Ethical Hacking: Playing around with the basics | Part#2

Continuing to share further experiences from my Ethical Hacking learning journey.

I was occupied with quite a few things on the personal front recently, hence I couldn’t go at the speed I wanted, but I could juice out some productivity in the form of some reading and some practical exercises.

I read a few chapters of The Web Application Hacker’s Handbook and, the best part, read lots of publicly disclosed reports by HackerOne, Publicly Disclosed and Bugcrowd.

On the practical side, I tried RCE on a few Bugcrowd program sites, though I couldn’t succeed yet. Also, the learning and discussions journey continued with the awesome Santhosh Tuppad. So recently he gave me around ten exercises to crack. Let’s see how I approached them one by one.

Exercise#1

In the first exercise, I was supposed to crack the username and password of a dummy login page. The hint was left in the source code that the Base64-encoded value of the username is the password. I guess the agenda was to get the learner familiar with encoding and to check whether he/she is checking the source code for hints. It took me a minute or so to use an online encoder to get the expected password value. However, due to some technical glitch in the dummy exercise application, it was not letting me get through (the error was genuine, so it looked like expected working where access was denied).

Hence, even though my answer was right, I felt that it was not and kept on searching and trying new things. This technical glitch pushed me for days where I kept on trying different things to crack through. Below are a few things I tried; I know some of them are silly but I tried them anyway.

  1. Admin as username and password as many sites actually have such password for admin panels
  2. UserName as username and password, pwd as password (Hint from source code)
  3. admin / admin123 as username and password (again from past experience and usual username-password patterns)
  4. santhoshtuppad as username and password
  5. santhoshtuppad as username and c2FudGhvc2h0dXBwYWQ= as password (The Correct answer, which I got to know only after trying everything)
  6. comment as password (Hint from source code)
  7. value of comment encoded in Base 64 as password (Hint from source code)
  8. empty username, password
  9. single space as username and password
  10. Enabled token ID field on UI and tried SQL injection, 1=1', 1=1--, 2=2--, and others (tried SQL injection on the CSRF token field by enabling it)
  11. Tried SQL Injection on username and password
  12. Used tamper data plugin to play with parameters passed
  13. Tampered cookie values
  14. Added debug points using developer tool trying to understand the flow through script
  15. Tried changing the method TYPE to GET from POST with same parameters and request data and executed same
  16. Went through integrated scripts as well
  17. Tried for context variations, /one/admin
  18. Looked for XML-RPC
  19. Knowing MySQL, tried few queries on mysql / information_schema, users table, etc. (as part of SQL injection)
  20. Tried /exercise/one/admin as well with several credentials
  21. Tampering the POST request

Exercise#2

The goal was to try a dummy username and password in all the forms one by one, find out the best error message, and explain why the other error messages are not recommended.

Here are my findings:

Messages Observed-

  1. The password you entered for admin is incorrect.
  2. Invalid username / password
  3. Wrong password.
  4. The username doesn’t exist

I would put my money on message#2.

Messages 3 and 4 clearly tell me whether the particular username I am using is registered with the system or not, which narrows down my target zone.

OR

It might also violate privacy, as it tells me whether a particular user is present/registered on the system or not.

Message#1 is basically an incorrect message as it always throws standard message even if a user is not registered. So this, in turn, might confuse the registered user.
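The difference between messages #3/#4 and message #2 can be seen in a login handler. This is an added example, not code from the exercise application or the original post; the user store, account names and function names are hypothetical.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username / password"  # message #2 from the exercise


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed sample user store (hypothetical accounts).
USERS = {"admin": make_user("correct horse"), "alice": make_user("s3cret!")}
# Dummy record so unknown usernames cost the same hashing work as known ones.
DUMMY = make_user("placeholder")


def login_leaky(username: str, password: str) -> str:
    """Mirrors messages #3 and #4: the reply reveals whether the account exists."""
    user = USERS.get(username)
    if user is None:
        return "The username doesn't exist"
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return "Wrong password."
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Mirrors message #2: one reply for every failure, same work on each path."""
    user = USERS.get(username, DUMMY)
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    if ok and username in USERS:
        return "OK"
    return GENERIC_ERROR


def distinguishable(login, known: str, unknown: str) -> bool:
    """Regression check: do failed logins answer differently for a registered
    and an unregistered username?"""
    return login(known, "wrong-guess") != login(unknown, "wrong-guess")


if __name__ == "__main__":
    print("leaky handler distinguishable:", distinguishable(login_leaky, "admin", "nobody"))
    print("uniform handler distinguishable:", distinguishable(login_uniform, "admin", "nobody"))
```

The `distinguishable` check can be kept as a regression test so a later change to the error text does not reintroduce username disclosure.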


How to get your Team together and be a Happy Unit

Testers in Blue #ZyQualSquad

If you are a leader (with a title or without title), I am sure you must often be thinking about how to get your team together. How to juice productivity with visible vibrant energy and free-flowing passion across the team. You must be thinking of conducting some awesome team building activities, or presenting (or receiving) content of great help to your entire team so that they would feel that they are learning in some way. My mind is often occupied with such thoughts. Not just because I lead a team, but because I naturally love to push people to get their best, to grow together. And of course, I equally love to learn from the people around me.

The weekly Wednesday session is one of those many initiatives my team and I took as part of our efforts towards making the above possible. If you do not know what our weekly Wednesday session is about, you can get a glimpse of what exactly it is here. Ok, so I am not really going to directly tell you the ‘how to’ here as the title might have conveyed, but I am surely going to share a few practical hints on ‘what can be done’. Wednesday is a fun day for us. It stays eventful and it stays productive. It acts well to burst away midweek blues, if any. However, the last few sessions were going a bit unplanned and though we were having fun, the feeling was there that we could juice out more productivity and fun if we planned it properly. Taking people together and engaging the audience is a skill. Content too has to be different.

It was time for me to take the matter in hand. I informed the team that I would be presenting throughout the session and had interesting things lined up for them. We usually meet for around two to two and a half hours every Wednesday, so I wanted to adhere to the schedule and still cover a lot of variety which I want all my team members to focus on too in future. I spent some 45 minutes putting my mind-mined stuff into a PowerPoint presentation. Here is what all was there:

  • Testing Trends: 


I decided to start with something related to Testing. The need and challenge of any IT professional these days is to stay up to date with what is happening in the industry. The case with us, the testers, is no different. What could have been a better choice than a quick talk around the State of Testing Survey 2017? Thanks to PractiTest and Tea-time with Testers for conducting this awesome survey with well-defined and well-directed questions. The report talks about many things, such as where the overall testing industry is heading, what tools they are using, how important it now is for testers to break the comfort zone and learn something new, how the career shifts are happening and so on. If you haven’t had a look at it yet, you can check it here.


Leadership vs Positive Leadership. Choose the latter one.

Positive Leadership

Got this personalised hand-written pic-note and this #Instagram themed magnet note from a couple of my Squad members. They have just left/are about to leave my team to take on future goals. Such words coming from someone who has nothing to do with me as far as their immediate professional growth is concerned give a much bigger sense of satisfaction and achievement than anything else. The positive impact I created on the lives of people around me will always be my favorite achievement.

#FarewellJagrati #FarewellHamza #ThankYou

My new love: Ethical Hacking : Post#1

 


Hope the post title doesn’t annoy my wife :p . It shouldn’t I guess, as long as the love is for learning something very good.

The Start:

We all face dilemmas in day-to-day life. Sometimes in personal life, sometimes in professional. In the latter category, I had been facing one for the last many months. And the worst part of being in a dilemma is that sometimes you either end up doing nothing or you do both the things. What happens then is you end up thinking about two things and end up working on two as well. This delays your achievement, this reduces or rather diverts your focus frequently. For someone who always ends up getting a lot of new ideas on a daily basis regarding new things to learn, try and implement, it sometimes becomes very tough to select one and finish it completely.

The dilemma I am talking about was with respect to the choice of a new skillset to learn to advance professionally and to make the days count even better. It was between two things which are booming nowadays and are probably here to stay: Automation and Ethical Hacking/Security Testing. I worked on both of these and have basic or intermediate knowledge of both. Or you can say I am logically clear on both. But to implement the ideas, solve the problems or make your logic work, you also need to have in-depth technical knowledge of the task at hand; you should know how to. And putting my efforts into both things was delaying my expertise in either.

The choice was finally made as I understood my natural inclination towards the unknown. I am curious by birth, like to explore. So Ethical Hacking was definitely my thing. It’s like an endless road, you can go on and on and on. I have just started on it and will try to share my experience here as I progress. Let’s see how it goes.

The pre-requisite:

It is not necessary to be from a software and networking background to learn Ethical Hacking, I think, but it will definitely help. At least it helps me when I read stories of other hackers or incidents and can understand at least 70-80% of those technically. Again, the area to test is so vast that even your preparations or pre-requisites differ according to your target. If you are going to test mobile devices, you will have to gain knowledge around that; if you are going to test web applications, your preparations shall differ, and so on. I will surely update about what exactly to do and from where to start once I reach some level.

If you ask me, I collected basic knowledge around networking, protocols like HTTP and HTTPS, Linux, HTML and JavaScript over the years at my job. That shall help I guess. Apart from that, I follow a lot of hackers on Twitter. Their stories, tweets, and interviews are a great source of information. Reading their experience feels like watching a sci-fi/mystery movie. I love it. And yes, I am also reading The Web Application Hacker’s Handbook as my first book purely on Security Testing.

And yes, one more important thing. Did I mention that you should have a Mentor? It is always necessary and helps a lot with anything in life. I am not saying you should have one for everything, but there should be someone whom you look up to when you do some good work in some field. It is applicable to life in general as well. I am lucky to have a few. And guess with whose help and guidance I am learning to hack? Santhosh Tuppad. If you don’t know him already (which is rare if you are into the testing world), you should read his bio and know about his work.


Happy Women’s Day

Ok. Let me first accept that I am not very expressive and might not have wished many women around me personally today. Anyways, I was just thinking, if I have to list down a few names or personalities from the Venus community who have had an impact on my life, and that too without thinking for long, who all will come there.

Here I go. The first name on my mind is of course my Mom, Suman. I can’t explain or collect in what all ways she would have shaped today’s ‘Me’. She is someone from whom I have inherited lots of qualities which make up an inseparable part of me as a person and as a professional. Her inclination towards perfection, her habit of speaking less and speaking right, her smartness: all this has flowed down to me (Did I publicly claim that I think I am smart? :p Anyways). Watching her all these years has taught me how to stay tough in bad times and how to stay sober in good times. Things I owe to her are beyond thank you, so I will move on to the next name I could remember.

Next obviously will be my four sisters, by whom I was surrounded for years. My support system. Vijaya, Nayana, Swapna and Rupali. Long back in the 80’s, I think credit should be given to my parents for such a cool league of names. While the eldest of them taught me that no age is too young to get mature and take up the responsibilities, the youngest one taught me how to stay calm while I am angry, probably (Yes, we used to fight a lot :)). While the second eldest taught me how to stay consistent with results and live life on principles, the second youngest gave me confidence that it’s never too late to try out something new, to take that one brave step.

When I rolled my life further, here is the unexpected entry. One of my teachers in 2nd or 3rd standard. I don’t remember the name but she had thrown my Diwali vacation homework notebook back at me saying it was full of shit. A big blow to a self-declared perfectionist who was popular at school level back then. I am thankful to that lady as probably she taught me (rather forced me) to stay rooted even in good times. That was probably the first time I faced any public criticism. While I think further there is another personality in the same category, again I don’t remember the name and don’t even know if it was a crush or something, but back in junior school days I remember those stupid glances which were never returned to me. Ya, helps staying grounded. This is quite a revelation :D.

While I think further, I realise that it’s past 11:30pm and I might face some danger from my beautiful wife Pooja if I don’t keep the cellphone aside in a few minutes :p. So to make it fast, I think there were many women who have helped and taught me along the way, and I am sure all the men on this planet think the same. Being an introvert, I have had very few female friends but the support system they were all these years is beyond just Thanking.

As I fast forward, I think about my life partner Pooja and it’s fascinating to know that just her presence helps so much in keeping the child within me awake. Someone who cares about me as if I am a 10 year old :). Someone who supports ambitious me and still gives timely reminders about living life as it comes.

That was a lot about my personal life, but is my professional life built without the support of the Venus species? Big No. When I started my software testing career I heard from someone that this field is mainly for ladies and I was like ‘what rubbish’. But believe me, as I have spent over six years in this field, there are a lot of powerful tester-women here. So many lady Testers I have worked alongside all these years, and I have not only taught them but have also learnt a lot from them. I am thankful to all the ladies who have worked and who are still working in my awesome testing team #ZyQualSquad and shared a common vision. And how can I forget my first manager. She believed in me and gave me freedom to work in my style, to explore, fail and then try again till I succeed.

Anyways, words won’t be enough to say it all. I will just thank all the women in the world again for all the sacrifices and contributions to make this world a place worth living. And as someone rightly said, “Stupid are the women who think they are equal to men. They are rather far more powerful than men in so many ways.”


More power to you all. Happy Women’s Day. 

Why software testing? Here is the answer you want

It wasn’t the first time someone said something about testing and it troubled me. It is just that the recent event pushed me to change something about the question: why software testing? It went like this.

It was just another call from a computer science graduate who is looking for a job opportunity. This time the call was from one of my relatives.

Part of conversation after initial greetings-

She: Actually I got my results last week and looking for job. Please let me know if you come across any.
Me: Sure! Tell me what interests you. Development or Testing ?
She: (Laughs…) No no, not testing(still laughing), Development only.
Me: Ohh! (Tongue-tied) (She didn’t know I work as a Tester, of course)

You see the problem? The problem is not that she chose development over testing; that is absolutely fine considering the choice factor. The problem is her reaction when I said “Testing”, or rather a question: why software testing? Why should I even think about it?


Why you should attend more and more Testing Hackathons

From Bug-a-Sur, Mumbai chapter

Allow me to start my answer to ‘Why you should attend more and more Testing Hackathons’ with a small story.

It was a usual Saturday afternoon which otherwise I would have spent lazily at home. But this time (on 26th of November) I was at a co-working place, Workloft, to attend a Testing Hackathon called Bug-a-sur (named after a demon Bakasur from the Indian epic Mahabharata, a demon who used to eat food and the person who used to bring him that food) with some of my awesomely talented team members from Zycus #ZyQualSquad (that’s what we call ourselves). Full marks to the title, very well thought. The event, by the way, was hosted by Ventursity.
From my previous experience of attending a Testing Hackathon in Mumbai, I was expecting a lesser crowd (Mumbai being quite passive for Testing meetups) at some compact place. I was wrong. When we went there, an entire floor half full of testers was waiting there and event management committee members were working hard to make it big.

The event started at 2 pm with an introduction of Ventursity, the hosting committee, the products which we were supposed to test and their representatives. There were three apps/products which were supposed to be tested across platforms (mobile browser, desktop browser and app). Pricebaba, Haptik and Flyrobe were targets of 60-80 gathered testers. Rules, guidelines and product links were shared, and at 3 o’clock the attack was on.
We were 7 from Zycus, accompanied by one more tester from Androsonic, which made it four teams. Duration to test was three hours. Of course, less to test such big and complex products, but that’s how a Hackathon works: aggressive targets in crunched time.
