Web Application Penetration Testing: Weak Cryptography

Cryptography is used to secure modern web applications. The problem is that many things can go wrong, and weak cryptography can lead to very severe consequences. That's why this subject is interesting for penetration testers.
Course info
Rating: (13)
Level: Intermediate
Updated: Apr 20, 2020
Duration: 51m
Description

Weak cryptography can lead to very severe consequences. In this course, Web Application Penetration Testing: Weak Cryptography, you will learn how to test for weak cryptography in modern web applications. First, you will learn about HTTPS enforcement and insecure cookie processing. You will see that users' credentials can be disclosed over an insecure channel when HTTPS enforcement is not implemented in the web application. You will also see a demonstration in which a cookie with sensitive data is disclosed over an insecure channel even though HTTPS is enforced in the web application. Next, you will explore Transport Layer Protection, the Heartbleed vulnerability, and the mixed content vulnerability. You will see how to check whether Transport Layer Protection is configured securely in your web application, and how an attacker can read sensitive data from the memory of the web server as a result of the Heartbleed vulnerability (one of the most famous vulnerabilities in crypto libraries). You will also see what dangers arise when there is a mixed content vulnerability in your web application. Finally, you will discover session randomness analysis, insecure password storage, and Subresource Integrity protection. You will see how you can analyze the randomness of session IDs in your web application with Burp Suite Sequencer. You will learn why you should store a hash of the password (instead of the password in plaintext) and how it solves the problem of insecure password storage. You will also learn how Subresource Integrity can be used to protect the integrity of scripts and style sheets in your web applications. By the end of this course, you will know how severe the consequences of weak cryptography can be, and you will also know how to test for weak cryptography in modern web applications.

About the author

Dawid Czagan is listed among the Top 10 Hackers by HackerOne. He has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, and other companies. Due to the severity of these bugs, he has received numerous awards for his findings.

Section Introduction Transcripts

Course Overview
[Autogenerated] Hi, everyone. My name is Dawid. Welcome to my course, Web Application Penetration Testing: Weak Cryptography. I am a security instructor, researcher and bug hunter. Cryptography is used to secure modern web applications. The problem is that quite many things can go wrong and weak cryptography can lead to very severe consequences. That's why this subject is interesting for penetration testers. First, you will learn about HTTPS enforcement and insecure cookie processing. I will show you that users' credentials can be disclosed over insecure channels when HTTPS enforcement is not implemented in the web application, and I will demonstrate that a cookie with sensitive data can be disclosed over insecure channels even if secure HTTPS is enforced in the web application. Next, you will learn about transport layer protection, Heartbleed vulnerability and mixed content vulnerability. I will show you how to check if transport layer protection is configured securely in your web application. I will present how the attacker can read sensitive data from the memory of the web server as a result of Heartbleed vulnerability, which is one of the most famous vulnerabilities in crypto libraries. And I will explain to you what dangers can happen when there is mixed content vulnerability in your web application. And finally, you will learn about session randomness analysis, insecure password storage and subresource integrity protection. I will show you how you can analyze the randomness of session IDs in your web application with Burp Suite Sequencer. I will tell you why you should store a hash of the password instead of the password in plain text and how it can solve your problems with insecure password storage. And I will explain to you how subresource integrity can be used to protect the integrity of scripts and style sheets in your web applications.
By the end of the course, you will know how severe consequences can happen as a result of weak cryptography, and you will also know how to test for weak cryptography in modern web applications. I hope you will join me on this journey to learn about testing for weak cryptography with the Web Application Penetration Testing: Weak Cryptography course at Pluralsight.