Protecting a website means thinking like a hacker

13 November 2018
hacker
It is always frightening when a website is hacked, especially when the content of the homepage is changed (defaced) or the data is shared with the competition. To protect yourself, it is necessary to understanding hacking techniques. A reminder of the basics by Christophe Villeneuve.

Hackers employ a range of different procedures - with or without the use of tools - to gain control of a website. But by the time we have noticed it is too late.

 

How to avoid the inevitable

You need to learn hacking techniques and use them to defend yourself. This approach is legal and is used by IT security experts nicknamed ‘White Hats’. They conduct intrusion tests to find and correct any weaknesses, as well as ensuring the security of information systems within their organisations. This falls within their remit as ‘pentesters’, a contraction of ‘penetration testers’. A whole host of solutions exists to ensure compliance with good practices during the design phase but all too often they are overlooked.

As for cyber criminals, they like to be discreet. They start with a visual reconnaissance of a website to analyse any potential hacking gains. They then scan the network to find a 'back door’. They finish by setting up a process to hide their traces to ensure they cannot be identified in the operational phase.

 

Direct attacks

hacker_1

 

This is the most simple type of attack. The hacker directly attacks the website from his/her computer using scripts and software developed by others that can be found easily on the internet. These hackers are pejoratively known as ‘script kiddies’ due to their lack of technical skills. Identifying inexperienced attackers is easy.

Using logs, it is possible to find the hacker’s IP address. In this case, the solution is to simply blacklist the address. It can be blocked for a certain period of time in the event that the attack is repeated. The attack can be stopped in this way.

 

Indirect bounce attacks
pirate

This type of attack is popular among hackers as their identities remain hidden. The principle is simple: the attack is carried out via an intermediary computer, which redirects any actions to the victim site. The aim of these indirect attacks is to steal CPU power, memory, bandwidth, etc. of the intermediary computer. This method of attack relies (among other things) on FTP Bounce software, which steals an identity to allow access to confidential data when the server filters the incoming IP addresses.

This makes it much harder to identify the attacker. It is possible to identify the intermediary computer but much harder to find the source.

 

Indirect response attacks

attaque indirecte

This is a variation of the aforementioned hacking technique and has the same advantages from the cyber criminal’s point of view.

In this case, the intermediary computer is not directly attacked. The hacker simply sends it a query. When the machine is used, the response is sent to the victim computer and the attack commences.

Because a third-party computer is used, identifying the hacker is complicated.

 

Web page attacks

Web browsers are software programmes that display web pages. There are several on the market. The most popular are Firefox, Chrome, Edge, Opera and Safari. Their role is to interpret what they receive and respond to different queries. The data is public and hence is accessible to everyone. If the displayed code does not comply with best practices, there is a hacking risk as techniques exist to steal data via the browser.

Below are instructions on how to hack a page; 

The structure of a page, even its tree diagram, can be consulted easily. Simply press [CONTROL]+[U] or right click on ‘view source’. The page content can be selected via [CONTROL] + [A], copied [CONTROL]+[C] in any text editor such as Bloc-note or Notepad, and then saved on the hard disk in HTML. Then delete all the useless scripts like the JavaScripts and the functions which validate the fields. Then modify the tag by adding a relative (complete) path in the FORM tag: <_form………action = http://www.monsite.com/login ………>. When running a page locally, you must re-enter the identifiers and passwords; these are then saved in the database. A user account has now been created and is accessible, although it was originally non-existent.

To counter this type of attack, it is necessary to test the source of the data before it is added to the database. The way to do this is to check if the page’s URL corresponds to the correct page e.g. if the sent data comes from the ‘contact.php’ page:

<?php

if ($_SERVER['HTTP_REFERER']=="contact.php")

{

     echo "identical page";

}

else

{

die (Error from");

}

?>

Many shared folders can be accessed from the source code such as:

  • includes, inc, lib, etc, ini, conf
  • admin, adm, administrator, errors, classes
  • hidden, protected, archives, bills,

But also:

  • images: img, image, images;
  • JavaScript libraries: js, javascript, lib.

