Six Ways A Website Can Be Hacked
In today’s world, one must think twice before claiming that (s)he is safe from hackers. Be it ordinary individuals, small companies, large technology corporations or even governments with vast resources, it seems everybody falls victim to a hacking incident these days.
We collected the top 6 risk factors affecting most websites. The list aims to give you a quick 360-degree panorama of the security risks websites face.
1. Web Application Vulnerabilities – it (usually) begins with an encoded escape character…
A significant portion of vulnerabilities arise from insufficient input validation: user-supplied input "somehow" makes its way into program code, a query or a command, and gets executed. Typical examples of the inputs hackers use as escape characters are the apostrophe (') and the quotation mark ("). An attacker can URL-encode or HTML-encode them (so the injected values become %27, %22, &#39; or &quot;) to slip past simple filters. If input validation is poorly implemented and fails to detect such escape characters, the attacker is free to inject code as well.
There are well-known examples like SQL injection and XSS, and then the ones that usually get overlooked, such as OS command injection and the various kinds of code injection. Although most cases are easily preventable by preferring whitelisting over blacklisting and by using up-to-date, proven libraries, these attacks still pose a great risk to websites. OWASP's famous Top 10 list of the Most Critical Web Application Security Risks is a comprehensive and respected guide in this field. Luckily for us all, an update to the current 2013 version will be released in July 2017, and it is already available now as the Top 10 2017 Release Candidate.
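The "encoded escape character" problem above, as an added example that is not part of the original article: a login check that blacklists the apostrophe on the still-encoded value and then decodes it (so %27 and &#39; turn back into a quote inside the SQL string), beside a version that decodes first, whitelists the username format and uses a parameterised query. The user table, credentials and username rule are constructed for the example.

```python
import html
import re
import sqlite3
import urllib.parse


def make_db():
    """Constructed in-memory user table (sample data, not from the article)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def decode_input(raw):
    """Undo URL-encoding and HTML entities so the validator sees real characters.
    An attacker sends ' as %27 or &#39; precisely so that a filter applied
    before decoding never sees the apostrophe."""
    return html.unescape(urllib.parse.unquote(raw))


def login_vulnerable(con, name, password):
    # Blacklist applied to the raw, still-encoded value: no quote is visible...
    if "'" in name:
        return False
    name = decode_input(name)  # ...then the quote reappears after decoding
    # String-built SQL: the decoded input becomes part of the statement text
    query = (f"SELECT COUNT(*) FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return con.execute(query).fetchone()[0] > 0


# Whitelist: what a username may legitimately contain (assumed rule for the example)
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def login_safe(con, name, password):
    name = decode_input(name)  # normalise first, then validate
    if not USERNAME_RE.fullmatch(name):
        return False
    # Parameterised query: the input is bound as data, never spliced into SQL
    row = con.execute("SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
                      (name, password)).fetchone()
    return row[0] > 0
```

With the username `alice%27%20--%20` (which decodes to `alice' -- `) the vulnerable version authenticates without a password, because the decoded quote closes the string literal and `--` comments out the password check; the safe version rejects the same value at the whitelist step, and even a value that passed it could not alter the query.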
Hackers also make use of search engines to locate sites containing these vulnerabilities (a.k.a. "Google hacking").
Other significant examples in this category are file inclusion and IDOR (Insecure Direct Object Reference), which are observed less frequently but are definitely deadly. While a file inclusion vulnerability in your web application may permit code execution on your server, an IDOR in a banking application may let an attacker access other customers' bank accounts.
Thorough and regular web application security tests are a must, especially if your website contains or processes financial transactions and/or other sensitive data.
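The two flaws named above, as an added example that is not from the original article: a template include that joins a request parameter onto a directory path (so a relative path escapes the folder) beside an allowlist that maps a page name to a fixed file, and an account lookup keyed only by the id from the URL beside one that checks ownership. The template directory, the secret file and the account records are constructed in a temporary folder for the example.

```python
import tempfile
from pathlib import Path

# Constructed sample environment: a template folder and a sensitive file one level above it.
ROOT = Path(tempfile.mkdtemp())
TEMPLATES = ROOT / "templates"
TEMPLATES.mkdir()
(TEMPLATES / "home.html").write_text("<h1>Home</h1>")
(TEMPLATES / "about.html").write_text("<h1>About</h1>")
(ROOT / "secret.txt").write_text("db_password=hunter2")  # constructed secret


def include_vulnerable(page):
    """Local file inclusion: the ?page= value is joined straight onto the path,
    so '../secret.txt' reads outside the template folder."""
    return (TEMPLATES / page).read_text()


# Allowlist: the user chooses a key, never a path (assumed page map for the example)
PAGES = {"home": "home.html", "about": "about.html"}


def include_safe(page):
    if page not in PAGES:
        raise ValueError("unknown page")
    return (TEMPLATES / PAGES[page]).read_text()


# Constructed account records keyed by the id that would appear in the URL
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250},
    1002: {"owner": "bob", "balance": 90},
}


def account_vulnerable(account_id):
    """IDOR: whoever knows (or guesses) the id gets the record."""
    return ACCOUNTS[account_id]


def account_safe(current_user, account_id):
    """Authorisation check: the record must belong to the authenticated user."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != current_user:
        raise PermissionError("account does not belong to the current user")
    return record
```

The fix in both cases is the same principle: the client supplies a selector, and the server decides what that selector is allowed to resolve to for this user.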
2. OS Vulnerabilities – Achilles' heel
Hackers are well-informed workers. They discover new vulnerabilities every day. Whether your site runs on the latest version of Windows or a flavor of Linux, patch management is a key activity for protecting you from newly emerging threats.
After a hacker gains a foothold on a server, a lack of OS patches often provides the missing link for escalating their privileges from low-profile OS accounts like www-data or apache to root on Linux systems, or from a member of IIS_IUSRS to NT AUTHORITY\SYSTEM on Windows.
And don’t forget the OS vulnerabilities that directly give away the keys to the kingdom, such as MS08-067 or MS09-050. A vulnerability scan on a large corporate network could still reveal such old vulnerabilities, as well as many similarly critical but newer ones.
3. Web Server or Content Management System Vulnerabilities – Didn’t you forget something?
Default credentials! The “sudden death” kick in any penetration test. The first item on any hacker’s checklist. So classic, yet still so effective. And yes, at some point most of us must have left a default password unchanged.
Check if the door is already open before trying to pick the lock, most hackers would say. Default passwords of programs are easily found with a simple Google search.
Placing administration interfaces in an easily discoverable folder (e.g. /wp-admin, /admin, /administrator or /config) is more common than you might think. This lets hackers perform brute-force attacks. Tools such as DirBuster (for page discovery) or Hydra (for brute-forcing) are very effective.
Besides such classic vulnerabilities, misconfigurations in Cross-Origin Resource Sharing (CORS) or Flash/Silverlight cross-domain policies override the same-origin checks and permit malicious websites to perform XSS or CSRF attacks against your visitors.
A hardening checklist comes in handy for preventing such vulnerabilities.
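Brute-forcing an exposed admin login leaves a very recognisable trace in the access log, and the defender's counterpart to the attack is spotting it. The following is an added example, not code from the original article: it parses Apache combined-format lines and flags any client that hits an admin path more than a threshold number of times within a sliding window. The log lines are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges), and the admin path list and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in Apache combined format (not real traffic).
LOG_LINES = [
    '198.51.100.7 - - [08/Apr/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Apr/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Apr/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Apr/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Apr/2017:10:00:06 +0000] "GET /blog/ HTTP/1.1" 200 8814 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Apr/2017:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Apr/2017:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Apr/2017:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Apr/2017:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Apr/2017:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed list of paths that only administrators should be touching
ADMIN_PATHS = ("/wp-login.php", "/wp-admin", "/admin", "/administrator", "/config")


def admin_hits(lines):
    """Map each client IP to the sorted timestamps of its admin-path requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if any(m["path"].startswith(p) for p in ADMIN_PATHS):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append(ts)
    for times in hits.values():
        times.sort()
    return hits


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak hits} for clients whose admin-path requests reach
    `threshold` inside any `window`-long interval (two-pointer sliding window)."""
    suspects = {}
    for ip, times in admin_hits(lines).items():
        start = 0
        peak = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop requests that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            suspects[ip] = peak
    return suspects
```

In the constructed data the client at 203.0.113.5 makes seven login attempts in twenty seconds, the last of which is answered with a redirect; the legitimate administrator at 198.51.100.7 visits /wp-admin/ once and is not flagged. A burst like this is also the point at which a rate limit or account lockout on the login endpoint should already have kicked in.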
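A CORS misconfiguration of the kind mentioned above, as an added example that is not from the original article: two server-side policies that effectively disable the same-origin protection (reflecting any Origin header with credentials allowed, and a suffix match that a look-alike domain passes) beside an exact-match allowlist. The origin names are constructed for the example.

```python
# Constructed allowlist of origins permitted to call this API with credentials
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}


def cors_headers_reflecting(request_headers):
    """Misconfiguration 1: echo whatever Origin arrives, with credentials allowed.
    Any page on the web can then read responses sent with the victim's cookies."""
    origin = request_headers.get("Origin")
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix_match(request_headers):
    """Misconfiguration 2: a 'looks like our domain' check. A registered
    look-alike such as attacker-example.com satisfies endswith()."""
    origin = request_headers.get("Origin", "")
    if origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers_safe(request_headers):
    """Exact match against a fixed set. 'Vary: Origin' stops a shared cache
    from replaying one origin's Allow-Origin header to a different origin."""
    origin = request_headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}
```

Note that the literal origin "null" (sent from sandboxed frames and some local files) is treated like any other unlisted origin by the safe version, while the reflecting version happily allows it.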
4. Shared Hosting
If your website is hosted along with 300 other sites on the same server, what is the probability of one of them having a critical vulnerability? The likelihood increases even further, if some of those sites were not authored by professionals.
Hosting providers tackle such risks by logically isolating each website's resources, for example by using separate database credentials and limiting OS permissions, as well as by robust patch management.
Hackers may have the upper hand here, though. It is hard, meticulous work for a hosting provider to secure hundreds of sites, but it is easy for a hacker to get a list of all websites hosted at a specific IP address, thanks to search engines like Bing. (If your site is on shared hosting, try Bing with the following search phrase: "IP:your-server's-IP".) Some "Google hacking" or a vulnerability scan may then let them locate a weakness and gain a foothold in one of those websites.
5. Other Server-side Vulnerabilities – Libraries, components, network devices…
As of 8 April 2017, a simple Shodan query for the Heartbleed vulnerability still returns more than 182,000 results: IP addresses, server geolocation information and more. And high-quality exploits are publicly available on Exploit-DB.
The situation is similar for the other infamous vulnerabilities that have emerged in recent years, such as Shellshock, POODLE, DROWN, GHOST, FREAK and MS Windows Schannel.
Performing regular vulnerability scans is a must, if you want to avoid being listed on Shodan.
6. DNS Poisoning – A Phantom Menace
Ensuring the security of your server is a lot of hard work and definitely an important achievement. However, it does not guarantee the security of your website users, in today’s complex threat landscape.
Meet DNS poisoning. This sinister attack aims to manipulate the IP resolution data cached on DNS servers, thereby causing the DNS server to direct users to the IP of a hacker-controlled fake server. Such attacks are very hard for an end user to detect, yet they can easily be used to steal session cookies, login credentials, credit card information and other sensitive data.
In this kind of attack, the attacker may have compromised your ISP's DNS server and redirected your website's name to their own server, and the user would not be able to tell that it was DNS that was hacked. As such, it is important to find a trustworthy DNS provider that has the right security measures in place to reduce the risk of DNS poisoning.
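One of the "right security measures" a resolver applies against poisoning is to refuse any reply that does not match an outstanding query, and to cache only the records it actually asked for. The following is an added example, not code from the original article: a minimal DNS wire-format builder and the acceptance checks a resolver should make (transaction ID, response flag, question match, and the in-bailiwick rule for answer records). The messages, host name and addresses are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges), and name compression pointers are deliberately not handled.

```python
import os
import struct


def encode_name(name):
    """Encode a dotted host name as DNS labels (no compression pointers)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"
    return bytes(out)


def decode_name(msg, off):
    """Read labels at offset `off`; return (name, offset after the name)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_query(name):
    """Standard A-record query with a random 16-bit transaction ID."""
    txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD
    return txid, header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ip, answer_name=None):
    """Constructed reply carrying one A record. With a wrong txid or a
    different answer_name it stands in for a forged (poisoning) reply."""
    answer_name = answer_name or qname
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(answer_name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def accept_response(msg, expected_txid, expected_name):
    """Checks a resolver makes before trusting a reply. Returns the list of
    accepted A-record addresses, or None if the reply is rejected outright."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        return None  # ID does not match our query: forged or stale, drop it
    if not flags & 0x8000 or qdcount != 1:
        return None  # must be a response, echoing exactly one question
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if qname.lower() != expected_name.rstrip(".").lower() or qtype != 1:
        return None  # answers a question we never asked
    addresses = []
    for _ in range(ancount):
        rname, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        # Bailiwick rule: only cache records for the name that was asked about.
        # Unsolicited records for other names are what cache poisoning relies on.
        if rname.lower() == qname.lower() and rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses
```

A real resolver adds a randomised UDP source port to the random transaction ID, which makes blind forgery far harder, and DNSSEC validation rejects forged records cryptographically; those are the measures to ask a DNS provider about.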
Getting acquainted with these risks, attack methods and protection mechanisms is critical to safeguarding your systems. Whether you are running a humble personal blog or a large e-commerce site, be mindful of security threats and keep yourself up to date. You can also consider implementing web security solutions such as a WAF, scanners, etc. to secure your website. Play it safe and check out https://www.banffcyber.com.
Authored by: Reha Esen, CISA
Edited by: WebOrion Team