CyberThreats Daily: 50 ways to hack a website

Well, really there are far more, but the latest study from Imperva, covering 10 million attacks against 30 large organizations from January to May of 2011, cites a cocktail of techniques used by would-be hackers to spot weaknesses and exploit them. For those of us who’ve tailed a log file spinning out of control during an attack attempt, those numbers seem plausible. Over time, attacks have become slick and automated, and often progressive and adaptive, targeting the next phase based on what was found in the last.

In 2008, the Microsoft Ireland home page redirected visitors to another page that made it look as if the site had been hacked. Surfers attempting to visit Microsoft’s Irish website via on Tuesday morning were greeted with a defaced page instead.

To understand a typical hack attempt, visualize a typical commercial office space break-in. There may first be a surveillance phase. Following that is a second phase that determines which doors are locked. Then, if an unlocked door is found near a machine shop, you may adapt your attack to include a truck to haul heavy equipment out during the theft. On the other hand, if you find a door open by an accounting office, you may adapt your attack to use a single backpack to steal an equivalent value. Attacks of the variety we’re talking about here follow progressive stages of discovery, adapting as they go to the “terrain” they find in a similar manner, and using different sets of tools for each.

To apply our analogy to a hack attempt, the first stage will be general: the hacker is just trying to get the lay of the land and see what he or she may be up against. The second phase will attempt to identify potential holes. Depending on the type of information discovered, the hacker will tailor the tool cocktail (and sequence) needed to get what’s likely inside. Some of the more popular styles found in Imperva’s study of attacks against Web applications were directory traversal (37%), cross-site scripting (36%), SQL injection (23%), and remote file include, aka RFI (4%). Often these were used in combination.
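To see the same four categories, and the order in which a single client moves through them, in your own access logs, here is an added example (not code from the original post or from Imperva's study). The signatures, the Apache-combined-style log format and the sample log lines are all constructed assumptions, kept simple for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Deliberately simple signatures (assumptions) for the four categories in the study.
SIGNATURES = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "xss": re.compile(r"<script|onerror\s*=|javascript:", re.I),
    "sql_injection": re.compile(r"\bunion\s+select\b|'\s*or\s+1\s*=\s*1", re.I),
    "rfi": re.compile(r"=(?:https?|ftp)://", re.I),
}
# Client address and request URI from a combined-format access log line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def classify(uri):
    """Return the set of categories whose signature matches the decoded URI."""
    decoded = unquote_plus(unquote_plus(uri))  # decode twice to catch double encoding
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def summarize(lines):
    """Tally categories overall and record the order each client first tried them."""
    totals, per_client = Counter(), defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, uri = m.groups()
        for cat in sorted(classify(uri)):
            totals[cat] += 1
            if cat not in per_client[client]:
                per_client[client].append(cat)
    return totals, dict(per_client)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2011:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/May/2011:10:01:09 +0000] "GET /download.php?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 310',
    '203.0.113.7 - - [12/May/2011:10:01:15 +0000] "GET /item.php?id=1+union+select+1,2 HTTP/1.1" 500 640',
    '198.51.100.23 - - [12/May/2011:10:02:30 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048',
    '198.51.100.23 - - [12/May/2011:10:02:41 +0000] "GET /page.php?inc=http://example.invalid/x.txt HTTP/1.1" 200 1024',
    '192.0.2.10 - - [12/May/2011:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    totals, per_client = summarize(SAMPLE_LOG)
    print(dict(totals))
    print(per_client)
```

A client that shows up under more than one category in quick succession is the "progressive" pattern described above and is a reasonable candidate for blocking at the perimeter.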

Our goal here isn’t to help you better hack a website. But by understanding the mindset of a thief, you may be able to better assess the weaknesses in your systems, and bolster them accordingly. This understanding also reinforces the advice to build your systems with a defense-in-depth approach, which grants only the least amount of access needed for a given task and separates functionality so that a breach in a single system doesn’t allow a breach in another. It also helps to shed the load of would-be attacks at a perimeter layer before they have a chance to slow down or stop your content servers from functioning as they should.

Cameron Camp
ESET Research Systems Manager
