
Website Security
Every day, stories hit the news about websites which have been taken down by hackers. How does a person gain access to a website, one might ask? What is the hacker's aim in compromising a website? It is surprisingly easy to find vulnerable websites, and it is therefore extremely important for website developers to know the common vulnerabilities, and the coding errors which create them, in order to prevent them. This post aims at equipping the general web developer with knowledge of various hacking techniques and methodologies, as well as the mind of the hackers themselves.
Definition of a Hacker
The term “hacker” has changed over the years, and it is therefore necessary to first define who a hacker is and is not.
Hacker

A hacker is a person who can identify vulnerabilities within a website or computer system and exploit them to gain unauthorized access to that website or computer system. There are many varieties of hackers, and not all hackers are “evil”. The term “White Hat” refers to a person who hacks with the best intentions in mind. These may include identifying vulnerabilities in order to patch them, ensuring the security of a website or computer system. Rogue white hats are not uncommon. They will penetrate a website or computer and email the administrator, informing them of the breach and how it was accomplished. Sadly, this tends to hurt the administrator's “ego”, and they respond with threats and sometimes legal action. This is detrimental to the administrator because once they attack the white hat, they become a target for other hackers seeking retribution. The hacking community is very closely knit, and there is a lot of respect and support among fellow hackers. Network and website administrators must realize that these white hats are only there to help and should act accordingly: fix the security hole and thank the hacker. If it were not for them, the site may have been attacked by a “Black Hat”.
A black hat hacker is someone who is out to steal and destroy. They go after credit card details or website defacement. Website defacement is the removal of a website to be replaced with a page of bragging and ego boosting for the attacker. Website defacers are the least of one's problems, however, as more sophisticated black hats will secretly take control of a website in order to gain further access to a system or to turn the machine into a bot. A bot is a hacker-controlled computer which performs the hacker's bidding, be this sending out large amounts of spam, serving as a tunnel through which to hack, or being combined with other bots in a DoS attack (detailed below).
Cracker
A Cracker should not be confused with a hacker. Their main purpose is to bypass software security procedures such as anti-piracy methods. There is a wide range of anti-piracy methods (enough for 10 posts), yet no matter how complex the method, a cracker will endeavor to break it, allowing people to use the applications free of charge.
Phisher
A Phisher is a person out to get personal information from people, usually by means of fake emails or websites. The most common form of phishing email is one which is apparently sent from your bank, asking you to update your bank details. Never follow these links and complete the forms, no matter how legitimate they appear. No bank will ever send you an email requesting this.
Phreak
A Phreak is a person skilled in manipulating the telephone network. They are able to bypass call costs using a number of methods (again, a topic saved for another post). They are harmless to the general public and only of concern to the telecom companies, which would be losing the possible revenue from calls made by the phreak.
Website Vulnerabilities
That concludes our definition of the various "hacker" labels. Let's get onto the meat of this topic: Website Vulnerabilities. Below I will detail some of the more common types of security flaws associated with websites. How to patch these vulnerabilities will not be covered here, as the methods vary and the solution relies on the programmer educating themselves further in the various forms.
SQLi (SQL Injection)

SQL (Structured Query Language) is a database language used by multiple database products for creating, using and managing databases. Microsoft Access, MSSQL, MySQL, PostgreSQL and more use the SQL language. SQL injection is the process of injecting SQL code into a query so that it performs a request outside of those used on the website, giving attackers information about the website and its database. SQLi can be performed in many ways: using the address bar, form fields and even header manipulation. Prevention of SQLi relies on the programmer having query string filters in place to prevent execution of these injected commands, yet there are multiple means by which to bypass these filters, and the programmer should be as comprehensive as possible.
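To make the mechanism concrete, here is an added example (not from the original post) that runs the same lookup three ways against an in-memory SQLite database: by string concatenation, by a character filter, and by a parameterized query. The `users` table, its rows and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    return db

def lookup_concat(db, name):
    """Vulnerable: user input becomes part of the SQL text itself."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def quote_filter(name):
    """A simple query string filter: strip characters that look dangerous."""
    return name.replace("'", "").replace(";", "").replace("--", "")

def lookup_filtered(db, name):
    """Filter, then concatenate. The filter also alters legitimate data."""
    return lookup_concat(db, quote_filter(name))

def lookup_param(db, name):
    """Parameterized: the value is bound separately and never parsed as SQL."""
    cur = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = make_db()
    injected = "nobody' OR '1'='1"          # constructed input
    print(lookup_concat(db, injected))      # all three rows come back
    print(lookup_param(db, injected))       # []: treated as one odd name
    print(lookup_filtered(db, "o'brien"))   # []: filter broke a real name
    print(lookup_param(db, "o'brien"))      # ['obrien@example.test']
```

The parameterized form needs no list of forbidden characters, which is why it does not share the filter's two failure modes: missed input and mangled legitimate data.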
XSS (Cross-Site Scripting)
XSS (Cross-Site Scripting) allows users to inject JavaScript code into a website, either via the URL or a form field, to perform some function. Database information is secure; however, a script can be inserted into the website which redirects other users to a different website. XSS is often combined with phishing in order to steal users' login credentials or steal a user's cookies (which are as good as their login credentials). Yet again, the best way to try and prevent this is to build JavaScript filters which remove any JavaScript code inserted into a form or URL.
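The following added example (not from the original post) puts a script-tag filter next to output encoding, so the difference in what reaches the browser is visible. The comment-rendering functions and all sample strings are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)

def strip_script_tags(text):
    """The filter approach: delete anything that looks like a <script> tag."""
    return SCRIPT_TAG.sub("", text)

def encode_text(text):
    """Output encoding for HTML text and quoted attribute values."""
    return html.escape(text, quote=True)

def safe_href(url):
    """Allow only absolute http(s) links; anything else becomes '#'."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return encode_text(url)
    return "#"

def render_comment(author, site, body):
    """Build one comment; each user-supplied value is encoded for its context."""
    return '<p><a href="{}">{}</a>: {}</p>'.format(
        safe_href(site), encode_text(author), encode_text(body))

# Constructed sample inputs.
SAMPLES = [
    "<script>alert(1)</script>",         # the usual test string
    "<b>shouting</b>",                   # markup the filter never looks at
    "Put it in a <script> tag, x < y",   # legitimate text about code
]

if __name__ == "__main__":
    for s in SAMPLES:
        # Left: what the filter lets through. Right: the encoded form.
        print(repr(strip_script_tags(s)), "|", encode_text(s))
    print(render_comment("Eve <admin>", "javascript:alert(1)", SAMPLES[0]))
```

The filter passes the second sample through as live markup and damages the third, while encoding displays all three exactly as typed without letting the browser parse any of them.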
CSRF (Cross Site Request Forgery)
CSRF (Cross-Site Request Forgery) attacks can allow an attacker to hijack a victim's account, which may result in malicious requests being forged under that account. Proper CSRF exploitation can log out a user, transfer money, change a password, modify information, make posts or change user status, all of which is performed from within the victim's account.
Not only is a CSRF attack relatively simple to achieve, but it can be very difficult to detect the attack itself. This is due to the fact that the attacks appear to be performed by a legitimate user.
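Because the forged request arrives with the victim's own session, the server needs something a foreign page cannot supply. This added example (not from the original post) shows one common check, a per-session token embedded in the site's own forms; the handler, field name `csrf_token` and session ids are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)       # demo key; a real site loads a stored secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # these must never change state

def _mac(session_id, nonce):
    """HMAC binding a random nonce to one session."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id):
    """Token the server writes into a hidden field of its own forms."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def token_valid(session_id, token):
    """True only if the token was issued for this session."""
    nonce, sep, mac = (token or "").partition(".")
    if not sep:
        return False
    expected = _mac(session_id, nonce)
    return hmac.compare_digest(mac.encode(), expected.encode())

def handle(method, session_id, form):
    """Hypothetical request handler; returns an HTTP status code."""
    if method in SAFE_METHODS:
        return 200
    if not token_valid(session_id, form.get("csrf_token")):
        return 403      # session cookie present, but the form is not ours
    return 200          # state change allowed

if __name__ == "__main__":
    sid = "session-abc"  # constructed; the browser sends this as a cookie
    own_form = {"to": "bob", "amount": "10", "csrf_token": issue_token(sid)}
    forged = {"to": "mallory", "amount": "10"}   # same cookie, no token
    print(handle("POST", sid, own_form))   # 200
    print(handle("POST", sid, forged))     # 403
```

A 403 from this check is also a useful log event, since the request otherwise looks like the legitimate user's.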
LFI / RFI (Local/Remote File Inclusion)
LFI (Local File Inclusion) and RFI (Remote File Inclusion) allow an attacker to request files from the server to be displayed inside of a webpage. This vulnerability makes use of the PHP include command and is most prominent in websites with a URL of the form:
http://www.website.com/index.php?file=filename
I could, for example, replace filename with index.php and get the page to display the source code (including the PHP code) within the webpage. Again, filters can be used to prevent files with certain file extensions from being opened but, of course, there are methods to bypass these filters.
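As an added example (not from the original post, and written in Python rather than PHP), here are two ways a server can decide what the `file` parameter may refer to before anything is opened or included. The directory layout, page names and function names are assumptions for illustration.

```python
from pathlib import Path

PAGES_DIR = Path("/var/www/site/pages")   # assumed layout, not from the post
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}

def resolve_by_allowlist(param):
    """Strictest option: ?file= is only a key into a fixed table."""
    name = ALLOWED_PAGES.get(param)
    return PAGES_DIR / name if name else None

def resolve_by_containment(param):
    """Accept a filename only if the normalised path stays inside PAGES_DIR."""
    # Reject empty values, NUL bytes and anything shaped like a URL.
    if not param or "\x00" in param or "://" in param:
        return None
    base = PAGES_DIR.resolve()
    candidate = (base / param).resolve()   # collapses ".." and absolute paths
    if base not in candidate.parents:
        return None                        # escaped the pages directory
    if candidate.suffix != ".html":
        return None                        # never serve source files
    return candidate

if __name__ == "__main__":
    # Constructed request values for ?file=
    for value in ["home", "index.php", "../index.php",
                  "about.html", "/srv/other/notes.html"]:
        print(value, "->", resolve_by_allowlist(value),
              "|", resolve_by_containment(value))
```

The containment check is applied to the path after normalisation, so it does not depend on spotting particular strings in the raw parameter the way an extension filter does.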
DoS (Denial of Service)
A DoS (Denial of Service) attack is not one which you can prevent. A hacker will flood a server with requests, often with the use of bots (mentioned above). The constant stream of requests slows down a server until it runs out of resources and crashes, taking the website and all others on that server offline. Large websites such as Yahoo and Google have been attacked in this way. Some websites attempt to prevent this by limiting the number of requests sent by a computer; however, if 10 000 computers are all sending requests one after another, the time limit does not help much.
Conclusion
These vulnerabilities are just some of the most common ways in which a website is compromised. There are many other lesser known or used forms, and it is in the programmer's best interest to research the various techniques in order to combat them. I hope this post has provided some insight into the various vulnerabilities which exist and gives web designers a starting point from which to further their knowledge of these vulnerabilities.