This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Cross-site WebSocket hijacking (CSWSH)

By  September 09, 2022  No comments

 

What is WebSocket?

WebSocket is, like HTTP, a communications protocol that enables interaction between a browser and a web server.
The WebSocket protocol allows both servers and browsers to send messages to each other using a single TCP connection.

This is very useful when trying to create real-time applications such as online games and live chat. For example, Slack’s web app uses WebSocket connections to sync messages in its chat functionality.


In order for a web application to sync in real-time, web servers need to be able to actively push data to its clients. And this is where WebSocket comes in.


Traditionally, HTTP only supports client-initiated communications. This means that every time the real-time application needs to be synced (for example, an online game updating its live leaderboard), the client’s browser would need to send an HTTP request to retrieve the data from the server.

When an application is constantly doing this type of update, this traditional method incurs a lot of unnecessary overhead and ultimately slows down the application.

Whereas the WebSocket protocol solves this problem by creating a persistent connection between the client and the server that allows both client and server-initiated data transfers.

During the lifetime of a WebSocket connection, the client and the server are free to exchange any amount of data without incurring the overhead and latency of using traditional HTTP requests.

How are WebSocket connections established?

A WebSocket connection between a client and a server is established through a WebSocket handshake.


This process is initiated by the client sending a normal HTTP or HTTPS request to the server with the special header: “Upgrade: websocket”. If the server supports WebSocket connections, it will respond with a 101 status code (Switching Protocols). From that point on, the handshake is complete and both parties are free to send data to the other.


Side note: WebSocket uses the ws:// URL scheme, and the wss:// URL scheme for secure connections.

WebSocket connections are normally created using client-side JavaScript like the following:

The wss protocol establishes a WebSocket over an encrypted TLS connection, while the ws protocol uses an unencrypted connection.

To establish the connection, the browser and server perform a WebSocket handshake over HTTP. The browser issues a WebSocket handshake request like the following:

If the server accepts the connection, it returns a WebSocket handshake response like the following:

At this point, the network connection remains open and can be used to send WebSocket messages in either direction.

Note

Several features of the WebSocket handshake messages are worth noting:

  • The Connection and Upgrade headers in the request and response indicate that this is a WebSocket handshake.
  • The Sec-WebSocket-Version request header specifies the WebSocket protocol version that the client wishes to use. This is typically 13.
  • The Sec-WebSocket-Key request header contains a Base64-encoded random value, which should be randomly generated in each handshake request.
  • The Sec-WebSocket-Accept response header contains a hash of the value submitted in the Sec-WebSocket-Key request header, concatenated with a specific string defined in the protocol specification. This is done to prevent misleading responses resulting from misconfigured servers or caching proxies.

The Sec-WebSocket-Key header contains a random value to prevent errors from caching proxies, and is not used for authentication or session handling purposes (It’s not a CSRF token).

Websockets Enumeration

You can use the tool https://github.com/PalindromeLabs/STEWS to discover, fingerprint and search for known vulnerabilities in websockets automatically.

Cross-site WebSocket hijacking (CSWSH)

Also known as cross-origin WebSocket hijacking.
It is a Cross-Site Request Forgery (CSRF) on a WebSocket handshake.


It arises when the WebSocket handshake request relies solely on HTTP cookies for session handling and does not contain any CSRF tokens or other unpredictable values.
An attacker can create a malicious web page on their own domain which establishes a cross-site WebSocket connection to the vulnerable application. The application will handle the connection in the context of the victim user’s session with the application.

Structure of an attack

To carry out the attack, an attacker would create a script that will initiate the WebSocket connection to the victim server. She can then embed that script on a malicious page and trick a user into accessing the page.


When the victim accesses the malicious page, her browser will automatically include her cookies into the WebSocket handshake request (since it’s a regular HTTP request). The malicious script crafted by the attacker will now have access to a WebSocket connection created using the victim’s credentials.

Simple Attack

Note that when establishing a websocket connection the cookie is sent to the server. The server might be using it to relate each specific user with his websocket session based on the sent cookie.


