This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Clickjacking| Clickjacking Attacks

By  September 09, 2022  No comments

 

What is Clickjacking?

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.

The invisible page could be a malicious page, or a legitimate page the user did not intend to visit – for example, a page on the user’s banking site that authorizes the transfer of money.

TYPE Of Clickjacking Vulnerability:-

Likejacking

a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they actually did not intend to like.


Cursorjacking

a UI redressing technique that changes the cursor for the position the user perceives to another position. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have now been fixed.

Prepopulate forms trick

Sometimes is possible to fill the value of fields of a form using GET parameters when loading a page. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.

Populate form with Drag&Drop

If you need the user to fill a form but you don’t want to directly ask him to write some specific information (like your email or and specific password that you know), you can just ask him to Drag&Drop something that will write your controlled data like in this example.

Examples Of Clickjacking Attacks:-

Basic Payload

Multistep Payload

Drag&Drop + Click payload

XSS + Clickjacking Vulnerability

If you have identified a XSS attack that requires a user to click on some element to trigger the XSS and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.

Example:
You found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set this details is vulnerable to Clickjacking and you can prepopulate the form with GET parameters.
An attacker could prepared a Clickjacking attack to that page prepopulating the form with the XSS payload and tricking the user into Submit the form. So, when the form is submited and the values are modified, the user will execute the XSS.

How to avoid Clickjacking Attacks?

Client side defences

It’s possible to execute scripts on the client side that perform some or all of the following behaviours to prevent Clickjacking:

  • check and enforce that the current application window is the main or top window,
  • make all frames visible,
  • prevent clicking on invisible frames,
  • intercept and flag potential clickjacking attacks to the user.

Bypass

As frame busters are JavaScript then the browser’s security settings may prevent their operation or indeed the browser might not even support JavaScript. An effective attacker workaround against frame busters is to use the HTML5 iframe sandbox attribute. When this is set with the allow-forms or allow-scripts values and the allow-top-navigation value is omitted then the frame buster script can be neutralized as the iframe cannot check whether or not it is the top window:

Both the allow-forms and allow-scripts values permit the specified actions within the iframe but top-level navigation is disabled. This inhibits frame busting behaviours while allowing functionality within the targeted site.


Depending on the type of Clickjaking attack performed you may also need to allow: allow-same-origin and allow-modals or even more. When preparing the attack just check the console of the browser, it may tell you which other behaviours you need to allow.

X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or </frame> . Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are:</p>

  • X-Frame-Options: deny which prevents any domain from framing the content (Recommended value)
  • X-Frame-Options: sameorigin which only allows the current site to frame the content.
  • X-Frame-Options: allow-from https://trusted.com which permits the specified ‘uri’ to frame this page.
  • Check limitations below because this will fail open if the browser does not support it.
  • Other browsers support the new CSP frame-ancestors directive instead. A few support both.

Content Security Policy (CSP) frame-ancestors directive

The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application’s Content Security Policy.


The frame-ancestors ‘none’ directive is similar in behaviour to the X-Frame-Options deny directive (No-one can frame the page).


The frame-ancestors ‘self’ directive is broadly equivalent to the X-Frame-Options sameorigin directive (only current site can frame it).


The frame-ancestors trusted.com directive is broadly equivalent to the X-Frame-Options allow-fromdirective (only trusted site can frame it).

The following CSP whitelists frames to the same domain only:


Content-Security-Policy: frame-ancestors ‘self’;


See the following documentation for further details and more complex examples:

Limitations

  • Browser support: CSP frame-ancestors is not supported by all the major browsers yet.
  • X-Frame-Options takes priority: Section “Relation to X-Frame-Options” of the CSP Spec says: “If a resource is delivered with an policy that includes a directive named frame-ancestors and whose disposition is “enforce”, then the X-Frame-Options header MUST be ignored”, but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
Read More

Best Hacking Android Phones for Hacker (2022)

By  September 09, 2022  No comments

 

What things do hackers need in mobiles?

  • Ram:- 4 to 8 GB
  • Rom:- 64 GB to Unlimited
  • Battery:- 3050mAh to 6000mAh
  • Kernel:- Hacking Framework Supported Kernels
  • Os:- Android Or Linux
  • SoC:- Media Tek G35 or Up And SD 635 or Up

Linux Phones Made For Hackers:-

  • Pro 1X
  • pro1x
    Pro 1X

An interesting smartphone that supports Ubuntu Touch, Lineage OS, and Android as well.

It is not just a Linux smartphone but a mobile phone with a separate QWERTY keypad, which is rare to find these days.

