How They Hack Your Website: Overview of Common Techniques

We hear the same terms bandied about whenever a popular site gets hacked. You know… SQL injection, cross-site scripting, that kind of thing. But what do these things mean? Is hacking really as inaccessible as many of us imagine: a nefarious, impossibly technical twilight world forever beyond our ken?

Not really.

When you consider that you can go to Google right now and enter a search string which will return you thousands of usernames and passwords to websites, you realize that this dark science is really no mystery at all. You'll react similarly when you see just how simple a concept SQL Injection is, and how it can be automated with simple tools. Read on, to learn the basics of how sites and web content management systems are most often hacked, and what you can do to reduce the risk of it happening to you.

SQL Injection

SQL Injection involves entering SQL code into web forms, e.g. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.

When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.

The Simple SQL Injection Hack

In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.

Suppose we enter the following string in a Username field:

' OR 1=1 --

The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:

SELECT * FROM users WHERE username = 'USRTEXT'
AND password = 'PASSTEXT'

…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.

So entering ' OR 1=1 -- as your username could result in the following actually being run:

SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''

Two things you need to know about this:

  • ['] closes the [username] text field.
  • '--' is the SQL convention for commenting code, and everything after the comment marker is ignored. So the actual routine now becomes:

SELECT * FROM users WHERE username = '' OR 1=1

1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreak havoc.

Let's hope you got the gist of that, and move briskly on.

Brilliant! I'm gonna go hack me a Bank!
Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank, evidently.

[Image: citibankhack.png, the Citibank login screen rejecting the attempt]

But the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:

username field examples:

  • admin'--
  • ') or ('a'='a
  • ") or ("a"="a
  • hi" or "a"="a

… and so on.
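To make the mechanics above concrete, here is an added example (not code from the original post) that builds the login query both ways against a small constructed SQLite table and feeds it the username strings listed in this article. The table, the two accounts and their placeholder passwords are all made up for the demonstration. The double-quoted and parenthesised strings are aimed at applications that wrap input differently, so against this single-quoted query they are either harmless or produce a bare SQL error; that error reaching the browser is itself the tell the article later calls database footprinting.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the original page): two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "placeholder-admin-pw"), ("alice", "correct horse")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """The pattern the article describes: form text pasted straight into the SQL string.
    (Plaintext passwords are kept here only to mirror the article's query.)"""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text,
    so a quote or -- inside them is compared as data, never parsed as code."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def outcome(login, conn, username, password):
    """Label what a login routine does with a given input."""
    try:
        return "granted" if login(conn, username, password) else "denied"
    except sqlite3.Error:
        # A raw database error reaching the user tells the attacker the input
        # was parsed as SQL (the "database footprinting" material the article mentions).
        return "sql error"


# The username strings quoted in the article; the password field is left empty.
PROBES = ["' OR 1=1 --", "admin'--", "') or ('a'='a", '") or ("a"="a', 'hi" or "a"="a']


def compare(probes=PROBES):
    """Map each probe to (concatenated-query outcome, parameterised-query outcome)."""
    conn = make_db()
    return {p: (outcome(vulnerable_login, conn, p, ""),
                outcome(safe_login, conn, p, "")) for p in probes}


if __name__ == "__main__":
    for probe, (vuln, safe) in compare().items():
        print(f"{probe!r:22} concatenated: {vuln:10} parameterised: {safe}")
```

Run it and the first two probes log in against the concatenated query while every probe is simply "denied" by the parameterised one; the parenthesised probe returns "sql error" from the concatenated query, which in a real application is the symptom the defensive checklist at the end of this article tells you to look for.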

Backdoor Injection: Modules, Forums, Search etc.
Hacking web forms is by no means limited exclusively to login screens. A humble search form, for instance, is necessarily tied to a database, and can potentially be used to amend database details. Using SQL commands in search forms can potentially do some extremely powerful things, like calling up usernames and passwords, searching the database field set and field names, and amending same. Do people really get hacked through their search forms? You better believe it. And through forums, and anywhere else a user can input text into a field which interacts with the database. If security is low enough, the hacker can probe the database to get names of fields, then use commands like INSERT INTO, UNION, and so forth to get user information, change product prices, change account settings/balances, and just about anything else… depending on the security measures in place, database architecture and so on.

So you can have security locked down at the login, but poor security on other forms can still be exploited. Unfortunately this is a real worry regarding 3rd party modules for Web CMS products which incorporate forms; for CMS products these 3rd party modules are often the weakest links which allow hackers access to your database.

Automated Injection
There are tools to automate the process of SQL Injection into login and other fields. One hacker process, using a specific tool, will be to seek out a number of weak targets using Google (searching for login.asp, for instance), then insert a range of possible injection strings (like those listed above, culled from innumerable Injection cheat-sheets on the Web), add a list of proxies to cover his movements, and go play XBox while the program automates the whole injection process.

Remote Injection
This involves uploading malicious files to inject SQL and exploit other vulnerabilities. It's a topic which was deemed beyond the scope of this report, but you can view this PDF if you'd like to learn more.

SQL Injection in the Browser Address Bar
Injections can also be performed via the browser address bar. I don't mean to have a pop at Microsoft, but when it comes to such vulnerabilities, HTTP GET requests with URLs of the following form are most often held to be vulnerable:

http://somesite.com/index.asp?id=10

Try adding an SQL command to the end of a URL string like this, just for kicks:
http://somesite.com/index.asp?id=10 AND id=11

See if both articles come up. Don't shoot your webmaster just yet if it's your own site and you get two articles popping up: this is real low-level access to the database. But some such sites will be vulnerable. Try adding some other simple SQL commands to the end of URLs from your own site, to see what happens.

As we saw above, access to the database raises a number of interesting possibilities. The database structure can be mapped by a skilled hacker through ill-conceived visibility of error messages — this is called database footprinting — and then this knowledge of table names and so forth can be used to gain access to additional data. Revealing error messages are manna to an attacker: they can carry invaluable table names and structural details.

The following illustrative string is from Imperva.

http://www.mydomain.com/products/products.asp?productid=123 UNION SELECT username, password FROM USERS
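The same problem in a numeric URL parameter, as an added example that is not from the original post or from Imperva: a constructed articles table and users table in SQLite, an id handler that pastes the query-string value into the SQL the way the article warns about, and a replacement that validates the type and binds it. Note that with id=10 AND id=11 both conditions cannot hold at once, so the injectable handler returns no rows at all; the same probe with OR returns both articles, and the UNION string quoted above returns the users table.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(10, "Article ten"), (11, "Article eleven")])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-hash')")
    return conn


def vulnerable_articles(conn, id_param):
    """index.asp?id=... handled by string concatenation. Numbers are not quoted in SQL,
    so the attacker needs no quote character to leave the value and start writing SQL."""
    sql = "SELECT id, title FROM articles WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def safe_articles(conn, id_param):
    """Validate the type first, then bind the value as a parameter.
    Returns (status, rows) so the caller sends a generic 400 instead of a database error."""
    try:
        article_id = int(id_param)
    except ValueError:
        return 400, []
    rows = conn.execute("SELECT id, title FROM articles WHERE id = ?",
                        (article_id,)).fetchall()
    return 200, rows


# Query-string values: the article's own probes plus a plain request for comparison.
PROBES = ["10", "10 AND id=11", "10 OR id=11",
          "123 UNION SELECT username, password FROM users"]


if __name__ == "__main__":
    conn = make_db()
    for value in PROBES:
        try:
            leaked = vulnerable_articles(conn, value)
        except sqlite3.Error as exc:
            leaked = f"sql error: {exc}"
        print(f"id={value!r}\n  concatenated: {leaked}\n  validated:    {safe_articles(conn, value)}")
```

The validated handler rejects every non-numeric value before the database sees it, and because it never echoes the driver's exception, a probe learns nothing about table names from the response.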

There are vast swathes of information on SQL Injection available; here are a couple of good sources:

Cross Site Scripting (XSS)

XSS or Cross Site Scripting is the other major vulnerability which dominates the web hacking landscape, and is an exceptionally tricky customer which seems particularly difficult to stop. Microsoft, MySpace, Google… all the big kahunas have had problems with XSS vulnerabilities. This is somewhat more complicated than SQL Injection, and we'll just have a quick look to get a feel for it.

XSS is about malicious (usually) JavaScript routines embedded in hyperlinks, which are used to hijack sessions, hijack ads in applications and steal personal information.

Picture the scene: you're there flicking through some nameless bulletin board because, yes, you really are that lazy at work. Some friendly girl with broken English implores you to get in touch. 'Me nice gurl', she says. You've always wondered where those links actually go, so you say what the hell. You hover over the link, it looks like this in the information bar:

[%63%61%74%69%6f%6e%3d%274%74%70%3a%2f%2f%77%7…]

Hmmm…what the hell, let's give it a bash, you say. The one thing I really need right now is to see an ad for cheap Cialis. Maybe the linked page satisfies this craving, maybe not. Nothing dramatic happens when you click the link, at any rate, and the long day wears on.

When a link in an IM, email, forum or message board is hex-encoded like the one above, it could contain just about anything. Like this example, from SandSprite, which helps steal a session cookie, which can potentially be used to hijack a session in a web application, or even to access user account details.

[Image: cookiegrab.png, the SandSprite cookie-grabbing link example]

Stealing cookies is just the tip of the iceberg though — XSS attacks through links and through embedded code on a page or even a bb post can do a whole lot more, with a little imagination.
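An added example (not from the original post) of the defence that stops a forum post or a link from carrying script: contextual output encoding when the page is rendered, plus a helper that decodes a percent-encoded link so a reviewer can read what it really says, and one that only accepts plain http(s) targets. The post text and links are constructed for the demonstration; the fragment passed to reveal_link is the one quoted above.

```python
import html
from urllib.parse import unquote, urlsplit


def render_post_unsafe(author, body):
    """A bulletin-board template that drops user text straight into the page:
    anything in the body that looks like HTML is handed to the browser as HTML."""
    return f"<div class='post'><b>{author}</b>: {body}</div>"


def render_post_safe(author, body):
    """The same template with output encoding: html.escape turns <, >, &, ' and "
    into entities, so the browser displays the text and never interprets it."""
    return (f"<div class='post'><b>{html.escape(author)}</b>: "
            f"{html.escape(body)}</div>")


def reveal_link(href):
    """Decode a percent-encoded ('hexed') link so a human can read it before clicking."""
    return unquote(href)


def safe_href(href):
    """Accept a link only if, once decoded, its scheme is http or https.
    Relative links are deliberately rejected too; resolve them first if you need them."""
    scheme = urlsplit(unquote(href)).scheme.lower()
    return scheme in {"http", "https"}


if __name__ == "__main__":
    # Constructed forum post containing markup.
    post = "Me nice gurl <script>alert('hi')</script>"
    print(render_post_unsafe("guest", post))
    print(render_post_safe("guest", post))
    # Fragment of the encoded link quoted in the article.
    print(reveal_link("%63%61%74%69%6f%6e%3d%274%74%70%3a%2f%2f%77"))
    print(safe_href("http://example.com/page"), safe_href("%6a%61%76%61%73%63%72%69%70%74:alert(1)"))
```

Escaping belongs at the point of output, not at the point of input: the same stored post may be rendered into HTML, into a JavaScript string or into a URL, and each context needs its own encoder.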

XSS is mostly of concern to consumers and to developers of web applications. It's the family of security nightmares which keeps people like MySpace Tom and Mark Zuckerberg awake at night. So they're not all bad then, I suppose…

For additional resources on this topic, here's a great overview of XSS (PDF) and just what can be accomplished with sneaky links. And here's an in-depth XSS video.

Authorization Bypass

Authorization Bypass is a frighteningly simple process which can be employed against poorly designed applications or content management frameworks. You know how it is… you run a small university and you want to give the undergraduate students something to do. So they build a content management framework for the Mickey Bags research department. Trouble is that this local portal is connected to other more important campus databases. Next thing you know, there goes the farm.

Authorization bypass, to gain access to the Admin backend, can be as simple as this:

  • Find weak target login page.
  • View source. Copy to notepad.
  • Delete the authorization javascript, amend a link or two.
  • Save to desktop.
  • Open on desktop. Enter anything into login fields, press enter.
  • Hey Presto.

Here's a great video of a White Hat going through the authorization-bypass process on YouTube. This was done against a small university's website. It's a two-minute process. Note that he gets into the User 1 account, which is not the Admin account in this case. Is Admin User 1 on your User table?
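The fix for the bypass described above is that the browser is never the place where authorization is decided. Here is an added example, not the university's or the video's code, of a server-side check: a constructed user table with placeholder passwords, a session store that issues random tokens on login, and an admin handler that re-checks the token and the user's role on every request, so a saved copy of the login page with its JavaScript deleted gets nothing. It also keeps authentication (who you are) separate from authorization (what you may do), which is the "User 1 is not Admin" point above.

```python
import hmac
import secrets

# Constructed credential store (not from the original page). A real system stores
# salted, slow hashes in the password column; plain strings keep the focus on sessions.
USERS = {"admin": "placeholder-admin-pw", "student": "placeholder-student-pw"}
ADMINS = {"admin"}


class SessionStore:
    """Server-side record of who is logged in. The browser only ever holds the opaque token."""

    def __init__(self):
        self._sessions = {}

    def login(self, username, password):
        expected = USERS.get(username)
        if expected is None:
            return None
        # Constant-time comparison so response timing does not leak how many bytes matched.
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)


def admin_page(store, token):
    """Every request to the admin backend re-checks the session on the server.
    Nothing the browser did, or skipped, can substitute for this lookup."""
    user = store.user_for(token) if token else None
    if user is None:
        return 401, "login required"
    if user not in ADMINS:
        return 403, "forbidden"
    return 200, f"admin backend for {user}"


if __name__ == "__main__":
    store = SessionStore()
    print(admin_page(store, None))                       # no session at all
    print(admin_page(store, "token-typed-by-hand"))      # token the server never issued
    print(admin_page(store, store.login("student", "placeholder-student-pw")))  # logged in, not admin
    print(admin_page(store, store.login("admin", "placeholder-admin-pw")))      # the real thing
```

The token should travel in an HttpOnly, Secure cookie and be tied to an expiry; the point here is only that the decision lives on the server, where the user cannot edit it.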

Google Hacking

This is by far the easiest hack of all. It really is extraordinary what you can find in Google's index. And here's Newsflash #1: you can find a wealth of actual usernames and passwords using search strings.

Copy and paste these into Google:

inurl:passlist.txt
inurl:passwd.txt

…and this one is just priceless…
"login: *" "password= *" filetype:xls

Such strings return very random results, and are of little use for targeted attacks. Google hacking will primarily be used for finding sites with vulnerabilities. If a hacker knows that, say, SQL Server 2000 has certain exploits, and he knows a unique string pushed out by that version in results, he can home in on vulnerable websites.

For specific targets Google can return some exceptionally useful information: full server configurations, database details (so a good hacker knows what kind of injections might work), and so forth. You can find any amount of SQL database dumps as well (fooling around with a Google hack while preparing this article, I stumbled across a dump for a top-tier CMS developer's website). And a vast amount more besides.

johnny.ihackstuff.com is the man to go to for Google hacks. One interesting one I toyed with invited me to the Joomla! install page for dozens of sites… people who had uploaded Joomla!, decided against installing it, and subsequently had either left the domain to rot, or else set a redirect on the page to, say, their Flickr account (in one case). Allowing anybody to walk in and run through the installer. Other query strings target unprotected email/IM archives, and all sorts of very sensitive information. What fun we can have!

Password Cracking

Hashed strings can often be deciphered through 'brute forcing'. Bad news, eh? Yes, and particularly if your encrypted passwords/usernames are floating around in an unprotected file somewhere, and some Google hacker comes across it.

You might think that because your password now looks something like XWE42GH64223JHTF6533H in one of those files, it can't be cracked. Wrong. Tools are freely available which will decipher a certain proportion of hashed and similarly encoded passwords.
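An added example (not from the original post) contrasting the two ways a leaked password file can look: a fast, unsalted MD5 per user, which a constructed five-word dictionary recovers instantly, and a per-user salted PBKDF2-HMAC-SHA256 hash, where the same password hashes differently for every user and every guess costs the attacker the full iteration count. The round count is a value chosen here, not a figure from the page, and the wordlist is made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the dictionaries that cracking tools ship with.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123"]

# Iteration count chosen for this example; tune it to your hardware and budget.
ROUNDS = 600_000


def unsalted_md5(password):
    """How many leaked password files still look: one fast, unsalted hash per user."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def crack_unsalted(digest, wordlist=WORDLIST):
    """Dictionary attack in its simplest form: hash each candidate and look for a match.
    A fast hash makes this cheap, and no salt means one table serves every user at once."""
    table = {unsalted_md5(word): word for word in wordlist}
    return table.get(digest)


def hash_password(password, rounds=ROUNDS):
    """Salted, slow hash. The stored string carries everything needed to verify later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = unsalted_md5("password123")
    print("unsalted md5", leaked, "->", crack_unsalted(leaked))
    first, second = hash_password("password123"), hash_password("password123")
    print("same password, two users:", first != second)
    print("verify correct:", verify_password("password123", first),
          "verify wrong:", verify_password("password", first))
```

The unsalted digest falls to a five-entry table; the salted one forces an attacker to run the full iteration count per guess per user, and a precomputed table built for one site is useless against another.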

A Few Defensive Measures

  • If you utilize a web content management system, subscribe to the development blog. Update to new versions as soon as possible.
  • Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
  • Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
  • If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
  • Enter some confusing data into your login fields like the sample Injection strings shown above, and any else which you think might confuse the server. If you get an unusual error message disclosing server-generated code then this may betray vulnerability.
  • Do a few Google hacks on your name and your website. Just in case…
  • When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes.

UPDATE
I had posted a link here to a hacking bulletin board containing specific SQL injection strings etc. The link pointed to a page which listed numerous hacks targeting various CMS platforms, but containing a disproportionate number of hacks for one platform in particular. In retrospect, and following a specific complaint, I have pulled down this link. Apologies to the complainant and to anyone else who found this link to be inappropriate.

30 Nicest Apple, MacOS and iPod Wallpapers

Apple products are often made to be simple and nice; their wallpapers should never be anything different. I've previously posted Windows Vista wallpapers you should not miss, and now here are more wallpapers to decorate your desktop. After searching high and low, here are 30 good Apple-related wallpapers (Apple logo, MacOS, iPod) that are definitely worth a look.

Apple

Contributed by: Andrea Mancini

MacOS

iPod

Hardware

Get Windows 7 For Free.... Hurry!!!


Get in the party mood… Microsoft is encouraging people to apply online and host a party to mark the Windows 7 launch on 22 October. One can choose a day from October 22-29, and the person selected will not only receive a special Signature Edition of Windows 7 Ultimate but a Windows 7 Party Pack too, declared Microsoft.

Microsoft has provided electrifying themes too for the party: Media Mania, PhotoPalooza, Setting up with Ease and Family Friendly Fun. The theme is chosen and now is the time for the applicants to receive an aid from the world’s leading party organizer, House Party.

House Party is a community-based site that aids people around the world to host parties that are normally held on the same day of the launch and are centered on the launch of a corporate event or product.
Once the theme is chosen, the host has an opportunity to upload photos and videos, chat with other hosts, blog the experience, and download fun favors from the personal House Party page.
The hosts also have a chance to win a PC worth US$750. Winners will be sent a word and their prizes delivered after Oct. 30.
Mozilla’s Firefox browser released in June asked the fans to host download parties. For the number of software downloads in 24 hours, the company desired to set a Guinness World Record and laid claim to log more than 8 million downloads of the browser in a day.
Microsoft is not the first one to ask its fans to throw a geek-themed party in respect of a software launch.
Microsoft has offered heavy discounts on pre-sale deals that let users place online orders for Windows 7, to be shipped when the system reaches retail.
Microsoft has declared a 90-day free trial period for enterprise customers who want to try the Windows 7 Enterprise edition. Also, there are discounts of up to 15 percent for users who buy Windows 7 Professional or Enterprise upgrades from volume resellers.

Yahoo launches a Twitter lookalike!

Yahoo, which is otherwise not doing very well in the tech market, has finally taken the first step towards improving its situation.

The giant has directly challenged the current favourite of netizens, Twitter, and launched a microblogging platform called Yahoo Meme. Yahoo had previously launched a Portuguese-language micro-blogging product, Yahoo Meme, which was obviously similar to Twitter and Tumblr.

It looks like Yahoo definitely has lofty ambitions for Yahoo Meme, as it has stealthily rolled the micro-blogging service out in Spanish and now in English to appeal to the masses. Yahoo Meme exactly works like Twitter.

Let's see if Meme does any good to Yahoo's image.
Try Yahoo Meme here.

Coming soon: Dual-screen laptop

The world's first laptop with twin monitors is slated to hit the stores by the end of the year.

The dual-screen laptop, entitled Spacebook, was masterminded by Alaska-based technology firm gScreen.

The pioneering technology, which will let users multi-task while on the move, will have two 15.4-inch screens, the Telegraph reports.

The PC is estimated to cost enthusiasts around 3,000 dollars but not without concerns regarding the weight of the Spacebook and the pressure on the batteries to meet the energy demands of running two screens.

Gordon Stewart, the founder of gScreen, told US technology website Gizmodo that the gadget could be expected to be up for grabs on Amazon by December this year, provided final modifications had been dealt with. He said: "We designed this knowing that many may not need the extra screen at all times."

Spacebook is thought to be the first of its kind with twin screens of equal size.

Loch Ness Monster surfaces on Google Earth?

Is this Nessie? Probably just a boat, unfortunately.

(Credit: Google Earth/Daily Mail)

Stop the presses: According to the U.K.'s Daily Mail, a security guard was hunting around on Google Earth and spotted a mysterious object that he believes is the storied Loch Ness Monster.

The most shocking part of the report: The fact that it took this long for anyone to claim that Google Earth has found something funny swimming around in Loch Ness. I mean, hello, people. Google Earth has been feeding us tasty satellite maps for over four years now. If Google Street View can surface multiple puking drunks and streakers, you'd think that a massive sea monster (enthusiasts claim it may be a long-thought-extinct reptile called a plesiosaur, to be more specific) would have a tough time staying hidden from Larry and Sergey's snooping.

As you may recall, earlier this year someone with way too much free time on his hands claimed he had found the lost city of Atlantis off the coast of North Africa, as evidenced by a grid-like pattern on Google Earth. Google's response was that it was basically feedback from sonar data collection (so boring), not a legendary sunken city.

Unfortunately for conspiracy nuts and "X-Files" loyalists, the "Nessie" of Google Earth is probably just a boat, as the Daily Mail article points out. The 65-foot-long object really does look pretty similar to other Google Earth aquatic oddities that are more obviously man-made watercraft, after all. So the search remains fruitless, I'm afraid.

But a side note: Shouldn't whoever was in that boat on Loch Ness be concerned that the monster might think they'd make a nice snack? Safety first, people.

What's the best phone for Google Voice?

I've been a fan of Google Voice since I started using it in earnest back in March. I now give out my Google Voice number (get yours here, but be prepared to wait a bit before it arrives) more than my mobile phone or my desk phone, and even have it on my business cards now. The features are great, but what I really like is that the number is truly portable: I just point the service at whatever phone, or phones, I want to use that day and my calls arrive there.

With Google Voice apps for mobile phones, I can also make calls from cellular phones that show the Google Voice number in the Caller ID displays of the people I'm calling. That is the killer feature of this killer app. But the experience is not the same on all phones. I've tried Google Voice on four different platforms -- iPhone, Blackberry, Android phone, and PC -- and one clearly stands out above the rest.

Not surprisingly, it's Google's own mobile phone platform, Android. The iPhone has great potential, but until Apple pulls its head out of its Apps Store, it's denied to us as a Google Voice platform. You can still use Google Voice in the iPhone, sort of, via the Safari browser, as I'll explain below.

There is a Blackberry version of the Google Voice app, which is not as full-featured as the Android app, but that has certain important advantages for corporate phone users. Finally, there's the old full browser-based Web app, which is highly useful even when you've got a Google Voice-equipped mobile phone sitting on your desk.

Let's look at how the platforms stack up for Google Voice, in order from good to bad...

The Winner: Android

Google Voice on the Android phone is better than Visual Voicemail on the iPhone.

The Google Voice app for Android is fully integrated with the Android mobile phone operating system. It's the only Google-supported platform that lets you use the phone's native dialer to make outgoing calls that appear to be coming from your Google Voice number. What I really like, though, is an optional feature that makes the app ask you, when you're making a call, whether you want to place the call from your mobile phone's number or from Google Voice. Or you can set it to dial from just the Google Voice number, or the phone's. Basically, you get two numbers in one phone, and it's up to you which one, if any, is the main number. That's handy.

The Android app gives you the cool "karaoke" feature of Google Voice, in which it will highlight words in transcribed voicemails as it plays them.

Nits include the necessity for the phone to have a good data connection (not just a voice signal) to use Google Voice. There's some handshaking that goes on over the Internet, apparently, and if the phone doesn't have a connection, it will either fail to dial out or it will dial from the phone's own number. Also, you might have to do some work in your address book, as numbers have to include a "1" and an area code in front of them, or the phone will, again, use its native dialer.

Close second: Blackberry

The Blackberry app runs a close second to Android.

The Blackberry version of the Google Voice app gives you all the main features of the service, including the karaoke feature, but it's not fully integrated with the phone -- more like, maybe, 85 percent. While you can dial from your phone's address book using Google Voice, you have to select the "Call using Google Voice" option each time. Pressing the phone's green "call" button will always dial from the phone's own number. And you cannot use Google Voice from the missed call list.

Google Voice on the Blackberry is a very important app, however, since it gives corporate users of locked-down Blackberrys access to a second, perhaps personal, line on their phones (assuming their handset isn't so locked down that they can't install the app). It saves people who want to keep personal and work lines separate from having to carry two phones. Details for calls placed via the Google Voice app don't show up in the Blackberry phone logs.

Highly useful: PC or laptop and the Google Voice Web site

It's great to have a full-screen version of your voicemail and SMS archive when you're at a computer.

(Credit: Screenshot by Rafe Needleman/CNET)

For computers, Google Voice is a Web site. It's not a VoIP app. It can't turn your computer into a phone. But it can make whatever phone you're sitting next to into an extension on your Google Voice account, and that's one of the things I really like about the service.

A real computer's big screen is the best place to manage your Google voice contact list and review old messages. And if you are a big text messager, it's great to be able to read and write them on the PC, and then finish your SMS conversations on your mobile when you step away from your desk.

Google Voice dialers for other platforms

There are no native Google Voice apps for Windows or other smartphone platforms, but there are third-party apps. GVdialer, for example, lets you place calls on your phone that appear to come from your Google Voice number. iDialer is similar, and also works with JaJah accounts. I haven't tried these apps, and neither is available for the iPhone. (If you have experience with these apps, leave a comment below.)

A load of crap: iPhone (and other platforms)

The mobile browser version of Google Voice is a cruel, cruel joke.

(Credit: Screenshot by Rafe Needleman/CNET)

There is no Google Voice for the iPhone. Hopefully the FCC's investigation (see also: results) will encourage Apple to approve the app so this is changed. Meantime, if you want to use the service on the iPhone you're stuck with the unattractive mobile version of the Web site.

It's quite pathetic. It's ugly and slow, and when you want to play your voicemails, the Web browser gives way to your phone's media player, which is a disruptive interface switch (and it didn't always work in my testing).

You can -- sort of -- dial out from your Google contacts, that show up in the Web app, and from a "quick call" option on the main screen of the mobile Web site that lets you enter a phone number. In either case, when you want to make a call, the service calls you on your iPhone and also the person you're calling, and it connects you. You need a data connection for this to work. This makes sense when you're using Google Voice from your desktop computer, but it's a poor experience on a mobile phone.

At least it's possible to sync your iPhone address book with your Google contacts, even if you can't place Google calls from the address book app on the phone. Neither can you dial out from your iPhone's recent call list, nor the built-in dialer.

Advice

Google Voice is a breakthrough telephony product. If you are moving your telephony and text messaging activities to the platform, and you need to do it today, you want an Android phone. If you have a corporate Blackberry, you, too, can get a pretty good Google Voice experience. iPhone user? Sorry. But you might not want to throw the phone out the window just yet, since it is likely that the Google Voice will make it to the platform. That's my belief, and it's why I'm hanging on to my iPhone for a little while longer.

Copyright © 2009 - TECHNOBOTS - is proudly powered by Blogger