A web application (aka website) is an application based on the client-server model. The server provides database access and business logic. It is hosted on a web server. The client application runs on the client web browser. Web applications are usually written in languages such as Java, C#, and VB.Net, PHP, ColdFusion Markup Language, etc. the database engines used in web applications include MySQL, MS SQL Server, PostgreSQL, SQLite, etc.
Most web applications are hosted on public servers accessible via the Internet. This makes them vulnerable to attacks due to easy accessibility. The following are common web application threats.
- SQL Injection – the goal of this threat could be to bypass login algorithms, sabotage the data, etc.
- Denial of Service Attacks– the goal of this threat could be to deny legitimate users access to the resource
- Cross-Site Scripting XSS– the goal of this threat could be to inject code that can be executed on the client-side browser.
- Cookie/Session Poisoning– the goal of this threat is to modify cookies/session data by an attacker to gain unauthorized access.
- Form Tampering – the goal of this threat is to modify form data such as prices in e-commerce applications so that the attacker can get items at reduced prices.
- Code Injection – the goal of this threat is to inject code such as PHP, Python, etc. that can be executed on the server. The code can install backdoors, reveal sensitive information, etc.
- Defacement– the goal of this threat is to modify the page been displayed on a website and redirecting all page requests to a single page that contains the attacker’s message.
How to protect your Website against hacks?
An organization can adopt the following policy to protect itself against webserver attacks.
- SQL Injection– sanitizing and validating user parameters before submitting them to the database for processing can help reduce the chances of been attacked via SQL Injection. Database engines such as MS SQL Server, MySQL, etc. support parameters, and prepared statements. They are much safer than traditional SQL statements
- Denial of Service Attacks – firewalls can be used to drop traffic from a suspicious IP address if the attack is a simple DoS. Proper configuration of networks and Intrusion Detection Systems can also help reduce the chances of a DoS attack been successful.
- Cross-Site Scripting – validating and sanitizing headers, parameters passed via the URL, form parameters and hidden values can help reduce XSS attacks.
- Cookie/Session Poisoning– this can be prevented by encrypting the contents of the cookies, timing out the cookies after some time, associating the cookies with the client IP address that was used to create them.
- Form tempering – this can be prevented by validating and verifying the user input before processing it.
- Code Injection – this can be prevented by treating all parameters as data rather than executable code. Sanitization and Validation can be used to implement this.
- Defacement – a good web application development security policy should ensure that it seals the commonly used vulnerabilities to access the webserver. This can be a proper configuration of the operating system, web server software, and best security practices when developing web applications.
Hacking Activity: Hack a Website
This article has been written for educational purposes only. We don’t encourage hacking or cracking. We are here discussing the ways that hackers are using to hack our digital assets. If we know, what methods they are using to hack, we are in a very well position to secure us.
1. DOS/DDOS Attack – Denial Of Service /Distributed Denial Of Service to hack a website
DOS or DDOS attack is one of the most powerful attacks by hackers to where they stop the functioning of any system by sending the server’s request queue with several fake requests. In DDOS attack lots of attacking systems are used. Lots of computers at the same time launch DOS attacks on the same target server. As the DOS attack is distributed on multiple computers, it is called a distributed denial-of-service attack.
To launch DDOS attacks, hackers use a zombie network. A zombie network is a group of malicious computers on which the hackers quietly installed DOS attacking tools. Whenever the attackers want to launch an attack, they can use all of the computers of the zombie network to carry out an attack. If there so many members in the zombie network, the attack will be more powerful and just by blocking a few IP addresses one cannot survive.
There are numerous tools available on the Internet that are available free of cost to flood the server to perform an attack and few of the tools also support the zombie network as well.
How to Use the LOIC Free tool to hack a website using DOS/DDOS attacks:
LOIC (Low Orbit Ion Cannon): One needs to download the LOIC from the free open source from here: http://sourceforge.net/projects/loic/. Once you have downloaded it, extract the files and save it your desktop.
Now, in the second step open the software and you will get the screen like this:
Here in the screen, find out the text written: “Select your target and fill it in”. Now type or copy/paste the URL of the website in the box. If you would like to launch an attack on IP address then put up the IP address in the box and press the lock button just next to the text box you have filled.