Then, if for example the websocket server sends back the history of the conversation of a user if a msg with “READY” is sent, then a simple XSS establishing the connection (the cookie will be sent automatically to authorise the victim user) sending “READY” will be able to retrieve the history of the conversation.:

Stealing data from user

Copy the web application you want to impersonate (the .html files for example) and inside the script where the websocket communication is occurring add this code:

Now download the wsHook.js file from https://github.com/skepticfx/wshook and save it inside the folder with the web files.


Exposing the web application and making a user connect to it you will be able to steal the sent and received messages via websocket:

The impact of Cross-Site WebSocket Hijacking

Using a hijacked WebSocket connection, the attacker can now achieve a lot of things:

  • WebSocket CSRF: If the WebSocket communication is used to carry out sensitive, state-changing actions, attackers can use this connection to forge actions on behalf of the user. For example, attackers can post fake messages onto a user’s chat groups.
  • Private data retrieval: If the WebSocket communication can be used to retrieve sensitive information via a client request, attackers can initiate fake requests to retrieve sensitive data belonging to the user.
  • Private data leaks via server messages: Attackers can also simply listen in on server messages and passively collect information leaked from these messages. For example, an attacker can use the connection to eavesdrop on a user’s incoming notifications.

How to prevent Cross-Site WebSocket Hijacking

In order to prevent Cross-Site WebSocket Hijacking, an application would need to deny WebSocket handshake requests from unknown origins. There are two ways this can be achieved:

  • Check the Origin header: browsers would automatically include an Origin header. This can be used to validate where the handshake request is coming from. When validating the Origin of the request, be sure to use a whitelist of URLs instead of a blacklist, and use a strict and rigorously tested regex expression.
  • Use CSRF tokens for the WebSocket handshake request: applications could also use a randomized token on a WebSocket handshake request and validate it server-side before establishing a WebSocket connection. This way, if an attacker cannot leak or predict the random token, she will not be able to establish the connection.

WebSocket is a big part of many modern applications. However, it is often overlooked as a potential attack vector.

As Web Sockets are a mechanism to send data to server side and client side, depending on how the server and client handles the information, Web Sockets can be used to exploit several other vulnerabilities like XSS, SQLi or any other common web vuln using input of s user from a websocket.

Read More

Clickjacking| Clickjacking Attacks

By  September 09, 2022  No comments

 

What is Clickjacking?

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.

The invisible page could be a malicious page, or a legitimate page the user did not intend to visit – for example, a page on the user’s banking site that authorizes the transfer of money.

TYPE Of Clickjacking Vulnerability:-

Likejacking

a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they actually did not intend to like.


Cursorjacking

a UI redressing technique that changes the cursor for the position the user perceives to another position. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have now been fixed.

Prepopulate forms trick

Sometimes is possible to fill the value of fields of a form using GET parameters when loading a page. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.

Populate form with Drag&Drop

If you need the user to fill a form but you don’t want to directly ask him to write some specific information (like your email or and specific password that you know), you can just ask him to Drag&Drop something that will write your controlled data like in this example.

Examples Of Clickjacking Attacks:-

Basic Payload

Multistep Payload

Drag&Drop + Click payload

XSS + Clickjacking Vulnerability

If you have identified a XSS attack that requires a user to click on some element to trigger the XSS and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.

Example:
You found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set this details is vulnerable to Clickjacking and you can prepopulate the form with GET parameters.
An attacker could prepared a Clickjacking attack to that page prepopulating the form with the XSS payload and tricking the user into Submit the form. So, when the form is submited and the values are modified, the user will execute the XSS.

How to avoid Clickjacking Attacks?

Client side defences

It’s possible to execute scripts on the client side that perform some or all of the following behaviours to prevent Clickjacking:

  • check and enforce that the current application window is the main or top window,
  • make all frames visible,
  • prevent clicking on invisible frames,
  • intercept and flag potential clickjacking attacks to the user.

Bypass

As frame busters are JavaScript then the browser’s security settings may prevent their operation or indeed the browser might not even support JavaScript. An effective attacker workaround against frame busters is to use the HTML5 iframe sandbox attribute. When this is set with the allow-forms or allow-scripts values and the allow-top-navigation value is omitted then the frame buster script can be neutralized as the iframe cannot check whether or not it is the top window:

Both the allow-forms and allow-scripts values permit the specified actions within the iframe but top-level navigation is disabled. This inhibits frame busting behaviours while allowing functionality within the targeted site.


