CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart

Linux Flaw Let Users With UID Greater Than 2147483646 Become Root

A low-privileged user account on most Linux operating systems with UID value anything greater than 2147483647 can execute any systemctl command unauthorizedly—thanks to a newly discovered vulnerability.
The reported vulnerability actually resides in PolicyKit (also known as polkit)—an application-level toolkit for Unix-like operating systems that defines policies, handles system-wide privileges and provides a way for non-privileged processes to communicate with privileged ones, such as "sudo," that does not grant root permission to an entire process.
The issue, tracked as CVE-2018-19788, impacts PolicyKit version 0.115 which comes pre-installed on most popular Linux distributions, including Red Hat, Debian, Ubuntu, and CentOS.
The vulnerability exists due to PolicyKit's improper validation of permission requests for any low-privileged user with UID greater than INT_MAX.
Where, INT_MAX is a constant in computer programming that defines what maximum value an integer variable can store, which equals to 2147483647 (in hexadecimal 0x7FFFFFFF).
So it means, if you create a user account on affected Linux systems with any UID greater than INT_MAX value, the PolicyKit component will allow you to execute any systemctl command successfully.
Security researcher Rich Mirch, Twitter handle "0xm1rch," has also released a proof-of-concept (PoC) exploit to successfully demonstrate the vulnerability that requires a user with the UID 4000000000.
Red Hat has recommended system administrators not to allow any negative UIDs or UIDs greater than 2147483646 in order to mitigate the issue until the patch is released.


Identity theft

Identity theft

Defining Identity Theft

Identity theft is a crime involving someone impersonating a victim for the purpose of financial gain or other personal gain.The victim could be an individual or a business, and the perpetrator could be one person or several individuals acting as part of a theft or fraud ring. Often, the theft of a person’s or business’s identity is used to commit other crimes as well, such as credit card fraud, submitting loan applications in another person’s name, and so on.Read more


Cross-Site Scripting (XSS)

Cross-Site Scripting (What is XSS?)

Cross-Site Scripting (XSS)

1 Overview

Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code into victim’s web browser. Using this malicious code, the attackers can steal the victim’s credentials, such as cookies. The access control policies employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks. To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web-based message board using phpBB. We modified the software to introduce an XSS vulnerability in this message board; this vulnerability allows users to post any arbitrary message to the board, including JavaScript programs. Students need to exploit this vulnerability by posting some malicious messages to the message board; users who view these malicious messages will become victims. The attackers’ goal is to post forged messages for the victims.Read more


DNS ID Hacking Presentation

DNS ID Hacking

You might be wondering what DNS ID Hacking is. DNS ID Hacking isn't a usual way of hacking/spoofing such jizz or any-erect. This method is based on a vulnerability on DNS Protocol. More brutal, the DNS ID hack/spoof is very efficient is very strong because there is no generation of DNS daemons that escapes from it.Read more


blind sql injection discovery

Blind SQL Injection Discovery

While performing web application and penetration testing following scenario is very common and it hides potential exploitable SQL injection scenario:

1. We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw.Read more


what is a compiler?

What is a compiler?

A compiler is a program that translates a high-level language program into a functionally equivalent low-level language program. So, a compiler is basically a translator whose source language (i.e., language to be translated) is the high-level language, and the target language is a low-level language; that is, a compiler is used to implement a high-level language on a computer.

Read more


What is the difference between HTML Injection and XSS?

Same thing. In one of the situations, the attacker injects valid HTML tags, while in the other one, the attacker injects HTML tags but also tries to run a script.

 


Python Tops The List of Programming Languages

Python Tops The List of Programming Languages by Popularity

Python is a widely used high-level programming language for general-purpose programming,  first released in 1991. An interpreted language, Python has a design philosophy which emphasizes code readability, and a syntax which allows programmers to express concepts in fewer lines of code than might be used in languages such as C++ or Java. The language provides constructs intended to enable writing clear programs on both a small and large scale.

Python features a dynamic type system and automatic memory management and supports multiple programming paradigms, including object-oriented, imperative, functional programming, and procedural styles. It has a large and comprehensive standard library.

Python interpreters are available for many operating systems, allowing Python code to run on a wide variety of systems. CPython, the reference implementation of Python, is open source software[26] and has a community-based development model, as do nearly all of its variant implementations. CPython is managed by the non-profit Python Software Foundation.