DEV Community: Rahul Mishra

📱 Contact Me

📧 Write a mail

🚀 Other links

Web Application Penetration Test Checklist | Part - 01

Rahul Mishra — Sat, 10 Apr 2021 08:42:07 +0000

In this article I am going to share a checklist which you can use when you are doing a penetration test on a website, you can also use this list as a reference in bug bounties. This is beginner’s friendly list, so they can look it for reference.

Before stating the list I want to make something clear, that before you start using this list for finding bugs/vulnerabilities make sure that you have already completed the first step which is *Reconnaissance*. Otherwise you will find it hard to find bug/vulnerabilities.

You are not genius! Remember this thing, so if you don’t understand something just Google about it and so some research, I also don’t know everything and there could be things that I have missed, so don’t worry and keep learning.

General things to do

Create 2 accounts on the same website if it has login functionality. You can use this extension to use same browser for creating different accounts on the same website.
Try directory forcing using tools like Dirsearch, FeroBuster, Ffuf, might be possible some directory may reveal sensitive information.

Login page

Session expiration
Improper session validation
OAuth bypass (it includes features like login with Google, Microsoft, Instagram or any)
- OAuth token stealing
- Authentication bypass
- Privilege escalation
- SQLi

Registration page

XML file upload using SVG (if website asks for documents upload or profile upload then you can try this)
Bypassing limitation on file types to upload (if they just allow jpg, png then try to upload .php or .py)
Bypassing mobile or email verification
Brute forcing OTP sent
Try inserting XSS payload whenever possible (like If you can enter payload in first name/last name/address etc text box makes sure to enter because sometimes it may reflects somewhere else or maybe it’s stored XSS).

Forgot password page

Password reset poisoning (kind of similar way we do host header injection)
Reset token/link expiring (maybe they pay)
Reset token leaks (this can happen when some website interacts to third party services at that point of time maybe password reset token is sent via referrer part and maybe it can leak)
Check for sub-domain takeover.
Check for older version of service is being used by your target and if they so try to find existing exploit for the target.

So this was all about some basic things to check while doing penetration test on a website or in a bug bounty program. Hope you liked it and learned something new from it.

If you have any doubt, question, quires related to this topic or just want to share something with me, than please feel free to contact me.

🖥 My personal blog

📱 Contact Me

📧 Write a mail

🚀 Other links

Amass: A Beginner's Guide For Reconnaissance

Rahul Mishra — Sun, 28 Mar 2021 07:33:23 +0000

In this article we will see how to use a tool named “amass” which is used for reconnaissance when doing website penetration testing or bug bounty. This tool is used to list sub-domains related to the target domain.

This is not a complete guide for the amass tool, but instead this is an introduction to the reconnaissance using amass. Amass github

Introduction

Amass is an open source network mapping and attack surface discovery tool that uses information gathering and other techniques such as active reconnaissance and external asset discovery to scrap all the available data.
In order to accomplish this, it uses its own internal machinery and it also integrates smoothly with different external services to increase its results, efficiency and power.
This tool maintains a strong focus on DNS, HTTP and SSL/TLS data discovering and scrapping. Installation
To install this tool you can use the official package manager of kali Linux, and use this command sudo apt-get install amass
And if you are on Mac than use this command brew install amass

Usage

When using a new tool it is always a good habit to see the help menu or man page for that tool. So to get the help menu of this tool use this command amass -help or amass -h
Now at the end of the help menu you can see that there is a list of subcommand, with the help of these subcommand we can perform many different operations, I am not going in detail of every command rather I will just explain the most important and used subcommands of amass.

The main two subcommand that are used most are amass intel and amass enum.
To get the help for these subcommand you can use this command amass intel -help
amass intel it collects the intelligence on the target in order to determine the starting point. It give us various details such as AS number, whois record of the website. We can find AS number using amass like this amass intel –org uber.

An Autonomous System (AS) is a group of IP networks run by one or more network operators with a single, clearly defined routing policy. When exchanging exterior routing information, each AS is identified by a unique number: the Autonomous System Number (ASN). We can easily find AS number of website from this website https://bgp.he.net/
Now amass enum performs enumeration and mapping your target to determine possible attack avenues.
We can use amass enum for finding sub-domains of a website. For that we can use a command like this amass enum –d uber.com –o /root/uber.txt
In the above command “-d” is used to determine the domain name, -o is to determine the output file where we want to save our results. There are many more options available you can see that by using the help command like this amass enum -help.

So this was all about the basics of amass. Hop you like it and learned something new from it.

If you have any doubt, question, quires related to this topic or just want to share something with me, than please feel free to contact me.

🖥 My personal blog

📱 Contact Me

📧 Write a mail

🚀 Other links

CSRF & SSRF

Rahul Mishra — Sat, 27 Mar 2021 08:28:04 +0000

In this article we going to learn about CSRF and SSRF, both of these vulnerabilities take advantage of how server process URLs. These are very common and well known vulnerabilities and understanding about these vulnerabilities is very important for web application penetration testing.

