Sunday, April 21, 2013
Posted by Deepanker Verma Tuesday, April 16, 2013
If you are a developer, the owner of a software firm or a testing engineer, you must know the importance of security testing. Attackers are everywhere and constantly try to intrude into systems, networks and applications. When it comes to web application penetration testing, there are many tools available. In this post, we will see how to use Websecurify for penetration testing of web applications.
Posted by Deepanker Verma Friday, April 5, 2013
Scribd, the world's most popular online document sharing website, is the latest victim of a cyber attack. The company has posted a security announcement stating that attackers tried to access users' information, and it is asking users to change their passwords. Scribd has already sent mail to all affected users.
“Earlier this week, Scribd’s Operations team discovered and blocked suspicious activity on Scribd’s network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users,” Scribd posted in security announcement.
“Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords,” it added.
Scribd stores passwords using strong hashing, so it is very hard for attackers to recover users' actual passwords. But the company does not want to take chances, which is why it is asking users to change their passwords.
If you have not received a security email from the company, you can manually check whether your account was affected by using the link below. Visit the link and enter your email address.
I also suggest that users get into the habit of choosing strong passwords. Read how to select a smart password and protect your accounts from being hacked.
Categories: Cyber News
Posted by Deepanker Verma Sunday, March 17, 2013
Sometimes it is hard to find the admin login page of a website because it is not linked from the main site. Once I found a SQL injection vulnerability in a website and easily got the admin user name and password. The next step was finding the admin login page to try the password, but it took hours to find the page.
Posted by Deepanker Verma Friday, March 15, 2013
Posted by Deepanker Verma Sunday, March 3, 2013
Posted by Deepanker Verma Saturday, February 23, 2013
Penetration testing is the process of finding security vulnerabilities in a web application; it can also be seen as security testing. To simplify the testing process, many manual and automatic tools are available. By using these tools, we can find vulnerabilities faster than with purely manual methods.
There are many penetration testing tools available. You can find most of them in the Security testing tools collection.
As there are many open source, free and premium tools, it is hard to select the best tool for you. Here I am listing a few penetration testing tools along with an explanation of how to use them.
- Official web site: http://www.powerfuzzer.com/
- License: Open Source (GNU General Public License)
- Additional Information: No changes made since 2009
Usage and capabilities:
So the first tool I am going to describe is Powerfuzzer v1 Beta. I chose this tool first because it is the simplest to use, which makes it an excellent tool for beginners.
Figure 1. User interface of Powerfuzzer v1 Beta
As you can see, its usage is straightforward. “Target URL” is the site that will be tested, and “Exclude URL/s or dir” lets you exclude directories or links that you don’t want tested, such as scripts for deleting users. “Credentials” is for parts of your web application that require a username, password or session. “Proxy” is used to make the testing anonymous. “Timeout” sets the timeout between requests. “Verbosity” selects the “strength” of the testing, such as the number of requests and tests. According to the official website, this tool detects the following types of vulnerabilities:
- Injections (SQL, LDAP, code, commands, and XPATH)
- CRLF
- HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw incl. buffer overflow)
The scan report (the results of the scanning) is displayed as simply as possible, as in the following picture. As you can see, if a vulnerability is found, it is described in the following format: “
with parameters coming from
Figure 2.Displaying the results when the scanning is finished
- Very simple usage
- Pretty powerful for fast testing
- Doesn’t require any experience to use
- The options are placed randomly across the tool.
- The report is not very detailed and it doesn’t group the results.
- The tool hasn’t been updated since 2009.
- Official web site: http://www.nstalker.com/
- License: Enterprise, Infrastructure and Free edition
- Additional Information: Lots and lots of tools in one
Usage and capabilities:
Figure 3. User interface of N-Stalker
When you see this tool, you can conclude that it is made professionally for professional use. From the main screen, you can see that everything is nicely grouped and organized which makes penetration testing easy even for beginners. Because there are a lot of offered options, I will only explain the parts that look interesting to me such as the scanning process, the policy editor and the report manager.
Figure 4. Selected option from the menu – Policy Editor
I’ll start with the Policy Editor, because before performing a scan, you need to set a Policy with well defined rules. When you start the Policy Editor, you will see a nice tree of rules shown on the left side and its description displayed on the right side.
Figure 5. Options of Policy editor
The description of the current rule is pretty good and detailed and it is composed of: name of the vulnerability, level of severity, vulnerability class, target server, common references, description, solution/fix for the vulnerability and URL references.
Figure 6.Description of a rule
Figure 7. Create, close and save options
When you are finished setting the rules for the policy, you can also give it its own name (usually I name it after the target that I scan).
Figure 8. Create, close and save options
So, the next option that I will explain is the scanning. When you start the Scan Wizard (you can do that by clicking the top-left button Start), the following screen will appear (Figure 7). Here you can add your application URL and then choose the Scan Policy, which defines what kind of test you will perform, or you can choose a previous Scan Session. The Load Spider Data option will not be described since it’s not available in the free version of N-Stalker.
After setting up the target, the next step is to Optimize Settings. Here you can find a lot of options where you can customize your scan policy even more. There are options where you can set information about Authentication (if there is any authentication set on your web application), False-Positive mechanism where you can set rules for skipping links that have some file extensions, info pages for displaying status of the web application (like 404, 403 and etc.) or set up a regular expression for a filter. The Engine is an option where you can define the settings for the web spider and Miscellaneous is the part where you set which host is allowed to be scanned or not.
You can try these options by yourself; I will just continue with the optimization, so click Optimize and see what will happen.
Figure 9.Options for the step Optimizing Settings
When you are finished with the optimization process, the next step is the summary step, where you can see detailed information about the scan session that will be performed.
Figure 10.Summary of the defined setting for the scan session
When you start with the scanning (you can do that by clicking the button of top-left Start Scan), you will notice that the scanning environment is really something special. That’s because of the Website Tree tab and the Scanner Events tab where every action is nicely grouped and where the directory of the scanned web application can easily be viewed. The Website Tree is the grouping made for the files that the application is composed of (but not all files of the application, because sometimes there could be a scenario where there are defined rules for access restriction). Then there’s the Scanner Events – the event viewer for the results of the scanning and the Scanner Dashboard where you can see the information for a chosen event from the Scanner Events tab.
Figure 11.Performing a scan
When you have finished with the scanning process, the Results Wizard will appear and here you can choose to save or discard the results of the scanning session.
Figure 12.Finishing touch of the scanning process
When you’re finished with the session, open the Report Manager. On the left side on the Available Scan Session tab, choose the report of the scan session that you have saved. Here is my favorite part: right click on the result and choose Technical Report -> Generate PDF. When you have finished generating the PDF, open it and you’ll see that this is an awesome feature of N-Stalker. The report is well organized, very detailed, the results are nicely grouped, and even the scanning policy is part of the report where you can see what rules you have used. That’s all for N-Stalker.
- So many tools
- Great policy management
- Detailed and professional report
- Great community
- Annoying advertising window
- The interface of N-Stalker is very similar to the software from Microsoft Office.
- The free version is useless; see the options that are offered in the free version: http://www.nstalker.com/products/compare-editions/security-checks/.
- The enterprise edition has a very expensive price for an unlimited website license – $5,000 (should be named Overpriced Edition).
- Official web site: http://w3af.sourceforge.net
- License: Open Source (GNU General Public License)
- Additional Information: On the official website, every plugin is described in detail. w00t!
- Tested version: v1.2 Revision:6647
Usage and capabilities:
The first time you open w3af, you will find it pretty confusing because all the options displayed at the top are icons without any text describing what kind of tools they are. With a mouse-over you will find the description of these icons, but that is not very convenient (especially when you repeat the same action many times). I hope that the developers will change this.
Figure 13.w3af interface
We will begin with the Profiles tab, which serves as a policy of rules defined for the scanning. You can create, delete or modify a Profile. The grouping is nicely organized, but the title of the profile lacks a description.
Figure 14.Grouping of the profiles
When you select a profile, the pair Plugin and Active will show you which tools and types of tools are selected for the current scanning session. Again the grouping is nicely done, but this tab lacks descriptions, so I hope the developers will consider improving this.
Figure 15.Scanning options for the profiles
Figure 16. Defining the target that will be scanned
In the Target bar, just input the URL of your web application and click start in order to start the scanning process.
Figure 17. Creating a profile wizard
To create a profile for a scanning session, start the wizard by clicking the first icon on the top bar. To be honest, the wizard is excellent. In the first step, you select what kind of wizard, infrastructure or short, will be used. The next thing is to define the target that will be scanned.
Figure 18. Defining the target
Figure 19. Selecting type of plugin/s
After defining the target’s link, you choose which type of plugins will be included for your scanning sessions.
Figure 20. Selecting type of plugin/s
Figure 21. Naming the profile
The last step is to define the name of the profile (I just skipped some). After you finished creating the profile, start the scanning session and see what will happen.
Figure 22. Display of logs
The log tab is the place where you can view additional information about the current scanning session.
Figure 23. Display of the scanned URLs
In the Results tab, you can view the directory tree of your application which looks pretty awesome.
Figure 24. Exploiting the vulnerabilities found
And the last part is the Exploit tab where you can exploit the vulnerabilities that have been found.
- Clear and concise user guide
- Lots of plugins
- On the official web site, every plugin is described in detail.
- Scanned URLs are nicely displayed.
- Needs some time to get used to
- An unhandled exception was raised – you will probably find the Bug Detected screen annoying.
You can make a conclusion for a tool after you experienced using it. I hope you liked my selection of tools for penetration testing. I don’t want to offend anybody with this review; it’s just my point of view that every tool could be improved and become even better. Hope you liked my selection of tools and see you in the next edition.
Dame Jovanoski is a security researcher for InfoSec Institute. InfoSec Institute is a computer security training company that provides popular CEH v8 Ethical Hacking Boot Camps.
Posted by Deepanker Verma Saturday, February 2, 2013
It's bad news for Twitter users. Today, Twitter announced that hackers gained access to its network and compromised some user accounts. According to Twitter, 250,000 Twitter accounts may be compromised. Twitter has also started sending notification emails to the owners of all affected accounts.
If you are a regular Twitter user, I will advise you to change your Twitter password now.
“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users,” Twitter announced in a blog post.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Twitter told news agencies. “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked.”
Nothing about how this hack was carried out was explained in the announcement, but a few researchers claimed that it was performed using the Java vulnerability disclosed earlier this month: a Twitter employee’s home or work computer was compromised through a vulnerability in Java.
Twitter users face this kind of breach every year. I also advise users to follow all the security tips to protect their accounts from hackers.
Posted by Deepanker Verma Saturday, January 26, 2013
If you have some knowledge of password cracking and know a few password crackers, I am sure you already know about Cain & Abel. Cain & Abel is one of the most popular password cracking tools. You can learn more about this tool in our security tools gallery.
Officially, Cain & Abel is a password recovery tool for Windows operating systems and supports all available versions of Windows. It allows users to crack various types of passwords. To crack passwords, it uses various methods, including brute force, dictionary attacks against hashes, network sniffing, decoding scrambled passwords, revealing password boxes, uncovering cached passwords, recovering wireless network keys and analyzing routing protocols. There are a few other methods, and more are added in each new version of the tool.
Posted by Deepanker Verma Friday, January 18, 2013
Cross Site Scripting (XSS) is also a well known vulnerability and can be found in many popular websites. If you are a regular reader of Hacking Tricks, you already know that I found XSS in Amazon, Adobe, eBay, PandaSecurity, Symantec, QuickHeal, K7Antivirus and many other popular websites.
How to find XSS in a website?
XSS is delivered through user input that a website does not filter and sanitize properly. To test a website, we take each place that accepts user input (such as search forms, login forms, profile forms etc.).
Now enter the following codes one by one and see whether a pop-up box saying 'XSS' appears:
<script>alert('XSS')</script>
<script>alert(/XSS/)</script>
"><script>alert(/XSS/)</script>
'>><script>alert(/XSS/)</script>
'></style><script>alert(/XSS/)</script>
'></script><script>alert(/XSS/)</script>
<b onmouseover=alert('Wufff!')>click me!</b>
<img src="0" onerror=alert(document.cookie);>
If you are successful in getting a pop-up, you have found an XSS vulnerable website.
One more thing to know: a website that shows no pop-up is not necessarily safe. These codes were for finding simple XSS. Most websites already have a mechanism to filter them; developers now filter <script> tags and alert() calls to stop users from injecting these testing codes.
Read: Cookie Stealing via XSS
Types of XSS
There is no standard classification of Cross Site Scripting, but most experts classify it into two main flavors: non-persistent and persistent. DOM based XSS is now also well known, and people now classify XSS as traditional or DOM based.
Non-persistent or Reflected XSS
Non-persistent (or reflected) XSS is the most common type of XSS, in which the injected code is reflected straight back in the response. A website's search form is an example: when we search on a website, it shows the search results together with the query. If we inject code in place of the query, it executes at the point where the results page displays the query.
Persistent or Stored XSS Attacks
Persistent or stored attacks are those where the injected code is permanently stored in the website's database. Any page that displays that database content will execute the stored code.
This can be found in message boards. Suppose a message board is vulnerable to XSS. If we post a message containing an XSS injection, the script will execute whenever the message page is shown.
DOM based XSS or type-0 XSS
DOM based XSS or type-0 XSS is an attack in which the payload is executed as a result of modifying the DOM of a page. The page itself remains the same, but the malicious injection is executed by modifying the DOM.
Read Whitepaper on DOM based XSS
How to reduce the threat?
The primary defense against XSS is encoding/escaping the output. Several different escaping schemes must be used, depending on the context in which the output is placed. Proper sanitization and encoding is the way to protect a website against this attack.
Users can also disable scripts on their browser to protect themselves.
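As an added example (not code from the original post), the following Node.js script puts the two halves of this section together: it takes the probe strings listed above as constructed input, feeds them to a reflected search page built by raw string concatenation and to the same page with output encoding applied, and reports which tags a browser would parse out of each response beyond the ones the template itself writes. The renderer, the escaping function and the tag check are all assumptions of this example, not any real site's code.

```javascript
// Added example: output encoding as the primary XSS defense, exercised
// against the probe strings from the post. Node.js, no dependencies.

// Constructed test input: the probes listed in the post above.
const PROBES = [
  "<script>alert('XSS')</script>",
  "<script>alert(/XSS/)</script>",
  "\"><script>alert(/XSS/)</script>",
  "'>><script>alert(/XSS/)</script>",
  "'></style><script>alert(/XSS/)</script>",
  "'></script><script>alert(/XSS/)</script>",
  "<b onmouseover=alert('Wufff!')>click me!</b>",
  "<img src=\"0\" onerror=alert(document.cookie);>",
];

// Escape the five characters that can open or close markup or break out of
// a quoted attribute. This is the encoding for the HTML body and for
// double- or single-quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical reflected search page: the query is echoed in the body and
// inside an attribute. Vulnerable version: the raw query is concatenated.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p><input name="q" value="${query}">`;
}

// Hardened version: same template, the untrusted value encoded once for
// both contexts (body text and double-quoted attribute).
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: ${q}</p><input name="q" value="${q}">`;
}

// Tag names a browser would parse out of the response. The template only
// writes <p> and <input>; any other tag name came from the reflected input.
const TEMPLATE_TAGS = new Set(["p", "input"]);
function foreignTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Number of probes that inject at least one tag through the given renderer.
function countLiveReflections(render) {
  return PROBES.filter((p) => foreignTags(render(p)).length > 0).length;
}

// Stand-alone run: per-probe comparison of both renderers.
function demo() {
  for (const p of PROBES) {
    console.log(JSON.stringify(p));
    console.log("  vulnerable injects:", foreignTags(renderSearchVulnerable(p)).join(",") || "(none)");
    console.log("  hardened injects:  ", foreignTags(renderSearchSafe(p)).join(",") || "(none)");
  }
  console.log(`live reflections: vulnerable=${countLiveReflections(renderSearchVulnerable)}, hardened=${countLiveReflections(renderSearchSafe)}`);
}
demo();
```

Every probe injects a tag through the vulnerable renderer and none through the hardened one, including the `"><` and `'><` variants that break out of the attribute, because the quote characters are encoded along with the angle brackets. The same context rule applies to the DOM based case: a client-side script that writes untrusted data with `textContent` rather than `innerHTML` is doing the same encoding step in the browser. The tag check here is a rough stand-in for a browser; it is enough to show the effect of the encoding but is not a substitute for testing in a real one.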
Posted by Deepanker Verma Thursday, January 17, 2013
The last 3-4 years have seen tremendous growth in the success of Facebook, a social networking website. Facebook's phenomenal success has made it the No.1 social networking website today; in fact, it has beaten Google in the number of visitor visits for one entire week. But things do not always go the way one expects. Positive and negative experiences go head to head, and Facebook is not flawless either. Recently, many flaws were revealed. Most of Facebook's flaws are in its privacy policies and account settings. Sharing information through this social networking site may not be all that great: it can happen that Facebook's marketing efforts lead to serious threats to account holders' privacy. This article discusses some of the most important hidden dangers of Facebook.
Categories: facebook hacking
Posted by Deepanker Verma Wednesday, January 16, 2013
Hello readers. Although I am not very active now because I have less time available, I try my best to provide the best resources to you all. Today, I got a nice ebook on Windows 8 that costs $9.95, but you can download it for free from Hacking Tricks.
This book covers most of the problems users are facing with Windows 8. Windows 8 is totally different from older versions of Windows and does not have a Start button, so people are facing problems while using it. This new version of Windows is also optimized for touchscreens. According to security researchers, Windows 8 is also the most secure operating system from Microsoft.
If you are interested in the Windows 8 operating system, you can use this step by step guide to solve all your Windows 8 problems.