Depending on the type of Clickjaking attack performed you may also need to allow: allow-same-origin and allow-modals or even more. When preparing the attack just check the console of the browser, it may tell you which other behaviours you need to allow.

X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or </frame> . Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are:</p>

  • X-Frame-Options: deny which prevents any domain from framing the content (Recommended value)
  • X-Frame-Options: sameorigin which only allows the current site to frame the content.
  • X-Frame-Options: allow-from https://trusted.com which permits the specified ‘uri’ to frame this page.
  • Check limitations below because this will fail open if the browser does not support it.
  • Other browsers support the new CSP frame-ancestors directive instead. A few support both.

Content Security Policy (CSP) frame-ancestors directive

The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application’s Content Security Policy.


The frame-ancestors ‘none’ directive is similar in behaviour to the X-Frame-Options deny directive (No-one can frame the page).


The frame-ancestors ‘self’ directive is broadly equivalent to the X-Frame-Options sameorigin directive (only current site can frame it).


The frame-ancestors trusted.com directive is broadly equivalent to the X-Frame-Options allow-fromdirective (only trusted site can frame it).

The following CSP whitelists frames to the same domain only:


Content-Security-Policy: frame-ancestors ‘self’;


See the following documentation for further details and more complex examples:

Limitations

  • Browser support: CSP frame-ancestors is not supported by all the major browsers yet.
  • X-Frame-Options takes priority: Section “Relation to X-Frame-Options” of the CSP Spec says: “If a resource is delivered with an policy that includes a directive named frame-ancestors and whose disposition is “enforce”, then the X-Frame-Options header MUST be ignored”, but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
Read More

Best Hacking Android Phones for Hacker (2022)

By  September 09, 2022  No comments

 

What things do hackers need in mobiles?

  • Ram:- 4 to 8 GB
  • Rom:- 64 GB to Unlimited
  • Battery:- 3050mAh to 6000mAh
  • Kernel:- Hacking Framework Supported Kernels
  • Os:- Android Or Linux
  • SoC:- Media Tek G35 or Up And SD 635 or Up

Linux Phones Made For Hackers:-

  • Pro 1X
  • pro1x
    Pro 1X

An interesting smartphone that supports Ubuntu Touch, Lineage OS, and Android as well.

It is not just a Linux smartphone but a mobile phone with a separate QWERTY keypad, which is rare to find these days.

The Pro 1 X features a decent specification, including a Snapdragon 662 processor coupled with 6 GB of RAM. You also get a respectable AMOLED Full HD display with the Pro 1 X.

  • WiPhone
  • WiPhone, A Phone for Hackers and Makers project video thumbnail
    WiPhone

WiPhone is a unique, minimal phone.

It’s designed to enable hackers by making it easy to extend and modify the electronics and software. Something typical phones are not good for.

WiPhone is also a VoIP mobile phone. It uses WIFI to make HD voice calls, for free. This means that there is no required service contract – and it’s yours for life.

List of Best Hacking Android Phones for Hackers

Under 10k:-

  • POCO C31 (Royal Blue, 64 GB)
    Poco C31

POCO C31

  • Ram:- 4Gb
    ROM:- 64Gb Upto 512 GB
  • Display:- 16.59 cm (6.53 inch) HD+ Display
  • Battery:- 5000 mAh Lithium-ion Polymer Battery
  • SoC:- MediaTek Helio G35 Processor
  • Infinix Hot 10 Play (7° Purple, 32 GB)
    Infinix Hot 11 Play

Infinix Hot 11 Play

  • Ram:- 4Gb
  • Rom:- 128GB
  • Display:-6.82-inch (1640×720)
  • Battery:- 6000mAh
  • SoC:- MediaTek Helio G35
  • realme C21 (Cross Blue, 64 GB)
    Realme c21

Realme C21

  • Ram:- 4 GB
  • Rom:- 64 GB Upto 256Gb
  • Display:- 16.51 cm (6.5 inch) HD+ Display
  • Battery:- 5000 mAh
  • SoC:- MediaTek Helio G35 Processor
  • Micromax IN Note 1 (Green, 64 GB)
    Micromax In Note 1

