How to Hack Websites

Monday, January 03, 2011

Rafal Los


There has been a considerable amount of "hacking" going on lately.  Sites going down, content being stolen, DDoS being leveraged.

So while there are various methods of "hacking" a site I think there is one thing that ties all of this insanity together.


Sure, you can DDoS a site right out of existence - but that's not really hacking.  If you think that hacking a site is the same thing as flooding it with bad traffic until the server or pipe chokes... you clearly don't understand the way that hacking or attack/defense actually works.

Layer 7 Breach

One of the more popular ways of hacking a site is by finding a flaw in the website such as via XSS (Cross-Site Scripting) or SQL Injection... flaws which almost all sites contain if you look hard enough. 

These types of hacks involve either injecting data into, or extracting data from, the site's database(s)... if you're simply extracting data, the goal is to steal email addresses, passwords, personal details, credit cards or whatever else is of financial value to criminals.

If you're injecting data, you're typically placing something on the site, such as a script that changes how the site functions... the most common goal is to inject a Trojan that attacks and compromises the client.

In either case the objective is to be stealthy and make as little noise as possible until you've gotten what you needed and are long, long gone.

Network/Systems Breach

These types of breaches are becoming less and less common but still happen.  A router with a wide-open enable password lets someone jump on, monitor traffic, mirror some data and who knows what else... you've been compromised.

With the myriad of network devices today, from load balancers to firewalls to switches and routers, hardware OR software-based, it's not uncommon to find at least one device with open, or at least easily breakable, access.

Servers aren't getting broken into directly as much either, since the legacy method of attack used to be to find a buffer overflow in the web server, execute the attack and hope the machine (a) doesn't crash and (b) has all the right memory addresses, processor architecture, etc. in place for the exploit to work.  Too hard, too much work, too easy to detect.

But Wait...

Why go through all that trouble, why devise attacks, craft packets and attempt exploits when you can simply download a database of 1.3 million username/password pairs from the latest compromise (Gawker Media) via BitTorrent... and then try all those passwords against thousands of sites world-wide?

I'm 100% serious here... password re-use is rampant, and people often use the same username/password pairs for their banking/credit card sites, for throw-away promotional sites they'll never come back to, and for things like Facebook - all the same password and username pairs.

So is this really hacking?  Nope, it's 100x simpler, less messy, and a lot more rewarding... and sadly it's happening right now.
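The mass re-trial of leaked credentials described above has a recognisable footprint on the defending side: one source walking through many different usernames with a high failure rate, and the occasional success in that stream is the account that was re-used. The following is an added detection example, not code from the original post; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (hypothetical format, not from the post).
SAMPLE_LOG = """\
2011-01-03T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2011-01-03T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2011-01-03T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2011-01-03T10:00:03Z ip=203.0.113.7 user=dave result=OK
2011-01-03T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2011-01-03T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2011-01-03T10:00:05Z ip=198.51.100.4 user=alice result=FAIL
2011-01-03T10:00:09Z ip=198.51.100.4 user=alice result=FAIL
2011-01-03T10:00:15Z ip=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def summarize(log_text):
    """Per source IP: total attempts, failures and the set of distinct usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole run
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] != "OK":
            s["failures"] += 1
    return stats


def flag_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Flag IPs that try many distinct accounts with mostly failed logins.

    A single user fumbling their own password (198.51.100.4) is not flagged;
    one source cycling through a list of leaked accounts (203.0.113.7) is.
    The successes recorded for a flagged IP are the accounts to reset first.
    """
    flagged = {}
    for ip, s in summarize(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "successes": s["attempts"] - s["failures"]}
    return flagged
```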

So What?

Sadly, today it still comes down to passwords on websites.  Get a password management system that synchronizes between your phone [handset] and your computer, or just use one on your mobile device by itself.

Get something that's encrypted reasonably well, can generate passwords on the fly and can store them in a way that lets you retrieve them when you need them in a hurry.

Otherwise, when the next site gets compromised and its username/password combinations are all over BitTorrent... you will be left wondering: Just how many sites did I re-use that username/password combination on?
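The closing question can be answered mechanically by a password manager: audit the vault for username/password pairs shared across sites, then replace each shared one with a fresh, randomly generated per-site password. This is an added example, not code from the post or from any particular password manager; the vault layout is a hypothetical list of dictionaries and its contents are constructed.

```python
import secrets
import string
from collections import defaultdict

# Constructed vault contents (hypothetical layout; the post names no manager format).
VAULT = [
    {"site": "bank.example",   "user": "rafal", "password": "Winter2010!"},
    {"site": "promo.example",  "user": "rafal", "password": "Winter2010!"},
    {"site": "social.example", "user": "rafal", "password": "Winter2010!"},
    {"site": "mail.example",   "user": "rafal", "password": "x9$Lq2#vPw7!bTz"},
]


def reused_credentials(vault):
    """Group sites by (user, password) pair; keep only pairs used on two or more sites."""
    by_pair = defaultdict(list)
    for entry in vault:
        by_pair[(entry["user"], entry["password"])].append(entry["site"])
    return {pair: sites for pair, sites in by_pair.items() if len(sites) > 1}


def generate_password(length=20):
    """Draw a password from the OS CSPRNG; resample until every character class is present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def rotate_reused(vault):
    """Return a copy of the vault in which every site sharing a pair gets its own new password."""
    shared_sites = {s for sites in reused_credentials(vault).values() for s in sites}
    rotated = []
    for entry in vault:
        e = dict(entry)
        if e["site"] in shared_sites:
            e["password"] = generate_password()
        rotated.append(e)
    return rotated
```

The rotated vault only helps if the new passwords are actually changed at each site; the audit tells you which sites, which is the part a person cannot reliably remember.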

Cross-posted from Following the White Rabbit

Rod MacPherson:
"Just how many sites did I re-use that username/password combination on?"

This is what led to me using encrypted storage (TrueCrypt, then later KeePass) to store my passwords. Not being hacked or anything, but coming to the realization that I was using the same password all over the web, and what would happen if one of those sites was breached and that password got out?

How much of my identity online, let alone financial info, depended on me being the only one who knew that password?
Rafal Los:
Rod - so you're left doing double-duty here. You have to use strong, per-site passwords stored in an accessible encrypted storage medium; yet you have to hope the site you're using doesn't get compromised and make that password moot. Not good odds.

Enjoy the post, thanks for reading and I encourage you to check out the rest of my blog!
Rod MacPherson:
Rafal,

Isn't what I said the same as what you said?

"Get something that's encrypted reasonably well, can generate passwords on the fly and can store them in a way that you can remember to retrieve them when you need them in a hurry."

Sounded to me like you were promoting the same sort of solution.

I think you are assuming that my password database is stored online...

No, not at all. You are right that wouldn't make it any better.

The password file is on a USB key that I keep on my person. I have a backup copy in a safe so that I can get in and change all the passwords if ever I lose my key. I am quite confident that I can change all of my passwords before someone can crack the encryption.

If you mean the site for which I've stored the password in KeePass... then what can I say. There is nothing I can do about that. The only point of control I have over the security of most websites is my choice of password. If someone gets into a site they only get into one site, not my whole life, and that's as much control as I have. If I want to use oh, let's say Facebook, and they get hacked, that means my Facebook is gone, but not my Facebook and my Gmail, and my eBay account, and My InfoSec Island account.

In the unlikely event that I forget the password for my passwords, that too is stored away somewhere safe. The key to that one is to choose something long and strong, but memorable to you.
daen nielle:
can you teach me how to hack a website? i'm not that good when it comes to programming but i understand the commands... is it possible to hack a private server game's website? thanks....
please send me an e-mail if you could teach me...
here's my email add... again lots of thanks...