Authentication and session management ensure that you know who is using the application. Similarly, access control is a defense mechanism that limits what actions authenticated users are allowed to perform. It must be tested for every request and operation.
These notes are for learning/educational purposes only. Use them at your own risk. THE NEED FOR STATE: Session management enables an application to identify a given user across a number of different requests. It is a fundamental security component and also a prime target for attackers. With session management attacks, a user can masquerade as another user or…
These notes are for learning/educational purposes only. Use them at your own risk. AUTHENTICATION TECHNOLOGIES: A wide range of technologies is available for authentication mechanisms: HTML form-based authentication; multifactor mechanisms, such as combining a password with a physical token; client SSL certificates and/or smartcards; HTTP authentication; and Windows-integrated authentication using NTLM or Kerberos. 90% of web apps use…
This is lesson five of the Web Application Security Testing blog series. In this lesson, you’ll learn how data is transmitted from client to server, how client-side controls can be bypassed to capture that data, and how that data can be secured on the client side.
This is lesson four of the Web Application Security Testing blog series. This part of the series describes how a web penetration tester should map the application before attacking it. You’ll learn how to enumerate content and functionality and how to map the application’s attack surface.
This is lesson three of the Web Application Security Testing blog series. In this lesson, we’ll learn the basics of web communication: the HTTP and HTTPS protocols, the various HTTP request and response headers, the HTTP request methods, and the various encoding schemes used during communication.
This is lesson two of the Web Application Security Testing blog series. This lesson introduces the core elements of the defense mechanisms commonly employed by current web applications. It describes how user input, user access, and attackers are handled by the application.
This is lesson one of the Web Application Security Testing blog series. This lesson introduces the common web applications we use today and the current and future state of web security.