In the third step, just skip the button that says “ ima chargin mah lazer” and move to the third section i.e attack options. Let the other options such as timeout, subsite, HTTP and the speed bar as it is but change the tcp/UDP section and enter a random massage here. In the port type, just put up the port on which you would like to launch the attack and the method field select UDP. If you would like to attack the website keep the port as it is but change it for Minecraft servers. Usually, the port no for Minecraft is 25565. Also, uncheck the option “wait for reply” and keep the threads at 10. If your computer system has a good configuration then you can make it to 20 as well but don’t make it more than 20. Ultimately your screen will look like as below:
At last the only thing that is required is to hit the button “IMMA CHARGIN MAH LAZER”. After pressing it you will see the requested column in the attack status that is to fill up with numerous numbers and stuff.
2. Using SQL Injection Attack to Hack a Website in 2019:
Another successful method to hack the website in 2018 is the SQL Injection attack. In this method, we can insert malicious SQL statements in the entry filed for execution. To successfully execute SQL Injection, one should find out the vulnerability in the application software. Hackers can exploit vulnerabilities from these systems. SQL Injections to hack a website is most commonly known as a vector for websites but it can be used to attack any kind of SQL database.
Most of the SQL Injections attack can be done on the SQL databases in lots of ASP websites.
Steps to hack a website in 2019 using SQL Injection:
- Browse Google and insert “admin/login.asp” in the search engine. Use the option to search in our own country.
- In step 2NDfind out some website that has “Adminlogin.asp” page in it as shown in the above image.
Now try the username as admin and password as 1’or’1’=’1 as shown below:
That’s all now you are logged in to the admin area. Admin panel might look as below:
If the above password is not working then you can use the below list of password for SQL Injection attacks:
List of injections:
- ‘ or 0=0 —
- ” or 0=0 —
- or 0=0 —
- ‘ or 0=0 #
- ” or 0=0 #
- or 0=0 #
- ‘ or ‘x’=’x
- ” or “x”=”x
- ‘) or (‘x’=’x
- ‘ or 1=1–
- ” or 1=1–
- or 1=1–
- ‘ or a=a–
- ” or “a”=” a
- ‘) or (‘a’=’a
- “) or (“a”=” a
- hi” or “a”=” a
- hi” or 1=1 —
- hi’ or 1=1 —
- hi’ or ‘a’=’a
- hi’) or (‘a’=’a
- hi”) or (“a”=” a
3. How to Use XSS or Cross-Site Script Attacks to Hack a Website in 2019:
What is XSS?
For example, let assume an attacker has found out XSS vulnerability in the Gmail and also injects malicious script to it. Whenever a visitor visits the site, the malicious script executed and the code redirects the user to the fake Gmail page or even can capture the cookies. Once the hacker steals the cookies, he can either log in to the Gmail account of others or can even change the password.
Before executing the XSS attack, you should know of:
- Basic understanding of HTTP client-server Architecture (Reference).
- Basic understanding of server-side programming including PHP, ASP or JSP.
How to do XSS Attacks on a Website in 2019:
Step 1ST: Search out the Vulnerable Website: To launch XSS attack hackers can use Google dork to find out the vulnerable website for example: use the dork “?search=” or “.php?q=”. This dork will display some specific sites in Google search results that can be exploited to hack.
Step 2nd: Test out the Vulnerability:
Now, we need to find an input field in which we can inject the malicious script, such as search box, username or password field or any other related field.
Now test the vulnerability by putting some string inside the field, let say for example insert “BTS” in the input field. It will display the results as follows:
Now right-click the mouse on the page and view the page source. Search for the string you entered that is “BTS”. Also, note the location where the input is placed.
Now we need to find out that the server is sanitizing our input or not? To check this, insert <script> tag just inside the input field.
Now again view the page source and find out the location where the input is displayed on the page.
If the server sanitizes our input, the code can be looked at as <script>. This signifies that the website is vulnerable to cross-site scripting attacks and we can launch the attack. In the above case, the code is not being sanitized by the server.
Step 3rd: Exploiting the vulnerability
A pop-up box will be displayed with the BTS string. This indicates that we have successfully exploited XSS vulnerability. By further extending the code with the malicious script, an attacker can steal the cookies or completely deface the website and can do even more
To know more about it and secure your website, visit TheWebOrion.com