BUG BOUNTY
Ignite Technologies
Where we are today

Agenda:
Introduction
Web Servers & Web Applications
What is a Bug Bounty Program
Web Penetration Testing & its Methodologies
Introduction to OWASP
Introduction to Burp Suite
What is a "Web Server"

"A web server can refer to hardware, to software, or to both working together: the machine that stores a website's files and the HTTP server software that delivers those files to browsers on request."

Major web servers:
Apache HTTP Server
Microsoft IIS
Nginx
Google Web Server (GWS)
Web Servers & Web Applications | Bug Bounty Program | Web Penetration Testing | OWASP | Burp Suite
Types of Web Servers

A web server is commonly categorized into three major types:
Static web server: serves files exactly as stored on disk (HTML, CSS, JavaScript, images).
Dynamic web server: a static server plus application software (for example PHP) and a database, generating pages per request.
Content Management System (CMS): a ready-made dynamic application (for example WordPress or Joomla) for publishing and managing content.
A Web Server Configuration

A web server must hold the website's files, namely all HTML documents and their related assets, including images, CSS stylesheets, JavaScript files, fonts and videos.

For the lab environment used in this course, the server has the following services installed:
Apache
PHP
phpMyAdmin
MySQL
FTP
SSH

A step-by-step Apache setup guide is linked from this slide. Note that FTP and phpMyAdmin are acceptable in an isolated lab only; on an internet-facing server they widen the attack surface (FTP sends credentials in plaintext, and phpMyAdmin is an exposed administrative panel).
A Web Application

A web application is application software that runs on a web server and is used through a browser rather than being installed on the client.

Examples include online forms, shopping carts, word processors, spreadsheets, video and photo editors, file conversion and file scanning tools, and webmail such as Gmail, Yahoo Mail and AOL Mail. Popular suites include Google Workspace (formerly Google Apps) and Microsoft 365.
Web Application Configuration

Let's set up and configure some deliberately vulnerable web applications for practice:
DVWA (Damn Vulnerable Web Application)
bWAPP (buggy Web Application)
SQLi-labs
Mutillidae

Setup guides for each are linked from this slide. Run these only in an isolated lab network or VM; they are intentionally exploitable.
Bug Bounty Program

A bug bounty program is a deal offered by many websites, organizations and software developers under which individuals receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

Platforms where you can hunt for bugs:
HackerOne
Bugcrowd

Always read the program's scope and rules of engagement before testing: only assets listed as in scope may be tested, and out-of-scope findings are typically not rewarded.
Web Security Assessment (Vulnerability Assessment)

1. Scoping: identify the scope and prepare a document with questionnaires for the client so that the scope is unambiguous (target hosts and URLs, excluded assets, test windows).
2. Prepare: choose a way to connect to the host URL, prepare your attacking machine and select the tools of your choice.
3. Scanning: identify vulnerabilities against the OWASP Top 10 or a web security checklist.
4. Report: prepare a document on the basis of your findings and provide possible solutions to mitigate them.
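Scoping in practice means deciding, for every host you discover, whether it is inside the program's scope before you touch it. The following is an added Python example (not from the slides or from any bounty platform) of such a check; the scope entries and hostnames are constructed for illustration. It shows the two details that matter: exclusions win over inclusions, and a wildcard must match on domain labels, not on a substring, or `example.com.evil.net` slips in.

```python
from urllib.parse import urlsplit

# Constructed scope definition for illustration: wildcard entries cover
# subdomains; exclusions take precedence over inclusions.
IN_SCOPE = ["*.example.com", "api.example.org"]
OUT_OF_SCOPE = ["legacy.example.com", "*.corp.example.com"]


def host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one scope entry.

    '*.example.com' matches any subdomain (one or more labels) but not the
    bare apex 'example.com'; an exact entry matches only that host.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def target_host(url: str) -> str:
    """Extract the hostname from a URL or bare host (port and path ignored)."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def in_scope(url: str) -> bool:
    """True only if the host matches an inclusion and no exclusion."""
    host = target_host(url)
    if any(host_matches(p, host) for p in OUT_OF_SCOPE):
        return False
    return any(host_matches(p, host) for p in IN_SCOPE)


if __name__ == "__main__":
    for u in ["https://dev.example.com/login", "http://legacy.example.com/",
              "https://example.com", "https://api.example.org:8443/v1",
              "https://example.com.evil.net/", "vpn.corp.example.com"]:
        print(f"{u:40} in scope: {in_scope(u)}")
```

Feed it the hosts that subdomain enumeration turns up and only test the ones that come back true; the apex domain and the look-alike under `evil.net` are both rejected.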
Web Security Assessment (Penetration Testing)

1. Prepare: choose a way to connect to the host URL, prepare your attacking machine and select the tools of your choice.
2. Vulnerability Assessment: perform the assessment described above; the penetration test is then driven by its results.
3. Exploit: confirm each vulnerability identified against the OWASP Top 10 or a web checklist by exploiting it, for example by injecting a crafted payload, and record the evidence.
4. Report: prepare a document on the basis of your findings and provide possible solutions to mitigate them.
5. Repeat: retest once fixes are applied, and repeat the cycle as the application changes.
What is "OWASP & its Top 10"

"OWASP, the Open Web Application Security Project (renamed the Open Worldwide Application Security Project in 2023), is an international non-profit organization dedicated to application security."

The OWASP Top 10 is a regularly updated report outlining the most critical security risks to web applications, focusing on the ten most critical risk categories.

OWASP refers to the Top 10 as an "awareness document" and recommends that all companies incorporate it into their processes in order to minimize and mitigate security risks.
OWASP Top 10 (2013)                               OWASP Top 10 (2017, new)
A1  Injection                                     A1  Injection
A2  Broken Authentication & Session Management    A2  Broken Authentication
A3  Cross-Site Scripting (XSS)                    A3  Sensitive Data Exposure
A4  Insecure Direct Object References             A4  XML External Entities (XXE)
A5  Security Misconfiguration                     A5  Broken Access Control
A6  Sensitive Data Exposure                       A6  Security Misconfiguration
A7  Missing Function Level Access Control         A7  Cross-Site Scripting (XSS)
A8  Cross-Site Request Forgery (CSRF)             A8  Insecure Deserialization
A9  Using Components with Known Vulnerabilities   A9  Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards            A10 Insufficient Logging & Monitoring
OWASP Top 10 #1: Injection

"Injection occurs when untrusted data is sent to an interpreter as part of a command or query, through a form input or some other data submission to the web application", e.g. SQL injection. The interpreter cannot tell attacker-supplied data from the developer's code, so the data is executed as code. The fix is to keep code and data separate: parameterized queries (prepared statements), safe APIs, and allow-list validation of input.
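The classic login bypass, as an added Python example (not code from the slides or from any of the lab applications): the same query built by string concatenation and with placeholders, against a constructed in-memory SQLite user table. The table, users and tautology payload are all made up for the demonstration; passwords are stored in plaintext only to keep the example short (see Broken Authentication for why that is wrong).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "S3cret!"), ("alice", "wonderland")])
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by concatenation: user input becomes part of the SQL code."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the query structure fixed; input is only ever treated as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


# Constructed tautology payload: closes the string literal, makes the WHERE
# clause always true, and comments out the password check.
PAYLOAD = "admin' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, legit creds  :", login_vulnerable(db, "alice", "wonderland"))
    print("vulnerable, injected     :", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized, injected  :", login_parameterized(db, PAYLOAD, "anything"))
```

The concatenated version produces `... WHERE username = 'admin' OR '1'='1' --' AND password = 'anything'`, which matches every row; the parameterized version looks for a user literally named `admin' OR '1'='1' --` and finds nothing.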
OWASP Top 10 #2: Broken Authentication

"Broken authentication covers weaknesses in login and session handling that let an attacker take over user accounts and, with an admin account, compromise the entire system." Typical causes: credential stuffing and brute force with no rate limiting or lockout, weak or default passwords, passwords stored in plaintext or with a fast unsalted hash, and session identifiers that are predictable or not rotated after login.
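What the difference looks like in code, as an added Python example (not from the slides): a login that stores the plaintext password and compares it with `==`, beside one that stores a salted, deliberately slow PBKDF2 hash, compares in constant time, burns the same work for unknown usernames, locks the account after repeated failures, and issues session identifiers from the OS CSPRNG. The user store, credentials and lockout threshold are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed user store, the way many breached sites kept it.
users_plain = {"alice": "wonderland"}


def login_broken(user: str, password: str) -> bool:
    # Plaintext storage, early-exit string compare, unlimited attempts.
    return users_plain.get(user) == password


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


ITERATIONS = 210_000        # tune upward with hardware; the point is to be slow for brute force
MAX_FAILURES = 5


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: salted, iterated, so a leaked table cannot be cracked quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(store: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[user] = Account(salt=salt, digest=_derive(password, salt))


def login_hardened(store: dict, user: str, password: str) -> bool:
    acct = store.get(user)
    if acct is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames exist.
        _derive(password, b"\x00" * 16)
        return False
    if acct.locked:
        return False
    ok = hmac.compare_digest(_derive(password, acct.salt), acct.digest)
    if ok:
        acct.failures = 0
    else:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
    return ok


def new_session_id() -> str:
    """256 bits from the OS CSPRNG; never derive session ids from time or user ids."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    store = {}
    register(store, "alice", "wonderland")
    print("correct password :", login_hardened(store, "alice", "wonderland"))
    for _ in range(MAX_FAILURES):
        login_hardened(store, "alice", "guess")
    print("locked after", MAX_FAILURES, "failures:", store["alice"].locked)
    print("fresh session id :", new_session_id())
```

A lockout this simple can be abused to deny service to a known username; production systems usually rate-limit per source address and per account together and unlock after a cooldown rather than permanently.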
OWASP Top 10 #3: Sensitive Data Exposure

"Web applications sometimes don't protect sensitive data (credentials, card numbers, health records, session tokens), so attackers can obtain it and use it for malicious purposes." Data is exposed in transit when it travels over plain HTTP or weakly configured TLS, where a man-in-the-middle on the network path can read or alter it, and at rest when it is stored unencrypted or hashed with a weak algorithm. Enforce HTTPS with HSTS, mark session cookies Secure and HttpOnly, and encrypt or strongly hash stored secrets.
OWASP Top 10 #4: XML External Entities (XXE)

"This is an attack against a web application that parses XML input." Many poorly configured XML processors evaluate external entity references declared in a document's DTD. An attacker who controls the XML can therefore declare an entity pointing at a local file or an internal URL and have the parser disclose internal files, probe the internal network (SSRF) or exhaust memory through nested entity expansion. The fix is to disable DTD processing and external entity resolution in the parser.
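Two constructed payloads and the parser-side fix, as an added Python example (not from the slides). The first declares an external entity pointing at a local file; the second is a shrunken "billion laughs" document whose three nested internal entities turn a few bytes into 300 (the real attack nests deeper to exhaust memory). Python's standard library does not fetch external entities by default, but it does expand internal ones without limit, so the hardening shown, rejecting any document that carries a DOCTYPE before entities can be declared, blocks both classes at once. Element names and payload contents are made up for the demonstration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed payload 1: classic XXE. A parser that resolves external entities
# would return the file's contents wherever &xxe; appears.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE user [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<user><name>&xxe;</name></user>"""

# Constructed payload 2: entity expansion, 3 levels deep (3 bytes -> 300 bytes).
LAUGHS_PAYLOAD = """<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<user><name>&lol3;</name></user>"""

BENIGN = "<user><name>alice</name></user>"


class DoctypeForbidden(ValueError):
    """A data API never needs a DTD; any DOCTYPE is treated as hostile."""


def parse_unsafe(data: str) -> ET.Element:
    """Default parsing: internal entities are expanded with no limit."""
    return ET.fromstring(data)


def parse_hardened(data: str) -> ET.Element:
    """Pre-flight the document with a bare expat parser that aborts on DOCTYPE.

    No entity handlers are registered on the pre-flight parser, so it fetches
    nothing; the exception fires before any entity can be declared or used.
    """
    pre = xml.parsers.expat.ParserCreate()

    def reject(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden(f"DOCTYPE {name!r} rejected")

    pre.StartDoctypeDeclHandler = reject
    pre.Parse(data, True)
    return ET.fromstring(data)


def username(data: str, parser=parse_hardened) -> str:
    return parser(data).findtext("name", default="")


def accepted(data: str) -> bool:
    """True if the hardened parser accepts the document."""
    try:
        parse_hardened(data)
        return True
    except DoctypeForbidden:
        return False


if __name__ == "__main__":
    print("benign, hardened      :", username(BENIGN))
    print("laughs, unsafe length :", len(username(LAUGHS_PAYLOAD, parser=parse_unsafe)))
    print("xxe accepted?         :", accepted(XXE_PAYLOAD))
```

In parsers that do resolve external entities (libxml2-based stacks, many Java parsers), the unsafe path would return the target file's contents; disabling DTDs in the parser's own configuration is the equivalent of the pre-flight check above.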
OWASP Top 10 #5: Broken Access Control

"Broken access control lets attackers bypass authorization and perform tasks as though they were privileged users such as administrators", or act on other users' data. Common forms: insecure direct object references (changing an id in the URL to reach another user's record), missing function-level checks on admin endpoints, and trusting client-side controls. Authentication establishes who the caller is; authorization must still be checked server-side, on every request, for every object.
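The insecure-direct-object-reference case from the paragraph above, as an added Python example (not from the slides): an order lookup that checks only that the caller is logged in, beside one that denies by default unless the caller owns the record or holds the admin role. Orders, users and roles are constructed; the single error type for "missing" and "forbidden" is deliberate, so the id space cannot be enumerated by telling a 404 from a 403.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    id: int
    owner: str
    total: float


# Constructed data: two customers with one order each, and one administrator.
ORDERS = {101: Order(101, "alice", 49.90), 102: Order(102, "bob", 1250.00)}
ROLES = {"alice": "customer", "bob": "customer", "carol": "admin"}


class Forbidden(Exception):
    """Raised for both unknown and unauthorized ids."""


def get_order_idor(current_user: str, order_id: int) -> Order:
    """Authenticated, but never asks whether the caller may see this order.

    Changing ?order_id=101 to 102 in the URL returns bob's order to alice.
    """
    return ORDERS[order_id]


def get_order(current_user: str, order_id: int) -> Order:
    """Deny by default: only the owner or an admin may read the order."""
    order = ORDERS.get(order_id)
    is_owner = order is not None and order.owner == current_user
    is_admin = ROLES.get(current_user) == "admin"
    if order is None or not (is_owner or is_admin):
        raise Forbidden(f"user {current_user!r} may not read order {order_id}")
    return order


def can_read(current_user: str, order_id: int) -> bool:
    try:
        get_order(current_user, order_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("IDOR: alice reads bob's order  :", get_order_idor("alice", 102))
    print("fixed: alice reads bob's order :", can_read("alice", 102))
    print("fixed: admin reads bob's order :", can_read("carol", 102))
```

During a test this is exactly what you try with Burp Repeater: authenticate as one user, then swap the identifier and watch whether the response changes.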
OWASP Top 10 #6: Security Misconfiguration

"Security misconfiguration is the most common issue on the list, and is often the result of running default configurations, leaving default accounts or sample applications in place, or displaying excessively verbose error messages." Stack traces and version banners tell an attacker exactly which component and version to research; unnecessary features (directory listing, debug consoles, exposed admin panels) widen the attack surface. Harden every environment the same way and review the configuration on each deployment.
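A response audit covering both this slide and Sensitive Data Exposure (#3), as an added Python example (not from the slides): it parses a raw HTTP response as captured in an intercepting proxy and flags version disclosure in `Server`/`X-Powered-By`, a missing `Strict-Transport-Security` header (downgrade to plain HTTP, i.e. the man-in-the-middle case), session cookies without `Secure`/`HttpOnly`, and a verbose error in the body. Both responses are constructed for illustration; the version strings and cookie value are made up.

```python
import re

# Constructed misconfigured response, as seen in Burp's HTTP history.
SAMPLE_RESPONSE = """HTTP/1.1 500 Internal Server Error
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=8f3a2c1b; path=/
Content-Type: text/html

<b>Fatal error</b>: Uncaught PDOException: SQLSTATE[HY000] [1045] Access denied
in /var/www/html/db.php:12"""

# Constructed hardened response for the same failure.
HARDENED_RESPONSE = """HTTP/1.1 500 Internal Server Error
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: PHPSESSID=8f3a2c1b; path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html

<p>Something went wrong. Reference: 7d4e1</p>"""

VERSION_RE = re.compile(r"\d+\.\d+")
ERROR_RE = re.compile(r"(Fatal error|Exception|Traceback|SQLSTATE|at line \d+|/var/www/)", re.I)


def parse_response(raw: str):
    """Split a raw response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def audit(raw: str) -> list[str]:
    status, headers, body = parse_response(raw)
    findings = []
    for h in ("server", "x-powered-by"):
        for value in headers.get(h, []):
            if VERSION_RE.search(value):
                findings.append(f"version disclosure in {h}: {value}")
    if "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security (HTTPS downgrade / MITM possible)")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    if ERROR_RE.search(body):
        findings.append(f"verbose error detail in body ({status})")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE):
        print("-", f)
    print("hardened findings:", audit(HARDENED_RESPONSE))
```

Run it over every response in the proxy history rather than one page; misconfigurations are usually server-wide, so one hit predicts many.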
OWASP Top 10 #7: Cross-Site Scripting (XSS)

"Cross-site scripting vulnerabilities occur when a web application includes untrusted input in a page (from a URL parameter, a form field or stored data) without escaping it, so that other users' browsers render it as markup. The vulnerability can be exploited to run attacker-controlled JavaScript in a victim's browser", stealing session cookies or performing actions as the victim. Variants: reflected (payload arrives in the request), stored (payload is saved and served to others) and DOM-based (client-side script writes input into the DOM). Defend by escaping output for the context it lands in (HTML body, attribute, JavaScript, URL) and by setting a Content Security Policy.
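Reflected XSS in a search page, as an added Python example (not from the slides): the raw interpolation that lets a constructed attribute-breakout payload become live markup, the same template with context-correct HTML escaping, and a link where the input lands in a URL and therefore needs URL encoding first. The page fragments and payload are made up for the demonstration.

```python
import html
from urllib.parse import quote

# Constructed attacker input: closes the value attribute, then injects a tag
# with an event handler so no <script> element is needed.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'


def render_vulnerable(query: str) -> str:
    """Interpolates raw input into attribute and text: the payload becomes markup."""
    return f'<input name="q" value="{query}">\n<p>Results for {query}</p>'


def render_escaped(query: str) -> str:
    """HTML-escape for attribute and text context (quote=True also escapes quotes)."""
    safe = html.escape(query, quote=True)
    return f'<input name="q" value="{safe}">\n<p>Results for {safe}</p>'


def render_link(query: str) -> str:
    """URL context: percent-encode first, then HTML-escape the result for the attribute."""
    return f'<a href="/search?q={html.escape(quote(query, safe=""))}">search again</a>'


def has_injected_tag(page: str) -> bool:
    """Demo check standing in for the browser: a tag can only form if '<' survives."""
    return "<img" in page


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_escaped(PAYLOAD))
    print(render_link(PAYLOAD))
```

Note that escaping is not one function: `html.escape` is wrong inside a `<script>` block or a `javascript:` URL, where the browser decodes differently, which is why templating engines offer per-context escapers and why a Content Security Policy is the backstop.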
OWASP Top 10 #8: Insecure Deserialization

"This issue affects the many web applications that serialize and deserialize data." Serialization means taking objects from the application code and converting them into a format that can be stored or transmitted, such as writing them to disk or streaming them over the network. Deserialization is the reverse: converting serialized data back into objects the application can use.

An insecure deserialization exploit results from deserializing data from untrusted sources with a format that lets the data choose which classes are instantiated and which code runs while rebuilding them (Java serialization, PHP unserialize, Python pickle, .NET BinaryFormatter); consequences range from denial of service to remote code execution. Prefer data-only formats such as JSON, and if a native format is unavoidable, sign the blob and restrict the classes the deserializer may load.
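The mechanism, as an added Python example (not from the slides) using `pickle`: a constructed "preferences cookie" whose bytes carry a recipe that calls `exec` during `pickle.loads`, beside a restricted unpickler that refuses every global except plain containers, and the JSON alternative. The injected code only sets a marker attribute so the demo is harmless; a real payload would spawn a shell. Cookie contents and class names are made up for illustration.

```python
import builtins
import io
import json
import pickle


class Evil:
    def __reduce__(self):
        # pickle stores "call exec(<string>)" as the recipe for rebuilding this
        # object, so pickle.loads() runs the string. Harmless marker here.
        return (exec, ("import builtins; builtins.PWNED = 'ran during pickle.loads'",))


def attacker_cookie() -> bytes:
    """Constructed malicious cookie value."""
    return pickle.dumps(Evil())


def benign_cookie() -> bytes:
    """Constructed legitimate cookie value."""
    return pickle.dumps({"theme": "dark", "page_size": 25})


def load_prefs_unsafe(blob: bytes):
    return pickle.loads(blob)             # executes whatever the blob asks for


class RestrictedUnpickler(pickle.Unpickler):
    """Allow only primitive containers; every other global is refused."""
    SAFE = {("builtins", n) for n in ("dict", "list", "set", "tuple", "str", "int", "float", "bool")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_prefs_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_accepts(blob: bytes) -> bool:
    try:
        load_prefs_restricted(blob)
        return True
    except pickle.UnpicklingError:
        return False


def load_prefs_json(text: str) -> dict:
    """Data-only format: JSON expresses values, never classes or calls."""
    prefs = json.loads(text)
    if not isinstance(prefs, dict):
        raise ValueError("prefs must be a JSON object")
    return prefs


def was_exploited() -> bool:
    return hasattr(builtins, "PWNED")


if __name__ == "__main__":
    print("restricted accepts attacker cookie:", restricted_accepts(attacker_cookie()))
    load_prefs_unsafe(attacker_cookie())
    print("code ran during unsafe load       :", was_exploited())
```

The restricted unpickler is defence in depth, not a substitute for not accepting pickles from clients: the allow-list approach is only as good as the list, and signing the blob (for example with an HMAC) is what actually keeps attacker bytes out of the deserializer.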
OWASP Top 10 #9: Using Components with Known Vulnerabilities

"Many modern web developers use components such as libraries and frameworks in their web applications in order to avoid redundant work and provide needed functionality." Attackers look for published vulnerabilities in these components, which they can then exploit in every application still running the affected version. Keep an inventory of components and their versions (server and client side), track advisories for them, and patch or remove unused components promptly.
OWASP Top 10 #10: Insufficient Logging & Monitoring

"Many web applications do not take enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response."

OWASP recommends that web developers implement logging and monitoring, as well as incident response plans, to ensure that they are made aware of attacks on their applications: log logins, failed logins and access-control failures with enough context (who, what, when, from where) to identify suspicious activity, protect the logs from tampering, and alert on patterns such as brute force.
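The "alert on patterns" part, as an added Python example (not from the slides): a detector run over constructed Apache combined-format access log lines that flags a source address with five or more failed logins inside a sliding one-minute window, and separately flags a successful login from an address already flagged, which is the event that should page someone. The IP addresses, timestamps and paths are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log: one address hammering /login and succeeding on the
# sixth try, another with two failures too far apart to matter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2024:10:03:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2024:10:03:31 +0000] "GET /dashboard HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window count of 401s on POST /login per source; one alert per source,
    plus an alert if a flagged source later logs in successfully."""
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != "/login":
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        if ev["status"] == 401:
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()                # drop failures outside the window
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, ts, f"{len(recent)} failed logins within {window.seconds}s"))
        elif ev["status"] in (200, 302) and ip in flagged:
            alerts.append((ip, ts, "successful login after brute-force pattern"))
    return alerts


if __name__ == "__main__":
    for ip, ts, msg in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip:14} {msg}")
```

The same shape works for access-control failures (403s on object ids) and for password-reset abuse; what changes is the predicate, not the window logic. Without these events in the log in the first place, nothing here has anything to detect, which is the point of the slide.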
Introduction to Burp Suite

"Burp" or "Burp Suite" is a set of tools used for penetration testing of web applications.

Its tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

It is developed by the company PortSwigger. The free Community Edition includes the manual tools used in this course (Proxy, Repeater, a rate-limited Intruder, Decoder); the automated vulnerability scanner is part of the Professional edition.

Further reading: PortSwigger's Burp Suite documentation.
Initializing Burp Suite

"Burp Suite" on Kali Linux: Burp Suite Community Edition is installed by default in Kali Linux and can be launched from the applications menu (or with the burpsuite command).

"Burp Suite" on Windows: download the Community Edition installer from PortSwigger's website.
Once Burp Suite starts, it opens on its Dashboard tab (shown in the slide's screenshot); the tools used in the following slides are reached from the Proxy, Repeater, Intruder and Decoder tabs.
Burp Suite Configuration

Setting up the address and port for Burp to listen on: Proxy tab > Options (Proxy settings in newer versions) > Proxy Listeners. By default Burp's proxy listener is bound to the loopback address on port 8080; the browser must be pointed at exactly that address and port. Do not bind the listener to all interfaces on a shared network, or anyone on it can route traffic through your Burp.
Browser Configuration

Configuring the browser's proxy to Burp's listening address and port so that HTTP traffic is sent through Burp. Two options:
Manual proxy setup: in the browser's network/proxy settings, set the HTTP and HTTPS proxy to Burp's listener address and port, and make sure no bypass (no-proxy) list excludes localhost or the target.
FoxyProxy setup: install the FoxyProxy browser extension and add a profile pointing at Burp's listener, so the proxy can be switched on and off with one click.
Browser Configuration (HTTPS)

For HTTPS traffic, the browser must trust Burp's CA certificate, otherwise every intercepted HTTPS site shows a certificate error:
In Burp, turn Intercept "on" in the Proxy tab to capture the ongoing request, with the proxy enabled in the browser.
Browse to [Link] (with the browser proxied through Burp) to download the CA certificate.
Importing the Burp Suite certificate: in the browser's certificate manager, import the downloaded CA certificate under Authorities and trust it to identify websites. Import it only into the browser or profile used for testing; a Burp CA trusted system-wide lets anyone holding that Burp installation's private key intercept your traffic.

Further reading: PortSwigger's documentation on installing Burp's CA certificate.
Burp Suite Tools: Proxy

To intercept the browser's requests:
1. Enable the proxy in the browser.
2. Start Burp and go to the Proxy tab; make sure Intercept is off at this initial stage so the browser can load pages normally.
3. Open the target URL in the same browser where the proxy is enabled.
4. In Burp turn Intercept on and navigate to the URL to capture its request. The request is held until you Forward or Drop it; everything passing through the proxy is recorded in HTTP history whether Intercept is on or not.
Burp Suite Tools: Intruder

Burp Intruder is a fuzzer: it takes a captured request, lets you mark payload positions in it, and replays the request once per payload (or per payload combination), which is how brute forcing of logins, parameter fuzzing and enumeration are done. Attack types: Sniper (one position at a time), Battering ram (the same payload in all positions), Pitchfork (payload sets advance in step) and Cluster bomb (every combination). In the Community Edition, Intruder is rate-limited.
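How the four attack types turn a template into a request set, as an added Python example (not code from the slides or from Burp itself): payload positions are marked with § in a constructed login request, and a generator yields the requests each attack type would send, so the request counts (and the cost of a cluster bomb) can be seen before running anything against a target. The request, wordlists and attack-type names are constructed to mirror Intruder's behaviour; nothing is sent over the network.

```python
from itertools import product

MARK = "§"

# Constructed captured request; § marks two payload positions, as in Intruder.
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: target.lab\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "username=§admin§&password=§letmein§")

# Constructed wordlists.
USERS = ["admin", "root", "alice"]
PASSWORDS = ["123456", "password", "letmein", "admin"]


def split_template(template: str):
    """Return the fixed text pieces and the original value at each marked position."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def build(fixed, values) -> str:
    out = [fixed[0]]
    for value, tail in zip(values, fixed[1:]):
        out.append(value)
        out.append(tail)
    return "".join(out)


def intruder(template: str, payload_sets, attack: str = "sniper"):
    """Yield the requests Burp Intruder would send for the given attack type."""
    fixed, originals = split_template(template)
    n = len(originals)
    if attack == "sniper":            # one position at a time; others keep their original value
        for i in range(n):
            for p in payload_sets[0]:
                values = list(originals)
                values[i] = p
                yield build(fixed, values)
    elif attack == "battering_ram":   # same payload in every position
        for p in payload_sets[0]:
            yield build(fixed, [p] * n)
    elif attack == "pitchfork":       # one set per position, advancing in step, stops at the shortest
        for combo in zip(*payload_sets[:n]):
            yield build(fixed, list(combo))
    elif attack == "cluster_bomb":    # every combination: product of set sizes
        for combo in product(*payload_sets[:n]):
            yield build(fixed, list(combo))
    else:
        raise ValueError(f"unknown attack type {attack!r}")


def count(template: str, payload_sets, attack: str) -> int:
    return sum(1 for _ in intruder(template, payload_sets, attack))


if __name__ == "__main__":
    for attack in ("sniper", "battering_ram", "pitchfork", "cluster_bomb"):
        print(f"{attack:14} {count(TEMPLATE, [USERS, PASSWORDS], attack):3} requests")
    print(list(intruder(TEMPLATE, [USERS, PASSWORDS], "cluster_bomb"))[-1].rsplit("\r\n", 1)[-1])
```

Cluster bomb is the right type for a username/password brute force but its cost is the product of the wordlists; Pitchfork is what you want when the sets are paired (leaked username/password pairs), and Sniper is for finding which single parameter is injectable.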
Burp Suite Tools: Repeater

Repeater lets the user send a single request repeatedly with manual modifications and inspect each response side by side; it is the workbench for confirming a suspected injection point by hand before automating it with Intruder.
Burp Suite Tools: Decoder

Decoder encodes and decodes data in the common schemes seen in web traffic, such as URL, HTML, Base64, ASCII hex, octal, binary and gzip, can chain transforms (for example Base64 inside URL encoding) and compute hashes; it is used to read obfuscated parameters and cookies and to encode payloads the way the application expects them.
Ignite Technologies
[Link]
info@[Link]
+91 959 938 7841
THANK YOU