Search This Blog

Sunday, December 31, 2006

Snap shoot for other sites in youe ASP.NET project

Peace be upon you

I think a lot of people who works on CMS ( Content Management System ) or portals, were always asking how can do we make a live preview for the user in Image, Now I will start with this snap shoot for a web site for Mobile software -if the web is not snapped you will see "Thumoo"-

now lets begin this story :), first download the source code for Thumoo http://thumboo.com/
after that you can use it, sometimes you want to make a quick preview for the website + you don't want to open the web site you want to preview, what I am explaining here is little Fancy :D, which means it's not essintial , you can live wihtout it, but I like the idea and actually I like the way of this "Thumoo", I think it's so professional, the code is cool,it needs some enhancement but it's ok, you can do it your self when you use this code,
I wish this topic is useful for all of you


Please kick it for me :) kick it on DotNetKicks.com

Monday, December 25, 2006

What is Session ID and session hi-jacking?

Peace be upon you
My Dear Friend Mohamed Shehata asks about the session ID, now I am explaining it,
First have a look for this figure


When the user hit the web site name, what is happening?
actually there is a lot of hidden things happen and even some developers don't know what is happening or how is it happen, here we start
User hit the site name: The server do inital things to connect you to the excution of script (ASP,PHP,...)
Server creates a cookie in the client machin, this cookie called Session ID,
for sure any developer know and uses the Session Object, but do anyone think how the session id works, and how the session ID get to you the right information, it is simple, Script Engine(ASP Engine, PHP engine,...) do this for you, the engine creates the session ID which is the Key for the whole data row, the data row is the data you save in the session object, which is filtered by the session id which is save in the Client machin
did you got it ?:D
who the Hacker uses all of this, simply there is technique called session hi-jacking, this is depending on stealing the session from the client machin,this way when the engine tries to get the session id from the hacker machin the engine will not say anything it will give the web application the information depending on the session id,
this is way the hacker appear to the web site as the normal user,
how can the user get out of this trick, NO WAY FOR THE USER TO PROTECT HIM SELF
because as long as the hacker got your session id, then he is you :D, it's like passport without photo, as long as u carry it then anyone carry it will be the one,
How can developer protect his application from such attacks?
the beloved MSDN give us a little solution check this link out
MSDN TOPIC ABOUT SESSION HIJACKING
it really gives the key to protect your application and user from such attacks,


How do this thing used in hacking hotmail account?
when you login, someone send you link, you open it
the page redirect you to infected page of MSN ( infected with XSS Exploit ), the script is passed in the query string, but I grantee you will never see it, the encode it to HexaDecimel,
the script simply get all cookies in your session and pass it to other site, that save your data,
as long as you don't sign out, your session is a life, so u have to kill it by "SIGN-OUT", after that you are disappear for the site, if the hacker take your session ID and tries to use it, he will find that you are not signed in, simply he will be asked to enter the user name and the password, this way protect you but not so much, as I said before , you have to open any link came to you in other browser, WHY
because when you click on the link and when new window open, it inherit all of it's cookies with it, which means
when you open link, it will popup new window, this window contine the link that will still your information, when the hacker redirect you to MSN again (to steal your session id) he will get your data,
I wish it is useful

thanks for your time
Ahmed Essam

Kick it Please
kick it on DotNetKicks.com

Sunday, December 24, 2006

Intel has video repository

Peace be upon you

I think all of you like the idea that you don't have to read content in Channel 9 at msdn http://channel9.msdn.com/
I foundn that intel did something similar, and really it's amazing to have the video content which make you able to save some time and enjoy your self by videos,

here is the link I wish you all like it as I do, have fun :)

Intel Videos

Kick it for me ;) kick it on DotNetKicks.com

Friday, December 22, 2006

How do hackers Hack hotmail accounts?

