How to do it?

Discuss the many weaknesses of browser security and ways to mitigate the threat

How to do it?

Post by iistapp on Wed Apr 06, 2011 7:38 am

Hi ho all my fellow guys and gals,

Today I was browsing the forum and found this guy requesting people on HTS to find holes in his web page, so I got this urge to try it myself, but I honestly have no idea how to do so :o

So what I'm trying to say here, how are you finding holes? Do you just randomly find them by reading the source code? Do you inject scripts on the page or w/e, tools maybe?

Any suggestions or topics to read into to learn more about it would be greatly appreciated :)

Re: How to do it?

Post by Reason7194 on Wed Apr 06, 2011 12:21 pm

Just on a side note here, I remember reading a mod's comment about whether the HTS users should pin test a free-hosting website. They said it could bring up legal issues.

And as for finding holes in their website, it's more of using your own knowledge on how to manipulate the syntax of what the pin tester is testing.
I study Gotafu.

Re: How to do it?

Post by Goatboy on Wed Apr 06, 2011 3:57 pm

Reason7194 wrote:Just on a side note here, I remember reading a mod's comment about whether the HTS users should pin test a free-hosting website. They said it could bring up legal issues.

And as for finding holes in their website, it's more of using your own knowledge on how to manipulate the syntax of what the pin tester is testing.

That was me. I still say it's probably illegal, but I'm mulling that over in my head for a bit before making a decision. And it's pen-tester, as in "penetration testing".

Usually finding a vulnerability begins by doing a walk-through of the site. Check the most prevalent pages and functions yourself, while running an intercepting proxy in the background to log all traffic. If you're good, you'll be able to look at a page and immediately spot good points to test. Forms should be obvious. Picture galleries are notoriously vulnerable to local file inclusion. Chat systems using AJAX could be used to XSS other users. It's all a matter of knowing what can be attacked, then how to attack it.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
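The "picture galleries are notoriously vulnerable to local file inclusion" point above, as an added example that is not code from the thread or from HTS. It shows the usual gallery.php?img=... lookup next to a hardened version, and the probes a tester would feed the parameter after spotting it in the proxy log. The directory layout, the file contents, the config.php name and the probe strings are all constructed for the demo.

```python
# Added example, not code from the thread or from HTS: the "picture gallery"
# local file inclusion Goatboy mentions, as a vulnerable lookup beside a
# hardened one. The gallery layout, file contents and probe inputs are all
# constructed here so the script runs offline.
import os
import tempfile
from urllib.parse import parse_qs

# Throwaway web root: images/ is the gallery, config.php sits one level up,
# which is exactly the file a traversal payload goes after.
ROOT = tempfile.mkdtemp(prefix="gallery-demo-")
GALLERY = os.path.join(ROOT, "images")
os.makedirs(GALLERY)
with open(os.path.join(GALLERY, "cat.jpg"), "wb") as f:
    f.write(b"\xff\xd8\xff not really a jpeg")
with open(os.path.join(ROOT, "config.php"), "w") as f:
    f.write("<?php $db_pass = 'hunter2'; ?>")

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def img_param(query: str) -> str:
    """What the web server hands the script for gallery.php?img=...:
    parse_qs URL-decodes, so ..%2Fconfig.php arrives as ../config.php."""
    return parse_qs(query).get("img", [""])[0]


def serve_image_vulnerable(query: str) -> bytes:
    """Typical gallery code: glue the parameter onto the directory and read.
    '../' segments walk out of GALLERY, and os.path.join throws GALLERY away
    entirely when the parameter is an absolute path."""
    path = os.path.join(GALLERY, img_param(query))
    with open(path, "rb") as f:
        return f.read()


def serve_image_hardened(query: str) -> bytes:
    """Resolve the final path (symlinks included) and refuse anything that
    does not stay under GALLERY; then insist on an image extension so that
    even a non-image file inside the directory cannot be read this way."""
    base = os.path.realpath(GALLERY)
    target = os.path.realpath(os.path.join(base, img_param(query)))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes gallery: {query!r}")
    if os.path.splitext(target)[1].lower() not in IMAGE_EXTENSIONS:
        raise PermissionError(f"not an image: {query!r}")
    with open(target, "rb") as f:
        return f.read()


def probe(handler, query: str) -> str:
    """Send one request and classify the outcome the way you would reading
    the proxy log: did the server hand back something it should not have?"""
    try:
        data = handler(query)
    except OSError as e:  # PermissionError, FileNotFoundError, IsADirectoryError
        return f"blocked ({type(e).__name__})"
    return "LEAK" if b"db_pass" in data else "image"


# Probes a tester would try against the img= parameter (constructed).
PROBES = [
    "img=cat.jpg",
    "img=../config.php",
    "img=..%2Fconfig.php",
    "img=" + os.path.join(ROOT, "config.php"),  # absolute path
]

if __name__ == "__main__":
    for q in PROBES:
        print(f"{q:60} vulnerable={probe(serve_image_vulnerable, q):28} "
              f"hardened={probe(serve_image_hardened, q)}")
```

The hardened version deliberately does not blocklist "../": it normalises the path with realpath and checks the result, so "img=../images/cat.jpg" still works while every route out of the directory is refused. A string filter would miss encodings the web server decodes before the script ever sees them.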

Re: How to do it?

Post by iistapp on Thu Apr 07, 2011 2:14 am

So where would I get an intercepting proxy for background use to log all traffic as suggested? Is this a simple google and two click download, or does it take quite some skill to set this up?

Also, what would you suggest to learn to know and see what can be attacked?

If I were to do a walk through of HTS to find vulnerabilities, where would you suggest me to start? And how would you suggest me to start off? Would it be the same way for every page, or does it depend on what programming language is used on the page or what?

Loads of questions, I apologise for that, but I feel like you guys are honest people and can aid me with the best answers on topics like this

Re: How to do it?

Post by Goatboy on Thu Apr 07, 2011 2:59 am

iistapp wrote:So where would I get an intercepting proxy for background use to log all traffic as suggested? Is this a simple google and two click download, or does it take quite some skill to set this up?

Normally I would tell you to Google it, but you seem like a decent enough guy. Paros Proxy is the most simple in terms of setup and usage, but also has less features than the next two. Burp Proxy and Webscarab are both more functional, but the learning curve is steeper as a result. They are also written in Java, which means you will need to have a JRE (Java Runtime Environment) installed to use them. You probably have this already.

In any case, you have to configure your browser to use your intercepting proxy for all connections. It varies by browser, but this is something that Google can easily help you with.

iistapp wrote:Also, what would you suggest to learn to know and see what can be attacked?

The best advice I can give here is to test everything (within reason; don't go probing the FBI quite yet). If you wanna know what to study in order to actually understand these attacks and be able to pull them off, then you should probably start by learning a programming language. Python is easy for beginners to pick up, PHP is used in a ton of websites, C is used for a lot of applications/programs. If your focus is going to be on web security, then I would definitely suggest PHP first. Learn how to build websites with it (meaning you will need to learn HTML as well). Learn how you can access a database with it. Learn about the common security flaws programmers introduce, as well as how to exploit and fix them.

It might help to set up a webserver of your own for testing. If you are reading this right now, you already have everything you need. You can install what's called XAMPP (Cross-platform Apache MySQL PHP and Perl) on your machine and you will have a fully-functional webserver in minutes. If you are more ambitious, you can either dedicate an old machine or create a virtual machine, and install a LAMP (Linux Apache MySQL PHP/Perl/Python) server that way. I'd go with this option because then you have the benefit of learning Linux as well.

iistapp wrote:If I were to do a walk through of HTS to find vulnerabilities, where would you suggest me to start? And how would you suggest me to start off? Would it be the same way for every page, or does it depend on what programming language is used on the page or what?

Not to dissuade you, but you probably won't find anything this early. Just trying to be realistic here. That said, if I were to do it I would probably be attacking the main site as opposed to the forum. The forum is PHPBB3, which is a public and very well-written open-source application, meaning many people can review its code. HTS, on the other hand, does not have the benefit of being open-source - as a side note, this will be changing soon - which means that, at least in theory, there is a bigger chance of bugs being found.

Things to look for include login forms, upload forms, picture galleries, cookies, search bars, chat areas, pretty much anything where you can control the information that the server receives. There is a lot more of this than you would think.

iistapp wrote:Loads of questions, I apologise for that, but I feel like you guys are honest people and can aid me with the best answers on topics like this

Do me a favor, and never apologize for asking a question again. You'd be doing yourself a favor, too.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
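What "running an intercepting proxy in the background to log all traffic" actually produces, and the "anything where you can control the information the server receives" list above, as an added example that is not code from the thread and not one of the proxies Goatboy names (Paros, Burp, WebScarab). It is a throwaway Python proxy that relays plain http:// requests and logs every client-controlled value in each one: query parameters, form fields, cookies and headers. The sample request, the example.test host and the parameter names are constructed for the demo.

```python
# Added example, not code from the thread and not one of the proxies Goatboy
# names: a throwaway logging proxy that does the one job the post describes,
# recording every spot where the client controls what the server receives
# (query parameters, form fields, cookies, headers) while you walk a site.
# Plain HTTP only (no CONNECT/TLS); the sample request at the bottom is constructed.
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit, parse_qsl

# Hop-by-hop or purely mechanical headers that rarely give a tester anything.
BORING_HEADERS = {"host", "connection", "proxy-connection", "content-length", "accept-encoding"}


def find_test_points(url, headers, body=b""):
    """Return {"query": [...], "body": [...], "cookie": [...], "header": [...]},
    each a list of (name, value) pairs the client chose and the server trusts."""
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    points = {"query": parse_qsl(parts.query, keep_blank_values=True),
              "body": [], "cookie": [], "header": []}
    ctype = hdrs.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        points["body"] = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    elif body:  # JSON, multipart uploads, XML: still attacker-controlled, log the head
        points["body"] = [("<raw %s>" % (ctype or "body"), body[:60].decode("latin-1", "replace"))]
    for chunk in hdrs.get("cookie", "").split(";"):
        name, sep, value = chunk.strip().partition("=")
        if sep:
            points["cookie"].append((name, value))
    points["header"] = [(k, v) for k, v in hdrs.items() if k not in BORING_HEADERS and k != "cookie"]
    return points


class LoggingProxy(BaseHTTPRequestHandler):
    """Browser -> this -> origin. Logs test points, relays the response unchanged."""

    def _relay(self):
        parts = urlsplit(self.path)  # browsers send the absolute URL to a proxy
        if parts.scheme != "http" or not parts.hostname:
            self.send_error(501, "plain http:// URLs only in this example")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        for category, pairs in find_test_points(self.path, self.headers, body).items():
            for name, value in pairs:
                self.log_message("%s %s %s=%r", self.command, category, name, value)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        fwd = {k: v for k, v in self.headers.items() if k.lower() != "proxy-connection"}
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
        conn.request(self.command, path, body=body or None, headers=fwd)
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "content-length", "connection"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _relay


# Constructed sample: a login POST to a search page, the kind of request the
# walk-through produces. Every pair it yields is a candidate injection point.
SAMPLE = dict(
    url="http://example.test/search.php?q=cats&page=2",
    headers={"Host": "example.test", "User-Agent": "curl/7.0", "Content-Length": "22",
             "Content-Type": "application/x-www-form-urlencoded",
             "Cookie": "PHPSESSID=abc123; theme=dark"},
    body=b"user=iistapp&pass=x%21",
)

if __name__ == "__main__":
    for category, pairs in find_test_points(**SAMPLE).items():
        print(category, pairs)
    ThreadingHTTPServer(("127.0.0.1", 8080), LoggingProxy).serve_forever()
```

Run it, point the browser (or curl with http_proxy=http://127.0.0.1:8080) at it, and walk the site: the log is the list of things to test later. The real tools also intercept HTTPS by generating certificates on the fly, which is why Burp and friends ask you to install their CA certificate in the browser; this example skips that on purpose.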

Re: How to do it?

Post by iistapp on Thu Apr 07, 2011 3:57 am

Thanks Goatboy, loads of information. I will have to read over it a few times and do things over time; as I'm at school at this moment I can't really do that much other than read up on things.

I've been reading some about HTML, and know some. I am also able to understand some of the source code on, for example, the main page, but I won't say I'm good enough to make a page all by myself. I believe I still have a lot of work to do on learning a programming/website language, but I hope I sooner or later will manage to do this, as I really enjoy these kinds of things.

Setting up a webserver, does that cost me money or is this free? I think I'll have to start off by doing that and try to get my own website up and then do a penetration test on it, with help from one of the intercepting proxies mentioned :)

Then just do some testing by myself to try to understand this whole thing better, as I seem to understand it in theory but not in practice.

By the way, would it be illegal to pen-test my own webpage?

Re: How to do it?

Post by OhMythelees on Thu Apr 07, 2011 5:24 am

Hi all,

Another n00b to add to the list of many that come and go (well, I hope I don't end up giving up on this). I have taken a liking to the idea of being able to do this sort of stuff and am in the process of trying to learn HTML. I have sat and done a few of the basic missions on the site, and knew more or less where to look to get the source code (you may laugh and think who is this guy, but I have to start somewhere.)

My question really is, how does logging site traffic work? Will this show the flaws in the sites coding?

Before you all jump to conclusions, I'm not some 12-year-old kid looking to hack into people's webpages. I'm 28 years old, and it looks like I am going to be made redundant from a career that I have done for 10 years, so I am trying to learn this stuff so that I can possibly go into network/web security.


Many thanks


Re: How to do it?

Post by iistapp on Thu Apr 07, 2011 8:13 am

OhMythelees wrote:Hi all,

Another n00b to add to the list...


Welcome to the club! Hope we can help each other out in time. Just installed XAMPP and am checking it out; it's all new to me so I'm doing some reading about most of the stuff already just to get a brief idea of what it all really is :)

Re: How to do it?

Post by Assassian360 on Thu Apr 07, 2011 10:24 am

iistapp wrote:Setting up a webserver, does that cost me money or is this free? I think I'll have to start off by doing that and try to get my own website up and then do a penetration test on it, with help from one of the intercepting proxies mentioned :)

Then just do some testing by myself to try to understand this whole thing better, as I seem to understand it in theory but not in practice.

By the way, would it be illegal to pen-test my own webpage?


You could either set up a locally hosted server on your own machine (there are a variety of different free programs available that allow you to do this), or you could find a free web host and dump your things on there. And it is not illegal to pen-test your own webpage.

Re: How to do it?

Post by caracarn001 on Thu Apr 07, 2011 11:52 am

Assassian360 wrote:You could either set up a locally hosted server on your own machine (there are a variety of different free programs available that allow you to do this), or you could find a free web host and dump your things on there. And it is not illegal to pen-test your own webpage.

I'd watch out with this. If your website is on a (free) host, they (the hosters) might not like it if you attempt to gain access to files on their server which aren't yours.
