Learn what is CSRF attack by hacking an online Casino

This article was originally published at: https://www.blog.duomly.com/what-is-csrf-attack-tutorial-for-beginners/


Intro

Today we will talk about what a CSRF attack is.

Did you know somebody can steal your money by using just a simple image?

In this tutorial, I will show you how, and we will hack an online casino together!

In the first post about web security, we talked about hacking a bank app with SQL Injection.

The link is here:

SQL Injection attack tutorial for beginners

Today we will focus on something else, but still dangerous, and quite easy to do.

It's especially dangerous because many websites and applications are vulnerable to this attack.

You will learn what a CSRF attack is and why the CSRF attack can be dangerous.

Next, we will discuss how to make a CSRF attack and how to secure the app.

Let's start!

If you prefer video, here is the youtube version:

What is CSRF attack

CSRF is a type of security vulnerability that allows an attacker to make the victim's browser perform an action in another application on the victim's behalf.

It matters especially when the victim is authenticated: the browser attaches the session cookie to the forged request automatically, so the application carries out the action the attacker chose as if the victim had requested it.

It's more focused on changing the internal state of the app than on pushing data out to the attacker.

Why a CSRF attack is dangerous

A CSRF attack can be very dangerous, especially when combined with XSS.

It is mostly used to perform actions in our authenticated account, without our knowledge and permission.

For example, imagine we are reading a community forum while logged in to our email or bank account in another browser window.

An attacker can upload a malicious image to the forum.

It can be enough that we just view his post: the URL behind the image makes our browser send a request to our email account.

This request can change the settings of our email account.

For example, all emails arriving in our inbox could be forwarded to the attacker's inbox as well.

How to secure app from the CSRF attack

In this section, I will show you a few critical (for me) methods that can protect your application against CSRF attacks.

It's not everything you can do, but these are crucial, in my opinion.

It's worth researching and studying more of them, because your project may need additional protection.

I used a bulleted list to make it as clear as possible.

1. Tighten CORS and accept calls only from a known origin

2. Use SameSite cookies

3. Use a CSRF token

4. Use a session ID that is valid only for this session

5. Use your own custom headers in calls

6. Never use GET for a call that does anything other than return data

7. Avoid developing features that perform a special action just by visiting a URL
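As an added example (not code from the Duomly post or from Hacme Casino), here is a small server-side request gate in Python that implements points 1, 3, 5 and 6 of the list above and shows the post's forged image request being refused while a legitimate same-origin POST passes. The request dict shape, the "csrf_token" field name and the X-Requested-With header value are assumptions; SameSite (point 2) belongs on the Set-Cookie header and is not shown.

```python
# Added example, not code from the Duomly post or from Hacme Casino: a
# server-side CSRF gate implementing points 1, 3, 5 and 6 of the list above.
# The request shape (a dict with method, path, headers, form), the field name
# "csrf_token" and the X-Requested-With header value are our own assumptions.
import hmac
import secrets

ALLOWED_ORIGIN = "http://casino.local:3000"      # point 1: the only trusted origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}         # must never change state
STATE_CHANGING = ("/account/transfer_chips",)     # endpoints that move money

def issue_csrf_token():
    """Point 3: random per-session token, stored server-side and embedded in forms."""
    return secrets.token_urlsafe(32)

def check_csrf(request, session_token):
    """Return (allowed, reason) for one request against the session's token."""
    method = request["method"].upper()
    path = request["path"].split("?", 1)[0]
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # Point 6: a forged <img src=...> can only issue GET, so a money-moving
    # endpoint reached by a safe method is refused outright.
    if method in SAFE_METHODS:
        if path.startswith(STATE_CHANGING):
            return False, "state change attempted over " + method
        return True, "safe method, nothing to check"

    # Point 1: Origin (set by the browser, not by page content) or, failing
    # that, Referer must be exactly our site; "http://casino.local:3000.evil"
    # fails because of the trailing-slash check.
    origin = headers.get("origin") or headers.get("referer", "")
    if origin != ALLOWED_ORIGIN and not origin.startswith(ALLOWED_ORIGIN + "/"):
        return False, "cross-origin request rejected"

    # Point 5: <form> and <img> cannot add custom headers; only same-origin
    # JavaScript can, so its presence rules out plain HTML forgery.
    if headers.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing custom header"

    # Point 3: constant-time comparison so token bytes cannot be guessed by timing.
    sent = request.get("form", {}).get("csrf_token", "")
    if not sent or not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, "bad or missing CSRF token"
    return True, "ok"

def demo():
    """The post's forged image request versus a legitimate same-origin POST."""
    token = issue_csrf_token()
    forged = {"method": "GET",
              "path": "/account/transfer_chips?transfer=1000&login[]=andy_aces",
              "headers": {"referer": "http://localhost:8000/"}}
    legit = {"method": "POST", "path": "/account/transfer_chips",
             "headers": {"origin": ALLOWED_ORIGIN,
                         "x-requested-with": "XMLHttpRequest"},
             "form": {"csrf_token": token, "transfer": "1000"}}
    return check_csrf(forged, token)[0], check_csrf(legit, token)[0]
```

The layers are independent on purpose: even if a GET-only bug slipped back into the transfer route, the origin, header and token checks would each still stop a forged request from another site.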

What do I need for the CSRF attack

VirtualBox or VMware:

You can use VirtualBox (it's free), or buy or use a trial of VMware (it's better).

Web Security Dojo:

Web Security Dojo is an operating system with a lot of useful tools like Burp, Nikto, or sqlmap that you can use to train your hacking skills.

The second important fact is that Web Security Dojo contains a few targets that you can legally practice hacking on.

You can download it from this link:

https://sourceforge.net/projects/websecuritydojo/

Knowledge of how to use SQL Injection:

In this lesson, we will use SQL Injection to bypass the Casino's authentication, so it will be necessary.

Don't worry if you don't know how to use it yet!

In the previous episode, I've created a whole lesson about basic SQL Injection.

You can learn and train it there.

Here is the blog post of the "What is SQL Injection attack tutorial":

SQL Injection attack tutorial for beginners

And here is the youtube version:

Very basic HTML:

We will use HTML to create a simple template of a page containing the malicious code.

We will use that template to hack the Casino later.

If you do not know how to use HTML yet, don't worry!

You can just follow what we do in today's lesson, or you can do a whole HTML & CSS course here:

HTML and CSS course

How to make a CSRF attack

Start the machine:

The first step is to run the whole environment.

Run your Web Security Dojo in VMware or VirtualBox, and wait until it loads.

Start the Casino:

When our Web Security Dojo is loaded, we need to run the Casino.

The first step is to go into the menu (it's that blue icon on the top left corner).

Next, you should open a tab named "Targets".

And, as the last step, you should click on "Hacme Casino Start".

Open Casino:

Your server should load; now you can open the Casino.

Go into the browser and type in the address bar:

http://casino.local:3000

Hack the authentication:

When you visit that URL, you should see the Casino's website and a login form.

We do not know the login and password for the ace's account.

So we can hack it with SQL Injection.

You can hack it using one of the methods you learned in the previous lesson, or use the one below.

The password input should be empty, and in the user input you should type:

') OR 1=1 --

Prepare the malicious website:

Congratulations, you've hacked your way into the ace's account!

Next, we should create a malicious website where we put our image with the fake URL that will make a call to the Casino (where our victim is logged in).

First, create a folder for it, and then create the index.php file with the code.

Look at the example below:

<html>
<head></head>
<body>
  <h1>Greetings from Duomly</h1>
  <img src="http://localhost:3000/account/transfer_chips?transfer=1000&login[]=andy_aces&commit=Transfer+Chips"/>
</body>
</html>

Run the malicious website:

The next step is just to run our PHP server that will host our malicious site.

Open the terminal in the directory that contains our code and type:

php -S localhost:8000

Login as bobby_blackjack:

In this step, we need to play the victim for a while.

We need to log in as a victim and take a look at our (victim's) profile or balance.

Here are the credentials we can use.

login:

bobby_blackjack

pass:

twenty_one

Open the malicious website while the victim (bobby_blackjack) is logged in:

Now the fun is starting!

We need to send the malicious URL to the victim and expect him to open it.

Next, when the page loads, the malicious code renders the image.

The image carries the malicious link, which fires and sends money from the victim's account to "andy_ace", which is our account in this case.

http://localhost:8000

Logout and login as the andy_ace:

After a successful attack, we can log in to the andy_ace account using SQL Injection again.

Do you see a larger amount of money?

Congratulations!

You've stolen money from bobby_blackjack!
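From the defender's side, the attack just performed leaves a distinctive trace in the casino's web-server access log: a money-moving request whose Referer points at a foreign origin. As an added example (not code from the Duomly post or from Hacme Casino), the following Python pass flags such lines; the log lines are constructed here in Combined Log Format, and the endpoint list and KNOWN_ORIGIN are assumptions matching this tutorial's setup.

```python
# Added example, not code from the Duomly post or from Hacme Casino: a
# detection pass over web-server access logs that flags hits on the casino's
# money-moving endpoint whose Referer is missing or comes from another origin.
# The log lines are constructed for this example in Combined Log Format; the
# endpoint list and KNOWN_ORIGIN are assumptions matching the post's setup.
import re
from urllib.parse import urlsplit

KNOWN_ORIGIN = "http://casino.local:3000"
STATE_CHANGING = ("/account/transfer_chips",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: a normal page view, the post's forged <img> request
# (Referer is the attacker's site), a legitimate same-origin POST, and a
# scripted GET with no Referer at all.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:12:00:01 +0000] "GET /account HTTP/1.1" 200 512 "http://casino.local:3000/login" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2020:12:00:09 +0000] "GET /account/transfer_chips?transfer=1000&login[]=andy_aces HTTP/1.1" 302 0 "http://localhost:8000/" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2020:12:01:00 +0000] "POST /account/transfer_chips HTTP/1.1" 302 0 "http://casino.local:3000/account" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2020:12:02:00 +0000] "GET /account/transfer_chips?transfer=50 HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

def origin_of(url):
    """Reduce a URL to scheme://host[:port]; '-' (no Referer) gives ''."""
    if url in ("", "-"):
        return ""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def find_csrf_suspects(log_text):
    """Return (ip, method, path, referer_origin) for every state-changing hit
    whose Referer origin is not KNOWN_ORIGIN. A GET here is suspicious on its
    own (point 6 of the mitigation list); a foreign Referer doubly so."""
    suspects = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip lines in another format
        path = urlsplit(m["path"]).path     # drop the query string
        if not path.startswith(STATE_CHANGING):
            continue
        ref_origin = origin_of(m["referer"])
        if ref_origin != KNOWN_ORIGIN:
            suspects.append((m["ip"], m["method"], path, ref_origin or "(none)"))
    return suspects
```

A missing Referer can also come from a browser privacy setting, so treat these hits as leads to correlate with the account's balance changes rather than as proof on their own.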

Conclusion

Congratulations!

Now you know what CSRF is, why a CSRF attack is dangerous, and how a CSRF attack is carried out.

You also know how to secure your app against CSRF attacks.

Follow us to get more popular web-security skills, and comment on what you would like to learn in the next lessons!

Remember, you cannot hack software or apps that you don't own or don't have the owner's permission for.

It's illegal and can have huge consequences.

Thanks for reading,

Radek from Duomly

#web-development #database #sql #api #html
