Top 10 Hacking Techniques
Hundreds of South African websites are hacked every day. Between groups like Anonymous, Isis and hundreds of other entrepreneurial hackers in South Africa and overseas, every website live on the web is being poked and prodded by automated scripts as well as human hackers. Below is the list of the top 10 website hacking techniques you need to make sure your website is protected against.
10. Injection Website Hacks
Injection attacks occur when there are flaws in an SQL database, SQL libraries, or even the operating system itself. Employees open seemingly normal files that carry hidden commands, or “injections”, without knowing it.
In doing so, they have allowed hackers to gain access to their private data such as credit card numbers or other financial data.
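The root cause of an SQL injection is the query text being built from user input. The following added example (not code from the original article) shows the vulnerable pattern beside the hardened, parameterised form, against a constructed in-memory SQLite table:

```python
import sqlite3

def make_db():
    # Constructed sample table so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    db.commit()
    return db

def find_user_unsafe(db, username):
    # Vulnerable: the input is spliced into the SQL text, so a quote in
    # the input ends the string literal and the rest becomes SQL.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(query)]

def find_user_safe(db, username):
    # Hardened: the value is bound as a parameter; the driver never
    # interprets it as SQL, whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(query, (username,))]

if __name__ == "__main__":
    db = make_db()
    # Constructed test input containing a quote and an OR clause.
    crafted = "nobody' OR '1'='1"
    print(find_user_unsafe(db, crafted))  # structure of the query changed
    print(find_user_safe(db, crafted))    # treated as a literal username
```

The unsafe version returns a row for a username that does not exist, which is exactly the behaviour a code review or automated test should catch.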
9. Cross Site Scripting Website Hack
Cross Site Scripting, also known as an XSS attack, occurs when an application, URL GET request, or file packet is sent to the web browser window and bypasses the validation process. Once an XSS script is triggered, its deceptive property makes users believe that the compromised page of a specific website is legitimate.
For example, if www.example.com/abcd.html has XSS script in it, the user might see a popup window asking for their credit card info and other sensitive info. They input their information believing it is the trusted site, but in fact they are giving their information to hackers.
This causes the user’s session ID to be sent to the attacker’s website, allowing the hacker to hijack the user’s current session. That means the hacker has access to the website admin credentials and can take complete control over it. In other words, hack it.
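The two defences this section points at are output encoding (so injected markup is shown, not executed) and keeping the session ID away from scripts. The added example below (mine, not the article's) assumes a hypothetical comment-rendering function and session cookie; the inputs are constructed:

```python
import html

def render_comment(author, text, profile_url):
    # Escape every user-controlled value for the context it lands in.
    # quote=True also encodes ' and ", which matters inside attributes.
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    # Escaping alone does not make a URL safe inside href: allow only
    # http(s) so a javascript: URL cannot become the link target.
    if not profile_url.lower().startswith(("http://", "https://")):
        profile_url = "#"
    safe_url = html.escape(profile_url, quote=True)
    return (f'<article><a href="{safe_url}">{safe_author}</a>'
            f'<p>{safe_text}</p></article>')

def session_cookie_header(session_id):
    # Even if a script does get injected, HttpOnly keeps the session id
    # out of document.cookie, so it cannot be shipped to another site.
    return (f"Set-Cookie: sid={session_id}; HttpOnly; Secure; "
            "SameSite=Lax; Path=/")
```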
8. Broken Authentication & Session Management Website Hacks
If the user authentication system of a website is outdated or poor, hackers can take full advantage.
Authentication systems involve passwords, key management, session IDs, and cookies that can allow a hacker to access your account from any computer.
If a hacker exploits the authentication and session management system, they can assume the user’s identity.
This is scary stuff.
Ask yourself these questions to find out if your website is vulnerable to a broken authentication and session management attack:
- Are my user credentials weak?
- Can credentials be guessed or overwritten through weak account management functions (e.g. account creation, change password, recover password, weak session IDs)?
- Are session IDs exposed in the URL?
- Are session IDs vulnerable to session fixation attacks?
- Do session IDs timeout and can users log out?
If you answered “yes” to any of these questions, your site could be vulnerable to a hacker.
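The checklist above maps onto a handful of server-side session rules: unguessable IDs, a new ID at login (against session fixation), an idle timeout, and a logout that actually destroys the session. The added example below (not from the article) is a minimal in-memory store implementing those rules; the clock parameter exists only so the timeout can be tested:

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds a session may sit unused before it expires

class SessionStore:
    """Server-side sessions: unguessable ids, rotation on login,
    idle timeout, and a logout that invalidates the id."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock

    def create(self, user=None):
        # 256 bits from the OS CSPRNG: not derivable from the username,
        # the time, or a counter.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        # Rotate the id at login so an id planted in the browser
        # beforehand (session fixation) is worthless afterwards.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def lookup(self, sid):
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle too long: expire it
            return None
        session["last_seen"] = self._clock()
        return session["user"]

    def logout(self, sid):
        # Clearing the cookie alone would leave the id usable by anyone
        # who captured it; the server-side record must go too.
        self._sessions.pop(sid, None)
```

Session IDs should travel only in a cookie, never in the URL, where they end up in logs, browser history and Referer headers.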
7. Clickjacking Website Hacks
Clickjacking, also called a UI Redress Attack, is when a hacker uses multiple layers to trick a user into clicking the top layer without them knowing.
Thus the attacker is “hijacking” clicks that are not meant for the actual page, but for a page where the attacker wants you to be.
For example, using a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password for their bank account, but are actually typing into an invisible frame controlled by the website hacker.
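A site can only be framed invisibly if its responses permit framing, so the check a defender wants is whether each response carries a CSP frame-ancestors directive or an X-Frame-Options header. The added example below (not from the article) classifies constructed sample responses:

```python
def framing_policy(headers):
    """Classify a response's anti-framing protection from its headers.

    Returns "csp", "xfo" or "none". A CSP frame-ancestors directive
    is authoritative in current browsers; X-Frame-Options is the
    fallback for older ones; a response with neither can be framed
    by any site, which is what clickjacking needs.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            # 'none' or 'self' restrict framing; a bare * does not.
            if sources and "*" not in sources:
                return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"

# Constructed sample responses for a regression check.
SAMPLES = {
    "hardened": {"Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "DENY"},
    "legacy": {"X-Frame-Options": "SAMEORIGIN"},
    "open": {"Content-Type": "text/html"},
    "weak": {"Content-Security-Policy": "frame-ancestors *"},
}

def audit(samples=SAMPLES):
    return {name: framing_policy(h) for name, h in samples.items()}
```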
6. DNS Spoofing Hack
DNS cache poisoning involves stale cache data that you might think your computer no longer holds, but which is actually “toxic”.
Also known as DNS poisoning, this attack lets hackers exploit vulnerabilities in the domain name system to divert traffic from legitimate servers to a fake website and/or server.
This form of attack can spread and replicate itself from one DNS server to another, “poisoning” everything in its path.
In fact, in 2010, a DNS poisoning attack temporarily shut down the Great Firewall of China (GFC) completely and censored certain content in the United States until the problem was fixed.
5. Social Engineering Website Hacks
A social engineering attack is not technically a “hack”.
It happens when you divulge private information in good faith, such as your credit card number, through common online interactions such as email, chat, social media sites etc.
The problem, of course, is that you’re not getting into what you think you’re getting into.
A classic example of a social engineering attack is the “Microsoft tech support” scam.
This is when someone from a call center pretends to be a MS tech support member who says that your computer is slow and/or infected, and can be easily fixed – at a cost, of course.
4. SYMLINKING Website Hacks
A symlink is basically a special file that “points to” another file on a mounted file system. A symlinking attack occurs when a hacker positions the symlink in such a way that the user or application that accesses the path thinks it is accessing the right file when it really is not.
In different versions of a symlinking attack a hacker may be able to take control of the changes to a file, grant themselves more access, insert false information, expose sensitive information or destroy vital files.
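Where a web application opens files by name under a content directory, the defence is to refuse symlinks and anything that resolves outside that directory, and to have the kernel enforce it with O_NOFOLLOW rather than relying on a check that can be raced. The added example below (not the article's code) assumes Linux and builds a constructed layout in temporary directories:

```python
import os
import tempfile

class UnsafePath(Exception):
    pass

def open_within(base_dir, relative_path):
    """Open a file under base_dir, refusing symlinks and escapes."""
    base = os.path.realpath(base_dir)
    target = os.path.join(base, relative_path)
    # The resolved path must stay inside base (catches ../ and a
    # symlinked parent directory) and the last component must not be
    # a symlink itself.
    resolved = os.path.realpath(target)
    if os.path.commonpath([base, resolved]) != base:
        raise UnsafePath(f"{relative_path!r} resolves outside {base_dir!r}")
    if os.path.islink(target):
        raise UnsafePath(f"{relative_path!r} is a symlink")
    # O_NOFOLLOW makes the kernel refuse a symlink at the last
    # component, closing the window between the checks and the open.
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    return os.fdopen(fd, "r")

def demo():
    """Constructed layout: one real file, one symlink pointing outside."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, \
         tempfile.TemporaryDirectory() as base:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("not for the web app")
        with open(os.path.join(base, "report.txt"), "w") as f:
            f.write("ok")
        os.symlink(secret, os.path.join(base, "report-latest.txt"))
        with open_within(base, "report.txt") as f:
            results["report.txt"] = f.read()
        for name in ("report-latest.txt", "../secret.txt"):
            try:
                open_within(base, name).close()
                results[name] = "opened"
            except UnsafePath:
                results[name] = "refused"
    return results
```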
3. Cross Site Request Forgery Hacks
A Cross Site Request Forgery Attack happens when a user is logged into a session and a hacker uses this to send them a fake HTTP request to get their cookie information.
In most cases, the cookie remains valid as long as the user or the attacker stays logged into the account. This is why websites ask you to log out of your account when you’re finished – it will expire the session immediately.
In other cases, once the user’s browser session is compromised, the hacker can generate requests to the application that will not be able to differentiate between a valid user and a hacker.
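Because the browser attaches the session cookie to any request aimed at the site, the server must require something a foreign page cannot supply: a per-session token in the form body, checked alongside the Origin header, with state changes restricted to POST. The added example below (not from the article) assumes a hypothetical transfer endpoint and a site origin of https://www.example.com; the requests are constructed dicts:

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # held server-side only
SITE_ORIGIN = "https://www.example.com"   # assumed origin of the site

def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id):
    # Bound to the session and embedded in the page: a foreign site can
    # make the browser send the cookie, but cannot read the page that
    # carries this token, so it cannot supply a valid one.
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_csrf_token(session_id, token):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))

def handle_transfer(request, session_id):
    """Constructed request: {'method': str, 'headers': dict, 'form': dict}."""
    if request["method"] != "POST":
        return 405   # state changes never ride on GET
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403   # browser-set header: defence in depth
    if not verify_csrf_token(session_id, request["form"].get("csrf")):
        return 403
    return 200
```

Marking the session cookie SameSite=Lax or Strict adds a third layer, since the browser then withholds it from cross-site POSTs altogether.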
2. Remote Code Execution Website Hacks
A Remote Code Execution attack is a result of either server side or client side security weaknesses.
Vulnerable components may include libraries, remote directories on a server that haven’t been monitored, frameworks, and other software modules that run on the basis of authenticated user access. Applications that use these components are always under attack through things like scripts, malware, and small command lines that extract information.
By failing to provide an identity token, attackers could invoke any web service with full permission.
1. DDOS ATTACK – Distributed Denial of Service Website Hack
DDoS, or Distributed Denial of Service, is where a server or a machine’s services are made unavailable to its users.
And once the system is offline, the hacker proceeds to compromise the entire website and do with it what they like.
It’s kind of like having your car stolen when you really need to get somewhere fast.
The usual agenda of a DDoS campaign is to temporarily interrupt or completely take down a successfully running system.
The most common example of a DDoS attack is sending an enormous number of URL requests to a website or webpage in a very short time. This causes a bottleneck on the server side because the CPU runs out of resources.
Denial-of-service attacks are considered violations of the Internet Architecture Board’s Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers.
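The flood described above is visible in the access log as one client far exceeding a normal request rate, and the first line of defence is a per-client limit at the edge. The added example below (not from the article) replays constructed log lines through a sliding-window limiter and reports how many requests it would have shed:

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Per-client request cap over a sliding window, the kind of rule a
    reverse proxy or WAF applies before requests reach the application."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client -> timestamps in window

    def allow(self, client, now):
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()                  # forget hits outside the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

def replay(log_lines, max_requests=5, window_seconds=1.0):
    """Count requests per client that the limiter would have refused."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    blocked = defaultdict(int)
    for line in log_lines:
        ts, client, _method, _path = line.split()
        if not limiter.allow(client, float(ts)):
            blocked[client] += 1
    return dict(blocked)

# Constructed log ("epoch client method path"): 203.0.113.9 fires 20
# requests in half a second while 198.51.100.7 browses normally.
SAMPLE_LOG = [f"{1000 + i * 0.025:.3f} 203.0.113.9 GET /search" for i in range(20)]
SAMPLE_LOG += [f"{1000 + i * 0.5:.3f} 198.51.100.7 GET /page{i}" for i in range(4)]
SAMPLE_LOG.sort(key=lambda line: float(line.split()[0]))

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))  # only the flooding client is throttled
```

A single limiter will not absorb a genuinely distributed flood from thousands of sources; for that the same logic has to sit upstream in a CDN or scrubbing service with more capacity than the attackers.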
If your website has been hacked by any of the above means, you need professional help to clean the infected website. Make sure you call a professional as quickly as possible to minimise the damage.