Ever wondered how on earth hackers hack your website? Is it easy, or is it difficult? Why does the hacker guy (Justin Long) in Die Hard 4 find it so easy? Can we stop it? Why on earth does that junkie guy in Mr. Robot get through with just a few scraps of information? Is there a Neo who will save everybody from the oppression of these hackers? Don’t worry, website owners: we’ll tell you how these egoistic cyber terrorists get into your sites and how to stop them.
A Real-life Example
Earlier in 2015, hacktivists attacked a cluster of Philippine government sites, demanding justice for the SAF 44. As reported by The Inquirer on Independence Day, hacktivists defaced the site of the National Historical Commission of the Philippines (NHCP) and left a message for the president of the Philippines, President Benigno Aquino III. Months later, these hacktivists defaced the site of the National Telecommunications Commission (NTC) in protest at the poor and expensive Internet services provided to Filipino netizens.
A number of reports from India describe encounters with website defacement by hacktivists. These are mostly e-commerce sites, so the defacements hit the companies’ revenues and left their CEOs scratching their heads.
On the far western side of the globe there were also articles and reports of DDoS attacks and defacements of the sites of small and well-known companies. Most of these attacks are thought to have originated from Chinese networks.
These were the reports of government and commercial websites getting hacked in the past months. Sites were reported to have been “defaced” by so-called hacktivists, individuals who use their hacking skills for what they believe is a good cause. Website defacing is basically an attack that changes the visual appearance of the site. The attackers “trick” the web servers into believing that their websites are the real ones.
How do they do this?
Methods of website hacking vary depending on the target website (e.g. whether it uses a CMS platform or is a custom-built application). Listed below are the common methods hackers use to hack your website:
SQL Injection. A code injection technique in which malicious SQL statements are inserted into a query. The attack can extract data from the web application’s SQL relational database through input supplied on the client side.
Remote File Inclusion. An attack that targets web servers (usually those running PHP). The server is tricked into accepting an uploaded file as, for example, an image when it is really a .php script. Because the server treats it as a script rather than an image file, it executes it.
Local File Inclusion. This attack exploits a weakness in the process of uploading unsanitized files through web browsers.
Exploiting Reported CMS Vulnerabilities. This is basically where it all begins: most hackers bank on vulnerability announcements for certain platforms and prey on websites that have not updated theirs. (So now you see how important keeping your system updated is?)
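As an added illustration (example code, not from the original post or any product it mentions), here is a small Python upload check of the kind that defeats the “image that is really a .php script” trick described above: it allowlists extensions, refuses script-like extensions anywhere in the name (so shot.php.jpg is rejected as well as shell.php), compares the file’s leading bytes with the signature of the claimed image type, and lets the server choose the stored file name. The signature table, file names and sample contents are constructed for the example.

```python
import os

# Magic bytes of the image types this hypothetical upload handler accepts.
# Constructed allowlist for the example; extend it for the formats your site serves.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Extensions a PHP web server may execute; they must not appear anywhere in the
# name, so that "shot.php.jpg" is refused as well as "shell.php".
SCRIPT_MARKERS = {"php", "phtml", "php3", "php4", "php5", "phar"}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is for the server log."""


def validate_image_upload(filename: str, content: bytes) -> str:
    """Check an upload that claims to be an image.

    Returns the extension the file will be stored under ("png", "jpg" or "gif")
    or raises UploadRejected. Three checks, in order:
      1. the last extension is on the allowlist,
      2. no script-like extension appears anywhere in the name,
      3. the content starts with the magic bytes of the claimed type, so a
         renamed PHP script is refused even when it carries a .jpg name.
    """
    # Keep only the final path component: any directory part from the client is dropped.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("file name has no usable extension: %r" % filename)
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed: %r" % ext)
    if SCRIPT_MARKERS & set(parts[1:]):
        raise UploadRejected("script-like extension in file name: %r" % filename)
    stored_ext = "jpg" if ext == "jpeg" else ext
    if not content.startswith(IMAGE_SIGNATURES[stored_ext]):
        raise UploadRejected("content does not match claimed type %r" % ext)
    return stored_ext


def is_acceptable_upload(filename: str, content: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_image_upload(filename, content)
    except UploadRejected:
        return False
    return True


def stored_name(upload_id: int, ext: str) -> str:
    """The server picks the name; nothing from the client reaches the filesystem path."""
    return "upload_%d.%s" % (upload_id, ext)


if __name__ == "__main__":
    # Constructed samples: a real PNG header and a PHP script wearing an image name.
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    php_script = b"<?php echo 'not an image'; ?>"
    for name, data in [("logo.png", png_header),
                       ("shell.php", php_script),
                       ("shot.php.jpg", png_header),
                       ("holiday.jpg", php_script)]:
        print(name, "accepted" if is_acceptable_upload(name, data) else "rejected")
```

Only the first sample is accepted. The content check matters most: an extension allowlist alone is defeated by renaming the script, and a name check alone is defeated by a server that maps double extensions to PHP, so the two are used together and the client never controls the stored path.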
How do I secure my website?
Below are some easy steps for securing your website. Point #1 applies to everyone; the rest are for web developers to take note of:
Update, update, update. This is the easiest of them all (even if you’re not a web developer). If you’re using a CMS platform (e.g. WordPress, Joomla, Drupal, etc.), the easiest way to prevent website defacing is to keep your platform updated. This thwarts hackers’ attempts to exploit reported vulnerabilities.
Sanitize user input and data output. To prevent SQL injection, parameterize your queries and apply proper escape characters.
Sanitize data output. To prevent XSS, when displaying data make sure you also apply proper escape characters, so that the browser does not interpret the data as code.
Minimize error message details. Be aware of how much information you give away in error messages; they can reveal key details that lead to SQL and code injection.
Use HTTPS. You wouldn’t want a hacker to see your passwords in clear text, right? Ensure encrypted communication between browsers and your website by enabling SSL/TLS. We’ll cover how to set up HTTPS on your website in our next blog post.
To detect existing and future web attacks such as SQL injection or XSS against your website, get WebRanger installed on your website. It is the detective, preventive and corrective website security control that keeps your websites protected 24/7. And it’s free! Visit WebRanger’s website to learn how it actively protects your website.