KNOX D3: October 2012

Hack A Facebook Account With ARP Poisoning

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrV-mxEQNTXMjjCG8QdPxZeb8ydFhGKmiVZroQ1Ppe11v-hXQxsf3JNk2KfF8Z2DgRmpkQl1FZHkTAaBN8yOIMdSdkRufVqvp3HZwkKIWaVXQo_ssBppoIIlaSLvKcB227PW1e-u96vFw/s1600/facebook_hacked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrV-mxEQNTXMjjCG8QdPxZeb8ydFhGKmiVZroQ1Ppe11v-hXQxsf3JNk2KfF8Z2DgRmpkQl1FZHkTAaBN8yOIMdSdkRufVqvp3HZwkKIWaVXQo_ssBppoIIlaSLvKcB227PW1e-u96vFw/s640/facebook_hacked.jpg" width="577" /></a></div> This article is a revised and a more advanced version of what we learned in the post "<a href="http://www.rafayhackingarticles.net/2011/07/facebook-cookie-stealing-and-session.html">Facebook Cookie Stealing And Session Hijacking</a>", before i get started, i would like to share that i have just passed my CCNP route examination with 95.3 percent and i am preparing for my CCNP switch examination therefore i would not be able to post for a while, however our Cheif Editor "Dr Sindhiya Junjeo" will continue to update you with latest hacking news until i return. So Let's get back to the tutorial. <a name='more'></a> In our previous post, "<a href="http://www.rafayhackingarticles.net/2011/07/facebook-cookie-stealing-and-session.html">Facebook Cookie Stealing And Session Hijacking</a>" i used a packet sniffer called "Wireshark" to capture packets on a wireless network and finally captured facebook's authentication cookie and replaced the victims authentication cookie with our own authentication cookie allowing us to <a href="http://www.rafayhackingarticles.net/2009/07/how-to-hack-facebook-account.html" target="_blank">hack the facebook account</a>. However this post would be more related to hacking a facebook account on a LAN with ARP Poisoning or Man in the middle attack. <h4>Lan Sniffing - Core Concepts</h4><ul style="text-align: left;"><li>If you are sniffing on a local area network (LAN), first of all you should make sure that your Network card is in the promiscuous mode. </li></ul><ul style="text-align: left;"><li>Next up you should know the difference between a hub and a switch based network, in case of a hub based network a normal packet sniffer would do the job, however in case of a switch based network we would need to launch an attack called "ARP Poisoning attack" or "Man in the Middle attack" in order to route the victims traffic through us. </li></ul><div><div>Before reading this tutorial I would recommend you to  part1, part2 and part 3 of my Gmail Session Hijacking and Cookie stealing series, So you could have better understanding of what I am doing here.</div><div><ul style="text-align: left;"><li><a href="http://www.rafayhackingarticles.net/2011/06/gmail-cookie-stealing-and-session.html" target="_blank">Gmail Cookie Stealing And Session Hijacking Part 1</a></li><li><a href="http://www.rafayhackingarticles.net/2011/06/gmail-cookie-stealing-and-session_26.html" target="_blank">Gmail Cookie Stealing And Session Hijacking Part 2</a></li><li><a href="http://www.rafayhackingarticles.net/2011/07/gmail-cookie-stealing-and-session.html" target="_blank">Gmail Cookie Stealing And Session Hijacking Part 3</a></li></ul></div></div><h4>Logic And Methodology:</h4><div>The tutorial is divided in to three main steps:</div><div> Step 1 <div class="separator" style="clear: both; text-align: center;"></div><div> First of all we would use "ARP Poisoning" or "Man In the Middle Attack" in order to poison victims "ARP CACHE" and route all the traffic through our computer. <div> </div><div>Step 2</div><div> </div><div>Since all the traffic would be rotued through our computer, we would simply launch a packet sniffer (Wireshark) and capture the authentication cookies for facebook.</div><div> </div><div>Step 3</div><div> </div><div>Finally we would replace the victims authentication cookie with our cookies and therefore hacking into victims Facebook account. </div><div> </div><div>Tools</div><div><ul style="text-align: left;"><li><a href="http://www.oxid.it/cain.html" rel="nofollow" target="_blank">Cain And Abel</a></li><li><a href="http://www.wireshark.org/download.html" rel="nofollow" target="_blank">Wireshark</a></li><li><a href="https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/" target="_blank">Cookie Manager Plus (FIREFOX ADDON)</a></li></ul></div><div><h4>Hack A Facebook Account [ARP Poisoning] {STEP 1 }</h4></div>I have wrote lots of tutorials on ARP Poisoning, therefore i won't got into much details on how it works. We would use a tool named "Cain And Abel" to accomplish this task. So here is how we will use "Cain And Abel" to carry out a Man in the Middle attack to hack a facebook account. Step 1 - Download "Cain and Abel" from the link above and launch it.</div><div>Step 2 - Turn on the sniffer by clicking on the Green button at the top, Next scan for the Mac Addresses by clicking on the plus sign (+) at the top. </div><div> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc6V6jiRkTA6u2fuDo5rjPw3UI_BXSK3ONceVAzyuJ5ehkj0u8HIX9Zv-qqmYzlWY5WV49kBxtHDVccnzd4JQhNA6kZfN4CphxFeTohxvW6iWSvpXq8X_sAKhqpLJSFg0oq71JqU1_EAA/s1600/cain+and+abel.