Saturday, 12 November 2016

HOW TO USE CSRF VULNEREBILITY IN WEBSITE (OWASP TOP 10)


CSRF vulnerability
CSRF vulnerability -Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Exploit of this vulnerability-
Let’s do….
Requirement tools:-
1.   Any OS
2.   Xampp server
3.   Web vulnerability web application (DVWA)

Now, follow the steps given below-
1.   Open login page of DVWA website
Admin=admin, password=pentest (I already changed the password)
2.   Set the DVWA security level- Low
3.   Go to CSRF option
4.   Now I am changing the password
Password= hacksac12
Logout
And then login again with the new password
Go to CSRF and view the page source.
Now I want to change the password using this vulnerability.
Let’s do…
Now copy the source code and paste in a notepad

Login with wrong ID or Password
Then copy the first half URL as shown in picture
Paste it after (form action-)
Pentest-new password
Paste your new password after the (new) [“value-pentest”].
Then we copy the new password [“value-pentest”]paste right after the (conf) in the next line,just like we show in the picture.

Then Save as .html format.
Open the file you save which is in html format .
Now when you open the html file a new tab open click Change.
Password has been changed
Let’s check the new password
Its working ….
So this is the vulnerability is allow to hacker login.


So this is the vulnerability is allow to hacker login.
Login password would be changed of any website.
Thanks for reading this article.    
Author: Sumreet Sharma is An Certified Ethical hacker, Penetration tester, junior security analyst network engineer technical writer and pursuing in Microsoft software engineer, India.
Contact here: https://goo.gl/unp1AA
Posted by at No comments:

HOW TO USE XSS (OWASP TOP 10 VULNEREABILITY )




 


 

OWASP

Top Vulnerabilities

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

So this vulnerability is very critical.    

Requirements:-

1.     Any OS

2.     Xampp Server

3.     Web vulnerable web application(DVWA)

Firstly set security level: Low

Now, do the following Steps

1.     Open login page of DVWA website

2.     Go to XSS option

3.     Select reflected XSS

Vulnerable vector



Copy this and paste in the dialogue box

<script>alert(0)</script>

When you submit this, it show a pop up you displaying 0 zero, and then press ok


Then copy this and paste in the same dialogue box

<script>alert(“XSS”)</script>
 
When you submit, this time pop up displaying XSS on it.
Now the trick
you have to replace the word alertto prompt.


Then a pop up comes up displayingXSS, put your name in the blank. (ex:Sachin)


Now, again paste the second command and replace


XSS to documentation.cookiescopy this and paste in it.

<script>prompt(“documentation.cookies”)</script>


Now pop up will show displaying documentation.cookies again type your name on it (ex:sachin)



Now again you have to replace documentation.cookies to documentation.domain, when you press submit


pop up will appear and dislplaying  127.0.0.1 put your name in it. Just like before.


All done in XSS (reflected)…

Now select XSS(stored) next to XSS(reflected)

Put any name in it and in the message box put this

<script>prompt(“documentation.domain”)</script>


 Logout from the account…
Go to the login page
Username: admin
Password: password

Click XSS stored, Pop up comes up displaying 127.0.0.1; put your name in it.



All Done.

So as any Hacker inject our script in website and they can change everything.

Thanks for reading this article.

Author: Sumreet Sharma  is An Certified Ethical hacker, Penetration tester,  junior security analyst network engineer technical writer  n pursuing in Microsoft software engineer, India.

Contact here: https://goo.gl/unp1AA














Posted by at No comments:

Saturday, 22 October 2016

Two Ways To Turn Computer Into Wifi Hotspot



 
Two Ways to Turn Computer into Wifi Hotspot
1.Connectify:
This is an Easy Way so i will recommend you to first try this way. Simply follow the steps.
Step 1: Download Connectify Hotspot.
Step 2: Install and the Restart your Computer.
Step 3: If a Windows Security Alert of Windows Firewall appears, then click Allow access button to add Connectify Hotspot.
Step 4: On Next screens, you should click to choose Connectify Hotspot Lite to use it.
Step 5: Enter your Hotspot Name(SSID) after the "Connectify-" prefix. Only Hotspot PRO lets you choose any SSID you want. Input your desired network security key. Choose your available internet connection (Wi-Fi, LAN) that you want to share.

Then Choose Wi-Fi to create a Wi-Fi hotspot. Choose Ethernet to share over a wired connection (only available in Pro version)
Step 6: Almost Done now all you have to do is Click on Start Hotspot Button.

2: Without Any Software
Step 1: First you need to open “Command Prompt” (Administrator Mode).
Step 2: Type the following command in your Command Prompt. 
netshwlan set hostednetwork mode=allow ssid=Hotspot key=Password123

The "SSID” represents your “WiFi Hot Spot’s name” and the “Key” represents your “WiFi Password”. You can change them, in case you need.
Step 3: Next, enter the following command and press enter to start your virtual WiFi hotspot. It should show a message that “The hosted network started”.
netshwlan start hostednetwork
 


Step 4: Now, go to Control Panel -> Network and Sharing Center -> Network Connections. There you will see the newly listed “Virtual Local Area Connection”.
Step 5: Get back to the “Network and Sharing Center” and click the “Ethernet” or whatever shows in the “Connections” section. A new window will pop-up, in that select “Properties” and go to “Sharing” tab on the top.
Step 6: Enable “Allow other users to connect through this computer’s Internet Connection” option on the top. In the drop down list below, select the newly listed “Virtual Local Area Connection”. Click “Ok” and you are good to go.

All Done…
          
   Enjoy your wifi hotspot
Thanks for reading this article.

Author: Sumreet Sharma  is An Ethical HackerCyber Security Expert, Penetration Tester, India.

Contact here :https://goo.gl/unp1AA
Posted by at No comments:
Subscribe to: Posts (Atom)