Professional Documents
Culture Documents
Apr 2012
Apr 2012
JavaScript
cod
browser.
The impact of
by the poten
code.
A quick look i
Stored
Reflect
DOM Bas
Stored XSS the injected
the target ser
message forum
etc. The victi
script from
stored informa
Reflected XSS
where the inje
vector method.
ch as in an error message,
web server, su
search result
includes some
server as part
are delivered
over
ng
or
such as in
User s
other web se
into
on
malicious
link
clicki
submitting
runs
his
own
in
the
these possible
ways
by
So, all this is the story about the types of
XSS. Now let the real game begin.
cover
all
example.
Custom Attack Vec
tor I
XSS attack more patience, more
possibility of attack.
ered many a times that
side
java
sc
machine. General
ly developers focus more
><script
he will use best encoding
>alert(document.cookie)</scri
user
functions. This
application
javas cript
http://www.victimsi
application,
http://www.victim
http://www.victimsi
sub
directori
JavaScript Funct
names in a plain
text.
/tickets-booking /sear
ch form
+ &t= + (((new
Date()).getTime() -
began_loading) /
1000);alert(document
.cookie);//
+ &t= + (((new
Date()).getTime() -
began_loading) / 100
0)
Javascript function
will treat this line as
Victim
application
has
/ticketscontinuation
of
the function
line and
booking/search form directory. Observe in
execute
ne, then
it comes
above
screenshots
the
li
to
that
/ticketsalert(document.cooki
all
availa
but
application
has smart
as it is in javascript function.
encoding
which encodes all the
/tickets-booking /search form
by this JAVASCRIPT
+ &t= + (((new
have exploited XSS
Date()).getTime() -
methods
began_loading) / 1000)
Custom Attack Vecto
r II
Above line is as it is in javascript function. If
xample of custom attack
I write http://www.victimsite.com/abc/xyz
victim site, there is one
in address bar then application responses
which has the value of
back with page not found error,but the
his value is being used by
javascript function
will have
value like
ction called OpenTicket.
below:
This is another e
vector.
hidden
In
the
variable
5678u , 9999999999 ,
cker.com , 55555 , d
/2012
15:19:13 , 1 , 1 , f
evil , 13/02
Now we will see a custom attack vector for
, , , ,SegmentI
D)
Date()).getTime() began_loading) /
1000);alert(document.cookie);//
in the URL. Now the javascript function
By appending this
function treats th
Style Attri
Its been o
ignored by
successfully.
the
miscellaneous
block
events
all
like
onclick, o
xss has l
execute in
There is
expects the
tried thei
the possib
STYLE attri
bute.
The form
is processed with the required
field and
captures the values in proxy tool.
Observe in
the below screenshot, there is an
appended ST
YLE attribute with the value of
XSS attack
vector in the input field.
Append the onmouseover
into the first name field.
attack
vector
XSS is expl
oited successfully at the page.
In response, application respond back with
error message that special characters are
not allowed. But when you click on the text
box of first name, you get surprised. Script
re
many
more
victim
websites
gets executed on the page.
on internet; its just a matter of
There
available
how expert
on
the
entire
html
ref
page
concerns a
Exploitation
Bro
Framework
(BeEF) is
is
pioneering
techniques
BeE
that
provide th
client side
prac
attack vectors.
framework
code
is
Now, lets s
lets
initi
Below is
page.
used
available
http://code.google.com/p/beef/downloads/
list. Anyone can download and install BeEF,
into the BeEF framework, below
which requires web server, PHP and ruby
t look or we can say home page of
installation
as pre-requisites.
Backtrack
ized BeEF.
(BT) has inbuilt setup of BeEF in it. BT
users can use it without any installation. In
of
at
After login
is the firs
the initial
XSS
Now
entire browser is in attackers hand. He
can
check the system information of the
cre
ated information.
Simply apply this script code in the search
box of the application. IP address is live IP
address of a machine on which BeEF is
configured. Hook.js will hook a browser into
BeEF.
There are many other ways possible to force
victim user to click on this payload,
example by sending one image which has
malicious link behind it, or by click jacking
attack, or by email etc.
for
In
below
I
ave
opened
in
Victims
brows
er.
BeEF
plugin has detected that Facebook is
initi
ated at the victims browser.
