Monday, August 26, 2013
Prevent SQL Injection via Prepared Statements or Parameterized Queries


Hey Friends! In our last tutorial on How to prevent SQL Injection, we learned how Dynamic SQL queries and poor escape sequence and type handling make our websites vulnerable to SQL Injection attacks. If you ask me the reason, I will say it's only because of a lack of awareness of secure coding standards. If web developers know how to code securely and efficiently, then we can all avoid SQL Injection. So friends, today we will start with our very first article on how to write SQL code securely using prepared statements. Queries written using prepared statements are also referred to as Parameterized Queries. But before everything else we must understand what a Parameterized Query is, and then we will learn how to write Parameterized Queries securely in different web application languages. I will explain in the languages that I know (i.e. Core Java, Java Hibernate, .NET, ASP.NET, PHP and PERL); the rest you can learn from other references. So friends, let's start our tutorial on How to Prevent SQL Injection via Prepared Statements or Parameterized Queries.



What is Parameterized Query in respect to SQL?

A Parameterized Query is basically a type of SQL code which requires at least one parameter for its execution. A standard placeholder, i.e. "?" (without quotes), is normally substituted for the parameter in the SQL query, and then the parameter is passed to the query in a separate statement. Still not clear?

Consider an example: I wish to write a Dynamic SQL query where I have to select something from some table based on some condition. Say I have a table named "USERS_DATA" and I have to extract the records when custName = spaces. Here is how a normal user will write the Dynamic SQL query:


// UNSAFE: the request parameter is concatenated directly into the SQL text
String query = "SELECT * FROM users_data WHERE user_name = "
   + request.getParameter("custName");

try {
    Statement statement = connection.createStatement();
    ResultSet results = statement.executeQuery(query);
} catch (SQLException e) {
    // error handling
}

But the above Dynamic SQL is insecure and vulnerable to SQL Injection because the custName variable is not properly handled.

Now if I wish to write the Parameterized Query for the above Dynamic SQL query, then I first have to request the parameter custName, and it should be validated against input validation attacks. Then I will put "?" in place of the user_name field value, and in the next statement I will pass the value of the custName field into the query. Here is how it will look:

String customerName = request.getParameter("custName");  // perform input validation
String query = "SELECT * FROM users_data WHERE user_name = ? ";

 PreparedStatement pstmt = connection.prepareStatement( query );
 pstmt.setString( 1, customerName);
 ResultSet results = pstmt.executeQuery( );

Now you can see what a parameterized query actually looks like. ? is the standard placeholder and the custName field is passed after input validation checks.

I hope this gives you a basic understanding of what a parameterized query is and how we should write one. Our main goal is to understand how it will help us avoid SQL Injection attacks. So let's see the actual concept running behind it.


Prepared Statements (or Parameterized Queries)


All developers should understand the concept of prepared statements or parameterized queries before writing actual database queries. This will not only secure your website, it will also increase the readability of the SQL code and save you effort in fixing and understanding things.

Using prepared statements is just another way to write dynamic queries, but a faster, safer and easier way. Parameterized queries force web developers to first write the complete SQL code, and then pass each parameter as required. This helps in distinguishing between code and data regardless of what user input has been supplied to the SQL code. This is the step where the user input is handled, and hence it is what protects the query against SQL Injection attacks.

So with prepared statements, web developers prevent a hacker from changing the actual processing or functionality of the SQL query. But how? In the example of the parameterized query I have shown above, if a hacker passes some Blind SQL string, say 'a'='a', then the query will look for a customer whose name is literally 'a'='a' rather than logically interpreting it. So it prevented the SQL Injection. Didn't it? Of course it did.
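The difference described above, as an added example that is not part of the original post: the same lookup is run once with string concatenation and once with a placeholder, against an in-memory SQLite database from Python. The table contents, the function names and the use of Python's sqlite3 module are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the users_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_data (user_name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users_data VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("O'Brien", "obrien@example.test"),
        ],
    )
    return conn


def find_concatenated(conn, cust_name):
    """UNSAFE 'before' version: the input becomes part of the SQL text."""
    query = (
        "SELECT user_name FROM users_data WHERE user_name = '"
        + cust_name
        + "' ORDER BY rowid"
    )
    return [row[0] for row in conn.execute(query)]


def find_parameterized(conn, cust_name):
    """Placeholder version: the SQL text is fixed, the value is bound as data."""
    query = "SELECT user_name FROM users_data WHERE user_name = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(query, (cust_name,))]


def compare(conn, cust_name):
    """Return (concatenated result or error name, parameterized result)."""
    try:
        unsafe = find_concatenated(conn, cust_name)
    except sqlite3.Error as exc:
        # A quote inside legitimate data breaks the concatenated statement.
        unsafe = "error: " + type(exc).__name__
    return unsafe, find_parameterized(conn, cust_name)


if __name__ == "__main__":
    db = make_db()
    # An ordinary name, an always-true string, and a legitimate name with a quote.
    for value in ["alice", "x' OR 'a'='a", "O'Brien"]:
        unsafe, safe = compare(db, value)
        print(repr(value))
        print("  concatenated :", unsafe)
        print("  parameterized:", safe)
```

The last input shows that the placeholder also fixes a correctness problem: a real customer name containing a single quote is found by the parameterized query but breaks the concatenated one.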

Below is the list of standard functions available in languages that support Parameterized Queries:

  • Java : Use PreparedStatement() with bind variables
  • .NET / C# : Use SqlCommand() or OleDbCommand() with bind variables
  • PHP : Use PDO (PHP Data Objects) with the bindParam() function
  • Java Hibernate : Use createQuery() with bind variables (these are also called named parameters)
  • SQLite : Use sqlite3_prepare() to create a statement object

Usually the use of prepared statements won't hinder the performance of the SQL query, but if you think it is hampering performance, then the best possible solution is to escape all user-supplied input using an escaping routine specific to your database, rather than using prepared statements. For such situations we have another secure coding standard, the use of stored procedures, which we will discuss in an upcoming article of the series.

Now it's time to see how to write the above unsafe Dynamic SQL as a parameterized query in different languages.

1. Core Java or Standard Java : We have already seen this above, but for the sake of easy navigation I will write it again here. In standard Java we have the prepareStatement() function to write parameterized queries.

String customername = request.getParameter("custName");
String query = "SELECT * FROM users_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, customername);
ResultSet results = pstmt.executeQuery( );
 

2. .NET / C# : As explained above, we use SqlCommand() or OleDbCommand() with bind variables to write parameterized queries in .NET. Let's see its usage:

String query = "SELECT * FROM users_data WHERE user_name = ?";
try {
   OleDbCommand command = new OleDbCommand(query, connection);
   // Bind the text box value as a parameter instead of placing it in the SQL text
   command.Parameters.Add(new OleDbParameter("custName", CustName.Text));
   OleDbDataReader reader = command.ExecuteReader();
   // …
} catch (OleDbException se) {
   // error handling
}

3. PHP : As I have stated above, PHP uses PDO (PHP Data Objects) with bindParam() to write parameterized queries. Let's see how it looks in practice:

$stmt = $pdo->prepare('SELECT * FROM users_data WHERE custName = :custName');
$stmt->execute(array(':custName' => $custName));
foreach ($stmt as $row) {
    // do something with $row
}

4. Java Hibernate : In Java Hibernate, we use the createQuery() function to write parameterized queries. Let's see how it looks:

Query safeHQLQuery = session.createQuery("from users_data where custName=:custName");
safeHQLQuery.setParameter("custName", userSuppliedParameter);

5. ASP.NET : In ASP.NET we have SqlParameter() to write parameterized SQL queries. Let's have a look:

string sql = "SELECT * FROM users_data WHERE custName = @custName";
SqlCommand command = new SqlCommand(sql);
command.Parameters.Add(new SqlParameter("@custName", System.Data.SqlDbType.Char));
// custName holds the user-supplied customer name
command.Parameters["@custName"].Value = custName;

Well, that's all about Prepared Statements or Parameterized Queries. I hope you all understand the concept of how we can prevent SQL Injection using prepared statements or parameterized queries.

In our Next article on How to Prevent SQL Injection, we will learn how to use Stored Procedures to prevent SQL Injection.

Have Fun! Keep Learning. If you have any queries, ask me in the comments.




Saturday, August 24, 2013
Prevent SQL Injection attacks by Hackingloops - Part 1


SQL Injection is the most common and most popular website attack technique used by hackers to hack websites and own their databases. SQL Injection attacks are popular for 4 reasons: they are easy to exploit, hard to secure, helped by coders' negligence and, most important, helped by a lack of knowledge of secure coding. There are 100's of websites on the internet which teach you how to perform SQL injection to hack websites, but only quite a few which teach you how to prevent SQL injection. The only reason behind that is that people know how to exploit it because it's damn easy, but they don't know how to secure it. According to a survey on Injection Attacks held in March 2013 by IT security companies, the results were really shocking. Note: This survey was only for web developers, and approximately 60 thousand web developers participated in it.

  • 60% of developers had never heard the term "SQL Injection".
  • Out of the remaining 40%, 14% of web developers don't know "What is SQL Injection?".
  • Out of the 26% of web developers who know SQL Injection, 17% do not know how to prevent SQL injection, and 3% said they have security teams to look into vulnerabilities.
  • Only 6% of web developers know what SQL Injection is and how to protect their websites from SQL Injection.

That was survey data based on a very basic objective questionnaire; imagine what the actual scenario will be. Frankly speaking, at most 3-4% of web developers know how to protect against or prevent SQL Injection, i.e. secure coding.



But friends, there is no need to worry about SQL Injection. After reading these articles you can proudly say that you are among those 3-4% of coders who know secure coding standards. But before everything else you must know what SQL injection is and what its scope is, i.e. how much damage it can do to your website and database.

SQL Injection : Basic Introduction


First of all let's understand the words separately, i.e. break the term SQL Injection into SQL + Injection. What is SQL? SQL stands for Structured Query Language; it's used to query and manipulate a relational database. By querying, I mean selecting data from the database based on some conditions. By manipulating, I mean updating, deleting, inserting etc. on the database.
Injection, as the word implies, means injecting something extra into something. In the case of SQL Injection, it means injecting an extra piece of code into an SQL query to change its behavior. So this gives us the basic idea that SQL injection is going to put something extra into our existing SQL query, and what we have to do is stop this extra code from altering the actual SQL. But you guys will still be wondering how an injection impacts our query. Here are the two God Principles of why SQL injection occurs:

"SQL Injection can attack those SQL queries which are dynamically created by using some inputs from either program or user or some functionality."

"SQL Injection can also occur if escape sequences and types are not handled properly in the SQL query."

Let us learn the two God Principles in detail:

Dynamic SQL Queries

I am sure most of you have heard this term, but for newbies I will explain what dynamic SQL is.
Dynamic SQL is SQL code which is generated within a web application or from the system tables and then executed against the database to manipulate the data. The SQL code is not stored in the source program; rather, it is generated based on user input. This can include determining not only what objects are involved, but also the filtration criteria and qualifiers that define the set of data being acted on.
Using Dynamic SQL, we can create powerful web applications that allow us to create database objects and manipulate them based on user input.
Wow, what a feature! Is that really what is going through your mind? If yes, then calm down. Every dynamic query increases the SQL injection attack surface and makes your website prone to SQL Injection attacks. But how?

Consider the dynamic SQL below as an example:

String query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
Statement stmt = connection.createStatement();

ResultSet rs = stmt.executeQuery(query);
 
When the above query executes, it results in the SQL query below:


SELECT * FROM items WHERE owner = AND itemName = ;

This means the above query will extract all those results from the "Items" table where the owner name and itemname are empty or spaces. The above SQL statement is correct, but is it secure? Think about it.

Of course it's not secure. If you look closely, the above statement only behaves correctly if itemName does not contain a single-quote character. But why? Everything looks good. It's because the above dynamic query is made by concatenating a constant base query string and a user input string.

Since the itemName variable is not correctly validated, if a hacker enters something that is always true, the query will yield all the itemNames in the table. Don't understand the always-true concept? Consider an example: say itemName is a character field, then what about 'a'='a'? Since a will always equal a, this condition will always return true. Now what if we concatenate this to itemName for some user, say "Lokesh"? The query becomes something like below:

SELECT * FROM items
 WHERE owner = 'Lokesh'
 AND itemName = 'a'='a';

Then what if Lokesh is the admin of the website and he's the person who added all these items? Then the query will become:

SELECT * FROM items;

which is an absolutely generalized query that will result in sharing everything inside the Items table.

Isn't it dangerous? Of course it is! But how to prevent this? There are several ways of preventing it; below is one example using prepared statements. Here is how the dynamic query will look:

PreparedStatement stmt = connection.prepareStatement("SELECT * FROM items WHERE owner = ? AND itemName=?");
stmt.setString(1, userName);
stmt.setString(2, itemName);
ResultSet rs = stmt.executeQuery();

This code is not vulnerable to SQL Injection because it correctly uses parameterized queries. This is just an example; we will discuss all preventive measures in detail in coming articles.

Incorrectly Filtered Escape Sequences or Types

First of all we must understand what escape sequences are. Escape sequences are those characters which alter the normal behavior of the characters.
Escape sequences use an escape character to change the meaning of the characters which follow it, meaning that the characters can be interpreted as a command to be executed rather than as data.

Escape characters are different for different types of databases like Oracle, MySQL, SQL Server etc. We will discuss MySQL here as it's the most popular one and it's free.

MySQL supports two types of escaping modes:
1. ANSI_QUOTES SQL Mode
2. MySQL mode

ANSI_QUOTES Mode : It encodes all single quotes in the SQL with double quotes. But it's rarely used; we will discuss later why it's rarely used, because this type of escape sequence filtering is not considered completely fail-safe.

MySQL Mode : In MySQL, the MySQL mode is turned on by default for handling escape sequences. It uses the encoding pattern below; usually it's applied by default, but sometimes you have to manually encode these:

 NUL (0x00) --> \0
 BS  (0x08) --> \b
 TAB (0x09) --> \t
 LF  (0x0a) --> \n
 CR  (0x0d) --> \r
 SUB (0x1a) --> \Z
 "   (0x22) --> \"
 %   (0x25) --> \%
 '   (0x27) --> \'
 \   (0x5c) --> \\
 _   (0x5f) --> \_
 all other non-alphanumeric characters with ASCII values less than 256 --> \c,
 where 'c' is the original non-alphanumeric character.

The '%' and '_' entries are for escaping the wildcard characters used with the LIKE keyword.
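
One caveat on the '%' and '_' entries, shown as an added example that is not part of the original article: a bound parameter is still interpreted as a pattern by LIKE, so these two characters need escaping even inside a parameterized query. The example uses Python with an in-memory SQLite database and an explicit ESCAPE clause; the items rows and the function names are assumptions.

```python
import sqlite3

ESCAPE_CHAR = "\\"  # a single backslash, declared to the database via ESCAPE


def make_db():
    """Constructed sample rows for an items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (itemname TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?)",
        [
            ("100% cotton shirt",),
            ("100 watt bulb",),
            ("a_b cable",),
            ("axb cable",),
        ],
    )
    return conn


def escape_like(term):
    """Escape the LIKE wildcards % and _ so they match only themselves.

    The escape character is doubled first, otherwise a backslash already
    present in the input would combine with the ones added here.
    """
    return (
        term.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2)
        .replace("%", ESCAPE_CHAR + "%")
        .replace("_", ESCAPE_CHAR + "_")
    )


def search_items(conn, term, escape_wildcards=True):
    """Prefix search: itemname starts with the user-supplied term."""
    prefix = escape_like(term) if escape_wildcards else term
    # The trailing % is the only wildcard the application intends to use.
    pattern = prefix + "%"
    sql = (
        "SELECT itemname FROM items "
        "WHERE itemname LIKE ? ESCAPE '\\' ORDER BY itemname"
    )
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    for term in ["100%", "a_b", "%"]:
        print(repr(term))
        print("  bound, not escaped:", search_items(db, term, escape_wildcards=False))
        print("  bound and escaped :", search_items(db, term))
```

Without the escaping, a search term of "%" matches every row even though the value was bound with a placeholder.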

That was about escape sequences, but let's see practically with an example how escape sequences allow an SQL injection attack.

This type of SQL injection vulnerability occurs when user input is not correctly validated for the escape sequences mentioned above.
Consider the example below:

String query = "SELECT * FROM users WHERE name = '" + userName + "';";

Statement stmt = connection.createStatement();

The above SQL query is designed to pull up the records of the specified username from its table of users. It's a correct query, but is it secure? No, it's not. The userName field is vulnerable to SQL injection because the user input supplied for it is not properly handled for the single quote escape character.

The above SQL can be manipulated into an always-true condition by just passing an always-true condition in the userName field.

For example, if we replace the ' (single quote) with an always-true condition, i.e. ' or '1'='1, then this will yield all the users in the database. The query will become something like:

SELECT * FROM users WHERE name = ' ' OR '1'='1';

which is actually equivalent to 

SELECT * FROM users

This is similar to Dynamic SQL queries. This can be prevented too, using the above concept or using standard functions available in PHP like the mysql_query() function etc. This prevents attackers from injecting entirely separate queries, but doesn't stop them from modifying queries.

Similarly, an incorrectly handled type causes SQL injection. Incorrect type handling SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user-supplied input is numeric. For example:

 "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

If you take a close look at the statement, you will find that the author intended a_variable to be a number correlating to the "id" field. However, if it is in fact a string, then the end user may manipulate the statement as they choose, thereby bypassing the need for escape characters. This can result in severe damage to the database and even the whole web application.
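
An added example (not from the original article) of the type check described above, in Python with an in-memory SQLite database: the id is accepted only if it is a plain run of ASCII digits, and it is then bound as an integer parameter. The userinfo rows, the function names and the 9-digit limit are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample rows for the userinfo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO userinfo VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_unchecked(conn, a_variable):
    """UNSAFE 'before' version: the 'number' is pasted into the SQL text."""
    query = "SELECT name FROM userinfo WHERE id = " + a_variable + ";"
    return [row[0] for row in conn.execute(query)]


def parse_id(a_variable, max_digits=9):
    """Accept only 1..max_digits ASCII digits and return them as an int.

    Calling int() alone is looser than it looks: it also accepts
    surrounding whitespace, a sign, underscores and non-ASCII digits.
    """
    ok = (
        a_variable.isascii()
        and a_variable.isdigit()
        and len(a_variable) <= max_digits
    )
    if not ok:
        raise ValueError("id must be a non-negative integer")
    return int(a_variable)


def lookup_checked(conn, a_variable):
    """Type check first, then bind the integer with a placeholder."""
    user_id = parse_id(a_variable)
    query = "SELECT name FROM userinfo WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


def classify(conn, a_variable):
    """Return ('ok', rows) or ('rejected', None) for one input string."""
    try:
        return ("ok", lookup_checked(conn, a_variable))
    except ValueError:
        return ("rejected", None)


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a valid id, a non-numeric string, padded and empty values.
    for value in ["2", "2 OR 1=1", " 2", ""]:
        print(repr(value), "->", classify(db, value))
    print("unchecked, '2 OR 1=1' ->", lookup_unchecked(db, "2 OR 1=1"))
```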

So it's always recommended that we encode all escape sequences before using them in SQL code, else it will result in SQL injection.

Note: These two God Principles are not the only ways SQL injection happens; there are other things too, but these are responsible for at least 95% of SQL injection attacks.

This was the first tutorial of the SQL Injection Prevention series; there are at least 5 more to come in the series, so keep visiting for the latest ones.

Have Fun! Keep Reading! If you have any queries, ask in the comments.
11 Firefox Addons a Hacker Must Have and use


Firefox is one of the most secure web browsers in the world. Have you ever dreamed that we could use Firefox to hack like a pro? Firefox, like other browsers, has a feature called add-ons. Add-ons add additional functionality to your Firefox browser. There are thousands of Firefox add-ons available, but Hackingloops brings you the best and most effective hacking add-ons for Firefox. In short, we are listing the most popular and interesting Firefox add-ons that are useful for hackers. This list of 11 add-ons varies from information gathering tools to attacking tools. All these add-ons are available for free and you can download them from the Mozilla add-on website. So friends, let's see what Hackingloops has brought for you this time. I will list them from top (the ones I like most) to bottom, but note that all of them are extremely good tools.


11 Firefox Add-ons a Hacker Must Have and use


1. Tamper Data
Tamper Data is a great tool to view and modify HTTP/HTTPS headers and POST parameters. We can alter each request going from our machine to the destination host with it. Thus it helps in security testing web applications by modifying POST parameters. It can be used in performing XSS and SQL Injection attacks by modifying header data.
Add Tamper Data to Firefox:
https://addons.mozilla.org/en-us/firefox/addon/tamper-data/

2. Firebug
Firebug is a nice add-on that integrates a web development tool inside the browser. With this tool, you can edit and debug HTML, CSS and JavaScript live in any webpage to see the effect of changes. It helps in analyzing JS files to find XSS vulnerabilities. It's a really helpful add-on for security testing professionals in finding DOM-based XSS.
Add Firebug to your browser:
https://addons.mozilla.org/en-US/firefox/addon/firebug/
 
3. Hackbar
Hackbar is a simple penetration testing tool for Firefox. It helps in testing simple SQL injection and XSS holes. You cannot execute standard exploits, but you can easily use it to test whether a vulnerability exists or not. You can also manually submit form data with GET or POST requests. It also has encryption and encoding tools. Most of the time, this tool helps in testing XSS vulnerabilities with encoded XSS payloads. It also supports keyboard shortcuts to perform various tasks. I am sure most people in the security field already know about this tool. This tool is mostly used in finding POST XSS vulnerabilities because it can send POST data manually to any page you like. With the ability to manually send POST form data, you can easily bypass the client-side validations of the page. If your payload is being encoded at the client side, you can use an encoding tool to encode your payload and then perform the attack. If the application is vulnerable to XSS, I am sure you will find the vulnerability with the help of the Hackbar add-on for the Firefox browser.
Add Hackbar to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/hackbar/

4. Cookies Manager +
Cookies Manager is one of the greatest tools ever made. Using this tool you can actually play with cookies. You can alter almost any cookie using this tool. You can use Cookies Manager to view, edit and create new cookies. It also shows extra information about cookies, allows you to edit multiple cookies at once, and can back up and restore them.
Add Cookies Manager to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/

5. NoScript
NoScript's greatness is beyond imagination. With this tool you can monitor each and every script running on a website; you can block any of the scripts and see what a script actually does on the website. But this add-on is for experts; newbies will face problems using it. Note: If you are testing XSS, HTTPS header modifications or injection attacks on any website, you need to disable this plugin because it will not allow you to do so.
Add NoScript to Firefox:
https://addons.mozilla.org/en-us/firefox/addon/noscript/

6. Grease Monkey
Grease Monkey is the counterpart of NoScript; it actually behaves the opposite of NoScript. We use NoScript to block scripts and use Grease Monkey to run scripts. It allows you to customize the way a web page displays or behaves, by using small bits of JavaScript.
Add Grease Monkey to Firefox :
https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/

7. User Agent Switcher

The User Agent Switcher add-on adds a one-click user agent switch to the browser. It adds a menu and toolbar button to the browser. Whenever you want to switch the user agent, use the browser button. The User Agent Switcher add-on helps in spoofing the browser while performing some attacks.
Add User Agent Switcher to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

8. CryptoFox
CryptoFox is an encryption and decryption tool for Mozilla Firefox. It supports most of the available encryption algorithms, so you can easily encrypt or decrypt data with a supported encryption algorithm. This add-on comes with dictionary attack support to crack MD5 passwords. Although it doesn't have good reviews, it works satisfactorily.
Add CryptoFox to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/cryptofox/

9. SQL Inject Me
SQL Inject Me is another nice Firefox add-on used to find SQL injection vulnerabilities in web applications. This tool does not exploit the vulnerability but displays that it exists. SQL injection is one of the most harmful web application vulnerabilities; it can allow attackers to view, modify, edit, add or delete records in a database. The tool sends escape strings through form fields, and searches for database error messages. If it finds a database error message, it marks the page as vulnerable. Hackers can use this tool for SQL injection testing.
Add SQL Inject Me to Firefox:
https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me/ 

10.  XSS ME
Cross Site Scripting is the most commonly found web application vulnerability. For detecting XSS vulnerabilities in web applications, this add-on can be a useful tool. XSS-Me is used to find reflected XSS vulnerabilities from a browser. It scans all forms of the page, and then performs an attack on the selected pages with pre-defined XSS payloads. After the scan is complete, it lists all the pages that render a payload on the page and may be vulnerable to an XSS attack. Now you can manually test the web page to find whether the vulnerability exists or not.
Add XSS ME to Firefox:
https://addons.mozilla.org/en-us/firefox/addon/xss-me/

11.  Passive Recon
Last but not least, Passive Recon is a good information gathering tool.
PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information. It gathers information like the DnsStuff tool available on BackTrack.

Add Passive Recon to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/passiverecon/


That's all for today guys. I hope you all are enjoying your journey towards becoming a Professional Hacker. Have fun! Keep Learning.
 
 
Thursday, August 22, 2013
How to become a Professional Hacker | Hackingloops


Whenever I hear the word Hacker from anybody's mouth, it starts tickling my brain and my blood starts flowing fast through my nerves. Do you want to know why? Because I am a Hacker. Let's be precise: a Professional Hacker. Believe it or not, when some novice starts talking about hacking in front of a hacker, I am damn sure the hacker can never hold back for long. Maybe some can, but I won't. Almost every day we hear at least 1 negative news story about hackers, like Mark Zuckerberg's profile hacked by some hacker, or a particular organization or website hacked by some hacker, or a particular site's database leaked. Have you ever heard any media or news channel reporting that a particular hacker highlighted a bug or loophole in Facebook or Twitter or some organization's website? Ever? Of course not! Because the media only portrays the negative aspect of hackers. They misinterpret the scope of the word Hacker. Everything in this world is like a coin having two aspects, head or tail, i.e. good or bad. But it's still a coin; you cannot call it a tail coin or a head coin, you will always call it a coin. Similarly, hackers have two aspects, good or bad: the good, who highlight loopholes or bugs and fix them, and the bad, who misuse them for their own good or to harm others. But which is good and which is bad? Who defines it? But here we are not discussing types of hackers. We are discussing how to become a hacker, i.e. good and bad both.


How I got the inspiration to become a Hacker?

I was in the first year of my computer engineering course, where I met my very first mentor, Mr Abdul Kadir Sir (Lecturer @ AMU). He showed me some amazing things in his class related to IP addresses and networking and gave me a few good links to study more. I found it so interesting and unique that it became my passion and I started learning things quickly. But suddenly an incident happened: my email account was hacked, and that incident boosted my hacking journey to the next level. Now my motive became to learn how to hack email accounts. Searching for this, I visited at least 100+ hacking websites but the result was all the same. All the websites had the same novice methods like phishing, password guessing etc. and none of them worked :D Phishing worked sometimes for me but its ratio was 10:4. One day while doing so I thought, why not develop my own method to hack emails, but how to start? So I started from the very beginning: How does email work? What channels does it go through? And much more. And it worked; I have written my own scripts and tools to hack emails and much more. But believe me, that's not even 1 percent of hacking. My interest kept on growing, and in parallel my skills.

That's the only reason I never say no to people who come to me for hacking emails and Facebook kind of things, because I see a new hacker evolving. Now you guys may think this is not a so-called hacker but a cracker. So my answer is quite simple: "To become a good cop, you have to think like a criminal or sometimes become a criminal to enter their territory".

So that's about me and how I became a hacker. Now let's learn what things are necessary to become a professional hacker.

How to become a Professional Hacker?

10 fundamental steps to become a Professional Hacker:

1. Understand the concept of the 5 W's (What, Who, Where, When, Why) and 1 H (How).
Everything you work on or try to explore must have the 5 W's and 1 H concept in mind. What am I doing? Why am I doing it? For whom am I doing it? Where will it take me? When will I reach the destination, and how will I expand further?

2. Always be curious like a newborn baby, i.e. never miss anything, learn everything from the very beginning. A newborn baby is a symbol of curiosity: he wants to know how everything around him works and why. Become like a newborn baby. Listen to everyone carefully, read everything conceptually. Understand what a thing does and how it does it.

3. Be innovative : Always be innovative with your thoughts and never be satisfied with past success. If I do this, what will happen? How will it respond? This is the major step to avoid boredom and stagnancy.

4. Must have an urge to get better and better : The day you stop progressing, you are a dead man in technology. Technology is growing 100-fold; every day we have something new in the market. So keep up with it to remain alive.

5. Read as much content related to computers as you can: subscribe to computer or internet geeks' blogs, read manuals, articles, tutorials, whatever you get. Everything teaches something unique.

6. Understanding a code's logic or semantics is compulsory. Pick random code and try to analyze what it is for. How does it work? What will its output be? If you change something, what will the impact be?

7. Adopt the mindset of a hacker : As I have already explained above, to become a good hacker you have to think like one. That's why it's a must to learn both aspects of hacking, negative and positive. If you don't think like other hackers, you will not be able to focus on how someone is going to break into your system.

8. Learn like handicaps : This point comprises several things. For example, say you don't have a mouse: how will you navigate? Or say you don't have a keyboard: how will you write? Similarly, if you don't have a direct command or icon for some software, how will you use it? Use it from the command prompt, or best of all, practice on a Linux operating system, preferably a non-GUI version.

9. Learn how to program : I will not focus on one programming language, but you must master at least one syntactically and others fundamentally. For the rest, Google is there for syntax.

10. Must have a motive : Why do you want to learn hacking, why do you want to become a professional hacker, and how are you going to achieve it?


I hope this helps all of you and motivates you to become a Professional Hacker. I opted for it because I found it unique and interesting. It's up to you what you want to become; I can only teach you tricks, techniques, concepts etc. But it's you who has to be faithful to yourself to become a Professional Hacker. We all know we are born hackers, but we just need a spark to opt for it as a profession.

Hope this article lights a spark in you! Have fun. Keep learning, as it's the key to success.
How to Open Adf.ly links in India and other countries


Adf.ly is a free money-earning URL shortener service which pays its users for every visitor they bring to the site. A few days back, several international service providers, especially in India, the USA and the U.K., blocked Adf.ly sites for spreading piracy and malware over the web. Today I will share multiple techniques to open Adf.ly links in India and in other countries without using any proxy or third-party software. So guys, let's learn how to unblock Adf.ly website links in India. There are multiple ways to unblock it. But before that we must understand how ISPs block websites like Adf.ly etc.


How ISPs Block Websites in Countries?

The process of blocking content is very simple for an ISP (Internet Service Provider). After all, any content that is coming from a website to your computer has to travel through the ISP, giving it ample opportunity to observe and censor banned content.

Consider an example: you are on one bank of a river (i.e. your computer) and you have to visit the other side of the river (i.e. the internet, where all websites and content are located). The ISP is the bridge which connects your machine to the internet. So the ISP has the authority to decide whether or not you may cross the bridge to access the content. But we all know there are other ways to cross the river too, like swimming or flying and so on. Consider these other ways as bypassing the bridge, i.e. the ISP.

Each web page has a unique ID, i.e. an IP address, like a licence plate. If the government tells the ISP to block a specific page, it's added to the blacklist and isn't allowed on the bridge. The government could also block a full domain, such as Facebook.com, which would be like blocking all cars with DL plates instead of specific numbers.

I hope you understand how an ISP works. Now let's learn how to bypass an Adf.ly block imposed by ISPs.

Method 1: Changing normal web, i.e. HTTP, to secured web, HTTPS

1. Say you want to visit the Adf.ly website link

http://adf.ly/

2. Just replace HTTP with HTTPS and enter the URL. The URL will look similar to the one below:

https://adf.ly/

3. That's all.


Method 2: Adding a sub-domain to the website.

1. Say you want to visit the Adf.ly website link

http://adf.ly/

2. Just add v2. in front of the adf.ly link and it will open.

http://v2.adf.ly/

3. That's all.


So guys, enjoy the free web without any blockage. If you have any issues or queries, ask me in the comments. A note of appreciation is always welcome.