SIMPLE HTML FORMS

1. Bypassing Required Fields

Surely you have met a webpage that requires you to fill all fields in a form in order to submit it. It is possible to bypass these types of restrictions on any webpage. If you take a look at the webpage’s source and follow it down to the form’s code, you will notice the onsubmit form attribute. Hopefully by this time you have experienced the power of javascript and you know that javascript has control over every single element in a webpage, including forms.We can use javascript to our advantage in every page we view for we can modify, delete, or add any element to the webpage. In this case we wish to clear the form’s onsubmit attribute in order for the form to be submitted successfully.

The onsubmit attribute generally points to a function that checks the form to have the correct format.  A function that does this may look something like this:

function formSubmit(x)

{

if(x.email.value==”") return false;

return true;

}

…

…

I will not go into great detail about how the formSubmit function works. You should know that if the (textfield/optionfield/option/..) field is left blank, the form will not be submitted to process.php. Now comes the moment of truth, how do we modify the form so that onsubmit returns true everytime? The way we can access the form with javascript and do this is:

document.forms[x].onsubmit=”return true;”;

or

document.spamform.onsubmit=”return true;”;

Both of these ‘queries’ will allow you to submit the form free of restrictions.  The secret is how to execute this.  I do this using my browser’s Location bar. All you have to do is enter this text into the location bar and press enter:

[removed]document.spamform.onsubmit=”return true;”;

The above statement will not work because the ‘query’ will return a value javascript doesn’t know what to do with it so it dumps the returned value on the screen. We need a way to use this value and escape it from passing on to javascript. I know the exact way to do this, with alert()!

[removed]alert(document.spamform.onsubmit=”return true;”);

You will see an alertbox with “return true;” instead of dumping this value out to the webbrowser. Once you have executed this query you will be able to enter whatever value into whatever field in spamform.

Full Article: Hacking with Javascript



By: sandya

About the Author:

The largest card swindle in the world done by unknown hackers.

TJX hackers have lost their doubtful record for data break-in involving card data. Then around 45 million cards were involved.

The American bank-credit card payment system company called Heartland has had unwanted visitors in their systems. Heartland is the largest US company within payment systems.

Malicious software has been planted in their systems to sniff card data. Visa and Mastercard reported suspicious activities in their systems and a research was performed and revealed a global effect of this break in.

It is not certain for how long the hackers have been in their systems and collected data.

There is not a certainty to what data the sniffer software has been looking for, but Heartland ensure that no personal information like social security codes, nor addresses or phone numbers have been taken out of their systems. But most likely the hackers have been looking for the track-2 data, which is the information from the magnetic stripe on the cards.

Heartland treats over 100 million transactions every month and this seems therefore to be the largest scam ever done on card thefts.

This means that more that 45 million cards are exposed to this theft.

CardCops reports that there are rumors in the underground that a huge break in has been performed in a company like Heartland.

In addition there has been a 20% increase in activities the hackers utilize to check whether the cards are working or not. They perform small transactions to charity organizations. December 23rd 2008 RBS Worldpay reported on behalf of The Royal Scotland Group that they have also had a break in to their systems. Around 1.5 million cards were leaked this time.

To attack companies like this is more serious than doing a break in to a store as these companies are the nerve centers in any payment transaction through out the world.

Drastic measures have to be taken in order to capture these hackers and at the same time make systems more bullet proof in the future.



By: Stig Kristoffersen

About the Author:

An Ethical Hacker is an expert hired by a company to attempt to attack their network and computer system the same way a hacker would. Ethical Hackers use the same techniques and tactics as those used by illegal hackers to breach corporate security systems. The end result is the company’s ability to prevent an intrusion before it ever occurs.

A company can’t know if their security system is solid unless they test it. It’s hard, though, for a company’s IT team to thoroughly ring out the system. Try as they might, the techs can’t go at the system with all the malicious or mischievous motives of a true illegal hacker. To thoroughly uncover vulnerabilities, the theory goes; you must examine your security system through the eyes of an illegal hacker.