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="434" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc6V6jiRkTA6u2fuDo5rjPw3UI_BXSK3ONceVAzyuJ5ehkj0u8HIX9Zv-qqmYzlWY5WV49kBxtHDVccnzd4JQhNA6kZfN4CphxFeTohxvW6iWSvpXq8X_sAKhqpLJSFg0oq71JqU1_EAA/s640/cain+and+abel.png" width="577" /></a></div><div> </div><div>Step 3 - Once you have scanned all the Mac Addresses and IP addresses, it's time to perform the Man In the middle attack. For that, Click on the APR tab at the bottom and then click on the white area in the top frame. This will turn the "+" sign into blue color.</div><div> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgclCaPf8O10W8DNeBInEjAR0n9Dmm8jmkDfdQCjOn8-bcq7Cfhd3FsTRT_WtRbNgsa5wCjkct7JeOJt4KuIUy516k9ULET92Q55ozwnAfOVYG25exswEC4JVkoN8pOsMC7XRVROPeG7Bk/s1600/cain+and+abel+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgclCaPf8O10W8DNeBInEjAR0n9Dmm8jmkDfdQCjOn8-bcq7Cfhd3FsTRT_WtRbNgsa5wCjkct7JeOJt4KuIUy516k9ULET92Q55ozwnAfOVYG25exswEC4JVkoN8pOsMC7XRVROPeG7Bk/s640/cain+and+abel+2.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"> </div><div class="separator" style="clear: both; text-align: left;">Step 4 - Next click on the "+" sign, lists of hosts will appear, select the hosts which you want to intercept the traffic between. In my case at the left side would be my default gateway and on the right would be my victim hosts. </div><div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq_Q44jSDGWWV_A6ySNArkE-sRRuewQfw9y8itZS0OT7glkzRv99U8PP8L9ACMI6_2fbHo8_Hg7VMDp9ondBDaOohVJbCnnjtMpKB6VgbnS0WIHwf1qp6WkJ4jIDSk5wuZ6qlJRp7nZDU/s1600/cain+and+abel+54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq_Q44jSDGWWV_A6ySNArkE-sRRuewQfw9y8itZS0OT7glkzRv99U8PP8L9ACMI6_2fbHo8_Hg7VMDp9ondBDaOohVJbCnnjtMpKB6VgbnS0WIHwf1qp6WkJ4jIDSk5wuZ6qlJRp7nZDU/s640/cain+and+abel+54.png" width="577" /></a></div><div> Step 5 - Click ok and then finally click the "Yellow Button" just under the file menu of  "Cain and abel", Now it will start poisoning the routes in a short span of time and you would start to see traffic being captured by cain and abel. </div><div> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBvos9VuMqfRPW3CMsgYjFQfLf19EKxwznjY_TSpBrBIV6cGRgNPX_slqe1tDilCo6Uw7psBTyRo_7e8fSMli__yExWw3QxuVI3aoQGuLG4h81yxGiqipTFH6FmTqwibV4qiql71H9PCE/s1600/new.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBvos9VuMqfRPW3CMsgYjFQfLf19EKxwznjY_TSpBrBIV6cGRgNPX_slqe1tDilCo6Uw7psBTyRo_7e8fSMli__yExWw3QxuVI3aoQGuLG4h81yxGiqipTFH6FmTqwibV4qiql71H9PCE/s640/new.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><div> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDClDmV8Ahp0dbpKzAtwFewklaZCH0i3RqvT392D3E3XenRD9coj-lQ7UCawEgQxRBNYXW7dOC3Ea3ja8cDfg64fZPG2O2QIpuKGb2Vmf34yMfZNbkhsMsc4OU2m_COgNd5Sr2CjoQbjQ/s1600/ARP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDClDmV8Ahp0dbpKzAtwFewklaZCH0i3RqvT392D3E3XenRD9coj-lQ7UCawEgQxRBNYXW7dOC3Ea3ja8cDfg64fZPG2O2QIpuKGb2Vmf34yMfZNbkhsMsc4OU2m_COgNd5Sr2CjoQbjQ/s640/ARP.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"> </div><div class="separator" style="clear: both; text-align: center;">Monitor a Facebook Account from any where in the world</div><div class="separator" style="clear: both; text-align: center;"><a href="http://www.rafayhackingarticles.net/2010/01/remote-password-hacking-software_07.html" target="_blank"><img border="0" src="http://www.sniperspy.com/images/bnr/521396066_336x280.gif" /></a></div><div> Hack A Facebook Account [Packet Sniffing Wireshark] {STEP 2}</div><div> </div><div>So, since we have already poisoned victim's ARP Cache, all the traffic going from the victim to the router will be captured by our packet sniffer (Wireshark). But before we capture the cookie, i would like to explain briefly regarding "Facebook Authentication Cookies".</div><div><h4>Facebook Authentication Cookies</h4></div><div>Well, at the time i wrote the tutorial "Facebook Cookie Stealing And Session Hijacking" Facebook used "Datr" as their authentication cookie, Now facebook uses two cookies instead of one, namely "c_user" and "xs" for authenticating a user. Therefore we would need to capture both of these cookies and replace them with our cookie to hack a facebook account.  So here is how you would capture authentication cookies with facebook. </div><div> </div><div><div>Step 1 - First of all download wireshark from the official website and install it.</div><div> </div><div></div><div> </div><div>Step 2 - Next open up wireshark click on analyze and then click on interfaces.</div><div> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Eb6NAOzydt2tEOWw4eAkO9fGgNLCsxpnd6wWdQvq92d8CiXcl5VO9O8u8ysIyZ3ovNOJ1pOsqH97nY-6ak0IfyV1vqjwN2_sn87L5A3q4OJDbuZ1DgnKd9WD4z4BZ7_XOzdpf5hQOJo/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Eb6NAOzydt2tEOWw4eAkO9fGgNLCsxpnd6wWdQvq92d8CiXcl5VO9O8u8ysIyZ3ovNOJ1pOsqH97nY-6ak0IfyV1vqjwN2_sn87L5A3q4OJDbuZ1DgnKd9WD4z4BZ7_XOzdpf5hQOJo/s640/Untitled.png" width="577" /></a></div><div> </div><div>Step 3 - Next choose the appropriate interface and click on start.