Peace be up on you

some people talk to me before was wondering "How do hacker change thier hotmail accounts?"
simply I will explain how this thing works but I will not tell you how to do it :D because it's so evil, anyways let's begin

first of all the hacker depend on a famous error that no "Web Developer" full into it this Error is called XSS or Cross Site Scripting, the cross site scripting is a little problem that enable anyone to change something in the page content through the query string, that is passed between the web pages in a site, this is the first thing that hacker look for on the sites like "MSN" and "Hotmail"
the next stage is "Stealing your Session ID", but what is the session ID, Session Id is something like that enable the server to know that you is you :D, in anther way you can say that this Session ID hold a key when you request something from the server the server will check something like a table and get the rest of your information by it,
what is the problem then ? the problem is that this session ID is stored as cookies which means that anyone can get and it's so simple-check this topic "I have wrote it before" http://www.codeproject.com/useritems/externalmenuArgument.asp- after that the hacker send you something so normal that you will never doubt, the hacker will send you a link that will redirect you to any page that has the "XSS" problem, and it will contain a small script that take your session id and send it to anther site,
now the hacker has your session ID, but how he will use it, simply did you use opera browser before, this is the simplest way he will use opera to change his/her session id to appear to hotmail or MSN that he/she is you, after that he can , so anther trick that enable him/her to change your Email password, it depend on the same issue,
how to protect your self? it's little tough but you have to do it
Don't open any link by just clicking on it, copy it and open in anther browser
the other way it will be more tough is to disable the Javascript on the browser
the last note is to sign out after you do what you want to in your Email account,

I wish it really help please if you find anything wrong please post comment, we all seeking to learn :)
thanks for your time reading it :)

if you don't mind kick it for me :) kick it on DotNetKicks.com

Tuesday, December 19, 2006

Sending mail through Telnet

Peace be upon you

I think a lot of people uses the SMTP wrong :D, why am I saying this, simple because every referance I have read about it was about simple tasks for the mail
nothing complex, I have never seen anyone talk about authintication in SMTP, anyways lets begin doing this cool thing , I will explain every step

Open Start -> Run
type Telnet

here it comes black screen -lets suppose that our mail server called SMTP.Ahmed-Essam.com -

let's begin in the black screen

U : o smtp.Ahmed-Essam.com 25
S : 220
U : HELO MyDomain
S :250
U:AUTH LOGIN
S:VXNlcm5hbWU6 in this point you will need a base 64 convertor http://makcoder.sourceforge.net/demo/base64.php
U: "your user name after encoding with base 64"
S: 334 UGFzc3dvcmQ6
U: "your password after encoding with base 64"
235 Authentication successful
U:MAIL From: <Mail@ahmed-essam.com>
250 Ok
U:RCPT TO: <Target@mail.com>
S:250 Ok
U:data
S:354 End data with .
U:

To:Z3Zo3@Network.com
CC:Koar3@Masmt.com
Subject:Don't think about it a lot.
Date: Wed, 20 Jun 2029 20:18:47 -0400
Content-Type:text/html
testing the mail trhough telnet.
.

S: 250 Ok: queued as 3A60D32C036


did anyone notice something, the date and the all fake information we have put about the Email, here appear a little threat, U can't be so sure that ur Freind send u the Email you are reading,

anyways I wish u like this post :), C U next post,

I forgot to tell u, if anyone want to read his mail through the Telnet :) tell me to write post about it :)

I wish you like, thanks for your time.



Kick it for me kick it on DotNetKicks.com

Microsoft release Service Pack for VS2005

Peace be upon you

I felt so happey when I read this on Ayman Shoukry's blog, finally a lot of bugs had been fixed and this fixes had been collected in one package, anyways here is links to the Service pack and the topic for more details

Direct link to download the SP
http://www.microsoft.com/downloads/details.aspx?familyid=BB4A75AB-E2D4-4C96-B39D-37BAF6B5B1DC&displaylang=en
Link from VS Team
http://blogs.msdn.com/vsdteam/archive/2006/12/18/vs-2005-sp1-is-now-available.aspx