Sunday, 23 April 2017

Pentesting Node.js Application : Nodejs Application Security


Pentesting Node.js Application : Nodejs Application Security

Hello folks, Today we will see how we can do Pentesting Of NodeJS Application : Attacking NodeJS Application.

As we know that Javascript is a very common and important language and also a light wight which do our most of task very easily.

But we also know that, Great efficiency comes with great risk. Node JS is a kind of server side programming language derived from JS.

According to Wiki

Node.js is an open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side. Historically, JavaScript was used primarily for client-side scripting, in which scripts written in JavaScript are embedded in a webpage's HTML, to be run client-side by a JavaScript engine in the user's web browser. Node.js enables JavaScript to be used for server-side scripting, and runs scripts server-side to produce dynamic web page content before the page is sent to the user's web browser. Consequently, Node.js has become one of the foundational elements of the "JavaScript everywhere" paradigm,[4] allowing web application development to unify around a single programming language, rather than rely on a different language for writing server side scripts.


Today we will see some of the vulnerabilities which can be exploited in Node.JS application. We will also take a look on the source code for better understanding.

iOS Application Pentesting Part 5 : Insecure HTTP Data Transit



Just like Transmitting Sensitive Credentials Over HTTP, Application which used HTTP to communicate with their server and don`t using any kind of encryption are vulnerable to this issues.

In iGoat application, there is a simple demonstration that username & password passed in application is transmitting over http and without any encryption as result an attacker can capture/sniff those packages and could hijack victim`s account.

Sunday, 16 April 2017

iOS Application Pentesting Part 4 : Installing iGoat Application

Picture taken from : https://www.owasp.org/index.php/OWASP_iGoat_Project

To perform hands on practice and learning we will use iGoat iOS Application part of OWASP Security Project. You can find their Github page here. This Mobile Application is designed as vulnerable for Security Professionals and learner to enhanced their Skills over iOS Application Pentesting.

This project is Maintained by following folks.
Swaroop
masbog
mtesauro
DinisCruz

Here is the Project Details



For later practices we will install this application XCode and run it, But i recommended you to use a Physical device while performing pentesting.

Thursday, 13 April 2017

iOS Application Pentesting Part 3 : Extracting iOS App Class Information



Every application has his own group of codes which contents lots of information about the functionality and so on. It will always better if we can extract all the possible information about our application which we are going to attack.

Toady we will see How to Extract Class Information Of iOS Application.

Apple has made some modification in their security and now days most the app store apps are encrypted which first need to decrypt to extract class information.

So first we will see class dumping of non-encrypted apps.

Dumping Class Information Of Pre-Installed Applications
We have 2 ways the find the app.
1) find / -type d -iname "Dam*.app"
2) If the app is customly installed using IPA file then his save directory would be Applications/


I am using the command line search for Damm Vulnerable iOS Application which is developed by  Prateek Gianchandani.

Featured post

Pentesting Node.js Application : Nodejs Application Security

Pentesting Node.js Application : Nodejs Application Security Hello folks, Today we will see how we can do Pentesting Of NodeJS Appli...

Popular Posts