Ethical Hacking: Playing around with the basics | Part#2

Continuing to share my experience on the Ethical Hacking learning journey.

I was occupied with quite a few things on the personal front recently, hence I couldn't go at the speed I wanted, but I could squeeze out some productivity in the form of some reading and some practical exercises.

I read a few chapters of The Web Application Hacker's Handbook and, the best part, read lots of publicly disclosed reports on HackerOne, Publicly Disclosed and Bugcrowd.

On the practical side, I tried RCE on a few Bugcrowd program sites, though I couldn't succeed yet 😐 Also, the learning and discussions journey continued with the awesome Santhosh Tuppad. Recently he gave me around ten exercises to crack. Let's see how I approached them one by one.

Exercise#1

In the first exercise, I was supposed to crack the username and password of a dummy login page. The hint left in the source code was that the Base64-encoded value of the username is the password. I guess the agenda was to get the learner familiar with encoding and to check whether he/she looks at the source code for hints. It took me a minute or so to use an online encoder to get the expected password value. However, due to a technical glitch in the dummy exercise application, it was not letting me get through (the error was genuine, so it looked like the expected behaviour where access was denied).

Hence, even though my answer was right, I felt that it was not and kept on searching and trying new things. This technical glitch pushed me for days, during which I kept on trying different things to crack through. Below are a few things I tried; I know some of them are silly, but I tried them anyway.

  1. Admin as username and password as many sites actually have such password for admin panels
  2. UserName as username and password, pwd as password (Hint from source code)
  3. admin / admin123 as username and password (again from past experience and usual username-password patterns)
  4. santhoshtuppad as username and password
  5. santhoshtuppad as username and c2FudGhvc2h0dXBwYWQ= as password (The Correct answer, which I got to know only after trying everything)
  6. comment as password (Hint from source code)
  7. value of comment encoded in Base 64 as password (Hint from source code)
  8. empty username, password
  9. single space as username and password
  10. Enabled the token ID field on the UI and tried SQL injection, 1=1′, 1=1–, 2=2–, and others (tried SQL injection on the CSRF token field by enabling it)
  11. Tried SQL Injection on username and password
  12. Used tamper data plugin to play with parameters passed
  13. Tampered cookie values
  14. Added debug points using developer tool trying to understand the flow through script
  15. Tried changing the method TYPE to GET from POST with same parameters and request data and executed same
  16. Went through integrated scripts as well
  17. Tried for context variations, /one/admin
  18. Looked for XML-RPC
  19. Knowing MySQL, tried few queries on mysql / information_schema, users table, etc. (as part of SQL injection)
  20. Tried /exercise/one/admin as well with several credentials
  21. Tampering the POST request

Exercise#2

The goal was to try a dummy username and password in all the forms one by one, find out the best error message, and also explain why the other error messages are not recommended.

Here are my findings:

Messages Observed-

  1. The password you entered for admin is incorrect.
  2. Invalid username / password
  3. Wrong password.
  4. The username doesn’t exist

I would put my money on message #2.

Messages 3 and 4 clearly tell me whether the particular username I am using is registered with the system or not, which narrows down my target zone.

They might also violate privacy, as they tell me whether a particular user is present/registered on the system or not.

Message #1 is basically an incorrect message, as it always throws this standard text even if the user is not registered. So this, in turn, might confuse a registered user.
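To make the comparison concrete, here is an added example (my own code, not part of the exercises or of the original post) that implements the same login check twice against a constructed sample user store: one version returns messages #3 and #4, the other always returns message #2 on failure and hashes the password even for unknown usernames so that both cases cost the same. It also includes the kind of check Exercise 2 asks for, comparing the failure message for a registered and an unregistered username. The username `admin`, its password and the salt are made-up sample values.

```python
import hashlib
import hmac

# Constructed sample credential store for this example: username -> PBKDF2 hash.
# The user, password and salt are made up; they are not from the exercise.
ITERATIONS = 20_000
SALT = b"constructed-fixed-salt"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"admin": hash_password("correct horse battery")}
# Hash of a made-up value, so that an unknown username still costs exactly one hash.
DUMMY_HASH = hash_password("dummy-value-never-a-real-password")

GENERIC_FAILURE = "Invalid username / password"   # message #2 from the post


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Mirrors messages #3 and #4: the failure text reveals whether the username exists."""
    if username not in USERS:
        return False, "The username doesn't exist"      # message #4
    if hmac.compare_digest(hash_password(password), USERS[username]):
        return True, "Login successful"
    return False, "Wrong password."                      # message #3


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Returns message #2 on every failure, so a known and an unknown username look the same."""
    stored = USERS.get(username, DUMMY_HASH)   # always hash, even for unknown users
    match = hmac.compare_digest(hash_password(password), stored)
    if match and username in USERS:
        return True, "Login successful"
    return False, GENERIC_FAILURE


def reveals_user_existence(login_fn, known_user: str, unknown_user: str = "no-such-user") -> bool:
    """Test a login function the way Exercise 2 does: submit a wrong password for a
    registered and for an unregistered username and see whether the messages differ."""
    _, msg_known = login_fn(known_user, "definitely-the-wrong-password")
    _, msg_unknown = login_fn(unknown_user, "definitely-the-wrong-password")
    return msg_known != msg_unknown


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("generic", login_generic)):
        print(f"{name}: admin/wrong -> {fn('admin', 'wrong')[1]!r}; "
              f"nobody/wrong -> {fn('nobody', 'wrong')[1]!r}; "
              f"reveals existence: {reveals_user_existence(fn, 'admin')}")
```

Running it shows that `login_leaky` gives two different failure texts for `admin` and `nobody`, while `login_generic` gives the same text for both, which is the property message #2 has and messages #3 and #4 lack.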


6 Years of My Software Testing Journey

I joined Zycus as a QA rather accidentally. I started interview rounds for a Developer role, but was later told about a Testing opportunity. So I joined on the terms that I would be given a Development opportunity in case Testing didn't interest me (which I never even had to think about later). Needless to say, I knew nothing much about Testing before starting the interview rounds and very little by the time I got selected.

So why am I writing this piece? Well, I am doing so to share some very critical aspects of being a Software Tester which I learnt during my journey. I cracked my interviews, joined one of the biggest and most ambitious products of Zycus, and logged nearly 3000 defects in the initial 2-2.5 years alone, spanning categories like Functional, Performance, Security, Usability, Multilingual, Multi-tenancy and many more. What I want to highlight is this: my journey up to this point (~2-2.5 years) was successful without any direct or great knowledge of Software Testing principles, test matrices, testing theories, etc.
