Cross Site Scripting - XSS - Mechanism

Cross Site Scripting - XSS - Mechanism

1. What is Cross Site Scripting?
Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page which are executed on the client-side (in the user’s web browser) rather than on the server-side. XSS in itself is a threat which is brought about by the internet security weaknesses of client-side scripting languages, with HTML and JavaScript (others being VBScript, ActiveX, HTML, or Flash) as the prime culprits for this exploit. The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.
In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed. There are many slight variations to this theme, however all XSS attacks follow this pattern, which is depicted in the diagram below.

A basic example of XSS is when a malicious user injects a script in a legitimate shopping site URL which in turn redirects a user to a fake but identical page. The malicious page would run a script to capture the cookie of the user browsing the shopping site, and that cookie gets sent to the malicious user who can now hijack the legitimate user’s session. Although no real hack has been performed against the shopping site, XSS has still exploited a scripting weakness in the page to snare a user and take command of his session. A trick which often is used to make malicious URLs less obvious is to have the XSS part of the URL encoded in HEX (or other encoding methods). This will look harmless to the user who recognizes the URL he is familiar with, and simply disregards and following ‘tricked’ code which would be encoded and therefore inconspicuous.
2. Site owners are always confident, but so are hackers!
Without going into complicated technical details, one must be aware of the various cases which have shown that XSS can have serious consequences when exploited on a vulnerable web application. Many site owners dismiss XSS on the grounds that it cannot be used to steal sensitive data from a back-end database. This is a common mistake because the consequences of XSS against a web application and its customers have been proven to be very serious, both in terms of application functionality and business operation. An online business project cannot afford to lose the trust of its present and future customers simply because nobody has ever stepped forward to prove that their site is really vulnerable to XSS exploits. Ironically, there are stories of site owners who have boldly claimed that XSS is not really a high-risk exploit. This has often resulted in a public challenge which hackers are always itching to accept, with the site owner having to later deal with a defaced application and public embarrassment.
3. The repercussions of XSS
Analysis of different cases which detail XSS exploits teaches us how the constantly changing web technology is nowhere close to making applications more secure. A thorough web search will reveal many stories of large-scale corporation web sites being hacked through XSS exploits, and the reports of such cases always show the same recurring consequences as being of the severe kind.
Exploited XSS is commonly used to achieve the following malicious results:

• Identity theft
• Accessing sensitive or restricted information
• Gaining free access to otherwise paid for content
• Spying on user’s web browsing habits
• Altering browser functionality
• Public defamation of an individual or corporation
• Web application defacement
• Denial of Service attacks

Any site owner with a healthy level of integrity would agree that none of the above can really be considered us frivolous or unimportant impacts on a vulnerable site. Security flaws in high-profile web sites have allowed hackers to obtain credit card details and user information which allowed them to perform transactions in their name. Legitimate users have been frequently tricked into clicking a link which redirects them to a malicious but legitimate-looking page which in turn captures all their details and sends them straight to the hacker. This example might not sound as bad as hacking into a corporate database; however it takes no effort to cause site visitors or customers to lose their trust in the application’s security which in turn can result in liability and loss of business.
4. XSS Attack Vectors
Internet applications today are not static HTML pages. They are dynamic and filled with ever changing content. Modern web pages pull data from many different sources. This data is amalgamated with your own web page and can contain simple text, or images, and can also contain HTML tags

DISLAIMER: For education purpose only

Adithya

Read More

Caller ID Spoofing

Caller ID Spoofing

Go to this website

http://www.crazycall.net

Fill the asked information i.e.

First select the country
Now insert the mobile number u wanna display
& now insert the victim's mobile number
Press "Get me a code" and we will provide you with number to call and a code.
Call the number
Enter the code and we will connect your call to your friend with the CallerID and voice you have selected.

DISLAIMER: For education purpose only

Adithya 

Read More

Apple iOS 5 Review

Introduction

It's June again, time for Apple to make headlines. The WWDC is over and the iOS 5 and the iCloud are now official. It won't be before the fall though that the iOS 5 will officially launch.

However, Apple has given us a taste of the iOS 5 by releasing a developer preview soon after the announcement. We went on to update an iPhone 4 with the beta release and we are ready to share our first impressions.

But before we continue, let's take a look at the most important features to premiere on the iOS 5.