From the browser, enter one of the aforementioned folders to gain access to several items. For example, https://www.votreSite.fr/www will redirect the user to:

directory

 

 

From this folder, you can find documents, invoices or even folder wizards: .svn, .git, .ssh, .bash_history… The robots.txt file contains information about protected files such as access codes to the database and the user table.

Resolving this issue consists of inserting an index.php file in all folders and sub-folders. The latter can be done as follows:

<?php

header("Location: ../index.php");

?>

The header function, using the PHP language, sends an HTTP header i.e. it loads a new web page by losing the path of the previous button.

header

 

To test whether this has worked, let’s take the example of accessing a document. This URL is found on a web page: http://votreSite/download/categorie/famille1/document.pdf. The cybercriminal will try to access this folder by retaining the path: http://votreSite/download/categorie/famille1/ but will end up directly at the root of the website because the index.php file will run.

 

The navigation bar is another entry point for accessing the web pages of a website.

The links can be shown in two ways: http://votreURL/page=index.php ou http://votreURL/page=contact.php . These URLs show that a website calls on the same template to display the content of a page. The hacker can use these addresses to send malicious code: http://votreURL/page=<script>alert (‘coucou’) ;</script> or http://votreURL/page=&lt;script&gt;alert (&apos ;coucou&apos ;) ;&lt;/script&gt; Whatever way is used to send a character, the browser will interpret it as shown in the table.


tableau

 

The solution remains limited even with the use of filters. The best solution is to use clear links such as: http://votreURL/index.php ou http://votreURL/contact.php .

 

Attacks via forms

A form is a page comprising one or more fields to access additional pages.

The identification form is used to access a personal space/account i.e. only the user in question an access this area. A hacker does not necessarily want to obtain the password of a lambda user, rather he/she will try to discover the password of the user with the most rights e.g. the website administrator, a super admin or an ID 1.

The most common mistake is to use the same password i.e. in development and production. It is not unusual to find passwords such as 'ROOT' or 'admin' in production. However, even if the password is unknown, it is possible to directly access the database by performing a small SQL injection as follows:

password

The image shows an identification form with two fields: login and password. This form then grants access to the private account:

<?php

$login = $_POST['login'];

$password = $_POST['password'];

$sql="

SELECT id FROM user WHERE

login = $login

AND

password = $password

");

$result=query ($sql);

if ($result)

echo "Welcome to your account";

else

echo "Account not known";

?>

If no quote (quotation marks) exists in the SQL query, unwanted code may be sent. When sending form data, the identifiers are unknown. Consequently, it is advisable to send information of this type from a data entry form:

<?php

$login=" '' OR 1 ";

$password =" '' OR 1 ";

?>

We then obtain the following query:

sql = "SELECT id FROM user WHERE login = '' OR 1 AND password = '' OR 1 ";

Once the query has been executed, it sends this message:

Welcome to your account

So, we are connected even though we do not have an account. The consequences are disastrous because user accounts and their associated data can be stolen: emails, credit card details, coupons, activation keys, etc.

Protection consists of grafting on special characters contained in the character strings entered by the user. Adding these quotes will block the insertion of malicious code. For example, in PHP it is possible to incorporate the addslashes function to the variable sent by the form:

<?php

$login = addslashes($login);

$password = addslashes($password);

?>

Consequently, the query becomes:

SELECT id FROM user WHERE login = \'\' OR 1 AND password = \'\' OR 1

The response to this query will be:

Account unknown

Thus, the hacker can no longer use this technique to access the personal account. Another solution exists and includes an intermediate step, as it has to go through a prepared query.

The ‘action’ field in a form can also be targeted. It is important to pay attention to different types of attacks as a hacker can perpetrate several attacks at the same time.

To prevent this, it is a good idea to add a PHP_SELF variable to the character strings. It returns the running script and the name and path of the current file. Most of the time it is used in the form’s ‘action’ field. In fact, its title is only useful when designing a form.

The PHP_SELF function is written as follows:

<?php

echo $_SERVER['PHP_SELF'];

?>

If it is found on http://votreSite.fr/contact.php, you will obtain /contact.php by using it. In the case of a form, it places itself in the action field of the <form> tag and is triggered when the user hits the ‘Send’ button.