</div><div> </div><div> </div><div>Step 4 - Continue sniffing for around 10 minutes.</div><div> </div><div>Step 5 - After 10minutes stop the packet sniffing by going to the capture menu and clicking on Stop.</div><div> </div><div>Step 6 - Next set the filter to http.cookie contains “datr” at top left, This filter will search for all the http cookies with the name datr, And datr as we know is the name of the facebook authentication cookie.</div><div> </div><div><div><img height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2jSs-tOnSVyRXvkJYgEfLkIe_qDJqxdroxMunZh2AS62HVpt24bDOGRPGSrpiKSm8ZuCMiFGntuQ2XaNFa_hhTUwe88YOmRO6k6aqegDsS9zGC2GDUS4HC0FKYnW8t8TSWhLzWzn1T4I/s640/Auth+1.png" width="577" /></div></div><div> </div><div> </div><div>Step 7 -  Next right click on it and goto Copy - Bytes - Printable Text only.</div><div> </div><div><div><div><img height="545" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy_GfxrSnvYokZNkMsC59TkKB0-c-qpf44rQp4FN1cBkkvUxGWrBL3xzb21MLVxt-x7pIssRnVB10vlokh3wCVNcyau6wIp7Q0A_TW_ulCHvCmRWNqsDWaN8k2fqQskp81tynxpom2UXs/s640/2.png" width="577" /></div></div></div><div> </div></div><div>Step 8 - Now you would see lots of cookie values, however c_user and xs would be the only ones of our interest. Copy both of the values in a notepad. </div><div> <h4>Hack A Facebook Account [Cookie Editing] {Step 3}</h4></div><div>Now, finally it's time to hack a facebook account by using the cookie values we captured, for this purpose you would need a cookie editor, I will use a firefox addon called "Cookie Manager" to replace the cookies.</div><div> </div><div>Step 1 </div><div> First of all open up firefox and browse to http://facebook.com.</div><div> </div><div>Step 2   Next open up the cookie manger (Tools - CookieManager+)</div><div> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4u124L1mAIuok9b5VO8XmHa7wEJDpqv-bfJpQov9cUzMeoPCGfPk-YaTL8XIJQHXnuFpw3-x7UnuPmlxBmxE8OQJukJJ2v3h-0BIaO86rpBVvPeqAFXbzgAsuSlQFdSh0rEGi1pSq0qY/s1600/cookie+manager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="504" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4u124L1mAIuok9b5VO8XmHa7wEJDpqv-bfJpQov9cUzMeoPCGfPk-YaTL8XIJQHXnuFpw3-x7UnuPmlxBmxE8OQJukJJ2v3h-0BIaO86rpBVvPeqAFXbzgAsuSlQFdSh0rEGi1pSq0qY/s640/cookie+manager.png" width="577" /></a></div><div> </div><div> </div><div>Step 3   Next click the "add" button.  Fill in the following values: (Take a look at the screenshots below for more clarification)</div><div> </div><div>For Authentication Cookie: c_user</div><div> </div><div>Name: c_user</div><div>Value: The value of the cookie that was captured.</div><div>Host: .facebook.com</div><div> </div><div>For Authentication Cookie: xs</div><div> </div><div><div>Name: xs</div><div>Value: The value of the cookie that was captured.</div><div>Host: .facebook.com</div></div><div> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtxQ5zaG7pvUXLI2GrIU3fCBoOZ56LSJA3G8wjtVMOFTWywWyYN9pPIAxj36H4vKOulomTyENUUpj_XfXqblJJXIqNffZ5d5PCNFSjppM71lKn3CVGxIpWtkrnwbR2jkKmttWyHtPNb0I/s1600/cookie.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="438" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtxQ5zaG7pvUXLI2GrIU3fCBoOZ56LSJA3G8wjtVMOFTWywWyYN9pPIAxj36H4vKOulomTyENUUpj_XfXqblJJXIqNffZ5d5PCNFSjppM71lKn3CVGxIpWtkrnwbR2jkKmttWyHtPNb0I/s640/cookie.png" width="577" /></a></div><div> </div><div>Step 4 -</div><div> </div><div>Next click on the save button, Finally you just need to refresh your page and you would be logged in to the victims account, thus you have hacked a facebook account by session hijacking attack. </div><div> </div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitJZUJMwuenZPCOZr2Ra370UkZia4PqJB-bDzfYzmUc7w-QUUIAZ7dOAck7sjDgCdn8Gcy-WFo0NsLd7s6SZZ2GqYTRux_O46mDvAEgCEWIhy9A1oC2V26c2tdcefCRxUSCEVjXkyJRXc/s1600/Fb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitJZUJMwuenZPCOZr2Ra370UkZia4PqJB-bDzfYzmUc7w-QUUIAZ7dOAck7sjDgCdn8Gcy-WFo0NsLd7s6SZZ2GqYTRux_O46mDvAEgCEWIhy9A1oC2V26c2tdcefCRxUSCEVjXkyJRXc/s640/Fb.png" width="577" /></a></div><div><div> </div><div> </div><div></div><div></div><div>Note: This Attack will only work if victim is on a http:// connection and even on https:// if end to end encryption is not enabled.</div></div><div> </div><div>I hope you have enjoyed the tutorial as much as i have enjoyed while making it, if you have any questions feel free to ask, Feel free to share it with your friends so they can know the dangers of browsing over a http connection. </div><div></div><div> </div><div>P.S: If you would like to learn more methods to hack in to facebook account, kindly refer my <a href="http://facebookhackingcourse.com/">Facebook Hacking Course</a></div><div></div></div></div>