Apple iOS 5 new features:

• Notifications - real time on-screen notifications, lockscreen notifications and pull-down Notification Center
• iMessage service in the Messaging app enabling instant messages to other iOS users
• Reminders - including location-aware options
• Customizable notification sounds - email, voicemail and calendar alerts
• Twitter integration
• iCloud service integration
• Enhanced Camera app - viewfinder grid, hardware shutter key
• Integrated photo editing - crop, auto enhance, rotate and red-eye fix
• Updated Safari - tabbed browsing (on iPad), private browsing mode, integrated Reader, Reading list and optimized performance
• Dictionary lookup throughout the interface
• Computer free operation - independent activation, OTA updates, iCloud backup and restore
• Wi-Fi synchronization with iTunes with automatic operation
• New features in the Mail app - Bold, Italic, Underline and Quote options, extended Search, mass Mark as Read/Unread and Flag setting, Add/Delete mailbox folders
• Updated Calendar and Game Center apps
• Newsstand app combining all of your magazine subscriptions
• iPod player now called Music, has new icon
• Separate Video app for iPhone
• AppStore purchase history (already available for iOS 4 too)
• New Storage management options (list and info of all installed apps)
• Multi-tasking gestures for iPad
• AirPlay mirroring for iPad
• New accessibility options involving the LED flash and custom vibrations

Typically, there's still plenty of stuff missing and some of the things will probably never make it to the iOS. Here is a list of the things we continue to miss:

Still missing:

• No Flash support in the web browser
• No quick toggles for Wi-Fi, Bluetooth and 3G
• No Facebook integration
• No proper widgets for the lockscreen
• App folders still are limited to 12 apps tops
• No DivX/XviD video support out of the box (though there're lots of players in the App Store)
• No USB Mass storage mode for uploading content to the device
• No haptics for the touchscreen
• No Bluetooth file transfers to other phones
• Contacts lack a swipe-to-delete or mass delete feature

Well, the list is notably shorter than last year's. It's debatable though whether Apple listened to the users or just filled their time with low-priority features that have been on the list for quite some time. Either way, some of the new stuff is quite good so let's waste no more time on introductions. Follow us on the next page where we start to explore the iOS 5 at close range.

Read More

MSI GE620DX Gaming Laptop

MSI has officially announced a new Sandy Bridge-powered notebook, called the MSI GE620DX. The new MSI GE620DX is a gamer-designed laptop which is claimed perfect for playing. The new gaming machine has brush metal finish chassis and also boasts an exterior with awesome high tech lines. The letters “MSI” are emblazoned in the center of the GE620DX’ cover in luminescent white script which is set off by the metal brush finish. This gaming machine supports MSI GPU Boost technology which automatically switches back and forth between the discrete graphics card and the graphics chip. 



This 15.6 ” laptop will work  with an Intel quad-core 2.0GHz Core i7-2630QM, support for DirectX 11 and PhysX GPU with the MSI’s own technology that is smart enough to switch from discrete to integrated graphics to maximize the efficiency of the machine. Other hardware specifications include a webcam 720p, HDMI output and a display 1366 x 768 LED backlit. Depending on your budget, you have a choice of hard drive options, and increase up to 8GB of DDR3 memory for your MSI GE620DX.

It comes with high-speed USB3.0 ports which boast transfer speeds of 4.8Gbps i.e 10 times faster than USB2.0 interface, and 80% higher power transmission. This is a portable device too which measures only 383 x 249.2 x 32.5 and weights around 2.4kg (with battery). Its 6-cell 4400 mAh battery enables an impressive battery life.

Adithya

Read More

Tablet computer for zero to four years Babies

With the way things are going, it can’t be too long before we see the unveiling of a curved tablet with straps attached, designed to fit snugly around the protruding bulge of an expectant mother. Such a device would be pre-loaded with an assortment of educational apps designed to give little Johnny or Jane a brainful of useful knowledge prior to their arrival in the big wide world.

