Popular methods to hack your website and how to avoid them

 

Regarding the use of the Internet, particularly the World Wide Web (WWW) service, the world is going through an evolution phase. Today every big company or organization owns a website. These websites are used to promote their business and expand their operations so that the maximum number of consumers or users can benefit from the services they offer. Today billions of websites are hosted on the Internet and people are using them. But these websites carry security risks, foremost that they can be hacked. In this article we will see how websites are hacked and how you can defend against these methods.

Hacking

Hacking refers to the re-configuring or re-programming of a system to function in ways not facilitated by the owner, administrator, or designer. The term has several related meanings in the technology and computer science fields, wherein a 'hack' may refer to a clever or quick fix to a computer program problem or to what may be perceived to be a clumsy or inelegant (but usually relatively quick) solution to a problem.

The terms 'hack' and 'hacking' are also used to refer to a modification of a program or device to give the user access to features that were otherwise unavailable, such as by circuit bending. It is from this usage that the term 'hacking' is often used to refer to more nefarious criminal uses such as identity theft, credit card fraud or other actions categorized as computer crime.

Hacking a Website

With a proper understanding of the relevant programming languages such as C, C++, Perl, Java etc. one can be fully equipped with the technique of hacking into a website. There are backdoors for the web hackers for website hacking. For hacking web sites one of the best ways for the hacker is to install Linux on the personal computer he or she wants to hack from. Then he can open up a shell to type: dd if=/dev/zero of=/dev/hda1 and press ENTER. As the next step he will type: dd hf= (url). There are a few other alternatives for hacking sites as well. The web hackers using a Windows PC can also master the art of hacking websites with the flick of a finger.

The first step is to clean up the tracks so that the feds fail to trace the hacker. This happens automatically in the case of Linux. Cleaning up tracks on Windows systems involves a step-by-step procedure. Click Start, then Run, and then 'cmd.exe'. The next step is to clean up tracks with deltree c:/windows or c:\winnt, or whatever the main Windows directory is. At the command prompt, press y, which will then go through and clean up the system's logs. The hackers should perform the same steps again after hacking sites or wireless Internet sites. Then after this cleaning up the hackers should type: ping -l4000 (url).

Some of the common methods used for hacking a website are:

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Authorization Bypass
  • Denial of Service (DoS)
  • Password Cracking
  • Using Key loggers

SQL Injection

SQL injection is considered one of the most effective methods to hack a website. Many web developers are unaware of how SQL queries can be tampered with, and assume that an SQL query is a trusted command. It means that SQL queries are able to circumvent access controls, thereby bypassing standard authentication and authorization checks, and sometimes SQL queries may even allow access to host operating system level commands.

Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. This is accomplished by the application taking user input and combining it with static parameters to build an SQL query. The following examples are based on true stories, unfortunately. Owing to the lack of input validation and connecting to the database on behalf of a superuser or the one who can create users, the attacker may create a superuser in your database. Normal users click on the 'next', 'prev' links where the $offset is encoded into the URL. The script expects that the incoming $offset is a decimal number. However, what if someone tries to break in by appending a urlencode()'d form of the following to the URL?

insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
select 'crack', usesysid, 't','t','crack'
from pg_shadow where usename='postgres';
                        

If it happened, then the script would grant him superuser access. Note that 0; is to supply a valid offset to the original query and to terminate it. A feasible way to gain passwords is to circumvent your search result pages. The only thing the attacker needs to do is to see if there are any submitted variables used in SQL statements which are not handled properly. These filters can commonly be set in a preceding form to customize WHERE, ORDER BY, LIMIT and OFFSET clauses in SELECT statements. If your database supports the UNION construct, the attacker may try to append an entire query to the original one to list passwords from an arbitrary table. Using encrypted password fields is strongly encouraged.

How to secure your website against SQL Injection

You may plead that the attacker must possess a piece of information about the database schema in most examples. You are right, but you never know when and how it can be taken out, and if it happens, your database may be exposed. If you are using an open source or publicly available database handling package, which may belong to a content management system or forum, intruders can easily produce a copy of a piece of your code. It may also be a security risk if it is a poorly designed one.

These attacks are mainly based on exploiting the code not being written with security in mind. Never trust any kind of input, especially that which comes from the client side, even though it comes from a select box, a hidden input field or a cookie. The first example shows that such a blameless query can cause disasters.

  • Never connect to the database as a superuser or as the database owner. Always use customized users with very limited privileges.
  • Check if the given input has the expected data type. PHP has a wide range of input validating functions, from the simplest ones found in Variable Functions and in Character Type Functions (e.g. is_numeric() and ctype_digit() respectively) onwards to the Perl compatible Regular Expressions support.
  • If the application waits for numerical input, consider verifying data with is_numeric(), or silently change its type using settype(), or use its numeric representation by sprintf().
  • Quote each non numeric user supplied value that is passed to the database with the database-specific string escape function. If a database-specific string escape mechanism is not available, the addslashes() and str_replace() functions may be useful (depending on database type). See the first example. As the example shows, adding quotes to the static part of the query is not enough, making this query easily crackable.
  • Do not print out any database specific information, especially about the schema, by fair means or foul. See also Error Reporting and Error Handling and Logging Functions.
  • You may use stored procedures and previously defined cursors to abstract data access so that users do not directly access tables or views, but this solution has other impacts.
  • Another way to stop SQL injection when you use odbc_*: create two users, one with only select permission, the other with only delete, update, and insert permission, so you can use the select-only user to call odbc_exec while you don't have to check for SQL injection; and you use the d/u/i-only user to update the database by calling odbc_prepare and odbc_execute.
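
The type check and the "never build the query from raw input" advice from the list above, as an added example that is not code from the original article: a pagination query that accepts the offset only as a plain decimal string and passes it as a bound parameter. The `products` table, the function names and the in-memory SQLite database (needs the `pdo_sqlite` extension) are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Added example: table, data and function names are constructed for illustration.

/** Accept only a non-negative decimal integer supplied as a string. */
function parse_offset(string $raw): ?int
{
    // ctype_digit() rejects '', '-1', '1.5', '1e3' and '0; insert ...';
    // is_numeric() would accept '-1', '1.5' and '1e3'.
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

function fetch_page(PDO $db, string $rawOffset): array
{
    $offset = parse_offset($rawOffset);
    if ($offset === null) {
        throw new InvalidArgumentException('offset must be a decimal number');
    }
    // The value is bound as an integer and never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM products ORDER BY name LIMIT 2 OFFSET :off');
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (name) VALUES ('anvil'), ('bolt'), ('crate')");

// Constructed inputs: one normal page request and several malformed offsets.
foreach (['1', '-1', '1e3', '0; insert into pg_shadow'] as $raw) {
    try {
        $names = array_column(fetch_page($db, $raw), 'name');
        echo json_encode($raw), ' -> ', implode(', ', $names), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($raw), ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```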

Cross Site Scripting (XSS)

XSS is about malicious (usually) JavaScript routines embedded in hyperlinks, which are used to hijack sessions, hijack ads in applications and steal personal information. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigations implemented by the site's owner.

XSS or Cross Site Scripting is the other major vulnerability which dominates the web hacking landscape, and is an exceptionally tricky customer which seems particularly difficult to stop. Microsoft, MySpace and Google all have had problems with XSS vulnerabilities.

How to avoid XSS attacks

Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. Common vulnerabilities that make your Web applications susceptible to cross-site scripting attacks include failing to properly validate input, failing to encode output, and trusting the data retrieved from a shared database. To protect your application against cross-site scripting attacks, assume that all input is malicious. Constrain and validate all input. Encode all output that could, potentially, include HTML characters. This includes data read from files and databases.
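
Output encoding depends on where the value lands in the page. The following added example (not code from the original article) encodes one database row for element content, an attribute, a URL parameter and an inline script; the row contents and the helper names `html()` and `js()` are constructed for illustration, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Added example: the stored value and helper names are constructed for illustration.

/** Encode for HTML element content and quoted attribute values. */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a value for use inside an inline <script> block. */
function js(mixed $v): string
{
    // The HEX flags keep <, >, &, ' and " out of the emitted literal so it
    // cannot close the script element or a surrounding attribute.
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed row as it might come back from a shared database: it is treated
// as untrusted even though the application itself stored it.
$row = ['author' => 'Ann "A" <ann@example.test>', 'comment' => '<b>nice</b> & useful'];

?>
<article>
  <h2 title="<?= html($row['author']) ?>"><?= html($row['author']) ?></h2>
  <p><?= html($row['comment']) ?></p>
  <a href="/search?author=<?= html(rawurlencode($row['author'])) ?>">more by this author</a>
  <script>const author = <?= js($row['author']) ?>;</script>
</article>
```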

Authorization Bypass

Authorization Bypass is a frighteningly simple process which can be employed against poorly designed applications or content management frameworks. In this method the intruder tries to bypass the security checks implanted by the server or administrator. This method is useful only for websites with low or no security measures.

Authorization bypass, to gain access to the Admin backend, can be as simple as this:

  • Find weak target login page.
  • View source. Copy to notepad.
  • Delete the authorization JavaScript, amend a link or two.
  • Save to desktop.
  • Open on desktop. Enter anything into login fields, press enter.
  • Hey!!

How to Avoid Authorization Bypass attack

Use a proper protection mechanism to secure access to the server or main page of the website, and use strong encryption methods to secure sensitive information.
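
The bypass described above works only when the login check runs in the browser. As an added example (not code from the original article), a server-side guard in PHP that every admin page would call before producing output; the function names, session keys and the `$admins` array are hypothetical, and the site is assumed to be served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example: function names, session keys and $admins are hypothetical.

session_start([
    'cookie_httponly' => true,     // session cookie not readable from script
    'cookie_secure'   => true,     // sent over HTTPS only
    'cookie_samesite' => 'Strict',
    'use_strict_mode' => true,     // ignore session IDs the server did not issue
]);

/**
 * Called by the login form handler. $admins maps an admin user name to the
 * password_hash() output stored for that account (e.g. loaded from the database).
 */
function login(string $user, string $password, array $admins): bool
{
    $hash = $admins[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID once privileges change
    $_SESSION['user'] = $user;
    $_SESSION['is_admin'] = true;
    return true;
}

/** First call on every admin page: without a server-side session, no content. */
function require_admin(): void
{
    if (($_SESSION['is_admin'] ?? false) !== true) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo 'Forbidden';
        exit;
    }
}
```

A locally edited copy of the login page can still submit anything it likes, but the decision is made in `login()` and `require_admin()` on the server, so removing script from the page changes nothing.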

Denial Of Service

A denial of service (DoS) attack is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the resources, so that no one can access it. If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack.
There are several general categories of DoS attacks. Popularly, the attacks are divided into three classes:

  • Bandwidth Attack
  • Protocol Attack
  • Logic Attack

How to avoid Denial of Service attack

With the dotDefender web application firewall you can avoid DoS attacks because dotDefender inspects your HTTP traffic and checks its packets against rules, such as rules to allow or deny protocols, ports, or IP addresses, to stop web applications from being exploited. Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against DoS threats, cross-site scripting, SQL Injection attacks, path traversal and many other web attack techniques.

Password Cracking

Hashed strings can often be deciphered through 'brute forcing', particularly if your encrypted passwords/usernames are floating around in an unprotected file. These encrypted passwords can be decrypted and used to access the website. To gain access to passwords or an unsecured file you have to use Google hacking. This method is not as effective, as websites often use state-of-the-art protection measures.

Copyright Notice: No part of this article may be reproduced, translated, stored in a retrieval system, or transmitted in any form or by any means without prior written permission from the HTTPDebugger.com
