Breaking The Great Wall of Web – XSS WAF Evasion CheatSheet

I think it’s mandatory to give back to Security community from where we learn cutting edge techniques and information. Therefore after months of effort i am presenting to you a new WhitePaper titled “Breaking Great Wall of Web” without any strings attached.

Acknowledgements

I would like to thank the Acunetix Team for helping with proof-reading of the document.

Background

The WhitePaper not only contains sophisticated XSS vectors but it aims at also explaining the methodology behind bypassing a WAF.  The previous paper on this subject “Bypassing Modern WAF’s XSS Filters – Cheat Sheet” was released 3 years back. A lot has changed and evolved during these years, especially with the advent of ECMA Script a new horizon for evasion/obfuscation have been opened. I have already discussed/demonstrated several techniques presented in this whitepaper in my recent Webcast hosted by Garage4hackers team namely “Bypassing Modern WAF’s Exemplified At XSS“.

Abstract

Input Validation flaws such as XSS are the most prevailing security threats affecting modern Web Applications. In order to mitigate these attacks Web Application Firewalls (WAF’s) are used, which inspect HTTP requests for malicious transactions. Nevertheless, they can be easily bypassed due to the complexity of JavaScript in Modern browsers. In this paper we will discusses several techniques that can be used to circumvent WAF’s exemplified at XSS.

This will paper talk about the concepts of WAF’s in general, identifying and fingerprinting WAF’s and various methodologies for constructing a bypass. The paper discusses well known techniques such as Brute Forcing, Regular expression reversing and browser bugs for bypassing WAF’s.

How to Hack My Lock Box in any system

How to hack folder lock software

 

Step1: Make a Bootable pendrive with kali linux or any linux operating system.

 

Step:2 Now boot victim PC with kali linux

 

step :3 Now you can see all the files and folder without any mylock box privacy..

Because mylock box is windows application which works on only windows operating system.

step:4 Enjoy

Best Website Vulnerability Scanners Free

These Web Scanners are best for finding bugs in the websites..

Acunetix web vulnerability scanner download here : click here

Burp Suite Proxy Download : Click here

Netsparker web vulnerability scanner Download : Click here 

Nikto Web Vulnerability Scanner Download   : Click here

Nessus Web Vulnerability Scanner Download : Click Here

How to Find Credit card details using google dorks for carding

These are google dorks to find out shopping website for sql injection.you can test these website for sql injection vulnerability for fetching credit card details from database.

inurl:”.php?cat=”+intext:”Paypal”+site:UK

inurl:”.php?cat=”+intext:”/Buy Now/”+site:.net

inurl:”.php?cid=”+intext:”online+betting”

inurl:”.php?id=” intext:”View cart”

inurl:”.php?id=” intext:”Buy Now”

inurl:”.php?id=” intext:”add to cart”

inurl:”.php?id=” intext:”shopping”

inurl:”.php?id=” intext:”boutique”

inurl:”.php?id=” intext:”/store/”

inurl:”.php?id=” intext:”/shop/”

inurl:”.php?id=” intext:”toys”

inurl:”.php?cid=”

inurl:”.php?cid=” intext:”shopping”

inurl:”.php?cid=” intext:”add to cart”

inurl:”.php?cid=” intext:”Buy Now”

inurl:”.php?cid=” intext:”View cart”

inurl:”.php?cid=” intext:”boutique”

inurl:”.php?cid=” intext:”/store/”

inurl:”.php?cid=” intext:”/shop/”

inurl:”.php?cid=” intext:”Toys”

inurl:”.php?cat=”

inurl:”.php?cat=” intext:”shopping”

inurl:”.php?cat=” intext:”add to cart”

inurl:”.php?cat=” intext:”Buy Now”

inurl:”.php?cat=” intext:”View cart”

inurl:”.php?cat=” intext:”boutique”

inurl:”.php?cat=” intext:”/store/”

inurl:”.php?cat=” intext:”/shop/”

inurl:”.php?cat=” intext:”Toys”

inurl:”.php?catid=”

inurl:”.php?catid=” intext:”View cart”

inurl:”.php?catid=” intext:”Buy Now”

inurl:”.php?catid=” intext:”add to cart”

inurl:”.php?catid=” intext:”shopping”

inurl:”.php?catid=” intext:”boutique”

inurl:”.php?catid=” intext:”/store/”

inurl:”.php?catid=” intext:”/shop/”

inurl:”.php?catid=” intext:”Toys”

