
Friday 19 May 2023

Prevention of MITM attack

 

Prevention of Man in the Middle Attack (MITM)

Blocking MITM attacks takes several practical steps on the user's side, and on the application side it requires a combination of encryption and verification methods. The main preventions are as follows:

Strong Wi-Fi Encryption (WPA2/WPA3, not WEP)

If the wireless access point uses a strong encryption mechanism (WPA2 or WPA3 with a long, non-default passphrase), nearby unwanted users cannot join the network. WEP and WPA-TKIP are broken, and a weak passphrase can be brute-forced offline from a captured handshake; once an attacker is on the network, they are positioned to start MITM attacks such as ARP spoofing. A strong encryption implementation is what keeps the network closed.

Router login credentials

If we use a router, we must change the default router login credentials, not only the Wi-Fi password. An attacker who knows the router login can point the router's DNS settings at a malicious server, or do worse: replace the router firmware with malicious software.

VPN (Virtual Private Network)

A virtual private network provides an encrypted tunnel for sensitive traffic, even across an untrusted network such as public Wi-Fi or a shared LAN. Because the tunnel is protected with key-based encryption, an attacker who is on the same shared network cannot decipher the traffic inside it.

Force HTTPS

HTTPS runs HTTP over TLS: the server authenticates itself with a certificate, and public-key cryptography is used to agree session keys, so the data an attacker wants to sniff is encrypted in transit. Websites should not offer plain HTTP as an alternative; they should serve HTTPS only and redirect HTTP requests. Users can enforce HTTPS on all requests with the browser's HTTPS-only mode or a browser plugin.

Encrypted Data

Secure communication protocols such as HTTPS (Hypertext Transfer Protocol Secure) and TLS (Transport Layer Security) authenticate the server and robustly encrypt the transmitted data, which helps website operators mitigate spoofing. This prevents interception of site traffic and keeps sensitive information such as authentication tokens from being decrypted by an attacker.

Use SSL/TLS

Applications should use SSL/TLS on every page of the website, not only on the login page. This reduces the chance of an attacker stealing session cookies, which happens when a user logs in over HTTPS and then browses an unsecured (HTTP) section of the same site: the cookie is sent in the clear unless it is also marked Secure. Serving everything over TLS protects the user's browsing data throughout the session.

Public key pair-based authentication

Man-in-the-middle attacks typically involve spoofing something. Public-key authentication (for example RSA or ECDSA keys, as used by TLS certificates and SSH host keys) can be used at various layers of the stack to ensure that the party we are communicating with is actually the party we intend. This only works if the public key is verified against a trusted authority or a previously pinned value; a key that is accepted without verification can be replaced by the attacker's.

Using Imperva to protect against MITM

MITM attacks are often made possible by suboptimal SSL/TLS implementations: ones that still support outdated protocol versions or weak, exploitable ciphers. To address this, Imperva provides optimized end-to-end SSL/TLS encryption for its customers as part of its suite of security services, delivered as a managed service: security professionals maintain the SSL/TLS configuration and keep it up to date to counter emerging threats and meet compliance demands.

Sites hosted on Imperva get optimally deployed certificates that comply with the latest PCI DSS requirements and resist attacks on SSL/TLS. To enforce SSL/TLS across multiple subdomains, HSTS (HTTP Strict Transport Security) can be configured in the Imperva cloud dashboard; HSTS also protects the website and web application from protocol downgrade attacks and cookie hijacking attempts.

MITM Attack Progression


A successful MITM attack has two distinct phases: interception and decryption. In interception, the attacker positions themselves in the data stream, captures the data as it passes, and collects it to resell or reuse. In decryption, the attacker analyzes the encryption in use (for example HTTPS) and tries to decrypt or strip it so that the captured data can be read and reused, without alerting either side.

Interception

In the first step, the attacker intercepts user traffic before it reaches its destination. The simplest and most common approach is passive: the attacker sets up a free, open (not password-protected) malicious Wi-Fi hotspot, usually named after its location. When a victim connects, the attacker can see all of the victim's traffic, and read whatever is not encrypted end to end. Attackers who take a more active approach to interception may launch any of the following attacks:

IP spoofing

Every system connected to a network has an IP address, and corporate internal networks assign addresses to their internal systems as well. In IP spoofing, the attacker forges the source address in packet headers to impersonate a trusted host or application, so that traffic users send to the application's address is delivered to the attacker's system instead. The attacker may combine this with a DoS against the legitimate host so that only the attacker answers, placing themselves between the two systems as a middleman.

ARP spoofing

ARP (Address Resolution Protocol) resolves an IP address to the corresponding MAC address on a local area network: hosts use the IP address to locate a device and ARP to learn its MAC address. In an ARP poisoning attack, the attacker sends a constant stream of forged ARP replies that bind the attacker's MAC address to a legitimate host's IP address, typically the default gateway. Victims update their ARP caches, so the data they send to that IP address is delivered to the attacker's system, which forwards it on and can read or alter it in transit.
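The poisoning just described has three observable symptoms on the wire: an IP that was bound to one MAC suddenly rebinds to another, one MAC claiming several IPs, and a flood of gratuitous replies. The following detector, an added example and not code from the original page, scores a stream of ARP replies for those symptoms. The `ArpReply` record, the `ArpMonitor` class and the sample capture are all constructed here for illustration; a real deployment would feed it replies from a packet capture.

```python
"""ARP-poisoning detector over a stream of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # the IP address the reply claims to speak for
    sender_mac: str   # the MAC address it binds that IP to
    ts: float         # capture timestamp in seconds


class ArpMonitor:
    """Track IP->MAC bindings and flag the three signs of poisoning:
    a known IP rebinding to a new MAC, one MAC claiming several IPs,
    and a flood of gratuitous replies (the poisoner resends constantly
    to keep winning the victims' caches)."""

    def __init__(self, gateway_ip, gateway_mac, rate_window=1.0, rate_limit=5):
        # The gateway binding is entered statically, as a trusted anchor.
        self.bindings = {gateway_ip: gateway_mac.lower()}
        self.ips_by_mac = defaultdict(set)
        self.ips_by_mac[gateway_mac.lower()].add(gateway_ip)
        self.recent = defaultdict(list)   # mac -> timestamps of its replies
        self.rate_window = rate_window
        self.rate_limit = rate_limit

    def process(self, reply):
        """Return the alerts raised by one reply (empty list if benign)."""
        alerts = []
        mac, ip = reply.sender_mac.lower(), reply.sender_ip
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting: learn it
        elif known != mac:
            # Do not overwrite: keep the first/trusted binding and alert.
            alerts.append(f"REBIND {ip}: {known} -> {mac}")
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            alerts.append(f"MULTI-IP {mac} claims {sorted(self.ips_by_mac[mac])}")
        window = [t for t in self.recent[mac] if reply.ts - t <= self.rate_window]
        window.append(reply.ts)
        self.recent[mac] = window
        if len(window) > self.rate_limit:
            alerts.append(f"FLOOD {mac}: {len(window)} replies in {self.rate_window}s")
        return alerts


# Constructed sample capture (not real traffic): a real gateway, an attacker
# host, a benign client, then the attacker spamming replies for the gateway IP.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01", 0.0),
    ArpReply("192.168.1.50", "de:ad:be:ef:00:50", 0.5),
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:20", 0.8),
] + [ArpReply("192.168.1.1", "de:ad:be:ef:00:50", 1.0 + i * 0.1) for i in range(8)]


def run_monitor(replies, gateway_ip="192.168.1.1", gateway_mac="aa:bb:cc:00:00:01"):
    """Feed replies through a monitor; return [(timestamp, alert), ...]."""
    monitor = ArpMonitor(gateway_ip, gateway_mac)
    return [(r.ts, alert) for r in replies for alert in monitor.process(r)]


if __name__ == "__main__":
    for ts, alert in run_monitor(SAMPLE_REPLIES):
        print(f"{ts:5.1f}s  {alert}")
```

The first three replies produce no alerts; every spoofed reply for the gateway raises a REBIND and a MULTI-IP alert, and once the attacker's reply rate exceeds five per second a FLOOD alert is added. The rebind rule will also fire on a legitimate MAC change (a replaced gateway, DHCP address reuse), so in practice the static gateway entry is the one to treat as high-confidence.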

DNS Spoofing

DNS (Domain Name System) resolves domain names like "javatpoint.com" to IP addresses and vice versa. In DNS spoofing, the attacker corrupts (poisons) the DNS cache of the target device or its resolver, rewriting records so that a name resolves to the attacker's server; users who then try to reach the legitimate site are sent to the attacker's site instead. For example, suppose www.stupidonlinebank.com legitimately resolves to the IP address 32.21.12.23. The attacker poisons the cache so that it resolves to 19.168.0.10 instead, an address where the attacker has deployed a fake phishing site that is ready to collect the details the user enters.
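A cache can only be poisoned with a forged reply that the resolver accepts, so the practical defense is the set of checks a resolver applies before caching an answer: an unpredictable transaction ID (and source port) that the spoofer must guess, the QR bit, an exact match on the question section, and answers only for the name that was asked about. The following code, an added example rather than the page's own, builds a query and both a legitimate and a spoofed reply for the page's example name and runs those checks. The packet builders, `read_name` and `accept_response` are written here from the DNS wire format; the bailiwick rule is simplified to "answer name equals query name", which real resolvers relax for CNAME chains.

```python
"""Validate a DNS response before caching it (added example)."""
import secrets
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_a_response(txid, name, ip, ttl=300):
    """What a server, or a spoofer who guessed txid, sends back."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(data):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def accept_response(query, response):
    """The checks a resolver applies before it caches an answer."""
    q, r = parse_message(query), parse_message(response)
    if r["txid"] != q["txid"]:
        return False, "transaction id mismatch"
    if not r["flags"] & 0x8000:
        return False, "QR bit clear: a query, not a response"
    if r["questions"] != q["questions"]:
        return False, "question section differs from what we asked"
    qname = q["questions"][0][0]
    if any(name != qname for name, _, _ in r["answers"]):
        return False, "answer for a name we did not ask about (out of bailiwick)"
    return True, "ok"


def demo():
    """Constructed exchange using the page's example addresses."""
    name = "www.stupidonlinebank.com"
    txid = secrets.randbelow(0x10000)          # unpredictable id: the spoofer must guess it
    query = build_query(name, txid)
    legit = build_a_response(txid, name, "32.21.12.23")
    spoofed = build_a_response((txid + 1) & 0xFFFF, name, "19.168.0.10")
    return accept_response(query, legit), accept_response(query, spoofed)
```

With a 16-bit ID and a random source port the spoofer has a 1-in-2^32 chance per forged packet, which is why resolvers that reused ports were poisonable and randomized ones are not; the on-path attacker the page describes sees the real ID and passes every check here, which is what DNSSEC or DNS over TLS/HTTPS is for.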

Decryption

Now the attacker must decrypt the two-way SSL/TLS traffic without alerting the user or the application. The methods for achieving this include the following:

HTTPS Spoofing

When the initial connection is made to a protected site, the attacker presents the victim's browser with a fake certificate. If the attacker has managed to get that certificate's thumbprint trusted on the victim's machine (for example by installing a rogue root CA through a compromised application), the browser verifies the thumbprint against its trust list, accepts the certificate, and the attacker can read any data the user enters before passing it on to the real application. Without that prior compromise, a modern browser rejects the certificate and warns the user.

SSL BEAST

BEAST (Browser Exploit Against SSL/TLS) targets TLS version 1.0. Malicious JavaScript injected into the victim's browser session is used to intercept the encrypted cookies sent to the web application; the attack exploits a weakness in the CBC (cipher block chaining) mode used by TLS 1.0 to decrypt those cookies and recover the authentication tokens they carry.

SSL Hijacking

In SSL hijacking, the attacker passes forged authentication keys to both the user and the application during the TCP handshake, setting up what appears to be a secure connection while the man in the middle actually controls the entire session. It is commonly used to compromise social media accounts, since most social media sites store session cookies on the user's system; the attack typically occurs when the browser is hijacked through malware on the user's machine, or when the attacker steals the session cookies.

SSL Stripping

Around 70% of websites still respond on insecure, plain HTTP ports, for backward compatibility and broad availability. SSL stripping exploits this: the attacker intercepts the user's initial HTTP request and keeps the user on plain HTTP while talking HTTPS to the server, so the user's secure HTTPS connection is downgraded to a basic HTTP connection. The attacker can then sniff and read the packets, and because the user is now browsing an unencrypted site, alter them on the fly as well.
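Both the "Force HTTPS" advice above and SSL stripping come down to the same two server behaviours: never serve content over HTTP (redirect immediately) and send an HSTS header so that the browser refuses plain HTTP for that host afterwards. The following is an added example, not code from the page or from any vendor named on it: a minimal WSGI application that does both, plus a parser that judges whether a response's HSTS policy actually resists downgrade. The `hsts_app`, `call` and `parse_hsts` functions and the host names are assumptions made for this example.

```python
"""Force-HTTPS redirect plus HSTS, as a minimal WSGI app (added example)."""
from urllib.parse import urlunsplit

ONE_YEAR = 31536000   # seconds; a long max-age is what makes HSTS effective


def hsts_app(environ, start_response):
    """Redirect every plain-HTTP request to HTTPS; answer HTTPS with HSTS."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ["HTTP_HOST"]
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    if scheme != "https":
        target = urlunsplit(("https", host, path, query, ""))
        # 301 with an empty body: never serve content (not even a login form) over HTTP.
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        # includeSubDomains closes the hole where a subdomain is still reachable over HTTP.
        ("Strict-Transport-Security", f"max-age={ONE_YEAR}; includeSubDomains"),
    ]
    start_response("200 OK", headers)
    return [b"secure content\n"]


def call(app, scheme, host, path="/", query=""):
    """Drive the WSGI app without a server; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max-age": 0, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max-age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def downgrade_resistant(headers):
    """True if the response pins HTTPS for at least a year across subdomains."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return False
    policy = parse_hsts(value)
    return policy["max-age"] >= ONE_YEAR and policy["includeSubDomains"]


if __name__ == "__main__":
    print(call(hsts_app, "http", "bank.example", "/login", "next=home")[:2])
    print(call(hsts_app, "https", "bank.example", "/login")[:2])
```

One caveat a practitioner should keep in mind: HSTS is learned from an HTTPS response, so a user's very first visit (before the header has ever been seen) can still be stripped. Submitting the domain to the browsers' preload list, signalled by the `preload` directive, closes that window.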

Meterpreter


Meterpreter gives an attacker access to the target system through a shell that is invisible to the user; it is used to establish a command-and-control channel on the compromised machine. Meterpreter is popular among pen testers because of its power and versatility, and for the same reasons it attracts bad actors. It contains all the basic features expected of a penetration testing tool: profiling the network, running executables, access to a command shell, and sending and receiving files. Beyond these it can do much more, including port forwarding, taking screenshots, privilege escalation and keylogging.

Meterpreter is deployed using in-memory (reflective) DLL injection. It creates no new processes, writes nothing to disk, and resides entirely in memory: it injects itself into a compromised process and can migrate from one running process to another as necessary. The forensic footprint of the attack is therefore very small, which makes it an attractive payload for APT groups that prioritize staying under the radar. There are several ways to load Meterpreter into memory: the Metasploit Framework provides numerous stagers, such as document macros, VBScript and PowerShell, as well as a large number of exploits that inject Meterpreter directly into memory. Advanced users can also write their own loaders and exploits and combine them with custom evasion techniques.

Meterpreter and Metasploit are constantly evolving. Until recently it was common to drop Meterpreter stages to disk and use as many packers as possible to evade sandboxes and bypass static scanners; Metasploit has several easy-to-use built-in encoders for this, and AV companies struggle to detect them. Meterpreter and Metasploit have since added a number of fileless techniques: for example, after exploitation the payload can be injected into a system process and use the Windows API to query the registry. New features are added to Metasploit all the time; it provides a list of auxiliary modules too long to enumerate here, as well as a fuzzer for finding potential security flaws in binaries.

Meterpreter was designed to overcome the drawbacks of single-purpose payloads: it provides encrypted communication and lets new commands be written as extensions. With a single-purpose payload, the target system starts a new process, which may trigger alarms; that is the drawback Meterpreter avoids. Meterpreter was originally written by Skape (the hacker moniker of Matt Miller) for Metasploit 2.x; for 3.x the common extensions were merged, and it was overhauled for Metasploit 3.3. It is an advanced multi-function payload. When we have landed on a remote system without our own tools, Meterpreter lets us load capabilities dynamically at run time. Through it we can easily pivot to systems that are reachable from the exploited system's network but not from ours. Its interactive shell exposes these extensible features at run time, which increases the chances of a successful penetration test.

Meterpreter Goals

  • Meterpreter creates no new processes and writes nothing to disk; it resides entirely in memory.
  • Meterpreter injects itself into a compromised process and can migrate to another running process as necessary.
  • Meterpreter uses encrypted communication by default.
  • As a result, Meterpreter leaves very little evidence on the target machine for a forensic examiner to report.

Working of Meterpreter

When a system is compromised, the attacker sends a first-stage payload (the stager) to the target computer. The stager connects back to the attacker's Metasploit handler, which sends the second stage: a DLL injection stub followed by the Meterpreter server DLL, loaded reflectively into the process. Client and server then communicate over that socket for the rest of the Meterpreter session. The session is encrypted, which is its most useful property: it provides confidentiality, so a network administrator cannot simply sniff the session contents. The connection itself, and the stager's characteristic download of the second stage, can still be spotted on the wire.



Website vs Webpage

 


Website

A website is a collection of files, documents, or web pages that we view using a browser; there are many browsers, such as Safari, Firefox, Internet Explorer and Google Chrome. On the internet, the content of a website is located under a domain. For example, a company's website may have several web pages: home, products, services, about us, contact us, and so on. All of the content is accessible through the web address. A website can be built from static web pages or dynamic web pages. The content of a website is viewed globally, and every visitor sees the same content. A website can be service-specific, product-specific, industry-specific, etc., and its main intention is to educate visitors about the company's products, services and industry. To be reachable on the internet, a website must first be hosted on a server. Search engine crawlers do not index a website as a whole; they crawl and index its individual web pages. Users navigate the website from one page to another, so navigation is required to view a website. A website is reached by a unique URL: when the user enters it in the browser, the browser sends a request over the internet to the server hosting the website, and in response the server sends the page content back to the browser, which displays it.

Webpage

A web page or webpage is a single digital document that appears on a website over the internet. Web pages are the smaller parts that make up a larger website, and a web page contains more specific information than the website as a whole. Web pages stored in different directories can have the same file name. The web page's content is displayed within the website. Because it is only a part of the website, a web page takes less time to develop. A web page is accessed by a single URL, and web pages can be copied and shared. No navigation is needed to view a single web page. A web page can contain graphics, video, audio, plain text, hypertext, and hyperlinks to other pages. Its content is displayed by a web browser, which connects to the server to fetch the remote files. Web pages can be created with HTML and with programming languages like Python, PHP and Perl. Plain HTML pages are not very interactive and have a simple appearance, but they load and browse quickly.

Web pages are of two types: static and dynamic. A static web page shows the same content to everyone, and any change to its information has to be made manually, page by page, which is tiresome and time-consuming. A dynamic web page stores its information (for example, product data) in a central database, and its content can differ each time it is opened: date, time, stock prices, weather information, etc. A dynamic page takes more time to load than a static one.

Let's understand the difference between Website and Webpage

Website and web page are related, but they are distinct terms. A website is a collection of web pages, whereas a web page is a single entity. A website is reached through DNS (to resolve its domain name) and HTTP (to fetch its pages), while an individual web page is opened in the browser by its URL. Web pages contain navigational links that connect one page to other pages on the website. A web page holds specific information, while the website's content changes according to which web page is displayed.


S.N. | Website | Webpage
1 | A website is a collection of web pages, accessed through a URL. | It is a part of the website and contains links to other web pages.
2 | The URL of a website typically has no file extension. | The URL of a web page often ends in a file extension such as .php or .html.
3 | Each website has a unique URL. | Web pages in different directories can have the same file name.
4 | A website is the location where the content of its web pages is displayed. | A web page contains the content that is displayed on the website.
5 | The website's address does not depend on any web page. | The address of a web page depends on the address of the website.
6 | It takes more time to develop than a single web page. | Being only a part of the website, it takes less time to develop.
7 | A website holds all the online content and involves every type of file. | It is the part of the website that drives it and holds it together.

Post Exploitation Concept



Purpose of Post Exploitation

Post-exploitation is used to determine the value of the compromised target system and what can be done with it. The main purpose of post-exploitation is to gain access to all parts of the target system without the user's knowledge and without being detected; if the attacker is detected, all of the effort is wasted. A penetration tester exploits the target's computer system and analyzes the value of the data present on the victim's system. If the information appears valuable, the tester can dig further to obtain more information about the target. A penetration tester can also analyze system configuration settings, communication modes, registry settings, and the connectivity methods by which specific networks are connected to devices. The methods and requirements of this process vary with the rules of engagement and the situation.

Rules of Engagement

Post-exploitation is governed by a set of rules that protect both the client and the penetration tester. These rules avoid unnecessary conflict between client and tester: anything that does not need to be exploited is not exploited, and unnecessary actions are avoided at all costs. The rules fall into two groups, as follows:

Protecting Ourselves

Before launching any attack, the penetration tester should learn all the necessary details about the target system. The tester must protect their own identity, avoid leaving traces once the required operation is done, and perform every operation under strict confidentiality; if the tester is detected, the whole operation is terminated. To protect the tester's digital footprint, personal information and the client's information, the penetration tester should take the following steps:

  • If the client is a company or business, sign a service-level agreement or contract; this contract is what authorizes the tester to attack the security of the company's assets within the agreed scope.
  • Store any extracted information, which is confidential, using strong encryption.
  • Avoid storing the client's information or data on personal devices.

Protecting the client

Whether the client is an individual user, a company or a business, the safety of their information and data is the tester's responsibility. Before initiating an attack, the penetration tester should follow the proper steps, analyze the capabilities and effects of each attack method, and determine the method best suited for the job. To ensure the client's safety, the penetration tester should follow these steps:

The tester should not engage in any exploitation exercise that is not necessary.

If the client is a company or business, the tester should not use attack methods such as SSL stripping, DDoS (distributed denial of service), network packet sniffing, or SQL injection without the client's explicit permission, because such attacks can disturb or halt daily operations.

Tools used for Post exploitation

Metasploit is the best-known and most popular tool for post-exploitation. Meterpreter and other sub-tools are developed under Metasploit, and they make post-exploitation easier and faster. The Metasploit Framework is a penetration testing toolkit, an exploit research tool, and a development platform. It includes various auxiliary modules and verified exploits for a handy penetration test, along with different handlers, encoders and payloads that can be combined to fit any pen test.

Nexpose


 

Nexpose is a vulnerability scanning tool from Rapid7. It is sold as standalone software, a virtual machine, a hardware appliance, a private cloud deployment, or a managed service, and the user interacts with it through a web browser. All editions are paid except the free Nexpose Community edition. Nexpose scans a network for vulnerabilities: it finds the active services on each machine (open ports, running services and applications) and uses that information to find existing vulnerabilities on the network. It supports the vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. The results are shown in a scan report, which lets us prioritize vulnerabilities by risk and then find the most effective fix for each.

Metasploit Pro and Nexpose integrate with each other to provide vulnerability assessment and validation tools that help verify vulnerabilities, eliminate false positives, and test remediation. There are two ways to use Nexpose with Metasploit Pro. Metasploit Pro provides a connector for adding a Nexpose console; with it, we can run a vulnerability scan directly from the Metasploit web interface and automatically import the scan results into a project. Alternatively, we can run scans from Nexpose and import the results into Metasploit Pro for vulnerability analysis and validation. We choose whichever method suits the situation.

Features of Nexpose

Nexpose discovers assets in physical, virtual, mobile and cloud environments, scans them for vulnerabilities, and prioritizes risk according to the exploitability of those vulnerabilities. Administrators can prioritize vulnerability patching, schedule scans, and configure security alerts.

Nexpose's Live Monitoring feature collects the available data and turns it into action plans. Its exposure analytics find and prioritize the vulnerabilities most likely to be exploited first, so security managers are not bogged down by too many alerts. The Liveboards feature replaces static dashboard reports with visual reporting that is constantly updated. Rapid7 also introduced a remediation workflow feature for Nexpose, used to assign and track remediation work across the organization's security staff and to analyze progress in addressing vulnerabilities.

Nexpose and Metasploit integrate seamlessly to validate vulnerabilities by attempting to exploit them just as an attacker would.

Product Version

Nexpose has various editions with different deployment options as follows:

Ultimate: offered as a hardware appliance, managed service, virtual appliance, private cloud, or software product. It includes all features, with unlimited scan engines and an unlimited number of IP addresses.

Enterprise: offered as a hardware appliance, managed service, virtual appliance, private cloud, or software product. It is used by medium to large organizations with a security team, and supports multiple scan engines, users, and varying numbers of IPs.

Consultant: offered as a virtual appliance or software product. It is intended for organizations that provide IT security consulting. It can be installed on only one laptop, scans up to 1,024 IPs, and supports one scan engine.

Express: offered as a private cloud, virtual appliance, or software product. It supports two scan engines and one user, is intended for small organizations, and scans up to 1,024 IPs.

Community: offered as a virtual appliance or software product. It supports one user and one scan engine and scans up to 32 IPs.

All editions include dynamic asset groups, exception management, automatic vulnerability updates, and RealContext classification. Exception management lets an administrator exclude vulnerabilities from the risk score calculation by removing them from the asset listing table or report. Dynamic asset groups are groups whose membership is defined by criteria, so their members update automatically after each scan (for example when a vulnerability exception is created). RealContext provides contextual business intelligence for determining the highest-priority risks. Distributed scanning, integrated vulnerability validation, hosted perimeter scanning, mobile discovery and assessment, and user role customization are included only in the Ultimate and Enterprise editions.

Setup

Nexpose setup and configuration are straightforward, through an intuitive web user interface, and the product can be deployed within minutes. Administrators can view vulnerabilities ranked by their CVSS (Common Vulnerability Scoring System) score or by the skill level required to exploit them.

Pricing, Licensing, and Support

Nexpose Community is freely available online. A subscription option is also available for the Consultant edition. Pricing and licensing for the Express, Enterprise and Ultimate editions depend on the deployment format, which makes them complex. Nexpose Express scanning up to 128 IPs costs around $2,000, and hardware appliances range from about $3,000 to $18,000. The Express, Enterprise and Ultimate editions have perpetual licenses.

Rapid7 provides 24/7 basic support by phone, web and email, and hardware appliances carry a three-year warranty. Super Support adds bi-annual system maintenance, a 90-minute service-level agreement, on-site emergency support, dedicated account managers, and more. Its cost varies with environment size (number of IPs); for large organizations it exceeds $20,000.

Nexpose offers a free trial, and Nexpose Enterprise offers a live demo. The user guide, administrator guide and installation guide are freely available online, as are white papers, a searchable vulnerability database, research reports and webcasts. The Rapid7 classroom provides Nexpose product training, which customers can attend online or on-site at their own location. The Rapid7 website also has free webinars.

Magecart attack


 

Magecart is a type of data skimming attack. Attackers use skimming to capture sensitive information that the target enters into online payment forms: credit card numbers, debit card numbers, email IDs, passwords, etc. To steal card data, the hackers inject malicious code into the website; when users enter their card information on the checkout page, the code captures it. Shopping carts are attractive targets because that is where customers' payment information is collected.

Working of Magecart

Magecart attacks follow a well-established pattern. To succeed, the attackers must achieve the following three things:

Gain access to the website

Hackers gain access to the website and place the skimming code in one of two ways. The first is to break into our own server or infrastructure and place the skimming code there. The second is to compromise one of our third-party vendors, so that when the user's browser loads that vendor's script, the malicious script is added to our website.

Skim information from a form

Groups can capture the data in many different ways, but the usual tool is skimming code: a piece of JavaScript that listens for users' personal information and collects it. Typical approaches monitor all keypresses on a page, or watch specific parts of a web form and intercept the input from fields such as the credit or debit card number and CVV. Hackers generally obfuscate the malicious code to hide it and avoid detection.

Send information back to the server


This part of the process is very simple. Once the attackers have gained access to our website and are collecting the sensitive user data they want, the game is over: the skimmer runs in the end user's browser and can send the information to any location on the Internet.

Prevention from Magecart attack

The best defense against Magecart is to prevent access in the first place. Online companies need a system that intercepts all API calls that scripts on the website make in the browser and blocks access to sensitive data that has not been previously authorized. This keeps non-critical third-party scripts, or any malicious script, away from customers' sensitive information. When a script attempts to access sensitive information, the system records the attempt and alerts the company.

Attacks against websites continue to increase. Magecart-style attacks steal payment information directly from customers and end-users in the browser, while sophisticated botnet attacks leverage data found on other websites, including stolen credit card details and user credentials, to commit fraud. Many brands are now rethinking these attacks and adopting end-to-end web security that protects the backend infrastructure, mitigates Magecart attacks in the browser, and stops sophisticated botnet attacks.
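The prevention section above describes blocking unauthorized scripts from reaching payment data. Before any runtime monitor, the cheapest control is to know exactly which scripts a checkout page loads and to let the browser enforce that list through Content Security Policy and Subresource Integrity. The following audit is an added example, not the page's code or any vendor's product: it parses a constructed checkout page, flags inline scripts, scripts from hosts outside an allowlist, and allowed third-party scripts without an `integrity` attribute, then emits the matching `script-src` policy. The host names, the `ALLOWED` set and the placeholder integrity hash are all assumptions made for the example.

```python
"""Audit which scripts a checkout page loads (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page: its src, integrity attribute and inline text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html, site_host, allowed_hosts):
    """Return (kind, detail) findings: inline scripts, scripts from hosts
    outside the allowlist, and allowed third-party scripts that lack SRI."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:
            if s["text"].strip():
                findings.append(("inline-script", s["text"].strip()[:40]))
            continue
        host = urlsplit(s["src"]).hostname or site_host     # relative src is first-party
        if host == site_host:
            continue
        if host not in allowed_hosts:
            findings.append(("unlisted-third-party", host))
        elif not s["integrity"]:
            findings.append(("no-sri", host))
    return findings


def csp_for(allowed_hosts):
    """A script-src policy that makes the browser itself block anything else."""
    sources = ["'self'"] + [f"https://{h}" for h in sorted(allowed_hosts)]
    return "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'self'"


# Constructed checkout page; the integrity value is a placeholder, not a real digest.
SAMPLE_CHECKOUT = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay.example/sdk.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://evil-cdn.example/jquery.min.js"></script>
<script>document.addEventListener("submit", function (e) { /* skimmer */ });</script>
</head><body><form id="checkout"><input name="cc"></form></body></html>"""

ALLOWED = {"pay.example", "cdn.example"}

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT, "shop.example", ALLOWED):
        print(f"{kind:22} {detail}")
    print(csp_for(ALLOWED))
```

The audit catches the injected `evil-cdn.example` script and the inline skimmer, and it also catches the analytics script that is allowed but unpinned: that is exactly the vendor-compromise path described under "Gain access to the website", where the host is trusted but the file it serves has changed. A policy without `'unsafe-inline'` like the one generated here makes the browser refuse the inline skimmer even if the audit is never run.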

Defend against Password Cracking

The key line of defense is preventing your passwords from being cracked. Users and organizations can use the following two approaches to minimize the risk of password cracking:

Password policies

The front line of defense is password policies. A password policy is a set of rules that improves the security of users' passwords by compelling or motivating users to create strong, safe passwords. Password policies also govern the password lifecycle: expiration, periodic resets, and authentication. Some policies provide advice and best practices for users, while some sites enforce the rules programmatically so that users have to adhere to them. If the criteria for creating a password are complicated and users must spend time satisfying them, users become frustrated; a policy with clear guidelines gives users certainty and helps reduce that frustration. Examples of password policy rules are as follows:

Longer passwords: Creating longer passwords and passphrases substantially improves password security. However, avoid any password that regularly appears in cracking dictionaries, and avoid long passwords that have already been compromised.

Personal details: The password policy tells users not to use personal details, or anything linked to personal details, when creating a password. Most users build passwords from details such as pets, hobbies, date of birth, or account numbers. An attacker who can see such personal information on social media will generate password combinations from it. Passwords entered by users should be checked to make sure they do not include basic information such as the login name or the user's own name.

Use different passwords: Different accounts should have different passwords, and the policy should require it. Do not reuse the same password across all your online accounts. Users working in the same department or on the same equipment should still each have distinct passwords.

Adopt passphrases: Use passphrases as the standard. The policy should require users to create passphrases rather than passwords. A passphrase serves the same purpose, but its greater length makes it much harder to crack. An effective passphrase includes numbers, letters, and symbols, and passphrases are easier for users to remember than passwords.

Discourage sharing: The policy should specify that a password is personal and must not be shared. Requiring 2FA (two-factor authentication) is another password policy: before logging in, the user must present two pieces of evidence, a password and a temporary code sent by email, to a cellphone, or by another method.

Password screening

Screening attempted passwords against a dictionary list and against known compromised passwords is the best way to prevent dictionary attacks. Compromised-password screening collects breached data from the internet and dark-web sources and then checks whether the password a user is trying to create has already been compromised. Password-screening tools work by checking a partial hash of the username and password at login, at password setup, and at reset. E-commerce companies and consumer sites use password screening to detect and block attackers who use previously compromised credentials.
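As an added example, not code from the original post, the following Python sketch combines the two controls just described: a policy check (length, character classes, username and personal details) and a compromised-password screen that sends only a partial hash to the screening service. The breach corpus is a constructed five-entry stand-in, and the function and rule names are assumptions, not any vendor's API.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus: a real screening service would hold
# millions of SHA-1 digests of leaked passwords; here it is a handful.
COMPROMISED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "superadministratorguy"]
COMPROMISED_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper() for p in COMPROMISED_PASSWORDS}

MIN_LENGTH = 12
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def lookup_hash_prefix(prefix):
    """Stand-in for the screening service: given the first five hex characters of a
    SHA-1 digest, return the suffixes of every stored digest sharing that prefix."""
    return {h[5:] for h in COMPROMISED_HASHES if h.startswith(prefix)}


def is_compromised(password):
    """Partial-hash screening: only the five-character prefix goes to the service and
    the rest of the comparison happens locally, so the full hash never leaves the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup_hash_prefix(prefix)


def contains_personal_detail(password, details):
    """True if any personal detail of three or more characters appears in the password."""
    lowered = password.lower()
    return any(d.lower() in lowered for d in details if len(d) >= 3)


def check_password_policy(password, username, personal_details=()):
    """Return the list of policy rules the candidate password violates (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(bool(re.search(cls, password)) for cls in CHARACTER_CLASSES) < 3:
        problems.append("fewer than three character classes")
    if username.lower() in password.lower():
        problems.append("contains username")
    if contains_personal_detail(password, personal_details):
        problems.append("contains personal detail")
    if is_compromised(password):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    # Constructed personal details for the demo user: a pet name and a birth year.
    for candidate in ("password", "MyDogRex#2024!", "correct-Horse-battery-7"):
        print(candidate, "->", check_password_policy(candidate, "alice", ["Rex", "1990"]) or "accepted")
```

The prefix lookup mirrors the k-anonymity style of partial-hash checks: the service learns only that one of many digests sharing a prefix is being tested, and the client decides the match. Returning every violated rule at once, rather than the first one, is what keeps user frustration down, since the user fixes everything in one attempt.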

Cross-site Scripting

Cross-site scripting, also known as XSS, occurs when an attacker gets malicious JavaScript to execute inside a user's browser. The code runs in the victim's browser, not on the server. Upon initial injection the attacker does not fully control the site; instead, the malicious code is attached to a legitimate website, and every time the page loads, the script executes and tricks the browser.

JavaScript in XSS

JavaScript is a programming language that runs inside the web browser. Client-side code adds interactivity and functionality to a web page, and JavaScript is used extensively on CMS platforms and all major applications. Because it runs inside the browser, JavaScript, unlike a server-side language such as PHP, does not execute on the server. It can still interact with the server through background requests, which perform actions asynchronously or gather analytics about the client's browser. An attacker can abuse these background requests to add malicious content to a web page without refreshing it.

How Cross-site scripting works

An attacker can inject code into a page of the victim's website only after exploiting a vulnerability in the website's software. Once the vulnerability is exploited, the attacker's script is injected and executes in the victim's browser.

When the victim's browser runs the JavaScript, the attacker can access sensitive information about the target user from the session. If the target is the site's administrator, the session gives the attacker a way to completely compromise the website.

Cross-site scripting is especially useful to an attacker when most of the publicly accessible pages on the website are vulnerable. The injected code can then add malicious content, phishing prompts, and ads to the website to target its visitors.

Types of Cross-site scripting attacks

Cross-site scripting can be used in various ways depending on the attacker's goals. The most common types of cross-site scripting attacks are as follows:

Stored Cross-site scripting attack

A stored cross-site scripting attack occurs when the attacker stores a payload on the compromised server, so that the website itself delivers the malicious code to every other visitor. Only a single action by the attacker is required, and many visitors are compromised as a result, which makes stored XSS the most dangerous kind of cross-site scripting. An example is profile fields such as the email address and username, which the server stores and displays on the account page.

Reflected Cross-site scripting attack

Reflected cross-site scripting occurs when the payload is carried in data sent from the browser to the server and reflected back in the response. Examples include contact-form or site-search data sent to the target that contains a malicious script. In the search-form case, the visitor sends a search query to the server and only that visitor sees the result, so attackers send victims custom links that direct them to the vulnerable page.

Self Cross-site scripting attack

A self cross-site scripting attack occurs when the attacker exploits a vulnerability that requires manual changes and an extremely specific context, such as setting one's own profile information or cookie values to the payload.

Blind Cross-site scripting attack

Blind cross-site scripting occurs when the attacker cannot see the result of the attack. The vulnerability lies on a page that only authorized users can access, so launching the attack successfully requires more preparation, and the attacker receives no notification if the payload fails. Attackers may use polyglots to increase the success rate of these attacks: a polyglot payload works in different contexts such as a script tag, plain text, and attributes.

DOM-Based Cross-site scripting attack

DOM-based cross-site scripting occurs when the JavaScript on the page, rather than the server, is vulnerable. JavaScript adds interactivity to the page and may read arguments from the URL to modify the page after it has loaded. If such a user-controlled value is not sanitized before the DOM is modified, malicious code can be added to the page. A website that switches to a language named in the URL instead of the default language is an example of where DOM-based cross-site scripting can occur.

Prevention of Cross-site scripting attacks

Attackers have a variety of methods for exploiting website vulnerabilities, and there is no single strategy that reduces the risk of cross-site scripting. Cross-site scripting is enabled by unsafe user input being rendered directly into the web page; if user input were always properly sanitized, the attack would be impossible. There are several ways to ensure that user input cannot escape its intended context on our website. The following protective measures harden our web applications and protect our website.

Whitelist Values

We can restrict a user's input to a specific whitelist, so that only known, safe values are sent to the server. Restricting user input this way works only when we know what data to expect, such as the contents of a drop-down menu.

Restrict HTML in Inputs

Limit HTML to trusted users. If formatting and styling must be allowed in an input, use Markdown instead of HTML to generate the content. If HTML must be used, sanitize it with a robust sanitizer such as DOMPurify, which removes all unsafe code.

Sanitize value

If a page contains user-generated content, make sure it cannot turn into HTML by replacing unsafe characters with entities. An entity looks the same as the regular character when rendered, but it cannot generate HTML.

Use HTTPOnly Flags on Cookies

Session cookies allow a website to recognize a user between requests. Attackers frequently exfiltrate a user's cookies to steal an admin session: with the stolen cookies they can log in to the admin account without authorized access or credentials. HttpOnly cookies prevent JavaScript from reading the cookie's contents and make stealing the session harder. This method only protects the cookies themselves; an attacker can still act as the admin user by sending requests through the active browser session. It is useful only when cookies are the main identification mechanism.
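As an added example, not code from the original post, here is a small server-side Python module showing three of the measures above side by side: a whitelist for a value that legitimately comes from a drop-down (the site language from the DOM-based example), entity encoding of user-generated text next to the unsafe concatenation it replaces, and a Set-Cookie header with the HttpOnly flag. Names such as render_comment and session_cookie_header are assumptions for this illustration.

```python
import html

# Whitelist for a value that legitimately comes from a drop-down; any other
# value, however it was crafted, falls back to the default.
ALLOWED_LANGUAGES = {"en", "de", "fr"}


def pick_language(requested, default="en"):
    """Only a known value is ever used to modify the page."""
    return requested if requested in ALLOWED_LANGUAGES else default


def render_comment_unsafe(author, body):
    """The bug: user text is concatenated straight into the page, so any
    markup it contains becomes live HTML in every visitor's browser (stored XSS)."""
    return "<p><b>" + author + "</b>: " + body + "</p>"


def render_comment(author, body):
    """The fix: every character that could start HTML (& < > " ') is replaced by
    its entity, so the browser renders the text instead of interpreting it."""
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )


def session_cookie_header(session_id):
    """Set-Cookie header for the session. HttpOnly keeps document.cookie from
    reading it; Secure and SameSite further limit where the browser sends it."""
    return "Set-Cookie: sid={}; HttpOnly; Secure; SameSite=Lax; Path=/".format(session_id)


if __name__ == "__main__":
    # Constructed input: a comment body carrying markup.
    print(render_comment_unsafe("guest", "<script>x</script>"))
    print(render_comment("guest", "<script>x</script>"))
    print(session_cookie_header("constructed-session-id"))
```

Escaping with quote=True matters when user text lands inside an attribute value, which is why both the double and single quote are encoded. HttpOnly stops the script from reading the cookie, but, as the text above notes, it does not stop a script already running in the victim's session from sending requests as that user.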

Use WAF

A web application firewall lets us virtually patch attacks against our website by intercepting malicious requests such as SQLi, RCE, and XSS before they reach the site. It can also protect against large-scale attacks such as DDoS.

Types of Password Attacks

There are three types of password attacks:

  • Non-electronic attacks
  • Online attacks
  • Offline attacks

1) Non-electronic attacks

A non-electronic attack uses chicanery to get sensitive information from users or to make them perform actions that compromise the security of a network. Non-electronic attacks are as follows:

Social Engineering

Social engineering is the process of tricking a user into believing that the attacker is a legitimate agent. A common tactic is for the attacker to pose as technical support, call a victim, and ask for a network access password in order to provide assistance. Done in person with fake credentials and a fake uniform, the technique is effective, but these days it is less common.

Successful social engineering attacks can be highly lucrative, and attackers can be highly convincing. For example, an attacker stole $201,000 from a UK-based energy company by tricking the company's CEO with an AI tool that mimicked his assistant's voice.

Shoulder Surfing

Shoulder-surfing attacks are performed by the most confident attackers. The attacker may pose as an air-conditioning service technician, a parcel courier, or anyone else who can easily get into an office building. Once inside, they have something like a free pass and can note the passwords that the company's staff members type.

A brazen example is attackers who disguise themselves to gain access to company sites, then look over employees' shoulders to grab sensitive information, documents, and passwords. This attack mostly affects smaller businesses.

Recently, security experts found vulnerabilities in the authentication process used by WhatsApp. When a user wants to use WhatsApp on a new device, they have to enter a unique code sent to their phone number by text message. That code restores the user's account and also retrieves the chat history in the background. It was found that an attacker who knows a user's phone number can install WhatsApp on a new device and request a new code; if the attacker is using a spying device, they can copy the code as it arrives on the user's own device.

Spidering

Spidering uses the same techniques as phishing and social engineering attacks. Savvy attackers have learned that passwords used in corporate offices are often made of business-related words. For a brute force attack, a custom word list is built from website sales material, customers listed on the website, corporate literature, and competitors' websites. Really savvy attackers automate this process.

Through spidering, an attacker studies their target and derives credentials from the target's activity. For example, many companies set internal service passwords related to their business so that employees can remember them easily. An attacker who targets a company and knows its business may try to access employee handbooks or networks to further their understanding, or build a list of all possible word combinations by studying the products the company makes. That list can then be used in brute force attacks.

2) Online attacks

Active online attacks can be categorized as follows:

Guess

Guessing is the password cracker's best friend. If all other attacks fail, the attacker can try to guess your password. These days, password managers generate random password strings that are impossible for an attacker to guess. Many users, however, set passwords based on memorable parts of their life such as family, interests, pets, date of birth, and hobbies, or on the things they like to chat about on social networks and include in their profile. When password crackers attempt to get a customer-level password, they look at this information and guess based on what is available on social networks. To protect yourself from guessing, use a password manager and maintain good password hygiene; many password managers are free.

Brute Force attack

A brute force attack is a way of accessing a system using different hacking methods that involve password guessing. For example, an attacker can use relevant clues to guess a person's password. Many people reuse the same password on many sites, so a password exposed in a previous data breach can be tried elsewhere. In a reverse brute force attack, the attacker starts from the most commonly used passwords and tries to guess the associated usernames.

Dictionary attack

A dictionary attack is a more sophisticated example of a brute force attack. The attacker uses a dictionary of words, which are simply the words and names most users choose as passwords. In a dictionary attack, every word in the dictionary is tested within seconds. Most dictionaries contain credentials gained from previously breached passwords, along with word combinations and the most commonly used passwords.

An attacker knows all the clever tricks, so grouping words like "superadministratorguy" or "best mommy" does not protect a password; it only adds a few extra seconds before it is cracked. Many people use memorable phrases such as a girlfriend's or boyfriend's name or a date of birth as their password, and dictionary attacks take advantage of this. That is why systems urge the user to enter multiple character types when creating a password.

Phishing

Phishing is a very easy way to obtain a user's password: the attacker simply asks the user for it. In a phishing email, the attacker sends the unsuspecting user a fake login page for whatever service the attacker wants to access. The page claims there is some terrible problem with the user's security and asks them to log in, then skims the password. The attacker can then use that password to get the user's sensitive information. When users happily hand over their passwords, why would an attacker bother cracking them?

Malware

The umbrella of malware covers a host of malicious tools, including screen scrapers and keyloggers, used to steal a person's information. Ransomware, a highly disruptive form of malware, attempts to block access to the entire system. Some malware families contain highly specialized malware that specifically targets passwords.

Keyloggers and their ilk record a user's activity, through keystrokes or screenshots, and share it with the attacker. Some malware attacks target the web browser's client password file; if that file is not properly encrypted, the attacker can easily extract the passwords saved in the user's browser.

3) Offline attacks

Offline attacks are as follows:

Offline Cracking

Remember that not all attackers work over the internet connection; most of the work is done offline. You may imagine that your password is safe because the application blocks automated guessing, locking the user out after three or four wrong attempts. That would be true if all password cracking took place online, but it does not. Offline cracking works on the set of hashes in a password file obtained from a compromised system.

The target is compromised through a hack on a third party that gives access to the system server and the file of users' password hashes. The attacker can then take all the time needed to try to recover the passwords without touching the individual user or the target system. The attack proceeds once the initial compromise succeeds, whether the attacker stumbled onto a database, reached it through an SQL injection attack, or gained elevated privileges on an unprotected server.

Rainbow table attack

Despite the name, a rainbow table is not colorful. Whenever a password is stored on a system it is protected with a cryptographic hash, which makes it impossible for an attacker to determine the original password from the stored value directly. To bypass this, attackers maintain and share directories built from previous hacks that contain passwords and their corresponding hashes, which reduces the time needed to break into a system.

A rainbow table goes one step further than such a directory. A directory provides passwords and their hashes; a rainbow table uses the hash algorithm itself to provide the plain-text versions of all possible hashed passwords. If an attacker discovers a password hash in a company system, they can compare it against the rainbow table's list. Because most of the computation is done before the attack takes place, launching the attack is quicker and easier than other methods.
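As an added example, not code from the original post, the following Python shows why precomputation works against unsalted fast hashes and what defeats it. A plain dictionary stands in for the rainbow table (a real one compresses the same hash-to-plaintext mapping with chains), the four "common passwords" are constructed, and the storage scheme on the defended side is PBKDF2-HMAC-SHA256 with a random per-user salt, which is an assumption for this illustration rather than anything the post prescribes.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords standing in for a cracking dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def fast_hash(password):
    """Unsalted single-round SHA-256: the storage scheme a precomputed table defeats."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precomputed hash -> plaintext map. A real rainbow table compresses this with
    hash chains, but the lookup it enables is the same: one table serves every user."""
    return {fast_hash(p): p for p in passwords}


def lookup(table, stored_hash):
    """Recover the plaintext for a stored hash, or None if the table has no entry."""
    return table.get(stored_hash)


def hash_password(password, salt=None, iterations=600_000):
    """Salted, slow hash (PBKDF2-HMAC-SHA256). The random per-user salt makes every
    stored value unique, so no table built in advance matches it, and the iteration
    count makes each guess expensive even for an attacker who has the salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{}${}${}".format(salt.hex(), iterations, dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted SHA-256 of 'qwerty' recovered:", lookup(table, fast_hash("qwerty")))
    stored = hash_password("qwerty")
    print("salted PBKDF2 of 'qwerty' recovered:", lookup(table, stored))
    print("verify correct password:", verify_password("qwerty", stored))
```

The two stored forms of the same weak password make the point: the unsalted digest is found instantly, the salted one is not in any table, and the only route left is guessing per user at the cost set by the iteration count. Salting does not rescue a password that is itself in the dictionary; it removes the ability to amortize one precomputation across every account.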

Network Analyzers

Network analyzers are tools that monitor and intercept the packets sent over a network. If a packet contains a plain text password, the tool lifts that password.

An attacker needs either physical access to the network or malware on it to run a network analyzer; the technique does not rely on exploiting network bugs or system vulnerabilities. Network analysis is often the first phase of an attack, followed up with brute force attacks.

We can also use the same tools in our own business to scan our network, which is useful for troubleshooting and running diagnostics. With these tools, an admin can find out which information is transmitted as plain text and put policies in place to prevent it. Routing your traffic through a VPN (virtual private network) protects you from this attack.

Mask attack

A mask attack is specific in its scope: the guesses are constrained by what is known about the numbers or characters in the password. For example, if the attacker knows that a password starts with a number, they can tailor the mask to try only passwords that start with a number. Masks can be configured by criteria such as special characters, the arrangement of characters, the number of repeated single characters, and password length. The goal of a mask attack is to remove unnecessary candidates and reduce the time needed to crack a password.