Hack A Facebook Account With ARP Poisoning

This article is a revised and a more advanced version of what we learned in the post " Facebook Cookie Stealing And Session Hijacking ...

+ Read more »

How to exploit CSRF vulnerability(CSRF tutorial)?

<div dir="ltr" style="text-align: left;" trbidi="on">Today, I'm going to explain you about WEB vulnerability that not everyone knows...but it very popular.This vulnerability is very dangerous and effective.Usually, the vulnerability exploiting never leave evidences.This vulnerability called: Cross Site Request Forgery(CSRF).CSRF and the way to exploit it is extremely easy; Much easier then all the complicated injections. <div style="line-height: 0.19in; margin-bottom: 0in;">How does it works?</div><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0.2in;"> It works by forcing the slave's browser to run HTTP requests in order to implement a range of actions, for example :</div><ul><li><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;">Permission faking\stealing.</div></li><li><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;">Transfer of funds from the Bank</div></li><li><div align="LEFT" style="line-height: 0.19in;">Disruption of the normal sequence of the site</div></li></ul><div align="LEFT" style="line-height: 0.19in;">And much more.</div><a name='more'></a>Requirements to exploiting CSRF. <ul><li><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;">Make sure that the slave have SESSION \ COOKIE on the target site.</div></li><li><div align="LEFT" style="line-height: 0.19in;">slave must be identified by the network protocol verification (HTTP Authentication)                                                                                                  </div></li></ul><div align="LEFT" style="line-height: 0.19in;">Actually, In order to cause the slave to perform unwanted actions he is not aware of, the slave must be logged to the target site with cookies and verified by the browser \ server.</div><div align="LEFT" style="line-height: 0.19in;"> </div><div style="line-height: 0.19in; margin-bottom: 0in;">Common uses CSRF attacks.</div><div align="LEFT" style="line-height: 0.19in;"> Common attack is using the image tag (img src) in the HTML document. I mean, in the SRC of the image tag must be inserted malicious link should send HTTP requests to the target, such as a GET request can be excellent. The benefits of using an image tag on the normal link tag (a href) are :</div><ol><li><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;">Image tag does not require clicking the link compared Tag-A requires clicking on the link to activate the HTTP request.</div></li><li><div align="LEFT" style="line-height: 0.19in;">Nature of browsers is to send HTTP requests to visual objects such as picture or remote files (CSS, JS, etc.) even while loading the page without the user's permissions. This means the user does not need to perform any action in order to see the image on the page, all he has to do is go to a certain site specific browser sends HTTP requests have to load the image. In this case, since the browser recognizes the HTML code of the image tag, it sends HTTP requests to load the image even if the SRC of the image is not really a picture, but a malicious link ...</div></li></ol><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;"> For those of you that uses Fire-Bug(Firefox add-on) can see in the next snapshot example of sending an HTTP request from the browser to the server to load an image during the login of the user:</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd1zmpyXQ3XVpiV4Vj_MuYm006sOfai3Kbp67MjzQ7MBiWWYS_sPnUskM5uqWifTXRewoxzPkWk0fJ592Wx0qTZkEOmz71FbMapDyhUv6VyZn4fed5UvWNTs-mK8xHRyiRSOXTL6_u4P2E/s1600/InUNu.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="csrf-tutorial" border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd1zmpyXQ3XVpiV4Vj_MuYm006sOfai3Kbp67MjzQ7MBiWWYS_sPnUskM5uqWifTXRewoxzPkWk0fJ592Wx0qTZkEOmz71FbMapDyhUv6VyZn4fed5UvWNTs-mK8xHRyiRSOXTL6_u4P2E/s400/InUNu.png" title="csrf-tutorial" width="400" /></a></div><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;"> Also, CSRF attacks can be implemented not only through websites but through email messages. Since the mail boxes allow sending data to HTML format, the attached image perfectly legal. In this case I can send a malicious email message to huge amount of recipients, put a photo tag email body when the SRC contain a malicious link, when the slave opens the email, the desired action done. Exploiting code examples:  HTML</div><div align="LEFT" style="margin-bottom: 0in;">Using img tag: </div><div align="LEFT" style="margin-bottom: 0in;">PHP Code:</div><div align="LEFT" style="margin-bottom: 0in;"><img style="display:none;" src="http://targetsite.com/change_password.php?new_password=123456"> </div><div align="LEFT" style="margin-bottom: 0in;"> </div><div align="LEFT" style="margin-bottom: 0in;">Using iframe tag:</div><div align="LEFT" style="margin-bottom: 0in;">PHP Code:</div><div align="LEFT" style="margin-bottom: 0in;"><iframe src="http://targetsite.com/change_password.php?new_password=123456"></iframe> </div><div align="LEFT" style="margin-bottom: 0in;"> </div><div align="LEFT" style="margin-bottom: 0in;">Java Script</div><div align="LEFT" style="margin-bottom: 0in;">using image object.</div><div align="LEFT" style="margin-bottom: 0in;">PHP Code:</div><div align="LEFT" style="margin-bottom: 0in;"><script></div><div align="LEFT" style="margin-bottom: 0in;"> var poniz = new Image();</div><div align="LEFT" style="margin-bottom: 0in;"> test.poniz = "http://targetsite.com/change_password.php?new_password=123456";</div><div align="LEFT" style="margin-bottom: 0in;"></script> </div> Exploiting sequence <div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;"> Here a cool example that actually belong to Black-SEO. What I want to check in my user control panel is the parameters are sent as a request to HTTP server when I'm updating my home page via the user control panel. There are a variety of fields that can be updated, such as address, phone, email, name, content, and most importantly for this example: The favorite website\home page address. These parameters are sent to the server when updating my website address. So it seems to Firebug: </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOuQNWegxoc35_gNs9MTb4luXS-WfVtIgKObpgwaCryQqIOobOq9yCuPcRVdFyiQ9euSEWgZI2o3WS2diSV2BwJRxDcw4YuteJ8fEGj1rh74THb2DIj80Rqt2GJYSPpZkdqVbv0z1bokiV/s1600/UYIgx.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="csrf-tutorial" border="0" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOuQNWegxoc35_gNs9MTb4luXS-WfVtIgKObpgwaCryQqIOobOq9yCuPcRVdFyiQ9euSEWgZI2o3WS2diSV2BwJRxDcw4YuteJ8fEGj1rh74THb2DIj80Rqt2GJYSPpZkdqVbv0z1bokiV/s400/UYIgx.png" title="csrf-tutorial-2" width="400" /></a></div><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;">   These parameters are sent to the server using POST method. So we do not see the parameters in the URL address. But, if the parameters will be written via GET method, the data will sent? Let's see.</div><div align="LEFT" style="margin-bottom: 0in;">Code:</div><div align="LEFT" style="margin-bottom: 0in;">http://targetsite.com?users.php?db[webaddress]=http://www.PonizSite.com&action=save</div><div align="LEFT" style="margin-bottom: 0in;">It works! (Actually...in the server-side code(php), the variable was in REQUEST method...but it's not matter)</div><div align="LEFT" style="margin-bottom: 0in;"> </div><div align="LEFT" style="margin-bottom: 0in;">Now ... Imagine that Dork like this one:</div><div align="LEFT" style="margin-bottom: 0in;">Quote:</div><div align="LEFT" style="margin-bottom: 0in;">site:targetsite.com & intext:"Homepage" & intext:"email: "</div><div align="LEFT" style="line-height: 0.19in;"> Now, I've got all the emails of users and I can send them an emails with img tag, and when they will open it, their home page\website addressfield in their profile will change(To <a href="http://www.ponizsite.com/" target="_blank">http://www.ponizSite.com</a>) <img align="BOTTOM" alt="Oui" border="0" height="20" name="graphics4" src="http://cdn2.hackforums.net/images/blackreign/images/smilies/oui.gif" width="20" /> </div><div style="line-height: 0.19in; margin-bottom: 0in;">How to prevent?</div><div align="LEFT" style="line-height: 0.19in;"> There are not many hermetical familiar solutions to prevent CSRF attacks. Except from one: Tokens. What are actually tokens? This is a hidden random ID responsible for sending structured data, such as logging into forms, forms that allow registered users to update data or home page(in our case <img align="BOTTOM" alt="Evilgrin" border="0" height="20" name="graphics5" src="http://cdn2.hackforums.net/images/blackreign/images/smilies/evilgrin.gif" width="20" />)</div><div align="LEFT" style="border-bottom-style: none; border-color: initial; border-image: initial; border-left-style: none; border-right-style: none; border-top-style: none; border-width: initial; line-height: 0.19in; margin-bottom: 0.04in; margin-top: 0.04in; padding-bottom: 0in; padding-left: 0in; padding-right: 0in; padding-top: 0in;"> </div><div align="LEFT" style="margin-bottom: 0in;"><input type="hidden" name="8pssf18ssdmf8s7p80fodi" value='1' id="token" /></div><div align="LEFT" style="border-bottom-style: none; border-color: initial; border-image: initial; border-left-style: none; border-right-style: none; border-top-style: none; border-width: initial; line-height: 0.19in; margin-bottom: 0.04in; margin-top: 0.04in; padding-bottom: 0in; padding-left: 0in; padding-right: 0in; padding-top: 0in;"> Since the tokens are defined, the attacker can not know what is the token of the slave, because every loading of the page the token will change to other random number\string.</div><div align="LEFT" style="line-height: 0.19in;"> Tips :</div><ul><li><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;">Don't forget to delete your cookies.</div></li><li><div align="LEFT" style="line-height: 0.19in; margin-bottom: 0in;">Use tokens(Captcha is safer).</div></li><li><div align="LEFT" style="line-height: 0.19in;">When you built your php site, don't use GET \ REQUEST super-global variables.</div></li></ul></div>

