The Ease of Hacking Websites

Most web sites today use a database of one form or another to generate their content. Some use the “offline” database back-ended approach, where pages are regenerated every so often but the web site itself consists of static (HTML) pages. Others use the “on-line” database back-ended approach, where pages are generated on the fly whenever a user requests them.

An “offline” database back-ended web site is considered harder to hack, as sending it malformed data gives you no direct way to influence the content it displays. However, as most webmasters will tell you, the “offline” approach is harder to maintain, slower to adapt to changes in content and requires more thought about what is placed on-line, since content can take from several minutes to hours to propagate into the static web site. That is why most of today’s web sites use the “on-line” approach.

This comes at a price, security wise of course (I will skip the hardware and software aspects). Because the web site is built from user-provided data, a user, in this case one malicious in nature, has the opportunity to manipulate the results returned by the server.

How common is it to see a web site defaced via an IIS/Apache vulnerability? Not very, and when it happens it is usually due to a newly discovered vulnerability in those products. How common is it to see a web site defaced via a Windows/Linux vulnerability? Roughly as common as seeing an IIS/Apache web site defaced because it runs an old version of the software.

What is more common? Web sites that get defaced due to improper handling of user-provided data. These vulnerabilities are usually divided into the following categories:

  • Cross Site Scripting
  • SQL Injection
  • Code Execution

Would it be difficult to detect these vulnerabilities? No. Would it be difficult to avoid having them in the first place? No.

So why are these vulnerabilities still present in high profile web sites? I could name a few such web sites, major news agencies and broadcasting networks, but it wouldn’t help the end-user or the web site’s owner. Everyone knows there are numerous solutions for preventing, detecting and stopping these vulnerabilities, so why isn’t it happening?

Are web site vulnerabilities, such as those caused by bad handling of user-provided data, considered low risk vulnerabilities? I don’t think they can be regarded as low risk.

Take this example: in a few minutes of wandering through the web site of one of these news agencies, which uses the unbreakable Oracle database, I was able to discover the complete structure of their articles table/schema and to read any entry in the table by querying columns such as author, date, priority and keywords, which would otherwise be impossible through their normal web interface.
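To make the mechanism behind that example concrete, here is an added illustration (not code from the original post or from the news agency): an article lookup by keyword, written once with string concatenation and once with a parameterised query, run against a small constructed articles table with the columns the post mentions. The schema, sample rows and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows (assumed schema): id, title, author, date, priority, keywords, published
ARTICLES = [
    (1, "Budget vote passes", "alice", "2004-12-20", 1, "politics", 1),
    (2, "Embargoed merger story", "bob", "2004-12-22", 3, "business", 0),
    (3, "Weather outlook", "carol", "2004-12-21", 2, "weather", 1),
]


def open_db():
    """Create an in-memory database holding the constructed articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER, title TEXT, author TEXT, date TEXT,"
        " priority INTEGER, keywords TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?, ?, ?, ?, ?)", ARTICLES)
    return conn


def search_vulnerable(conn, keyword):
    """The flawed pattern: the user's keyword is pasted into the SQL text,
    so quote characters in it change the meaning of the WHERE clause."""
    sql = ("SELECT id, title FROM articles WHERE published = 1"
           " AND keywords = '" + keyword + "'")
    return conn.execute(sql).fetchall()


def search_safe(conn, keyword):
    """The fix: a bound parameter is always treated as a string value,
    never as SQL, whatever characters it contains."""
    sql = "SELECT id, title FROM articles WHERE published = 1 AND keywords = ?"
    return conn.execute(sql, (keyword,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    crafted = "x' OR '1'='1"  # the classic tautology, here only to show the difference
    print(search_vulnerable(db, "weather"))  # intended use: one row
    print(search_vulnerable(db, crafted))    # every row, including the unpublished one
    print(search_safe(db, crafted))          # no rows: the input is just a keyword
```

The same change applies to every column the post lists (author, date, priority); a parameterised query keeps the application's own WHERE clause in control of which rows are visible.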

The next logical step for a hacker who discovered this would be to insert or modify an article in the database and place some form of malicious content in it; I can name a few: an Ad-Ware installing page, a fraud related “donation” button, etc. Does this sound fictitious? Nope, it has been done and there is nothing stopping anyone from doing it again.

As history has taught us, these kinds of vulnerabilities go unnoticed until someone writes a worm that exploits them to hop from one server to another and, like CodeRed, creates enough havoc to make the security community understand the importance of addressing such vulnerabilities.

Future NOTE: Even if I say that such a worm will be written, it doesn’t mean I wrote it :)

  • http://www.whiteacid.org WhiteAcid

    It’s not hard to find sites vulnerable but it is hard to notify those organisations.

    I’ve come across sites where I could get full HDD read access but I couldn’t inform them about this as they didn’t have any email addresses to send anything to.

    While it is true that professional web designers should be taught to secure the web pages they should also be told to have an email address to the webmaster easily visible.

    Why are these flaws present in high profile website? Two reasons:
    1. Malicious hackers haven’t found the flaw yet
    2. There is no email address people like us can use to inform the organisation about the flaw or they don’t read/act on the emails.

    I don’t know why their web developers were stupid in the first place, maybe the site was based on old code, coded back when security wasn’t that big an issue. Either way, these companies should be notified… until they read and act on the emails.

    I don’t want them to have to learn the hard way.

  • http://www.whiteacid.org WhiteAcid

    There is another closely related problem regarding this. Not only do several high profile websites have security flaws but they have no way of reporting them. I’ve been to sites that (unintentionally) give read access to the entire HDD or easily exploitable SQL injection but don’t have a way for me to inform them about this. Either that or they don’t read any emails I send them.

    Why are these vulnerabilities still present in high profile web sites? There could be a few reasons;
    1. A malicious hacker hasn’t yet taught them the hard way.
    2. They make it hard for people like us to report the issue
    3. The site was based on code from bygone days when web developers weren’t clued in on security
    4. The site was recently coded by old web developers who still think security isn’t an issue.

    What can we do about this? Unless you design websites for large companies or know someone who does we can’t directly influence the companies. We can report flaws to every site that makes it easy to report flaws (if they have flaws of course). In the email describing the flaw you could suggest they do a full security audit.

    Of course some websites make it hell to report anything, I have no idea what could be done in these cases. I know some people would do a small defacing letting them know about the issue, but I wouldn’t do something illegal to report that it’s possible to do something illegal to them.

    I don’t want anyone to have to learn the hard way. Make your site secure, report issues on other’s sites. That’s the ethical approach IMO.

  • someone

    WhiteAcid if you know that there’s a sql injection bug, or any other bug that provides illegal access.. that means that you did some illegal acts. So I think you’re better to stop saying “oh but they don’t provide email addresses to say them they are vulnerable” (for free btw?! you’re so cute :) ). It’s like someone forcing (or even without forcing) access to enter your house and then saying “yo! I did it to prove I could enter your house! it’s not secure! congrats!” seriously… Another point, Noam, web based worms already exist. You’re talking about ‘informing security community with a redcode-like worm’, well, it’s funny as you didn’t know that web based worms already exist (example: http://isc.sans.org/diary.php?date=2004-12-21 the santy worm exploiting a phpbb bug), looks like you don’t know the security community. we, in the security community, already know for sql injections for a whiiiile.. When we do pentests (‘Penetration Tests’) we always think about the web application and it is well scanned (checking for sql injection, path disclosures, code exec through escape to shell, etc). I think you are a newbie in this domain Noam and you WhiteAcid just a wannabe l33t (oh, wait, but ‘WHITE’ hat, haha) :)

  • http://www.BeyondSecurity.com noam

    When I was talking about a worm, I was referring to one that would exploit an SQL injection vulnerability, and as such Santy does not exploit an SQL injection vulnerability, rather a code execution vulnerability.

    I am happy that you do pen-tests, and that you look for such vulnerabilities, still it doesn’t explain why there are high profile web sites that are still vulnerable to these vulnerabilities.

    The only conclusion would be that someone isn’t doing his job properly, either you are informing the companies and they are ignoring you (very likely) or that you are doing a job infrequently enough for the web site to contain new pages that are vulnerable.

  • http://Secret Admin CC

    I may have some work for you if you are interested, i wish to close down a website belonging to someone i know that has started giving a lot of hassle to our community, if you are interested in helping then please contact me

    regards

    Admin of another site !

  • http://www.BeyondSecurity.com aviram

    You came to the wrong web site, I’m afraid.

    We try to help people defend from attacks (by checking their web sites for security holes, for example), we never ever attack web sites. There is a very big difference between the two.

  • http://www.whiteacid.org WhiteAcid

    I do realise that finding the flaw in the first case is usually an illegal act (sometimes it really is accidental).
    We weren’t saying that you don’t know about the issue, of course you do. The original question was why are large web sites still vulnerable? Why haven’t their web devs twigged that something serious could happen?

    While I don’t want to start a stupid little war I would like to point out that I’m not trying to be leet, and that the ‘White’ part has nothing to do with being white-hat, or my ethnicity.

  • http://howdosthishelp how dos this help

    how does this help

  • learning

    can someone teach me how to hack into a website like neopets so i can get np and other items?

  • ashley

    I too agree that security is very important, but I myself wish to hack into my own website. When I was young and stupid and thought I was in love, I made a homepage and put my name on it and I now completely regret it. Thing is, I haven’t a clue what the password was to access the site, nor the password for the email that I might have used. I have no way of shutting down the site. I have explained many times to the hosts that I wish for it to be removed but no one has ever answered me. I can understand it might be a security issue in itself for me to ask them to close the site, but it is embarrassing for me to have this. I’m married now, and my maiden name was quite uncommon so anyone who might consider searching for it, say on google, would immediately find this website. It is incredibly embarrassing. Could anyone offer any advice at all?

  • http://- J.M.S.

    Heh. Nice try ashley. Funny to think people don’t realise this is a security site.

  • NoAm

    Can someone help me hack Hotmail, I lost my password.

  • alan

    very intriguing information. Hope these problems may be resolved sooner.

  • http://www.gangparadise.com hartley1

    plz will u b able to get onto my account i have lost my password on it plz can u help

  • Jason DePriest

    More than a year later and the problems are still out there. Has it gotten better? Nope.

    There is one potential cause for these unknown holes that has not been mentioned: canned apps.

    Lots of companies don’t have the time or money for in-house development and buy an app from some vendor that has its own fancy web presence.

    They put their logo on it, plug it into their database back-end and let ‘er rip.

    Just because you pay some other company ridiculous amounts of money for a product, doesn’t mean it is secure.

  • http://www.yahoomail.com gs

    I am not able to access my yahoo mail account. It is restricted. Please provide the solution to access my yahoo account.

  • New way

    make a bogus copy of a site and upload it via ftp (it only works if the site has write access)

  • http://www.street-racerz.com blueturbo

    can u get my password for blueturbo plzzzzzzzzzzzzzzzz I have spent a lot of time on the game.

  • lotus

    hi my name is lotuschild98, at least thats my screen name, lol. i was wondering if it is possible to hack neopets that easily, by just making your own page and then uploading it using three ftp, and if its not, could you plz tell me how ive been trying to figure it out for a while now, so i would be thankful for the help, if u dont mind plz just email me back at mindys_baby_boy@yahoo.com thank you

  • http://www.mega-forces.com Meli-Hacker

    Nice TUT!

  • http://www.nymethod.com Method

    Recently I have been told by a friend that my website has vuln. I was surprised to hear him say that. Can you analyze my site for potential security risks (if there are any) and give me a solution to fix them.

  • Frank

    I just published my 1st website in many years. I already had someone say they went to it and could change whatever they want. However, they wouldn’t say how. Nobody has my password and I don’t use ftp (my isp’s control panel instead). I can’t find anything on how to reasonably secure a website from site changes. Does the “read only” method work? Do I do that to the http folder or each file? Other suggestions?
    Thanks!

  • http://www.BeyondSecurity.com Aviram

    Frank,

    They are most likely referring to an SQL injection vulnerability. Check out the following SQL injection walkthrough:
    http://www.securiteam.com/securityreviews/5DP0N1P76E.html

  • Frank

    Aviram, thanks for the response. I will have to watch that for form pages. But, what about in normal sites with no log-ins? Here is my site that is supposedly hackable eclipseyourcar.com