
Uncle Jim's Web Designs and Tutorials

Web Site Security

Vulnerabilities and Preventative Techniques

Author: Jim Stiles




Overview and Introduction:

This article describes the most popular methods today's hackers use to break into web sites, along with suggestions for checking your site for these vulnerabilities and for implementing preventative measures. Our intent is to help site administrators become more aware of the techniques hackers use and how to prevent them from succeeding.

Web site security is possibly one of the most overlooked aspects of securing online data. Hackers are increasingly focusing their efforts on web-based applications such as shopping carts, login pages, forms and other important web content. Web sites are accessible 24 hours a day and can contain crucial information drawn from various databases.

A common mistake most site administrators make is to assume that, because their site is not very popular, is non-commercial, or is not in the top rankings, they are much less likely to become a victim of hackers. This simply is not the case. A hacker's mission is to seek and destroy, anonymously. Hackers do not simply seek out the most popular sites, but any sites that leave themselves vulnerable. This includes yours. You can bet that, if your web site is vulnerable to attacks, it has already been tried, many, many times.

Once you decide that you are, in fact, vulnerable to these attacks, the next logical question should be "what can I do about it?". Complete web site security, in my opinion, is a virtual impossibility to achieve. However, there are positive and productive steps you can take as an administrator to curtail these malicious attempts on your web site. Outlined below are the most popular methods used, along with helpful suggestions for preventing these types of attacks.


Authentication hacking:

Authentication hacking is the term used when an attacker breaks into a system by convincing the application that he is a known and valid user; the attacker then gains whatever privileges the administrator assigned to that user. This kind of attack does not rely on a technological security hole in the operating system or server software. It depends rather on how securely the passwords are stored, how complex they are, and how easy it is for the attacker to reach the server (network security).

Prevention -
To verify whether an attack phase has succeeded, automated tools assess the error codes and page content returned by the web server. A secure practice is to have any error or unexpected request generate an HTTP 200 OK response instead of one of the numerous 4xx errors, so that the attacker cannot use the status code to distinguish valid from invalid login attempts.

An important measure in stopping automated brute-force authentication attacks is to add random content to the page presented to the authenticating client browser. The client must successfully submit this random content as part of the authentication process to proceed further into the web site or application. The best way to do this is to present the random phrase as a graphic (GIF, JPG or PNG) using random fonts or colours each time. This can make it almost impossible for an automated process to succeed. See screenshot below for an illustration.
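The two server-side measures above (one uniform response for every failed login, and making automated guessing expensive) in a small login handler. This is an added example, not code from the original article; the user store, salt, iteration count and lockout threshold are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo user store (hypothetical): username -> PBKDF2 hash of the password.
SALT = b"constructed-demo-salt"          # a real system uses a random salt per user
ITERATIONS = 10_000

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

USERS = {"alice": hash_password("correct horse")}
DUMMY_HASH = hash_password("placeholder")  # compared for unknown users so timing is uniform
MAX_ATTEMPTS = 5                           # constructed lockout threshold
_attempts = {}

# One response for every failure: same status, same body, whatever the reason.
FAILURE = {"status": 200, "body": "Login failed"}
SUCCESS = {"status": 200, "body": "Welcome"}

def login(username, password):
    """Authenticate without revealing whether the username exists or is locked."""
    if _attempts.get(username, 0) >= MAX_ATTEMPTS:
        hash_password(password)            # still do the work so timing stays uniform
        return FAILURE
    stored = USERS.get(username, DUMMY_HASH)
    # compare_digest avoids a timing side channel on the hash comparison.
    ok = hmac.compare_digest(stored, hash_password(password)) and username in USERS
    if not ok:
        _attempts[username] = _attempts.get(username, 0) + 1
        return FAILURE
    _attempts.pop(username, None)
    return SUCCESS
```

Lockout counters keyed by username let an attacker lock a victim out on purpose, so a real deployment pairs them with rate limiting per source address or a CAPTCHA as described above.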


CGI/ASP scripting:

Dynamic scripting using the Common Gateway Interface (CGI) and Active Server Pages (ASP) could allow users on the Internet to execute arbitrary commands on your Web server.

Prevention -
The best way to defend against these types of attacks is to refrain from putting custom CGI/ASP scripts on the server until they have been verified as safe by a security professional. You should also hide CGI/ASP scripts by making them executable but not readable or writable, to prevent them from being analyzed by an attacker looking for security holes.

Restrict the areas of the file system where these scripts have access.
Beware of allowing anonymous FTP access to file system areas that are readable by the HTTP server. Unless file system access is restricted, an attacker can use anonymous FTP to upload a file that can be executed by the Web server.
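A small audit of the permission rule just given (executable by the owner, not readable or writable by anyone else), as an added example that is not part of the original article. The directory path it walks is whatever you pass in; the mode values in the comments are constructed.

```python
import os
import stat

def audit_mode(mode):
    """Return the problems with one script's permission bits (empty list = OK).

    Applies the rule above: executable by the owner, and neither readable
    nor writable by the group or by others."""
    problems = []
    if not mode & stat.S_IXUSR:
        problems.append("not executable by owner")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group or others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems

def audit_cgi_dir(directory):
    """Walk a script directory and report every file that breaks the rule."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            problems = audit_mode(os.stat(path).st_mode)
            if problems:
                report[path] = problems
    return report
```

A script run through an interpreter (a `#!` line) still has to be readable by the account the web server runs as, so the "executable but not readable" rule applies cleanly only to compiled CGI binaries or to servers that run scripts under the owner's own account.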


CRLF Injection:

A CRLF injection attack occurs when a hacker manages to inject carriage return / line feed (CRLF) sequences into the system. This kind of attack is not a technological security hole in the operating system or server software; rather, it depends on the way the web site is developed. Some developers are unaware of this kind of attack and leave open doors when developing web applications, allowing hackers to inject CRLF sequences.

Prevention -
The best way to defend against CRLF injection attacks is to filter extensively any input that a user can give. One should "remove everything but the known good data" and filter metacharacters from the user input. This will ensure that only what should be entered in the field will be submitted to the server.
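The "open door" and the filter described above, side by side, for the common case of a user-supplied value landing in an HTTP response header. This is an added example, not code from the original article; the header name, the redirect target and the injected line are constructed.

```python
import re
from urllib.parse import unquote

_CR_OR_LF = re.compile(r"[\r\n]")

def redirect_header_vulnerable(target):
    # The user-controlled value is pasted straight into the header line.
    return "Location: " + target + "\r\n"

def is_safe_header_value(value):
    """Known-good check: no CR or LF, either raw or percent-encoded (%0d%0a)."""
    return not (_CR_OR_LF.search(value) or _CR_OR_LF.search(unquote(value)))

def redirect_header_safe(target):
    if not is_safe_header_value(target):
        raise ValueError("CR/LF not allowed in header value")
    return "Location: " + target + "\r\n"

def parse_response_headers(raw):
    """How a browser or proxy splits the header block: one header per CRLF."""
    headers = {}
    for line in raw.split("\r\n"):
        if line:
            name, value = line.split(": ", 1)
            headers[name] = value
    return headers

# Constructed input: a redirect target that carries an extra header line.
CRAFTED = "/home\r\nX-Injected: yes"
```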


Cross site scripting:

Cross Site Scripting (also known as XSS or CSS) generally occurs when a dynamic web page gathers malicious data from a user and displays the input on the page without it being properly validated.

Prevention -
To prevent these attacks, dangerous characters must be filtered out of the web application's inputs. They should be filtered out both in their plain ASCII form and in their hexadecimal (URL-encoded) form.
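The ASCII-and-hex point above, applied at the place where the input is written back into the page. This is an added example, not code from the original article; the comment markup and the sample inputs are constructed.

```python
import html
from urllib.parse import unquote

def escape_for_html(user_input):
    """Decode percent-encoding (the hex form above) once, then escape the
    characters that carry meaning in HTML: < > & " and '."""
    return html.escape(unquote(user_input), quote=True)

def render_comment(author, text):
    """Build the page fragment with every untrusted value escaped on output."""
    return "<p><b>%s</b> wrote: %s</p>" % (escape_for_html(author),
                                           escape_for_html(text))

def render_comment_vulnerable(author, text):
    # The input is echoed as-is: any tag the user typed becomes part of the page.
    return "<p><b>%s</b> wrote: %s</p>" % (author, text)

# Constructed inputs: the same tag typed raw and percent-encoded.
RAW = "<script>x</script>"
ENCODED = "%3Cscript%3Ex%3C/script%3E"
```

Escaping this way is correct for text inside an HTML element; a value placed inside an attribute, a URL or a script block needs the encoding rules of that context instead.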


Directory traversal:

Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Prevention -
First of all, ensure you have installed the latest version of your web server software, and make sure that all patches have been applied.

Secondly, filter any user input effectively. Ideally, remove everything but the known good data and filter metacharacters from the user input. This will ensure that only what should be entered in the field will be submitted to the server.
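A path check that keeps requests inside the web server's root directory, covering the plain, percent-encoded and double-encoded forms of the same input. This is an added example, not code from the original article; `WEB_ROOT` and the request paths are constructed.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # hypothetical document root

def resolve_request_path(web_root, requested):
    """Map a requested URL path onto the document root, or raise if it escapes."""
    decoded = unquote(requested)
    if "%" in decoded:                 # double-encoded input such as %252e%252e
        decoded = unquote(decoded)
    if "\x00" in decoded:              # a NUL byte truncates paths in C runtimes
        raise PermissionError("NUL byte in requested path")
    relative = decoded.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(web_root)
    full = posixpath.normpath(posixpath.join(root, relative))
    # normpath has collapsed the '..' segments; the result must still lie under root.
    if full != root and not full.startswith(root + "/"):
        raise PermissionError("path escapes document root: %r" % requested)
    return full

def is_path_allowed(web_root, requested):
    try:
        resolve_request_path(web_root, requested)
        return True
    except PermissionError:
        return False
```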


SQL injection:

SQL injection is a hacking technique which attempts to pass SQL commands through a web application for execution by a backend database.

Prevention -
The best way to defend against SQL injection attacks is to filter extensively any input that a user can give. One should "remove everything but the known good data" and filter metacharacters from the user input. This will ensure that only what should be entered in the field will be submitted to the server.
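The vulnerable query and its hardened form, using the "known good data" filter above together with bound parameters. This is an added example, not code from the original article; the in-memory table, the demo account and the password value are constructed.

```python
import re
import sqlite3

USERNAME_OK = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # known-good characters only

def make_db():
    """Constructed in-memory database with one demo account (hypothetical)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'constructed-secret')")
    return con

def find_user_vulnerable(con, name, password):
    # Input is spliced into the SQL text, so a quote in it rewrites the query.
    query = "SELECT name FROM users WHERE name='%s' AND password='%s'" % (name, password)
    return con.execute(query).fetchone()

def find_user_safe(con, name, password):
    """Allow-list the username, then bind both values as parameters so the
    database never interprets them as SQL."""
    if not USERNAME_OK.match(name):
        return None
    query = "SELECT name FROM users WHERE name=? AND password=?"
    return con.execute(query, (name, password)).fetchone()

# Constructed input: a password field that turns the WHERE clause into a tautology.
TAUTOLOGY = "' OR '1'='1"
```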


Google hacking:

Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better known Google hacking queries, nothing stops a hacker from crawling your site and launching the Google Hacking Database queries directly onto the crawled content.

Prevention -
Remove all pages identified by Google hacking queries.
More information about Google hacking can be found at the following web address:

http://www.informit.com/articles/article.asp?p=170880&rl=1


Conclusion

Keep in mind that maintaining web site security is a never-ending process. You must remain vigilant and keep abreast of current hacking techniques, along with the preventative measures you need to take.

Our next article will discuss security methods you can use for identifying hackers using your server Log Files, Host Files, External Link records, 404 logs, etc.


