Applications where information is being sent to third parties, such as endpoints from shopping portal to payment gateway information, such as credit card details, the information is encrypted by a mutually agreed upon key. An automated scanner will not be able to scan such instances. If any endpoint is left exposed accidentally by the application, then by manual analysis, the pentester can test these cryptographic parameters for vulnerabilities.
Pentesting cryptographic parameters
by Riyaz Ahemed Walikar, Dhruv Shah, Carlos A. Lozano
Hands-On Application Penetration Testing with Burp Suite
- Title Page
- Copyright and Credits
- Contributors
- About Packt
- Preface
- Configuring Burp Suite
- Configuring the Client and Setting Up Mobile Devices
- Setting up Firefox to work with Burp Suite (HTTP and HTTPS)
- Setting up Chrome to work with Burp Suite (HTTP and HTTPS)
- Setting up Internet Explorer to work with Burp Suite (HTTP and HTTPS)
- Additional browser add-ons that can be used to manage proxy settings
- Setting system-wide proxy for non-proxy-aware clients
- Setting up Android to work with Burp Suite
- Setting up iOS to work with Burp Suite
- Summary
- Executing an Application Penetration Test
- Exploring the Stages of an Application Penetration Test
- Preparing for an Application Penetration Test
- Identifying Vulnerabilities Using Burp Suite
- Detecting Vulnerabilities Using Burp Suite
- Exploiting Vulnerabilities Using Burp Suite - Part 1
- Data exfiltration via a blind Boolean-based SQL injection
- Executing OS commands using an SQL injection
- Executing an out-of-band command injection
- Stealing session credentials using XSS
- Taking control of the user's browser using XSS
- Extracting server files using XXE vulnerabilities
- Performing out-of-data extraction using XXE and Burp Suite collaborator
- Exploiting SSTI vulnerabilities to execute server commands
- Summary
- Exploiting Vulnerabilities Using Burp Suite - Part 2
- Using SSRF/XSPA to perform internal port scans
- Using SSRF/XSPA to extract data from internal machines
- Extracting data using Insecure Direct Object Reference (IDOR) flaws
- Exploiting security misconfigurations
- Using insecure deserialization to execute OS commands
- Exploiting crypto vulnerabilities
- Brute forcing HTTP basic authentication
- Brute forcing forms
- Bypassing file upload restrictions
- Summary
- Writing Burp Suite Extensions
- Breaking the Authentication for a Large Online Retailer
- Exploiting and Exfiltrating Data from a Large Shipping Corporation
- Other Books You May Enjoy
Pentesting cryptographic parameters
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.