The word hacking has strongly negative connotations, and, for the most part, rightly so. But ethical hacking is much different. It takes place with the explicit permission of the company whose system is being attacked. In fact, their “good guy” role is underscored by the nickname “white hat” Ethical Hackers have been given. The nickname is a throwback to old Westerns where the good cowboys could be identified by their white hats.

The company and the Ethical Hacker enter into a legally binding contract. The contract, sometimes called a “get out of jail free card,” sets forth the parameters of the testing. It’s called the “get out of jail free card” because it’s what harbors the Ethical Hacker from prosecution. Hacking is a felony, and a serious one at that. The terms of the agreement are what transform illegal behavior into a legal and legitimate occupation.

Once the hacker has exhausted his attempts, he reports back to the company with a list of the vulnerabilities he uncovered. The list in and of itself, however, is not particularly useful. What’s most valuable is the instructions for eliminating the vulnerabilities that the Ethical Hacker provides.

An Ethical Hacker works to uncover three key pieces of information. First, he determines what information an illegal hacker can gain access to. Next, he explores what an illegal hacker could do with that information once gained. Last, the Ethical Hacker ascertains whether an employee or staff member would be alerted to the break-in, successful or not.

At first it might sound strange that a company would pay someone to try to break into their system. Ethical hacking, though, makes a lot of sense, and it is a concept companies have been employing for years. To test the effectiveness and quality of product, we subject it to the worst case scenario. The safety testing performed by car manufacturers is a good example. Current regulatory requirements including HIPAA, Sarbanes Oxley, and SB-1386 and BS 799 require a trusted third party to check that systems are secure.

In order to get the most out of the assessment, a company should decide in advance the nature of the vulnerabilities they’re most concerned with. Specifically, the company should determine which information they want to keep protected and what they’re concerned would happen if the information was retrieved by an illegal hacker.

Companies should thoroughly assess the qualifications and background of any Ethical Hacker they are considering hiring. This individual will be privy to highly sensitive information. Total honesty and integrity is of the utmost importance.



By: Paul Walsh

About the Author:

So How exactly do hackers strut their stuff? I think it is important to understand the basis of their activity in order to protect our computers from their filthy hands even further. By knowing what they do, we’ll understand which part of the computer they specifically target thus makes it easier for us to protect our computers by taking measures against that specific part. In a way, the quote, “Attack is the best form of Defence” can be applied here and I don’t mean hacking back the hackers who hacked you. I mean outsmarting them so they can’t repeat the same process over and over again. Who knows? If everyone gives them a hard time then they may go elsewhere and turn into a new leaf, using hacking for a good cause. So how do hackers hack your computer? Unfortunately, there are many ways in which one can do so. As explained by the following quote.

“In the Old world, if I wanted to attack something physical, there was one way to get there. You could put guards and guns around it, you could protect it. But a Database – or a control system – usually has multiple pathways, unpredictable routes to it, and seems intrinsically impossible to protect. That’s why most efforts at computer security has been defeated.” – Andrew Marshall, military analyst

That sums it up perfectly. Unfortunately, most efforts at computer security has been defeated because hackers continue to evolve their ideas so it becomes stronger and less detectable. However, these megaviruses and malware only come around once in a while so lets focus on the most common forms of hacking. Note: If you are looking for ways to hack then you’re on the wrong site buddy.

Type 1: Brute Force attack

A brute force attack is a method of defeating the encryption which secures a network by systematically trying a large number of possibilities. What it basically does is to guess the possibilities of a password by running through a list of dictionary words, number patterns and symbols until it has found the actual password. This kind of hacking can take up to weeks if the password is complex but can take a matter of minutes if your password is as simple as ‘abc’. How to avoid it? Simple. Make your password as complex as possible and use a secure password manager such as Roboform to remember it. How do you make a complex password? Check my earlier article, ‘Impossible for others, possible for you – designing your password’.

