Breaking the Application with Shritam Bhowmick – Application Bruteforce Demystified.

Web Form Brute Force Methods

Demonstration by Shritam Bhowmick
Web Application Penetration Tester
Independent Consulting Security Evangelist

Abstract

This is web application penetration testing challenges hosted over pentesteracademylab.appspot.com, it reflects several challenges for web application security researchers to break in a safe environment. This is for Lab practice only and no part of this document were provided by the original authors. Having to pull out my old research on application security, I thought to give back to the community but not all releases are meant to be pushed here. This research is part of my private application security research and proudly serves as an opening opportunities for others to dwell and work further on the same as provided and as long as the original authors are credited.

Contents

Hack.
Method 1: Using Hydra to Brute Force Web Logins
Method 2: Using Burp Suite Intruder to Brute Force Web Logins

Method 3: Using Python to break Web-Form Login
Method 4: Using WebSlayer to Brute Force Web Logins
Method 5: Nmap Script Code to break web form
Contact Information.

Continue reading

Advertisements

Adaptive Application Framework Driven Vulnerabilities and the Padding Oracle

Securing Web Applications before Deployment.

An analysis focused on various framework used to deploy web applications.

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

Dedicated vulnerability and bug researchers go deep into the application security aspects while studying application internals and there is a prominent rise in hidden attack vectors which are never common. There is a default common misconception among the developers that deploying applications which are vendor-enabled with 3rd party proprietary framework libraries will add security to the application. Libraries which the developers rely on are themselves vulnerable if properly dissected and studied. This brings business concerns to the business assets. The business assets could be anything from bank details to storing credit card information for customers to easily access such numbers for the ease of the customers. Although data integrity is maintained when storing and is encrypted, it takes a while for an attacker to get in and get out without being really noticed. Contrary to the statements above, there is yet another belief that Open source libraries will be safer since they go revisions by the mass community but the truth is bitter. Again, deep down in the open-source libraries, there exist multiple critical vulnerabilities which needs to be addressed before deploying them as they are. The information given below will detail the vulnerabilities which are deep inside the libraries which are used to deploy rich internet based applications.

open2 open

What Developers see as a convenient way for deploying a web application?

  • Languages used: PHP, JAVA, Ruby, SCALA, Perl, Python, HASKELL, Cold Fusion and more.
  • Framework Used:NET, Zend, CodeIgniter, Spring, Catalyst, Snap, CakePHP, Yii, Fusebox, and more. Even more popular ones are Django, Sinatra, Mason, Pyjamas, Symfony and Grails.

Continue reading