By: Hacker542
February 9, 2016

Basic Hacking with Firefox (Part 2): Data Intercepting

In Part 1, we saw how to view and collect different information about websites using HttpFox, User-Agent Switcher and RefControl. In this session, we'll learn how to use this information to exploit and perform a simple hack of a website.

The basic aim is to intercept data in order to hack websites, using different tools and extensions of the Firefox browser. The Firefox community has built many tools to intercept data, such as:
  1. Live Http Header
  2. Tamper Data
  3. Firebug

1. Live Http Header:

Live Http Headers is used to view and modify HTTP headers within the same session, and to resend data after modifying it. Once Live Http Headers is started, it records all the data sent through the request headers.

One simple example will make this clearer. If a website is vulnerable to SQL injection, we can log in to the admin or another user's account using Live Http Headers (to find out whether a site is vulnerable to SQL injection, use another Mozilla Firefox extension, the “SQL Inject Me” sidebar).

Find a username on the website; you might find it in the forums, comments or any posts on the website. After finding the name, go to the sign-in form, start Live Http Headers, insert dummy values in the form and press sign in. Now go to Live Http Headers and scroll to the values you inserted in the form. Select the line, which may look like this: “username=dummy&&password=dummy?login.php”, and click on replay. The replay box will open. Edit the values and click replay again. It will send the data to the website again. In this way, send the values again and again to hack the login process using Live Http Headers (search “SQL injection” to find the values to send, and only change the password, not the username you found on the website). It is not only used to replay posted values; it can also be used to replay and alter the referrer, user agent, URL, etc.

2. Tamper Data:

As the name suggests, this Mozilla Firefox extension is used to tamper with the data of the request headers. It is used to tamper with posted data, whether sent through the GET or POST method, and with the URL, Host, referrer, user agent, accept-encoding, cookies, etc. before they are sent to the server. Tampering with POST data is used in SQL injection and SSI. The User-Agent and referrer are also used to launch attacks against a website.

3. FireBug:

Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug and monitor CSS, HTML and JavaScript live on any web page. The benefit of Firebug is that it works on the live page, whereas changing the code of a website after “Save Page As” is not effective. Take a simple example: websites use forms (dropdown selection, radio selection, checklist) to submit the value of the selected item, and every selection in the form has a value. If the page is saved and a value is changed, the change is ineffective and the form cannot be submitted. Use Firebug to change the code or values, submit the form and get the results you want.

To do this, right-click on the element you want to change and choose "Inspect with Firebug" from the menu. It will show the exact piece of code for that element. Click on the code, change the values and submit again.

Something fun to try: ask your friend to enter his Facebook password. Before he clicks "Log in", inspect the password field with Firebug and change its type to type="text". It will show the password immediately.

Friendly Disclaimer: This tutorial is for beginners. If you already know this stuff - ignore it.
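
Seen from the server side, the form and header editing described above means every submitted field has to be re-checked against what the server actually offered. The following is an added example, not code from the original post; the form fields, values and prices are hypothetical.

```python
from urllib.parse import parse_qs

# Hypothetical order form (assumption, not from the post): the only values
# the server ever rendered into its dropdown, radio and checklist controls.
ALLOWED = {
    "plan": {"basic", "pro"},           # <select>
    "billing": {"monthly", "yearly"},   # radio group
    "addons": {"backup", "support"},    # checklist, may repeat
}
MULTI = {"addons"}
PRICES = {"basic": 5, "pro": 20}  # looked up server-side, never read from the request


def validate_form(body):
    """Validate an urlencoded POST body; return (clean_values, sorted_errors)."""
    fields = parse_qs(body, keep_blank_values=True)
    clean, errors = {}, []
    for name, values in fields.items():
        if name not in ALLOWED:
            # e.g. a field injected with an inspector or request editor
            errors.append(f"unexpected field: {name}")
        elif name not in MULTI and len(values) != 1:
            errors.append(f"duplicate field: {name}")
        elif any(v not in ALLOWED[name] for v in values):
            # value was never offered, so the control was edited client-side
            errors.append(f"value not offered for {name}")
        else:
            clean[name] = values if name in MULTI else values[0]
    for name in set(ALLOWED) - MULTI - set(fields):
        errors.append(f"missing field: {name}")
    if not errors:
        clean["price"] = PRICES[clean["plan"]]
    return clean, sorted(errors)


# Constructed sample bodies: one honest submission, one edited in the browser.
HONEST = "plan=pro&billing=yearly&addons=backup"
TAMPERED = "plan=enterprise&billing=yearly&price=0"

if __name__ == "__main__":
    for body in (HONEST, TAMPERED):
        print(body, "->", validate_form(body))
```

Rejected submissions are worth logging with the session and source address, since a value that was never rendered cannot come from normal use of the form.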