Posted by Avik Sarkar
On 6/25/2011 04:47:00 pm
Google has released a Chrome extension that is capable of checking client-side code for cross-site scripting weaknesses and other security issues. Called DOM Snitch, the still-experimental extension intercepts JavaScript calls to potentially dangerous functions like document.write, document.cookie, HTMLElement.innerHTML and others. It records a complete stack trace allowing the user to determine if the calls can lead to cross-site scripting, mixed content, violations of the same-origin DOM policy and other issues. "DOM Snitch is intended for use by developers, testers, and security researchers alike," says Radoslav Vasilev, a Google security test engineer. The benefits of DOM Snitch include the ability to inspect DOM modifications in real-time without the need of debuggers, built-in security heuristics and nested views, as well as export capability. The easy exporting of captured DOM modifications enables developers to ask for help from their peers when troubleshooting issues. DOM Snitch is not the only security tool released by Google for developers. Its open source Skipfish and Ratproxy web application vulnerability scanners are also capable of detecting XSS, XSRF and other flaws.
JavaScript is a critical component in many web attacks, both client-side and server-side. It is used in most drive-by exploits, as well as to obfuscate malicious code on compromised websites. There are several types of cross-site scripting vulnerabilities. Persistent ones are most dangerous because they can be exploited to insert rogue code into pages permanently. Non-persisted or reflected ones can only be exploited by tricking users into opening malformed URLs.
DOM-based XSS flaws like the ones DOM Snitch helps identify are more complicated and can be exploited to load non-HTML code from a server or write code into the page directly on the client-side.
For More Info and to Download Click HERE
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by VOGH
On 6/25/2011 01:56:00 pm
11 High Profile Websites of Pakistan is Vulnerable Said Zero, He also Exposed Data Base and Credentials of Admins.
List Of Vulnerable Sites:-
http://www.awt.com.pk/
http://www.unapakistan.org.pk/
www.psf.gov.pk
www.commerce.gov.pk
http://www.whatmobile.com.pk/
http://www.competitiveness.org.pk/
http://www.whatmobile.com.pk/
http://www.smeda.org.pk/
http://www.shifa.com.pk/
http://www.gallup.com.pk/
http://www.onlinenews.com.pk/
www.phonebook.com.pk
Here are the details of those Sites:-
1) Army welfare trust of Pakistan Hacked by zero
Hacked website :-
http://www.awt.com.pk/news_detail.php?news_id=9
Mirror link:-
http://mirror.sec-t.net/defacements/?id=44797
2) XSS Vulnerablity in United Nations Association of Pakistan
link:-
http://www.unapakistan.org.pk/search.php?search=%3E%22%3E%3Cscript%3Ealert%28%22ZERO%20WAS%20HERE%22%29%3C/script%3E§ion=Whole+Site&x=24&y=1
3) Pakistan Science foundation is vul to sql-i
Data Base:-
http://pastebin.com/XCtn8Ksw
4) government of pakistan Ministry of Commerce is vulnerable to sql-i
| admin | $P$BCr2kHTn8oXYjZ.z2AabI56aSgo7gs. |
| khushnaam | $P$BtJsGbrR1l0.IYsv9a1tJhwkjMMYO/. |
Data Base:-
http://pastebin.com/WKwP68HC
5) civildefence of pakistan vul to sqli found by zero
Data Base:-
http://pastebin.com/HsXvQAGA
6) http://www.shifa.com.pk/ is vulnerable to sql-i
Data Base:-
http://pastebin.com/8r2vqqYF
7) http://www.smeda.org.pk/ is vulnerable to sql-i
Database:-
http://pastebin.com/7Xukb7cH
8) http://www.gallup.com.pk/ vulnerable to sql-i
Data Base:-
http://pastebin.com/3vNLAmry
9) http://www.onlinenews.com.pk/ vulnerable to sql-i
| 3e8edbe7d481ca8ba452ae92631a905e | admin |
| 4bc2cfed02b6bebf99b6646c82cec3b8 | admin |
Data Base:-
http://pastebin.com/y7Vt0zSC
10) http://www.whatmobile.com.pk/ vulnerable to sql-i
user: aamir
pass:NoMoreBullShit81
Data Base:-
http://pastebin.com/TzTMjKYK
11) http://www.competitiveness.org.pk/ vulnerable to sql-i
Vulnerable Link:-
http://www.competitiveness.org.pk/subpage.php?pageid=-21+union+select+1,concat%28admin_name,0x3a,admin_password%29,3,4,5,6,7,8,9+FROM+tbl_admin--
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 6/24/2011 10:31:00 pm
ErroR &
Aiyoo Hacker of Team Greyhat Found serious SQL-i Vulnerability in the Official Website of Public Health Engineering Department Govt. of West Bengal
He also Exposed The Admin credentials of that Site.
