Web Application Security: Port Scanning, OSINT, and XSS Attacks
This document explores key aspects of web application security, focusing on port scanning, OSINT techniques, and cross-site scripting (XSS) attacks. It delves into the functionalities of Nmap, a powerful security scanner, demonstrating its use for host discovery, port scanning, OS detection, and version detection. The document also examines the concept of Open Source Intelligence (OSINT) and its role in gathering information from publicly available sources. Furthermore, it provides a comprehensive analysis of persistent and non-persistent XSS attacks, outlining their mechanisms, prevention strategies, and mitigation techniques. The document concludes by discussing sensitive data exposure, highlighting its potential risks and outlining measures to protect sensitive information. Finally, it explores the OSWAP 10-2017 attacks, providing insights into real-world vulnerabilities and their exploitation.
Web Application Security, Port Scanning and OSINT
Contents
List of figures
NMAP
  OPEN PORT
  CLOSED PORT
  FILTERED PORT
OSINT
Persistent & Non-Persistent Cross Site Scripting attack
  Persistent Cross Site Scripting attack
  Non-Persistent Cross Site Scripting attack
Sensitive Data Exposure
  OWASP Top 10 2017 attacks
References
List of figures
Figure 1: OS detection
Figure 2: Track Information
Figure 3: Host service version number
Figure 4: Persistent attack
Figure 5: Reflected XSS attack
NMAP
Nmap is a free security scanner used to discover the hosts and services on a computer network; it can be thought of as building a 'map' of the network. It sends crafted packets to the hosts and analyses their responses. Nmap started as a Linux-only tool but has since been ported to Windows, Solaris and many other platforms. It adapts to network conditions such as latency and congestion during a scan, and the tool is extended and improved periodically.
Following are the features of Nmap:
• Host discovery: identifying which hosts on the network are up.
• Port scanning: enumerating the open ports on a target host.
• OS detection: determining the operating system, along with hardware characteristics, of computing and network devices.
• Version detection: discovering the name and version number of the application listening on a port (Lyon, 2009).
A)
OPEN PORT:
An open port is one on which an application is actively accepting TCP or UDP connections. Finding open ports is the primary goal of port scanning, because each open port is a potential avenue of attack, and whoever finds it knows where an attack is possible. Administrators try to close open ports or protect them behind firewalls. Open ports are also enumerated in non-security scans to inventory the services available on a network.
CLOSED PORT:
A closed port is accessible (it receives and answers Nmap's probes) but no application is listening on it. A closed port shows that the host at the specified IP address is up. Closed ports are still worth scanning, since a port that is closed now might be opened later. Administrators can block such ports with a firewall.
FILTERED PORT:
Sometimes Nmap cannot determine whether a port is open, because packet filtering prevents its probes from reaching the port. The filtering may come from a dedicated firewall device, router rules, or a host-based firewall. Filtered ports frustrate attackers because they provide so little information.
Filtered ports also slow the scan down, since Nmap has to retry the probes several times in case the missing response was caused by network congestion.
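The three port states above are easiest to see in Nmap's grepable (-oG) output. The following Python is an added example, not part of the original assignment: it parses a constructed -oG sample, counts open/closed/filtered ports per host, and runs the defender's check of comparing open ports against an allow-list of expected listeners (the policy format is the example's own convention).

```python
"""Summarise Nmap grepable (-oG) output by port state and flag unexpected open ports.

Added example, not from the original document. SAMPLE_OG is constructed output
in Nmap's grepable format; the allow-list policy is this example's own convention.
"""
import re
from collections import Counter

# Constructed sample of "nmap -sV -oG" output (the Host/Ports/Ignored State
# fields are tab-separated; each port entry ends with a trailing "/").
SAMPLE_OG = (
    "# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 192.168.2.0/24\n"
    "Host: 192.168.2.100 ()\tStatus: Up\n"
    "Host: 192.168.2.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, "
    "80/open/tcp//http//nginx 1.14/, 443/filtered/tcp//https///, "
    "3306/closed/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 192.168.2.101 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "135/filtered/tcp//msrpc///\tIgnored State: filtered (998)\n"
    "# Nmap done: 2 IP addresses (2 hosts up) scanned\n"
)

# One port entry: port/state/protocol/owner/service/rpc-info/version/
# (state may be a combined value such as open|filtered).
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [ {port, state, proto, service, version}, ... ]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entries = hosts.setdefault(ip, [])
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entries.append({"port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version})
    return hosts


def state_summary(hosts):
    """Count ports per state (open / closed / filtered ...) for each host."""
    return {ip: dict(Counter(e["state"] for e in entries))
            for ip, entries in hosts.items()}


def unexpected_open_ports(hosts, allowed):
    """Defender's check: open ports that are not on the host's allow-list.

    `allowed` maps ip -> set of (proto, port) expected to listen. Anything
    else reported open is an attack-surface finding to investigate.
    """
    findings = []
    for ip, entries in hosts.items():
        expected = allowed.get(ip, set())
        for e in entries:
            if e["state"] == "open" and (e["proto"], e["port"]) not in expected:
                findings.append((ip, e["proto"], e["port"], e["service"]))
    return findings


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_OG)
    for ip, counts in state_summary(parsed).items():
        print(ip, counts)
    policy = {"192.168.2.100": {("tcp", 22), ("tcp", 80)}}  # constructed policy
    for finding in unexpected_open_ports(parsed, policy):
        print("unexpected open port:", finding)
```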
B)
Command for identifying the OS:
-O enables operating system detection. -A can also be used; it enables OS detection together with other features (version detection, script scanning and traceroute).
Syntax: nmap -O -v oversiondetect.txt 192.168.2.100
(Note that, as written, Nmap treats oversiondetect.txt as a second target name; to save the scan to a file, use an output option such as -oN <file>.)
Figure 1: OS detection
Command for tracking the route information for the same URL
To track the route information, we use
Syntax: nmap -sn --traceroute <remoteip>
where -sn tells Nmap to skip the port scan (host discovery only) and --traceroute records the route to the host.
To trace the route using a specific port, we have to give the port number:
nmap -p <port> --traceroute <dst_ip>
Figure 2: Track Information
C)
Command for finding the host service version number
-sV enables service version detection: Nmap probes each open port to find out which application is listening and which version it is running. This option can be combined with many others, such as --allports, --version-intensity and --version-all.
Syntax: nmap -sV <target>
-sL lists the hosts in a network range without sending any packets to the target hosts. OS detection and ping are not available with this option.
Figure 3: Host service version number
OSINT
OSINT stands for Open Source Intelligence: collecting data from publicly available sources and then using that data in an intelligence context. "Open" refers to the publicly available source. A huge amount of information can be gathered from open sources, which makes the resulting research more effective and efficient. Some well-known OSINT tools are COMINT, Maltego, Shodan, etc.
The theHarvester options to identify all the email addresses available on a public domain are:
-d @latrobe.edu.au
-l 1000
-b google
Here, -d specifies the domain, -l limits the number of search results and -b specifies the data source (search engine).
OUTPUT:
root@kali:~# theharvester -d kali.org -l 500 -b google
*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.2a *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************
[-] Searching in Google:
Searching 0 results...
Searching 100 results...
Searching 200 results...
Searching 300 results...
Searching 400 results...
Searching 500 results...
Persistent & Non-Persistent Cross Site Scripting attack:
Cross-site scripting attacks, also known as XSS attacks, are attacks on the client side. The attacker can see the private information of the client or can make data visible to other users.
Persistent Cross Site Scripting attack
The persistent cross-site scripting attack, also known as stored XSS, is the most destructive type of XSS attack. In this type of attack the information sent by the attacker is saved by the server, and the server then displays that information on the site. This means the server shows the attacker's content rather than the original information, and it is shown to the user during regular browsing. Examples of this attack include showing irrelevant information to the user, hijacking user accounts, etc. (Wurzinger, Platzer, Ludl, Kirda and Kruegel, 2009).
Figure 4: Persistent attack
Prevention and mitigation from the XSS attacks:
1. Escaping: We can escape the user input. Escaping means taking the data and, before rendering it to the end user, encoding it so that the browser treats it as text rather than as markup or script.
2. Validating input: Validating input is a technique for ensuring that the application accepts and sends only correct data to the user; it protects the site and its users from malicious input that would otherwise harm them.
Non-Persistent Cross Site Scripting attack:
The non-persistent cross-site scripting attack, also known as reflected XSS, is an attack in which a false script is reflected by the web application onto the user's browser. This false script, also known as a malicious script, is carried in a link; the link sends a request to the vulnerable website, which echoes the script back so that it executes. This allows the attacker to modify how the web application appears in the user's browser (Polo, Lopez and Martin, 2005).
To deliver the malicious link, the executor embeds it in an email or some other link. On clicking this link, the XSS exploitation of the website begins.
Figure 5: Reflected XSS attack
There are five major steps in a reflected XSS attack:
1. The executor embeds the malicious link in an email or another message.
2. The link is delivered to the victim's browser.
3. The victim clicks the link.
4. The malicious script is executed in the victim's browser.
5. The victim's session cookies are reflected back to the executor, who starts accessing the private data.
Examples of reflected XSS attack are:
1. On entering the query, an alert box is generated saying 'XSS'.
2. A "page not found" error is displayed on the screen, etc.
Prevention & mitigation from the reflected XSS is as follows:
1. The user should not click on suspicious links, including those in emails from unknown senders or in unknown users' feeds.
2. Requests carrying malicious input should be blocked at the website. This protects the user and prevents damage to all other visitors to the website.
3. A web application firewall such as Imperva Incapsula should be in place; it collects attack data from across its entire network.
Sensitive Data Exposure
In Australia, many customers of ABC commercial have been exposed in a number of data breaches, which affected business activities there. The Kromtech security center reported a large data leak, and hence a leak of customers' sensitive data.
As the name suggests, sensitive data exposure occurs when sensitive information or data is not adequately protected by the application. The sensitive data can be a password, a token, credit card information or anything that is private to the user.
Following are the prevention measures for sensitive data exposure:
1. Encryption: Keep the data encrypted at all times. Saving data in its original (plaintext) format is an invitation to attack. All sensitive data should be stored in encrypted form.
2. Storing backups: Keeping data on the system makes the attacker's job easier, so data should be deleted from the computer once the job is done. This protects our private information. In short, data should not be stored unnecessarily and should be deleted as soon as it is no longer needed.
3. Auto-complete: Auto-complete is the feature by which the browser fills in information automatically; for example, the Facebook username and password are saved within the browser. To protect the data, the auto-complete option should be turned off.
4. Password: Passwords should be strong so that they are difficult for an attacker to guess. They should be randomly generated and properly encrypted (or, better, hashed) when stored.
5. Caching: Caching should be disabled for pages that contain sensitive data (Shu, Yao and Bertino, 2015).
OWASP Top 10 2017 attacks:
1. In the first attack, the attacker obtains the applicant's credit card number, which is stored in encrypted form. The data is automatically decrypted by the SQL queries used to retrieve it from the database, so an attacker who can issue such queries receives the credit card number in plain text.
2. In the second attack, there is a password database that contains the password of every user. A flaw in file handling allows a user to retrieve the password database. The passwords are stored as hashes, and these hashes can be cracked by an attacker using GPUs, whether they are salted or unsalted.
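The password and caching measures listed above and the second OWASP scenario come together in how credentials are stored and how pages holding sensitive data are served. The Python below is an added example, not the assignment's code: it contrasts the fast unsalted hash from the scenario with a salted, deliberately slow PBKDF2 hash verified in constant time, and builds the response headers that stop a browser or proxy caching a sensitive page (iteration count and header set are the example's own choices, using only the standard library).

```python
"""Sensitive data at rest and in the browser: password hashing and no-store headers.

Added example, not part of the original assignment. Standard library only;
the iteration count and header set are this example's own choices.
"""
import hashlib
import hmac
import os

# Deliberately slow: every password guess costs this much work, which is
# what blunts GPU cracking. 600k is OWASP's current figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password_fast_unsalted(password):
    """The weak pattern from the OWASP scenario: one fast hash, no salt.

    Two users with the same password get the same digest, and a GPU can test
    billions of candidates per second against a fast hash like this.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Stored form: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.

    A random 16-byte salt per user means identical passwords hash differently
    and precomputed tables are useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def sensitive_response_headers():
    """Headers for a page showing card numbers, tokens etc.: forbid caching by
    the browser and by intermediaries, so the data is not left on disk."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


if __name__ == "__main__":
    print("fast/unsalted, same for every user:", hash_password_fast_unsalted("hunter2"))
    record = hash_password("hunter2")  # constructed sample password
    print("stored record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong  :", verify_password("hunter3", record))
    print("headers:", sensitive_response_headers())
```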
Conclusion:
I have successfully performed the assignment on web application security. I have used the nmap scanner in the first question and implemented the commands on the scanner itself. Then I found the number of email addresses present on the public domain and attached the output with the answer. I learned about the various attacks like persistent and non-persistent cross-site attacks. I have written about sensitive data exposure. Sensitive data exposure occurs when sensitive information or data is not protected adequately by the application.
References
Polo, V., López, P. and Martín, J., 2005. Balancing the thermal costs and benefits of refuge
use to cope with persistent attacks from predators: a model and an experiment with an alpine
lizard. Evolutionary Ecology Research, 7(1), pp.23-35.
Wurzinger, P., Platzer, C., Ludl, C., Kirda, E. and Kruegel, C., 2009, May. SWAP:
Mitigating XSS attacks using a reverse proxy. In Proceedings of the 2009 ICSE Workshop on
Software Engineering for Secure Systems (pp. 33-39). IEEE Computer Society.
Shu, X., Yao, D. and Bertino, E., 2015. Privacy-preserving detection of sensitive data
exposure. IEEE transactions on information forensics and security, 10(5), pp.1092-1103.
Lyon, G.F., 2009. Nmap network scanning: The official Nmap project guide to network
discovery and security scanning. Insecure.