Five Ways a Website Can be Hacked
In today’s world, one must think twice before claiming that (s)he is safe from hackers. Be it ordinary individuals, small companies, large technology corporations or even governments with vast resources, it seems everybody falls victim to a hacking incident these days.
We collected the top 6 risk factors affecting most websites. The list aims to give you a quick 360° panorama on the security risks of websites.
1. Web Application Vulnerabilities – it (usually) begins with an encoded escape character…
CTB-Locker (the website version) attacks WordPress sites specifically, so it’s not an executable file like other ransomware that runs on a desktop. CTB-Locker is a PHP program, so that means it’s designed to run on web servers that run PHP. This includes Linux and Windows servers that host WordPress sites. There is also a desktop version available, but we’ll discuss only the website version.
A significant portion of vulnerabilities emerge due to lack of sufficient input validation controls, where user supplied input “somehow” makes its way into the program code, and gets executed. Typical examples of inputs that hackers use as escape characters are apostrophe (') and quotation marks ("). The attacker can use techniques such as URL-encoding or HTML-encoding to disguise them (making the injected values %27, %22, ' or "), which helps bypass simple filters. If input validation is poorly implemented and fails to detect the injection of escape characters, then the attacker is free to start injecting code as well.
There are well known examples like SQL-injection and XSS, and then the ones that usually get undermined, such a OS Command Injection and different types of Code Injection vulnerabilities. Although most cases are easily preventable by preferring whitelisting methods over blaclisting and using up-to-date and proven libraries, these attacks still pose great risk for websites. OWASP’s famous Top 10 List for Most Critical Web Application Security Risks is a very comprehensive and respected guide in this field. Lucky for us all, an update to the latest 2013 version will be released in July 2017, but is already available now as Top-10 2017 Release Candidate.
On the other hand, hackers make use of search engines to locate sites containing these vulnerabilities (a.k.a “Google Hacking”).
Other significant examples in this category are File Inclusion and IDOR (Insecure Direct Object Reference), which are observed less frequently, but are definitely deadly. While a file inclusion vulnerability in your web application may permit code execution on your server, an IDOR in a banking application may permit an attacker to gain access to other customers’ bank accounts.
Thorough and regular web application security tests are a must, especially if your web site contains or processes financial transactions and/or other sensitive data.
2. OS Vulnerabilities – Achilles’ Heel
Hackers are well-informed workers. They discover new vulnerabilities every day. Whether your site runs on the latest version of Windows or a flavor of Linux, patch management is a key activity to save you from newly emerging threats.
After a hacker gains foothold to a server, lack of OS patches often provide the missing link, to escalate their privileges from low-profile OS accounts like www-data or apache to root on Linux systems, or a member of IIS_IUSER to NT Authority/SYSTEM on Windows.
And don’t forget the OS vulnerabilities that directly give away the keys to the kingdom, such as MS08-067 or MS09-050. A vulnerability scan on a large corporate network could still reveal such old vulnerabilities, as well as many similarly critical but newer ones.
3. Web Server or Content Management System Vulnerabilities – Didn’t you forget something?
Default credentials! The “sudden death” kick in any penetration test. The first item on any hacker’s checklist. So classic, yet still so effective. And yes, at some point most of us must have left a default password unchanged.
Check if the door is already open, before trying to pick a lock, most hackers would say. Default passwords of programs can be easily found with a simple Google search.
Placing the administration interfaces on an easily discoverable folder (E.g.: /wp-admin, /admin, /administrator or /config) is more usual than you might think. This lets the hackers to perform brute-force attacks. Tools such as DirBuster (for page discovery) or Hydra (for brute-forcing) are very effective.
Beside such classic vulnerabilities, misconfigurations in Cross-Origin Resource Sharing (CORS) or Flash/Silverlight Cross-Domain Policies override the Same-Origin checks and permit malicious websites to perform XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery) attacks against your visitors.
A hardening checklist comes in handy for preventing such vulnerabilities from taking place.
4. Shared Hosting
As of 8 April 2017, a simple Shodan query for the HeartBleed vulnerability still returns more than 182,000 results: IP addresses, server geo-location information and more. Furthermore, high-quality exploits are publicly and easily available for any novice hacker to view and download at Exploit DB.
The situation is similar for the other infamous vulnerabilities that have emerged in the previous years, such as Shellshock, Poodle, Drown, Ghost, Freak and MS Windows Schannel.
Performing regular vulnerability scans is a must, if you want to avoid being listed on Shodan.
5. DNS Poisoning – A Phantom Menace
Ensuring the security of your server is a lot of hard work and definitely an important achievement. However, it does not guarantee the security of your website users, in today’s complex threat landscape.
Meet DNS Poisoning. This sinister attack aims to manipulate the IP resolution data cached on DNS servers, thereby cause the DNS server to direct users to the IP of the hacker-controlled fake server. Such attacks are very hard for an end user to detect, yet still they can easily be used to steal session cookies, login credentials, credit card information and other sensitive data.
In this kind of attack, the attacker could have compromised your ISP’s DNS server and they have redirected your website to their hacker site. However, user would not be able to tell that it was the DNS that was hacked. As such, it is important to find a trustworthy DNS provider, who has right security measures in place to reduce the risk of DNS poisoning.
Getting acquainted with these risks, attack methods and protection mechanisms is critical to safeguard your systems. Whether you are running a humble personal blog or a large e-commerce site, be mindful of security threats and keep yourself up-to-date. You can also consider implementing some web security solutions like WAF, scanners, etc. to secure your website. The WebOrion Security Platform offers an affordable and easy solution to cover all your bases when it comes to web security, and takes less than 10 minutes to set up. We believe that every website owner deserves to have their own website security in their own hands.
Authored by: Reha Esen, CISA
Edited by: WebOrion Team