How to exploit CSRF vulnerability(CSRF tutorial)?

Today, I'm going to explain you about WEB vulnerability that not everyone knows...but it very popular. This vulnerability is very danger...

+ Read more »

Online Hacking tools

<div dir="ltr" style="text-align: left;" trbidi="on">Here are some online hacking tools. If your internet connection is slow then you don`t want to download some security software for just information gathering & exploit searching. So you can use online website for this purpose, although big advantage is your i.p is not directly flashing to victim. If you use proxy then it`s more secure because website don`t have your i.p also. <div align="LEFT" style="margin-bottom: 0in;"> </div><div align="LEFT" style="line-height: 0.17in; margin-bottom: 0in;"><a href="http://www.novirusthanks.org/">http://www.novirusthanks.org/</a>(Online File Scanner) <a href="http://www.virustotal.com/">http://www.virustotal.com</a>(Online File Scanner) <a href="http://anubis.iseclab.org/">http://anubis.iseclab.org/</a>(Online File Scanner) <a href="http://www.ipvoid.com/">http://www.ipvoid.com/</a>(IP Address scanner) <a href="http://www.threatlog.com/">http://www.threatlog.com/</a>(HoneyPot Database) <a href="http://www.idoproxy.com/">http://www.idoproxy.com</a>(proxy) <a href="http://whois.domaintools.com/">http://whois.domaintools.com/</a>(Whois lookup) <a href="http://www.robtex.com/">http://www.robtex.com/</a>(swiss army knife internet tool) <a href="http://www.netirk.com/">http://www.netirk.com/</a>(Pinger) <a href="http://www.ahbl.org/lktool">http://www.ahbl.org/lktool</a>(IP Lookup) <a href="http://www.blocklist.de/" target="_blank">http://www.blocklist.de/</a> <a href="http://www.cirt.net/passwords">http://www.cirt.net/passwords</a>(Default password list) <a href="http://www.cirt.net/ports">http://www.cirt.net/ports</a>(Default Ports List) <a href="http://www.urlvoid.com/extract-url/">http://www.urlvoid.com/extract-url/</a>(URL Shortener extractor) <a href="http://www.urlvoid.com/http-headers/">http://www.urlvoid.com/http-headers/</a>(Show the HTTP headers of a link) <a href="http://www.urlvoid.com/find-parasites/">http://www.urlvoid.com/find-parasites/</a>(Find Parasites) <a href="http://www.urlvoid.com/url-dump/">http://www.urlvoid.com/url-dump/</a>(URL Dump) <a href="http://www.fail2ban.org/wiki/index.php/Main_Page">http://www.fail2ban.org/wiki/index.php/Main_Page</a>( For your website) <a href="http://www.nmap.org/">http://www.nmap.org</a>(port scanner)</div><div align="LEFT" style="line-height: 0.17in; margin-bottom: 0in;"></div><a name='more'></a> Exploit Search: <div align="LEFT" style="line-height: 0.17in; margin-bottom: 0in;"><a href="http://exploitsearch.com/">http://exploitsearch.com/</a>(google engine) <a href="http://www.exploitsearch.net/">http://www.exploitsearch.net/</a>(nvd,osvdb,metasploit,…) <a href="http://shodan.surtri.com/">http://shodan.surtri.com/</a>(engine) <a href="http://www.hack0wn.com/advisories.php">http://www.hack0wn.com/advisories.php</a> <a href="http://www.1337day.com/">http://www.1337day.com/</a> <a href="http://www.exploit-db.com/">http://www.exploit-db.com/</a> <a href="http://securityvulns.com/">http://securityvulns.com/</a></div><div align="LEFT" style="line-height: 0.17in; margin-bottom: 0in;"><a href="http://www.zerodayinitiative.com/advisories/published/">http://www.zerodayinitiative.com/advisories/published/</a> <a href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a> <a href="https://web.nvd.nist/">https://web.nvd.nist</a></div><div align="LEFT" style="line-height: 0.17in; margin-bottom: 0in;"><a href="https://web.nvd.nist.gov/view/vuln/search?cid=3">https://web.nvd.nist.gov/view/vuln/search?cid=3</a> <a href="https://www.us-cert/">https://www.us-cert</a></div><div align="LEFT" style="line-height: 0.17in; margin-bottom: 0in;"><a href="https://www.us-cert.gov/cas/techalerts/">https://www.us-cert.gov/cas/techalerts/</a> <a href="http://www.cvedetails.com/">http://www.cvedetails.com/</a> <a href="http://routerpwn.com/">http://routerpwn.com/</a></div></div>