Alert box get populated at the victims end.
authenticated
to
Gmail,
best
encoding
insertion
editable
textarea) a
may har
skills
of
the
application
develope
Ankit Ni
rmal
ankit.ni
rmal@indusface.com
Ankit
Nirmal
is
senior
information
secur
years
of
experience
in
infor
research
in
the
automate
appli
cation
security
and
code
review
This was all about some tricky and advance
ss.
stuff of XSS. Sometimes one wonders what
if attackers hook cyber cafs or librarys or
publicly
available
computer
into
proce
their
Sysinternals Suite
TCP View is a subset of
TCP connections.
the NetStat progr
On downloading
TCPView Tcpvcon and a
Sysinternals utilities
are
one
of
the
best
command-line
version
with
the
same
friends of administrator. Sysinternals was
functionality com
es along as a surprise gift.
original
created
back in 1996
by
Russinovich and Bryce Cogswell and was
bought by Microsoft in 2006. Since then the
company has continued to release new tools
and improve the existing ones.
The
Sysinternals
suite consists
following different categories:
Mark
of
the
TCPView enumerate
UDP endpoints, re
versions.
To
domain
toggle
between the dis
integrated
operation, simu
and
e. It is a powerful utility
Color
Coding:
Endpoints
which
will make it an important
changes
much
mor
whose features
state from
one
update
to the next are
system troubleshooting and
highlighted
in yellow;
those
which
are
toolkit.
deleted
are
shown
in red, and
new
endpoints are shown in green.
of
Process
Monitor
utility in ones
malware hunting
Overview
Capabilities
Process
Mo
monitoring
including:
The
da
input a
nd output parameters is more
Using Tcpvcon
d.
detaile
The thre
each o
identif
operati
on.
Usage: tcpvcon [-a] [-c] [-n] [process name
Capture o
f process details, including
or PID]
image p
ath, command line, user and
-a
Show all endpoints (default
ID
show established TCP connections).
nt properties columns are
is
to
session
The
eve
configu
rable and moveable
-c
Print output as CSV.
ers can be set for any data
The filt
field,
configu
Advanced
logging architecture scales
The TCPView is a very useful and a handy
to tens
of millions of captured events
tool which gives the details in one view to
and gig
abytes of log data
the Administrator.
A
cess
tree
tool
shows
pro
relatio
processes
referen
ced in a trace
Process Monitor is monitoring tool that
viewing
of process
image
shows
file
system,
Registry
and
tion
process/thread activity. It is a combination
logging of all operations is
of
the
features
of
two
important
e.
Sysinternals utilities, Filemon and Regmon.
It adds an extensive list of enhancements
including rich and non-destructive filtering,
comprehensive
event
properties
informa
Boot time
possibl
such
Easy
with
This
file
contains
the
individual
It would ec
the command
is used to write its arguments
to standard
output. Another command that
ROT which is known as the Caesar Cipher is
e using is the tr command which
a kind of cryptography wherein encoding is
characters.
I saw
in pastebin
done by moving the letters in the alphabet
implementations
in
different
to its next letter. There are 25 possible ROT
languages to decode ROT and
settings which covers the scope of letters At
of
them
are
using
the
TR
Z. Thus in ROT-1, A is equals to B and B is
so why not mixed it with the
equals to C and so are the next letters but Z
nd? Alright here it goes, for
would go back to A. And so the ROT-1
pkfduY is ROT-1 and so I can
cipher of ProjectXis QspkfduY. Thus, ROT
echo QspkfduY | tr b-za= rotation.
Z.
we will b
translates
different
programming
that
mos
application
echo comma
example Qs
decode it using
aB-ZA-A a-zA-
Jay Turla
shipcodez@gma
il.com
This list should help you to decode ROT-3 to
ROT-25:
Jay Turla
is a programming student and
Infosec en
thusiast from the Philippines.
ROT-3 = tr d-za-cD-ZA-C a-zA-Z
He is one
(Philippin
The
ProjectX
Blog.
