Web_Vectors
Web_Vectors #1
Every day, new web-based attack vectors are found and exploited.


What About The Average User?

These new attack vectors mean that the average user must become much more observant. While utilizing older methods of cryptography is dangerous, the attacks that are making it into the news are falling back on old methods used by hackers since the beginning of network access. All software, old and new, follows the same concepts that made computers work decades prior to now. The only difference today is the number of layers that have been added to make the process seem confusing and complex.

The only ones confused though, are the people for whom the new layers were implemented to protect in the first place: the users. The pattern of cyber-attacks on everything from banks to bakeries, and across the board from Target to Apple, is showing that this world requires users to break the expectation of confusion and understand how Internet instigators are really coming after us.

The Goal Of Website Hackers

The motives behind attacks are varied. You had stuff to steal, your site could be used to display propaganda or broadcast spam, or maybe you just forgot to update and your forgetfulness was able to satisfy the bored desires of a curious script-kiddie; one of those reasons is why you got hacked. Every site can serve a purpose: to hold sensitive data, or at the very least, provide usable resources to send spam or attack other targets. Know that your website has value.

In this post, we'll look at a few vectors hackers look for and use when attacking websites.

The Methods
To someone wanting to break into your site, it's imperative they find a vulnerability they can exploit (this is known as an attack vector). These attack vectors come in many forms; today you can usually categorize them into two categories: Access Control and Software Vulnerabilities.
Software Vulnerabilities

1. SQL Injection (SQLi)


Injection vulnerabilities are rated as the number one problem on the list of top 10 security issues put out by OWASP and are still a huge vulnerability for application and web developers looking to utilize the benefits of storing usable information in a local database. Due to the predictable nature of these types of applications, an attacker can craft a string using specific Structured Query Language (SQL) commands, and know it can be used to force the database to give up the data the attacker requires. These strings can be entered in places like search boxes, login forms, and even directly into a URL to nullify simple client-side security measures on the page itself.

Why is this so dangerous? The database keeps the most important space on a system, and can not only be coaxed to give up usernames, passwords, and credit card numbers, but can also be attacked in a way that can give an attacker a foothold to gain access to the entire system, and to every other database for other websites and applications.


2. Cross-Site Scripting (XSS)


Often misunderstood, and even more often underestimated, XSS is a style of attack where the front of the website acts as a launching point for attacks on other users visiting the website. This happens when developers don't properly test their code for the possibility of allowing scripts to be injected. The scripts can then be executed without the site's original functionality intending them to be.

If an XSS vulnerability is available on a website, then an attacker can create code that executes when other users open the same website. This causes the new users to interact with the malicious background entity created by the attacker. Once a connection has been started, usually via social-engineering attacks convincing a user to do something they shouldn't, the attacker is able to attack your website visitors' computers.

3. Inclusion Vulnerabilities: LFI and RFI


As a result of insecure coding, malicious users can find functionality within a web application, and use the underlying mechanics to execute their code. The two variations of this action can be to either execute code already on the system, or execute code that is located off the system.

Local File Inclusion

By targeting "include" parameters in PHP code, intruders can request an alternative file be used in the specified request instead of the file meant to go along with the program. This can lead to unregulated access to internal files and logs. Where a script should work like this: http://site.com/web-app.php?nextStep=goodfile.php, a vulnerable application can be changed to target a sensitive system file, or worse, something that is infected: http://site.com/web-app.php?nextstep=/etc/passwd

Where this can get even messier is when dealing with a highly skilled attacker that knows how to manipulate internal files. By sending malicious payloads to the site, without intending for them to work, a hacker can load log files with their own code. By pointing a vulnerable include parameter to a code injected log file by using an LFI technique, an attack can be launched.



Remote File Inclusion

Another method of running malicious software on a victim's server is by simply asking it to go somewhere else on the Internet to find a dangerous script, and then run it from that location. This scary scenario is called a Remote File Inclusion (RFI) attack. An RFI can occur when functions are improperly crafted, allowing users to modify the URL parameters when web apps are launching components for their own purposes.

By changing the intended process in order to activate a far away malicious payload sitting on a public server, the attacker may be able to activate a piece of code that will give them a shell through a held connection between the victim site and the remote server that holds the designated file. Including a script in this way opens up a number of dangerous options that a hacker can use against you.

Access Control

1. Brute Force



If there is a form used to log in, then it is possible to set up scripts that continuously try different username and password combinations until a match is discovered, and the attacker gains access. This could be a brief attack, designed to check if the user has a weak password, and may only check the top 10 or top 100 most common passwords. It could also be a long-term targeted attack composed of lists of millions of passwords to try, and all the time in the world to wait for the right password to work.

More sophisticated Brute Force attacks compile password lists from keywords available on your website to test on your administrator login forms. The best way to protect yourself is by always using strong, unique passwords and two-factor authentication.

There is a difference between Brute Force and Denial Of Service attacks.

While we accept and recognize that these are common risks and dangers of operating a website today, it's important to continue to be vigilant and current with the latest threats. Security is not a Do It Yourself (DIY) project for most website owners; if reading this post felt foreign to you, then you're likely in that category.

Lack of awareness is no longer an excuse; how will you take action to keep yourself from being exploited and made into a victim of the most common and dangerous types of attacks?
Knowledge is free..
Retaining that Knowledge takes work..

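The LFI and RFI sections above both come down to one untrusted parameter (the post's `nextStep`) deciding which file gets included. The following is an added example, not code from the post or its author, showing one way to validate such a parameter so that a remote URL (RFI), an absolute system path like `/etc/passwd`, `../` traversal, a null-byte extension trick, and an arbitrary local file such as a log are all refused. The function name, the allowlist contents and the sample request values are assumptions made for the example; the check is written in Python rather than the PHP the post mentions.

```python
import os
import tempfile
from urllib.parse import urlsplit


class IncludeRejected(ValueError):
    """Raised when an include parameter fails validation."""


def resolve_include(next_step, base_dir, allowed=None):
    """Map an include parameter to a file path inside base_dir, or raise.

    allowed: optional set of relative paths that may be included. Using an
    allowlist also blocks pointing the include at a poisoned log file, since a
    log is never on the list.
    """
    # Anything carrying a URL scheme or host would be fetched from elsewhere: RFI.
    parts = urlsplit(next_step)
    if parts.scheme or parts.netloc:
        raise IncludeRejected("remote include refused: " + next_step)
    # Embedded null bytes were historically used to cut off an appended extension.
    if "\x00" in next_step:
        raise IncludeRejected("null byte in include parameter")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when next_step is absolute, and realpath collapses
    # any ../ segments, so both end up compared against base below.
    candidate = os.path.realpath(os.path.join(base, next_step))
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected("path escapes include directory: " + next_step)
    relative = os.path.relpath(candidate, base)
    if allowed is not None and relative not in allowed:
        raise IncludeRejected("not on the include allowlist: " + relative)
    return candidate


# Constructed request values, modelled on the post's goodfile.php / /etc/passwd URLs.
CONSTRUCTED_REQUESTS = [
    "goodfile.php",                     # the intended page
    "/etc/passwd",                      # absolute path to a system file (LFI)
    "../../../../etc/passwd",           # traversal out of the include directory (LFI)
    "http://evil.example/shell.txt",    # remote script (RFI)
    "goodfile.php\x00.jpg",             # null-byte extension trick
    "secret.php",                       # local, inside base_dir, but not allowlisted
]


def demo():
    """Run every constructed request through the check and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        base_real = os.path.realpath(base)
        for req in CONSTRUCTED_REQUESTS:
            try:
                path = resolve_include(req, base, allowed={"goodfile.php", "step2.php"})
                results[req] = "include " + os.path.relpath(path, base_real)
            except IncludeRejected as exc:
                results[req] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(repr(req), "->", outcome)
```

The ordering matters: the URL and null-byte checks run before any path arithmetic, and the containment check runs on the resolved real path rather than on the raw string, so encodings of `..` or symlinks inside the directory cannot smuggle the include elsewhere. The allowlist is the strongest of the three checks; where the set of includable pages is known, a lookup table of page name to file is preferable to accepting a path at all.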

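The brute-force section above distinguishes a short burst against the top few passwords from a slow, patient attack. As an added example, not code from the post or its author, here is a simple sliding-window detector run over a constructed login audit log: any source address with five or more failures inside sixty seconds is flagged, along with the usernames it tried. The log format, the addresses, the threshold and the window are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <FAIL|OK> <client ip> <username>" (format assumed).
# 203.0.113.5 hammers the admin login; 198.51.100.7 is a user who mistypes twice;
# 192.0.2.9 spaces its guesses two minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL 203.0.113.5 admin
2024-03-01T10:00:02 FAIL 203.0.113.5 admin
2024-03-01T10:00:03 FAIL 203.0.113.5 admin
2024-03-01T10:00:04 FAIL 203.0.113.5 administrator
2024-03-01T10:00:05 FAIL 203.0.113.5 admin
2024-03-01T10:00:06 FAIL 203.0.113.5 root
2024-03-01T10:00:07 FAIL 198.51.100.7 alice
2024-03-01T10:00:20 FAIL 198.51.100.7 alice
2024-03-01T10:00:35 OK 198.51.100.7 alice
2024-03-01T10:01:00 FAIL 192.0.2.9 admin
2024-03-01T10:03:00 FAIL 192.0.2.9 admin
2024-03-01T10:05:00 FAIL 192.0.2.9 admin
2024-03-01T10:07:00 FAIL 192.0.2.9 admin
2024-03-01T10:09:00 FAIL 192.0.2.9 admin
"""


def parse_line(line):
    ts, outcome, ip, user = line.split()
    return datetime.fromisoformat(ts), outcome, ip, user


def find_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: details} for sources with >= threshold failures within window.

    Assumes the log is in time order; each source keeps a deque of recent failure
    timestamps that is trimmed from the left as the window slides forward.
    """
    recent = defaultdict(deque)
    users_tried = defaultdict(set)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, ip, user = parse_line(line)
        if outcome != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        users_tried[ip].add(user)
        while q and ts - q[0] > window:
            q.popleft()
        # Report each source once, at the moment it first crosses the threshold.
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {
                "at": ts,
                "failures_in_window": len(q),
                "usernames": sorted(users_tried[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, details in find_brute_force(SAMPLE_LOG).items():
        print(ip, details)
```

Only the fast attacker trips the detector; the slow source never has more than one failure inside any sixty-second window, which is exactly the "all the time in the world" case the post describes. Rate-based detection therefore needs to sit alongside per-account lockout or step-up (two-factor) authentication, since a patient attacker can always stay under a per-minute threshold.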
RE: Web_Vectors #2
I hope you're the owner of the facebook page that you're copying these from.


RE: Web_Vectors #3
You have seen my page? Nice. I still have them open but have recently taken down the sites due to lack of time for upkeep.


RE: Web_Vectors #4
These are my posts and tools from my site; I figure they could be of use to someone.


RE: Web_Vectors #5
Go to my page and I will give you a shout-out to prove it, but this will be the last time I will do such a thing. Not here to prove a thing, thanks.


RE: Web_Vectors #6
I'm not accusing you of plagiarism or saying you're a phony lol, I believe you.


RE: Web_Vectors #7
Nice, just thought I would offer that up. Thank you for taking the time to cross-reference instead of forming an opinion. I have much to share; I just did not want to flood the site.


RE: Web_Vectors #8
I saw these on a Facebook page, the same post lol