Micromax IN Note 1

  • Ram:- 4 GB
  • Rom:- 64 GB Upto 256Gb
  • Display:- 16.94 cm (6.67 inch) Full HD
  • Battery:- 5000 mAh Li-Polymer
  • SoC:- MediaTek Helio G85

Under 20k:-

  • Realme narzo 30

realme narzo 30

  • Ram:6gb
  • Rom:128 upto 256Gb
  • Display:16.51 cm 6.5 inch Full HD
  • Battery:5000 mAh
  • SoC:MediaTek Helio G95 Processor
  • SAMSUNG Galaxy M32 (Black, 128 GB)
    Samsung Galaxy M32

Samsung Galaxy M32

  • Ram:6Gb
  • Rom:128Gb upto 1TB
  • Display:16.26 cm (6.4 inch) Full HD
  • Battery:6000 mAh
  • SoC:MediaTek Helio G80 Processor
  • MotoRola Moto G60

MotoRola Moto G60

  • Ram:6Gb
  • Rom:128Gb
  • Display:17.22 cm (6.78 inch) Full HD + 120hz Refresh Rate
  • Battery:6000 mAh
  • SoC:Qualcomm Snapdragon 732G Processor

Best With Support Kali Nethunter Without Custom Recovery (Kernel)

The Kali NetHunter project is the first Open-source Android penetration testing platform for Android devices, allowing for access to the Kali toolset from various supported Android devices. There are multiple unique features not possible on other hardware platforms.

The Kali NetHunter interface allows you to easily work with complex configuration files through a local web interface. This feature, together with a custom kernel that supports 802.11 wireless injection and preconfigured connect back VPN services, make the Kali NetHunter a formidable network security tool or discrete drop box – with Kali Linux at the tip of your fingers wherever you are!

  • One Plus One

OnePlus One

  • Ram:3Gb
  • Rom:64Gb
  • Display: Multi-touch IPS 5.5″ (13.97 cm) Corning Gorilla Glass 3 (full HD 1080 x 1920 pixels @ 401 PPI) touch-screen by JDI with LTPS technology
  • Battery:3,100 mAh Li-Po battery
  • SoC: 2.5GHz Qualcomm Snapdragon 801 quad core processor
  • Nokia 6.1

Nokia 6.1

  • Ram: 4Gb
  • Rom: 64Gb
  • Display:14.73 c.m. (5.8-inch) FHD
  • Battery:3060mAH lithium-ion battery
  • SoC: 1.8GHz Qualcomm Snapdragon 636 octa core processor
  • Installing NetHunter On the TicWatch Pro | Kali Linux Documentation
    TicWatch Pro

TicWatch Pro

  • Ram: 1Gb
  • Rom: 4Gb
  • Display: 1.39″ AMOLED (400 x 400 px) + FSTN LCD
  • Battery: 415mAh
  • SoC: Qualcomm® Snapdragon Wear™ 2100 (MSM8909W)

More Supported List

1.One Plus Devices

One Plus 2
One Plus 3
One Plus 6
One Plus 7
One Plus Nord (11)

2. Xiaomi

Davinci Miui (10)
Xiaomi Mi A3

3. Nexus

Nexus 5 And 5x
Nexus 6 and 6x
Nexus 7 and 7x
Nexus 9
Nexus 10

Others:-

Samsung Galaxy Tab S4
Nokia 3.1
Sony XPeria Z1

Which is the Best Hacking Android Phone?

One Plus Nord 11

Equipped with impressive features and decent specifications, the Oneplus 11 is a perfect choice that is available at a starting price of Rs 43,548.

This stylish handset from OnePlus comes with a 6.55 inches (16.63 cm) display that has a resolution of 1080 x 2400 Pixels offering immersive and comfortable viewing..

You can enjoy speed and lots of storage space as the phone comes with 8 GB of RAM and 128 GB of internal storage.

the phone is powered with Octa-core (1×3.2 GHz Kryo 585 & 3×2.42 GHz Kryo 585 & 4×1.80 GHz Kryo 585) Qualcomm SM8250-AC Snapdragon 870 5G (7 nm) processor.

