FAQs | What we've been asked

If you want to know about us or about questions related to web application security, please ask via yehg contact form.

Ques: What does 'YGN' in "YGN Ethical .." stands for? Acronym of your group men's names?
=> It stands for the city we live in. YanGoN.

Ques: How do you think guys here who are learning hacking?
=> Most of them learn hacking to do illegal hacking, which will never do them good. They think hackers are those who deface/destroy web sites or systems on the Net. They are criminals. Cyberlaws in all countries take serious actions against cybercrimes. Every malicious activity can lead you to jail and charge you thousands of $ depending on how much damage you have caused. Don't follow ways to criminal. Look at cybercrime.gov.

Ques: How do you want to suggest for learning hacking?
=> A short and quick advice is - Learn all security/hacking basics and perspectives. Then choose one specialized area. There are dozens of specialized fields in security/hacking. So, if you're now a DBA or interested in Databases, then learn all databases - MS SQL, Oracle, Db2, MySQL and learn database hacking techniques and tools. You can be confident yourself you're smarter and more knowledgable than an average penetration tester.

Ques: What is the main difference between web developer and web application security guy?
=> Most web developers are not aware of and attentive to every security flaw that may exist in their applications. They adopt secure practice only if certain flaw such as SQL injection is notoriously prevalent. Even if they take secure approach, their approach can be broken because they don't know detailed knowledge in such flaws. Web App Sec guys must know every web application related vulnerabilities and countermeasures whether they are small or big. In security-critial applications like online-banking, so-called small flaws can pave the door way for attackers.

Ques: I underestimate XSS. How much big things can that Javascript alert box do ?
=> It's not to blame for an average who can't see biggest risk come together with a faw. JavaScript alert box is used to quickly test whether a web site is vulnerable to XSS or not. If this is vulnerable, it has to be determined what type of XSS flaw exists - Reflected, Dom-based, Attribute-based, Stored ..etc. Then attackers select distributable means which is either sending links to innocent people or posting links in newsgroups ...etc for attacking web site users. For example, they can inject a malicious script that launches any executables in your computer or that overwrites NTDETECT.COM without which your Windows system can't boot or worse changes your Home Router settings without your knowledge. Did you notice overall efficieny between a PC with and without an Internet connection though you ever update your Antivirus? Antivius solutions can't protect web-related threats much. For attacking web site administrators, they can inject scripts that automate stealing sensitive information, automate critical settings or inserting backdoor iframe that steals key logging and much more. Be aware that XSS is not all about Stealing Cookie as widely known.

Ques: Can you tell me variants about Blackhat, Whitehat and Grayhat?
=> Quoted from Grayhat Hacking: The Ethical Hacker's Handbook “If an individual uncovers a vulnerability and illegally exploits it and/or tells others how to carry out this activity, he is considered a black hat. If an individual uncovers a vulnerability and exploits it with authorization, he is considered a white hat. If a different person uncovers a vulnerability, does not illegally exploit it or tell others how to do it, but works with the vendor - this person gets the label of gray hat.”

Ques: How can I master in web hacking?
=> Generally, you can start from :
  1. Must learn basic to medium coverage of all web languages - PHP, ASP.Net, JSP, ROR, JavaScript/AJAX, Flash, Actionscript, Flex, CSS, XML ,...etc
  2. Develop and practise at least two small but usable web applications in each language
  3. Read the WASC Threat Classification(TC), OWASP Testing Guide(TG), CWE.
  4. Read and practice using good web security testing books (We recommend Web Application Hacker's Handbook).
  5. Play with WebGoat, Hackmebank, ...etc -  http://sourceforge.net/projects/virtualhacking/files/web/
  6. Hack the challenge sites - http://yehg.net/hwd/?id=c&go=99
  7. Download popular web applications (e.g. http://www.opensourcecms.com/ and hack them on your own testing machines. Do auditing codes as well. Submit your findings to developers.
  8. Give free security assessment to non-profit organization sites. Never search for security projects in freelance sites where all those guys will ask you to do illegal hacking.
  9. Do assessment according to WASC TC, OWASP TG, PortSwigger's Guide.
  10. Keep up with the times, trend of latest web attack techniques.
  11. Try to apply as an entry level web pentester in one of security companies - http://yehg.net/hwd/?id=c&go=88
No need to memorize.
Never use automated tools (one-click tools, I mean) alone.
Such Tools will lower your quality and skills and will make you miss important entry points in attacking.
Need to know what to do - which tools to use - which methods to apply.
Have all references in your hand.