Posts

Showing posts from 2018

Secure Social Networking

Social networking sites are online communities filled with millions of people who are looking to meet new people as well as reconnect with old friends. These networks give us access to tools, options, and opportunities that previously were not possible. With all of these new ways to connect, many doors for cyber-crime have been opened, making it more important than ever to know the risks and how to protect yourself. Hackers thrive on social networking sites, especially those who wish to find and use the personal information that users willingly post to the world. However, it is possible to use these sites securely.

Top Tips to Stay Safe

Choose your social network carefully. Evaluate the site that you plan to use and make sure you understand its privacy policy. Find out whether the site monitors the content that people post. You will be providing personal information to this website, so use the same criteria that you would to select a site where you enter your credit card. Use privacy settings ...

OAuth 2 Framework for RESTful APIs

What is a RESTful API? A RESTful API is an application program interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. A RESTful API, also referred to as a RESTful web service, is based on representational state transfer (REST) technology, an architectural style and approach to communications often used in web services development.

How do RESTful APIs work? A RESTful API breaks a transaction down into a series of small modules. Each module addresses a particular underlying part of the transaction. This modularity gives developers a lot of flexibility, but it can be challenging to design from scratch.

Let's get started... I have created an authorization server and a resource server, both in a single API. There is an endpoint that you can call in order to retrieve the resources for demonstration purposes. This is written using node.js. In order to run this on your computer, you have to have node.js installed on your...

Cross-site Request Forgery Protection in Web Applications via Double Submit Cookies

When a user logs in to a web application, the site generates a random value and sets it as a cookie. A double submit cookie sends this value as a cookie but also as a request parameter. The server then confirms that the cookie value and the request parameter value match before executing a transaction request. An attacker cannot change a cookie value with a CSRF attack, so even if the request parameter is manipulated, the malicious request will not execute.

You can get a sample login page from here: https://github.com/csandeepa/CSRF-double-submit-cookies

Once you run the code you can see a login page like this. The initial page is index.php; here is how it looks. The login form is created using basic HTML, and the form submission method is POST. Here you can also see the session generation and login credential validation code written in PHP. After successfully logging in, the user is redirected to the update.php page. There is a function to get ...

Cross-site Request Forgery Protection in Web Applications via Synchronizer Token

What Is CSRF? Cross-site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. A successful CSRF attack can be devastating for both the business and the user. It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft, including stolen session cookies. CSRF attacks are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server. Because the unsuspecting user is authenticated by the application at the time of the attack, the server cannot distinguish a legitimate request from a forged one.

Implement Synchronizer Tokens

Synchronizer tokens are often referred to as "challenge" tokens. These challenge tokens are included within an HTML form and associated with sensitive server-side tasks. When a user wants to...

Tr0ll: 2 CTF Walkthrough

Meet the VM here: https://www.vulnhub.com/entry/tr0ll-2,107/

Hey there! This is the way I followed to find the flag in the Tr0ll 2 VM. It is not a difficult thing; I guess anyone can do it. Let's move on...

Finding the IP address of the Tr0ll VM. Running the nmap tool to get an idea about open ports and running services on the machine. According to the nmap result, the target machine runs 3 services:
- 21 ftp
- 22 ssh
- 80 http

Finding the common paths on the HTTP web service. Check the robots.txt file to get all the paths. Add all the paths in robots.txt into a text file and run dirb again using it as a dictionary (troll_paths.txt). Four working directories found. There is an image in each one, nothing else. Get these four images and check their md5 values. Only one image has a different hash value. Run the strings command on the image which has the different hash. Browsed to the /y0ur_self page and f...