First let’s get an introduction about these attacks.

CSRF:

CSRF stands for cross-site request forgery.
This vulnerability was present in OWASP top 10 list, but was removed after in the edition came after 2017.
This vulnerability is still present in 5% of the web applications.
CSRF happen at the client side, in technical terms the forgery happens at the client side.
The main purpose of CSRF attacks is to force user to take undesirable actions on their online account.
Suppose we have a website named example.com and we are logged in to that website, in this case there will be some cookies that will be stored and these cookies will be use when we make some request to the website to perform some action. Now what happens in CSRF a malicious website can perform the same action using cookies related to the example.com. And this could happen if somehow we visit that malicious website or click on the URL of that website.
There are many actions that could be performed on a website using this vulnerability such as changing the password or making online transactions. The action is highly depends on the nature and use case of that website.
CSRF attacks work because the user is already authenticated to the target website and the forced request includes the cookies containing session information.
Standard CSRF attacks assume that a user is already authenticated to a website, but CSRF attacks can also be stored.

SSRF

SSRF stands for server-side request forgery.
SSRF attacks are designed to exploit how a server processes external information.
If an attacker can modify the target URL, they can potentially exfilterate sensitive information from the website or inject untrusted input into it.
Suppose we have a website named example.com, it uses an API to fetch some data from the web server. If we make a request to localhost/admin and get the response than this is a serious problem.
If we can access the admin panel using the localhost than we do not need to authenticate to use admin panel, because here server is making a request to the localhost to access the /admin page and it is displaying the result on the client side.
The vulnerability associated with SSRF vulnerabilities is not limited to data exfiltration. In some cases application may be designed to read data from URL. If this URL is trusted, the application may not perform data validation. This could allow an attacker to provide malicious input that could exploit a buffer overflow, integer overflow, SQL injection or other vulnerability in the web application.
The impact of SSRF vulnerability can be significant. A recent example of an attack exploiting SSRF (and the difficulty of protecting against it) is the Capital One data breach, which expose the personal information of 106 million people.

Difference between CSRF and SSRF:

Both CSRF and SSRF vulnerabilities take advantage of how a web server handles URLs. However, they differ on the bases of target of the attack and purpose of the attack.

Attack Target

The target of a CSRF attack is the user. While it accomplished suing flaws in how the website is designed, its purpose is to perform legitimate but unauthorized actions on the user’s account with the web-based service.
SSRF on the other hand is designed to primarily target the server. While, in the long run, the attack may affect users of the service, the primary purpose of the attack is theft of sensitive information on the server or exploiting other vulnerabilities by using SSRF to bypass input validation countermeasures.

Attack purpose

In the case of SSRF, the primary purpose of the attack is to gain access to sensitive information/data. This could be performed directly (by forcing it to write data to an attacker-supplied URL) or indirectly (by allowing exploitation of a vulnerability that can be used to steal data).
CSRF vulnerabilities, on the other hand, do not provide an attacker with any access to sensitive data. While the attacker forces a user’s browser to visit the target site, the actual request and response are performed independently. Even if the attack results in sensitive data being sent in response to the malicious request, this data only goes to the target user’s computer, not the attacker’s. The purpose of exploiting CSRF vulnerability is to force the target user to take action in the attacker’s interest, like changing an account password to one known to the attacker.

Conclusion:

While CSRF and SSRF vulnerabilities are very different, they both enable by the same problem “a failure to properly use URLs by the server.” When looking for potential vulnerabilities in a website, examining how the website uses URLs and the types, formats and destination of request made to or by it can help in identification of these vulnerabilities.

So this was all about CSRF and SSRF. Hope you liked it and learned something new from it.

If you have any doubt, question, quires related to this article or just want to share something with me, than please feel free to contact me.

🖥 My personal blog

📱 Contact Me

📧 Write a mail

🚀 Other links

File Encrypter and Decrypter

Rahul Mishra — Mon, 08 Mar 2021 12:08:22 +0000

In this article I am going to show you how to make a command line tool that will encrypt a file or decrypt a file. This command line tool is going to be a shell script.

Before diving into the development phase let’s clear some concepts and terminologies.

What is encryption?
Encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting human-readable plaintext to incomprehensible text, also known as ciphertext. In simple terms, encryption takes readable data and alters it so that it appears random. Encryption requires the use of a cryptographic key. It is a set of mathematical values that both the sender and the recipient of an encrypted message agree on.

What is decryption?
The conversion of encrypted data into its original form is called decryption. It is generally a reverse process of encryption. It decodes the encrypted information so that an authorized user can only decrypt the data because decryption requires a secret key or password.

