

Topic: Examining web requests and responses

I had three options for this topic.
1. Chrome / IE Web Developer Tools
2. Addons - Chris Pederick's Web Developer Tool, Firebug
3. Fiddler

I was already familiar with the 1st and 2nd options. Then...

Getting Started with Fiddler. The Fiddler tool is developed by Eric Lawrence.

What is HTTP and Status Codes
What is Fiddler and How to use Fiddler
Download: http://www.telerik.com/download/fiddler
Installing Fiddler: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/InstallFiddler
Configuring Browser for Fiddler: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureBrowsers#ie-chrome-safari-and-opera
Basic exercises on examining the web requests and responses and understanding them.
Observing the Web Requests and Responses: http://docs.telerik.com/fiddler/Observe-Traffic/Tasks/CaptureWebTraffic

Daily Learning - Day 16

Date: 7th February 2017

Below are the topics I learnt today.

Topic 1: Email Server Test

Today, I saw an interesting email address. It looks like: support@tv&s.com

I was sure it would not work, as I remember reading RFC 2822 Internet Message Format 3 years ago.
Reference: https://tools.ietf.org/html/rfc2822

Still, I thought to test the email server. I used a free online email server test. (There is no specific reason for choosing this tool - Google has provided it.)
Reference: https://www.ultratools.com/tools/emailTest

Entered the email address and sent it for checking. Then tried another valid email address, and it looks like this.

Note: If someone provides an SMTP email address, make sure you test it without sending an email.

Daily Learning - Day 15

Date: 6th February 2017

Below are the topics I learnt today.

Topic 1: Inspecting the Web Page

There are free tools, available without a separate installation, to inspect the webpage code, step through the code and view network traffic between the web server and the client (browser): install the browsers on your machine and access the Web Developer Tools via F12, or Settings/Tools -> Developer Tools.

Exercise: The mail snippet below is from Amazon.in and it is a promotion email of Store-News.
For the Amazon.in company logo, it shows Alt Text="Amazon.ca". When the logo is selected, it redirects to the "amazon.in" website.
Likewise, for the Amazon.in company logo, it shows Alt Text="Junglee.com". When the logo is selected, it redirects to the "amazon.in" website.

Lesson Learnt: Alt texts should indicate the image correctly.

Topic 2: Analyse your Server HTTP Headers

There is a web application developed by Scott Helm