Monday, 23 December 2013



Clickjacking, also known as a UI-redress attack, misleads the victim by overlaying multiple frames and making some of them invisible. The victim is shown one webpage, but his/her click actually lands on another webpage chosen by the attacker. The attack takes advantage of the HTML iframe element. Since Robert Hansen and Jeremiah Grossman announced a talk on the topic at OWASP AppSec 2008, there has been a flood of news, discussions, and demonstrations of clickjacking.
                 
Since it is the victim who actually, but unknowingly, clicks on the element of the legitimate page, the action looks "safe" from the browser's point of view; that is, the same-origin policy is not violated. Clickjacking attacks have been reported to be usable in practice to trick users into initiating money transfers, clicking on banner ads that are part of advertising click fraud, posting blog or forum messages, or, in general, performing any action that can be triggered by a mouse click. Besides several proof-of-concept clickjacking examples that have been posted on security-related blogs, it is not clear to what extent clickjacking is used by attackers in practice.

To see clickjacking in action, visit the Clickjacking demonstration.




I am not going to explain how to clickjack a website; instead, I will explain how you can protect yourself.

1. Do not click on any suspicious link, popup, or link embedded in an image or video.
2. Do not enter any data on an unknown webpage.
3. Always check the URL of the website.
4. Use browser add-ons (NoScript) or disable JavaScript while entering data into a webpage.

Now, how to protect our website from clickjacking:

Frame-Busting: This technique checks whether the webpage is the topmost window or is embedded in a frame. If the webpage is embedded, it busts out of the frame and makes itself the topmost window. This is achieved with the help of the DOM property called top: the top property refers to the topmost ancestor window.

<script type="text/javascript">
// If this document is not the topmost window, it has been framed:
// replace the top-level window with our own page.
function breakout()
{
    if (window.top != window.self)
    {
        window.top.location = window.self.location;
    }
}
// Run the check as soon as the script is parsed.
breakout();
</script>


The JavaScript above defines a sample frame-busting function.
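Script-based frame busting only works if the framing page lets the script run and navigate the top window, so the check should be backed by response headers that tell the browser not to render the page in a frame at all. The following is an added example, not code from the original post: it factors the frame-busting check into functions that take a window-like object (so it can be exercised outside a browser), and builds the X-Frame-Options and Content-Security-Policy frame-ancestors header values a server should send. The origins www.example.com, framer.example and partner.example are placeholders.

```javascript
// Added example (not from the original post). `win` is any object with
// `top`, `self` and `location` properties, so the logic can be tested
// without a real browser window.

// True when this document is not the top-level window, i.e. it is framed.
function isFramed(win) {
  return win.top !== win.self;
}

// The frame-busting action from the post: navigate the top-level window to
// our own URL so the framing page is replaced. Returns whether a bust occurred.
function frameBust(win) {
  if (!isFramed(win)) {
    return false;
  }
  win.top.location = win.self.location;
  return true;
}

// Header values that forbid framing. X-Frame-Options is the older header;
// Content-Security-Policy frame-ancestors is the standardised one and can
// also express a list of permitted origins.
//   allowed = []                -> nobody may frame the page
//   allowed = ['self']          -> only same-origin pages may frame it
//   allowed = ['self', origin]  -> those origins only (CSP only, because
//                                  X-Frame-Options cannot carry a list)
function clickjackingHeaders(allowed) {
  if (allowed.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  const sources = allowed.map((o) => (o === 'self' ? "'self'" : o)).join(' ');
  const headers = { 'Content-Security-Policy': 'frame-ancestors ' + sources };
  if (allowed.length === 1 && allowed[0] === 'self') {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Constructed stand-ins for browser windows: a top-level page on a framing
// site (placeholder origin) with our page loaded inside a frame.
function simulateFramedPage() {
  const topWindow = { location: 'https://framer.example/decoy' };
  topWindow.top = topWindow;
  topWindow.self = topWindow;
  const ourPage = { top: topWindow, location: 'https://www.example.com/account' };
  ourPage.self = ourPage;
  const busted = frameBust(ourPage);
  // After busting, the top-level window points at our own page.
  return { busted: busted, topLocation: topWindow.location };
}
```

In a real deployment the header values returned by clickjackingHeaders go on every HTML response (for example in the web server or reverse-proxy configuration), while the frame-busting script remains as a fallback for old browsers that ignore both headers.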





Comment please


Thursday, 29 August 2013




Hello friends, now you can access any website blocked in your college or school through our proxy service named TERMINATER (TPrpxy). So go to this site, Terminater, and enjoy the service.

Saturday, 24 August 2013






XSS found on India's top luxury car company, mahindra.com. Not only in India, the company has a great name in the world luxury car market. I reported it to them. I found a total of 15 vulnerabilities on their site.

Thursday, 22 August 2013





XSS in the search engine webcrawller.com. Again the credit goes to me (Ankush). I found this serious vulnerability in webcrawller and informed them, but got no response.



XSS in India's popular shopping channel www.homeshop18.com. All credit goes to me (Ankush Mohanty). I found this vulnerability and reported it to them, and they patched the vulnerability.

Thursday, 25 July 2013

Hello friends, XSS found by me in the popular search engine http://www.ask.com



Sunday, 14 July 2013

I found an XSS vulnerability in the site ww2.checkpagerankgoogle.com

This site shows the Google PageRank of any website.




Wednesday, 10 July 2013

Hello friends, after a long time

I am posting how to make a strong password, meaning a password that cannot easily be cracked by any kind of password attack like a brute-force attack or password guessing. In this book you can make your name a password with some code.

So read it and make a strong password.



Friday, 24 May 2013




Tell me about yourself?

Hi, I am Vignesh Kumar from Tamil Nadu, INDIA.
I hold a Bachelor of Engineering in Electrical Engineering and in addition am an Information Security Enthusiast and budding Bug Bounty Hunter.


You are an electrical engineering student; how did you get interested in security?

Yes, I am an Electrical Engineer. Also I am more obsessed with the Electronics and Networking field.
Also I have a huge passion for Information Security too. I was introduced and inspired into "Bug Bounty Hunting" by one of my close friends, Ahamed Nafeez (@skeptic_fx).

When did you start bug hunting?

Around 8 months ago.

I am really proud to have you as my friend. How did your parents/friends react when you got rewards?

Thanks. :) My parents and friends were really happy for me.

What vulnerabilities have you discovered?

The vulnerabilities which are categorized by The OWASP Foundation.

What was your first finding, and how did you feel at that time?

I can barely remember the first one. But I was finding bugs on small sites until I started Bug Bounty Hunting.

Are you a bug hunter for fun or income?

Actually, a bit of both. Also to gain more "Knowledge" in Information Security.

What is your future plan?

Electrical/Networking Engineer

What have you got from bug hunting?

Cash rewards, Halls of Fame, smartphones, T-shirts etc.

Name the sites in which you found bugs?

Google, Facebook, Twitter, Apple, Adobe, Microsoft, Nokia, RedHat etc.

What is your advice to newbies?

"Bug Bounty Hunting" is totally competitive. You shouldn't jump into this one just by aiming at money.
Have a thirst for gaining knowledge in Information Security, which will fetch you HOFs, money and all.
Don't feel depressed when you fail the first few times attempting "Bug Bounty Hunting".
Do more learning, practising and hunting, which will definitely fetch you the rewards.
Moreover, patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.

What do you want to say about me and Hackandsecurity9?

Thank you so much for this opportunity. You are really doing great with HackAndSecurity9.
Keep up the great work. Wish you more success in the very near future.





http://hackandsecurity9.blogspot.in
Hackandsecurity™






Wednesday, 22 May 2013


Proxy settings for different browsers

Proxy settings in the browser are necessary for bypassing a firewall or for anonymous browsing on the internet.

For the proxy settings, go to a proxy list, then select an IP address with healthy status and its port number (8080).

How to change Google Chrome proxy settings

To change proxy settings:
Click the "Customize and control Google Chrome" icon right under the "window close" button.
A popup menu will be displayed. Click "Options".
Select the "Under the Hood" tab.
Scroll down and click the "change proxy settings" button.
A popup dialog will be displayed. Select the Connections tab on this dialog.
If you are using a LAN, click the "LAN Settings" button. If you are using a Dial-up or Virtual Private Network connection, select the necessary connection and click the "Settings" button.
Make sure the "automatically detect proxy settings" and "use a proxy automatic configuration script" options are not checked.
In the "Proxy Server" area, click the check box next to "Use a proxy server for this connection".
If necessary, enable "bypass proxy server for local addresses".
Click the "Advanced" button and set the proxy server address (proxy IP) and proxy server port.
Click OK.

How to change Internet Explorer 7.0 proxy settings

To change proxy settings:
Select Tools => Internet Options.
Select the Connections tab.
If you are using a LAN, click the "LAN Settings" button. If you are using a Dial-up or Virtual Private Network connection, select the necessary connection and click the "Settings" button.
Make sure the "automatically detect proxy settings" and "use a proxy automatic configuration script" options are not checked.
In the "Proxy Server" area, click the check box next to "Use a proxy server for this connection".
If necessary, enable "bypass proxy server for local addresses".
Click the "Advanced" button and set the proxy server address (proxy IP) and proxy server port.
Click OK.

How to change Internet Explorer 6.0 proxy settings

To change proxy settings:
Select Tools => Internet Options.
Select the Connections tab.
If you are using a LAN, click the LAN Settings button. If you are using a Dial-up or Virtual Private Network connection, select the necessary connection and click the Settings button.
Make sure the "automatically detect proxy settings" and "use a proxy automatic configuration script" options are not checked.
In the "Proxy Server" area, click the check box next to "Use a proxy server ...".
If necessary, enable "bypass proxy server for local addresses".
Click the "Advanced" button and set the proxy server address (proxy IP) and proxy server port.
Click OK.

How to change proxy settings in Firefox 2.x and FireFox 3.x

To change proxy settings:
Select Tools => Options.
Select "Advanced" tab.
Open "Network" tab.
Click "Settings" button in the "Connections" area.
Select the Manual Proxy Configuration radio button.
In the necessary proxy field(s), set Proxy Server address (proxy IP) and proxy configuration port.
Click OK.

How to change proxy settings in Safari

To change proxy settings:
Open Safari
Click Safari on top of the screen.
Click "Preferences".
In the menu bar at the top of the window, Click "Advanced".
Click on the "Change Settings" button next to the Proxies label
Click on the check box button next to Web Proxy (HTTP)
Enter proxy server and port information
Select "Apply Now" to save settings.

How to change proxy settings in Firefox 1.x

To change proxy settings:
Select Tools => Options.
Select the General tab.
In the "Connections" area click the "Connection Settings" button.
Select the Manual Proxy Configuration radio button.
In the necessary proxy field(s), set Proxy Server address (proxy IP) and proxy configuration port.
Click OK.

How to change proxy settings in Mozilla 1.7

To change proxy settings:
Select Edit => Preferences.
Select Advanced to open sub-menu.
Select the Proxies item.
Select the Manual Proxy Configuration radio button.
In the necessary proxy field(s), set Proxy Server address and proxy configuration port.
If necessary, enable "bypass proxy server for local addresses".
Click OK.

How to change proxy settings in Opera 9.x and 8.x

To change proxy settings:
Select Tools => Preferences.
Open the Advanced tab and select Network sub-category.
Click the "Proxy servers" button.
In the necessary proxy field(s), set Proxy Server address and proxy configuration port.
Click OK.

How to change proxy settings in Netscape browser 8.x

To change proxy settings:
Select Tools -> Options.
Select "General".
In the Connections area click the "Connection Settings" button.
Select the Proxies item.
Select the Manual Proxy Configuration radio button.
In the necessary proxy field(s), set Proxy Server address and proxy configuration port.
Click OK.

How to change proxy server settings in Netscape 7.x

To change proxy settings:
Open the Edit menu.
Select Preferences to open Dialog box.
Click on the triangle next to the Advanced category to expand it.
Select the Proxies item.
Select the Manual Proxy Configuration radio button.
In the necessary proxy field(s), set Proxy Server address and proxy configuration port.
If necessary, enable "bypass proxy server for local addresses".
Click OK.
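Every procedure above ends with the same two decisions: which hosts bypass the proxy ("bypass proxy server for local addresses") and which proxy address and port everything else uses. The "use a proxy automatic configuration script" option those dialogs mention hands both decisions to a small JavaScript file, a PAC script, whose FindProxyForURL function the browser calls for each request. The following is an added example, not from the original post: a PAC script that sends intranet hosts direct and everything else through the proxy. The proxy address 203.0.113.10 is a documentation-range placeholder (port 8080 as in the post), and the local-host rules use plain string checks rather than the browser-only PAC helpers such as isPlainHostName so the file also runs stand-alone in Node.

```javascript
// Added example, not from the original post: a proxy auto-configuration (PAC)
// script. Browsers evaluate FindProxyForURL(url, host) for every request and
// use the returned directive. 203.0.113.10 is a placeholder proxy address.
const PROXY = 'PROXY 203.0.113.10:8080';

// Hosts that should bypass the proxy, mirroring the "bypass proxy server for
// local addresses" check box: dotless intranet names, loopback, and an
// internal domain (corp.example is a placeholder; adjust for your network).
function isLocalHost(host) {
  const h = host.toLowerCase();
  return (
    h.indexOf('.') === -1 ||
    h === 'localhost' ||
    h.startsWith('127.') ||
    h === 'corp.example' ||
    h.endsWith('.corp.example')
  );
}

// PAC entry point. Deliberately no "; DIRECT" fallback after the proxy:
// if the proxy is down the request fails instead of silently leaving the
// network unproxied, which matters when the proxy is there for privacy.
function FindProxyForURL(url, host) {
  if (isLocalHost(host)) {
    return 'DIRECT';
  }
  return PROXY;
}

// Helper for checking the script outside a browser: classify a list of
// constructed URLs the way the browser would, deriving host from the URL.
function classifyUrls(urls) {
  return urls.map(function (u) {
    const host = new URL(u).hostname;
    return { url: u, decision: FindProxyForURL(u, host) };
  });
}

// Constructed sample requests.
const SAMPLE_URLS = [
  'http://intranet/',
  'http://127.0.0.1:8000/admin',
  'https://wiki.corp.example/page',
  'https://www.example.org/',
];
```

Save the file with a .pac extension, serve it (or reference it by file path where the browser allows), and point the "automatic configuration script" field at it; every browser listed above then applies the same bypass rule without per-browser clicking.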



Comment please

Saturday, 18 May 2013



Social engineering is the art of manipulating people into performing actions or divulging confidential information.

This type of attack is non-technical and relies heavily on human interaction.

Attackers use social engineering to obtain information that will allow them to gain unauthorized access to a valued system and the information that resides on that system.

The purpose of social engineering is usually to secretly install spyware or other malicious software, or to trick a person into handing over passwords and/or other sensitive financial or personal information.

What are they looking for?

1:- Simple information such as your pet's name, where you are from, or the places you have visited; information that you would give out freely to your friends.
2:- Take a close look at some of the 'secure' sites you log into. Some have 'secret questions' you have to answer if you cannot remember your user name or password. The questions are pretty tough for an outsider looking in who is trying to hack into your account, which is exactly why the answers are worth collecting.

Tactics:

1:- Pretexting- Creating a fake scenario

2:- Phishing- Fraudulently obtaining private information

3:- Quid pro quo:- Something for something

4:- Baiting:- Real world trojan horse

5:- Diversion theft :- A con

Pretexting

Creating a fake scenario

Prior research/setup is used to establish legitimacy
Gives information that a user would normally not divulge

This technique is used to impersonate
Authority etc.
Using prepared answers to the victim's questions
Other gathered information

Ex: Law Enforcement
Threat of an alleged infraction to detain the suspect and hold for questioning

Phishing

Fraudulently obtaining private information

Send an email that looks like it came from a legitimate business

Request verification of information and warn of some consequence if not provided

Usually contains link to a fraudulent web page that looks legitimate

User gives information to the social engineer
Ex: eBay scam

Spear Phishing
Targeted phishing
Ex: an email that makes claims using your name

Vishing
Phone phishing
Rogue interactive voice system
Ex: "call the bank" to verify information

Quid pro quo

Something for something

Call random numbers at a company, claiming to be from technical support.

Eventually, you will reach someone with a legitimate problem.

Grateful you called them back, they will follow your instructions.

The attacker will "help" the user, but will really have the victim type commands that allow the attacker to install malware.

Baiting

Real-world Trojan horse

Uses physical media

Relies on the greed/curiosity of the victim

The attacker leaves a malware-infected CD or USB drive in a location sure to be found

The attacker puts a legitimate-looking or curiosity-provoking label on it to gain interest

Ex: "Company Earnings 2009" left at the company elevator
A curious employee/good Samaritan picks it up
The user inserts the media and unknowingly installs malware

Diversion theft

A con

Persuade the delivery person that the delivery is requested elsewhere - "round the corner"

When the delivery is redirected, the attacker persuades the delivery driver to unload the delivery near that address

Ex: The attacker parks a security van outside a bank. Victims going to deposit money into the night safe are told that the night safe is out of order. Victims then give money to the attacker to put in the fake security van.

Most companies do not prepare employees for this type of attack

Weakest link

No matter how strong your:
Firewalls
Intrusion detection systems
Cryptography
Anti-virus software

You are the weakest link in computer security!
People are more vulnerable than computers
"The weakest link in the security chain is the human element" - Kevin Mitnick

Ways to prevent and protect

3rd-party test - Ethical Hacker
Have a third party come to your company and attempt to hack into your network
The 3rd party will attempt to glean information from employees using social engineering
This helps detect the problems people have with security

Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information

Do not provide personal information or information about the company (such as the internal network) unless the authority of the person is verified

Before transmitting personal information over the internet, check that the connection is secure and that the URL is correct

If unsure whether an email message is legitimate, contact the person or company by another means to verify

Be paranoid and aware when interacting with anything that needs to be protected

KEVIN MITNICK (famous social engineering hacker)

Went to prison for hacking
Became an ethical hacker

"People are generally helpful, especially to someone who is nice, knowledgeable or insistent."

Kevin Mitnick - The Art of Deception

"People inherently want to be helpful and therefore are easily duped"

"They assume a level of trust in order to avoid conflict"

"It's all about gaining access to information that people think is innocuous when it isn't"

Hear a nice voice on the phone, and we want to be helpful

Social engineering cannot be blocked by technology alone

A quote from KEVIN MITNICK

"You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation."




SOCIAL ENGINEERING




Thank you for reading my post. Please comment and share.

Friday, 17 May 2013

Most of us know that Facebook allows us to update our status using our mobile phone. This feature is called Facebook Text. If you have Facebook Text enabled, you have to just type in the status and send this message to “923223265? using your registered mobile phone. Facebook will automatically update your status.





So, in this Facebook hack, we will use SMSGlobal to change the status of your friend. SMSGlobal allows us to send a message to any number from anyone's number. That is, we will send Facebook a fake SMS from your friend's registered mobile number.

Facebook will think that the message has been sent by your friend, and his status will be updated according to the message contents sent by us.


1. Go to SMSGlobal.com and register for an account.

2. After logging in to your account, click on “Send SMS to a Number”






3. Fill in the form as follows:

Send SMS To: 919232232665
Sender ID From: the registered mobile number of your friend.
Message: the status you want to set for your friend. Enter anything you want; it will appear as your friend's new status.

Click Send SMS.

4. Now Facebook will update your friend's status to the message you have sent.






IMPORTANT!!: The slave MUST have the Facebook Text feature enabled in their account; if they don't, this will not work.

These days many Facebook users have hundreds and possibly thousands of friends. More friends increase the chance that your Facebook account will be hacked, especially if you accept friend requests from people you do not know.


Critical vulnerability found on FACEBOOK



It isn't entirely unusual for Facebook users to receive friend requests from people they do not know. Often, those friend requests are blindly accepted in an effort to grow the friendship base. It seems that people with Facebook accounts that are primarily used for marketing purposes are especially likely to accept friend requests from people they do not know, more so than the typical Facebook user.

Such accounts could be hacked easily, and no ingenious hacking talent is required to do so: you simply need to walk through Facebook's password recovery process with two other Facebook friends of the targeted account.

You can easily gain access to your friend's Facebook account through a collusion approach. You have to use Facebook's password recovery feature, which is accessible through the "Forgot your password?" link on the Facebook login page.

Once the friend is identified, Facebook suggests recovering the password via the existing email address. However, you can bypass this hurdle by clicking the "No longer have access to these?" link. In that case, Facebook asks for a new email address. In the following step, Facebook presents the security question tied to the account. However, you can also bypass the question by typing wrong answers three times in a row. After that, Facebook provides a rather surprising way to get your account back: via the support of three friends.


1. First, you select three friends "you trust". These three friends then receive a code, which is required to change the account password.

2. Select yourself and you immediately receive a code from Facebook. With those three codes, you can easily change the password for the targeted account.

3. The problem clearly is that three friends you do not really know and cannot trust could potentially gain access to the victim's Facebook account, through the standard password recovery feature.

4. To bypass the problem mentioned in step 3: SOCIAL ENGINEERING. Create two more fake profiles of your own and add the victim as a friend on Facebook. Now get all three codes and you are done.

NOTE: The targeted account will be locked for 24 hours after this password change, and the user's old email address receives a notification of the password change as well as the names of the three friends who were given the codes. However, if these are friends with fake names, it doesn't much matter that the victim now knows their names.

Now, a Facebook user could in fact be in a situation where the Facebook account is not checked within a 24-hour period, particularly since we enjoy flaunting our activities through Facebook status messages. And if the account is checked frequently, recovery depends on Facebook's response time, which can easily stretch to a number of days.

Bottom line: do not expose yourself to people you don't know.



What is computer hacking?

In the cyber security world, a person who is able to discover a weakness in a system and manages to exploit it to accomplish his goal is referred to as a hacker, and the process is referred to as hacking. Nowadays, people have started to think that hacking is only hijacking Facebook accounts or defacing websites. Yes, that is also part of the hacking field, but it doesn't mean that it is the main part of hacking. So what exactly is hacking, and what should I do to become a hacker? Don't worry, you will learn it from Hack and Security. The main thing you need to become a hacker is self-interest. You should always be ready to learn something and learn to create something new.

Now, let me explain the different kinds of hackers in the cyber security world.

Script Kiddie:
Script kiddies are people who use tools, scripts, methods and programs created by real hackers. In simple words, one who doesn't know how a system works but is still able to exploit it with previously available tools.

White Hat Hacker:-

White hat hackers are the good guys who hack for defensive purposes. The main aim of a white hat hacker is to improve the security of a system by finding security flaws and fixing them. They work for an organization or individually to make cyber space more secure. Hack for Security concentrates only on white-hat hacking and helps you learn the Ethical Hacking world.

Black Hat Hacker (hackers):

Black hat hackers are the bad guys, cyber criminals, who have malicious intent. The hackers who steal money, infect systems with malware, etc. are referred to as black hat hackers. They use their hacking skills for illegal purposes. Such a hacker is one of the security worms of computing, who searches for a vulnerability (a vulnerability means a weak point of any program or web application) and exploits it for popularity, profit, or to warn someone (such as a government). Basically the plain word "hacker" is used for black hat hackers; all black hat hackers are considered cyber criminals once they commit cyber crime such as defacing websites, stealing data, exploiting bank data and distributing illegal content worldwide.
Hackers earn in their own way, from internet marketing services or by working for hacker groups such as Anonymous, LulzSec or Null/Crew etc.

Grey Hat hackers:

The hackers who may work offensively or defensively, depending on the situation. Hackers who don't have malicious intentions but still like to break into third-party systems for fun or just to show the existence of a vulnerability.

Hacktivists: The hackers who use their hacking skills to protest against injustice and attack target systems and websites to bring about justice. One of the popular hacktivist groups is Anonymous.



Security Professional :-

A Security Professional is one of the higher and greater security masters; no one is higher than a Security Professional. Basically a Sec Pro works for a cyber space investigation department, or searches for vulnerabilities and solves them to prevent problems and take care of systems. In India there are very few Sec Pros, and cyber crime in India is increasing day by day; that is the reason Indian cyber space requires education in computer security.
In today's generation Indian cyber space demands Security Professionals and studies in computer security.
In simple words, a Security Professional has complete knowledge of computer security, even more than a black hat hacker.


Security Researcher :-

A Security Researcher is also called a white hat hacker; security researchers are the real heroes of the internet. They search for bugs or vulnerabilities in websites and report them to the admin or a cyber space investigation cell. The Security Researcher just reports the vulnerability, and the Security Professional fixes the vulnerability and writes the exploit code. Security researchers are hired by many IT companies to save their data and prevent hacking.

Certified Ethical Hacker :-

CEH is the base of the hacking field, which gives you 3 options to become in your life:-

1. Black Hat
2. Security Professional
3. Security Researcher

and it all depends upon you in which field you want to make your future career.

All beginner hackers and learners have to start with CEH and get certified. It's just the base for entering the HACKING WORLD :)




Ankush Mohanty is a Security Researcher and Analyst with experience in various aspects of Information Security. Besides this, he is a Certified Ethical Hacker. All his efforts are directed at making the internet more secure.


    MyFreeCopyright.com Registered & Protected