During this week's lab session, En. Mohd Zaki discussed two labs with us: Lab 4, Cryptography Extended, and Lab 5, Web Application Security. The session started with En. Mohd Zaki showing us the steps for using the RSA algorithm to produce a private and public key. En. Mohd Zaki told us that the answers to the mod calculations can be obtained from a Google search. The RSA key setup uses the formulas below:
Given primes p and q, a public exponent e and a message M, calculate:
$n = p \cdot q$
$\phi(n) = (p-1)(q-1)$
$d = e^{-1} \bmod \phi(n)$
Public encryption key, $PU = \{e, n\}$
Private decryption key, $PR = \{d, n\}$
Ciphertext, $C = M^e \bmod n$
Message, $M = C^d \bmod n$
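The key setup above, carried through in code as an added example (this is not code from the lab or from En. Mohd Zaki's notes). It implements the modular inverse with the extended Euclidean algorithm rather than looking the answer up, checks the preconditions that the formulas silently assume (p and q prime, e coprime to phi(n), M smaller than n), and runs the textbook numbers p = 17, q = 11, e = 7, M = 88, which are a constructed toy example; real keys use primes of hundreds of digits, and a 3-digit n like this one offers no security at all.

```python
from math import gcd


def is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the toy sizes used in the lab."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def mod_inverse(e: int, phi: int) -> int:
    """d = e^-1 mod phi(n); only exists when gcd(e, phi) == 1."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi(n) for d to exist")
    return x % phi


def rsa_keygen(p: int, q: int, e: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return (PU, PR) = ((e, n), (d, n)) following the lab's formulas."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = mod_inverse(e, phi)
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub: tuple[int, int]) -> int:
    """C = M^e mod n. M must be smaller than n or the message is lost to the modulus."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)


def rsa_decrypt(c: int, priv: tuple[int, int]) -> int:
    """M = C^d mod n."""
    d, n = priv
    return pow(c, d, n)


if __name__ == "__main__":
    # Constructed toy parameters (textbook-sized, insecure by design).
    pub, priv = rsa_keygen(17, 11, 7)
    print("PU =", pub, "PR =", priv)        # PU = (7, 187) PR = (23, 187)
    c = rsa_encrypt(88, pub)
    print("C =", c)                         # C = 11
    print("M =", rsa_decrypt(c, priv))      # M = 88
```

`pow(base, exp, mod)` does the modular exponentiation that the lab's "mod calculation" refers to, so the worked values can be checked without a search engine; the same function also handles the exponents of real-sized keys, which a naive `M ** e % n` would not.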
After finishing the discussion on Lab 4, En. Mohd Zaki proceeded to Lab 5, which is about Web Application Security. This lab session focused on three web application vulnerabilities: cross-site scripting (XSS), injection flaws, and malicious file execution. During this lab session, we were given a chance to perform real attacks against a web application using WebGoat and WebScarab. WebGoat is a simulation toolkit used to demonstrate how to exploit the vulnerabilities of a poorly designed web application. The web application in WebGoat is built on an insecure J2EE framework, which lets users apply their security knowledge to exploit vulnerabilities in the WebGoat application in order to understand the security issues. WebScarab is used for analysing applications that communicate over the HTTP and HTTPS protocols. WebScarab is an exploit tool that can be used as a man-in-the-middle proxy, allowing the user to review and modify requests made by the web browser before they are sent to the server, and vice versa.
After performing the Lab 5 activities, I understand that cross-site scripting (XSS) happens when an application sends data from the client to the web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface web sites, insert hostile content and conduct phishing attacks. An injection flaw like SQL injection will cause a web application to run SQL code that was not intended by the application. This allows attackers to create, read, update, or delete any arbitrary data available to the application. Malicious file execution is another web application vulnerability caused by failing to control application input. Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system.
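The three vulnerability classes above all come down to the same defect, input reaching an interpreter (SQL engine, browser, file system) without validation or encoding. As an added example, not code from WebGoat or from the lab, the block below puts a vulnerable SQL lookup beside its parameterized fix, shows output encoding for the XSS case, and a filename allow-list for the file-execution case. The `users` table, the rows in it and the `ALLOWED_EXTENSIONS` set are constructed for the example; the in-memory SQLite database stands in for the J2EE application's real one.

```python
import html
import os
import sqlite3

# Constructed allow-list: what this hypothetical upload endpoint is willing to store.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Injection flaw: the user's input becomes part of the SQL text itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: a bound parameter is data to the engine, never SQL syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name: str) -> str:
    """XSS mitigation: encode for the HTML context before echoing input to the browser."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def safe_upload_name(filename: str) -> str:
    """Malicious-file mitigation: strip any path, then allow only listed extensions."""
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if not name or name.startswith(".") or ext not in ALLOWED_EXTENSIONS:
        raise ValueError("rejected upload name: " + repr(filename))
    return name


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed tautology input, the classic WebGoat-style test
    print(len(lookup_unsafe(conn, probe)), "rows from the vulnerable query")   # 2
    print(len(lookup_safe(conn, probe)), "rows from the parameterized query")  # 0
    print(render_greeting("<script>alert(1)</script>"))
    print(safe_upload_name("report.pdf"))
```

In a WebScarab session the interesting observation is that the browser-side form field is irrelevant to the outcome: the proxy lets the tester rewrite the request after the browser has validated it, so only the server-side versions of these checks count.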