Type 2: Bogus websites

Unfortunately, many internet users don’t pay attention a lot of attention on the website they access. For example, there has been two cases of bogus Facebook websites during the last few months when hackers made a replica of Facebook and convinced users to sign in like a normal Facebook website. How? They’ll first infiltrate a user’s account and send a convincing message to all his friends. The message could be something like “Hey. Check out your photo in my Photo Album. Click here to see it’. The link will lead the user’s friend to the bogus Facebook website which will request the user to sign in again. Once the user has signed in, all the information goes straight to the hacker and the hacker will then able to infiltrate the user’s account and repeat the process. There has also been cases like this for eCash websites such as Paypal. So how you do distinguish a genuine and bogus website? First, pay attention at the URL address. Are there any typos? For example, myspace.com and mysspace.com. Most users only take a quick glance at the URL address and I guarantee that they wouldn’t be able to spot the typo from the previous example. Another thing to look for, especially if you’re doing online transactions is the https:// sign. All major online businesses should have this to show that any transactions are encrypted and secured. In the end, it really comes down to common sense so always be aware of any websites you visit and don’t click a link hastily if you come across one.

Type 3: Trojans, spyware and keyloggers

Trojans, spyware and keyloggers can all be classified as malware. What do they do? They basically act as a backdoor in a computer. A Hacker will distribute a legitimate looking installation file around, possibly through emails or P2P networks. What most user wouldn’t know is that a trojan or spyware would be part of the installation file and they would be installed unnoticed. Once they have been installed, the malware process will run in the background and monitor every move a user makes on his computer. A keylogger for example will record every keystroke a user makes, things like passwords and bank account numbers are at risk. How do you avoid these malware? Download files only from legitimate and reputable websites! Always question the software beforehand by searching about it on Search Engines like Google. You are bound to find many user reviews about the software, helping you decided whether to install the file or not.

Type 4: Software vulnerabilities

Unfortunately, every software and programs out there has flaws and hackers take advantage of them quickly and efficiently. As you may have heard recently, The Conficker Virus was able to spread due to a vulnerability in the Windows Operating System. To reduce the chances of hackers taking advantage of these vulnerabilities, always download the latest updates for your OS as soon as it is released. Windows has its infamous Windows Update which can be quite annoying at times but it is the quickest and most efficient way for Microsoft to distribute updates to fix any security vulnerabilities they find in the system. There are unfortunately many other forms of hacking out there but the above four points cover the most basic of attacks which are performed against common users. Hackers on a large scale may also use attacks such as DDOS (Distributed Denial of Service) which aims to overload a system’s network by directing many ‘puppet’ computers to a site in one go. Sounds scary huh? Don’t worry. These attacks are not likely to come at you unless you are a high figure profile causing controversy in the underground world. Just be aware of what you do on your computer and always have an antivirus of antispyware program installed to reduce your chances of being hacked.



By: James Millway

About the Author:

Many of you might have seen this, especially IE users, on thier IE title after the transfer of some files to a handy drive.

Hacked by godzilla- MS32DLL.dll.vbs,a low threat worm(symantec) is also known as VBS.Zodgila worm.

It was discovered since Nov 23, 2006

How it works

1)It firstly creates

[****]:\MS32DLL.dll.vbs

[****]:\MS32DLL.dll.vbs

[****]:\autorun.inf

NOTE:**** REFERS TO DRIVE NAMES

2)Secondly it adds the following Windows IE entry level values

“MS32DLL” = “%Windir%\MS32DLL.dll.vbs” to the registry subkey:

HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \Run

3)Finally it changes the IE title

“Window Title” = “Hacked by[REMOVED]” to the registry subkey:

HKEY_CURRENT_USER \Software \Microsoft \Internet Explorer \Main

to modify title in Internet Explorer.