Online Hacking tools

Here are some online hacking tools. If your internet connection is slow then you don`t want to download some security software for just info...

+ Read more »

Acknowledged By Adobe Security Team

<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWYRgFfwXai7uj5mQ-Ii-KGVX6bk-fXOQVTl-564iiTD6AgQHZYYeFJkEfyM_SVtS5_tZJNY4T2nrqFUyBfEdCIq4958llyFtazH2rQvXPCVkHdTI2Tq8RZmL4dX4kmsy9cbTVqh_jFYw/s1600/adobe-radiation.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWYRgFfwXai7uj5mQ-Ii-KGVX6bk-fXOQVTl-564iiTD6AgQHZYYeFJkEfyM_SVtS5_tZJNY4T2nrqFUyBfEdCIq4958llyFtazH2rQvXPCVkHdTI2Tq8RZmL4dX4kmsy9cbTVqh_jFYw/s1600/adobe-radiation.jpg" /></a></div> About three months back I reported an XSS (Cross Site Scripting) vulnerability in Adobe, Recently i came to know that Adobe has finally managed to fix the vulnerability after three long months. <a href="http://www.rafayhackingarticles.net/2012/10/automatically-bypass-xss-filter-with.html">XSS </a>for those of you who don't know is a web application vulnerability which enables the attacker to inject your own javascript inside the webapplication. XSS, at times can become so dangerous that it could enable an attacker to compromise your entire computer system apart from stealing your cookies and redirecting you to phishing pages. <a name='more'></a>You can find my name under the "Adobe Security Researchers Acknowledgement Page": <a href="http://www.adobe.com/support/security/bulletins/securityacknowledgments.html">http://www.adobe.com/support/security/bulletins/securityacknowledgments.html</a> <h4>PROOF OF CONCEPT</h4></div><iframe allowfullscreen="allowfullscreen" frameborder="0" height="300" mozallowfullscreen="mozallowfullscreen" src="http://player.vimeo.com/video/51981987" webkitallowfullscreen="webkitallowfullscreen" width="400"></iframe> Pass the comments!</div>

Acknowledged By Adobe Security Team

About three months back I reported an XSS (Cross Site Scripting) vulnerability in Adobe, Recently i came to know that Adobe has finally mana...

+ Read more »

