Well, first of all, I wouldn't openly say or talk about hacking a site on a forum, but the way I see it, any site is hackable, it just depends on how good a hacker you are. Try www.2600.com, it's all about hacking.
The first thing you need to learn is how to search for stuff, so I won't give you any URI's, just search for them:
Immortal Descendants, Greythorne, Mammon, Fravia, HCU, W00W00, Teso, Technotronic, Phrack (texts), Packetstorm, HNN, TL Security, BRSF, SWG, also check any site that lists defacements with mirrors, description of exploit and nmap traces, Dislessici, Razor, Fyodor (of nmap fame), Hackersclub, and check the white-hats as well: cert, sans, securityfocus, ISS.
If someone drops the soap you *will* remember the day you impressed your friends saying "dudez, m3 1337 h4x0r n0w! WoooWoo!"
I'm sorry for the post, but I didn't mean any harm, I just wanted to test the site I am trying to design! I wanted to know whether it is possible to access my site without being authorized (that sort of things...)! And if possible how the intrusion could be logged!
Without knowing how and in what and all ways someone could attack a site... how is it possible to test... I thought any of u may have some knowhow...
only that .........NO DEVILISH IDEAS..
maybe the way i presented the post was wrong...
Read about various firewalls, IDS, scanners n other OS fingerprinting methods.
Try scanning ur site externally to see what all data it shows, for example open ports, services running, OS name etc.
As trickykid said, each n every site is hackable.
All u can do is secure ur site as best as possible, but making it unhackable is something just not possible.
I can only be hoping you have read stuff about safe coding :-]
If you're going to test, try to make an assessment first, and then a plan. This will help you focus on the parts to test instead of results, because it can be quite hard to determine *where* a point of failure occurs, and if a lot happens you can kinda lose track of what to do. It also singles out tests that can't be automated, and helps to convince "buyers" (if you're in that situation) and/or server administrators you're not some maverick presenting another buggy app to the world.
Try to get an overview of the base components that make up the "static" package like the OS, the webserver, any application servers.
With static I mean just the stuff and its configuration, not any interpreted parts.
Now cruise around for nice options in new versions, vulnerabilities, signs of misconfiguration.
(Note a "webserver" will perform a single task and that is serve. It doesn't and shouldn't have a need for "r" services, user accounts, man pages, X, lpd, BIND, telnetd. Think lean and mean. And it'll save time looking for vulnerabilities in that.)
Try to get an overview for any application (+version!) your technical design relies on that deals with connectivity, presentation, manipulation or gathering of data (eg "interaction"), languages like Perl, PHP, Cfm, ASP, TCL, Pike, and any database, middleware, proxy or gateway stuff. All can have vulnerabilities either due to misconfiguration: not using chroots, permissions, bad authorization checking method, server runs as root, database over-privileged users, not scrubbing a generic install, or plain simple not checking of boundaries/validating input.
Now test the setup with all components thrown together. Make sure you don't focus on stuff like DOSsing (in essence the provider should take care of that), but on error handling, validation, performance under load, and if you documented/configured the previous parts well, this is the stage you try to gain access to the application(s) by trying to force "weird" stuff down its throat :-]
*Some stuff ain't necessary if the box you're testing on ain't the box it'll finally run on, but keep in mind any dependencies of your technical design might be affected by the move. That's why professional systems/agencies use a "staging" server for an extra quality check before releasing stuff.
I could ramble on about testing methodologies etc etc, but I hope this gives you a (very very) general idea to work with, for more specific questions on securing/security you're welcome in the security corner.
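
The "lean and mean" point in the last post (a webserver has no need for telnetd, lpd, BIND and the like) can be checked mechanically on a box you administer. The following is an added example, not part of any post in this thread: it compares listening TCP sockets against an allowlist of ports. The function names, the constructed sample data and the assumed input format (`ss -H -tln`, where field 4 is the local address:port) are assumptions.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets whose port is not on an allowlist.
# Assumed input: output of `ss -H -tln` (no header, field 4 = local addr:port).

# audit_listeners "<allowed ports>" < ss-output
# Prints one line per unexpected listener:
#   EXPOSED <addr> <port>   bound to a wildcard or routable address
#   LOCAL   <addr> <port>   bound to loopback only
# Returns 0 when every listener is allowed, 1 otherwise.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            la = $4
            i = match(la, /:[0-9]+$/)      # port follows the last colon (IPv6-safe)
            if (i == 0) next
            addr = substr(la, 1, i - 1)
            port = substr(la, i + 1)
            if (port in ok) next
            scope = (addr ~ /^127\./ || addr == "[::1]") ? "LOCAL" : "EXPOSED"
            print scope, addr, port
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: sshd and httpd plus three services the post says a
# webserver should not need (telnetd on 23, lpd on 515, BIND on 53).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 127.0.0.1:515 0.0.0.0:*
LISTEN 0 10 [::]:53 [::]:*
EOF
}

# Live use on your own host: ss -H -tln | audit_listeners "22 80 443"
sample_listeners | audit_listeners "22 80 443" || echo "unexpected listeners found"
```

Run from cron with the live `ss` command, a non-zero exit status gives a cheap alert when a new service appears on the box.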