Just type in “inurl:” before these dorks:

merchandise/index.php?cat=

productlist.asp?catalogid=

Category.asp?category_id=

Category.cfm?category_id=

category.asp?cid=

category.cfm?cid=

category.asp?cat=

category.cfm?cat=

category.asp?id=

index.cfm?pageid=

category.asp?catid=

Category.asp?c=

Category.cfm?c=

productlist.cfm?catalogid=

productlist.asp?catalogid=

viewitem.asp?catalogid=

viewitem.cfm?catalogid=

catalog.cfm?catalogId=

catalog.asp?catalogId=

department.cfm?dept=

department.asp?dept=

itemdetails.cfm?catalogId=

itemdetails.asp?catalogId=

product_detail.asp?catalogid=

product_detail.cfm?catalogid=

product_list.asp?catalogid=

product_list.cfm?catalogid=

ShowProduct.cfm?CatID=

ShowProduct.asp?CatID=

search_results.cfm?txtsearchParamCat=

search_results.asp?txtsearchParamCat=

itemdetails.cfm?catalogId=

itemdetails.asp?catalogId=

store-page.cfm?go=

store-page.asp?go=

Detail.cfm?CatalogID=

Detail.asp?CatalogID=

browse.cfm?category_id=

view.cfm?category_id=

products.cfm?category_id=

index.cfm?Category_ID=

detail.cfm?id=

category.cfm?id=

showitems.cfm?category_id=

ViewProduct.asp?PID=

ViewProduct.cfm?PID=

shopdisplayproducts.asp?catalogid=

shopdisplayproducts.cfn?catalogid=

displayproducts.cfm?category_id=

displayproducts.asp?category_id=

DisplayProducts.asp?prodcat=

DisplayProducts.cfm?prodcat=x

productDetail.cfm?ProductID=

products.php?subcat_id=

showitem.cfm?id=21

productdetail.cfm?pid=

default.cfm?action=46

products_accessories.asp?CatId=

Store_ViewProducts.asp?Cat=

category.cfm?categoryID=

category.asp?category=

tepeecart.cfm?shopid=

view_product.asp?productID=

ProductDetails.asp?prdId=12

products.cfm?ID=

detail.asp?product_id=

product_detail.asp?product_id=

products.php?subcat_id=

product.php?product_id=

view_product.cfm?productID=

product_details.asp?prodid=

shopdisplayproducts.cfm?id=

displayproducts.cfm?id=

Cyber Security Tips For Secure Online Shopping

here are top cyber security tips for safe online shopping for online shopping.

However, the main question arises: Is it safe to do online shopping? Especially with so many users sharing credit card information over online shopping websites.

Here are some tips that you have to keep in mind before releasing your credit card information and clicking, ‘BUY‘ or ‘checkout’.

1. DO NOT CLICK On Suspicious Links

Malicious links are sent by scammers over internet who look more real than the original ones. As these links are specifically of the well-known sites like eBay and Flipkart, many online users fall victim.These links are created for installing malware in visitor’s pc.

The secure way of not getting tricked by these would be NOT to open these links if provided via social media sites, messages or emails from unknown sources.

2. Keep your Eye on New Vendors or websites

People tend to purchase goods and services from new vendors or websites as they generally give attractive discounts over social networking sites also.

However, one should always be safe from such vendors as sometimes the customer is trapped and exploited easily.

• Always get a double confirmation of the things that are necessary including product purpose and suitability, materials and construction, quality, and other things like speedy shipping, prompt refunds, and returns.
• Always try to start from minimum purchases and then shift to the major ones.
• Always look before you leap.

Search online for other people’s experiences online and also some sites like http://www.bbb.org and others.

3. Always Use Strong Passwords

This tip is one of the most obvious ones, but people do not intend to use it generally.

• Always try to avoid easy to crack passwords by including a combination of upper and lowercase letters, numbers and special characters in your password & put hard password not easily guessable.
• dont put simple passwords like 12345 or admin12345.
• dont have same password for multiple sites.

4. Always Use Secured Websites for shopping

Before releasing your sensitive information over online webisite, check to make sure if the website you just visited is a secure site.

Secure sites have a closed padlock in the status bar, and its URL starts with HTTPS, which means:

• Communication is encrypted
• SSL verifies authenticity

5. Avoid Using Debit Cards, Instead Use Credit Cards

Do not use debit card for online shopping.

In a case, if someone manages to intercept your financial information online, they can do less damage.

• Credit cards have spending limits but debit cards do not have.
• Credit cards should also be used with low credit limits even as other option also given by the bank as “one-time use.”

You can even make use of virtual credit cards that are specifically designed for online shopping only.

6. Important Things to Remember While Shopping

• Always keep documentation of your online purchases, mostly an email is sent to the customer confirming the order.
• It is the duty of every customer to print the document or save it somewhere safe till receiving the order.
• Moreover, it is always suggested to log off from the retailer’s website after making the purchase.

These are always considered to be the smarter options to adapt than to become a victim.

7. Do Not Provide Your Details to Every Website You Visit

Online stores provide an option for the customers to check out as a one time customer.

If you are not shopping regularly from any site, avoid filling unnecessary information, just in case, to be safe.

8.Check Your Bank Statements Regularly

Most of the banks now allow for setting up email notifications of any credit card transaction.

If you see any charges that are unusual, they have to get reported, and suitable actions should be taken that are needed to get a prompt refund.