Category: Web App Security

24 Oct 2017

How to become a hacker in 10 mins?

Hey, welcome again everyone to this new blog post. This one is quite different from the other posts, because in it we will tell you how to become a hacker. It is mainly for people starting out in the cyber-security field, or for anyone who wants to learn how to hack after watching the super amazing hacks in “MOVIES” 😉

First thing first. Let’s get rid of the MISCONCEPTION:

Hey, a hacker’s work is really cool. They just open their laptop, type something and WHOA, they hack into a company’s database, hack a person’s social accounts and much more. We agree that this is what most people picture when they think of becoming a hacker.

So let us clear up that misconception. This is nothing like real-world hacking. Yes, hackers do break into company systems or steal Wi-Fi passwords, but it doesn’t happen in the course of five minutes as shown in movies and TV shows. It takes a lot of time and unshakable enthusiasm to carry out these operations. It can take a couple of hours or even a month to do this kind of thing. Yes, you read that correctly, we said “MONTH”. And what is the profit in hacking someone’s account if you get caught after doing so? Movies don’t show that part. So stay sharp, and welcome to the real world.

Ok, you are here now. There can be three reasons why you are reading this post:

    • You are completely bored with your job and want to take a dive into the security field.
    • You were just randomly going through “security” posts and landed here.
    • And the best of all: Hail yeah, you really want to become a hacker. The idea of seeing something that normal eyes can’t see, the freedom to learn anything and do anything, is burning inside you. And you think that “Knowledge should be free”.

We are not trying to promote any malicious intent the reader might have. Take this in good faith, and don’t think all hackers are bad people. There are hackers who have done some awesome things in the past, so stay on the right path, because there is a very thin line between right and wrong.:)

Now, let’s get to the point. Whatever your reason for being here, you are welcome. Read the entire post, and we hope you become a hacker in 10 mins.;)

What do you require?

Knowledge is everything? Hmm, somewhat correct, but not in this field.
The most important thing is a passion for learning, and by that we mean keeping on learning new things daily. Technology changes every day. If you come across an old report where a hacker found a vulnerability on a website, or the write-up of the Samy worm that hit MySpace, and you try to do the same thing, ALAS! it won’t work now. Those companies have long since patched it, and they have taken extra security measures in the current situation, where there are cases of malicious hacking every day. So keep up to date with the latest technologies, because they will be your greatest tools for preparing a hack.

Let’s not waste time now and see what you need to learn as a beginner in hacking. And yes, we mean all of it.

1. Install Linux:

We have heard people say that Linux is hard to use and not meant for day-to-day use. We find it quite embarrassing when we hear that from people who haven’t even spent a week with any Linux distribution. We use Ubuntu for our day-to-day work and yes, it works wonderfully. And when we say that, we mean we are happier with Ubuntu than we were with our Windows 8 installation. We are really sorry if any Windows fan reading this post thinks we are disrespecting Windows. We are just saying that Windows is very user-friendly and perfect for family and daily use if you just watch movies, play games, do some Word and Excel work and you are done. But Windows is a big no-no in the hacking industry. Hacking tools are most of the time written specifically for Linux distributions, and Linux gives you far more control over your system.
So try Linux. There are different distributions available like Ubuntu, Fedora, Kali Linux and CentOS. If you haven’t used Linux before, install Ubuntu; you will also get a good community of Ubuntu users and can get all your doubts cleared in a very short span of time.

2. Learn Linux Commands:

What is the use of Linux if you only ever use the GUI? So learn Linux commands. By that we mean some basic commands. You don’t have to learn all the commands available and think you are a Linux expert now. When you are starting out, just learn the basic commands and move on.
This is the book we personally prefer for learning Linux commands. Here is a download link to the PDF: The Linux Command Line.
Also, for starters, you can take a Linux course on Cybrary, and yes, it’s free. Here is the link.

So make sure to study it after installing Linux and you will learn many new things. Trust me, Linux is the best.:)

3. Scripting Language:

This is the best part. Hacking doesn’t always mean breaking into things; it also means making your tasks easier and automating them. Scripting languages are very handy for that: for example, a small script that downloads all the PDFs linked from a page without you having to open the page and click every link. There are many scripting languages, but Python and Bash are the most popular, because many tools have already been written in them and they have a huge following. You can learn both if you already have some programming knowledge. If you are new to programming, we highly recommend learning Python in depth. Python will serve you both as a programming language and as a scripting one, and it takes much less time to understand a program’s details in Python. There are also a whole bunch of Python tutorials on the internet and on YouTube, so start with the basics and then move on to the advanced sections.
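The PDF-downloading script mentioned above, written out as an added example (it is not code from the original post): it collects every PDF link on a page, resolves relative links, skips duplicates, and only uses the last path component as the file name so a crafted link cannot write outside the destination folder. The sample page embedded below is constructed so the link-extraction step runs offline; the URLs in it are made up.

```python
"""Collect and download all PDFs linked from a web page (added example)."""
import os
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import urlopen


class LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_pdf_links(html, base_url):
    """Returns the absolute URLs of all PDF links in the page, in page order,
    without duplicates. Relative links are resolved against base_url, and the
    extension check is done on the URL path so a query string cannot hide it."""
    parser = LinkCollector()
    parser.feed(html)
    seen = set()
    links = []
    for href in parser.hrefs:
        absolute = urljoin(base_url, href)
        if urlparse(absolute).path.lower().endswith(".pdf") and absolute not in seen:
            seen.add(absolute)
            links.append(absolute)
    return links


def download_all_pdfs(page_url, dest_dir):
    """Fetches the page and saves each linked PDF into dest_dir. Only the last
    path component is used as the file name, so a link such as ../../x.pdf
    cannot write outside dest_dir. Needs network access; not run offline."""
    os.makedirs(dest_dir, exist_ok=True)
    html = urlopen(page_url).read().decode("utf-8", errors="replace")
    saved = []
    for link in find_pdf_links(html, page_url):
        name = os.path.basename(urlparse(link).path) or "download.pdf"
        target = os.path.join(dest_dir, name)
        with urlopen(link) as resp, open(target, "wb") as out:
            out.write(resp.read())
        saved.append(target)
    return saved


# Constructed sample page standing in for a real one (made-up URLs).
SAMPLE_PAGE = """
<html><body>
  <a href="/docs/intro.pdf">Intro</a>
  <a href="guide.PDF?version=2">Guide</a>
  <a href="https://cdn.example.com/papers/paper1.pdf">Paper</a>
  <a href="/docs/intro.pdf">Intro again</a>
  <a href="/about.html">About</a>
  <a href="mailto:someone@example.com">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    for link in find_pdf_links(SAMPLE_PAGE, "https://example.com/library/index.html"):
        print(link)
```

Run it as `python fetch_pdfs.py` to see the three PDF links extracted from the sample page; call `download_all_pdfs("https://example.com/library/index.html", "pdfs")` against a real page you are allowed to fetch to actually save the files.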

4. Networking:

And here comes the boss. This is the really important stuff. Learn about TCP/IP, the different ports, HTTP, HTTPS and much more. Read about subnets and wireless technologies like WEP, WPA and WPA2.
Learn how a website works, how a request is sent and how the server sends the response. There is a lot to learn in networking, so devote some time to it, because it will come in very handy in the hacking process.
If you are starting out or want to refresh your skills, you can check out this awesome networking course on Cybrary. Just click on the link here.

5. Virtualization technologies:

You will need a target to practice your hacking on. For this, download and install VMware or VirtualBox. This software lets you run an instance of an operating system without making any changes to your host OS. So install different VMs and practice hacking on them, instead of breaking into someone else’s system illegally.

6. Security concepts:

You won’t be able to do anything special if you don’t know how security works in the real world and what technologies are in use. For that you will have to fill your mind’s database with knowledge of these topics. Topics like cryptography, password hashes, proxies and firewalls come under this.

Final summary

These six topics cover a lot of ground. Do take your time learning them, and if you think this is all it takes to become a super hacker, then sorry, there are many other things to learn before you become one. But yes, you can already call yourself a hacker once you have at least a basic knowledge of these topics.

Along with these, here is what we recommend you do:

    • Join some hacking forums and communities. There are a lot of them, and IRC channels too. You won’t understand everything, but at least try to connect with different people and ask them for help. They will give you a lot of ideas, and since experience matters it will be a good learning experience for you.
    • Create an account on Cybrary. We highly suggest it, and no, Cybrary isn’t paying us for promotion. It’s for your personal and professional growth. They have some of the best courses you can find on the internet today, and all of them are free. And yes, we did learn the basics of hacking on this platform.:)
    • Go for free. Hacking is for common people and it’s free. Don’t fall into the misconception that a paid course will make you a hacker. Instead, invest money in hacking books; there are a lot of free tutorials and courses on the internet and on YouTube, and you just need to google correctly to find them. Also, spend time on your computer, as it is your best friend. Believe me.:)
    • There are many websites where you can practice hacking online. Search for websites that let you practice hacking and you will find hundreds of them. Pick your favorite and complete their missions. It’s really fun, like playing some kind of game and improving yourself with each new mission.

Everything is good and fine, but all of this will be in vain if you lack passion and persistence for hacking, if you just want to hack your friend’s Facebook account or take some kind of foolish revenge. Hacking is not only about breaking things; it is mainly about securing yourself and the people around you.
Take a look at the bigger and better picture. Hacking Google and going to jail is nothing but a moron’s job. Instead, try to make Google a better place, so that people around you can search safely without worrying about their personal details.

So this is all for now. Now, if you are thinking, wasn’t the title of this post somewhat different? Then my friend, what you learn after going through this post will act as the stepping stone for your new hacking skills. Hacking needs persistence. No one learns it in a day; it takes years of practice. Go through these topics, do all that we have mentioned and then learn many more things, because it has been said:

“Hacking is not an end product but a process.”

You learn and do it daily.

So keep learning and happy hacking. Banzai..:)

20 Oct 2017

Everything you need to know to find CSRF vulnerabilities

Welcome, everyone. In this post we will look at another critical web application vulnerability. CSRF, or Cross-Site Request Forgery, basically means that the application isn’t able to distinguish between a request the user intended to send and a forged request that an attacker tricked the user’s browser into sending.

The most important thing about CSRF attacks is that they generally target state-changing requests. Forcing the victim to retrieve data doesn’t benefit an attacker, because the attacker doesn’t receive the response; the victim does. So CSRF attacks target a state change on the server, such as changing the victim’s email address or password, or purchasing something.

Did you ever wonder why you get so many spam emails from unknown senders telling you that

"You are the winner of this week's Lucky Jackpot Click on this link to get your prize money."

Most of the time such a link is the delivery vehicle for an attack that does something without your consent. If the page it points to carries a forged request to a site where you are still logged in, funds could be transferred from your account to someone else’s without you knowing.

How will it affect you?

Let’s suppose you get an email from bank XYZ, where you have your savings account. The email looks legitimate and says there has been a change in the bank’s terms and policies, so log in to your account and read the changes that come into effect today.

You think that yes, banks do care about your benefit and security, and nothing can possibly go wrong. You click the “See here” link in the email. And with that, Rs.8000 from your bank account gets transferred into someone else’s account.

That is just an example of how Cross-Site Request Forgery works. Nowadays, security professionals are well aware of this class of attack, which is one reason controls like One Time Passwords for transactions were introduced. Bypasses are sometimes still possible, but they take a lot of time and patience on the attacker’s side.

Moreover, CSRF attacks aren’t limited to bank transactions. A click on a malicious link and some new items might be added to or removed from your cart on your favorite e-commerce site without your knowledge.
But all this is possible only if the website is vulnerable to CSRF and you are already authenticated to it, i.e. you haven’t logged out of your previous session.

How do we check if the website is vulnerable to CSRF?

CSRF is an attack that tricks the victim into submitting a malicious request. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s cookies. Therefore, if the user is currently authenticated to the site, the site has no way to distinguish between a forged request sent by the victim’s browser and a legitimate request the victim meant to send.

To understand how CSRF works, we need a tool to intercept the requests sent by the browser and the responses that come back. For this, we personally use Burp Suite.

Most POST requests have three parts you need to look at:

  • the headers
  • the cookies (sent in the Cookie header)
  • the body parameters

Nowadays application security is on a whole new level and there have been many proposals for stopping CSRF attacks. The most widely deployed defence is an anti-CSRF token carried in the request (often in a header named X-Csrf-Token).

Now, what is an anti-CSRF token?

Application developers add an unpredictable token, either freshly generated for every request or fixed for the duration of the user’s session, and tie it to that session on the server side. On every state-changing request the server checks that the token sent matches the one it issued. A page on the attacker’s site cannot read the token, so a forged request either carries no token or carries a wrong one, and the server can tell it apart from a genuine request.

There are three places where the developer can put the anti-CSRF token.
Let us look at the three scenarios one by one:

    • When the anti-CSRF token is sent in a custom header: If the token is sent as a custom header, the application is most probably not vulnerable to CSRF, because a cross-site HTML form cannot add custom headers, and a cross-origin XMLHttpRequest that adds one triggers a CORS preflight that the server has to opt into. Still, we can’t be sure just from that, so there are other factors to check before confirming whether the application is vulnerable or not.
    • When the anti-CSRF token is sent in a body parameter: If the developer chose to put the token in a body parameter, the application again has a low chance of being vulnerable, provided the server actually validates it. The factors to check are the same as in case 1, and we will see them below.
    • When the anti-CSRF token is stored only in a cookie: If the developer put the token in a cookie and the server checks nothing else, the application has a high chance of being vulnerable. Now, why is that?
      Cookies are stored in the user’s browser, and the browser attaches them to every request to that site. No matter whether the token changes with every request or every session, if it lives only in a cookie the attacker does not have to worry about it at all: it is added automatically to the forged request along with the session cookie. The attacker never needs to know the token or how it is generated. (The exception is the double-submit pattern, where the same token must also appear in the body or a header and the server compares the two copies; the attacker’s page cannot fill in that second copy.)

OK, we have gone through the places where the anti-CSRF token can be put. As promised, the next part covers the additional checks we need to run to be sure of a CSRF vulnerability.

How to be sure of a CSRF vulnerability?

Case 1: Send the request without modifying anything and record the response. This is the baseline every other case is compared against.

Case 2: Remove the CSRF token completely and see if the response is the same as in case 1.

Case 3: Modify one character of the token but keep the length the same. Compare the response with the one from case 1.

Case 4: Remove the value of the token but leave the parameter in place.
What happens is that developers know to add the token but sometimes don’t validate it properly: the server checks only that the parameter exists, or accepts an empty value. If the token is generated predictably, it is also only a matter of time before an attacker brute-forces or reverse-engineers the generation logic.

Case 5: Change the POST request to a GET request with the same parameters and see if the server still accepts it; token checks are often applied only to the POST handler.

If the server gives the same successful response in any of cases 2 to 5 as it does in case 1, the token is not really protecting the action and the request can be forged.
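The five checks above, together with the three token placements from the previous section, replayed against a simulated server side. This is an added example, not code from the original post: the three handlers (no token check at all, a token read only from a cookie, and a token required in the POST body and bound to the session), the session store and the status codes returned are assumptions made for illustration.

```python
"""Replay the CSRF checks against three ways of handling a change-email request
(added example, not the original post's code)."""
import hmac
import secrets

# Constructed session store: session cookie value -> session data, including
# the anti-CSRF token the server issued to that session.
SESSIONS = {
    "sid-1234": {
        "user": "alice",
        "csrf_token": secrets.token_hex(16),
        "email": "alice@example.com",
    }
}


def vulnerable_change_email(method, cookies, form):
    """Authenticates from the session cookie only and never looks at a token.
    Any cross-site request that carries the victim's cookie succeeds."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    if not form.get("email"):
        return 400
    session["email"] = form["email"]
    return 200


def cookie_only_change_email(method, cookies, form):
    """Validates the token, but reads it only from a cookie (the third
    placement in the post). The browser attaches cookies automatically, so a
    forged request passes this check exactly like the genuine one."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    sent = cookies.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return 403
    if not form.get("email"):
        return 400
    session["email"] = form["email"]
    return 200


def hardened_change_email(method, cookies, form):
    """Accepts POST only and requires the token in the request body, compared
    in constant time against the token bound to the session. The attacker's
    page cannot read that token, so checks 2 to 5 all fail."""
    if method != "POST":
        return 405
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    sent = form.get("csrf_token", "")
    if not sent or not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return 403
    if not form.get("email"):
        return 400
    session["email"] = form["email"]
    return 200


def run_csrf_checks(handler):
    """Replays the five checks from the post against a handler and reports which
    ones it accepted (HTTP 200). Anything accepted besides the unmodified
    request means the token is not actually protecting the action."""
    good = SESSIONS["sid-1234"]["csrf_token"]
    # What the victim's browser sends on every request to the site, including a
    # cross-site one: the session cookie and (if the site set one) the token cookie.
    cookies = {"session": "sid-1234", "csrf_token": good}
    # Case 3: change one character but keep the length the same.
    altered = ("0" if good[0] != "0" else "1") + good[1:]
    email = "attacker@example.com"
    cases = {
        "case1_unmodified": ("POST", {"email": email, "csrf_token": good}),
        "case2_token_removed": ("POST", {"email": email}),
        "case3_token_altered": ("POST", {"email": email, "csrf_token": altered}),
        "case4_token_empty": ("POST", {"email": email, "csrf_token": ""}),
        "case5_post_to_get": ("GET", {"email": email, "csrf_token": good}),
    }
    return {name: handler(method, cookies, form) == 200
            for name, (method, form) in cases.items()}


if __name__ == "__main__":
    for handler in (vulnerable_change_email, cookie_only_change_email, hardened_change_email):
        print(handler.__name__, run_csrf_checks(handler))
```

The first two handlers accept all five variants, which is exactly what you see in Burp when the token is decorative; only the hardened one accepts just the unmodified request. Note that the cookie-only handler validates the token correctly and is still forgeable: the flaw is where the token travels, not how it is compared.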

How do attackers use CSRF vulnerability?

After finding out that a website has a CSRF vulnerability, an attacker crafts a link and gets the user to click it with a little social engineering, like the spam emails saying “Click Here” that we mentioned at the start of this post.
That is of course not the only way. An attacker can also host a page containing a form with hidden fields that submits itself automatically, so the victim only has to visit the page for the forged request to be sent.

This is how you can check for CSRF in a web application. CSRF is a very common attack and has appeared in the OWASP Top 10 for a long time. In this post we have written everything you need to get started. If you want to learn CSRF in depth, see the following references:

1. CSRF attack
2. CSRF Prevention Cheat Sheet

Go through the references, watch some YouTube videos and practice on bug bounty targets. In the prevention cheat sheet you will come across the different countermeasures that have been tried and why some of them did not work. Go through that carefully: it is as important to know what won’t work as to know what will.

If you think you didn’t understand much, or if the post is lacking something, don’t hesitate to comment. We will make sure to update it if required. Also, in case you have some queries or are missing something, just comment and we will always be there to help.

Till then, happy hacking everyone.:)

20 Oct 2017

SQL injection exploitation with and without SQLmap

Hey everyone. Welcome to this brand new tutorial in which we are going to look at “SQL Injection”, one of the most dangerous web application vulnerabilities, listed under Injection at the top of the OWASP Top 10.

What really is SQL Injection?

SQL injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s input can then trick the interpreter into executing unintended commands or accessing data in the site’s database without proper authorization.

The usual purpose of SQL injection is to dump the whole database to the attacker, and that can be seriously dangerous. An attacker can change users’ credentials such as their passwords, obtain users’ credit card numbers and much more. The attacker may also be able to delete the whole database, which would be a disaster for the company. That is why it is considered one of the most dangerous vulnerabilities: if exploited, the personal data of each and every user is in danger.

Types of SQL Injections

SQL injection is generally divided into four sub-categories:

    • Classic SQLI
    • Blind or Inference SQL injection
    • Database management system-specific SQLI
    • Compounded SQLI

SQL injection needs an input that the application copies into a query: form fields, URL parameters, cookies or headers. The attacker constructs the input in such a way that, when the web application builds the query, part of the input is executed as a database command rather than treated as data.

A successful SQL injection attack requires the attacker to craft a syntactically correct SQL query. If the application returns a database error message when the attacker sends a malformed input, or gives away details such as the database type or a table name, it is very likely vulnerable to SQL injection.
Often the application will show an error but hide the details, such as which database or version is in use; the tester must then infer the structure of the original query from the application’s behaviour.

How to test for SQL Injection(manual testing)?

In order to perform an SQL injection attack, we first need to make a list of the inputs that interact with the database server to fetch some data. It can be the username and password in a login form, search queries, etc.

Let’s consider an e-commerce website. A normal user will visit the website and log in to his account there to see the various offers only for him.

Now how does this log in really work in the background?

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

Consider the above query. It takes the data entered by the user and matches it against the information in the database. If both the username and password match, the user is logged in; otherwise access is denied.

Now what an attacker does here is to inject code in place of a valid username and password:

1' or '1' = '1 in place of the username and 1' or '1' = '1 in place of the password

So the query now becomes something like this,

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

Now, if the application is vulnerable to SQL injection, it will return a set of rows. AND binds tighter than OR, so the WHERE clause reads Username='1' OR ('1'='1' AND Password='1') OR '1'='1'; the trailing '1'='1' is always true, so every row matches and the application typically logs the attacker in as the first user returned. Note that this exact payload only works if the password is compared in the query as entered. If the application hashes the password before building the query, injecting in the username field instead (for example admin' OR '1'='1' -- , where the -- comment, followed by a space in MySQL, cuts off the rest of the query) is the way in.

One thing that will come in quite handy is finding out which database the application uses. There are syntactic differences between Oracle, MSSQL and MySQL, which is why some payloads might not work as expected on one of them.

Now let’s see some practical SQL injection.
Here is an example of string SQL injection from WebGoat.

In this task we had to enter a last name in such a way that the result is a syntactically correct SQL query that dumps all the rows from the table. Here the query used by the application was shown to us. That won’t happen in real life: you have to try different inputs until you get an error or some other information that tells you which query is being used in the backend.

The query in this case was

SELECT * FROM user_data WHERE last_name = 'Your Name'

So we injected Smith' OR '1'='1 there and the query became

SELECT * FROM user_data WHERE last_name = 'Smith' OR '1'='1'

The second condition is always TRUE, so it returns all the records from the table.

It’s just a simple example, but this is how SQL injection works in general.
A complete tutorial on SQL injection would need a whole page of its own, so we recommend checking the different manual testing techniques on this page. Meanwhile, watch some YouTube tutorials and solve the SQL injection exercises in DVWA, WebGoat and Mutillidae to get the hang of it.
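The login query from earlier and the WebGoat last_name query, run for real against an in-memory SQLite database so the effect of the injected input can be seen, each once built by string concatenation (deliberately vulnerable) and once with a bound parameter. This is an added example, not code from WebGoat or the original post; the tables, rows and function names are assumptions made for illustration, and, as in the post’s query, the password is compared in clear text rather than hashed.

```python
"""Vulnerable and parameterized versions of the two queries from the post,
run against constructed SQLite tables (added example)."""
import sqlite3


def make_db():
    """Creates the constructed database: a Users table for the login example
    and a user_data table like the one in the WebGoat lesson."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("john", "hunter2")],
    )
    conn.execute(
        "CREATE TABLE user_data (id INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?, ?)",
        [
            (1, "Joe", "Snow", "987654321"),
            (2, "John", "Smith", "2234200065411"),
            (3, "Jane", "Plane", "333498703333"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The login query from the post, built by pasting user input into the SQL
    text. Deliberately vulnerable: 1' or '1' = '1 in either field makes the
    WHERE clause true for every row, so the first user is 'authenticated'."""
    query = f"SELECT * FROM Users WHERE Username='{username}' AND Password='{password}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is only ever treated as data."""
    row = conn.execute(
        "SELECT * FROM Users WHERE Username=? AND Password=?", (username, password)
    ).fetchone()
    return row is not None


def find_by_last_name_vulnerable(conn, last_name):
    """The WebGoat string-injection query. Deliberately vulnerable:
    Smith' OR '1'='1 closes the string and appends an always-true condition."""
    query = f"SELECT * FROM user_data WHERE last_name = '{last_name}'"
    return conn.execute(query).fetchall()


def find_by_last_name_safe(conn, last_name):
    """Parameterized version: the whole payload is matched literally as a name."""
    return conn.execute(
        "SELECT * FROM user_data WHERE last_name = ?", (last_name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "Smith' OR '1'='1"
    print("vulnerable:", find_by_last_name_vulnerable(db, payload))  # every row
    print("safe:      ", find_by_last_name_safe(db, payload))        # []
    inj = "1' or '1' = '1"
    print("login vulnerable:", login_vulnerable(db, inj, inj))       # True
    print("login safe:      ", login_safe(db, inj, inj))             # False
```

Bound parameters are the fix the OWASP cheat sheet recommends first: the database driver never parses the user’s text as SQL, so the single quote in the payload has no syntactic effect. Escaping quotes by hand is fragile across database products, which is exactly the syntax difference mentioned above.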

SQL injection using Sqlmap

We just saw how manual testing works, but there is a wonderful automation tool called sqlmap for finding and exploiting SQL injection vulnerabilities in a website.

sqlmap is one of the most powerful and best-known automation tools for SQL injection. The only thing sqlmap requires is a URL (or a saved request) with an injectable parameter. It can enumerate the databases, tables and columns and dump all the data inside them. For downloading and installing sqlmap go here.

Now, let’s consider a PHP page which has an id parameter which looks something like this:

http://www.test.com/index.php?id=23

If we insert a single quote into the id parameter in the URL to check whether the application does anything unusual or shows us an unexpected error message,

http://www.test.com/index.php?id=23'

and the developer did not escape the id parameter properly, we will get a database error. Let’s assume for the rest of this tutorial that it does.

The first and most basic sqlmap command is the one below. The -u option gives the target URL. This command checks whether the parameter is really injectable or not. Run sqlmap only against targets you are authorized to test: it sends a large number of requests, and some of its techniques write to the database.

$ python sqlmap.py -u "http://www.test.com/index.php?id=23"

If the parameter is injectable, sqlmap reports the injection techniques that worked along with fingerprint information such as the back-end DBMS and its version and the web server’s operating system. Now we know that the parameter is vulnerable to SQL injection, so we dig a little deeper.

    • Getting the databases
      To find out all the databases, we use the following command. The --dbs option lists every database the injected account can see.

      $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --dbs

      Let’s assume that we get three databases:

      information_schema
      users
      purchase list

    • Getting the tables inside a database
      The next step is to find out all the tables inside a database. For this, we use the command below:

      $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --tables -D users

      The --tables option lists all the tables and the -D option selects the database, in this case users. Let’s say we get two tables, and we are interested in the one that holds users’ personal information, named personal.

    • Getting the columns inside the table
      To get all the columns inside the table, we use the command below:

      $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --columns -D users -T personal

      It will give us the layout of the table:

      | Column   | Type         |
      |----------|--------------|
      | email    | text         |
      | hash     | varchar(128) |
      | id       | int(11)      |
      | name     | text         |
      | password | text         |

    • Getting the data for each column
      Now, this is what we hackers truly desire: the data. This command dumps the contents of the entire table:

      $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --dump -D users -T personal

      The output will look something like this:

      | id | hash               | name  | email              | password  |
      |----|--------------------|-------|--------------------|-----------|
      | 1  | 5DIpzzDHFOwnCvPonu | admin | admin123@yahoo.com | letmein   |
      | 2  | 8DIpzhfDHFkyndCvPo | john  | john400@gmail.com  | hackerxss |

These are the basic sqlmap commands. sqlmap has many advanced features as well; check the official page for those. There are other tools such as sqlninja too, which you can check out here.

SQL injection is a very broad topic in itself. But it’s a blessing for bug bounty hunters, because companies pay good bounties for a critical vulnerability such as SQL injection. We will be writing about topics like time-based SQL injection and various advanced SQL injection techniques in the meantime. Stay tuned for that. Also, if you have any queries or problems with SQL injection, please comment below and we will surely help you.

Till then, Happy hacking.:)

20 Oct 2017

3 must have tools for Penetration testers

Welcome folks. In the previous posts we have been talking about web application penetration testing in depth. In this post we will look at the three most useful tools that many bug bounty hunters and penetration testers use for their daily testing and bug hunting.

Why only 3 tools?

This post is based on our own opinion after talking to many professionals in this field. If you look at the Kali distribution itself you will find a lot of penetration testing tools, but it isn’t mandatory to use each and every one. If we started talking about all of them it would be a never-ending post, because there are hundreds of tools available and one person’s choices differ from another’s. But there are some tools that stand above the rest, and you can say that they are used "generally and most of the time" by penetration testers and bug hunters.

And the Hall of Fame goes to

    • SubBrute
    • Nmap
    • Burp Suite

Let’s discuss them one by one.

SubBrute

You must have come across the term scope in penetration testing and bug bounty programs. Most of the time it will be a single target site like www.target.com, but nowadays many companies go with an all-domains approach. Now, what does that mean?

If you are new to penetration testing, have you ever come across a scope such as *.target.com? Maybe yes, maybe no. So how do you find the whole scope in this case?
For targets like this you will need a subdomain enumeration tool. That’s where a tool like SubBrute comes into play.

“SubBrute is a community-driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool.” You can download SubBrute from this GitHub page. There are many ways to use SubBrute, but the command I personally use the most is:

./subbrute.py target.com

This is the most basic command and it will give out many (not necessarily all) subdomains of target.com, such as:
sales.target.com
blog.target.com
users.target.com

In this way you get the list of hosts on which you are required to do the penetration test. There are other tools available for subdomain enumeration, like Knockpy, and Google dorks help as well. Feel free to use them too, and while testing use all three to check which one works best for you.
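The brute-force logic behind a tool like SubBrute, as an added example that is not SubBrute’s own code: each word in a wordlist is prefixed to the domain and resolved, and a random label is probed first to detect wildcard DNS, which would otherwise make every name in the wordlist appear to exist. The resolver is injectable so the block runs offline against a constructed fake; the wordlist, host names and addresses below are made up.

```python
"""Wordlist subdomain enumeration with a wildcard-DNS check (added example)."""
import secrets
import socket


def dns_resolve(name):
    """Real resolver: returns an IPv4 address, or None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain, resolve):
    """Resolves a random label that cannot be in any wordlist. If it gets an
    answer, the zone has a wildcard record and that address is noise."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return resolve(probe)


def enumerate_subdomains(domain, wordlist, resolve=dns_resolve):
    """Returns {fqdn: ip} for every wordlist entry that resolves to something
    other than the wildcard address. A real host that happens to share the
    wildcard address is hidden by this filter; that is the usual trade-off."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ip = resolve(name)
        if ip is None or ip == wildcard_ip:
            continue
        found[name] = ip
    return found


def fake_resolver(records, wildcard_ip=None):
    """Constructed stand-in for DNS: records maps fqdn -> ip, and with
    wildcard_ip set every other name under the domain 'resolves' to it."""
    def resolve(name):
        if name in records:
            return records[name]
        return wildcard_ip
    return resolve


# Made-up wordlist; real tools ship lists with thousands of entries.
WORDLIST = ["www", "blog", "sales", "users", "mail", "dev"]

if __name__ == "__main__":
    plain = fake_resolver({"blog.target.com": "203.0.113.10",
                           "sales.target.com": "203.0.113.11"})
    print("no wildcard:", enumerate_subdomains("target.com", WORDLIST, plain))
    wild = fake_resolver({"blog.target.com": "203.0.113.10"}, wildcard_ip="203.0.113.99")
    print("wildcard zone:", enumerate_subdomains("target.com", WORDLIST, wild))
```

To run it against a real domain you are authorized to test, call `enumerate_subdomains("target.com", WORDLIST)` with the default resolver; without the wildcard probe, a zone with a catch-all A record would report every word in the list as a live host.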

NMAP

Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network. It’s one of the most common tools used by penetration testers, as it gives out a lot of information about the target hosts.

Aside from telling which ports are open and which are closed, Nmap provides further information on targets, including reverse DNS names, operating system guesses, service versions, device types and (on the local network) MAC addresses. This is very useful information for a penetration tester: once the services and their versions are known, they can be matched against known vulnerabilities and exploited.

Also take a look at the Nmap Scripting Engine (NSE). It is one of Nmap’s most powerful features: vulnerability detection and exploitation scripts are both part of it. Learn more about it here.

Nmap is such a big topic that it needs a post of its own. I have already written one; check out this post if you want to learn the different Nmap scan types.

Moreover, there is no better place than the official documentation for in-depth learning. When you are done with the references above, check out the official page to get a solid understanding of how to use Nmap.

Burp Suite

Here comes the best one. If you ask most bug bounty hunters about their favorite tool, almost 90% of them will say Burp Suite. Burp Suite is considered the best tool (our impression, not official data) for web application penetration testing.
Burp Suite comes in two editions: Free and Professional. If you are new to Burp Suite, download the Free edition and play with it. It has many useful features like the Proxy, Spider, Repeater and Intruder. Features like active and passive scanning of the target come only with the Professional edition. Go for the Professional edition only once you have practiced on the free one, because it’s quite expensive, though useful at the same time.

For Burp Suite to work you have to point your browser (we recommend Firefox) at Burp’s proxy listener. You can do that with an add-on like FoxyProxy; get it from here. Just set the proxy host to 127.0.0.1 and the port to 8080 and you are good to go. You can also do it manually by changing the proxy in the Network Proxy Settings in Firefox preferences; take a look at this page for instructions on how to do that.

Here is a screenshot of what you see when you first open Burp Suite:

This is what you get with a fresh installation. Burp Suite is available for all the major operating systems and comes pre-installed in Kali Linux.

Don’t get overwhelmed by the amount of information here.
The main things you have to do now are:

    • Download and install Burp Suite.
    • Set up Burp Suite by changing the browser proxy, and check that the proxy works for https:// sites as well (import Burp’s CA certificate into the browser so it can intercept TLS traffic).
    • Then learn the four most used features in Burp Suite: Proxy, Spider, Intruder and Repeater.

This tool is highly recommended if you are thinking of a career in bug hunting or penetration testing. There are a whole lot of tutorials and videos available on the internet that can give you a head start.
Meanwhile, the official documentation is also a great place to start learning Burp Suite. Check the documentation here.

If you are wondering why we are focusing so much on this one tool, just learn and use it first and you will see it can do miracles for you.

Learn Burp Suite, the Swiss Army knife for penetration testers and bug bounty hunters, here.

Final points

There will always be alternatives. As we told before, we can use Knockpy in place of SubBrute. Similarly, you can also opt for OWASP ZAP in place of Burp Suite for intercepting the Request-Response and doing other things like vulnerability scanning. The only thing which matters is which one is easiest for you to use and how well does it perform the task at hand. So check out all of them and then refine your arsenal of tools.

We may have left out many people's favorite tools. We wanted this post to tell you about the general tools which are required most of the time. There are other tools like SqlMap, WebSlayer and Wfuzz which are very helpful in penetration testing. Bugcrowd has an awesome thread listing different tools used by bug bounty hunters and their references. Have a look at the thread here.

Meanwhile, if you think that another tool will better fit here, do write in the comment section. We are open to suggestions and will keep updating this post with time. In case of any problems regarding installation or something which you can’t understand, don’t be shy to comment because we will be always there for your help.

Till then, Keep learning and Start hacking now..:)

12 Oct 2017

How to approach XSS hunting in a web application.

Hi, every security enthusiast out there. In this blog, we are going to tell you how to approach finding Cross-Site Scripting vulnerabilities in a web application.

So what is XSS and why is it so dangerous?

XSS, or Cross-Site Scripting, is a type of web application vulnerability. It is considered to be one of the most dangerous vulnerabilities found in websites.

An attacker can obtain sensitive and personal details like your username or password by redirecting you to a spoofed website, steal your cookies and, worst of all, hijack your user session.

If you are new to XSS, please check out these two references before reading any further, since in this post we will only focus on how to test for XSS rather than on what it is and the prerequisites.

Read the second reference and all the other links mentioned in it carefully. In case you don't understand, check out some videos on YouTube about XSS; they will give you a basic knowledge of what XSS is and why many web applications are vulnerable to it.

Bug bounty hunters use different platforms to learn and practice XSS. It is one of the most dangerous vulnerability classes and has been in the OWASP Top 10 for quite a long time. Companies pay good bounties for XSS found in their web applications.

How do I test if this web application has XSS vulnerability?

A web application can contain several XSS vulnerabilities in different parts of the application. That’s why an application needs to be thoroughly tested without leaving any page because even “one vulnerable input field” can lead to the privacy leakage of users.

XSS can be found in the places where there is some sort of user input required. For example, it can be a search box, a comment section and form input fields like name, address or credit card information.

How does XSS occur?

Let's consider a site www.askyourqueries.com. The website has a search box where a user can ask any personal or professional query. But an attacker, instead of a query, tries to insert a payload like this:

";alert('XSS');"

If the search input field is vulnerable to XSS, a popup will be shown in the browser on clicking the Submit button. The popup will look something like this:

Now, what is happening here?

Improper HTML sanitization and encoding lead to this. The payload, instead of being treated as simple text, is executed as code. Read more about sanitization here.

Note: Payload is simply a fancy term for a code snippet. Different payloads are injected into different input fields for XSS testing.

Cool, I get the theoretical part, but in practice how do we go about finding XSS vulnerabilities?

This is the main part of the blog. We hope that you have already gone through all the previous references about XSS and HTML sanitization.

As mentioned before, the code ";alert('XSS');" is actually a payload. An attacker tries to insert different payloads into an input field to find an XSS vulnerability. You can find many XSS payloads on the internet, but you need to understand which type of payload will work for that particular field. Once you can distinguish between the different contexts, you will be able to create your own payloads.

For choosing a payload, you need to understand the context.
Now, what is a context?

When hunting for XSS, we need to check where the payload shows up in the source code. You can use a proxy like Burp Suite for this; in the Repeater tab you can look at both the Request and the Response side by side. In the Response tab, search for the payload you injected and make a note of where it lands. It can be directly between HTML tags, between script tags, or inside an attribute value.

Burp Suite is an excellent tool for web application penetration testing. Try to learn to use Burp Suite more proficiently and effectively. Check the official site here for getting started.

For example, when the Response shows the payload between the script tags:

You will need to inject payloads like

";alert(1);"

at the Injection Point.

The purpose of a payload is to insert code in such a way that it gets executed instead of being treated as raw data. If you look at the two payloads closely and insert them in place of the injection point, you will note that all they are trying to do is get the payload executed by closing and opening the script tags or by closing and opening quotes.

There is another type of context called the Attribute context. For example, if the place where your payload gets reflected is:

So what should we do now? You can't just use the previous payload "alert(1);" and think that it will somehow work. It is not the correct payload for this context. Look again and you will find that there are no script tags present here to execute the code alert(1).

That's why we need to think of some other payload that will make the code execute. Something like this:

" onmouseover="alert(1)

It closes the first quote and then the code after it runs as an event handler.

Some developers use single quotes instead of double quotes, so make sure you are using the correct payload for that context. That means use 'alert(1);' instead of "alert(1);".
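As an added example (not code from the original post), here is a small Python helper that does the "where did the payload land" step mechanically on constructed sample responses, classifying the reflection as script, attribute or HTML-body context, and pairs each context with the output encoding a developer applies so the reflected text stays data. The marker string and the three sample pages are constructed for the example.

```python
import html
import json
import re

# Constructed sample responses (not from the post); the marker stands in for the search term the tester typed.
MARKER = "ZqX7"
SCRIPT_PAGE = '<html><body><script>var q = "ZqX7";</script></body></html>'
ATTR_PAGE = '<html><body><input type="text" name="q" value="ZqX7"></body></html>'
BODY_PAGE = '<html><body><p>Results for ZqX7</p></body></html>'


def find_context(response_html, marker):
    """Return where `marker` is reflected: 'script', 'attribute' (with the quote char), 'html', or 'not_reflected'."""
    idx = response_html.find(marker)
    if idx == -1:
        return {"context": "not_reflected"}
    before = response_html[:idx].lower()
    # A <script that opened after the last </script> means we are inside a script block.
    if before.rfind("<script") > before.rfind("</script>"):
        return {"context": "script"}
    # A '<' after the last '>' means we are still inside a tag, i.e. in an attribute value.
    last_lt, last_gt = before.rfind("<"), before.rfind(">")
    if last_lt > last_gt:
        m = re.search(r'([\w-]+)\s*=\s*(["\'])[^"\']*$', before[last_lt:])
        if m:
            return {"context": "attribute", "attr": m.group(1), "quote": m.group(2)}
        return {"context": "attribute", "attr": None, "quote": None}
    return {"context": "html"}


def encode_for_context(value, context):
    """The output encoding a developer applies for each context, so a reflected payload stays data."""
    if context == "html":
        return html.escape(value, quote=False)   # < > & neutralised: no tag can open
    if context == "attribute":
        return html.escape(value, quote=True)    # also " and ': the attribute cannot be closed
    if context == "script":
        # JavaScript string escaping; "</" is broken up so the string cannot close the <script> block.
        return json.dumps(value)[1:-1].replace("</", "<\\/")
    raise ValueError(f"unknown context: {context}")


def reflect_safely(page, marker, value):
    """Put `value` where `marker` was reflected, encoded for the context it lands in."""
    ctx = find_context(page, marker)["context"]
    if ctx == "not_reflected":
        return page
    return page.replace(marker, encode_for_context(value, ctx))
```

Run find_context on a captured response with the unique string you injected; the returned context tells you which of the three cases above you are looking at, and encode_for_context shows what a correctly encoding application would have sent back instead.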

Few points to remember:

  • Don't get discouraged if you can't find XSS. Nowadays, developers take special care to properly sanitize input so that there is no chance for vulnerabilities like XSS. Just keep checking all the input fields on all the pages of the website.
  • Not only that, but encoding is also used so that the code is treated as normal text. Take a brief look at HTML encoding on this page. It's an important topic for understanding XSS.

Important tips for finding XSS

Penetration testers do know how to search for XSS and which payloads they should use but sometimes they miss out on the little things. Some of these are:

  • "Try 100 different input fields instead of using 100 different payloads on the same field." Try at most 10 different payloads on a field, then move on to the next one. That's the basic formula for finding an XSS.
  • Many times while testing, the popup will appear on a different page than the one you were testing on. Keep that in mind.
  • Use Mozilla Firefox instead of Chrome when testing for XSS vulnerabilities. Google Chrome has an XSS Auditor which assumes you are testing with malicious intent, so many times you won't get the popup. Use Firefox until you learn how to bypass the XSS Auditor.

This post was intentionally written to give you an approach to finding XSS vulnerabilities. It's not a post on XSS itself, XSS payloads or the different types of XSS. For that, you can read the OWASP reference. Many times new professionals can't understand where to start, and that's what this post is for.
To sum up the blog, you need to do these things in sequence:

  • Learn to use Burp Suite (watch YouTube videos and see the official site here).
  • Read the OWASP reference from here.
  • Practice on vulnerable applications like WebGoat and DVWA. When ready for live action, switch to bug bounty sites like HackerOne and Bugcrowd. Pick a target of your choice and start XSS hunting using Burp Suite.

Feel free to comment in case you need to clarify any query, can’t understand something on XSS or think that we should update this blog with something. We will be more than happy to help you and will reply to you as soon as possible.

Till then keep learning and start hacking now.:)

06 Oct 2017

Pentesting a wordpress website using WPSCAN

Ever thought of quickly testing a WordPress website for known vulnerabilities and outdated plugins or themes? Well, here is a blog on one such fantastic tool:

$ wpscan

What is WordPress and why is it famous?

WordPress is an online, open-source website creation tool. It makes website creation super easy and is very user-friendly. Nowadays people tend to use WordPress instead of learning to code in HTML, CSS, and JavaScript to create a website, because even a non-technical person can learn how to use WordPress and create a website in a couple of hours. That's why it is famous, and most personal blogs and websites for startups run on WordPress.

Pro Tip: If you are a bug bounty hunter or a penetration tester, finding a vulnerable WordPress installation in scope may give you numerous easily exploitable vulnerabilities and big cash rewards.

But how am I supposed to know if a website is created on WordPress?

Don’t worry, you don’t have to get very technical for that. There are several tools already available for it. The tool I personally use is:

Just install any of these add-ons in your favorite browser, and when you visit a website it will show all the technologies used on the website. For websites created with WordPress, it will show a W icon. In this way, you will be able to find out which part of the website is on WordPress.

Note that in many cases the whole website might be built on a different framework, but a part of it, like the blog section, can be on WordPress. So keep an eye on the add-on.

Why is it important to test vulnerabilities in a WordPress website? Won’t the people who manage WordPress take care of that?

Yes, WordPress will make sure that no one is able to use your site in a way it isn't meant to be used. WordPress security engineers maintain their own database of vulnerabilities and patch them in the next version. So you just have to make sure that you keep your WordPress version updated and don't use any old plugins or themes.

So where do I need to start then?

While browsing the target, you find out that this domain is on the WordPress platform. The first thing you can do is try adding wp-admin at the end of the URL.

For example, let's consider that the domain blog.examplewebsite.com is on the WordPress platform (by looking at the add-on). Now you just have to visit blog.examplewebsite.com/wp-admin/ to get the form below.

This page is what users use to log in to their respective accounts. So how to crack the username and password? We all know that cracking the password is every hacker's dream.

This is where a tool like WPScan comes into play. WPScan has several different options to find the vulnerabilities in a WordPress website and also to brute-force a user login.

How to download and install WPScan?

Using WPScan is pretty easy. Just go to this page and download WPScan in whatever way is most suitable for you. If you have downloaded the zip or tar file, just extract it and you are good to go. WPScan comes pre-installed in Kali Linux, so there is no need to do any of this; just jump to the next section.

Important commands

For all the commands below to work, you need to go to the folder where you have extracted the WPScan zip file using a terminal.

Command 1: Update WPScan’s databases.

ruby wpscan.rb --update

This is the first command to use when you run WPScan for the first time. It updates the full WPScan database, which contains the list of known vulnerabilities and exploits for WordPress websites.

Command 2: To enumerate all the usernames

ruby wpscan.rb --url www.example.com --enumerate u

Let’s break the command step by step.

Since wpscan.rb is a Ruby file, we need to use ruby to run it. Then we use the --url option with the target's URL. For the last part, --enumerate is the argument and we give 'u' as its option to enumerate all the usernames available.

If the site owner isn't using any plugin to stop attackers from enumerating usernames, this command will list all the usernames registered on the WordPress site.

Command 3: Password brute-force attack

ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

Knowing only usernames won't do us any good. We need to know the password before we can call it a critical vulnerability.

Here, we are using two new arguments. The first is --wordlist, and with it you need to give the full path to where you have downloaded the wordlist file. If the wordlist is in the WPScan folder, you just need to write its name. The --threads argument is the number of threads to use for multi-threading. The greater the number, the faster WPScan runs, but it also depends on your computer's hardware. So it's better to keep it between 20 and 50.

It has been said that "humans are the weakest link in any company's security". We as humans tend to use passwords which are easy to remember. Many times admins use passwords like their date of birth, letmein, password, 123456789 and many others which can be guessed with a little social engineering and in many cases cracked by a brute-force attack. This command uses a dictionary-based attack, and in case such passwords are used it will be very easy to crack them.

A good place to download password lists is here. It's very useful; don't forget to $git clone.

Command 4: Enumerating vulnerable plugins

ruby wpscan.rb --url www.example.com --enumerate vp

This command is used specifically to find vulnerable plugins in the WordPress website; the vp option denotes vulnerable plugins. WPScan will also give you a reference where you can read about each vulnerability. The vulnerabilities are flagged with different colors: red means the vulnerability is the most critical, whereas green means it's the least.

Command 5: Enumerating vulnerable themes

ruby wpscan.rb --url www.example.com --enumerate vt

This command checks for vulnerable themes within the website; vt denotes vulnerable themes. Here also, look for vulnerabilities with the red flag because they are the most critical and, if exploited, could be lethal for a company.

Important points

  • First of all, don't try this on any WordPress site you come across. Many times, after a certain number of incorrect logins or a WPScan run, the site may permanently block your IP so that you can no longer access it, and not to forget, it would be illegal.
  • Don't think that you will get results every time. Brute-forcing the username and password will be useless if the admin uses a password that follows a strong password policy (lowercase and capital letters, numbers, and special characters).
  • Check each and every vulnerability and try to exploit it. Even one vulnerability can lead to the compromise of the whole system.
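The "site may block your IP" point above is the other side of the brute-force command: a site owner sees that attack as a burst of POSTs to the login form. As an added example (not part of the original post), here is Python detection logic run over constructed access-log lines; it assumes the standard WordPress login form, which posts to wp-login.php, and the common "combined" log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; the WordPress login form posts to wp-login.php.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_login_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: most attempts seen in any `window`} for clients that posted to wp-login.php
    at least `threshold` times within `window`. A successful login answers with a 302 redirect
    to wp-admin, so those are not counted; a failed attempt re-renders the form with a 200."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php") and rec["status"] != 302:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def _constructed_log():
    """Constructed sample log: one client hammering the login form, one normal visitor."""
    base = datetime(2017, 10, 6, 12, 0, 0)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = [f'198.51.100.7 - - [{base.strftime(fmt)}] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
    for i in range(12):   # 12 failed logins within 22 seconds from one address
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"')
    for i in range(2):    # a visitor who mistypes a password once, five minutes apart
        ts = (base + timedelta(minutes=5 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"')
    return lines


CONSTRUCTED_LOG = _constructed_log()
```

Feed it real log lines with `find_login_bruteforce(open("access.log"))` and tune `threshold` and `window` to your traffic; the flagged addresses are what a rate limiter or login-protection plugin would block.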

There are many more commands and arguments available for WPScan. To see the complete list, check out the WPScan official page.

In case of any queries while downloading or using WPScan, feel free to ask them in the comment section and we will be more than happy to help you out.

Till then, keep learning and Happy hacking..:)

06 Oct 2017

5 nmap scans to help you in Penetration testing

Hi, everyone. In this post, we are going to discuss the 5 Nmap scans every penetration tester should add in their arsenal.

So what is Nmap and why is it widely used?

In simple terms, Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network. It is widely used during the penetration testing process because a lot of information can be gathered by running the correct Nmap scan on your target.
Information like

  • Which operating system the target is using
  • Which ports are open or closed
  • Identifying different hosts on the network
  • Which version of software the target is running

can be found out from an Nmap scan, which is very useful in the information gathering process.

Installing Nmap

To use Nmap, you need to download and install it on your system. Nmap is available for all flavors of operating system and comes pre-installed with Kali Linux. We would like this post to stay on the specific topic of Nmap commands, so it will be better if you search for how to install Nmap on your respective operating system. There are many YouTube video tutorials on that. In case of any problems, please comment and we will be glad to help.

Basic Syntax for Nmap:

nmap [ Scan Type ] [ Options ] { target specification }

e.g. nmap -A -T4 192.168.213.129

Don't worry about what -A and -T4 mean for now. Just keep reading and you will understand everything by the time you complete this post.

Tools required to follow along with this post

1. Nmap correctly installed on the system. Check by using the command nmap in a terminal.

2. Install VMware Player or VirtualBox.

3. Download Metasploitable from here -> Extract the zip file -> Open VMware or VirtualBox, whichever you have installed -> select the Open a Virtual Machine option -> Browse to where you have extracted Metasploitable -> Select Metasploitable.vmx -> Both username and password are msfadmin.

Everything has been set up and you are good to go now. Let’s start some Nmap scanning.

Previously we used nmap -A -T4 192.168.213.129.
Let's break it down part by part.

You need to use the nmap command to run an Nmap scan. '-A' is the scan type: it enables OS and version detection, script scanning, and traceroute. '-T4' is the option for faster scanning; its values can be from 0 (slowest) to 5 (fastest). The last part is the target's name or IP address.

Note that '-A' and '-T4' are not the only scan type and option available; there are many others. To see the full list of flags that can be used, just run the command nmap in the terminal.

Now, let’s do something practical.

In the real world, you will be given the target specification or the IP address for penetration testing. We can't just run an Nmap scan on any application available on the internet because it is illegal, so we are using Metasploitable as our target because it is meant for testing purposes.

Step 1: Find the IP address of Metasploitable. Since we have already downloaded and installed Metasploitable, just use the command ifconfig in the Metasploitable terminal.
It will show two interfaces, eth0 and lo. The inet addr given in the eth0 section is the IP address of Metasploitable.

Now, we know the target’s address, so all we have to do is scan using different scan types and options to get the most useful information. This information can then be used to test if malicious activities could be performed on the open ports and how the version of different services running can lead to the hacking of the whole system.

We have installed Nmap on our Ubuntu OS. The IP address of Metasploitable in our case is 192.168.213.129.

Command 1: Scanning for open ports (default stealth scan)

$ nmap -sS 192.168.213.129

This is the most used default scan for Nmap. It is used for checking if the host is up. With this scan, Nmap attempts a TCP SYN connection to the 1000 most common ports.
Type the command as it is, changing the IP address to the IP address of your Metasploitable instance.
The command and the output will look like this:

Command 2: TCP Connect Scan.

$ nmap -sT 192.168.213.129

This command is similar to the first one, i.e. the TCP SYN scan; however, rather than sending a SYN packet and reviewing the reply headers, it asks the OS to establish a full TCP connection to the 1000 common ports.

The output will look like this. At first glance, both results look the same, but if you look at the execution time they differ, because the first command performs a stealth scan while the second is a non-stealthy scan.

After reading this far, if you are still confused about what TCP, SYN or packets mean, search for how TCP works and the TCP 3-way handshake.

Command 3: To scan a specific port or a port range

To scan a specific port, use the command

$ nmap -p 80 192.168.213.129

Here, we are scanning the port 80 which is the HTTP port.

To scan ports within a certain range, use

$ nmap -p 80-2000 192.168.213.129

This scans the ports between 80 and 2000.

Command 4: Aggressive scan

$ nmap -T4 -A 192.168.213.129

This is used for aggressively scanning the target system.
The '-A' simply means to perform OS and version detection.
'-T4' is the speed factor for how quickly to perform the scan. Its values can be from 0 (slowest) to 5 (fastest).
The output will look like this, and most of the time the output can be quite large.
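Because the -A output gets large, it helps to reduce it to the rows that matter: the open ports and the version strings Nmap fingerprinted. As an added example (not code from the original post), here is a small Python parser for Nmap's normal text output, run on a constructed sample modelled on a Metasploitable-style target; the host, ports and version strings in the sample are constructed for the example.

```python
import re

# Constructed sample of `nmap -A` normal output (not from the post's screenshots).
SAMPLE_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-06 12:00 UTC
Nmap scan report for 192.168.213.129
Host is up (0.00041s latency).
Not shown: 977 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 2.3.4
22/tcp   open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open     telnet      Linux telnetd
80/tcp   open     http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
3306/tcp open     mysql       MySQL 5.0.51a-3ubuntu5
8180/tcp filtered unknown
Service Info: Host:  metasploitable.localdomain; OS: Linux
"""

# One row of the PORT/STATE/SERVICE/VERSION table; the version column is optional.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+?))?\s*$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>.+?)\s*$")


def parse_nmap_output(text):
    """Parse Nmap 'normal' output into {host: [{port, proto, state, service, version}, ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group("host")
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            hosts[current].append(rec)
    return hosts


def open_services(hosts):
    """Flatten to (host, port/proto, service, version) for open ports only: the rows to triage first."""
    return [(h, f'{r["port"]}/{r["proto"]}', r["service"], r["version"] or "")
            for h, recs in hosts.items() for r in recs if r["state"] == "open"]


def unversioned_open_ports(hosts):
    """Open ports where -A could not fingerprint a version: candidates for a manual look."""
    return [(h, r["port"]) for h, recs in hosts.items()
            for r in recs if r["state"] == "open" and not r["version"]]
```

Pipe a saved scan through parse_nmap_output and the version strings in open_services are exactly what you look up against known vulnerabilities for each service.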

Command 5: TCP SYN and UDP scan for all ports.

$ nmap -sS -sU -Pn -p 1-65535 192.168.213.129

This command is used when we are scanning all 65535 TCP and all 65535 UDP ports. The flag '-Pn' means that we assume the host is up. This is done because sometimes firewalls are set up to block ICMP replies.

Some Important Points:

  • Many times, some Nmap features will not work if you are not the root user (Linux) or a user with administrative privileges (Windows). So in case of any errors, try running Nmap as the root user.
  • Try different combinations for scan types and options. Nmap has many interesting things. We have only described the most common scans that are used by penetration testers.

Additional references:

Now if you think that you are ready to learn Nmap in depth, check out this page:

Nmap Official page

You can find the whole list of things Nmap is used for. Also, we have left out an important portion, Nmap scripts. We will write about it in depth in another post, but feel free to learn what it is and why it is so popular.

Have any questions about a problem in installation or any errors obtained during scanning? Feel free to comment and we will reply back as soon as possible.

Till then keep learning and Happy hacking..:)