Automatically Bypass XSS Filter With Snuck

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGBikRzjeeTYdJcmo6loWiBxF5qR-SB1Tf6e7cZeCG6bWBhMGqm72xumQR0iqmVoL-uIHsRXikBsK3yLaBmk0_Fhk4PIxPXtB5IfOwdIupQJSDHSfdM8K3O0Ipj3PXrCWcbI3OVY8wyfA/s1600/Screen+Shot+2012-10-27+at+3.57.01+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGBikRzjeeTYdJcmo6loWiBxF5qR-SB1Tf6e7cZeCG6bWBhMGqm72xumQR0iqmVoL-uIHsRXikBsK3yLaBmk0_Fhk4PIxPXtB5IfOwdIupQJSDHSfdM8K3O0Ipj3PXrCWcbI3OVY8wyfA/s640/Screen+Shot+2012-10-27+at+3.57.01+AM.png" width="640" /></a></div> Snuck is a Selenium based automated tool programmed, which is different from typical web security scanners, to help discovered XSS vulnerabilities in web applications. It's approach is related to the inspection of the injection's reflection context, specialising them in order to increase the success rate of breaking a given XSS filter. The attack vectors are chosen on the basis of the reflection context (the pinpointed location where the injection falls in the reflection web page's DOM). This is possible through Selenium web driver that allows to duplicate operations in web browsers. It requires an XML configuration file to be filled in order to make snuck a wiz at what it needs to do with respect to the test web application. It supports Mozilla Firefox, Google Chrome and Internet Explorer and the XSS testing in performed on a real web browser to mirror the attacker's and (possibly) the victim's behaviour. <a name='more'></a> Snuck is a Java-based open-source software and is released under the Apache 2.0 license. To download you can use the following source using snv: <pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em; text-align: -webkit-auto;">svn checkout http://snuck.googlecode.com/svn/trunk/ snuck-read-only</pre><div style="font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em; text-align: -webkit-auto;"> </div><div style="max-width: 64em; text-align: left;">Once done, you can use the build.xml for Ant to compile the source files and generate the jar file</div><pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em; text-align: -webkit-auto;">cd snuck-read-only ant jar</pre><div style="font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em; text-align: -webkit-auto;"> </div><div style="font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em; text-align: -webkit-auto;"></div><div style="line-height: 1.25em; max-width: 64em; text-align: left;">Then you will be able to generate an executable jar file which is ready to run.</div><div style="line-height: 1.25em; max-width: 64em; text-align: left;"> </div><div style="line-height: 1.25em; max-width: 64em; text-align: left;">You can also download it via a ready-to-run executable jar by click <a href="http://code.google.com/p/snuck/downloads/detail?name=snuck.zip" target="_blank">here</a>.</div><div style="line-height: 1.25em; max-width: 64em; text-align: left;"> </div><div style="line-height: 1.25em; max-width: 64em; text-align: left;">We would like to mention here that you just need a working JVM and Firefox to run this software. To run a test with Google Chrome/Chromium, you must download and use the <a href="http://code.google.com/p/chromedriver/downloads/list" target="_blank">appropriate server </a>which is a bridge between the web browser and the driver.</div><div style="line-height: 1.25em; max-width: 64em; text-align: left;"> </div><div style="line-height: 1.25em; max-width: 64em; text-align: left;">To run the software on Internet Explorer and its appropriate server please refer to the following <a href="http://code.google.com/p/selenium/downloads/list" target="_blank">link</a>.</div><div style="line-height: 1.25em; max-width: 64em; text-align: left;"> </div><div style="max-width: 64em; text-align: left;">You will also need to familiarise yourself with the command line options. Below you can find the available arguments and the correspondent description:</div><div style="max-width: 64em; text-align: -webkit-auto;"> </div><div style="max-width: 64em; text-align: -webkit-auto;"></div><pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em;">>java -jar snuck.jarUsage: snuck [-start xmlconfigfile ] -config xmlconfigfile -report htmlreportfile [-d # ms_delay] [-proxy IP:port] [-chrome chromedriver ] [-ie iedriver] [-remotevectors URL] [-stop-first] [-reflected targetURL -p parameter_toTest] [-no-multi] Options :   -start         path to login use case (XML file)   -config        path to injection use case (XML file)   -report        report file name (html extension is required)   -d             delay (ms) between each injection   -proxy         proxy server (IP: port)   -chrome        perform a test with Google Chrome, instead of Firefox. It needs the path to the chromedriver   -ie            perform a test with Internet Explorer, instead of Firefox.                  Disable the built in XSS filter in advance   -remotevectors use an up-to-date online attack vectors source instead of the local one   -stop-first    stop the test upon a successful vector is detected   -no-multi      deactivate multithreading for the reverse engineering process - a sequential approach will be adopted   -reflected     perform a reflected XSS test (without writing the XML config file)   -p             HTTP GET parameter to inject (useful if -reflected is setted)   -help          show this help menu </pre> <h3 style="text-align: left;">Sample Scenarios and How-Tos <a href="http://code.google.com/p/snuck/wiki/Tutorial" target="_blank">According to Google</a>:</h3><div style="text-align: left;"></div><ul style="line-height: normal; max-width: 62em; padding-left: 25px; text-align: left;"><li style="margin-bottom: 0.3em;">Scenario I: Stored XSS</li></ul><ul style="line-height: normal; max-width: 62em; padding-left: 25px; text-align: left;"> Let us assume to have an e-commerce web site, which allows sellers to modify the description of their items. Items' descriptions are publicly accessible, thus leading to stored XSS in the case of XSS filter bugs. Testing the XSS filter needs three steps to be performed before landing in the reflection page. Since the injection is reflected within a P html element, the tool will reverse the fi lter and report the allowed tags and attributes in the final report. Obviously detected XSS are reported as well. See the following image for better understanding the context.</ul> <div><ul style="font-family: arial, sans-serif; font-size: 13px; max-width: 62em; padding-left: 25px; text-align: -webkit-auto;"><blockquote style="margin: 20px; max-width: 60em;"><img src="http://www.sneaked.net/snuck/images/tutorial_I.png" style="border: 0px; max-width: 100%;" /></blockquote>In the aforementioned case snuck need to know which operations are required to connect the injection page, that is the web page in which the malicious payload is supplied, to the reflection one, that is the web page in which the payload is reflected. This task can be done by passing an XML configuration file, such as the following. In particular every <tt style="max-width: 66em;"><command></tt> reports a tuple in the form of Selenium commands, refer to Selenium selectors for further information. </ul><blockquote style="margin: 20px; max-width: 60em; text-align: -webkit-auto;"><pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em;"><?xml version="1.0" encoding="UTF-8"?> <root>   <post>         <commands>             <command>                 <name>open</name>                 <target>http://wtfbay.com/modify.php?id=90</target>                 <value></value>             </command>             <command>                 <name>type</name>                 <target>name=name</target>                 <value>${RANDOM}</value>           </command>                                                                               <command>                 <name>type</name>                 <target>id=description</target>                 <value>${INJECTION}</value>            </command>            <command>                 <name>click</name>                 <target>name=submit</target>                 <value></value>            </command>           <command>                 <name>select</name>                 <target>id=cat</target>                 <value>Bike</value>             </command>             <command>                 <name>click</name>                 <target>name=submit</target>                 <value></value>             </command>         </commands>     </post> </root></pre></blockquote>In addition, since it is obvious that a login operation is required for managing our items, then another XML configuration file is needed. <blockquote style="margin: 20px; max-width: 60em; text-align: -webkit-auto;"><div style="font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em;"></div><pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em;"><?xml version="1.0" encoding="UTF-8"?