You see, according to an LA Times report, Amazon has started taking pre-orders for the Vinci tablet, a 7-inch device aimed at babies from zero to four years of age. Newborns tend to do little more than babble and bowel movements, but now we’re supposed to believe they’ll be able to engage with a selection of games, books and music videos. Maybe they will.
The tablet incorporates a special soft-cornered handle, making it easy for those tiny little hands to grip. It has no Wi-Fi facility, so parents needn’t worry about their six-month-old toddler – who won’t know the value of money at that age (unless an app teaches them) – emptying their bank account by filling up the hard drive with costly downloads.
Under the hood, Vinci is likely to impress many. The Android-based device uses a Cortex A8 processor, has 4GB storage space and a 3-megapixel camera. It also has a slot for a MicroSD card, a built-in speaker and a built-in microphone.
Weighing in at 1.28 lb (580 g), Vinci is a touch lighter than the iPad at 1.33 pounds (603 g), so a baby will, at the very least, get a physical workout while playing around with it. The tablet is being sold for $389 and will be launched in the US on August 1o.
Vinci’s website explains that the tablet was “invented by our founder, Dr. Dan D. Yang, who is a mother and world-renowned telecom entrepreneur.” Yang came up with the idea for a baby-focused tablet when she noticed how much her young daughter liked to play with her smartphone and computer.
There’s no doubt that a great deal of thought has gone into the design of the Vinci tablet, but it might leave you wondering – whatever happened to those more traditional kinds of toys. Rattle, anyone?

Adithya

Read More

USB 3.0 Flash Drive Roundup..

A brief history of USB Flash Drives
Developed in the early 1990s by Compaq, DEC, IBM, Microsoft, Intel, Nortel, and NEC, Universal Serial Bus is today the de facto peripheral interface standard. It has almost entirely replaced earlier interfaces like the serial and parallel ports. USB also relegated most external storage media like floppy and Zip disks to obsolescence, due to the utilization of the USB interface by flash and external hard drive manufacturers. USB 1.0, launched in 1996, specified 12Mbits/s “Full Speed” data transfer rates between devices and the host computer, though it did not see widespread adoption. 1998 saw the release of USB 1.1, which maintained the same 12Mbits/s transfer rate, and was the first widely adopted USB standard.

Usb1.0

I remember happily paying over $100 for a 32MB flash drive in the fall of 1999 because I could fit an entire semester’s assignments, articles, and papers on a single gadget the size of a pack of gum – and it was also durable – my first flash drive survived three trips through the washing machine. Though it’s hard to imagine someone not recognizing a flash drive now, back then other students occasionally came up to me at the Fishbowl to ask “What is that blinking light thingy you plugged into the computer?” While the earliest flash drives were handy, they were agonizingly slow – even accounting for their diminutive capacities.

Usb 2.0

The widespread adoption of USB devices (over 10 billion in the wild) is largely due to the development of USB 2.0. The USB 2.0 specification was released in 2000, and boasts a 480Mbits/s data transfer rate. Though USB 2.0 devices rarely approach this theoretical throughput maximum, USB 2.0 is far less patience-trying than USB 1.1, and googling (or binging or yahooing) 'novelty flash drive' reveals there's a flash drive for every interest imaginable. However, in 2000 when USB 2.0 was introduced, a 20GB hard drive was ‘huge.’ Today, a 2TB hard drive costs less than $100, and copying 1,000GB+ over USB 2.0 is a not particularly exciting all-night affair.

USb 3.0

Like USB 2.0 before it, USB 3.0 offers dramatically improved data transfer rates compared to its predecessor. Though specifications were announced in late 2008, consumer devices didn’t start ‘hitting the street’ until the beginning of 2010. USB 3.0 specifies transfer rates up to 5Gbit/s, compared to USB 2.0’s 480Mbits/s. USB 3.0 devices are downward compatible with USB 2.0 ports. Because of the ubiquity of USB 2.0 ports and relative rarity of USB 3.0 ports, this is an important consideration. Unfortunately, plugging a USB 3.0 device into a USB 2.0 port yields USB 2.0 transfer rates. Fortunately, computers with USB 3.0 ports are becoming increasingly common. Many newer laptops have at least one such port. USB 3.0 port expansion cards are available to upgrade older systems, and many newer motherboards feature two or more USB 3.0 jacks. Cases with front USB 3.0 ports are still rare, as are motherboards with USB 3.0 front port headers, but these will only become more common as time passes.
Anand reviewed an array of USB 2.0 flash drives back in 2005. He found that performance between different manufacturers and different models was quite variable. Because manufacturers often do not provide hard data regarding their drives’ performance, or sometimes provide ‘idealized’ transfer rates that don’t equal real-world capabilities, choosing between flash drives is problematic. We compare here a number of USB 2.0 and 3.0 drives in multiple ways, including synthetic performance tests and real-world use scenarios.

Read More