
Home - Browserscope


Scanning Web Applications That Require Authentication

Web applications that manage sensitive data are usually protected with either basic or form-based authentication. Nessus can be configured with the appropriate credentials for these authentication schemes as they relate to web application testing. This post covers these authentication schemes in depth and explores some of the problems you may run into when scanning with credentials, and how to overcome them.

Basic Authentication

For web applications, or sections of web applications, that require basic authentication, you can enter one username and password pair that Nessus will use each time it is prompted for credentials. Note that basic authentication only Base64-encodes the username and password in the Authorization header; it does not encrypt them. Anyone who can observe the request can recover the password unless the connection itself is protected by TLS (HTTPS), so scan over HTTPS wherever the target offers it. Without successful authentication, none of the protected pages and CGI programs would be tested for vulnerabilities.

Form Based Authentication
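As an added example (not code from the Tenable post or from Nessus), the following Python builds a Basic Authentication header the way a client or scanner does (RFC 7617), decodes one back out of a captured request to show the password is recoverable without any key, and classifies whether the credentials for a given target URL travel in the clear. The hostname, path and credentials are constructed for the illustration.

```python
"""Build and decode HTTP Basic Authentication headers (RFC 7617).

Added illustration for the basic-auth note above; not Tenable or Nessus
code. The point it demonstrates: Base64 is an encoding, not encryption,
so confidentiality of the password depends entirely on TLS.
"""
import base64
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value a client sends for Basic auth."""
    if ":" in username:
        # RFC 7617: the user-id may not contain a colon, because the colon
        # separates user-id from password in the decoded token.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover (username, password) from a Basic Authorization header value.

    This is exactly what a passive observer on a non-TLS path can do.
    Only the first colon separates the fields, so passwords may contain ':'.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("decoded token lacks the ':' separator")
    return user, password


def credentials_from_request(raw_request: str) -> tuple[str, str]:
    """Pull the Basic credentials out of raw HTTP request text (CRLF lines)."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return decode_basic_auth(value)
    raise ValueError("no Authorization header in request")


def credential_transport(url: str) -> str:
    """Classify how Basic credentials travel to a scan target URL.

    'cleartext' for http://, 'tls-protected' for https://. The Base64
    encoding contributes nothing to confidentiality in either case.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "tls-protected"
    if scheme == "http":
        return "cleartext"
    raise ValueError(f"unsupported scheme: {scheme!r}")


# Constructed sample request (hostname, path and credentials are made up):
# what a scanner configured with user 'scanner' / password 'S3cur3P@ss'
# would put on the wire for a basic-auth protected CGI.
SAMPLE_REQUEST = (
    "GET /admin/report.cgi HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Authorization: Basic c2Nhbm5lcjpTM2N1cjNQQHNz\r\n"
    "\r\n"
)


if __name__ == "__main__":
    header = basic_auth_header("scanner", "S3cur3P@ss")
    print(header)
    print(decode_basic_auth(header))
    print(credentials_from_request(SAMPLE_REQUEST))
    print(credential_transport("http://intranet.example.test/admin/report.cgi"))
```

Running the block prints the header, the recovered username and password, and `cleartext` for the http:// target; an https:// target yields `tls-protected`, which is the only case in which the Base64 token is not trivially readable by an on-path observer.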

BLADE - Block All Drive-by Download Exploits

Web Application Exploits and Defenses

Setup

To access Gruyere, go to AppEngine will start a new instance of Gruyere for you, assign it a unique id and redirect you to (where 123 is your unique id). Each instance of Gruyere is "sandboxed" from the other instances, so your instance won't be affected by anyone else using Gruyere. You'll need to use your unique id instead of 123 in all the examples. If you want to share your instance of Gruyere with someone else (e.g., to show them a successful attack), just share the full URL with them, including your unique id. The Gruyere source code is available online so that you can use it for white-box hacking.

Running locally

WARNING: Because Gruyere is very vulnerable, it includes some protection against being exploited by an external attacker when run locally.

To run Gruyere locally, you'll first need to install Python 2.7, if you don't already have it.

$ cd <gruyere-directory>
$ .

Reset Button

About the Code

OWASP
