Basic Hacker Skills

 

When people think of hackers they immediately think of the worst but there are many different types of hackers and most of them has done a great deal to improve and develop software, the Internet and electronic devices.

 

Hacking skills - You must have the patience and will to understand programming languages. There are dozens of programming languages and they have evolved through the years, so start out with learning the basics. You can begin learning the programming language C then progress to other languages like Pascal or Fortran. Then move on to learning Perl, XHTML and other programs used on the Internet.

 

Understanding computer hardware is also a must as well as all the components that a computer system needs. You need to understand banking systems, and other systems used in the financial world because this is where you'll learn the kinds of security that are in place to protect the system and its clients.

 

Stage 1. Automation Auditing
Stage 2. Manual Auditing

Automation Tools:-

1. AppScan
2. Scando
3. Acunetix
etc..

Manual Testing Tools:-

1. Burp Suite
2. IE Tamper
3. Achilles
etc..


How to prevent via coding ?   [Project should implement the following points]:-

Auto Completion for important controls like password
Salted hash for password fields
Sanitization to all the input controls
Browser Refresh [use captcha]
Steal Password via Refresh or back button [use redirection, clear cache]
Session Fixation [ use new session id before/after login ]
Brute Force [use captcha]
Guessing UserID
Always clear Browser cache
Insecure direct object reference  [ in search result screens, avoid give action link with pk id ]
CSRF
Downloading Secure File [ dont take a path from parameter ]
Inproper Error Handling [use proper tr{} catch{}, move to custom error page]
XSS [use sanitization, check server side validation (type,size,input data) ]
SQL Injection [use sanitization]
Cross Account Access
Privileged Escalation
Login Trail
Audit Trail
Forgot Password [use security question, captcha, send a mail link to change password (one time link) ]
etc..

Detecting Fraud on Websites:;

Prerequisites


Before jumping into ways to detect potential fraud in Web applications and services, we need to set a few ground rules. Number one, and most important, you must have adequate logging. For full coverage on appropriate logging, read “How to Do Application Logging Right.”1 At a minimum, consider the five types of logging events covered

• authentication, authorization, and access events;
• changes to the system, application, or data;
• availability issues;
• resource issues;

 

Impossible Travel

Let’s say you saw the two entries shown in Figure 2 in your logs. These entries show that someone accessed login.jsp twice (let’s assume the same  user and that you have those details in the logs) in two hours. At 10 a.m., an IP address in California accessed  it; at noon, someone in Romania accessed it. The quick math says that no one could travel from California to Romania in two hours, even in an SR-71.

HTTP Request

Looking beyond the User-Agent header, what has changed?

• The order of headers differs.
• The order of cookies differs.
• The headers differ. Only the
first request has Origin and Cache-Control; only the second request has Keep-Alive.

• Regarding Accept-Encoding, only the first request lists each.

•  regarding Accept-Language, the first request has en-US and q=0.8, whereas the second request has en-us and q=0.5.

Fraud Detection in Sessions :- Its like session hacking / session fixation.