Posts

Setting up your environment for Hacking - Part 1 : Tools

Hello everyone,

In previous posts, I gave you an introduction to XSS, one of the common vulnerabilities. In case you missed them, you can read them here:

Introduction to XSS

Hands on | Google XSS Game




The above 2 posts reached a lot of readers, and I got lots of emails and Facebook messages asking "Can you teach me hacking?".

Most of these people are noobs and they don't know how to hack or what hacking is. So, in this and the next few posts, I am going to tell you about setting up your environment for hacking (or for learning to hack).

In this post, I am talking about the common tools used for hacking. Don't worry. They're open source and you can get them for free.

1. Firefox

Firefox is a web browser you must have to perform testing against websites and web applications. Firefox is not as interesting as Chrome, but it does have lots of add-ons which help us test against a target. I'll talk about them later.

Visit Firefox Official Page  |  Download Firefox Web Installer





2. Python

Python is a programm…

How to earn some internet points on Stack Overflow

Stack Overflow, the largest Q&A site for professionals, was founded by Jeff and Joel in 2008 and became an encyclopedia for everyone who works in or is interested in information technology. It became an essential part of every programmer's life. Unlike other sites, Stack Overflow focuses only on technology. Any question that is not related to technology will be closed as off topic there. Also, questions asking to recommend software or hardware are unacceptable to the community.

To get high reputation on Stack Overflow, you have to consider a lot of things.

1. Choose your Tag(s)

Each Stack Overflow question is tagged with a programming language, tools, etc., so you can watch the tags you are interested in to see new questions as soon as they are posted.




Choose wisely because if you answer wrongly, you may lose reputation because of down votes.

There are certain tags that have high traffic. If you choose such a tag, your earnings will be high.

2. Be a FGIW

Try to be the first answer. Being the first one to…

Hands On training | Google XSS Game

Hello everyone,

In a previous post, I talked about XSS, aka Cross Site Scripting. I hope you all have a basic knowledge of it now. In this post, I am giving you more information on XSS with hands-on training on the Google XSS Game. You can find a video on how to solve this at the bottom of the page.

First of all, the Google XSS Game is a training platform provided by Google to practice XSS. It consists of 6 levels, and in each level you have to execute a JavaScript alert in order to advance to the next level. Each level presents a different problem, and you have to execute the alert using a different technique. This will help you understand the various methods that can be used to execute XSS in a web page.

There are hundreds of such websites available which allow you to practice various types of vulnerabilities.





So let's get started.

Navigate to https://xss-game.appspot.com. This is where the Google XSS Game is available.

You'll see a page like this




Click the but…

Need support or want to support? Contact me or make a donation

Hi Everyone,

I hope you people are enjoying my posts here. I am trying my best to share as much information as possible. In this blog, I will share my write ups, programming techniques, information on hacking and other stuff related to technology.

Contacting Me

Please contact me only for the following purposes

- You're in doubt or want me to clarify any of the things I've described in any of my posts.
- You'd like to share additional information which you want to see appear in my blog (with a credit to your profile).
- I am working as a freelance web and mobile app developer and website designer, and you want to assign or outsource a project.
- You want to pentest your website or secure/hack-proof your website or web app.
- To invite me to private bug bounty programs.
- To request contributions to your JavaScript open source projects.

You can reach me at sagarvd1995[at]gmail[dot]com or sagarvd[at]vdevs[dot]in
Support Me
If you liked my posts or my posts helped you somewhere, you can suppor…

Introduction to XSS - Methods, Impact and Prevention

When searching for hacking tutorials or reading through write-ups, you will definitely come across the term XSS. In this post, I am going to explain what XSS is, what its impacts are and how to achieve it, with a few examples.

XSS, aka Cross Site Scripting, is a vulnerability which allows the attacker to inject and execute JavaScript code on the target website. This allows the attacker to log the victim's details, make a phishing page, bypass CSRF protection, get cookies and much more.

XSS is of 2 types: Stored and Reflected.

Stored XSS is the type of XSS where user-entered data is stored on the server and then displayed on another page. For example, parameters like name, place, about, etc. can be vulnerable to stored XSS.
That said, fields like password are stored once and never retrieved or shown in future, hence they are not vulnerable to stored XSS.

When can this be exploited?




- The developer isn't validating user inputs.
- The developer added certain validations but they are client side only.
How to Ex…

Bug in Facebook OAuth. Convert Facebook test account to real account in Instagram/Oculus

Facebook provides you the ability to create test accounts for white hat testing. You can create them by visiting the URL facebook.com/whitehat/accounts.

Facebook wants you to test for security issues using test accounts only, and if you're unable to reproduce an issue with a test account, then it is okay to use a real account you own, or you have to get permission from the account owner. In addition, Facebook implemented certain limitations for the test accounts.

I got stuck on the last one. Can't convert to a real user account. OK, let's try it.

I tried for about a day in different ways, like using the fake email in the account recovery system and so on, but failed.

I was like






And then I thought that I might find a way by abusing the Facebook OAuth system with test accounts. I navigated to a few sites which allow login with Facebook.

But when I tried to log in with Facebook, it showed an error. Oops!! Screwed again.

Then I decided to stop there and went to bed because it was 3 AM at night. In the next day, …

Download Guarded Profile Picture From Facebook

Facebook recently introduced a feature called Profile Picture Guard. It prevents others from downloading your profile picture. If you want to know more about it, you can read about it here: Profile Picture Guard | Facebook Help.

When you turn on Profile Picture Guard, Facebook assures you that no one else can download your profile picture. Really??? 😆😆😆 Never!!!

I worked on it for some time to see how I could bypass this restriction. I tried calculating the URL to the CDN, but it requires a signature to access the file. I tried to view the image and change its dimensions, and the result was negative.

What's next?

Think out of the Box.





I thought I should leave it and change my target first. Then I decided to test it from another account of mine to check whether there is a way to bypass it.

Opened the profile picture and copied the url. Then I opened incognito to login to other account. Went to the url that I copied earlier and I was about to type my username and password in the login form at the top of page. Suddenly a pop up ca…