Site&Network Security

Tuesday, June 13, 2006

How hackers crack your sites 2

During the in-depth analysis, hackers examine the source code of the site’s pages. They cannot see the source code of PHP scripts because these are executed on the server side and are not sent in the page code to the client. However, even the HTML code the client receives may contain interesting tidbits. At this stage, hackers concentrate on the following areas:

Comments – These may contain valuable information about the way the code works or the purpose of the parameters. Sometimes, programmers comment out code fragments, which may allow hackers to locate potential code vulnerabilities more rapidly.

Hidden forms and parameters – the latter may be sent as the parameters of the GET or POST methods and may contain important information.

Names – This includes the names of all parameters used in the program and the names of the scripts, to which these parameters are passed.

When the maximum available information has been collected, hackers start testing scripts to see if they process the input data correctly. This can be done by sending trash in parameters, that is, such characters as hyphens, underscores, semicolons, slashes and backslashes. Many of these characters are reserved in certain cases – for example, when opening files or working with databases. When some character causes a script to issue an error message, this message will most likely contain the code line in which the error occurred and the name of the function or SQL request. This gives the hacker additional information on how to proceed with breaking into the server, based on the function that issued the error. The most critical functions are the following:

System-access functions, such as system() and exec() – If no check for reserved characters is performed when these functions are called, hackers will try to use them for executing system commands, for example, ls to view the contents of the current directory in UNIX. If the Web server’s access privileges are high enough for executing important commands, they can easily do at least the following two things to the site:

Deface it, that is, replace the home page. All they have to do is replace the main page script with one of their own.
Destroy the entire site. If hackers have access to the command for deleting files (rm in UNIX systems), they will have the rights for deleting script files.

File-handling functions, such as include() and readfile() – These allow hackers to read the configuration files, for example, the /etc/passwd file and, even better, the /etc/shadow file, which store the user names and their encrypted passwords, respectively, in UNIX systems. They will not be too bothered that the passwords are encrypted, because experience shows that at least 25% of passwords can be broken using the dictionary method.

SQL requests – Hackers can use these to delete or change database data or obtain access to confidential information, for example, a password table.

The main vulnerability of scripts occurs when they do not check whether the parameters or data received from users meet the requirements. When calling system functions in your scripts, you should prohibit slashes, backslashes and semicolons in the parameters passed to these functions. But parameters are not the only things used by hackers in their attacks. They can also resort to cross-site scripting and flooding attacks.
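
The parameter checks described above, as an added PHP example that is not part of the original post: it validates request values against an allow-list before they reach a shell command or include(), which is stricter than banning only slashes, backslashes and semicolons. The names safe_token, resolve_page, build_lookup_command, the PAGES map and the nslookup command are assumptions chosen for illustration; the script only builds the command string and runs offline.

```php
<?php
// Added example: hardened handling of request parameters that would reach
// exec() or include(). All function and constant names are hypothetical.

// Allow-list check. Stricter than only banning "/", "\" and ";": it also
// rejects spaces, quotes, pipes, backticks, "$", NUL bytes and a leading "-".
function safe_token(string $value, int $maxLen = 64): bool
{
    return strlen($value) <= $maxLen
        && preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $value) === 1;
}

// Pages that may be included; the request only selects a key, never a path.
const PAGES = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];

function resolve_page(string $name): ?string
{
    return PAGES[$name] ?? null;   // unknown key => nothing is included
}

function build_lookup_command(string $host): ?string
{
    if (!safe_token($host)) {
        return null;               // reject instead of trying to "clean" input
    }
    // escapeshellarg() is a second layer: the value stays a single argument.
    return 'nslookup ' . escapeshellarg($host);
}

// Constructed sample inputs, as they might arrive in $_GET.
$samples = ['example.com', 'example.com; ls', '../../etc/passwd', 'a\\b', 'home'];
foreach ($samples as $s) {
    printf("%-20s token=%-3s page=%-16s cmd=%s\n",
        $s,
        safe_token($s) ? 'ok' : 'no',
        resolve_page($s) ?? '(refused)',
        build_lookup_command($s) ?? '(refused)');
}
```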
