wAyS why the WEB is hacked
May 19, 2008 – 2:58pmSQL Injection
SQL injection plays on a simple problem: A Web page’s input fields often fail to distinguish between innocent user data–information like names or dates–and malicious commands. When a hacker’s hidden instructions are entered into a Web site’s input forms, the site may confuse them with user data and pull the commands into its Structured Query Language (SQL) database, where they can become integrated into the database’s code. That lets the hacker access the site’s data or add commands to the page so as to infect a visitor with malicious software. A survey of major Web sites by the Web security firm White Hat Security found that 16% of sites were vulnerable to this tactic.
Cross-Site Scripting
About 65% of the major sites surveyed by security analysts White Hat Security are vulnerable to an attack called cross-site scripting, which allows a disturbing upgrade to phishing attacks. The typical phisher e-mails users a link that brings them to a fraudulent site, conning them into sharing credit card information or other sensitive data. In a cross-site scripting attack, the link instead folds hidden command into a destination site’s code. That means even a legitimate page can be secretly tweaked so that when a user enters bank codes or other sensitive information, the data ends up in the hands of the phisher. The threat of cross-site scripting is yet another reason to watch out for links in unfamiliar e-mails.
Cross-Site Request Forgery
Cross-site request forgery, sometimes known as "sidejacking," takes advantage of a vulnerability that’s common to password-protected Web pages. When a user logs in to a private site, his or her identity is marked with a "cookie"–a temporary file downloaded to a user’s browser. But if that user can be tricked into visiting a malicious site while still logged in to that password-protected page, the second site can secretly steal his or her cookies, and with them, the user’s access to the first site’s private information.
Google Hacking
About two out of every three Web searches starts at Google. So, it seems, do many attacks on Web sites. "Google hacking" uses the search engine to probe the entire Web for sensitive information or hackable vulnerabilities in code. Just by entering the right search string, for instance, hackers are sometimes able to find repositories of credit card information or social security numbers stored on the Web. In April, an attack seeming to originate in China used Google to probe the Web for sites vulnerable to a certain strain of SQL injection, targeting more than half a million pages and infecting them with malicious software.
Forced Browsing
In some cases, "hacking" a Web site is as simple as changing a single digit in a Web address. By shifting the characters in a page’s address that refers to a name or date, a malicious user can sometimes gain access to pages he or she isn’t intended to see, a process security professionals call "forced browsing." In 2006, Phil Angelides, a Democratic contender in the California gubernatorial campaign, was accused of hacking rival Arnold Schwarzenegger’s Web site and obtaining a confidential audio file. But a source close to the Democratic campaign told News.com that Angelides’ aides had merely tampered with a URL to find the file.
Timing Attacks
As much as Web sites try to hide their inner workings from hackers, some pages reveal information in signs as subtle as how quickly they load. Security researchers have shown that software that guesses random usernames on a Web application’s login page sometimes reveals which usernames are valid even without a password–that’s because a valid username causes the site to pause for a slightly shorter time than an incorrect username would. In some cases, spammers can use that simple trick to collect thousands of valid e-mail addresses, which they then target with spam. In a 2005 issue of the hacker magazine 2600, another researcher revealed how to use timing analysis to determine the dealer’s hand in an online blackjack gambling site.
Captcha Breaking
One major challenge for security professionals is telling humans from software "bots" on the Web. In a webmail service, for instance, users are shown a "captcha," a distorted word or image, and asked to identify the text or picture. The goal is to foil software designed to sign up for accounts for the purpose of churning out spam. But in some cases, spammers have beaten the countermeasure by creating sites that enlist users to solve captchas by the hundreds in exchange for pornographic images. Google’s Gmail captcha was the latest victim of cybercriminals. Because the site offers an audio function that reads captchas aloud for blind users, hackers were able to use speech-to-text software to defeat the test automatically
Distributed Denial Of Service
Sometimes a hacker’s goal isn’t to steal information or infect users with malicious software but rather to a shut down a site altogether. In those cases, cybercriminals often employ distributed denial of service attacks, a technique that floods a Web server with requests for information and overwhelms it. Using botnets, armies of unsuspecting computers hijacked with invisible software, cybercriminals can vastly multiply the size of their attacks and also mask their origins.
