This blog is all about Cyber Security and IT

Wednesday, April 22, 2020

HTTP Cache Poisoning via Host Header Injection

Vulnerability:

Links and URLs in cached pages can be rewritten to arbitrary strings by unauthenticated HTTP clients. When the application reflects an HTTP header value back in its response, it may be possible to poison the server cache. If the X-Forwarded-Host value is directly reflected as a hyperlink, a Host Header Attack / Cache Poisoning vulnerability is likely present, as follows:

Affected software: ANY site that does not validate HTTP Host: headers.

It is common practice for web programmers and web frameworks to rely on the value of the HTTP Host header to write links. This is for convenience, so that the same software will run on localhost, various testing servers, subdomains, secondary domains, etc, without modification. For example:

<a href="<?=$_SERVER['HTTP_HOST']?>/login">Login</a>

This turns out to be a very, very bad idea in any language. The HTTP Host header is arbitrary text controlled by the client, but common practice treats it as though it were a safe environment variable.

HTTP Request

GET / HTTP/1.1
Host: davindertutorials.com
X-Forwarded-Host: test.com
...
....

HTTP Response

HTTP/1.1 200 OK
....
....
....
<li class="SL_hide" title="Get New Relic on your iPad, iPhone, or Android phone"><a href="http://test.com/mobility">New Relic for iOS & Android</a></li>
....

As you can see, test.com now appears in the response.

Mitigation: DO NOT use the value of the Host header for anything. If you must, apply very strict filters to only allow valid FQDNs, and then whitelist the FQDNs you allow. Treat it as you would any arbitrary data coming from the outside. If your webserver is configured to output the value of the Host header (as in the example, and as by default in many webservers), disable that configuration.
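An added example (not code from the original post) of the allow-list mitigation just described, in Python: the claimed host is checked against a strict FQDN syntax and a configured allow-list before any link is built, and X-Forwarded-Host is only honoured when a trusted proxy is in front. ALLOWED_HOSTS and the sample headers are assumed values.

```python
import re

# Assumed deployment configuration (not from the original post): the hosts this
# application legitimately serves. Anything else is treated as attacker-controlled.
ALLOWED_HOSTS = {"davindertutorials.com", "www.davindertutorials.com", "localhost:8000"}
HOST_SYNTAX = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?(:\d{1,5})?$")

def requested_host(headers, trust_proxy=False):
    """Pick the host name the request claims, lower-cased and stripped.
    X-Forwarded-Host is only honoured when a trusted reverse proxy sets it;
    otherwise any client can inject it, as the request/response pair above shows."""
    host = None
    if trust_proxy:
        host = headers.get("X-Forwarded-Host")
    if not host:
        host = headers.get("Host", "")
    # A proxy chain may append several values; the first is the client-facing one.
    return host.split(",")[0].strip().lower()

def safe_base_url(headers, trust_proxy=False, scheme="https"):
    """Return the base URL to build links with, or None when the claimed host
    is not on the allow-list (the framework should then answer 400, not reflect it)."""
    host = requested_host(headers, trust_proxy)
    if not HOST_SYNTAX.match(host):      # strict FQDN[:port] syntax first
        return None
    if host not in ALLOWED_HOSTS:        # then the explicit allow-list
        return None
    return f"{scheme}://{host}"

def login_link(headers, trust_proxy=False):
    """Hardened version of the <a href=...> line above: never reflects the raw header."""
    base = safe_base_url(headers, trust_proxy)
    if base is None:
        return None
    return f'<a href="{base}/login">Login</a>'

if __name__ == "__main__":
    # Constructed headers mirroring the request shown in the post.
    hdrs = {"Host": "davindertutorials.com", "X-Forwarded-Host": "test.com"}
    print(login_link(hdrs))                      # Host wins; X-Forwarded-Host ignored
    print(login_link(hdrs, trust_proxy=True))    # test.com not allow-listed -> None
```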

Host Header attack

In simple terms: if a website x.com is requested and I change the Host header to y.com, and I am still able to open the site with that host, then it is a host header attack.

Vulnerability Description: 

Open Redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.

How to find this Vulnerability 

1. Change the Host header to x.com and click Go. If that does not succeed, try the next method.
2. Change the Host header to x.com and set X-Forwarded-Host to the original domain.com. If that still does not succeed, try the next one.
3. Do the opposite of step two: keep the Host header as the original domain.com and set X-Forwarded-Host to x.com.

If none of the above steps succeed, the website is probably secured against this vulnerability.

Remediation:

If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.

Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.


Example of a Bug Reported:

Vulnerable URL:
https://wakatime.com/settings/account?apikeyrefresh=true
Payload: " X-Forwarded-Host: bing.com "
How to reproduce this vulnerability:
  1. Open this URL " https://wakatime.com/settings/account?apikeyrefresh=true " and send it to the Repeater in Burp Suite.
  2. Add the payload to the request headers and forward the request.
  3. It will directly redirect to bing.com.

Impact:
Whenever a user visits this URL, it will redirect them to site.com. This is used in phishing attacks.

Sunday, April 12, 2020

SPF Record Missing is an important Security Concern

What Are SPF/TXT Records?
An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
For example, suppose the Woodland company has the email address customersupport@woodland.com. If I am able to send a mail using that address, it means the SPF records are not properly set.

Checking for a Missing SPF Record:
There are various ways of checking for missing SPF records on a website, but the most common and popular way is kitterman.com.
Steps to check the SPF records of a website:
1. Go to http://www.kitterman.com/spf/validate.html or use nslookup.
2. Enter the target website, e.g. target.com (do not add https/http or www).
3. Hit Check SPF (if any).
4. If you see an SPF record, the domain is not vulnerable; but if you see nothing here, then "HURRAY! You found a bug".
POC:
Once there is no SPF record, an attacker can spoof email via any fake mailer like Emkei.cz. An attacker can send an email from the name "Support" and the address "support@davindertutorials.com". With a social engineering attack he can take over a user account: even if the victim knows about phishing attacks, when he sees the email coming from the authorized domain he is easily tricked.
How to reproduce this:
  1. Fill in all the details, like:
     Name - mycrypto
     email - support@mycrypto.com
     to - your email address
  2. Click on Send Email. It will directly send a mail from support@davindertutorials.com to you.
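As an added example (not from the original post), the check above carried out on constructed TXT records rather than live DNS: it finds the single v=spf1 record, reports the missing case, and also tells apart a record ending in +all (anyone may send as the domain) from one ending in -all. The domain names and record strings are made up.

```python
# Constructed TXT answers for four hypothetical domains (not real DNS data).
# In practice these strings come from a TXT lookup, e.g. `nslookup -type=TXT domain`.
SAMPLE_TXT = {
    "no-spf.example":   ["google-site-verification=abc123"],
    "weak-spf.example": ["v=spf1 include:_spf.mail.example +all"],
    "good-spf.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "dup-spf.example":  ["v=spf1 -all", "v=spf1 ip4:198.51.100.7 ~all"],
}

QUALIFIER_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def find_spf(txt_records):
    """Return the domain's single SPF record, or None.
    RFC 7208 requires exactly one record starting with 'v=spf1';
    zero records means unprotected, two or more is a permanent error."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def assess_spf(txt_records):
    """Classify what happens to mail from a server the record does not list."""
    spf = find_spf(txt_records)
    if spf is None:
        return "missing-or-invalid"          # the bug described in the post
    terms = spf.split()[1:]
    for term in terms:
        qualifier = term[0] if term[0] in QUALIFIER_MEANING else "+"
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            # '+all' lets anyone send as the domain; '-all' rejects unlisted senders
            return "permissive" if qualifier == "+" else QUALIFIER_MEANING[qualifier]
    return "neutral"                          # no 'all' term: unlisted senders pass through

def report(domains=SAMPLE_TXT):
    return {d: assess_spf(txt) for d, txt in domains.items()}

if __name__ == "__main__":
    for domain, verdict in report().items():
        print(f"{domain:20} {verdict}")
```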


Wednesday, March 27, 2019

Understanding the Basics: Confidentiality, Integrity and Availability

Confidentiality, integrity, and availability, often known as CIA, are the building blocks of information security.

Any attack on an information system will compromise one, two, or all three of these components. Based on which of these components is being compromised the most, efficient security controls can be designed accordingly.


Confidentiality

In layman's terms, something that is confidential is secret and is not supposed to be disclosed to unintended people or entities. What's the first thing that comes to your mind that needs to be kept confidential? Probably your passwords and ATM PINs. There may be many parameters and information items that need to be kept confidential during a particular communication. If confidentiality is compromised, it might result in unauthorized access to your systems or severe loss of your privacy!

Integrity

In context of the information security (InfoSec) world, integrity means that when a sender sends data, the receiver must receive exactly the same data as sent by the sender. For example, if someone sends a message “Hello!”, then the receiver must receive “Hello!” . Any addition or subtraction of data during transit would mean the integrity has been compromised.

Availability

Availability implies that information is available to the authorized parties whenever required. For example, consider a server that stores the payroll data of company employees. The finance team wants to access it at fiscal year-end for some reporting purpose. If the server is able to provide all the requested information to the requestors, then its availability is considered good and healthy. But if the server goes down (for any intentional or unintentional reason) and the finance team is not able to retrieve the required data in time, then we say that the information availability has been affected or compromised.

During an attack on a computer system, at least one of the three, confidentiality, integrity or availability, is affected or compromised.

Various attacks on Confidentiality, Integrity and Availability

Attacks that affect Confidentiality are:
Packet sniffing, password cracking, dumpster diving, wiretapping, keylogging, phishing

Attacks that affect Integrity are:
Salami attacks, data diddling attacks, session hijacking, man-in-the-middle attacks

Attacks that affect Availability are :
DoS and DDoS attacks, SYN flood attacks, physical attacks on

How to Conduct Pentesting for any organisation (Complete Tutorial)

Pentesting means finding vulnerabilities by using various techniques and methods.

Organisations hire consultants who have a team of auditors who perform the pentesting.

Auditors are those who know how to find vulnerabilities and also perform exploits to check the security issues.

Auditors perform the task depending upon the agreement signed between the organisation and the auditors.

Based on the agreement, pentesting will be performed. Just as we have different types of hacking (black, white and grey box), auditors perform pentesting based on the rights provided to them.






Types of hacking

External pentesting
This type of hacking is done from the Internet against the client's public network infrastructure; that is, against those computers in the organization that are exposed to the Internet because they provide a public service. Examples of public hosts: router, firewall, web server, mail server, name server, etc.

Internal pentesting
As the name suggests, this type of hacking is executed from the customer's internal network.

Black box hacking
This mode is applicable to external testing only. It is called so because the client only gives the name of the company to the consultant, so the auditor starts with no information.

Gray box hacking
This method usually refers to internal pentesting. Nevertheless, some auditors also call an external test gray-box hacking when the client provides limited information on the public computers to be audited.

White box hacking
White-box hacking is also called transparent hacking. This method applies only to internal pentesting and is called this way because the client gives the auditor complete information about its networks and systems.





Phases of hacking

Both the auditor and the cracker follow a logical sequence of steps when conducting a hacking. These grouped steps are called phases.
There is a general consensus among the entities and information security professionals that there are five phases, in the following order:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Erasing Clues
Usually these phases are represented as a cycle that is commonly called "the circle of hacking", with the aim of emphasizing that the cracker can continue the process over and over again.

Information security auditors who perform ethical hacking services, though, present a slight variation in the implementation of these phases, like this:






Monday, March 18, 2019

Firewall, IDS, and IPS

The three devices commonly used to provide security are the firewall, the IDS, and the IPS.

Firewall

A firewall is a network security system that actively monitors and regulates inbound and outbound network traffic based on a predefined security ruleset. A firewall typically acts as a barrier between a trusted, secure internal network and an outside network, such as the Internet, which may not be secured enough. A firewall helps screen out malicious users, viruses, and worms that try to access your network from the Internet.

Some firewalls are simply software that runs on your computer, while others are complete hardware devices and appliances. Firewalls can operate on individual hosts but are widely implemented at the network level. Firewalls are often used to create a Demilitarized Zone (DMZ), a physical or logical subsection of a network that separates the internal private LAN from an external untrusted network like the Internet. The resources that need to be accessed externally over the Internet, such as a web server hosting a website, are kept in the DMZ. The remaining resources, like the database server and backup servers, are kept in the internal private LAN and are not directly accessible over the Internet. Because the resources in a DMZ are directly accessible to the public, they need to be hardened for security. Firewalls also offer a feature known as stateful inspection, which monitors and keeps track of all network connections and ensures that all inbound packets are the result of an outbound request. This feature was primarily designed to prevent harmful packets from entering the network and also defends against common information-gathering techniques like port scanning.

Intrusion Detection System

Unlike a typical firewall, which functions on predefined rules, an intrusion detection system is more intelligent in the way it detects various attacks. While a firewall may just check and restrict access to a particular system (based on IP address and port), an IDS goes the extra mile to check whether the traffic contains any malicious code that might lead to an attack. Just as an anti-virus program has a signature database of known viruses, an IDS has a signature database of known and common attacks. It checks all packets traversing the network and tries to match them against its signature database. If a match is found, it raises an alert about the attack so that the network/system administrator can take appropriate steps to prevent it.

Intrusion Prevention System

An intrusion prevention system does all the jobs that an IDS does, but it also stops the attack (by dropping packets) whenever it encounters malicious traffic in network packets. This ensures an automated response to an attack and reduces manual intervention.


Do you know where the passwords are stored in Linux?

Two important files in the Linux system are responsible for storing user credentials:

/etc/passwd

/etc/passwd is a text file that stores all the account information (except the password) required for user login.

The following sample entry from an /etc/passwd file will help clarify its components:

1. User Name: This is the username used to log in.
2. Password: The x character implies that the encrypted password for this user is stored in the /etc/shadow file.
3. User ID (UID): Each user on the system has a unique ID. UID 0 (zero) is reserved for the root user.
4. Group ID (GID): This is the group ID of the group to which the user belongs.
5. User ID Info: This comment field can store additional information about the user, including email, telephone number, and so on.
6. Home Directory: This is the default directory that will be available to the user after login. All the user-specific documents and settings are stored in the respective home directory.
7. Command/Shell Path: This is the path to the user's command prompt, or shell.





/etc/shadow

/etc/shadow is a text file that stores the actual passwords in hashed format. It also stores parameters related to the password policy that has been applied to the user. Following is an example entry from the /etc/shadow file:

1. Username: This is the username to which the password belongs.
2. Password: This is the password stored in hashed format.
3. Last password change: This field indicates the number of days since the last password change.
4. Minimum Age: This denotes the number of days remaining before the user can change his or her password.
5. Maximum Age: This denotes the maximum number of days after which the user must change his or her password.
6. Expiry Warning: This denotes the number of days before expiry that the user must be warned about the password expiring.
7. Inactive: This is the duration in days after password expiry after which the account will be disabled.
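An added example, not part of the original post: a small parser for the two formats described above, run over constructed sample lines, that flags the conditions a reviewer of these files cares about (a second UID 0 account, a hash left in /etc/passwd, a missing shadow entry, an empty password field). The sample lines and hash values are made up.

```python
# Constructed sample lines in the formats described above (not from a real system); hashes are placeholders.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice,,555-0100:/home/alice:/bin/bash",
    "backup:x:0:34:backup:/var/backups:/bin/sh",
]
SHADOW_LINES = [
    "root:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18300:0:99999:7:::",
    "daemon:*:18300:0:99999:7:::",
    "alice::18300:0:90:7:30::",
    "backup:!:18300:0:99999:7:::",
]
PASSWD_FIELDS = ("name", "password", "uid", "gid", "info", "home", "shell")
# /etc/shadow has nine fields: the seven described above plus an expiry date and a reserved one.
SHADOW_FIELDS = ("name", "hash", "last_change", "min_age", "max_age",
                 "warn", "inactive", "expire", "reserved")

def parse_entries(lines, fields):
    """Split colon-separated lines into dicts keyed by the field names; skip malformed lines."""
    entries = {}
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) != len(fields):
            continue
        entry = dict(zip(fields, parts))
        entries[entry["name"]] = entry
    return entries

def audit(passwd_lines=PASSWD_LINES, shadow_lines=SHADOW_LINES):
    """Flag the account conditions that matter to a defender reviewing these two files."""
    passwd = parse_entries(passwd_lines, PASSWD_FIELDS)
    shadow = parse_entries(shadow_lines, SHADOW_FIELDS)
    findings = []
    for name, acct in passwd.items():
        if acct["uid"] == "0" and name != "root":
            findings.append(f"{name}: UID 0 but not root")         # a second superuser
        if acct["password"] != "x":
            findings.append(f"{name}: hash not moved to /etc/shadow")
        entry = shadow.get(name)
        if entry is None:
            findings.append(f"{name}: no /etc/shadow entry")
        elif entry["hash"] == "":
            findings.append(f"{name}: empty password, login needs no password")
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```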