Monday, 17 August 2015

Securing Web @ZAP Day-3


3rd Day ZAP workshop started at time in the Collab House and I started taking pics as I was feeling little bored. Then after some time Sumanth Damarla started the workshop, starting with Day-2 Worksheet discussion where he briefly explained about the important key terms that are present in the worksheet.





Key Terms:
-> Clickjacking   
-> X-Frame Options    
-> Port 80 & Port 443    
-> HTTP & HTTPS    
-> Privilege HTTPS    
-> Third-Party API function    
-> Input Validation       
-> Blocklisting        
-> Whitelisting

1) Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

2) X-Frame Options which offered a partial protection against clickjacking. There are three possible values for X-Frame-Options:-> Deny: The page cannot be displayed in a frame, regardless of the site attempting to do so.-> Sameorigin:The page can only be displayed in a frame on the same origin as the page itself.-> Allow-from uri:The page can only be displayed in a frame on the specified origin.  

3Port 80 & Port 443:
-> Port 80 is the port that the server "listens to" or expects to receive from a Web client, assuming that the default was taken when the server was configured or set up.
-> Port 443 is for SSL. Since SSL is "opaque" to outsiders, firewalls cannot see what is going inside it, and cannot do some transparent proxying.


4) HTTP & HTTPS:

-> Hypertext Transfer Protocol (HTTP) is a protocol used in networking. When you type any web address in your web browser, your browser acts as a client, and the computer having the requested information acts as a server.
-> Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted.

5) Privilege HTTPS used to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges.  
        
6) Third-party API function: The idea behind developing applications with third-party APIs is that it’s often easier to use someone else’s service than spend your own time developing a product. Third-party merchants can grant you permission to execute many different operations on their behalf.  
7) Input Validation can be used to detect unauthorized input before it is processed by the application.   
-> A Whitelist is testing a desired input against a list of possible correct input's. To do this you would compile a list of all the good input values/conditions, then verify that the input received IS one of this correct conditions.  
-> A Blacklist is testing a desired input against a list of negative input's. Basically you would compile a listing of all the negative or bad conditions, then verify that the input received is not one of the bad or negative conditions.                                                                                                                                 
After that we all had a 10 minutes break and we started tweeting about the ZAP event in the twitter. Then I started talking about ZAP API UI and OWASP Summer Code Sprint 2015.

About it: The OWASP Summer Code Sprint 2015 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Summer Code Sprint a student can get real life experience while contributing to an open source project. A student that successfully completes the program will receive in total $1500.

Follow this link- https://www.owasp.org/index.php/Summer_Code_Sprint2015

  Setting-up ZAP environment setting in the Eclipse.


ZAP Environment Setting:  
Myself,Sanjay Gouri and Sumanth helped out the Participants in installing ZAP in their Laptops.Ofcourse we faced few technical problems but at the end we successfully Installed the ZAP environment in all the laptops.


Again break for half an hour and had a palyed   OWASP Snakes & Ladders.


About it: Snakes & Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

Game Time:
Started with six players all of them throwing dice one by one to decide who should start the game first. There is also a crazy thing going over their when we were playing the game that's tweeting tweets in the twitter. So its a Game with a tweet.


After that we all had a group pic with Snakes & Ladders.



No comments:

Post a Comment