
Devinder Goyal

Parul Khanna
Rishabh Dangwal
• Independent security researchers specializing in their domain.
• We have provided corporate security solutions to the worthy.
• Inculcated the sense of digital security in the generation of today.

• Security is a misconception.
• No security, only opportunity.
• Proactive security is a notch better than reactive and preventive security.
• Needless to say, security is directly proportional to awareness.

• Countless websites are defaced just for fun.
• Prominent methods include SQLi, RFI, LFI, Zero-day/Zero-hour exploits.
• Massive threat if executed carefully.
• Propaganda.
• Possible server/data center access.
• Sensitive information disclosure.
• Practice by script-kiddies/skids.
• Possible botnet creation.


• Upload our backdoor by any means on server.
• Relies on php include() function. Vulnerable sites will have code like this -

Index.php?page=something

In place of "something" we can upload our backdoor.

• Search vulnerable websites using Google dork
"inurl:index.php?page="
Or
inurl:"main.php?x="
• Test it by inputting some parameter in the variable; if successful, exploit it.

• Attacker can access all data on server by manipulating the URL.
• Directory traversal attack.
• Manipulates php functions to get file level access.

xyz.com/main.php?page=../../etc/passwd

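Both the include()-based RFI and the directory traversal described above leave recognisable traces in web server access logs. The Python sketch below is an added example, not part of the original slides: it flags requests whose `page` or `x` parameter (the names used in the slides' examples) carries a remote URL or a `..` path segment, including percent-encoded forms. The log lines, IP addresses and host name are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names from the slides' examples (page=, x=); extend per application.
INCLUDE_PARAMS = {"page", "x"}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.I)   # scheme://... => remote include
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")         # a ".." path segment

# Constructed sample lines (documentation IPs, .invalid host), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /main.php?page=../../etc/passwd HTTP/1.1" 200 1403',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=http://files.example.invalid/a.txt HTTP/1.1" 200 87',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /main.php?x=%252e%252e%252fconfig HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'remote-include', 'traversal', or None for one parameter value."""
    value = fully_decode(value)
    if REMOTE.search(value):
        return "remote-include"
    return "traversal" if TRAVERSAL.search(value) else None

def scan(lines):
    """Return (line_number, parameter, verdict) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            verdict = classify(value) if name.lower() in INCLUDE_PARAMS else None
            if verdict:
                findings.append((number, name, verdict))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit records an attempt seen in the log, not a successful include; the response status and size of the flagged request still need review.
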
• Client-side attack; allows bypassing client-side security mechanisms.
• Web 2.0 security nightmare.

• Persistent XSS – Inserted code is permanent.
• Non-persistent XSS – Inserted code is not permanent.
Misuse of XSS -
• Steal cookies
• Log information
• Deface pages
• Spread misinformation
• URL redirection

• GSM/CDMA data stored at base station can be used to trace location.
• Calls can be spoofed using commercially available spoof cards.
• No regulation on call spoofing.
• Google: Call Spoofing


• SMS bombing
• Phone explosion due to overheating of phone IC
• SIM cloning

• Google reveals secrets, provided you know how to ask
• Efficient manipulation of dorks
• Automated tools
• Find anything

• One of the most exotic places on the web
• Considered as the holy grail of all information
• Archives of classified information available
• Hotline/KDX access and UUCP


• Protocol defying tools like Gobbler/yersinia
• Black market has the sploits
• Easy to setup LOIC, and spam with ddos
• Exotic tools can be coded by efficient coders
• Casual hunting through Shodan
• Open source opens portals for security
• Defeat latest security technologies (UTM/XTM) using custom blended attacks.

• Again... the only secure computer is the one guarded by 2 guards, buried 6 feet down in the earth, with no internet connection, in a powered-off state.
• Obscurity is not security.
• Open source rules


Thank You