Using this variable is not compulsory but is very useful. Without it, it is impossible to know the name of the page corresponding to a comment left at the bottom of an article for example.

texte

 

Inserting PHP_SELF in a form is carried out as follows:

<?php

if (isset ($_POST) && (sizeof($_POST) > 0))

{

echo "Your input: ".$_POST['input']."<br />";

}

?>

<html>

<body>

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Your text : <input type="text" name="input" />

<input type="submit" value="Submit" />

</form>

</body>

</html>

The example shows that, on the same page, there is a data entry part and a processing part. The sent data will be processed if the action has been triggered.

However, this variable carries a security risk as it can be subject to XSS attacks. The solution to prevent this type of PHP attack is to employ htmlentities(). The <form> line is composed as follows:

<form method="POST" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>">

It is essential to do the same for all the entered variables in order to obtain the result below, otherwise the injection will be processed as follow:

echo "Your input: ".htmlentities($_POST['input'])."<br />";


saisie texte

 

Network attacks

There are different command-line attacks on Windows with 'CMD' and on Linux via the console.

Denial of Service' (DoS) attacks send a large number of queries at the same time in order to crash the website (for the time required to reboot the server) due to a memory overflow, commonly known as a ‘Buffer Overflow’. There are several ways to achieve server or firewall saturation e.g. the storm sync with a maximum of TCP/IP links, the lock flood system that enters the log file of the firewall frequently enough to saturate it, the data flood, and the open-close. These attacks are carried out by a group of people or several intermediary machines.

There is no silver bullet to mitigate these types of attacks. However, cloud offers and regular security management can limit problems. In terms of the server, it is possible to install a firewall that filters the input and output of the gateway. Another solution is to add an intrusion detection tool on the gateway. However, only regular audits and continuous integration can limit the risk of attacks.

 

CMS and Framework attacks

With only limited technical know-how, it is easy to determine the CMS or Framework used to build a specific website. All you need to do is look at the page’s source code from the browser.

The most common CMSs on the market are:

This information, available in plain text, indicates the paths to files, modules, etc.

The previously listed attacks are difficult to carry out on these CMS, which natively offer all the protection techniques and solutions mentioned above. Therefore, a hacker will employ different approaches such as exploiting flaws in modules or associated plug-ins, or those detected on sites referencing them as CVE security or CVE details. By consulting these sites, it is not only possible to discover the security flaws but also the techniques used to hack a website at its origin.

vulnerability trends

Therefore, it is important to be aware of any flaws and the various listed alerts.


SQL injection vulnerability
CVSS Scores and Vulnerability Types

 

Moreover, it is advisable to have regular CMS updates to prevent any unpleasant surprises.

The tools

To help administrators manage and simulate attacks, a wide range of tools are available on the market. The most common families of solutions are:

  • intrusion testing platforms e.g. metasploit or Aircrack-ng;
  • password resistance tests e.g. John the ripper;
  • network and application protocol sniffers and analysers e.g. Wireshark;
  • port and vulnerability scanners e.g. nmap;
  • password recovery solutions e.g. Cain & Abel;
  • web browser emulations e.g. Paros proxy or proxy charles;
  • Query captures and application proxies e.g. Zed Attack proxy, or Parox proxy;
  • audits of web applications e.g. burp suite, spiderfoot and brain.

The majority of these software programmes are free or open source and thus easy to obtain.

CONCLUSION

Today, development relies on CMSs or frameworks enhanced with plug-ins, modules and libraries. Good practices have been developed for each and programmers must implement them.

However, there are still many flaws often linked to human error. So, even if CMSs and frameworks have very high security levels, additional elements e.g. plug-ins constitute a weak link.

Therefore, it is important to anticipate and simulate attacks in the early stages of web development in order to block them. It is also necessary to intervene in terms of the design, code, and network, as well as employing continuous integration and using tools (e.g. Jenkins, Bamboo, TeamCity, etc.). And it goes without saying that it is crucial to monitor and apply software updates in a proactive manner including applying patches to detected faults.

 

Let's discuss your projects together.

contact