ROT-6 = tr g-za-fG-ZA-F a-zA-Z
(http://ww
w.theprojectxblog.net/)
ROT-7 = tr h-za-gH-ZA-G a-zA-Z
ROT-8 = tr i-za-hI-ZA-H a-zA-Z
ROT-9 = tr -za-iJ-ZA-I a-zA-Z
tr
tr
tr
tr
tr
tr
tr
tr
tr
tr
tr
tr
tr
n-za-mN-ZA-M
o-za-nO-ZA-N
p-za-oP-ZA-O
q-za-pQ-ZA-P
r-za-qR-ZA-Q
s-za-rS-ZA-R
t-za-sT-ZA-S
u-za-tU-ZA-T
v-za-uV-ZA-U
w-za-vW-ZA-V
x-za-wX-ZA-W
y-za-xY-ZA-X
z-za-yZ-ZA-Y
=
=
=
=
=
=
=
=
=
=
=
=
=
ROT-13
ROT-14
ROT-15
ROT-16
ROT-17
ROT-18
ROT-19
ROT-20
ROT-21
ROT-22
ROT-23
ROT-24
ROT-25
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
a-zA-Z
retaining
or
receiving
stolen
computer
resource o
r a communication device.
The sectio
Whoever di
Punishment
for
dishonestly
owing or having reason to believe
receiving
stolen
computer
o be stolen computer resource or
resource
or
communication
ion device, shall be punished
device kn
the same t
communicat
with impri
with fine
lakh or wi
This secti
On
An
y stolen computer resource, or
In this article, we will have a look at the
to a person who dishonestly receives
provisions
of Sec.
66B
which
is about
or retains.
----------------------- Page 17----------------------Issue 27 April 2012 | Page - 17
defined
under
System/computer
data
base
ltd.
or
contact@sagarrahurkar.com
playing gambling, because of which
he is always in need of money. One
Sagar
He
the
iPad
and
sold
in Cyber Laws, Fraud
it
to
exclusive
training
stolen.
programs
for
Dheeraj
can
be
prosecuted
enforcement agencies like Police, Income
law
under
this
provision.
He is a regular contributor to various
2.
Dinesh is working as an office boy in
Info-Sec magazines, where he writes on
Calsoft
systems
Pvt.
IT Law related issues.
ltd.
Rahurkar
can
be
contacted
infamous in the office as a greedy
at
contact@sagarrahurkar.com
person who is always behind money
and
noticed
lavish
lifestyle.
that,
Priyanka,
One
day,
who
he
is
company
secretary
forgot
her
Dinesh
stolen
of
Calsoft
laptop
the
has
in
laptop,
the
took
office.
it
can
be
prosecuted
under
this
provision.
St
art VM Ware and boot Matriux.
How to enable Wi-Fi
ter you login and obtain an IP, if
on
Matriux
running
you execute ifconfig -a, by default
Af
inet
inside
VMware
or
Link
Bcas
any
other
Mask
:255.255.255.0
virtualization software. This tutorial
6 addr: fe80::a800:4ff:fe00:a04/64
will
inet
Scop
e:Link
take you step by step on how to do that.
ROADCAST RUNNING MULTICAST MTU:1500
UP B
Metr
ic:1
For this tutorial, I am running VMware
kets:34 errors:0 dropped:0
Workstation on a Windows 7 Enterprise N
runs:0 frame:0
Edition which is my Host machine.
The
ackets:119 errors:0 dropped:0
RX pac
over
TX p
over
runs:0 carrier:0
Matriux is (obviously) my guest operating
coll
isions:0 txqueuelen:1000
system running "Krypton" v1.2. I am using a
D-Link
DWA-125
Wireless
N
Adapter for this tutorial.
150
USB
Procedure
There are so many methods and approaches
to
enable
Wi-Fi
inside
VMware
Virtualization
environment.
One
of
preferred approaches is explained below:
/
the
collisions:0 txqueuelen:1000
RX bytes:4731 (4.6 KiB) TX
bytes:11021
(10.7 KiB)
Interrupt:19 Base address:0x2000
lo
Metric:1
RX packets:52 errors:0 dropped:0
overruns:0 frame:0
TX packets:52 errors:0 dropped:0
Now
Connect
your
USB
overruns:0 carrier:0
collisions:0 txqueuelen:0
Adapter
to your
PC
/
Wi-Fi
Laptop.
Driver
Software
or
information
Clic
sh
Figur
e 4
----------------------- Page 20----------------------Issue 27 April 2012 | Page - 20
wlan0
-a
T
M
e
nvironment.
inet addr:192.168.116.130
Bcast:192.168.116.255
J
oin us for more discussion on Matriux and
Mask:255.255.255.0
i-Fi topics at http://forum.matriux.com/
o
H
MTU:1500 Metric:1
Team Matriux
http://matriux.com
include( b
e ];
}
What is Local File Inclusion?
?>
Local File Inclusion is a method in PHP for
such as include() are not
including Local files from the Local web
its wrong use can cause
server itself.
sue.
