8th Feb 2014 : eBay/PayPal office, 11th tower

ISSA Bangalore chapter

Defending the Digital Fortress
by Parag Deodhar
He is an ethical hacker … Chief Risk Officer

AFCE is also a group.

Enemy with infinite arsenal

Fight with Invisible Enemy

Rise of the bots

new weapons of mass destruction

Internet of Things: TVs, refrigerators, cars etc. are getting connected to the internet.

cars automatically start … stop at high speed on a highway.
refrigerators releasing poisonous gases onto the food items we keep in them.

War in the Air:
SkyJack: to hunt, hack and control other commercial drones.

scamware/fakeware: in the middle of browsing, a popup comes and tells you that your computer is infected with a virus. Instead of fixing it, they download a virus onto your computer.

ransomware: files are encrypted; to unlock them we have to pay money to the hacker.

pen (penetration) testing


members :

workshop on penetration testing by Justin Searle
Managing Partner, UtiliSec

SamuraiWTF framework.

black box testing: trial and error; just give input and observe the output
white box testing: going through the code and finding the bugs
grey box testing: a combination of the two above

tool: sqlmap, for testing SQL injection

Follow the steps below for penetration testing:
recon -> mapping -> discovery -> exploitation

cross-site scripting


Qualys publications:
Web App Security for Dummies
Vulnerability Management for Dummies
IT Policy Compliance for Dummies
PCI Compliance for Dummies


ZAP: free
Burp: not free
Sessions are not stored in the free version of Burp, but ZAP can be used to store sessions, so that communication can be made.

ISSA: info security, audit, policy
OWASP: tech front, app security
network security: firewall, router

pen testing: he showed the password flowing on the wire. An intruder can read the password.


DirBuster … favourite list of filenames
RAFT directory lists: popular defaults
Refer: http://files.meetup.com/3503072/dirbuster_owasp_20130117.txt

mobile and web versions: the files are the same and most often only the CSS changes

ZAP checks the background-running apps for an application

w3af: automated vulnerability tool

iMacros: recording tool, like Selenium

testing the lockout functionality for wrong login attempts can be done with iMacros

devs wrote the lockout based on cookies, so just create a new cookie
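To make the lockout point concrete, here is an added example (my own code, not from the workshop): a minimal model of the cookie-based lockout beside a server-side, per-account one, with a test driver that feeds wrong guesses with and without keeping the cookie jar. The user store, salt and credentials are constructed for the demo.

```python
import hashlib

MAX_ATTEMPTS = 5

# Constructed demo user store: username -> salted SHA-256 of the password.
# (Demo only; a real system would use a slow password hash such as bcrypt.)
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _check_password(user: str, password: str) -> bool:
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return USERS.get(user) == digest


class CookieLockout:
    """Weak design from the talk: the failure counter lives in a client cookie.
    Anything the client controls can be reset, so a fresh cookie starts at zero."""

    def login(self, user, password, cookies):
        attempts = int(cookies.get("failed", "0"))
        if attempts >= MAX_ATTEMPTS:
            return "locked", cookies
        if _check_password(user, password):
            return "ok", {**cookies, "failed": "0"}
        return "denied", {**cookies, "failed": str(attempts + 1)}


class ServerLockout:
    """Hardened design: the counter is keyed by the account and kept on the
    server, so discarding client state does not reset it."""

    def __init__(self):
        self.failed = {}

    def login(self, user, password, cookies):
        if self.failed.get(user, 0) >= MAX_ATTEMPTS:
            return "locked", cookies
        if _check_password(user, password):
            self.failed[user] = 0
            return "ok", cookies
        self.failed[user] = self.failed.get(user, 0) + 1
        return "denied", cookies


def run_guesses(service, user, guesses, keep_cookies):
    """Lockout test as described above: send wrong guesses in sequence.
    keep_cookies=False models a client that starts each attempt with an
    empty cookie jar. Returns the list of outcomes."""
    cookies, outcomes = {}, []
    for guess in guesses:
        status, cookies = service.login(user, guess, cookies if keep_cookies else {})
        outcomes.append(status)
    return outcomes
```

With the cookie design the lockout only triggers when the client cooperates by keeping the cookie; the server-side design locks the account after MAX_ATTEMPTS regardless.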

CeWL: tool to guess passwords

session management testing

HttpOnly: the session cookie cannot be set or read from JavaScript, which in turn helps against cross-site scripting

for session tracking, Sequencer is the tool

authentication and authorisation can be tested using ZAP

you can encode and decode using ZAP

in Firefox type http://dojo-basic after enabling the ZAP firewall

code injection
denial of service

WebInspect: like Burp, not free but valuable
abscan: not free

MVC is tough to hack as URL rewriting is different

sqlmap tool is good


About ambatisreedhar

