Almost every day we hear something about hacking. Every day at least one giant company gets hacked: data is stolen, websites are defaced, password databases are taken, and many more similar incidents occur. Website hacking has become a trend for earning the bounty you get once you report a bug to the affected company. Many researchers find bugs in top companies' websites, report them, and help fix them, and as a thank-you they get a nice bounty. However, there are a few people who find bugs but, instead of reporting them to the company, use the vulnerability to do harm: deleting data from the server, installing backdoors, copying the usernames and passwords of the company's clients, and so on. So here are a few well-known ways hackers use to hack your website:
Distributed Denial of Service (DDoS)
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic. The heavy traffic overloads the server and shuts down all the services it provides. Once the server is shut down and the system is offline, a hacker can then carry out their task of compromising the system or installing a backdoor for their own benefit.
The most common way to DDoS a server or website is by sending thousands, or rather millions, of URL requests to the website or web server continuously and all at once. This exhausts the CPU and RAM and shuts the system down due to overload.
Cross Site Request Forgery Attacks (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so on. If the victim is an administrative account, CSRF can compromise the entire web application.
CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so on. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
CSRF attacks target functionality that causes a state change on the server, such as changing the victim’s email address or password, or purchasing something. Forcing the victim to retrieve data doesn’t benefit an attacker because the attacker doesn’t receive the response, the victim does. As such, CSRF attacks target state-changing requests.
It’s sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called “stored CSRF flaws”. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.
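The standard defence against the forged requests described above is a per-session anti-CSRF token that the browser does not attach automatically. The following is an added example, not code from the original article; SERVER_KEY, issue_csrf_token, is_request_allowed and the sample session and form values are hypothetical names and constructed data.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)

# Methods that must never change state, so they are exempt from the token check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; the site embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, session_id: str, form: dict) -> bool:
    """Accept a state-changing request only if it carries this session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    submitted = str(form.get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the token cannot be guessed through timing.
    return hmac.compare_digest(submitted.encode(), expected.encode())


# Constructed sample requests for one logged-in session.
SESSION = "sess-3f9a-constructed"
LEGIT_FORM = {"email": "me@example.com", "csrf_token": issue_csrf_token(SESSION)}
# A cross-site form: the session cookie rides along, but the token is unknown
# to the other site, so the field is missing.
FORGED_FORM = {"email": "someone-else@example.com"}

if __name__ == "__main__":
    print("legitimate POST allowed:", is_request_allowed("POST", SESSION, LEGIT_FORM))
    print("forged POST allowed:   ", is_request_allowed("POST", SESSION, FORGED_FORM))
```

The token only helps if state changes are never reachable through the exempt methods, and a stored XSS flaw on the same site can still read the token from the page.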
DNS Cache Poisoning
DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) resolver’s cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker’s computer (or any other computer). One of the reasons DNS poisoning is so dangerous is because it can spread from DNS server to DNS server. In 2010, a DNS poisoning event resulted in the Great Firewall of China temporarily escaping China’s national borders, censoring the Internet in the USA until the problem was fixed.
A DNS cache becomes poisoned if it contains an incorrect entry. For example, if an attacker gets control of a DNS server and changes some of the information in it, they could say that google.com actually points to an IP address the attacker owns, and that DNS server would then tell its users to look for google.com at the wrong address. The attacker’s address could host some sort of malicious phishing website.
DNS poisoning like this can also spread. For example, if various internet service providers are getting their DNS information from the compromised server, the poisoned DNS entry will spread to the internet service providers and be cached there. It will then spread to home routers and the DNS caches on computers as they look up the DNS entry, receive the incorrect response, and store it.
DNS cache poisoning attacks usually incorporate elements of social engineering to manipulate victims into downloading malware. The servers and websites that attackers use to replace authentic IP addresses are set up to appear legitimate while they actually contain malware in disguise.
Clickjacking
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
For example, imagine an attacker who builds a web site that has a button on it that says “click here to download”. However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up the “delete all messages” button exactly on top of the “Download” button. The victim tries to click on the “Download” button but instead actually clicks on the invisible “delete all messages” button. In essence, the attacker has “hijacked” the user’s click, hence the name “Clickjacking”.
SQL Injection Attack
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
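To make the root cause concrete, here is the same lookup written twice against an in-memory SQLite database: once by concatenating user input into the statement, and once with a parameterized query. This is an added example, not code from the original article; the notes table, the function names and the sample input are constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory database with notes owned by two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice: rotate API key"), ("bob", "bob: payroll draft")],
    )
    return db


def notes_for_vulnerable(db: sqlite3.Connection, owner: str) -> list:
    # Vulnerable on purpose: the input is pasted into the SQL text, so a quote
    # in it ends the string literal and the remainder is parsed as SQL.
    query = f"SELECT body FROM notes WHERE owner = '{owner}' ORDER BY body"
    return [row[0] for row in db.execute(query)]


def notes_for_safe(db: sqlite3.Connection, owner: str) -> list:
    # Parameterized: the driver passes the value separately from the statement,
    # so it is only ever compared as data, whatever characters it contains.
    query = "SELECT body FROM notes WHERE owner = ? ORDER BY body"
    return [row[0] for row in db.execute(query, (owner,))]


# Constructed input containing a string-literal escape character (the quote).
CRAFTED_OWNER = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", notes_for_vulnerable(db, CRAFTED_OWNER))
    print("parameterized:", notes_for_safe(db, CRAFTED_OWNER))
```

The concatenated version returns every user's notes for the crafted input, while the parameterized version returns nothing because no owner has that literal name.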
Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
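The phrase "without validating or encoding it" is the whole bug, and the correct encoding depends on where in the page the value lands. The following added example (not from the original article) shows an unencoded render beside one that encodes for HTML text, an HTML attribute and a JavaScript string; all function names and the sample input are constructed.

```python
import html
import json


def render_unsafe(display_name: str) -> str:
    # Vulnerable on purpose: user input is placed in the output unchanged,
    # so any markup in it becomes part of the page.
    return f"<p>Hello {display_name}</p>"


def encode_html(value: str) -> str:
    """Encode for HTML text and quoted attribute values (escapes & < > \" ')."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encode as a JavaScript string literal that is safe inside a <script> block."""
    literal = json.dumps(value)  # adds the quotes and escapes quotes and backslashes
    # Also escape characters the HTML parser reacts to, so the value can never
    # close the surrounding script element.
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_safe(display_name: str) -> str:
    """Render the same value in three contexts, each with its own encoding."""
    return (
        f'<p title="{encode_html(display_name)}">Hello {encode_html(display_name)}</p>'
        f"<script>var user = {encode_js_string(display_name)};</script>"
    )


# Constructed input that tries to break out of an attribute and add a script.
SAMPLE_INPUT = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_INPUT))
    print(render_safe(SAMPLE_INPUT))
```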
Check this article for more details: Understand Cross Site Scripting (XSS)
That’s all in this article. Remember, all articles related to security are for educational purposes only, so use them for a good cause. Catch you guys in the next one 😉.