Blind cross site scripting (BXSS) is a variation of stored XSS, where the injection point and the execution point are different. It’s harder to find and certainly requires a different methodology than testing for stored (non-blind), reflected, or even DOM-based XSS.
Typically, with non-blind stored cross site scripting, the payload is executed on the same page it was injected into.
ezXSS: Test Blind Cross Site Scripting
ezXSS is an easy way to test blind Cross Site Scripting.
Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker injects malicious scripts (commonly referred to as a malicious payload) into a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Features of ezXSS:
Easy to use dashboard with statistics, payloads, view/share/search reports and more
Instant email alert on the payload
Prevent double payloads from saving or alerting
Share reports with other ezXSS users
Easily manage and view reports in the system
Search for reports in no time
Secure your system account with extra protection (2FA)
The following information is collected on a vulnerable page:
The URL of the page
Any page referer (or share referer)
All Non-HTTP-Only Cookies
Full HTML DOM source of the page
Time of execution
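To make the injection-point/execution-point split concrete, here is an added example (not ezXSS code, and not from the original post) of the kind of internal page a blind payload fires on: a support inbox that re-renders stored submissions. The feedback records, field names and cookie value are constructed for the demo. The vulnerable renderer parses stored markup as HTML; the hardened one entity-encodes every stored field at output time, and the Set-Cookie builder shows why only non-HttpOnly cookies end up in a report.

```python
"""Stored/blind XSS: data stored at one place (injection point) is rendered on
another page (execution point), often in another user's browser. Added
example, not ezXSS code: a vulnerable inbox renderer next to a hardened one,
plus the cookie attribute that keeps a session out of document.cookie."""
import html
import re

# Constructed feedback records, as a support inbox might store them. The
# User-Agent is a classic blind-XSS injection point: the submitter never sees
# it rendered, but the agent who opens the inbox does.
FEEDBACK = [
    {"user": "alice", "agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "message": "Login button is greyed out on mobile."},
    {"user": "mallory", "agent": "<script>/* constructed blind-XSS probe */</script>",
     "message": "<img src=x onerror=alert(1)>"},
]


def render_vulnerable(entries):
    """Builds the inbox page by string interpolation: whatever markup was stored
    at the injection point is parsed as HTML at this execution point."""
    rows = "".join(
        f"<tr><td>{e['user']}</td><td>{e['agent']}</td><td>{e['message']}</td></tr>"
        for e in entries)
    return f"<table>{rows}</table>"


def render_hardened(entries):
    """Same page with every stored field entity-encoded at output time, so
    stored markup is displayed as text instead of executed."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(e["user"]), html.escape(e["agent"]), html.escape(e["message"]))
        for e in entries)
    return f"<table>{rows}</table>"


ACTIVE_TAG_RE = re.compile(r"<(script|img|svg|iframe|object)\b", re.IGNORECASE)


def contains_active_markup(page):
    """Regression check for templates: does the rendered output still contain
    an unescaped active tag? (A test aid, not a sanitizer.)"""
    return ACTIVE_TAG_RE.search(page) is not None


def session_cookie_header(value, http_only=True):
    """Set-Cookie value for the session. HttpOnly keeps the cookie out of
    document.cookie, which is why a blind-XSS report can only list the
    non-HttpOnly cookies of the page it fired on."""
    attrs = ["session=" + value, "Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


if __name__ == "__main__":
    print("vulnerable render executes stored markup:",
          contains_active_markup(render_vulnerable(FEEDBACK)))
    print("hardened render executes stored markup:",
          contains_active_markup(render_hardened(FEEDBACK)))
    print(session_cookie_header("constructed-session-id"))
```

The point of `contains_active_markup` is to turn the execution-point check into a unit test on the template rather than waiting for a report to arrive from someone else's browser.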
It's just ez.
PHP 5.5 or up
A domain name (consider a short one)
An SSL certificate if you want to test on HTTPS websites (consider Cloudflare or Let’s Encrypt for a free one)
Blind Cross site Scripting (XSS) Vulnerability Detection
One of the major features that XSS Hunter offers is the ability to find blind XSS. This is a vulnerability where an XSS payload fires in another user’s browser (such as an administrative panel, support system, or logging application) which you cannot “see” (e.g. it does not fire in your browser). XSS Hunter addresses this by recording extensive information about each payload fire in its database.
Most Popular Training Courses at Indian Cyber Security Solutions
The newly discovered Credential Security Support Provider protocol (CredSSP) vulnerability on the Windows platform allows attackers to abuse Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) sessions to remotely steal data or run malicious code. The CredSSP protocol was originally designed to provide cryptographically protected authentication when Windows hosts use RDP or WinRM for remote connections.
This vulnerability (CVE-2018-0886) was discovered by a researcher at Preempt Security. It is a logical flaw in the cryptography of the CredSSP protocol: an attacker positioned on the network, whether via a wireless or a physical connection, can mount a man-in-the-middle attack and then use a Remote Procedure Call to steal the authentication information from the victim's session.
How Does CredSSP Attack Work?
An attacker can exploit this vulnerability in conjunction with a man-in-the-middle attack. The attacker sets up the man-in-the-middle position, waits for a CredSSP session to occur and, once it does, steals the session authentication and performs a Remote Procedure Call (DCE/RPC) attack on the server the user originally connected to (e.g., the server the user connected to with RDP). An attacker who has stolen a session from a user with sufficient privileges could run various commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.
Scenarios in which a CredSSP attack could be mounted:
An attacker with WiFi/physical access – If an attacker has some physical access to your network, then they could easily launch a man-in-the-middle attack. If you also have WiFi deployed in areas of your network, you might be vulnerable to key reinstallation attacks (KRACK), thus exposing all machines that do RDP via WiFi to this new attack.
Address Resolution Protocol (ARP) poisoning – Despite being an old attack technique, many networks are still not 100% protected from ARP poisoning. If this is the case in your network, this new vulnerability means an attacker with control of one machine could easily move laterally and infect all machines in the same network segment.
Attacking sensitive servers (including domain controllers) – Sometimes, an attacker has control of several workstations in an organization and needs to find a way to infect sensitive business-critical servers (which might require higher privileges).
Most corporate internal networks use the Windows RDP protocol for remote login. Preempt’s researchers reported this vulnerability to Microsoft last August, and Microsoft has now released a patch for it.
Agrigento is a tool to identify privacy leaks in Android apps by performing black-box differential analysis on the network traffic. It performs root cause analysis of non-determinism in the network behavior of Android apps.
Agrigento works in two steps: first, Agrigento establishes a baseline of the network behavior of an app; then, modifies sources of private information, such as the device ID and location, and detects privacy leaks by observing deviations in the resulting network traffic. The main contribution of this work is to make black-box differential analysis practical when applied to modern Android apps.
Agrigento eliminates the different sources of non-determinism by intercepting certain Android API calls made by the app and recording their return values, and in some cases replacing them (either by replaying previously seen values or by returning constant values):
It records the timestamps generated during the first run of each app and replays the same values in the further runs.
It records the random identifiers (UUID) generated by the app.
It records the plaintext and ciphertext values whenever the app performs encryption.
The instrumented environment sets a fixed seed for all random number generation functions.
It replaces the values of system-related performance measures (e.g., free memory, available storage space) with a set of constants.
Agrigento requires other modules to be installed on the Android device:
[Changer] – Modify the values of private information sources.
[JustTrustMe] – Handle certificate pinning.
[Android Mock-location] – Allow to set mock location through ADB.
Agrigento Network Behavior:
Agrigento looks for privacy leaks at all levels of the tree, i.e., in all parts of the HTTP request: the domain, path, keys and values, as well as the headers and the payload. The current implementation includes parsers for application/x-www-form-urlencoded, application/json, and any content that matches an HTTP query-string format; it can easily be extended with parsers for further content types.
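The two-step differential analysis described above (baseline runs, then a run with a modified private source) and the request tree it operates on, as an added example that is not Agrigento's own code. It parses a raw HTTP request into leaf fields (domain, path segments, query keys, headers, and a JSON or form-urlencoded body), treats fields that already vary between baseline runs as non-deterministic noise, and reports only fields that change when the device ID is changed. The request text, host name and field names are constructed for the demo.

```python
"""Agrigento-style black-box differential analysis on HTTP requests.
Added example, not Agrigento code; all traffic below is constructed."""
import json
from urllib.parse import urlsplit, parse_qsl


def flatten(obj, prefix, out):
    """Turn nested JSON into leaf paths such as body.device.id -> value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            flatten(v, f"{prefix}.{k}", out)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            flatten(v, f"{prefix}[{i}]", out)
    else:
        out[prefix] = str(obj)


def parse_request(raw):
    """Parse one raw HTTP request into a flat tree of leaf fields: method,
    domain, path segments, query keys, headers and a decoded body."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)
    fields = {"method": method, "domain": headers.get("Host", "")}
    for i, seg in enumerate(url.path.strip("/").split("/")):
        fields[f"path[{i}]"] = seg
    for k, v in parse_qsl(url.query, keep_blank_values=True):
        fields[f"query.{k}"] = v
    for k, v in headers.items():
        if k != "Host":
            fields[f"header.{k}"] = v
    ctype = headers.get("Content-Type", "")
    body = body.strip()
    if body:
        if ctype.startswith("application/json"):
            flatten(json.loads(body), "body", fields)
        elif ctype.startswith("application/x-www-form-urlencoded"):
            for k, v in parse_qsl(body, keep_blank_values=True):
                fields[f"body.{k}"] = v
        else:
            fields["body"] = body  # unknown content type: compare as a blob
    return fields


def differing_fields(a, b):
    """Leaf paths whose value differs, or which exist in only one run."""
    return {k for k in set(a) | set(b) if a.get(k) != b.get(k)}


def find_leaks(baseline_runs, modified_run):
    """Step 1: fields that vary between baseline runs are non-deterministic.
    Step 2: fields that deviate in the modified run, minus that noise, are
    candidate leaks of the private source that was modified."""
    parsed = [parse_request(r) for r in baseline_runs]
    noise = set()
    for other in parsed[1:]:
        noise |= differing_fields(parsed[0], other)
    deviations = differing_fields(parsed[0], parse_request(modified_run))
    return sorted(deviations - noise), sorted(noise)


def build_request(device_id, ts, nonce):
    """Constructed analytics request; not captured from a real app."""
    body = json.dumps({"device": {"id": device_id, "os": "android"},
                       "ev": "open", "nonce": nonce})
    return (f"POST /v1/track?sid=a1b2&ts={ts} HTTP/1.1\n"
            "Host: analytics.example\n"
            "Content-Type: application/json\n"
            "User-Agent: SampleApp/1.0\n"
            f"\n{body}")


# Two baseline runs with the same device ID (timestamp and nonce still vary),
# then one run where only the device ID was changed.
BASELINE = [build_request("0123456789abcdef", 1700000000, "k9s2"),
            build_request("0123456789abcdef", 1700000007, "q4mz")]
MODIFIED = build_request("ffffffffffffffff", 1700000015, "z7tt")

if __name__ == "__main__":
    leaks, noise = find_leaks(BASELINE, MODIFIED)
    print("non-deterministic fields:", noise)
    print("candidate leaks:", leaks)
```

With one baseline run the nonce and timestamp would be reported as leaks too; the second baseline run is what lets the analysis tell a changing value from a value that changed because the private source did.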
Dorothy 2 is a malware/botnet analysis framework written in Ruby.
Dorothy 2 is a framework created for suspicious binary analysis. Its main strengths are a very flexible modular environment and an interactive investigation framework with particular attention to network analysis. Additionally, it is able to recognize newly spawned processes by comparing them with a previously created baseline. Static binary analysis and improved system behavior analysis will be introduced shortly in upcoming versions. Dorothy 2 analyses binaries using pre-configured analysis profiles.
A Dorothy 2 analysis profile is composed of the following elements:
The number of screenshots requested (and the delay between them)
A list of the supported extensions, and how the guest OS should execute them
The use of profiles gives the researcher the possibility to run analyses on a set of binaries using different environments. As is well known, some malware is configured to run only in a specific environment.
The first three modules of Dorothy are publicly released under the GPL 2/3 license as a tribute to the Honeynet Project Alliance. All the information generated by the framework – i.e. binary info, timestamps, dissected network analysis.
Dorothy needs the following software:
VMWare ESX >= 5.0 (tip: if you download ESXi, you can evaluate ESX for 30 days)
Postgres >= 9.0
At least one Windows virtual machine
One unix-like machine dedicated to the Network Analysis Engine (NAM) (tcpdump/ssh needed)
Trinity is a fuzz-testing engine. System call fuzzing has been done many times before, on Linux and on other operating systems; where Trinity differs is that the arguments it passes are not purely random, which makes it slightly different from traditional fuzzing.
Trinity is really good at locating bugs in filesystem (FS) code.
Trinity creates a pool of file descriptors (from pipes, sysfs, procfs, /dev and sockets) and draws from it whenever a system call needs a file descriptor. Trinity also uses information about system calls to provide “something at least semi-sensible”.
Trinity supports Alpha, Aarch64, ARM, i386, IA-64, MIPS, PowerPC-32 etc.
Adding support for additional architectures to Trinity is a small amount of work, mostly involving just defining the order of the syscall table. Trinity also has improved reproducibility: when a kernel oops occurs, Trinity records the last random seed used so a developer can use its value to recreate the problem.
Trinity is a system call fuzzer which employs some techniques to pass semi-intelligent arguments to the syscalls.
Trinity has a “syscalls group” dedicated to VFS syscalls.
The intelligence features included in Trinity:
If a system call expects a certain datatype as an argument (for example a file descriptor), Trinity passes one.
If a system call only accepts certain values as an argument (for example a ‘flags’ field), Trinity has a list of all the valid flags that may be passed.
Trinity logs its output to files (one for each child process), and fsyncs the files before Trinity actually makes the system call.
If one runs Trinity without any arguments as a non-root user, it will scan for fds as mentioned above, then create a number of child processes.
With warnings out of the way: Trinity has a neat feature called ‘victim files’.
There are almost always new kernel bugs being triggered by trinity.
Sometimes, trinity causes the oom-killer to trigger.
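The three mechanisms described above (a pool of real file descriptors, per-argument lists of valid flags, and a seeded generator whose log is fsync'd before each call) as an added example; this is not Trinity's code and the syscall signature table is constructed for the demo. Nothing is actually invoked: `log_and_dispatch` hands each generated call to a caller-supplied function, so the replay and logging behaviour can be exercised safely.

```python
"""Type-aware syscall argument generation in the style Trinity describes.
Added example, not Trinity code. The SYSCALLS table is a constructed subset
and no system call is made; a dispatch callback stands in for the real call."""
import functools
import os
import random
import tempfile

ACCESS_MODES = [os.O_RDONLY, os.O_WRONLY, os.O_RDWR]
EXTRA_OPEN_FLAGS = [os.O_CREAT, os.O_TRUNC, os.O_APPEND, os.O_NONBLOCK, os.O_CLOEXEC]
LENGTHS = [0, 1, 4095, 4096, 4097, 1 << 16, (1 << 31) - 1, (1 << 32) - 1]
PATHS = ["/dev/null", "/proc/self/status", "/tmp/trinity-demo"]

# Argument type signature per syscall (constructed subset for the demo).
SYSCALLS = {
    "read":   ("fd", "buf", "len"),
    "write":  ("fd", "buf", "len"),
    "openat": ("fd", "path", "open_flags"),
    "lseek":  ("fd", "len", "whence"),
    "fstat":  ("fd", "buf"),
}


class FdPool:
    """A few real descriptors (pipe ends plus a temp file) handed out whenever
    a syscall wants a file descriptor."""
    def __init__(self):
        self.read_end, self.write_end = os.pipe()
        self.tmp = tempfile.TemporaryFile()
        self.fds = [self.read_end, self.write_end, self.tmp.fileno()]

    def close(self):
        os.close(self.read_end)
        os.close(self.write_end)
        self.tmp.close()


def gen_arg(kind, rng, pool):
    """Return a semi-sensible value for one argument type."""
    if kind == "fd":
        return rng.choice(pool.fds)
    if kind == "open_flags":
        # one access mode OR'd with a random subset of the other valid flags
        extra = [f for f in EXTRA_OPEN_FLAGS if rng.random() < 0.4]
        return functools.reduce(lambda a, b: a | b, extra, rng.choice(ACCESS_MODES))
    if kind == "len":
        return rng.choice(LENGTHS)
    if kind == "buf":
        # boundary-ish pointer values rather than random bit patterns
        return rng.choice([0x0, 0x1000, 0x7fff_ffff_f000, 0xffff_ffff_ffff_f000])
    if kind == "path":
        return rng.choice(PATHS)
    if kind == "whence":
        return rng.choice([os.SEEK_SET, os.SEEK_CUR, os.SEEK_END])
    raise ValueError(kind)


def generate_calls(seed, count, pool):
    """Deterministic (syscall, args) sequence for a seed, so a crash found
    with seed N is reproduced by rerunning with seed N."""
    rng = random.Random(seed)
    names = sorted(SYSCALLS)
    calls = []
    for _ in range(count):
        name = rng.choice(names)
        calls.append((name, tuple(gen_arg(k, rng, pool) for k in SYSCALLS[name])))
    return calls


def log_and_dispatch(log_path, calls, dispatch):
    """Append each record and fsync it *before* dispatching, so the log still
    names the last call if the machine oopses during it."""
    results = []
    with open(log_path, "a") as log:
        for name, args in calls:
            log.write(f"{name}{args}\n")
            log.flush()
            os.fsync(log.fileno())
            results.append(dispatch(name, args))
    return results


def valid_open_flags(flags):
    """True if a generated flags word only uses bits from the valid lists and
    has exactly one access mode (low two bits, O_ACCMODE on Linux, never 3)."""
    allowed = functools.reduce(lambda a, b: a | b, ACCESS_MODES + EXTRA_OPEN_FLAGS, 0)
    return (flags & ~allowed) == 0 and (flags & 3) != 3


if __name__ == "__main__":
    pool = FdPool()
    try:
        for call in generate_calls(seed=1234, count=5, pool=pool):
            print(call)
    finally:
        pool.close()
```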
Malheur is a tool for the automatic analysis of malware behavior. Malheur has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.
Malheur supports four basic actions for analysis, which together make it possible to discover novel classes of malware:
Malheur supports Extraction of prototypes: Malheur identifies a subset of prototypes representative for the full data set.
Malheur supports Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior.
Malheur supports Classification of behavior: Malheur is able to assign unknown behavior to known groups of malware.
Malheur supports Incremental analysis: Malheur can be applied incrementally for analysis of large datasets. By processing reports in chunks, the run-time can be significantly reduced. This renders the application of Malheur feasible.
Analysis of malware behavior by Malheur:
Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored at run-time. Malheur analyzes the resulting reports for discovery and discrimination of malware classes using machine learning. Malheur can be applied to recorded behavior in various formats, for example reports generated by CWSandbox, Anubis, Norman Sandbox and Joebox.
Actions & Options of Malheur
Malheur supports different actions for the analysis of a dataset. For all actions, the behavior reports are first mapped to a high-dimensional vector space.
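The pipeline these sections describe (report to vector, prototype extraction, clustering, classification with rejection of unknown behaviour) as an added example. It is not Malheur's code: the embedding is a plain bigram frequency vector, the prototype step is a greedy farthest-point selection, and the five behaviour reports and their API names are constructed for the demo.

```python
"""Malheur-style behaviour analysis on a toy scale. Added example, not
Malheur code; reports, names and thresholds are constructed."""
import math
from collections import Counter

# Constructed sandbox reports: the sequence of monitored API calls per sample.
REPORTS = {
    "s1": "CreateFile WriteFile RegSetValue CreateProcess connect send".split(),
    "s2": "CreateFile WriteFile RegSetValue CreateProcess connect send recv".split(),
    "s3": "FindFirstFile FindNextFile ReadFile CryptEncrypt WriteFile DeleteFile".split(),
    "s4": "FindFirstFile FindNextFile ReadFile CryptEncrypt WriteFile".split(),
    "s5": "VirtualAlloc WriteProcessMemory CreateRemoteThread".split(),
}


def embed(report, n=2):
    """Map a report to a unit-length n-gram frequency vector: one dimension per
    distinct n-gram, stored sparsely."""
    grams = Counter(tuple(report[i:i + n]) for i in range(len(report) - n + 1))
    norm = math.sqrt(sum(c * c for c in grams.values()))
    return {g: c / norm for g, c in grams.items()} if norm else {}


def distance(u, v):
    """Euclidean distance between two sparse vectors (sqrt(2) when disjoint)."""
    keys = set(u) | set(v)
    return math.sqrt(sum((u.get(k, 0.0) - v.get(k, 0.0)) ** 2 for k in keys))


def extract_prototypes(vectors, radius):
    """Greedy prototype extraction: repeatedly pick the report farthest from all
    chosen prototypes until every report lies within `radius` of one."""
    names = list(vectors)
    protos = [names[0]]
    while True:
        far = max(names, key=lambda n: min(distance(vectors[n], vectors[p]) for p in protos))
        if min(distance(vectors[far], vectors[p]) for p in protos) <= radius:
            return protos
        protos.append(far)


def cluster(vectors, protos):
    """Assign every report to its nearest prototype (its cluster)."""
    return {n: min(protos, key=lambda p: distance(vectors[n], vectors[p])) for n in vectors}


def classify(report, vectors, protos, reject_distance):
    """Assign unknown behaviour to the nearest known prototype, or return None
    (a candidate new class) if it is farther than reject_distance from all."""
    v = embed(report)
    best = min(protos, key=lambda p: distance(v, vectors[p]))
    d = distance(v, vectors[best])
    return (best, d) if d <= reject_distance else (None, d)


if __name__ == "__main__":
    vecs = {name: embed(r) for name, r in REPORTS.items()}
    protos = extract_prototypes(vecs, radius=0.5)
    print("prototypes:", protos)
    print("clusters:", cluster(vecs, protos))
    print(classify("FindFirstFile FindNextFile ReadFile CryptEncrypt".split(), vecs, protos, 1.0))
    print(classify("NtQuerySystemInformation Sleep GetTickCount".split(), vecs, protos, 1.0))
```

Because prototypes are a small subset of the reports, new chunks of data only need to be compared against them, which is what makes the incremental mode practical on large datasets.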
Droid Application Fuzz Framework (DAFF) helps to fuzz Android browsers and PDF readers for memory corruption bugs on real Android devices. Everyone can use the inbuilt fuzzers or import fuzz files from their own custom fuzzers. DAFF consists of inbuilt fuzzers and a crash monitor.
Droid-FF is the very first Android fuzzing framework which helps researchers find memory corruption bugs in code written in C/C++. It comes as a ready-to-go VM which is easy to work with.
On Android, native code is preferred over JIT languages for its memory efficiency and speed, but security bugs in native code can result in exploits that take over the Android system. The goal of the fuzzer is to help researchers find such security bugs by fuzzing Android.
Droid Application Fuzz Framework currently supports fuzzing the following applications:
Adobe Acrobat Reader
Foxit PDF Reader
Google PDF Viewer
WPS Office + PDF
What does it do:
Currently includes Peach, with some pre-populated pit files, which help in generating data, be it dex, ttf, png, avi, mp4, etc.
Dumb fuzzing: From a large input set of valid data, the fuzzer generates new data with mutations in place.
Intelligent fuzzing: A file-format representation of the target data lets the fuzzer generate data which is structurally valid but has invalid data in some sections.
The fuzzing system is an automated program which runs the dataset against the target program and deals with any error conditions that can possibly happen. It also maintains state so that we could resume the fuzzing from the right place in an event of a crash.
Advanced Triage System
In the event of a valid crash, the triage system collects the tombstone files, which contain the dump of the registers and system state with detailed information. It also collects the relevant logs and the file responsible for the crash and moves them to the triage database. The triage database runs scripts on the data derived from crashes (such as the type of the crash, e.g. SIGSEGV, and the PC address at the crash) and checks for duplicates; if a duplicate is found, the duplicate entry is removed, and the crash is moved to the crashes list for investigation.
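The triage step above (pull the signal and the faulting PC out of a tombstone, drop duplicates, rank what is left) as an added example; this is not DAFF's triage code. The tombstone snippets are constructed in the shape of Android's tombstone format, with made-up process names, library names and addresses, and the priority rule is a simple first-pass heuristic rather than anything the framework defines.

```python
"""Tombstone triage and de-duplication. Added example, not DAFF code.
Tombstone text below is constructed in the Android tombstone layout."""
import re
from collections import OrderedDict

SIGNAL_RE = re.compile(
    r"signal (?P<num>\d+) \((?P<name>SIG[A-Z]+)\), code -?\d+ \((?P<code>[A-Z_]+)\)"
    r"(?:, fault addr (?P<addr>0x[0-9a-f]+|-{8}))?")
# Frame 0 of the backtrace: "#00 pc <offset>  <library> (<symbol+off>)"
FRAME0_RE = re.compile(r"#00 pc (?P<pc>[0-9a-f]+)\s+(?P<lib>\S+)(?: \((?P<sym>[^)]+)\))?")


def parse_tombstone(text):
    """Extract the fields the triage keys on; None if the text is not a crash."""
    m = SIGNAL_RE.search(text)
    f = FRAME0_RE.search(text)
    if not m or not f:
        return None
    addr = m["addr"] if m["addr"] and m["addr"].startswith("0x") else ""
    return {"signal": m["name"], "code": m["code"], "fault_addr": addr,
            "pc": f["pc"].lstrip("0") or "0", "lib": f["lib"], "symbol": f["sym"] or "?"}


def priority(crash):
    """Constructed first-pass ranking: null-page derefs and aborts are usually
    less interesting than a wild access to an unmapped address."""
    if crash["signal"] == "SIGSEGV":
        addr = int(crash["fault_addr"], 16) if crash["fault_addr"] else None
        if addr is not None and addr < 0x1000:
            return "low"
        return "high" if crash["code"] == "SEGV_MAPERR" else "medium"
    if crash["signal"] == "SIGABRT":
        return "low"
    return "medium"


def triage(tombstones):
    """Bucket crashes by (signal, frame-0 pc); later hits on a bucket are
    duplicates and are dropped. Returns (unique crashes, duplicate count)."""
    unique, dupes = OrderedDict(), 0
    for text in tombstones:
        crash = parse_tombstone(text)
        if crash is None:
            continue
        key = (crash["signal"], crash["pc"])
        if key in unique:
            dupes += 1
            continue
        crash["priority"] = priority(crash)
        unique[key] = crash
    return list(unique.values()), dupes


# Constructed tombstones (library, process and addresses are made up).
T1 = """pid: 4211, tid: 4211, name: pdfviewer  >>> com.example.pdfviewer <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7f3a1c0000
backtrace:
    #00 pc 00000000000a1b2c  /system/lib64/libpdfrender.so (render_page+124)
    #01 pc 0000000000012f40  /system/lib64/libpdfrender.so (open_document+40)
"""
T2 = T1.replace("pid: 4211, tid: 4211", "pid: 4300, tid: 4300").replace("0x7f3a1c0000", "0x7f12340000")
T3 = """pid: 4377, tid: 4377, name: pdfviewer  >>> com.example.pdfviewer <<<
signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
backtrace:
    #00 pc 000000000004d5c8  /system/lib64/libc.so (abort+120)
"""
T4 = """pid: 4402, tid: 4402, name: pdfviewer  >>> com.example.pdfviewer <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
backtrace:
    #00 pc 0000000000033a10  /system/lib64/libpdfrender.so (parse_xref+64)
"""

if __name__ == "__main__":
    crashes, dupes = triage([T1, T2, T3, T4])
    print(f"{len(crashes)} unique crashes, {dupes} duplicate(s) dropped")
    for c in crashes:
        print(c["priority"], c["signal"], c["pc"], c["lib"], c["symbol"])
```

Keying on the frame-0 offset within the library (rather than an absolute address) keeps the dedupe stable across runs where ASLR moves the library; on a symbolised engineering build the symbol name can be added to the key as well.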
Used during this lab:
The Android system which we are going to fuzz is an engineering build from AOSP which has symbols, so in the event of a crash it is much easier to triage. The system supports fuzzing real devices, emulators, and images running on VirtualBox.
Droid Application Fuzz Framework has three fuzzer modes:
Google Domato– Uses slightly modified version of Google Domato for generating fuzz files.
Dumb Fuzzer– As the the name suggests, a dumb fuzzer. (Only for PDF)
Pregenerated Files (3rd Party Fuzzer)– To use your private or custom fuzzer generated files.
MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.
How it all started
For the past few months I have been digging into the Android operating system to understand its inner workings and how its different elements are pieced together. I decided to start by trying to understand how applications are developed.
The first step was to understand the components of an android application, then later how the operating system executes it, what data is stored, where its stored and who had access to it.
It soon started to become quite frustrating having to run various tools to get different output. For example, running dex2jar to convert the Android application (apk) into a jar file, or converting the apk into smali bytecode using baksmali. This process was not only inconvenient and slow, but I could only reverse engineer and study one app at a time. At this point in time my good friend Chrispus was also facing the same challenges reverse engineering Android apps.
After a bit of googling we came across MobSF. It's an awesome tool that performs both static and dynamic analysis of both Android and iOS applications. After downloading the tool from GitHub and poking around in it, we found the strings it was using to perform the static analysis, and that was when we had the light bulb moment.
We figured: why don't we use the same strings to perform the static analysis, but dump the identified matches to a text file for review? First things first, we asked Ajin, the creator of MobSF, for permission to use the detection strings, which he granted. What crossed our minds next was the OWASP Mobile Top 10: which checks are supposed to be performed on a mobile application in accordance with the OWASP mobile security threats? Then we came across the mobile app checklists on the OWASP website for both static and dynamic analysis.
After a few months of bash scripting, the simple reverse engineering script morphed into the MARA framework: a tool that decompiles Android applications, Java classes, dex files and class files into Java class files, then proceeds to statically analyze them. We included androbugs to scan for potential vulnerabilities in the apk, alongside a number of other tools. There is also an integrated SSL scanner for scanning domains extracted from the resulting source code. This was nothing more than a script to make our work easier, faster and more efficient.
APK Reverse Engineering
Disassembling Dalvik bytecode to smali bytecode via baksmali and apktool
Disassembling Dalvik bytecode to java bytecode via enjarify
Decompiling APK to Java source code via jadx
APK deobfuscation via apk-deguard.com
Parsing smali files for analysis via smalisca
Dump apk assets,libraries and resources
Extracting certificate data via openssl
Extract strings and app permissions via aapt
Identify methods and classes via ClassyShark
Scan for apk vulnerabilities via androbugs
Analyze apk for potential malicious behaviour via androwarn
Identify compilers, packers and obfuscators via APKiD
Extract execution paths, IP addresses, URLs, URIs and emails via regex
APK Manifest Analysis
Extract exported activities
Extract exported receivers
Extract exported services
Check if apk is debuggable
Check if apk allows backups
Check if apk allows sending of secret codes
Check if apk can receive binary SMS
Domain SSL scan via pyssltest and testssl
Website fingerprinting via whatweb
Source code static analysis based on the OWASP Mobile Top 10 and the OWASP Mobile Apps Checklist
MARA is capable of performing either single or mass analysis of apk, dex or jar files.
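The manifest checks in the list above (exported activities, receivers and services, debuggable, backups, secret codes, binary SMS) as an added example; this is not MARA's code, which drives external tools from bash. It reads a constructed AndroidManifest.xml with the standard library parser. A component counts as exported if `android:exported` says so explicitly, or, failing that, if it declares an intent-filter (the default before API level 31).

```python
"""Manifest analysis along the lines of MARA's checklist. Added example, not
MARA code; the manifest below is constructed for the demo."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def attr(el, name, default=None):
    """Read an android:-namespaced attribute."""
    return el.get(ANDROID_NS + name, default)


def is_exported(component):
    """Explicit android:exported wins; otherwise exported iff the component
    declares an intent-filter (pre-API-31 default)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return the checklist findings for one manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    report = {"package": root.get("package"),
              "debuggable": attr(app, "debuggable", "false") == "true",
              "allow_backup": attr(app, "allowBackup", "true") == "true",  # default is true
              "exported": [], "secret_codes": [], "binary_sms": []}
    for kind in ("activity", "receiver", "service"):
        for comp in app.findall(kind):
            name = attr(comp, "name")
            if is_exported(comp):
                report["exported"].append((kind, name, attr(comp, "permission")))
            for filt in comp.findall("intent-filter"):
                actions = {attr(a, "name") for a in filt.findall("action")}
                for data in filt.findall("data"):
                    if ("android.provider.Telephony.SECRET_CODE" in actions
                            and attr(data, "scheme") == "android_secret_code"):
                        report["secret_codes"].append(attr(data, "host"))
                    if ("android.intent.action.DATA_SMS_RECEIVED" in actions
                            and attr(data, "scheme") == "sms"):
                        report["binary_sms"].append((name, attr(data, "port")))
    return report


# Constructed manifest exercising each check (package and names are made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BinarySmsReceiver">
      <intent-filter>
        <action android:name="android.intent.action.DATA_SMS_RECEIVED"/>
        <data android:scheme="sms" android:port="8901"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SecretCodeReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Exported components guarded by a permission (the `.SmsReceiver` above) are still reported, with the permission alongside, since whether that permission is adequate is a judgement call for the reviewer. On a real apk the manifest is binary XML and has to be decoded first (MARA uses apktool for that); the analysis itself is unchanged.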
Multiple test tools will be necessary for a more thorough and comprehensive testing process. I have given an overview of the MARA Framework setup process and how it can expedite your Android app reverse engineering and static analysis process.
BriskInfosec holds utmost experience in mobile app penetration testing to identify potential vulnerabilities and ensure secure coding practices in Android applications.
A hash buster is a program that generates a string of text for insertion in a spam message so that, to a spam filter, the e-mail appears to be a different message each time it is sent. The text might appear in the Subject line, its From line, or after the message body, and might either be coherent text or gibberish. The latter is sometimes arranged in word-like formations to be less easily detected.
The hashing process, used by some spam filters, represents each message as a single number (known as a hash) to simplify comparison. Each number is then compared to those of other messages to determine if it matches a list of known spam messages or enough other messages to determine bulk e-mail status. However, a hash buster is only effective for spam filters that rely solely on hash comparison, and most such programs combine a number of approaches.
PTH (pass-the-hash) is one of the hash buster attack techniques; it allows an attacker to start lateral movement in the network over the NTLM protocol without needing the user's password. We evaluated a number of legitimate and illegitimate scenarios for (PTH) NTLM connections to see the differences and how each of these can be distinguished. Based on our findings, CyberArk Labs created a freely available tool (Ketshash) that detects live PTH attempts.
MD5 has been deprecated for uses other than as a non-cryptographic checksum to verify data integrity and detect unintentional data corruption.
SHA, standing for Secure Hash Algorithm, is used by certification authorities to sign certificates and CRLs (certificate revocation lists). Introduced in 1993 by the NSA as SHA-0, it is used to generate unique hash values from files. It was developed as part of the U.S. Government’s Capstone project.
Since 2005 SHA-1 has not been considered secure against well-funded opponents, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Microsoft, Google, Apple and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
According to Venafi, after January this kind of certificate use will cause major performance disruptions. For example, browsers will alert users that sites using SHA-1 are insecure and won’t display a green padlock or other symbol for secure HTTPS transactions. Browsers may even block access to sites that use the outdated certificates.
SHA-2 is a set of cryptographic hash functions which includes SHA-224, SHA-256, and SHA-512. The 256 in SHA-256 represents the bit size of the hash output, or digest, produced when the hash function is applied. Not all software supports every digest size within the SHA-2 family. Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems such as Windows XP pre-SP3 do not support SHA-2.
Many organizations will be able to convert to SHA-2 without running into user experience issues, and many may want to encourage users running older, less secure systems to upgrade.
Network sniffing tools have been listed since 2014 among the web’s favorite hacking/pentesting software: hacker tools used by hackers, geeks, ethical hackers and security engineers (as well as black hat hackers).
This list and resource sprang to life when we organized an online poll back in 2013 that was very well received; the tools below are the ones voted as the ‘Top Ten List of Hacking Tools’.
Nmap (Network Mapper)
Nmap is an abbreviation of ‘Network Mapper’, and it’s a very well known free open source hacker tool. It is mainly used for network discovery and security auditing. Nmap uses raw IP packets in creative ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems they are running (OS fingerprinting), and what type and version of packet filters/firewalls are in use at the target. It was designed to rapidly scan large networks, but works fine against single hosts.
Metasploit Penetration Testing Software
The Metasploit Project is a hugely popular pentesting or hacking framework. It is an essential tool which provides the user with vital information regarding known security vulnerabilities and helps to formulate penetration testing and IDS testing plans, strategies and methodologies for exploitation. Most practical IT security courses such as OSCP and CEH include a Metasploit component. It helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.
John The Ripper
John the Ripper is free and open source password cracking software, distributed primarily in source code form. If you would rather use a commercial product tailored for your specific operating system, consider John the Ripper Pro, which is distributed primarily in the form of “native” packages for the target operating systems and in general is meant to be easier to install and use while delivering optimal performance. This tool can also be used to perform a variety of alterations to dictionary attacks.
THC Hydra is a popular password cracker with a very active and experienced development team. Essentially, THC Hydra is a fast and stable network login cracker that uses dictionary or brute-force attacks to try various password and login combinations against a login page. This hacking tool supports a wide set of protocols including mail (POP3, IMAP, etc.), databases, LDAP, SMB, VNC, and SSH.
The Zed Attack Proxy (ZAP) is one of the most popular OWASP projects. The fact that you’ve reached this page means that you are likely already a relatively seasoned cybersecurity professional, so it’s highly likely that you are very familiar with OWASP, not least the OWASP Top Ten listing, which is considered the ‘guide-book’ of web application security. This hacking and pentesting tool is very efficient as well as being an ‘easy to use’ program that finds vulnerabilities in web applications.
Wireshark is the world’s foremost and most widely used network sniffing tool and a very popular pentesting tool. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.
Wireshark essentially captures data packets on a network in real time and then displays the data in a human-readable (verbose) format. The tool (platform) is highly developed and includes filters, color-coding and other features that let the user dig deep into network traffic and inspect individual packets.
Aircrack-ng is a WiFi (wireless) hacking and network sniffing toolset, very effective when used in the right hands. For those new to this wireless-specific program, Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking tool that can recover keys once sufficient data packets have been captured (in monitor mode). All tools are command line, which allows for heavy scripting, and a lot of GUIs have taken advantage of this. It works primarily on Linux but also on Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.
Maltego is a unique platform designed to deliver a clear, overall cyber threat picture of the environment that an organization owns and operates. Its unique advantage is demonstrating the complexity and severity of single points of failure, as well as the trust relationships that currently exist within the scope of your infrastructure.
One of the awesome things about Maltego, which likely makes it so popular (and included in the Kali Linux Top Ten), is its unique perspective in offering both network and resource based entities through the aggregation of information sourced throughout the web.
Cain and Abel Hacking Tool
Cain and Abel is a password recovery tool for Microsoft Windows which is also a popular network sniffing tool, but it can be used off-label in a variety of ways; for example, white and black hat hackers use Cain to recover many types of passwords using methods such as network packet sniffing and cracking password hashes.
Nikto Website Vulnerability Scanner
Nikto is a classic tool that a lot of pentesters like to use. Nikto is sponsored by Netsparker. It is an open source (GPL) web server scanner which scans web servers for vulnerabilities, performing over 6000 tests against a website. The large number of tests for both security vulnerabilities and misconfigured web servers makes it a go-to tool for many security professionals and systems administrators. It can find forgotten scripts and other hard-to-detect problems from an external perspective.