> <root>     <post>         <commands>             <command>                 <name>open</name>                 <target>http://wtfbay.com/login.php</target>                 <value></value>             </command>             <command>                 <name>type</name>                 <target>name=user</target>                 <value>admin</value>            </command>                                                                                                              <command>                 <name>type</name>                 <target>name=pwd</target>                 <value>admin</value>            </command>            <command>                 <name>click</name>                 <target>name=submit</target>                 <value></value>            </command>         </commands>     </post> </root></pre></blockquote>So far so good, now, how can we start the tool? By assuming that we want an HTML report named report.html and the aforepresented XML files are named usecase.xml and login.xml, then: > java -jar snuck.jar -config usecase.xml -report report.html -start login.xml <div style="text-align: left;">What will the tool do? Basically the tool will firstly reverse engineer the HTML filter used against the user-supplied description, then it will start injecting multiple attack vectors and check whether an XSS is triggered - the important point here is that alert dialog windows are grabbed in order to decide whether an injection is successful; this means that false positive rate is equal to 0 as a vulnerability is reported just in case an alert dialog window is grabbed by the used web browser (note that this is automatically performed).</div><ul style="max-width: 62em; padding-left: 25px; text-align: left;"><li style="margin-bottom: 0.3em;">Scenario II: Stored XSS</li> Let us assume to have a blog, which allows visitors to leave comments. As in the previous case, our goal is to bypass the filter the web application is using against user generated content. Since the tool just need to fill some field and perform the attack, this is actually comparable to a fuzzy approach. See the following image for better understanding the context:.</ul> <ul style="font-family: arial, sans-serif; font-size: 13px; max-width: 62em; padding-left: 25px; text-align: -webkit-auto;"><blockquote style="margin: 20px; max-width: 60em;"><img src="http://www.sneaked.net/snuck/images/tutorial_II.png" style="border: 0px; max-width: 100%;" /></blockquote></ul>The XML configuration file (use case) and the necessary parameters for starting snuck are reported below. <blockquote style="margin: 20px; max-width: 60em; text-align: -webkit-auto;"><pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em;"><?xml version="1.0" encoding="UTF-8"?> <root>                   <post>                                                                                                                <parameters>             <parameter>                 <name>username</name>                 <value>hal9001</value>             </parameter>         </parameters>         <commands>             <command>                 <name>open</name>                 <target>http://examplecom/post.php?id=90</target>                 <value></value>             </command>             <command>                 <name>type</name>                 <target>name=name</target>                 <value>${USERNAME}</value>            </command>                                                                                                   <command>                 <name>type</name>                 <target>id=comment</target>                 <value>${INJECTION}</value>            </command>            <command>                 <name>click</name>                 <target>name=submit</target>                 <value></value>            </command>         </commands>     </post> </root></pre><pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em;">java -jar snuck.jar -config usecase.xml -report report.html</pre></blockquote><div style="text-align: left;"> The remarkable points here are that variables can be defined through the <tt style="max-width: 66em; text-align: -webkit-auto;"><parameter></tt> tags and referenced by using strings in the form of <tt style="max-width: 66em; text-align: -webkit-auto;">${variable_name}</tt>. In addition you can use <tt style="max-width: 66em; text-align: -webkit-auto;">${RANDOM}</tt> or <tt style="max-width: 66em; text-align: -webkit-auto;">${RANDOM_EMAIL} </tt>within <tt style="max-width: 66em; text-align: -webkit-auto;"><value></tt> tags for asking the tool to supply a random alphanumeric string or a random email.</div> <ul style="max-width: 62em; padding-left: 25px; text-align: left;"><li style="margin-bottom: 0.3em;">Scenario III: Reflected XSS</li> Here we present a basic scenario in which the value of an HTTP GET parameter is reflected in a web page, in particular in the attribute <tt style="max-width: 66em;">value</tt> of an <tt style="max-width: 66em;">input</tt> element, whose <tt style="max-width: 66em;">type</tt> is setted to <tt style="max-width: 66em;">hidden</tt>. As usual, we want to test whether injecting this parameter could result in a reflected XSS vulnerability - see below for the XML configuration file and how it is possible to start snuck - in this case we have two different opportunities.</ul> <blockquote style="font-family: arial, sans-serif; font-size: 13px; margin: 20px; max-width: 60em; text-align: -webkit-auto;"><img src="http://www.sneaked.net/snuck/images/tutorial_III.png" style="border: 0px; max-width: 100%;" /> <pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em;"><?xml version="1.0" encoding="UTF-8"?> <root>     <get>         <parameters>             <targeturl>http://example.com/xss.php</targeturl>             <reflectionurl></reflectionurl>             <paramtoinject>param</paramtoinject>             <parameter>foo=bar</parameter>         </parameters>     </get> </root></pre><pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em;">> java -jar snuck.jar -config config.xml -report report.html </pre><pre class="prettyprint" style="background-color: #eeeeee; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; max-width: 70em; overflow: auto; padding: 0.5em;"># faster mode (no XML file required) > java -jar snuck.jar -report report.html -reflected "http://example.com/xss.php?foo=bar" -p param</pre></blockquote><div style="text-align: left;"> Note that the <tt style="max-width: 66em; text-align: -webkit-auto;"><reflectionurl></tt> can be used for asking the tool to make the injections at <tt style="max-width: 66em; text-align: -webkit-auto;"><targeturl></tt> and to look for reflections at the URL defined with <tt style="max-width: 66em; text-align: -webkit-auto;"><reflectionurl></tt>.</div><div style="text-align: left;"> </div><div style="line-height: 1.25em; max-width: 64em; text-align: left;">Further information Sometimes it might be useful to discover the first successful injection without realizing a complete test. This task could be achieved through the argument <tt style="max-width: 66em;">-stop-first</tt>, which makes the tool stop at the first positive, it will find. In addition, you could obviously stop the test through CTRL+C, if so, then the tool will print in stdout the successful injections that it found so far.</div><div style="line-height: 1.25em; max-width: 64em; text-align: left;"> </div><div style="line-height: 1.25em; max-width: 64em; text-align: left;">Click on this <a href="http://code.google.com/p/snuck/downloads/list" target="_blank">link</a> to download Snuck.</div><div style="line-height: 1.25em; max-width: 64em; text-align: left;"> </div><div style="line-height: 1.25em; max-width: 64em; text-align: left;">Cheers!</div><div style="line-height: 1.25em; max-width: 64em; text-align: left;"> </div><div style="line-height: 1.25em; max-width: 64em; text-align: left;">About The Author This article is written by Sindhia Javed Junejo. She is one of the core members of RHA team.</div></div></div>

Automatically Bypass XSS Filter With Snuck

Snuck is a Selenium based automated tool programmed, which is different from typical web security scanners, to help discovered XSS vulnerabi...

+ Read more »