The Pro 1 X features a decent specification, including a Snapdragon 662 processor coupled with 6 GB of RAM. You also get a respectable AMOLED Full HD display with the Pro 1 X.

  • WiPhone
  • WiPhone, A Phone for Hackers and Makers project video thumbnail
    WiPhone

WiPhone is a unique, minimal phone.

It’s designed to enable hackers by making it easy to extend and modify the electronics and software. Something typical phones are not good for.

WiPhone is also a VoIP mobile phone. It uses WIFI to make HD voice calls, for free. This means that there is no required service contract – and it’s yours for life.

List of Best Hacking Android Phones for Hackers

Under 10k:-

  • POCO C31 (Royal Blue, 64 GB)
    Poco C31

POCO C31

  • Ram:- 4Gb
    ROM:- 64Gb Upto 512 GB
  • Display:- 16.59 cm (6.53 inch) HD+ Display
  • Battery:- 5000 mAh Lithium-ion Polymer Battery
  • SoC:- MediaTek Helio G35 Processor
  • Infinix Hot 10 Play (7° Purple, 32 GB)
    Infinix Hot 11 Play

Infinix Hot 11 Play

  • Ram:- 4Gb
  • Rom:- 128GB
  • Display:-6.82-inch (1640×720)
  • Battery:- 6000mAh
  • SoC:- MediaTek Helio G35
  • realme C21 (Cross Blue, 64 GB)
    Realme c21

Realme C21

  • Ram:- 4 GB
  • Rom:- 64 GB Upto 256Gb
  • Display:- 16.51 cm (6.5 inch) HD+ Display
  • Battery:- 5000 mAh
  • SoC:- MediaTek Helio G35 Processor
  • Micromax IN Note 1 (Green, 64 GB)
    Micromax In Note 1

Micromax IN Note 1

  • Ram:- 4 GB
  • Rom:- 64 GB Upto 256Gb
  • Display:- 16.94 cm (6.67 inch) Full HD
  • Battery:- 5000 mAh Li-Polymer
  • SoC:- MediaTek Helio G85

Under 20k:-

  • Realme narzo 30

realme narzo 30

  • Ram:6gb
  • Rom:128 upto 256Gb
  • Display:16.51 cm 6.5 inch Full HD
  • Battery:5000 mAh
  • SoC:MediaTek Helio G95 Processor
  • SAMSUNG Galaxy M32 (Black, 128 GB)
    Samsung Galaxy M32

Samsung Galaxy M32

  • Ram:6Gb
  • Rom:128Gb upto 1TB
  • Display:16.26 cm (6.4 inch) Full HD
  • Battery:6000 mAh
  • SoC:MediaTek Helio G80 Processor
  • MotoRola Moto G60

MotoRola Moto G60

  • Ram:6Gb
  • Rom:128Gb
  • Display:17.22 cm (6.78 inch) Full HD + 120hz Refresh Rate
  • Battery:6000 mAh
  • SoC:Qualcomm Snapdragon 732G Processor

Best With Support Kali Nethunter Without Custom Recovery (Kernel)

The Kali NetHunter project is the first Open-source Android penetration testing platform for Android devices, allowing for access to the Kali toolset from various supported Android devices. There are multiple unique features not possible on other hardware platforms.

The Kali NetHunter interface allows you to easily work with complex configuration files through a local web interface. This feature, together with a custom kernel that supports 802.11 wireless injection and preconfigured connect back VPN services, make the Kali NetHunter a formidable network security tool or discrete drop box – with Kali Linux at the tip of your fingers wherever you are!

  • One Plus One

OnePlus One

  • Ram:3Gb
  • Rom:64Gb
  • Display: Multi-touch IPS 5.5″ (13.97 cm) Corning Gorilla Glass 3 (full HD 1080 x 1920 pixels @ 401 PPI) touch-screen by JDI with LTPS technology
  • Battery:3,100 mAh Li-Po battery
  • SoC: 2.5GHz Qualcomm Snapdragon 801 quad core processor
  • Nokia 6.1

Nokia 6.1

  • Ram: 4Gb
  • Rom: 64Gb
  • Display:14.73 c.m. (5.8-inch) FHD
  • Battery:3060mAH lithium-ion battery
  • SoC: 1.8GHz Qualcomm Snapdragon 636 octa core processor
  • Installing NetHunter On the TicWatch Pro | Kali Linux Documentation
    TicWatch Pro

TicWatch Pro

  • Ram: 1Gb
  • Rom: 4Gb
  • Display: 1.39″ AMOLED (400 x 400 px) + FSTN LCD
  • Battery: 415mAh
  • SoC: Qualcomm® Snapdragon Wear™ 2100 (MSM8909W)

More Supported List

1.One Plus Devices

One Plus 2
One Plus 3
One Plus 6
One Plus 7
One Plus Nord (11)

2. Xiaomi

Davinci Miui (10)
Xiaomi Mi A3

3. Nexus

Nexus 5 And 5x
Nexus 6 and 6x
Nexus 7 and 7x
Nexus 9
Nexus 10

Others:-

Samsung Galaxy Tab S4
Nokia 3.1
Sony XPeria Z1

Which is the Best Hacking Android Phone?

