Hack Web Applications by Intercepting HTTP request/response using WebScarab

Hello Friends,

Today we will look at how to intercept the HTTP requests we send to a website and how to analyse the response headers. For this purpose we will use WebScarab, which you can find by searching for it on Google.

After installing it, you first have to configure your browser so that WebScarab can intercept requests and responses.
I am taking Firefox as the example here. Go to Options > Advanced > Network > Settings, then select Manual proxy configuration and enter the following values.
HTTP proxy – 127.0.0.1 and port – 8008
This lets WebScarab intercept requests by acting as a proxy on localhost.

Now start WebScarab by clicking on its icon.
The screen will look weird at first, something like what is shown in the figure.
In the Intercept tab, select “Intercept request” and, in the left-hand menu, select the “Get” and “Post” options.
This makes WebScarab ready to intercept HTTP GET and POST requests. Now type any URL in your browser, for example google.com, and you will get a window that shows the intercepted HTTP GET request. If you click on the “Intercept Response” button, it will also intercept the response coming back to the browser from the Google server.

You can use this technique to analyse the various request and response headers, and let me tell you, this can be very, very deadly. If you are able to make the right moves and changes in the headers, then you can easily modify them to send invalid values to the servers.
In the main window of WebScarab, the “Summary” tab shows you the details of all the intercepted requests and responses. This is a short tutorial on WebScarab that gives you a basic understanding of how to use it to intercept HTTP values and analyse them. The rest is up to you, and how far you can take it.
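Because any header can be edited in an intercepting proxy before it reaches the server, the server has to treat every header as untrusted input. The following is an added example, not part of the original tutorial: a small server-side check run over a constructed request and the same request with edited headers. The host name `shop.example.test` and the function names are assumptions made for illustration.

```python
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # legal header-name characters
ALLOWED_HOSTS = {"shop.example.test"}                  # assumption: this site's names

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        headers.append((name, value.strip() if sep else None))
    return lines[0], headers, body

def validate_request(raw: bytes):
    """Return a list of reasons to reject; an empty list means the headers pass."""
    _, headers, body = parse_request(raw)
    problems = []
    for name, value in headers:
        if value is None or not TOKEN.match(name):
            problems.append(f"malformed header line: {name!r}")
        elif re.search(r"[\x00-\x08\x0a-\x1f\x7f]", value):
            problems.append(f"control character in {name}")

    def values(wanted):
        return [v for n, v in headers if v is not None and n.lower() == wanted]

    hosts = values("host")
    if len(hosts) != 1 or hosts[0].lower() not in ALLOWED_HOSTS:
        problems.append("Host missing, repeated or not allowed")
    lengths = values("content-length")
    if len(lengths) > 1:
        problems.append("repeated Content-Length")
    elif lengths and not re.fullmatch(r"[0-9]+", lengths[0]):
        problems.append("Content-Length is not a number")
    elif lengths and int(lengths[0]) != len(body):
        problems.append("Content-Length does not match body")
    return problems

# Constructed samples: a request as the browser sent it, and the same request
# after its Host and Content-Length headers were edited in an intercepting proxy.
ORIGINAL = (b"POST /cart HTTP/1.1\r\nHost: shop.example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 12\r\n\r\nitem=7&qty=1")
TAMPERED = (ORIGINAL.replace(b"shop.example.test", b"other.example.test")
                    .replace(b"Content-Length: 12", b"Content-Length: -1"))
```

`validate_request(ORIGINAL)` returns an empty list, while `validate_request(TAMPERED)` reports both the unexpected Host and the non-numeric Content-Length.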

Guide to Hacking

Q: What is hacking?

Hacking is unauthorized use of computer and network resources. This is normally done through the use of a ‘backdoor’ program installed on your machine. However, most people understand a hacker to be what is more accurately known as a ‘cracker’. The term “hack” is also used to refer to a modification of a program or device to give the user access to features that were otherwise unavailable, such as DIY circuit bending. It is from this usage that the term “hacking” is often incorrectly used to refer to more nefarious criminal uses such as identity theft, credit card fraud or other actions categorized as computer crime.

Q: What is cracking?

Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A lot of crackers also try to gain access to resources through the use of password cracking software, which tries billions of passwords to find the correct one for accessing a computer. On a file-by-file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file’s access is restricted.

Q: What is a virus/trojan/malicious script file?

A virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. When a Trojan executes on your computer, the attacker, i.e. the person running the server, has a high level of control over your computer, which can lead to destructive effects depending on the attacker’s purpose.

Q: What is a stealer?

A stealer is software designed to create viruses. Such a virus is called a server. You send the server to the victim and if they open it, all their passwords (depending on how the stealer is built) will be sent to you via email, FTP or a PHP web host.

Q: What is a RAT?

A RAT is software that creates similar servers (viruses). If the victim opens it they will be your RAT. You can have complete access to their system. There are hundreds of features.
RAT – Remote Administration Tool.

Q: What is a keylogger?

A keylogger is software designed to create servers. You send the server to the victim and if they open it, all their keystrokes will be sent to you via email, FTP, a PHP web host etc.

Q: What is BOT?

A bot is a malicious program which has several purposes.
They are usually told what to do by a botnet admin although many of the features now are automated.

Q: What is a BOTNET?

A botnet is a network of infected computers that all connect to one area where they are commanded by the botnet admin.

Q: What is a crypter?

All the servers that you create with a keylogger, stealer, RAT etc. are detected by antivirus. So in order to make them FUD (Fully UnDetectable), a crypter is used to crypt the infected server.

Q: How does a crypter work?

A crypter has a built-in or external file called a stub. This stub is based on common encryption schemes like RC4, XOR, Twofish, Blowfish etc. When you crypt your infected file, the crypter embeds the stub onto your server and covers the server, just like painting over rusted metal, and makes it undetectable by antivirus.

Q: What is reverting?

Reverting is a technique used to obtain forgotten passwords. But a hacker uses this method to access the victim’s account.

Q: What is social engineering?

It is a psychological approach, where you manipulate people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques.

Q: What is DDoS?

The core design intention behind a Denial of Service (DoS) attack Trojan is to produce a lot of internet traffic on the victim’s computer or server, to the point that the Internet connection becomes too congested to let anyone visit a website or download something. Another variation of the DoS Trojan is the Mail-Bomb Trojan, whose key plan is to infect as many computers as possible, concurrently attacking numerous email addresses with haphazard subjects and contents that cannot be filtered.

Q: Who can be a hacker?

“Little bit” of knowledge and “no” commonsense.