
OWASP Broken Web Applications Virtual Machine (VM) Version 1.0rc1 Released! The Open Web Application Security Project (OWASP) Broken Web Applications Project is a collection of vulnerable web applications distributed on a Virtual Machine in VMware format, compatible with the no-cost VMware Player and VMware Server products (as well as VMware's commercial products). The Broken Web Applications Project (BWA) is an effort to provide a wealth of applications with known vulnerabilities for those interested in: learning about web application security; testing manual assessment techniques; testing automated tools; testing source code analysis tools; observing web attacks; testing WAFs and similar code technologies. Installation: The VM requires no installation. Note – The VM is entirely command line driven. If you would like to access your VM from links off this site, the one configuration change you may need to make is to add an entry to your hosts file mapping the name owaspbwa to the IP address of your VM.
Cross-site Scripting (XSS). This is an Attack. To view all attacks, please see the Attack Category page. Last revision (mm/dd/yy): 06/5/2018. Overview: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. An attacker can use XSS to send a malicious script to an unsuspecting user. Related Security Activities. How to Avoid Cross-site scripting Vulnerabilities: See the DOM based XSS Prevention Cheat Sheet. See the OWASP Development Guide article on Phishing. See the OWASP Development Guide article on Data Validation. How to Review Code for Cross-site scripting Vulnerabilities: See the OWASP Code Review Guide article on Reviewing Code for Cross-site scripting Vulnerabilities. How to Test for Cross-site scripting Vulnerabilities: See the latest OWASP Testing Guide article on how to test for the various kinds of XSS vulnerabilities. Description: Cross-Site Scripting (XSS) attacks occur when: Stored XSS Attacks; Reflected XSS Attacks; Alternate XSS Syntax.
Creating wordlists with crunch v3.0. CRUNCH v3.0. Warning... this is a looong post, grab a beverage.. ;) Also heavy on images.. Since the post on Creating wordlists with crunch v2.4 made in April last year, crunch has gone through quite a few changes and improvements, and bofh28 has now released v3.0! (on 16-05-2011). To make sure that the information on this blog stays up to date, it's time for a new and improved post. There will be a lot of duplication from my previous post on crunch, but it should then at least be a more or less full and complete post. I have tried to follow the alphabetical order of the options and have done a chapter per option/switch. crunch is a tool for creating brute-force wordlists which can be used to audit password strength. All of the below is done on BackTrack 5, tested only on the 32-bit version. crunch is not installed by default on BT5 and as yet (22-05-2011) is not in the repos. Installing from the tarball: tar -xvf crunch-3.2.tgz; cd crunch3.2/; make && make install. Installing from the package manager: apt-get update; apt-get install crunch.
SQL injection. Computer hacking technique. (Figure: A classification of SQL injection attack vectors as of 2010.) SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.[2] History: The first public discussions of SQL injection started appearing around 1998;[3] for example, a 1998 article in Phrack Magazine.[4] Form: Classic SQLI; Blind or Inference SQL injection; Database management system-specific SQLI; Compounded SQLI: SQL injection + insufficient authentication,[7] SQL injection + DDoS attacks,[8] SQL injection + DNS hijacking,[9] SQL injection + XSS.[10] Technical implementations.
Information Security Blog » Cymothoa – Inject Shellcode into an existing process. Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. The tool uses the ptrace library (available on nearly all *nix systems) to manipulate processes and infect them. root@Dis9Team:/pentest/backdoors/cymothoa# . find /bin/bash pid root@Dis9Team:/pentest/backdoors/cymothoa# ps aux | grep /bin/bash root 1236 0.0 0.2 4280 1376 tty1 S+ 09:22 0:00 /bin/bash /usr/bin/startx root 1506 0.1 0.3 4648 1932 pts/1 S 09:22 0:00 /bin/bash root 1554 0.0 0.1 3376 744 pts/1 S+ 09:26 0:00 grep --color=auto /bin/bash pid = 1506 root@Dis9Team:/pentest/backdoors/cymothoa# . -s = 0 Payloads = 0 – bind /bin/sh to the provided port (requires -y) root@Dis9Team:/pentest/backdoors/cymothoa# nmap -p 10086 127.0.0.1 Starting Nmap 5.59BETA1 ( ) at 2011-12-23 09:29 CST Nmap scan report for localhost (127.0.0.1) Host is up (0.00062s latency). Next: Payloads = 2 – bind /bin/sh to tcp port with password authentication (requires -y -o).