One Plus Nord 11

Equipped with impressive features and decent specifications, the Oneplus 11 is a perfect choice that is available at a starting price of Rs 43,548.

This stylish handset from OnePlus comes with a 6.55 inches (16.63 cm) display that has a resolution of 1080 x 2400 Pixels offering immersive and comfortable viewing..

You can enjoy speed and lots of storage space as the phone comes with 8 GB of RAM and 128 GB of internal storage.

the phone is powered with Octa-core (1×3.2 GHz Kryo 585 & 3×2.42 GHz Kryo 585 & 4×1.80 GHz Kryo 585) Qualcomm SM8250-AC Snapdragon 870 5G (7 nm) processor.

Various connectivity options on the Oneplus 11 include WiFi – Yes, Wi-Fi 802.11, a/ac/b/g/n, Mobile Hotspot, Bluetooth – Yes, v5.2, and 5G supported by device (network not rolled-out in India), 4G (supports Indian bands), 3G, 2G.

AND also It support The Kali Nethunter framework. So It is Best Phone for Hacking.

Read More

Cross-Site Script Incusion(XSSI)

By  September 09, 2022  No comments

 

Cross-Site Script Incusion (XSSI)

XSSI designates a kind of vulnerability which exploits the fact that, when a resource is included using the script tag, the SOP doesn’t apply, because scripts have to be able to be included cross-domain. An attacker can thus read everything that was included using the script tag.


This is especially interesting when it comes to dynamic JavaScript or JSONP when so-called ambient-authority information like cookies are used for authentication. The cookies are included when requesting a resource from a different host.

Types Of XSSI

  • Static JavaScript (regular XSSI)
  • Static JavaScript, which is only accessible when authenticated
  • Dynamic JavaScript
  • Non-JavaScript

1. Regular XSSI

The private information is located inside a global accessible JS file, you can just detect this by reading files, searching keywords or using regexps.


To exploit this, just include the script with private information inside the malicious content:

2. Dynamic-JavaScript-based-XSSI and 3. Authenticated-JavaScript-XSSI

Confidential information is added to the script when a user requests it. This can be easily discovered by sending the request with and without the cookies, if different information is retrieved, then confidential information could be contained. To do this automatically you can use burp extension: https://github.com/luh2/DetectDynamicJS.


If the information resides inside a global variable, you you can exploit it using the same code as for the the previous case.


If the confidential data is sent inside a JSONP response, you can override the executed function to retrieve the information:

Or you could also set a prepared function to be executed by the JSONP response:

If a variable does not reside inside the global namespace, sometimes this can be exploited anyway using prototype tampering. Prototype tampering abuses the design of JavaScript, namely that when interpreting code, JavaScript traverses the prototype chain to find the called property. The following example is extracted from the paper The Unexpected Dangers of Dynamic JavaScript and demonstrates how overriding a relevant function of type Array and access to this, a non-global variable can be leaked as well.

In the original code slice from type Array accesses the data we’re interested in. An attacker can, as described in the preceding clause, override slice and steal the secrets.

Security Researcher Sebastian Lekies just recently updated his list of vectors.

4. Non-Script-XSSI

Takeshi Terada describes another kind of XSSI in his paper Identifier based XSSI attacks. He was able to leak Non-Script files cross-origin by including, among others, CSV files as source in the script tag, using the data as variable and function names.


The first publicly documented XSSI attack was in 2006. Jeremiah Grossman’s blog entry Advanced Web Attack Techniques using GMail depicts a XSSI, which by overriding the Array constructor was able to read the complete address book of a google account.


In 2007 Joe Walker published JSON is not as safe as people think it is. He uses the same idea to steal JSON that is inside an Array.


Other related attacks were conducted by injecting UTF-7 encoded content into the JSON to escape the JSON format. It is described by Gareth Heyes, author of Hackvertor, in the blog entry JSON Hijacking released in 2011. In a quick test, this was still possible in Microsoft Internet Explorer and Edge, but not in Mozilla Firefox or Google Chrome.