In itself functions
vulnerable
but
serious security is
to
includes
subdirectory. In
not
sanitizing
characters such a
which is used for m
server
system
attacker to inclu
web server filesy
information
discl
execution.
For eg. if attack
www.site.com/board/
./etc/passwd
vironment variables
and
such
as
www.site.com/board/index.php?page=../../.
0
./proc/self/environ
0) which we can
alter
them,
HTTP_USER_AGENT=Mozilla/5.
(Windows NT
6.1; rv:8.
access.
follows:
Following are some of
the PHP functions
used for file inclusion:
PATH=/usr/local/bin:/usr/bin:/bi
nDOCUMENT_ROOT=/hsphere/local/ho
me/c242949/site.comHTTP_ACCEPT=t
ext/html,application/xhtml+xml,a
pplication/xml;q=0.9,*/*;q=0.8HT
TP_ACCEPT_CHARSET=ISO-8859-
include();
require();
include_once();
1,utfrequire_once();
8;q=0.7,*;q=0.7HTTP_ACCEPT_ENCOD
ING=gzip,
eir own code for
deflateHTTP_ACCEPT_LANGUAGE=enfollows:
us,en;q=0.5HTTP_CONNECTION=keepaliveHTTP_COOKIE=PHPSESSID=1662i
mbqqot4jq099sij0rhfr3HTTP_HOST=s
if(isset($_GET[ page ]))
{
include( board/ .str_repla
ite.comHTTP_USER_AGENT=Mozilla/5
.0 (Windows NT 6.1; rv:8.0)
Gecko/20100101
Firefox/8.0REDIRECT_QUERY_STRING
ce("..
=filename=/proc/./self/./environ
hp );
REDIRECT_STATUS=200REDIRECT_URL=
}
/runner.phpREMOTE_ADDR=116.202.1
64.155REMOTE_PORT=49376SCRIPT_FI
LENAME=/hsphere/shared/php5/bin/
phpSERVER_ADDR=98.131.116.1SERVE
ems to be a very
R_ADMIN=webmaster@site.comSERVER
php filters can be
_NAME=www.site.comSERVER_PORT=80
aking the following
SERVER_SOFTWARE=ApacheGATEWAY_IN
TERFACE=CGI/1.1SERVER_PROTOCOL=H
//....
TTP/1.1REQUEST_METHOD=GETQUERY_S
TRING=filename=/proc/./self/./en
?>
Beware!! The above code se
a good idea but such
bypassed
easily
by
request:
"index.php?page=....//....
//etc/passwd%00"
vironREQUEST_URI=/runner.php?fil
ename=/proc/./self/./environSCRI
PT_NAME=/php5bin/phpPATH_INFO=/r
unner.phpPATH_TRANSLATED=/hspher
e/local/home/c242949/site.com/ru
nner.php
----------------------- Page 23----------------------I
ssue 27 April 2012 | Page - 23
Securing
Local
product":
Vulnerabilities:
File
Inclusion
case "
include("product
.php");
1. Always try to use if else statement in
following way. For example:
default
<?php
hp");
if (isset($_GET[ page ]))
{
include("index.p
}
else
{
include("index.p
}
?>
2. In the below code:
t")
{
<?php
if($_GET[ page ]!=
include("product.php");
}
{
include( board/
.urlencode(
else
{
}
include("index.php");
}
?>
);
It will encode
the
attackers
}
../../etc/
request
"index.php?page=../
passwd%00"
result
else
in
and
the
following
error:
{
Warning:include(pag
e/..%2F..%
include("index.php");
2F..%2F..%2F..%2Fet
c%2Fpasswd
}
%00.php)
[functio
n.include]:
?>
failed to open s
tream: No
such file or direct
ory
Or similarly you can use switch case:
3. Use realpath() func
tion in the code:
<?php
<?php
if(isset($_GET[ page ]))
{
include( board/ .re
alpath($_GET[ page ]
switch($_GET[ page ])
{
. .php );
case "contact":
?>
include("contact.php");
----------------------- Page 24----------------------Issue 27 April 2012 | Page - 2
4
returns
on
/../
The
Real
path
function
canonicalized
absolute
pathname
success. The resulting path will have no
symbolic
link,
/./
or
components thus defending the attack
successfully.
4.
to
see
that
is
currently
Degree
in
environmental variables.
Computer
from
Science
G.H.
Raisoni
f
engineering and technology (Pune).
and
Engineering
institute