How hackers check to see if your website is hackable: complete guide by Blackhat Pakistan 2023
In this article we will cover how hackers check to see if your website is hackable.
“Memento mori” is Latin for “Remember you are mortal”. According to tradition, the phrase was whispered to triumphant Roman military commanders in parades to remind them that they remained fallible men.
In this day and age, perhaps the tradition should be updated to whispering “you’re going to be hacked” into the ears of website administrators. This may be necessary to remind them that no matter what defenses they put in place, hackers are always looking for new ways to hack sites.
But what are the methods that hackers use? Below, we’ll take a closer look at how website hackers can target client-side, server-side, or direct vulnerabilities.
Server-side security flaws
In addition to phishing and related attacks on administrators, hackers often attempt to fingerprint the web server (e.g. Tomcat), the application runtime (e.g. Node.js), and the server’s operating system. This can be done from sources such as open-source intelligence (e.g. comments on social media and tech sites), session cookie names, the website’s source code, and more.
Once the back-end technology is known, hackers can use various methods to exploit unpatched vulnerabilities. Insecure server settings such as default configurations left in place, unrestricted access to server folders, and open ports have all been exploited to hack sites.
Hackers routinely probe for insecure default configurations, for example default credentials that were never changed. Scanning tools such as Grayhat Warfare are also used to find insecurely configured Amazon S3 buckets whose contents are publicly readable.
Open ports are easily found with port-scanning tools, and once a listening service is discovered, its known vulnerabilities can be exploited.
Similarly, file-finding tools can locate administrative interfaces protected by weak passwords, or by no password at all. Inadequate restrictions on file uploads to server folders are also a boon to hackers, allowing them to upload and execute malware.
Client-side security flaws
Common client-side vulnerabilities include:
- SQL injection: Insertion of SQL statements into requests, resulting in unauthorized release of data or modification of database records
- XSS: Injection of malicious script that then runs in other users’ browsers
- CSRF: Forcing a logged-in user’s browser to submit requests the user never intended, riding on that user’s session
The OWASP Top Ten web application security project found injection attacks to be the number one threat category.
Hackers have readily available tools that automatically test websites for these vulnerabilities, in the same way that legitimate pentesting is done. In this day and age it would be very surprising, and careless, for a website to lack adequate protection against SQL injection and CSRF. XSS, however, continues to pose a threat as new vulnerabilities emerge, especially as websites (including those embedded in mobile applications) become more functional and complex. Once found, a vulnerability can be quickly exploited on any site that has not patched it.
Frameworks and Cyber Threats
The current practice of web development, with its heavy reliance on open source libraries, plugins and frameworks, is a rich source of vulnerabilities for hackers to exploit. Hackers put far more effort into researching library vulnerabilities than the typical web developer ever will, and such bugs often come to light only after they have already been used in successful attacks.
The rise of server-side JavaScript and the increasing complexity of libraries and frameworks mean that these types of exploits are on the rise. This is especially true of open source code whose development has been abandoned: no updates are forthcoming, and sites that continue to use it remain exposed.
APIs and Cyber Threats
Websites that use APIs to communicate with backend systems can have those APIs targeted by hackers. In this case, hackers look for poor API security, such as credentials, access codes or tokens exposed in query strings, client-side variables and other places.
Hackers will also attempt to learn about the internal architecture of an API-based system by deliberately calling APIs with invalid parameters and watching the resulting error messages for leaks about the system. This information can be almost anything, such as the database type and its configuration. All these bits of information can come in handy later, when a new vulnerability appears.
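Tokens in query strings are a problem even before a hacker looks for them, because they land in access logs, proxy logs and browser history. The following added example, which is not part of the article, scans constructed access-log lines for credential-like query parameters and shows a redaction helper for storing such lines safely. The parameter-name list `SECRET_PARAMS`, the sample lines and the function names are all assumptions of this example.

```python
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry credentials; an assumed list, extend it for your own APIs.
SECRET_PARAMS = {"token", "access_token", "api_key", "apikey", "key", "password", "secret", "auth"}

# Constructed access-log lines in common log format (not real traffic; values are placeholders).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /api/v1/users?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2023:10:00:02 +0000] "GET /api/v1/orders?access_token=PLACEHOLDER-JWT HTTP/1.1" 200 1024
10.0.0.9 - - [01/Mar/2023:10:00:03 +0000] "POST /api/v1/login?api_key=PLACEHOLDER-KEY HTTP/1.1" 401 88
10.0.0.5 - - [01/Mar/2023:10:00:04 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 20480
"""

# Common log format: client IP, identd, user, [timestamp], "METHOD url PROTOCOL", status, size.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

def find_secrets_in_query(log_text):
    """Return one finding per request whose query string carries a credential-like parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        parts = urlsplit(m.group("url"))
        params = parse_qs(parts.query, keep_blank_values=True)
        hits = sorted(p for p in params if p.lower() in SECRET_PARAMS)
        if hits:
            findings.append({"ip": m.group("ip"), "path": parts.path,
                             "params": hits, "status": m.group("status")})
    return findings

def redact_url(url):
    """Replace credential-like query values so the log line can be stored or shared safely."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted)))

if __name__ == "__main__":
    for f in find_secrets_in_query(SAMPLE_LOG):
        print(f"{f['ip']} sent {f['params']} in the query string of {f['path']} (status {f['status']})")
```

Run this over real access logs and every hit is a credential that should be moved to an `Authorization` header (and, for long-lived keys, rotated), since the value has already been written to disk wherever the request was logged.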
Direct cyber attacks and token attacks
In addition to general attempts to hack client-side and server-side systems, direct attacks on user and administrator accounts are common. Hackers currently focus on credential stuffing (replaying passwords already obtained elsewhere) more than on brute-forcing username and password authentication, as well as on attempts to manipulate or reuse access tokens.
With 61 billion credential attempts in the 18 months to June 2019, this attack method is proving popular. Credential stuffing consists of automated login attempts using usernames (or email addresses) and passwords obtained from server-side breaches, in an attempt to gain access to user or administrator accounts.
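Because credential stuffing replays one leaked password per account rather than hammering one account, its signature in authentication logs is a single source cycling through many distinct usernames in a short window. The following added example, which is not from the article, runs that detection over constructed login records; the log format, the thresholds (`window`, `min_distinct_users`) and the function names are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines: timestamp, source IP, username, outcome (not real data).
AUTH_LOG = """\
2023-03-01T10:00:00Z 203.0.113.10 alice FAIL
2023-03-01T10:00:01Z 203.0.113.10 bob FAIL
2023-03-01T10:00:01Z 203.0.113.10 carol FAIL
2023-03-01T10:00:02Z 203.0.113.10 dave SUCCESS
2023-03-01T10:00:02Z 203.0.113.10 erin FAIL
2023-03-01T10:00:03Z 203.0.113.10 frank FAIL
2023-03-01T10:00:05Z 198.51.100.7 alice FAIL
2023-03-01T10:00:09Z 198.51.100.7 alice FAIL
2023-03-01T10:00:15Z 198.51.100.7 alice SUCCESS
2023-03-01T10:30:00Z 192.0.2.20 bob SUCCESS
"""

def parse_auth_log(text):
    """Parse 'timestamp ip username outcome' lines into (datetime, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that attempt logins for many distinct usernames inside a short window.

    A user retrying their own account (198.51.100.7 above) is not flagged; a source working
    through a leaked username list is. Successful logins inside an alert are listed because
    those are the accounts whose passwords have just been confirmed and need a reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_distinct_users:
                successes = sorted(u for _, u, o in span if o == "SUCCESS")
                alerts[ip] = {"distinct_users": len(users), "successes": successes}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_auth_log(AUTH_LOG)).items():
        print(f"{ip}: {info['distinct_users']} distinct usernames, "
              f"successful logins for {info['successes'] or 'none'}")
```

Real traffic from a large NAT or a shared proxy will exceed a threshold this low, so in production the distinct-username count is usually combined with failure ratio, user-agent diversity and ASN reputation before blocking; the per-source sliding window is the part that stays the same.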
Often issued via OAuth2 or OpenID Connect (OIDC), access tokens are essential in today’s web environment because they authorize requests for resources such as user account data, APIs, and other services. This ubiquity makes them another prime target for hackers, as the 2018 Facebook breach showed.
These tokens are most often in the form of JSON Web Tokens (JWT). Hackers will look for vulnerabilities such as XSS that allow tokens to be stolen from cookies, local storage, and JavaScript variables. Since most of these tokens are bearer tokens, anyone who holds one can use it, so a stolen token is trivially usable until it expires.
Similarly, hackers will also try to exploit insecure handling of token signatures to change token access rights, expiration times, and so on without invalidating the signature. One simple method that hackers try is to change the signature algorithm value stored in the JWT header to “none”. In an insecure implementation, the signature verification code will then skip the signature check, meaning that changes to the token’s content go unnoticed.
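The “alg: none” weakness comes down to one design mistake: letting the token’s own header decide how the token is verified. The following added example, written for this article rather than taken from it, builds an HS256 token with only the standard library, shows a verifier that trusts the header accepting a forged “none” token, and shows the hardened verifier that pins the algorithm rejecting it. The key `SECRET`, the claims and all function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # placeholder signing key for the example, not a real secret

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way a legitimate server would."""
    header = encode_part({"alg": "HS256", "typ": "JWT"})
    payload = encode_part(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def forged_none_token(claims: dict) -> str:
    """Test vector for the flaw the article describes: alg set to none, signature dropped.
    A correctly working verifier must reject this; keep it in your verifier's test suite."""
    header = encode_part({"alg": "none", "typ": "JWT"})
    return f"{header}.{encode_part(claims)}."

def verify_insecure(token: str, key: bytes) -> dict:
    """Lets the token's header choose the algorithm: 'none' skips the check entirely."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # the bug: unsigned content is trusted
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def verify_hardened(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Pins the algorithm server-side and always checks the MAC; the header cannot opt out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time comparison
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def is_rejected(verifier, token: str, key: bytes) -> bool:
    """True when the verifier refuses the token."""
    try:
        verifier(token, key)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forged_none_token({"sub": "alice", "role": "admin"})
    print("insecure verifier accepts forged token:", not is_rejected(verify_insecure, forged, SECRET))
    print("hardened verifier rejects forged token:", is_rejected(verify_hardened, forged, SECRET))
```

A real verifier additionally checks `exp`, `iss` and `aud` after the signature passes, and the theft problem from the previous paragraph is reduced by keeping the token in an `HttpOnly` cookie rather than in local storage or a JavaScript variable, where an XSS payload can read it.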
One last thought
Modern web application development and phishing tactics have widened the attack surface so much that websites and web applications are highly vulnerable across countless entry points.
But one final thought: just like squirrels, hackers don’t think like you and have no limits on what they’ll try. If their attempts crash the site or destroy the database, that’s not a problem for them. Even when you think you have tested your website for vulnerabilities, you still need to be careful.
Sources
- Public buckets by grayhatwarfare, Grayhat Warfare
- OWASP Top Ten, OWASP
- State of the Internet/Security: Media Under Assault, Akamai
- What Facebook’s Hack Can Teach about Token Theft, WhiteHat Security