4)As a result your IE title will end with “Hacked by Godzilla” and You might not able to open

any of your drive by double click

Now i will tell you how can you remove the worm

Open Task Manager ( Right click on your taskbar and click “Task Manager” ) Click on Processes tab and select “wscript.exe” and click “End Process” button. (Remember to remove all wscript.exe) Go to My Computer, Click on Tools -> Folder Options, click on View tab Under Advance settings,

check “Show Hidden files and folders“,

uncheck “Hide extensions for known file types“,

uncheck “Hide protected operating system files (Recommended)”

and click “OK” button Go to C:\WINDOWS or C:\WINNT and delete file MS32DLL.dll.vbs Now go to all your drive in your computer, and delete autorun.inf and MS32DLL.dll.vbs………………(visit blog below)

TO SEE MUCH MORE ARTICLES OF THE SAME VISIT www.stolentips.blogspot.com



By: prem

About the Author:

 Around 8000 net bank customers in Denmark has been deprived to enter their own net banks lately. The reason is a virus according to F-Secure that has been targeted against Danish net bank customers.

The main task of the virus was to take control over the customers card transactions and let the men behind the scene empty the accounts for money. There is no information about whether money is lost during this attack or not. The banks have closed several accounts in order to minimize any risks in this case.

The security company F-Secuer has identified the Trojan as Trojan-Banker.Win32.MultiBanker but there remains to make a cure against these.

The Trojans identified in this case were difficult to detect and complicated in construction, as they have used rootkit technology and the consept they have used to sniff information is called Man-in-the-Browser technique.

The way it works is that the Trojan modifies the victims behaviour in true time like in a bank transactions. The method is described as very complicated and expensive routine. Unfortunately we will see more of these types of attacks in the future and the banks will need to ensure more safe routines and methodologies to ensure customers security online as well in other electronic transactions they are involved in.

The challenge is big, however, it remains to see whether the banks will make available enough resources and efforts to solve these issues or not.

At the moment it looks like internet based services are not safe for the users and caution is advised using these at the moment.



By: Stig Kristoffersen

About the Author:

So in my first post on Network Security/Hacking i have told you how to use angryip scanner to find out live computers on your network…..sorry to say this but most of the internet users out there are not concern with their network security and they connect to the internet without using a Firewall, and most of them share a folder with important files…..

There are many software based firewalls like Zone Alarm which sit on your PC between your OS and Internet and wheneven some program tries to access the internet they will pop-up a window asking you weather you want to allow the program or not….if you dont have the knowledge about that program you can always google.com to find what the program is….and then you can allow/block them…sounds simple right but it provides the best protection….

Sharing of folders….this is something which is the killer in the cable internet networks….even if you dont have any folders shared but you have File Printing and Sharing enabled you are vunerable to all the Network Virus which spread through network..If you have a cable internet connection remember to remove File Printing and Sharing from Network Connections. Its a service and you dont need it to access the internet….

Angryip scanner result window would display all the live hosts and you can right click a live host and select browse to browse the shared folders….

 Another basic mistake people do is they would allow unwanted services enable…for example telnet….have you used telnet before…..most of you would answer no…its a service through which you can remotely connect to a PC and execute commands….by default it comes with a blank password….so you can simply right click the live hosts and select Telnet…if the service is enabled you are in his system and you can use any dos command you have learnt as part of your Basic Computer skills….delete all system files to make his system useless…thats the worst thing to do….

 Keep comming back for more….and please post your suggestions and comments…….



By: Sunil Saripalli

About the Author:

An Ethical Hacker is an expert hired by a company to attempt to attack their network and computer system the same way a hacker would. Ethical Hackers use the same techniques and tactics as those used by illegal hackers to breach corporate security systems. The end result is the company’s ability to prevent an intrusion before it ever occurs.

A company can’t know if their security system is solid unless they test it. It’s hard, though, for a company’s IT team to thoroughly ring out the system. Try as they might, the techs can’t go at the system with all the malicious or mischievous motives of a true illegal hacker. To thoroughly uncover vulnerabilities, the theory goes; you must examine your security system through the eyes of an illegal hacker.