JSON with UTF-7:

Including the JSON in the attacker’s page

PROTECTION FROM XSSI

Developers should never place sensitive content inside JavaScript files and also not in JSONP. This already thwarts a large number of attacks from category 1 to 3. Category 4 vulnerabilities are usually fixed through browserside measurements. Nevertheless, user entries which are saved to JSON files and read from them should be sanitized.

The majority of bugs described in Takeshi Terada’s paper have been fixed. However, there is always the possibility that similar bugs are found again. These can be blocked at least partially by instructing the browser to not guess the content-type. Some browsers accept the not-yet-standard response header X-Content-Type-Options: nosniff to do so. A correct Content-Type is also helpful in reducing the chance of XSSI.

Read More

SSTI (Server Side Template Injection) Vulnerability | Detect | Idenfify | Exploit

By  September 09, 2022  No comments

 

What is server-side template injection(SSTI Vulnerability)?

A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.


Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.

An example of vulnerable code see the following one:

$output = $twig->render("Dear " . $_GET['name']);

In the previous example part of the template itself is being dynamically generated using the GET parameter name. As template syntax is evaluated server-side, this potentially allows an attacker to place a server-side template injection payload inside the name parameter as follows:

http://example.com/?name={{bad-stuff-here}}

Constructing a server-side template injection attack

Server-Side Template Injection | PortSwigger Research
Constructing a server-side template injection attack

How To Detect SSTI Vulnerability

As with any vulnerability, the first step towards exploitation is being able to find it. Perhaps the simplest initial approach is to try fuzzing the template by injecting a sequence of special characters commonly used in template expressions, such as the polyglot ${{<%[%'”}}%.
In order to check if the server is vulnerable you should spot the differences between the response with regular data on the parameter and the given payload.


If an error is thrown it will be quiet easy to figure out that the server is vulnerable and even which engine is running. But you could also find a vulnerable server if you were expecting it to reflect the given payload and it is not being reflected or if there are some missing chars in the response.

Detect – Plaintext context

The given input is being rendered and reflected into the response. This is easily mistaken for a simple XSS vulnerability, but it’s easy to differentiate if you try to set mathematical operations within a template expression:

Detect – Code context

In these cases the user input is being placed within a template expression:

The URL access that page could be similar to: http://vulnerable-website.com/?greeting=data.username

If you change the greeting parameter for a different value the response won’t contain the username, but if you access something like: http://example.com/?greeting=data.username}}hello then, the response will contain the username (if the closing template expression chars were }}).


If an error is thrown during these test, it will be easier to find that the server is vulnerable.

Identify SSTI Vulnerability

Once you have detected the template injection potential, the next step is to identify the template engine.
Although there are a huge number of templating languages, many of them use very similar syntax that is specifically chosen not to clash with HTML characters.

If you are lucky the server will be printing the errors and you will be able to find the engine used inside the errors. Some possible payloads that may cause errors:

${}{{}}<%= %>
${7/0}{{7/0}}<%= 7/0 %>
${foobar}{{foobar}}<%= foobar %>
${7*7}{{7*7}}

Otherwise, you’ll need to manually test different language-specific payloads and study how they are interpreted by the template engine. A common way of doing this is to inject arbitrary mathematical operations using syntax from different template engines. You can then observe whether they are successfully evaluated. To help with this process, you can use a decision tree similar to the following:

Exploition of SSTI Vulnerability

Read

The first step after finding template injection and identifying the template engine is to read the documentation. Key areas of interest are:

  • ‘For Template Authors’ sections covering basic syntax.
  • ‘Security Considerations’ – chances are whoever developed the app you’re testing didn’t read this, and it may contain some useful hints.
  • Lists of builtin methods, functions, filters, and variables.
  • Lists of extensions/plugins – some may be enabled by default.
test different language-specific payloads

Explore

Assuming no exploits have presented themselves, the next step is to explore the environment to find out exactly what you have access to. You can expect to find both default objects provided by the template engine, and application-specific objects passed in to the template by the developer. Many template systems expose a ‘self’ or namespace object containing everything in scope, and an idiomatic way to list an object’s attributes and methods.


If there’s no builtin self object you’re going to have to bruteforce variable names using SecLists and Burp Intruder’s wordlist collection.


Developer-supplied objects are particularly likely to contain sensitive information, and may vary between different templates within an application, so this process should ideally be applied to every distinct template individually.

Attack

At this point you should have a firm idea of the attack surface available to you and be able to proceed with traditional security audit techniques, reviewing each function for exploitable vulnerabilities. It’s important to approach this in the context of the wider application – some functions can be used to exploit application-specific features. The examples to follow will use template injection to trigger arbitrary object creation, arbitrary file read/write, remote file include, information disclosure and privilege escalation vulnerabilities.

Read More