Admin Account:-
User Name:- superadmin
Password:- wbphed@#22486312
Admin Login Link:- http://www.wbphed.gov.in/applications/Admin/restrictedzone.php
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 6/24/2011 09:24:00 pm
DEFCON was started in 1993, and has grown into the largest annual gathering of hackers. Attendees to this year’s conference, DEFCON19, will include cyber-criminals, hackers, computer security professionals, security personnel, US Federal agents, and any one else with interest in anything that can be hacked. Activities at the event include speakers on different subjects of interest to hackers, social events and contents. In August the first ever DEFCON kid’s conference will take place. This conference will be run as part of the main DEFCON conference, and is meant to teach kids between 8 and 16 years “white hat” hacker skills. As opposed to “black hat” hacking, the DEFCON Kids will be taught “white hat” hacker skills that will give them the ability to protect themselves against cyber crime. Black hat involves the dark side of internet hacking, including looting of money and destruction of hardware or software. The aim is to convince kids that it is cool to fight crime by being an ethical hacker.
The courses will be run by some of the world’s most elite hackers. According to the DEFCON Kids website, the training and demonstrations will include “learning how to open Master locks, Google Hacking, making Electronics, Social Engineering, coding in Scratch and Communicating in Code.”
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 6/24/2011 05:27:00 pm
Arizona Law Enforcement Compromised by LulzSec. They released "hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses, and passwords belonging to Arizona law enforcement."
According To Lulzsec:-
"We are releasing hundreds of private intelligence bulletins, training manuals,
personal email correspondence, names, phone numbers, addresses and passwords
belonging to Arizona law enforcement. We are targeting AZDPS specifically
because we are against SB1070 and the racial profiling anti-immigrant police
state that is Arizona.
The documents classified as "law enforcement sensitive", "not for public
distribution", and "for official use only" are primarily related to border
patrol and counter-terrorism operations and describe the use of informants to
infiltrate various gangs, cartels, motorcycle clubs, Nazi groups, and protest
movements.
Every week we plan on releasing more classified documents and embarassing
personal details of military and law enforcement in an effort not just to reveal
their racist and corrupt nature but to purposefully sabotage their efforts to
terrorize communities fighting an unjust "war on drugs".
Hackers of the world are uniting and taking direct action against our common
oppressors - the government, corporations, police, and militaries of the world.
See you again real soon! ;D"
For More Click Here
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 6/24/2011 05:03:00 pm
Web hosting, Reseller, Vps & Dedicated services Provider Hosterbox Hacked by Shadman Tanjim , Admin Bangladesh Cyber Army
According to the Hacker:-
Website: www. hosterbox.com
Hacking Method: SQL Injection
Vulnerability risk: high
Host IP: 184.82.153.150
Web Server: Apache
Powered-by: PHP/5.2.16
Injected Link:
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 6/24/2011 04:45:00 pm
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types commonly found on Unix systems, as well as Windows LM hashes.
What is new in John the Ripper 1.7.8 :-
The bitslice DES S-box expressions have been replaced with those generated by Roman Rusakov specifically for John the Ripper. The corresponding assembly
code for x86 with MMX, SSE2, and for x86-64 with SSE2 has been re-generated. For other CPUs and for AVX/XOP, C compilers do a reasonably good job of generating the code from the supplied C source files (with intrinsics where relevant). The S-box expressions that we were using before had a 21% larger gate count, so theoretically this could provide a 21% speedup. In practice, though, a 12% to 14% speedup at DES-based crypt(3) hashes is typical. This effort has been sponsored by Rapid7
Corrected support for bcrypt (OpenBSD Blowfish) hashes of passwords containing non-ASCII characters (that is, characters with the 8th bit set). Added support for such hashes produced by crypt_blowfish up to 1.0.4, which contained a sign extension bug (inherited from older versions of John). The old buggy behavior may be enabled per-hash, using the “$2x$” prefix.
The external mode virtual machine’s performance has been improved through additional multi-op instructions matching common instruction sequences
(assign-pop and some triple- and quad-push VM instructions were added).
A few minor bug fixes and enhancements were made.
This release comes with an 17% improvement in gate count for the Data Encryption Standard (DES) algorithm by generating different S-box expressions targeting both typical CPUs with only basic instructions and CPUs/GPUs that have “bit select” instructions.
Download John the Ripper v1.7.8 HERE
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
