1
00:00:00,120 --> 00:00:03,580
Here is the classification of Web attack types.

2
00:00:03,600 --> 00:00:10,140
It's based on the OWASP Testing Guide. OWASP, the Open Web Application Security Project, is a worldwide not-for-

3
00:00:10,140 --> 00:00:13,800
profit organization focused on improving the security of software.

4
00:00:14,460 --> 00:00:19,920
It means you collect information about the app, attack surfaces, application users, et cetera, as

5
00:00:19,920 --> 00:00:20,820
much as possible.

6
00:00:21,870 --> 00:00:25,350
This information is used to determine the attack method.

7
00:00:25,830 --> 00:00:31,740
It's a good approach to test the configurations of each mechanism while information gathering. The

8
00:00:31,890 --> 00:00:37,230
configurations may cause weaknesses, and those weaknesses might be used to hack the app.

9
00:00:38,320 --> 00:00:42,760
Then data exchanged between the client and the server is manipulated.

10
00:00:42,970 --> 00:00:45,610
The application is forced to make mistakes.

11
00:00:45,640 --> 00:00:50,260
We analyze what the application does in unexpected situations.

12
00:00:51,160 --> 00:00:54,700
The authentication mechanism is a critical part of an app.

13
00:00:55,300 --> 00:00:57,870
We'll try to find out the flaws of the mechanism.

14
00:00:57,880 --> 00:01:03,130
If the application has more than one user type, authorisation problems may appear.

15
00:01:03,820 --> 00:01:09,640
We manipulate user rights and roles and try to do something that we are not allowed to do.

16
00:01:10,610 --> 00:01:13,880
The session management mechanism is the next target.

17
00:01:14,090 --> 00:01:21,710
The session is a unique identifier of the user, and the person who steals the session of a user can act

18
00:01:21,950 --> 00:01:22,820
as that user.

19
00:01:23,830 --> 00:01:30,010
Business logic flaws are not found by automated tools; analyze the procedures of the app carefully.

20
00:01:31,120 --> 00:01:36,310
Tamper with the procedure flows, change the order of procedures, etc.