Various connectivity options on the Oneplus 11 include WiFi – Yes, Wi-Fi 802.11, a/ac/b/g/n, Mobile Hotspot, Bluetooth – Yes, v5.2, and 5G supported by device (network not rolled-out in India), 4G (supports Indian bands), 3G, 2G.

AND also It support The Kali Nethunter framework. So It is Best Phone for Hacking.

Read More

Cross-Site Script Incusion(XSSI)

By  September 09, 2022  No comments

 

Cross-Site Script Incusion (XSSI)

XSSI designates a kind of vulnerability which exploits the fact that, when a resource is included using the script tag, the SOP doesn’t apply, because scripts have to be able to be included cross-domain. An attacker can thus read everything that was included using the script tag.


This is especially interesting when it comes to dynamic JavaScript or JSONP when so-called ambient-authority information like cookies are used for authentication. The cookies are included when requesting a resource from a different host.

Types Of XSSI

  • Static JavaScript (regular XSSI)
  • Static JavaScript, which is only accessible when authenticated
  • Dynamic JavaScript
  • Non-JavaScript

1. Regular XSSI

The private information is located inside a global accessible JS file, you can just detect this by reading files, searching keywords or using regexps.


To exploit this, just include the script with private information inside the malicious content:

2. Dynamic-JavaScript-based-XSSI and 3. Authenticated-JavaScript-XSSI

Confidential information is added to the script when a user requests it. This can be easily discovered by sending the request with and without the cookies, if different information is retrieved, then confidential information could be contained. To do this automatically you can use burp extension: https://github.com/luh2/DetectDynamicJS.


If the information resides inside a global variable, you you can exploit it using the same code as for the the previous case.


If the confidential data is sent inside a JSONP response, you can override the executed function to retrieve the information:

Or you could also set a prepared function to be executed by the JSONP response:

If a variable does not reside inside the global namespace, sometimes this can be exploited anyway using prototype tampering. Prototype tampering abuses the design of JavaScript, namely that when interpreting code, JavaScript traverses the prototype chain to find the called property. The following example is extracted from the paper The Unexpected Dangers of Dynamic JavaScript and demonstrates how overriding a relevant function of type Array and access to this, a non-global variable can be leaked as well.

In the original code slice from type Array accesses the data we’re interested in. An attacker can, as described in the preceding clause, override slice and steal the secrets.

Security Researcher Sebastian Lekies just recently updated his list of vectors.

4. Non-Script-XSSI

Takeshi Terada describes another kind of XSSI in his paper Identifier based XSSI attacks. He was able to leak Non-Script files cross-origin by including, among others, CSV files as source in the script tag, using the data as variable and function names.


The first publicly documented XSSI attack was in 2006. Jeremiah Grossman’s blog entry Advanced Web Attack Techniques using GMail depicts a XSSI, which by overriding the Array constructor was able to read the complete address book of a google account.


In 2007 Joe Walker published JSON is not as safe as people think it is. He uses the same idea to steal JSON that is inside an Array.


Other related attacks were conducted by injecting UTF-7 encoded content into the JSON to escape the JSON format. It is described by Gareth Heyes, author of Hackvertor, in the blog entry JSON Hijacking released in 2011. In a quick test, this was still possible in Microsoft Internet Explorer and Edge, but not in Mozilla Firefox or Google Chrome.

JSON with UTF-7:

Including the JSON in the attacker’s page

PROTECTION FROM XSSI

Developers should never place sensitive content inside JavaScript files and also not in JSONP. This already thwarts a large number of attacks from category 1 to 3. Category 4 vulnerabilities are usually fixed through browserside measurements. Nevertheless, user entries which are saved to JSON files and read from them should be sanitized.

The majority of bugs described in Takeshi Terada’s paper have been fixed. However, there is always the possibility that similar bugs are found again. These can be blocked at least partially by instructing the browser to not guess the content-type. Some browsers accept the not-yet-standard response header X-Content-Type-Options: nosniff to do so. A correct Content-Type is also helpful in reducing the chance of XSSI.

Read More