SQL Injection. This is an Attack. To view all attacks, please see the Attack Category page. Last revision (mm/dd/yy): 04/10/2016. Overview: A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. Threat Modeling: SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Related Security Activities. How to Avoid SQL Injection Vulnerabilities. Description. Examples.
Advanced DLL Injection. It has been a while since my last article. Special thanks to those who decided to stay with me despite the long break, and welcome to new readers! In this article I am going to cover such a trivial (as it may seem) subject as DLL injection. For some reason, most of the tutorials on the web only give us a brief coverage of the topic, mostly limited to invocation of the LoadLibraryA/W Windows API function in the address space of another process. While this is not bad at all, it gives us the least flexible solution. Let us try another approach. A short remark for nerds before we start. So, let the fun begin. Creation of target process: Let's assume that the loader has already passed the phase of loading and parsing configuration files and is ready to start the actual job. Windows provides us with all the tools we need to start a process. BOOL WINAPI CreateProcess( __in_opt LPCTSTR lpApplicationName, __inout_opt LPTSTR lpCommandLine, __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
Cross-site scripting. Background: Security on the web is based on a variety of mechanisms, including an underlying concept of trust known as the same origin policy. This essentially states that if content from one site (such as is granted permission to access resources on the system, then any content from that site will share these permissions, while content from another site ( will have to be granted permissions separately. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. XSS vulnerabilities have been reported and exploited since the 1990s. Types: There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS: non-persistent and persistent. Non-persistent: A reflected attack is typically delivered via email or a neutral web site. Persistent. Exploit examples.
md5deep and hashdeep
Session hijacking attack. This is an Attack. To view all attacks, please see the Attack Category page. Last revision (mm/dd/yy): 08/14/2014. Description: The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token. Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections. The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server. The session token could be compromised in different ways; the most common are: predictable session token; session sniffing; client-side attacks (XSS, malicious JavaScript code, Trojans, etc.); man-in-the-middle attack; man-in-the-browser attack. Examples. Example 1: Session Sniffing (Figure 2). Example 2: Cross-site script attack. The attacker can compromise the session token by using malicious code or programs running at the client side (Figure 3). References.
Pastenum – Pastebin/pastie enumeration tool. Introduction: When conducting a pen-test, the process typically starts with the reconnaissance phase, the process of gathering information about your target system(s), organization or person. Today, we want to present a tool that can be added to your reconnaissance toolkit. Text dump sites such as pastebin and pastie.org allow users to dump large amounts of text for sharing and storage. As these sites become more popular, the amount of sensitive information being posted will inevitably increase. Pastenum is designed to help you find that information and bring it into one easy-to-read location. The hope is that it will allow internal security teams to run simple queries about their companies and determine if they have sensitive information residing in one of these text dumps. In order to do so, it uses a series of search queries for keywords provided by the pentester. Installing the tool: To use Pastenum you will need ruby 1.9.2. Example: Now become that user account, using the profile of the user:
Session hijacking. A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine. If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net. A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. History: Session hijacking was not possible with early versions of HTTP. HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking. Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. Methods. Prevention.
Mac OS X rootkit - Supports multiple kernel versions and gives root privileges. Today, a 64-bit Mac OS X kernel rootkit has been released by prdelka from NullSecurity. It supports: multiple kernel versions, giving root privileges, hiding files / folders, hiding processes, hiding a user from 'who'/'w', hiding network ports, a sysctl interface for userland control, and executing a binary with root privileges via a magic ICMP ping. See the backdoor section. From the project's description: 64-bit Mac OS X kernel rootkit that uses no hardcoded address to hook the BSD subsystem in all OS X Lion & below. It uses a combination of syscall hooking and DKOM to hide activity on a host. String resolution of symbols no longer works on Mountain Lion, as the symtab is destroyed during load; this code is portable on all Lion & below but requires re-working for hooking under Mountain Lion. Currently supports: * works across multiple kernel versions (tested 11.0.0+) * give root privileges to pid * hide files / folders * hide a process * hide a user from 'who'/'w' * hide a network port from netstat * sysctl interface for userland control