Temple University

Week X Reading Summary, Question, and recent Cyber Security News…

  1. Summarize one key point from each assigned reading…

1A. Regarding the “Burp Suite” Part #1 Basic Tools (Burp Proxy, Burp Site Map & Scope, Burp Spider) information: overall, Burp Suite is a set of software tools for security testing Internet-based applications (initially mapping target web sites, identifying vulnerabilities, and performing exploitations). The Burp Proxy tool is used for intercepting web requests such as submitted login credentials… the Burp Site Map & Scope tools are used to show a target web site’s sub-domains to help define the scope… and the Burp Spider tool is used to obtain a complete list of URLs & parameters for target web sites.

1B. Regarding the “Burp Suite” Part #2 Intruder & Repeater Tools information: the Burp Intruder tool is used to automate customized SQL injection attacks against target web apps (configured through target, positions, and payloads)… and the Burp Repeater tool is used to manually modify HTTP requests & test the responses given by web pages (playing back requests to the server).

1C. Regarding the “Burp Suite” Part #3 Sequencer, Decoder, and Composer Tools information: the Burp Sequencer tool is used to check web app session tokens for randomness… the Burp Decoder tool is used to send encoded requests… and the Burp Composer tool is used for comparison between two sets of data.
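As an added illustration of what the session-token randomness check in Burp Sequencer is measuring (example code written for this summary, not from the original post or from Burp Suite), the script below scores two constructed token generators, a hypothetical sequential counter and tokens drawn from the OS random source, by the average Shannon entropy per character position and by duplicate count. The generator names, the sample size and the scoring functions are all assumptions for the example.

```python
"""Added example, not from the original post or Burp Suite itself: a rough
version of the randomness check Burp Sequencer performs on session tokens.
Both token generators and the sample size are constructed for illustration."""
import math
import secrets
from collections import Counter


def weak_tokens(n: int) -> list[str]:
    # Hypothetical weak scheme: a sequential counter rendered as 16 hex digits.
    return [f"{i:016x}" for i in range(1000, 1000 + n)]


def strong_tokens(n: int) -> list[str]:
    # 64 bits from the OS CSPRNG, rendered as 16 hex digits.
    return [secrets.token_hex(8) for _ in range(n)]


def shannon_bits(symbols: list[str]) -> float:
    # Shannon entropy (bits) of the observed symbol distribution.
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def mean_position_entropy(tokens: list[str]) -> float:
    # Average entropy per character position across the sample; a hex digit
    # drawn uniformly at random approaches 4 bits, a fixed prefix scores 0.
    length = len(tokens[0])
    return sum(shannon_bits([t[i] for t in tokens]) for i in range(length)) / length


def duplicates(tokens: list[str]) -> int:
    # Repeated tokens in a sample are a red flag on their own.
    return len(tokens) - len(set(tokens))


if __name__ == "__main__":
    for name, sample in (("weak", weak_tokens(200)), ("strong", strong_tokens(200))):
        print(f"{name}: {mean_position_entropy(sample):.2f} bits/position, "
              f"{duplicates(sample)} duplicates")
```

The counter-based tokens score well under 1 bit per position because thirteen of their sixteen hex digits never change, while the CSPRNG tokens score close to the 4-bit maximum; Sequencer reports a comparable "effective entropy" figure, and a low score means a session token may be guessable from previously issued ones.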

1D. Regarding the “Web Application Injection Vulnerabilities” information: injection vulnerabilities (client-side submission of unexpected data inputs into SQL databases) have been widespread for over the last 10 years. Remediations that should have occurred in the past would basically make today’s global online organizations (management, coders, and technologies) more secure!

*NOTE: The free version of the Burp Suite web tools (although missing the scanner tool) is included within the latest version of Kali Linux too. Also, for more info on “Burp Suite SQL injection” from YouTube, go to the following web link…

https://www.youtube.com/results?search_query=burp+suite+sql+injection

  2. Question to classmates (facilitates discussion) from assigned reading…

Regarding ongoing “Web Application Injection Vulnerabilities”, what are some examples of current best practices to minimize these vulnerabilities?

*Answers: web app firewalls, input validation (attempts to check all possible inputs), web app security scans (Burp Suite Pro, NMAP/Zenmap, Nessus, etc.), and secure code writing training for web app developers.
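To make the "input validation" and "secure code writing" answers concrete, here is an added example (written for this summary, not taken from the original post or any of the readings) of the kind of SQL injection flaw Burp Intruder and Repeater are used to find, placed next to its hardened form. It uses an in-memory SQLite database with constructed sample rows; the table, column and function names are hypothetical.

```python
"""Added example, not from the original post: a SQL-injectable login lookup
beside its hardened form, using an in-memory SQLite database with constructed
sample rows. Table, column and function names are hypothetical."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; pw_hash values are placeholders, not real hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash_a"), ("bob", "hash_b")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # Untrusted input is spliced into the statement text, so a quote in the
    # input changes the query's structure instead of being treated as data.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[str]:
    # Parameter binding: the value travels separately from the SQL text and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(username: str) -> bool:
    # Allow-list input validation as a second layer: only the characters a
    # username legitimately needs are accepted, so quotes and SQL keywords
    # are rejected before they reach any query.
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed input containing a quote
    print("vulnerable:", lookup_vulnerable(db, probe))   # every user is returned
    print("hardened:  ", lookup_hardened(db, probe))     # nothing matches
    print("validated: ", valid_username(probe))          # rejected up front
```

The two layers are complementary: parameterized queries remove the injection outright, while allow-list validation shrinks the input space and gives a clean place to log and reject malformed requests, which is also what a web app firewall is approximating from outside the application.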

  3. Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow theme topic of the week, or other interesting related article)…

In the Cyber Security News lately

“Starbucks fixes critical flaws that could allow an attacker to steal users’ credit-cards” (reported on eHackingNews.com on 9/22/2015 from an Egyptian security researcher)…
… “Remote File Inclusion Vulnerability occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution (found within Starbucks’ web sites… code execution on the web server, code execution on the client-side [JavaScript & cross site scripting {XSS}], data theft/manipulation via phishing attack to steal users’ accounts that contain credit cards and payment orders info)… Starbucks confirmed that it has fixed the vulnerabilities (for now).”