The word hacking has strongly negative connotations, and, for the most part, rightly so. But ethical hacking is much different. It takes place with the explicit permission of the company whose system is being attacked. In fact, their “good guy” role is underscored by the nickname “white hat” Ethical Hackers have been given. The nickname is a throwback to old Westerns where the good cowboys could be identified by their white hats.

The company and the Ethical Hacker enter into a legally binding contract. The contract, sometimes called a “get out of jail free card,” sets forth the parameters of the testing. It’s called the “get out of jail free card” because it’s what harbors the Ethical Hacker from prosecution. Hacking is a felony, and a serious one at that. The terms of the agreement are what transform illegal behavior into a legal and legitimate occupation.

Once the hacker has exhausted his attempts, he reports back to the company with a list of the vulnerabilities he uncovered. The list in and of itself, however, is not particularly useful. What’s most valuable is the instructions for eliminating the vulnerabilities that the Ethical Hacker provides.

An Ethical Hacker works to uncover three key pieces of information. First, he determines what information an illegal hacker can gain access to. Next, he explores what an illegal hacker could do with that information once gained. Last, the Ethical Hacker ascertains whether an employee or staff member would be alerted to the break-in, successful or not.

At first it might sound strange that a company would pay someone to try to break into their system. Ethical hacking, though, makes a lot of sense, and it is a concept companies have been employing for years. To test the effectiveness and quality of product, we subject it to the worst case scenario. The safety testing performed by car manufacturers is a good example. Current regulatory requirements including HIPAA, Sarbanes Oxley, and SB-1386 and BS 799 require a trusted third party to check that systems are secure.

In order to get the most out of the assessment, a company should decide in advance the nature of the vulnerabilities they’re most concerned with. Specifically, the company should determine which information they want to keep protected and what they’re concerned would happen if the information was retrieved by an illegal hacker.

Companies should thoroughly assess the qualifications and background of any Ethical Hacker they are considering hiring. This individual will be privy to highly sensitive information. Total honesty and integrity is of the utmost importance.



By: Paul Walsh

About the Author:

The first cause for websites being hacked is the lack of knowledge of

their webmasters.

Hackers or even wannabe hackers can modify your website home page,

steal your website profits and fame by just using ready to be downloaded

exploits published into trusted and untrusted internet security portals.

Wether you have a basic knowledge of web site publishing or you are

an experienced webmaster the only thing to protect yourself from hackers attacks

is ethical hacking.

Ethical hacking means understanding your enemy mind, skills, intentions and

strength, up to take the successful countermeasures that will save your daily hard job

into developing a successful and trusted web platform.

Image damages causing shareholders and customers complaints, not to mention

6 figures money loss, is what led many big corporations to hire dozens of ethical hackers

to keep their networks and web site safe from “bad” hackers.

In this article I am going to focus on the following two questions:

What do ethical hackers do?

What can I do to protect my website if I am not an ethical hacker?

The first step taken by hackers, should they be ethical or evil, is to scan your

web application for known vulnerabilities. This can be achieved through a

penetration testing process that can be manual or automated by some programs

and scripts. This is the most important and crucial task in every attack attempt.

And this is what an ethical hacker can’t fail.

The second step is to get a working exploit to take advantage of the vulnerablity

found in step 1. Here is where protection and fixes should take place to *prevent* the attack and not

to just cure after the disaster. Ethical hackers in this case would be able to

modify source codes to cover the holes or just reduce the success rate of the attack dramatically.

I would strongly advise to work on the first step since it is the most simple

to master wether you’re not expert into security field or you just don’t have enough money to hire

an experienced ethical hacker.

Internet security knowledge is what can save your site with a very cheap price.

At the most basic level this can be achieved by keeping yourself informed on your

websites scripts well-known vulnerabilities, available patches and

security best practices.

Moreover the understanding of basic attacking vectors like Cross site scripting or SQL Injection will

keep you safe from a big number of wannabe hackers that you will be able to

defeat…with your knowledge!