Now that you have a basic understanding of encryption and decryption, the image of this project is becoming clear, but now you want to know that how will we do this. So for that we will be using GPG, and you will be thinking that what this GPG is.
GPG or GnuPG, stands for GNU Privacy Guard. GPG is a different implementation of the open PGP standard and a strong alternative to Symantec’s official PGP software.
GPG is defined by RFC 4880 (the official name for the Open GPG standard.) The GPG project provides the tools and libraries to allow users to integrate encryption with emails and operating systems like Linux. GPG can open and decrypt files encrypted by PGP or open PGP, meaning it works well with other products.

Enough theory let’s start coding our file encrypter and decrypter.

Step one make a shell script file using touch command and give whatever name you want to give it. I am giving it encrypt.sh
```
touch encrypt.sh
```
Make sure to make changes in the file permissions so that you can execute this shell script file, you can do it like this
```
chmod 744 encrypt.sh
```
Now start coding the script. First prompt a message to the user and ask what they want to do encrypt or decrypt.
```
echo "File encrypter/decrypter"

echo "Please select what you want to do"

choise="Encrypt Decrypt"
```
Then we will use a select statement and make a decision on the basic of input
```
select option in $choise; 
do
    # Code will come here
done
```
Then use if-else statement and perform encryption or decryption.

If user entered 1 than write the logic of encrypting a file, if user enter 2 than write the logic to decrypt the file and if the user enter something other than this, that prompt an error.
So the code for it will be like this.

if [ $REPLY = 1 ];
then 
    echo "You have selected Encryption"
    echo "Please enter the name of the file (including extension)"
    read file;
    gpg -c $file
    echo "File is encrypted"
    break

elif [ $REPLY = 2 ]
then 
    echo "You have selected Decryption"
    echo "Please enter the name of the file (including extension)"
    read file2;
    gpg -d $file2
    echo "File is decrypted"
    break

else
    echo "You have selected invalid option"
fi

The code for file encryption and decryption completed. You can also see the complete code here

So this was all about file encrypter and decrypter. Hope you liked it and learned something new from it.

If you have any doubt, question, quires related to this article or just want to share something with me, than please feel free to contact me.

🖥 My personal blog

📱 Contact Me

📧 Write a mail

🚀 Other links

Thrashing | Operating System - M05 P16

Rahul Mishra — Thu, 31 Dec 2020 11:13:32 +0000

This is a multipart blog article series, and in this series I am going to explain you the concepts of operating system. This article series is divided into multiple modules and this is the fifth module which consists of 26 articles.

In this article we will see that what is thrashing? Why it is used and what are the problems thrashing has and also how can be solve those problems.

Thrashing

We divide process into multiple pages and load them in RAM. Our main focus is to increase degree of multiprogramming so CPU utilization can also increase.
One way to do this is we can load one page of every process in RAM so degree of multiprogramming would be highest.
But there is a problem with this approach that suppose CPU request a page from P1 process which is not present in RAM than it will be termed as page fault and there could be a worst case scenario that RAM is full with different pages of different processes but CPU call a page which is not present in RAM.
In this scenario to recover from page fault a large amount of time is required, and during that time CUP utilization will also decrease.

When the system is recovering from page fault and CPU utilization is less that is known as thrashing.
We can remove thrashing when we use long term scheduler.

So this was all about thrashing. Hope you liked it and learned something new from it.

If you have any doubt, question, quires related to this article or just want to share something with me, than please feel free to contact me.

📱 Contact Me

📧 Write a mail

🚀 Other links

Question on Inverted Paging | Operating System - M05 P15

Rahul Mishra — Wed, 30 Dec 2020 12:40:58 +0000

In this article we will see a question on inverted paging and try to understand the concept of inverted paging.

Question: Consider a virtual address space of 32 bits and page size of 4 KB, system is having a RAM of 128 KB. Than what will be the ratio of page table and inverted page table size, if each entry in both is of size 4 B?

Answer: Virtual address space = 32 bits

Page size = 4 KB = 2² x 2¹⁰ = 2¹²

Therefore, Number of page = 2²⁰

Number of page bits = 20

Size of page table = 2²⁰ x 4 B

In inverted paging table number of entries = number frames in main memory

Physical address = 128 KB = 2⁷ x 2¹⁰ = 2¹⁷

Frame offset = Page offset

Therefore, number of frames in main memory = 2⁵

Size of inverted page table = 2⁵ x 4 B

Therefore, according to the question

2²⁰ x 4 B/ 2⁵ x 4 B = 2¹⁵:1

So this was a simple question on inverted paging. Hope you liked it and learned something new from it.

If you have any doubt, questions, quires related to this article or just want to share something with me, than please feel free to contact me.

📱 Contact Me

📧 Write a mail

🚀 Other links

Inverted Paging | Operating System - M05 P14

Rahul Mishra — Tue, 29 Dec 2020 12:53:45 +0000

In this article we will see about inverted paging, we will see that what is the need of inverted paging and why it is used.

