Hacking Tricks

A new bad news comes in the form of new Android Malware called BadNews. This new malware has been found in more than 9 million downloads. Security Firm Lookout found this malware in 32 apps. Most of these 32 apps were available in Google Play and target Russian users.

If you are a developer, owner of a software firm or a testing engineer, you must know the importance of security testing. Hackers are everywhere and they always try to intrude in the system, network and applications. If we talk about Web application penetration testing, there are so many tools available. In this post, we will see how to use Websecurify for penetration testing of web applications.

World's most popular online document sharing website Scribd is the latest member of cyber attacker. Company has posted a security announcement in which it claims that attackers try to access users' information. Company is also asking users to change their passwords. Scribd has already sent mail to all affected users.

“Earlier this week, Scribd’s Operations team discovered and blocked suspicious activity on Scribd’s network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users,” Scribd posted in security announcement.

“Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords,” It added.

Scribd store password in strong hashing encryption, so it is very hard for attackers to see actual passwords of users. But company do not want to take chances. This is why it is asking users to change their passwords.

If you have not received any security email from the company, you can manually check whether your account was hacked or not by using the link below. Visit the link and enter your email address. 

http://www.scribd.com/password/check

I also suggest users to have habit of selecting strong passwords. Read how to select a smart password and protect your accounts from being hacked.

With the increasing popularity of Android devices, security companies are developing penetration testing tools for this platform. If you own a WordPress website, now you can scan it for known security vulnerabilities with WpScan Android app. 

Few hours ago, Popular tech company Evernote has also confirmed that hackers have broken into their systems. Company revealed that hackers have access the emails addresses and encrypted passwords.

• -          Injections (SQL, LDAP, code, commands, and XPATH)
• -          CRLF
• -          HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw incl. buffer overflow)

• -          Very simple usage
• -          Pretty powerful for fast testing
• -          Doesn’t require any experience for using

• -          The options are placed randomly across the tool.
• -          Report is not very detailed and it doesn’t group the results.
• -          The tool hasn’t been updated since 2009.

• -          So many tools
• -          Great policy management
• -          Detailed and professional report
• -          Great community

• -          Annoying advertising window
• -          The interface of N-Stalker is very similar to the software from Microsoft Office.
• -          The free version is useless; see the options that are offered in the free version –http://www.nstalker.com/products/compare-editions/security-checks/.
• -          The enterprise edition has a very expensive price for unlimited website license – $5,000 (should be named Overpriced Edition).

• -          Clear and concise user guide
• -          Lots of plugins
• -          On the official web site, every plugin is described in detail.
• -          Scanned URLs are nicely displayed.

• -          Need some time to get used to it
• -          Unhandled exception was raised – you will probably find the Bug Detected screen annoying.

Its a bad news for Twitter users. Today, Twitter has announced that some hackers gained access to its network and compromised few user accounts. According to Twitter, 250,000 Twitter accounts may be compromised. Twitter has also started sending notification emails to all compromised account users.

If you are a regular Twitter user, I will advise you to change your Twitter password now. 

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users,” Twitter announced in a blog post.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Twitter quoted to a news agencies. “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked.” 

Nothing about this hack was explained in the announcement. But few researcher claimed that this hack had been performed by using Java Vulnerability produced earlier this month. A Twitter employee’s home or work computer was compromised through a vulnerability in Java.  

Twitter users have to face this kind of breaches every year. I also advised users to follow all security tips to protect their account from hackers.

If you have few knowledge about password cracking and know few password crackers, I am sure you already know about Cain and Able. Cain and Able is one of the most popular password cracking tools. You can learn more about this tool in our security tools gallery.

Officially, Cain and Able is a password recovery tool available for Windows operating systems and supports all available version of Windows. It allow users to crack various types of passwords.To crack the password, it uses various methods that includes Brute-Force, cracking encryption using Dictionary, sniffing on network, decoding scrambled passwords, revealing password boxes, uncovering cached passwords, recovering wireless network keys and analyzing routing protocols. There are few other methods and more is being added in each new version of the tool.

Cross Site Scripting is also a well known vulnerability and it can be found in most of the popular websites. If you are regular reader of Hacking Tricks, you already know that I found XSS in Amazon, Adobe, eBay, PandaSecurity, Symantec, QuickHeal, K7Antivirus and many other popular websites.

Cross Site Scripting (abbrivated as XSS) is a web application vulnerability that allows attackers to execute external JavaScript and VBScript code on a web application. By taking the advantage of this, attacker can cause a web page to execute a malicious code on any user's browser. Most popular use of this attack is cookie stealing that can cause session hijacking. The malicious code could provide a hacker with full Read/Write access to browser cookies, browser history files, or even permit the download/installation of malware.
How to find XSS in a website?
XSS is performed as a form of user input. If a website does not filter and sanitize user input properly. To test a website, we will take each place in a website that accepts user input (such as search forms, login forms, profile forms etc.)

Now enter the following codes one by one and see whether it shows a pop up box saying 
'XSS' or not

<script>alert('XSS')</script>

<script>alert(/XSS/)</script>

"><script>alert(/XSS/)</script>

'>><script>alert(/XSS/)</script>

'></style><script>alert(/XSS)</script>

'></script><script>alert(/XSS)</script> 

<b onmouseover=alert('Wufff!')>click me!</b>

<img src="0" onerror=alert(document.cookie);>

If you are successful in getting a pop-up, you have found a XSS vulnerable website.

Now you need to know one thing that a website not showing pop-up is not necessary to be safe. These codes were for finding simple XSS. Most of the websites already have proper mechanism to filter these code. Developers now filter <script> tags and alert() functions to prevent users from injecting these testing codes.

Read: Cookie Stealing via XSS

Types of XSS

There is no standard classification of Cross Site Scripting but most of the experts classified it in two main flavors. Non-persistent and Persistent. Now DOM based CSS is also very famous and people now classify as traditional and DOM based.

Non-persistent or Reflected XSS
Non-persistent (or Reflected) XSS is a most common type of XSS. In which injection codes are are reflected off the browser. Websites's search form is the example of this. When we search  in a website. Website shows the search results with the query. If we inject a code in place of query, it will execute the query where it has to display the query in the search results page.


Persistent or Stored XSS Attacks
Persistent or Stored attacks are those where the injection code is permanently stored in the website's database. The page that shows the database information will execute the stored code. 

This can be found in message boards. Suppose a message board is vulnerable to XSS. If we post a message with XSS injection, it will execute the script whenever we show the message page.

DOM based XSS or type-0 XSS
DOM based XSS or type-0 XSS is an attack in which attack payload is executed as a result of modifying the DOM of a website. In this the page remains the same but malicious injection is executed by modifying the dom.

Read Whitepaper on DOM based XSS


How to reduce the threat?

Primary defense against XSS is encoding/ escaping the output. These are several escaping that must be used. Proper sanitization and encoding is the way to protect website against this attack.

Users can also disable scripts on their browser to protect themselves.

Download "Key Website Security Facts to Know for Small Business" free whitepaper