XSS or Cross Site Scripting
Remote Code Execution
SQL Injections
These are the names of the same procedure.
Cross Site Scripting
Cross-site scripting (XSS) is a type of web security vulnerability, typically found in web applications, that allows hackers to inject code into web pages by finding back doors and insecure, carelessly handled code. Once they have done so, they can execute code on your website and obtain your database and the website's private information.
Preventing XSS Attacks
Some people call this "bad code", and it is said to be the cause of the vulnerability. There are ways to secure code to prevent such attacks.
- Validate each input used in every form of your website
- Filter special characters from inputs, e.g. %, <, >, etc.
- Encode special characters where needed, e.g. & into &amp;, etc.
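The encoding rule above, as an added example in Python (not code from the original post): the unsafe renderer pastes untrusted comment fields straight into the markup, while the hardened one passes them through html.escape first, which turns & < > " ' into entities so the browser treats them as text rather than as markup. The sample inputs are constructed for the example.

```python
import html

# Constructed sample inputs: a comment body that carries markup and an
# author name that carries a double quote (the attribute delimiter).
SAMPLE_TEXT = "I think 1 < 2 <script>alert(1)</script>"
SAMPLE_AUTHOR = 'Tom " Jerry'


def render_comment_unsafe(author: str, text: str) -> str:
    # Untrusted fields are concatenated straight into attribute and element content.
    return '<div class="comment" data-author="' + author + '">' + text + "</div>"


def render_comment_safe(author: str, text: str) -> str:
    # Encode before the value reaches the page: & < > become &amp; &lt; &gt;,
    # and quote=True also turns " and ' into entities for attribute context.
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return '<div class="comment" data-author="' + safe_author + '">' + safe_text + "</div>"


def contains_raw_tag(markup: str, tag: str = "script") -> bool:
    # True when a literal opening tag survived into the rendered markup.
    return ("<" + tag) in markup.lower()
```

In the unsafe output the author's quote closes the data-author attribute early (five double quotes instead of four), which is the same breakout the text-content case shows with the script tag.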
SQL Injections
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of a web application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
Types of SQL injections
- Incorrectly filtered escape characters
- Incorrect type handling
Incorrectly filtered escape characters
In this type of SQL injection, user input data is not filtered for escape characters.
For example:
"SELECT * FROM users WHERE name = 'userName';"
If the userName entered by the user is 'a', the statement becomes:
"SELECT * FROM users WHERE name = 'a'"
which will bypass the user authentication method.
Incorrect type handling
This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints.
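Both types above, as an added example in Python (not code from the original post) against a constructed in-memory SQLite table: the unsafe functions build the statement by string concatenation exactly like the query shown above, so an input with an embedded quote, or a non-numeric id, changes the statement itself; the hardened functions bind the value as a query parameter and enforce the integer type before it gets anywhere near the SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


# --- Incorrectly filtered escape characters ---------------------------------

def find_user_unsafe(conn: sqlite3.Connection, user_name: str) -> list:
    # The quote in the input is not escaped, so it closes the string literal
    # and whatever follows is parsed as SQL rather than as the name value.
    sql = "SELECT * FROM users WHERE name = '" + user_name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, user_name: str) -> list:
    # Parameterized query: the value is bound separately and is never SQL text,
    # so a quote inside it is just one character of the name being looked up.
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


# --- Incorrect type handling ------------------------------------------------

def find_by_id_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    # The id arrives as text and is pasted into the statement with no type check.
    return conn.execute("SELECT * FROM users WHERE id = " + user_id).fetchall()


def find_by_id_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Enforce the type first: reject anything that is not an integer, then bind it.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM users WHERE id = ?", (uid,)).fetchall()
```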
Writing Secure PHP Code
More Security Measures
- Never use scripts from an unreliable source.
- Always use only up-to-date open source software, and whenever a security upgrade or updated version is available, update your software immediately.
- Never set register_globals to On in your php.ini settings.
- Validate all inputs in any form on both the client side and the server side.
- Use website vulnerability scanner software to ensure that the website has no backdoors or security holes.
- Use reCAPTCHA for website forms.
- Always back up your web application at regular intervals.
- Check file and folder permissions (CHMOD) on your web server via FTP. Files must not be executable or writable.
- Make folders that have no index file forbidden.
- Use mod_rewrite.
- Use redirection wisely.
- Create custom error pages.
Finally, stay up to date on security issues, bugs and vulnerability information about PHP by following this website:
http://phpsec.org/
Is your website secure? XSS (Cross Site Scripting) attacks give hackers access to your website content and database. If your web applications are not secure, then your entire database of sensitive information is at serious risk.
Hackers are on the lookout for Cross Site Scripting (XSS) vulnerabilities in YOUR web applications. Shopping carts, forms, login pages and dynamic content are easy targets. Beat them to it and scan your web applications with Acunetix Web Vulnerability Scanner:
- Acunetix WVS automatically checks your web applications for XSS, SQL Injection & other vulnerabilities
- Firewalls, SSL and locked-down servers are futile against web application hacking
- Acunetix checks your web applications for coding errors that result in Cross Site Scripting vulnerabilities
- Acunetix also checks for other vulnerabilities in popular web applications such as Joomla, phpBB, WordPress, etc.
- Acunetix identifies files with XSS vulnerabilities, allowing you to fix them BEFORE the hacker finds them!
Audit your website security with Acunetix Web Vulnerability Scanner. The best part about this software: a free version is also available.
Download Link
http://www.acunetix.com/cross-site-scripting/scanner.htm
Web hosting has always been a tricky question for webmasters. Sometimes you are satisfied with your current hosting provider, but it's all a matter of time. I experienced a loss recently. The mistakes might have been mine as well, but some hosts do not cooperate enough to keep you secure; they leave you at the critical time. I will not name the host, but I will describe the critical situation I was in. My web hosting account was hacked. The web host suspended my account and recommended that I move host.
Possible Reasons Involved
- I was busy and away from my web account
- I was using an old version of the WordPress software
- I was not aware of the critical threat of website vulnerabilities
- Too much reliance on the host
- Uploading various open source software to my web host for testing purposes
- Uploading unsecured forms
Consequences
My hosting provider scanned my website and suspended my account. They informed me that there were some malicious scripts on my website. I checked and deleted those I could find. Soon enough more were found, and host support told me to move host.
What I had To Do
They suspended my account. My seven websites, including blogs, also went down (they were all on the same web account). I had only control panel and FTP access. I downloaded the data and databases, set up the blogs on localhost, exported my posts, moved to a new host, transferred the domain names, uploaded new WordPress software and imported the posts. It took a long time.
What the Web Host Could Have Done
- They could have told me all the vulnerabilities and the locations of the scripts so that I could get rid of them
- They could have advised me to download all the data and, after cleaning it, upload it again
- They could have removed all the vulnerabilities themselves, as I gave them permission to do so, because they are supposed to be more technical in this
What I Could Conclude After This
- A web host will suspend your account and can delete it at any time whenever they feel you are in trouble, and they will tell you to move host; it doesn't matter that you tell them you are not quitting and will try to fight back against the threats
- Always upgrade to the new version of software
- Get a website scanner and scan your website for cross-site scripting threats and other vulnerabilities
- Manage your .htaccess and robots.txt files well
- Take care with directory and file permissions
- Do not upload unnecessary open source CMSs or scripts for testing unless you know them fully
- Get Unix-based web hosting
- Do not put all websites in one web hosting account (if you have enough budget, I recommend a separate web hosting account for each domain and website)
My Recommendation
Know More About WordPress Vulnerability
- Old WordPress versions can get your blog banned from Google
- WordPress SQL injection vulnerability
- WordPress upgrade importance
- WordPress vulnerabilities list, blog watch
- WordPress Exploit Scanner plugin
- How to know whether your blog is vulnerable or being hacked
Change your PC's resources the way you like. That's what 'Resource Hacker' is all about. If you like to play tricks with your PC and tweak it a bit, then 'Resource Hacker' is a good choice, and it is absolutely free and easy to use.
Resource Hacker is a freeware utility to view, modify, rename, add, delete and extract resources in 32bit Windows executables and resource files (*.res). It incorporates an internal resource script compiler and decompiler and works on Win95, Win98, WinME, WinNT, Win2000 and WinXP operating systems.
Viewing Resources: Cursor, Icon, Bitmap, GIF, AVI, and JPG resource images can be viewed. WAV and MIDI audio resources can be played. Menus, Dialogs, MessageTables, StringTables, Accelerators, Delphi Forms, and VersionInfo resources can be viewed as decompiled resource scripts. Menus and Dialogs can also be viewed as they would appear in a running application.
Saving Resources: Resources can be saved as image files (*.ico, *.bmp etc), as script files (*.rc), as binary resource files (*.res), or as untyped binary files (*.bin).
Modifying Resources: Resources can be modified by replacing the resource with a resource located in another file (*.ico, *.bmp, *.res etc) or by using the internal resource script compiler (for menus, dialogs etc). Dialog controls can also be visually moved and/or resized by clicking and dragging the respective dialog controls prior to recompiling with the internal compiler.
Adding Resources: Resources can be added to an application by copying them from external resource files (*.res).
Deleting Resources: Most compilers add resources into applications which are never used by the application. Removing unused resources can reduce an application’s size.
Download Resource Hacker
This is supposed to change your dynamic IP address.
Open Notepad and type:
ipconfig /flushdns
ipconfig /release
ipconfig /renew
ipconfig /all>newip.txt
then save as (select all file types): ip.bat
This is now a batch file rather than a text file. Simply run the file and watch the progress.
If you want to print out the results, add this line at the end of the same file:
ipconfig /all>filename.txt
A report will be saved in the same directory as your batch file, detailing your new IP and a bit more.