So next time you will see some suspicious activity in your website log you will be laughing at it,

since not a dummy tool but your own knowledge as ethical hacker will be protecting you.



By: ryan

About the Author:

Have you ever seen your friend post a bulletin on MySpace about how they made a $1,000 on the weekend? It’s the first sign your friend’s MySpace account has been hacked. Maybe you’ve had your MySpace account hacked and would like to know what you can do to prevent it from happening again in the future. Then this post is for you.





Phishing

Most people have their account hacked by clicking on a stranger’s profile only to be taken to what looks like the MySpace login screen. Turns out it’s not a MySpace login screen and the username and password you just entered is saved for future use by the bad guys(hackers). The biggest thing is if you find yourself suddenly sent to the login page when you haven’t signed out, look at the url and make sure it says myspace.com in the address bar. If it has happened to you, you should be able to remedy the problem by simply changing your password watching for the proper web address in the future.

For more on Phishing and the method used for hacking Myspace account by Phishing refer:

Hack email accounts by Phishing.

Viruses

Another way people have their account hacked is from malware installed on their system that records their keystrokes. This is an uncommon problem for MySpace accounts because people looking to watch your keystrokes wouldn’t risk the legal trouble for MySpace accounts. They’d much rather take your bank account or something more valuable. If you change your password repeated times and you keep getting hacked, then you may have a virus and you’ll need to reinstall your operating system and start over.



Spy Software



Keylogging is the best and most guaranteed way to obtain a myspace password because not only can their myspace password, but you can get the passwords to everything they have and see every piece of information entered on the computer. Keylogging refers to the monitoring of key’s pressed on a keyboard, but most spy software contain many more usefull features. Some software does not even require you to touch the person’s computer, which many people find extremely usefull. I have tried many many different software solutions, and here is what I recommend.

If you have physical access to their computer, this should be relatively easy. For this situation, we recommend a keylogging software such as Ardamax keylogger . You can simply install it on the computer that they use and it will log all activity on the computer, including capturing the MySpace password. I recommend Ardamax keylogger because it has a unique MySpace capture feature that saves a screenshot of every page visited on the site and also has a great interface.

If there’s no way you can physically access their computer, it can be a little trickier to pull off. The program i’ve found that works the best (and gets so close to this ethical line) is a service called SniperSpy. SniperSpy gives you a module that you can send to your target that will allow you to spy on their computer’s every action. No physical access to the target’s computer is needed. You can view their computer screen LIVE from anywhere at anytime via your web browser, which means you don’t need to install anything on your computer either. You will be able to look at chat conversations, web sites visited, and gain access to all the online accounts they log into while being SniperSpyed. It even takes image screenshots of every internet webpage they look at, so that if they are perhaps deleting messages from their email/myspace inbox, you can look at the stored screenshots and read the deleted messages when normally you never could! This is the tool I used to catch my girlfriend and it worked absolutely great. I really believe it’s the ultimate spying tool (and i’ve tryed a lot of things). Their Testimonials page shows that they’ve been on the news and featured in several magazines, so you should feel pretty good that you’ll accomplish what you’re after when you buy it.

I’ve gotten word of a secret coupon code for 25% off SniperSpy and/or Acespy! That’s at least $20 off! Too bad I didn’t know about it when I bought SniperSpy, haha. At the second purchase page, enter the following code: RXS-SPY25

Ask them for it

Yeah, that wasn’t what you wanted to hear. Well, the truth is, an honest partner will let you have it if there is absolutely nothing going on. The reason you should ask is they might be forthcoming. If your partner refuses, it does not necessarily mean they are cheating, but it is a red flag and can indicate they are hiding something

Other

People can also think their account was hacked if they neglect to log out and someone uses the computer after them. So be sure to logout and not just close the window, especially if you’re at a library, internet cafe, or the like.

So guys, i have provided you with almost all methods used for hacking Myspace accounts passwords. If you have any query about hacking myspace account passwords, please let me know.

Enjoy HaCkInG….



By: Rajesh

About the Author: