Wednesday, February 3, 2016

URI, URL and URN

URI: A URI ("Uniform Resource Identifier") can be further classified as a locator, a name, or both.

URL: The term "Uniform Resource Locator" (URL) refers to the subset of URIs that, in addition to identifying a resource, provide a means of locating the resource by describing its primary access mechanism (e.g., its network "location").

URN: The term "Uniform Resource Name" (URN) has been used historically to refer to both URIs under the "urn" scheme [RFC2141], which are required to remain globally unique names.

Monday, February 1, 2016

Clickjacking

On a clickjacked page the attacker loads another page over it. Users think they are clicking a visible button while they are actually performing actions on the hidden, invisible page.

Clickjacking is also known as a "UI redress attack": the attacker hijacks the user's clicks on their page and routes them to another page.

Example:
  • Tricking users into making their social networking profile information public
  • Making users follow someone on Twitter
  • Sharing links on Facebook
  • Getting likes on Facebook fan page
  • Generating illegitimate revenue from the Google AdSense program

A more practical example: a user clicks the play button to watch a movie and is sometimes redirected to another link instead; that is clickjacking.

Saturday, January 30, 2016

ZAP OWASP security testing tool

1. First I downloaded OWASP ZAP for Windows from: https://github.com/zaproxy/zaproxy/wiki/Downloads
2. Then install it; it will create a shortcut on your desktop.
3. After clicking this shortcut it will ask for the URL of the application you want to test.
4. Click on the Attack button and wait for the result.
5. After checking finishes it will list some alerts in the Alerts menu.

Here I am going to explain the meaning of the alerts and also discuss the importance of the alerts given by ZAP.

alert-1: X-Frame-Options header not set. The first question is probably what that is:
        X-Frame-Options header: it allows or disallows rendering of the document when the document is inside an iframe. The second question is what an iframe is:
        iframe: an iframe is usually used to embed another document inside the parent/current document. We can place another document inside the parent document using CSS, but that may break the CSS. That's why we use <iframe>.
When the X-Frame-Options header is set, the page is not rendered inside frames on other domains; a web page with the header set cannot be embedded as an advertisement on other sites. When the X-Frame-Options header is not set, the side effect is clickjacking.

X-Frame-Options Header Types

There are three possible values for the X-Frame-Options header:
  • DENY, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need has been identified for framing.
  • SAMEORIGIN, which only allows the current site to frame the content.
  • ALLOW-FROM uri, which permits the specified 'uri' to frame this page (e.g., ALLOW-FROM http://www.example.com). Check the limitations below: this will fail open if the browser does not support it.
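The clickjacking post above and the three header values just listed can be tied together in a small working example. The code below is an added example, not code from the original post and not ZAP's own implementation: it contains a passive check in the style of ZAP's "X-Frame-Options header not set" alert, which also flags the ALLOW-FROM fail-open caveat and the invalid forms (duplicate or comma-separated headers) that browsers ignore, and a WSGI middleware that adds the header as the defence. The sample responses, `bare_app` and every function name are constructed here.

```python
"""Added example (not from the original post, not ZAP's own code): a passive
check for X-Frame-Options in the style of ZAP's "X-Frame-Options header not
set" alert, plus a WSGI middleware that adds the header as the defence against
clickjacking. All sample responses and the app below are constructed here."""
from wsgiref.util import setup_testing_defaults

# Constructed response header lists (WSGI style: list of (name, value) pairs).
SAMPLE_RESPONSES = {
    "unset": [("Content-Type", "text/html")],
    "deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "sameorigin": [("Content-Type", "text/html"), ("x-frame-options", "sameorigin")],
    "allow_from": [("Content-Type", "text/html"),
                   ("X-Frame-Options", "ALLOW-FROM http://www.example.com")],
    "comma_list": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY, SAMEORIGIN")],
    "duplicate": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
}


def check_x_frame_options(headers):
    """Classify a response's X-Frame-Options handling.

    Returns (alert, reason); alert=True means a scanner should raise an alert,
    because browsers will either see no header or ignore an invalid one and
    the page stays frameable.
    """
    values = [v.strip() for k, v in headers if k.lower() == "x-frame-options"]
    if not values:
        return True, "header not set: any site may frame this page (clickjacking)"
    if len(values) > 1:
        return True, "header sent more than once: browsers treat it as invalid and ignore it"
    value = values[0]
    if "," in value:
        return True, "comma-separated values: treated as invalid, page stays frameable"
    parts = value.split()
    token = parts[0].upper() if parts else ""
    if token in ("DENY", "SAMEORIGIN") and len(parts) == 1:
        return False, f"{token}: framing restricted"
    if token == "ALLOW-FROM":
        # The post's caveat: unsupported browsers ignore ALLOW-FROM, so it fails open.
        return True, "ALLOW-FROM fails open in browsers that do not support it; prefer DENY or SAMEORIGIN"
    return True, f"unrecognised value {value!r}: browsers ignore it, page stays frameable"


def bare_app(environ, start_response):
    """Constructed application that sets no X-Frame-Options (the state ZAP alerts on)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body><button>Play</button></body></html>"]


def with_x_frame_options(app, value="DENY"):
    """WSGI middleware: add X-Frame-Options unless the wrapped app already set it."""
    def wrapped(environ, start_response):
        def start_response_with_header(status, response_headers, exc_info=None):
            if not any(k.lower() == "x-frame-options" for k, _ in response_headers):
                response_headers = list(response_headers) + [("X-Frame-Options", value)]
            return start_response(status, response_headers, exc_info)
        return app(environ, start_response_with_header)
    return wrapped


def response_headers_of(app, path="/"):
    """Drive a WSGI app in-process (no network) and return its response headers."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
        return lambda data: None  # WSGI requires a write() callable to be returned

    body = app(environ, start_response)
    list(body)  # consume the iterable as a server would
    if hasattr(body, "close"):
        body.close()
    return captured


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        alert, reason = check_x_frame_options(headers)
        print(f"{name:11} alert={alert!s:5} {reason}")
    print("bare app:  ", check_x_frame_options(response_headers_of(bare_app)))
    print("hardened:  ", check_x_frame_options(response_headers_of(with_x_frame_options(bare_app))))
```

Running the script prints one verdict per constructed response, then shows the same check failing on `bare_app` and passing once the middleware wraps it. The middleware defaults to DENY, matching the recommendation in the list above; pass `value="SAMEORIGIN"` if the site legitimately frames its own pages.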
alert-2: Cookie Set Without Http Only flag: