Friday, August 4, 2017

Burp Suite - Spider


We use the Burp Suite free edition, installed on the Kali Linux operating system. Burp covers over 100 generic vulnerabilities, such as SQL injection and cross-site scripting (XSS), with great performance against all vulnerabilities in the OWASP Top 10.
In this post we use the "Spider" tool in Burp Suite. Burp Spider is a tool for automatically crawling web applications. While it is generally preferable to map applications manually, you can use Burp Spider to partially automate this process for very large applications, or when you are short of time.
I used the google-gruyere website for testing purposes. This website is vulnerable to various attacks such as cross-site scripting and SQL injection.

First of all I configured the proxy in the web browser (IP address 127.0.0.1).
Then visit the website: https://google-gruyere.appspot.com/

Then open Burp Suite. In order to access this website in the browser you should forward all data packets from the Burp Suite "Target" section.
In the Site map section all the websites that have been accessed will be listed. There I found https://google-gruyere.appspot.com/, right-clicked on it and selected "Spider this host".

By going to Spider -> Control I can make sure that the spider is running properly.

Once I clicked "Spider this host", Burp Suite started crawling through the website. Finally it displays all the discovered web pages (HTML pages, text files) in the middle section.

Here you go. You have retrieved all the web pages on the website.
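To show what "Spider this host" actually does under the hood, here is an added example (my own code, not Burp's and not part of the original post): a breadth-first crawler that only follows links on the starting host, dropping fragments and skipping already-seen pages. The site it crawls is a constructed in-memory stand-in for HTTP responses, so it runs offline; the paths in it are invented.

```python
import re
from collections import deque
from urllib.parse import urljoin, urldefrag, urlsplit

# Constructed sample site: path -> HTML body (stands in for HTTP responses).
SITE = {
    "/": '<a href="/login">Login</a> <a href="/snippets.gtl?uid=1">Snippets</a>'
         '<a href="https://example.net/out">External</a>',
    "/login": '<a href="/">Home</a> <a href="/login#form">Form</a>',
    "/snippets.gtl?uid=1": '<a href="/snippets.gtl?uid=2">Next</a>',
    "/snippets.gtl?uid=2": '<a href="/robots.txt">robots</a>',
    "/robots.txt": "User-agent: *",
}

HREF_RE = re.compile(r'href="([^"]+)"')

def fetch(url):
    """Stand-in for an HTTP GET against the constructed site."""
    parts = urlsplit(url)
    key = parts.path + ("?" + parts.query if parts.query else "")
    return SITE.get(key)

def spider_host(start_url, max_pages=50):
    """Breadth-first crawl that only follows links on the start host."""
    host = urlsplit(start_url).netloc
    seen, queue, site_map = set(), deque([start_url]), []
    while queue and len(site_map) < max_pages:
        url = urldefrag(queue.popleft())[0]  # '#fragment' is the same resource
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        site_map.append(url)
        for href in HREF_RE.findall(body):
            target = urldefrag(urljoin(url, href))[0]
            # Scope check: the off-host link to example.net is never queued.
            if urlsplit(target).netloc == host and target not in seen:
                queue.append(target)
    return site_map

if __name__ == "__main__":
    for page in spider_host("https://google-gruyere.appspot.com/"):
        print(page)
```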


How to secure your passwords


Why must passwords be protected? Some of you know the reason, but most of you keep your passwords safe because you see other people do it, or just because of the meaning of the word "password". If you think that your Facebook password must be protected more than your Twitter password because you don't use Twitter often, you are completely wrong. I will leave the link here for you to read the story "Epic Hacking - Mat Honan" to understand how much damage a single password can do!

First of all we should look at how to secure passwords. There are many ways to do this, but some of them are not very effective.

1. Two factor authentication.  

This is the best way to secure passwords. Two factor authentication means that instead of using one means of authentication (static or dynamic), the user uses two means of authentication (static & static, dynamic & dynamic, or static & dynamic).

What are these static and dynamic means of authentication?
Static - something the user knows or possesses, e.g. an ID card or a passcode.
Dynamic - something the user does or is, e.g. hand movements, voice recognition, iris scanning.

The advantage of two factor authentication is that even if an attacker knows the password for a particular account, he will not get access to it; to do so he also has to obtain the other factor. Facebook, Gmail and other social media sites and services provide two factor authentication.


2. Combination of lower case, upper case and alphanumeric characters

Passwords are vulnerable to brute force attacks. Therefore, if you only use upper case or only lower case letters, it will be easy for an attacker to break your password.

3. Having a password that contains at least 8 characters

When the password length increases, the number of combinations increases accordingly. If the number of combinations is huge, breaking the password will take a huge amount of time. Sometimes it will not be possible for the attacker at all, because the process requires a lot of processing power.

4. Always avoid using solitary words

Solitary means existing alone. That means do not use, on its own, a word that exists in any language.

5. Do not use names of people, places, things, and characters 

6. Do not write down passwords 

Since people do not like to memorize passwords, they tend to write them down on paper. Sometimes they write their credentials on a sticky note and stick it to the monitor at the workplace. If that is the case, why have a password to log in at all? Anyone can then use anyone's device or account.

7. Always log out from devices or accounts once you are done. Otherwise workstation hijacking can occur. 
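As an added example (my own code, not part of the original post), the following checker turns rules 2 to 5 above into code and works out the brute-force keyspace behind rules 2 and 3. The dictionary and name lists are constructed placeholders standing in for a real word list.

```python
import math
import string

# Constructed stand-ins for a language dictionary and a list of names.
DICTIONARY = {"password", "sunshine", "dragon", "welcome"}
NAMES = {"alice", "bob", "london", "batman"}

def keyspace(length, alphabet_size):
    """Number of candidate passwords a brute-force attacker must try."""
    return alphabet_size ** length

def bits_of_entropy(length, alphabet_size):
    """Same keyspace expressed in bits: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def check_password(pw):
    """Return the list of the post's rules (2-5) that the password breaks."""
    problems = []
    has_lower = any(c in string.ascii_lowercase for c in pw)
    has_upper = any(c in string.ascii_uppercase for c in pw)
    has_digit = any(c in string.digits for c in pw)
    if not (has_lower and has_upper and has_digit):
        problems.append("mix lower case, upper case and digits")
    if len(pw) < 8:
        problems.append("use at least 8 characters")
    # Rules 4 and 5: strip digits/symbols so 'Dragon1!' is still caught as a word.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in DICTIONARY:
        problems.append("do not use a dictionary word")
    if core in NAMES:
        problems.append("do not use a name of a person, place or thing")
    return problems

if __name__ == "__main__":
    for length in (6, 8, 12):
        lower_only = keyspace(length, 26)
        mixed = keyspace(length, 26 + 26 + 10)
        print(f"{length} chars: {lower_only:.2e} (lower only) vs {mixed:.2e} (mixed)")
    for candidate in ("dragon", "Dragon1!", "Batman2019", "Tr4ns1t-Lamp-9Qx"):
        print(candidate, check_password(candidate) or "passes all rules")
```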


Thursday, August 3, 2017

Scams on social media platforms

How many times do you log into social media sites in a day? A lot, right? So you must know what the possible scams on social media platforms are.

1. An attacker can ask people to share a particular post or his/her own website on other social media platforms in order to get access to a particular file or video.

2. When users go to view videos on a particular website, the website asks them to install a plugin to watch the video. This plugin might be a trojan horse program that will harm the user's computer or data.


3. Another incident is click bait. An article or video might look like it has some shocking information, but the actual content can be utter waste.


4. One of the most popular methods attackers use is sweepstakes or lotteries.
They will ask you to fill in a form and submit it to win a prize (eg:- iPhones, a trip to Malaysia etc.).

5. In holiday seasons like Christmas you will see a lot of fake charity events on social media platforms. They will ask you to donate money.

What are the intentions behind these scams?

1. Build a relationship
Once you have submitted a form, they get your e-mail address and send you e-mails about various things such as advertisements and social awareness campaigns.

2. Gather information
If the other party is doing a survey or something similar, they gather all your information and put it together to come up with a conclusion (eg:- what is the most popular mail service among people).

3. Exploit any identified vulnerability
Assume that there is a mail service called A and attackers find a vulnerability in A's server that can be used to hack all the customers of mail service A. Attackers can go through the submitted forms and find out which people use service A. Then those accounts will be hacked.

4. Financial benefits
People who gather information can sell that information to another person or to an organization. This is called information brokering.

How to avoid scams?

1. Avoid clicking on suspicious links and videos.

2. Always look at the URL displayed in the URL bar. If it does not look familiar or does not belong to the website you wanted to visit, close the window without clicking on anything.

3. Some of these scam sites are hosted on free hosting sites and are therefore served over HTTP. If you see HTTP instead of HTTPS (secured), avoid it.

4. Enter dummy values in the text boxes if you do not trust the site.

5. In emails, check the sender's email address. Attackers can be very smart, but you have the responsibility to notice even tiny differences between bogus and valid email addresses.
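Points 2, 3 and 5 above can be checked automatically. The code below is an added example (mine, not from the original post) that flags non-HTTPS URLs and look-alike domains or sender addresses; the trusted-domain list and the table of confusable characters are constructed placeholders, and the "last two labels" view of a domain is a deliberate simplification.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user is familiar with.
TRUSTED_DOMAINS = {"facebook.com", "twitter.com", "gmail.com", "paypal.com"}

# Characters attackers swap for look-alikes (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e"}

def normalise(domain):
    """Fold common look-alike substitutions so 'paypa1.com' -> 'paypal.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def registrable(host):
    """Crude last-two-labels view: 'login.facebook.com' -> 'facebook.com'."""
    return ".".join(host.split(".")[-2:])

def classify_domain(domain):
    """'trusted', 'lookalike' (brand name abused) or 'unknown'."""
    base = registrable(domain)
    if base in TRUSTED_DOMAINS:
        return "trusted"
    if normalise(base) in TRUSTED_DOMAINS:
        return "lookalike"      # e.g. faceb00k.com, tvvitter.com
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in domain:
            return "lookalike"  # e.g. facebook.com.example-login.net
    return "unknown"

def check_url(url):
    """Rules 2 and 3: familiar domain, served over HTTPS."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    verdict = classify_domain(parts.hostname or "")
    if verdict != "trusted":
        warnings.append(f"domain is {verdict}")
    return warnings

def check_sender(address):
    """Rule 5: the part after '@' must be a trusted domain, not a look-alike."""
    return classify_domain(address.rsplit("@", 1)[-1])
```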