Inverted paging

In normal paging each process has its own page table and page table is present in main memory.
So some place in main memory is used to store the page table and it is not good.
In inverted paging instead of making page table for every process we make a global page table.
Number of entries in global page table will be equal to total number of frame number in main memory.
There is a problem in inverted paging that its searching time is more.
While it uses less memory than normal paging because of the use of global page table.

So this was a brief description about inverted paging. Hope you liked it and learned something new form it.

If you have any doubt, question, quires related to this topic article or just want to share something with me, than please feel free to contact me.

📱 Contact Me

📧 Write a mail

🚀 Other links

2-Level Paging | Operating System - M05 P13

Rahul Mishra — Mon, 28 Dec 2020 12:11:16 +0000

In this article we will see what 2 level paging is, and with the help of a question we will try to understand the need of 2 level paging.

2-level paging

Suppose the size of page table is greater than that of frame table, so it cannot fit in frame that’s why we use multiple page tables.
Because it divides the page table in smaller parts which can get fit in frame table.

Let’s see an example to get better understanding of the topic.

Question: Physical address space = 256 MB = 228, logical address space = 4 GB, frame size = 4 KB = 212, page table entry = 2 B. Solve and find that whether outer page table is required or not.

Answer: As we know that frame number = physical address space – frame size

Frame number = 228 – 212 = 216

Size of page table = 210 x 2 = 2 MB

Size of frame and page is not equal. So, we have to divide page into smaller parts.

Therefore,
2 MB/ 4 KB = 221/212 = 29

Now we will make another page table and it will be known as outer page table, which will have 29 entries.

Total size of outer page table = 29 x 2 B = 1 KB

So this was all about 2 level paging, I tries to explain you the concept with the help of a question. Hope you liked it and learned something new from it.

If you have any doubt, question, quires related to this article or just want to share something with me, than please feel free to contact me.

📱 Contact Me

📧 Write a mail

🚀 Other links

Page Table Entry | Operating System - M05 P12

Rahul Mishra — Sat, 26 Dec 2020 13:52:43 +0000

In this article we will see that what is present inside a page table. We will discuss about all the different fields present in page table briefly.

Page table entry

In the page table in one row there are many things/details that are placed/ situated.
We use page table because by the help of page table MMU (Memory management unit) maps the logical address into physical address.

Frame No.:
- At this place frame number is written.
- One or multiple frames can reside in a frame, so when we want to map frame, fame number is used.
Valid/invalid:
- Suppose we are finding a page so we go to frame number, this section tell us that whether the page is actually present or not at the frame number. If not than 0 will be written there.
- It can happen we are using the concept of virtual memory.
Protection:
- (rwx) r-> read, w-> write, x-> execute.
- This section will tell us that the file is protected or not and what type of permission is given to the user who is trying to access the file.
Reference:
- We generally do swap-in swap-out of pages from main-memory. So here, we have to tell that whether in past does this page came in the memory or not.
- When the page is coming first time in the memory than at this place 0 will be written.
Cashing:
- It contains a value of enable and disable which means that if we want to enable or disable cashing.
- When a data is being called multiple times, than we will place that in cash due to which less time will be required to execute that process.
- But this is not valid at every place such as while doing transactions.
Dirty/modify:
- By the help of dirty we can check that whether the page is modified or not. So by it we can easily and effetely update the hard disk when data is changed.

So this was all about page table classification. Hope you liked it and learned something new from it.

If you have any doubt, question, quires related to this article or just want to share something with me, than please feel free to contact me.

📱 Contact Me

📧 Write a mail

🚀 Other links

Question on Logical Address & Physical Address | Operating System - M05 P11

Rahul Mishra — Fri, 25 Dec 2020 14:52:35 +0000

In this article we will see a question on logical address and physical address space, to understand the concept of paging in operating system.

Question: Consider a system which has LA = 7 bits, PA = 6 bits, page size = 8 words, then calculate number of pages and number of frames.

Answer: Total bits of LA = 7 bits, which means it is equal to 2⁷

The page size = 8 words which means 2³ so we can say it is of 3 bits

Therefore, Page No. = 4 which we can say is 2⁴ and then total number of pages = 2⁴ = 16

While total number of bits required to respond total number of page = 4 bits.

PA = 6 bits, total size of PA = 2⁶ = 64

Now, we know that frame offset = Page offset

Number of frames = 2³ = 8

Total number of entries in page table = number of pages

Total number of entries = 16

Total size of page table = 24 x 8

So, this was a simple question on logical address and physical address space. Hope you liked it and learned something new from it.

If you have a doubt, question, quires related to this article or just want to share something with me, than please feel free to contact me.

📱 Contact Me

📧 Write a mail

🚀 Other links