Vulnerabilities that Hackers Exploit in Websites

...

First Order Vulnerabilities:
For our convenience we have divided the vulnerabilities into two categories – First and Second order vulnerabilities. The latter usually result in graver damage to a website. 

Vulnerability 1: Unsecured Website:
These websites are not SSL compliant. As a result, Google marks the website as unsecured in the URL address bar. SSL-enabled websites, on the other hand, show a padlock sign in the URL address bar.

What’s the Difference?
When the website shows https (SSL enabled), the data packets sent from the user to the web server and vice versa are in encrypted form. With http (unsecured website), the data packets travel to and from the web server in plaintext.

Attackers use tools like Wireshark to sniff data packets after connecting to a Wi-Fi network. Since the packets to unsecured websites are transmitted in plaintext, the attacker can see the actual content being transmitted.

Consider a case where you log in to an unsecured website over public airport Wi-Fi. An attacker connected to the same Wi-Fi can store all your data packets and analyze them later to find your login credentials.

In fact, among the captured data packets, the hacker searches for http packets, because these are the only packets that need no decryption. To find the login details, the attacker then searches for the POST verb, as login details are transmitted in the body of a POST request. In a GET request the data is transmitted in the URL, which is why it would be unsafe to pass crucial parameters like login credentials that way.

Thus, hackers adopt the following procedure to capture important personal details, especially the username and password:

  • Step 1: Connects to a free public Wi-Fi (it requires no password to connect; in essence, attackers connect to any Wi-Fi they have access to in order to capture data packets).
  • Step 2: Uses Wireshark to capture the data packets.
  • Step 3: Stores them for later analysis.
  • Step 4: Searches for http packets > searches for the POST verb > looks into the body of the POST request to get the crucial private details.

How to Prevent Being Victims of Such Packet Sniffing:

To prevent being victims of packet sniffing do the following:

  • Do not connect to free public Wi-Fi: to harvest your data packets, the attacker also needs to be connected to the same Wi-Fi. Free public Wi-Fi requires no password, so the attacker can connect easily. The same is not the case with private Wi-Fi, which has proper access controls.
  • If you must connect to free public Wi-Fi, do not surf unsecured websites (surf only https websites, not http ones). On unsecured websites, attackers can harvest the data packets you send and analyze them to find private details like login credentials.
  • Use a VPN: a VPN (Virtual Private Network) always encrypts the data flow. Thus, even when connected to http websites, the data flow is encrypted and cannot be deciphered by attackers, especially if the encryption is AES-256.
  • Use the HTTPS Everywhere add-on: this is a very popular “privacy enhancing” add-on. It enhances privacy by forcing browsers to use HTTPS on supporting sites and forcing sites to use SSL encryption where available, thus encrypting communication with websites. Some sites make it difficult to use HTTPS by defaulting to unencrypted HTTP or by filling encrypted pages with links that go back to unencrypted pages. The HTTPS Everywhere extension fixes these problems automatically by forcing the use of HTTPS.

Important Learning Points:

  • Tools of the Trade: Wireshark (packet sniffer)
  • Exploit: Data packets can be sniffed and analyzed to find login credentials when surfing an unsecured (http) website
  • Solution: Don’t surf http websites on public Wi-Fi; use a VPN and the HTTPS Everywhere add-on

Vulnerability 2: Excessive Disclosure:
In this context, disclosure means revealing critical information about the network, web server, application used, etc. Web server fingerprinting is a critical step for a penetration tester: knowing the version and type of web server, framework and operating system allows the tester to look up known vulnerabilities and then use the appropriate exploits to compromise the website.

Why Disclosure is an Issue:
For example, if a pen-tester finds that the web server is IIS 8.0, he can search Google for vulnerabilities in IIS 8.0 and consequently employ the appropriate exploits for breaching the website.

Appropriate Tool: Wappalyzer
Website: http://wappalyzer.com 

Wappalyzer is a Firefox/Chrome plug-in. It works purely on regular-expression matching and needs nothing beyond the page being loaded in the browser. It works completely at the browser level and presents its results as icons. Although it sometimes produces false positives, it is very handy for getting a notion of which technologies were used to build a target website immediately after browsing a page.

An Example: 
Use of Wappalyzer for a website may show the following details:

  • Web server version disclosure: IIS 8.0
  • Web Framework disclosure: Microsoft ASP.NET 2.050727 
  • OS disclosure: Windows Server 

How to Fix the Issue?

  • Unset the “X-Powered-By” header: such headers spill information about the hosting environment and other frameworks. They provide no usefulness to the application or its visitors but expose the web server and framework unnecessarily. Unset this header to avoid exposing potential vulnerabilities. Note: use the .htaccess file on the server to implement the change globally. If APIs or third-party components stop working, provide exceptions for them.
  • Use a reverse proxy: normally HTTP requests are received at the standard port 80 and HTTPS requests at 443. This can be changed by using a reverse proxy like NGINX, GlassFish, etc. They help avoid DDoS attacks or Slowloris attacks on thread-based web servers like Apache by receiving requests at other ports and then forwarding them to the standard ports 80 and 443. Excessive requests received at the non-standard ports are filtered out there to curtail DoS attacks. Besides, the outsider sees only the reverse proxy, which hides the original web server.
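The two server-side fixes that follow from Vulnerability 1 (credentials must never travel over plaintext http) and from the header advice above, written as WSGI middlewares. This is an added example, not code from the original post; the demo application, the host name and the header values in it are constructed.

```python
# Two WSGI middlewares for the fixes discussed above; added example, not code from the post.
# The demo application, host name and header values below are constructed.

# Response headers that announce the server, framework or runtime (compared case-insensitively).
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
HSTS = ("Strict-Transport-Security", "max-age=31536000")  # one year; only sent over https


def force_https(app):
    """Redirect plaintext requests to their https URL and add HSTS to https responses.
    A POST that already arrived over http has leaked; the redirect keeps the login form
    and its submission on https from the first visit onward."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://%s%s" % (environ.get("HTTP_HOST", "localhost"),
                                       environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + [HSTS], exc_info)
        return app(environ, hsts_start_response)
    return wrapped


def strip_disclosure_headers(app):
    """Drop disclosure headers set by the application. A Server header appended by the
    front web server or reverse proxy is added after this runs and must be removed in
    that server's own configuration."""
    def wrapped(environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            kept = [(name, value) for name, value in headers
                    if name.lower() not in DISCLOSURE_HEADERS]
            return start_response(status, kept, exc_info)
        return app(environ, filtered_start_response)
    return wrapped


def leaky_app(environ, start_response):
    """Constructed application that announces its stack, modelled on the IIS/ASP.NET example."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Server", "Microsoft-IIS/8.0"),
                              ("X-Powered-By", "ASP.NET"),
                              ("X-AspNet-Version", "2.0.50727")])
    return [b"<html>ok</html>"]


def call(app, scheme="https", path="/", host="www.example.com"):
    """Invoke a WSGI app in-process; returns (status, {lower-cased header: value}, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "HTTP_HOST": host, "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], {k.lower(): v for k, v in captured["headers"]}, body


hardened_app = force_https(strip_disclosure_headers(leaky_app))
```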

Important Learning Point:

  • Tools of the Trade: Wappalyzer
  • Exploit: Depends on the details found. For example, if the web server is Apache then a Slowloris attack (smart DoS) can be executed.
  • Solution: Depends on the details. For example, if the web server is Apache then a reverse proxy like NGINX can prevent DoS attacks.

Properly implemented headers by Facebook doesn’t expose crucial details 

Vulnerability 3: Brute Force Attacks:
What is a Brute-force attack?

A brute force attack is an act of trying every possible combination of a given key-space or character set for a given length. The attacker first exhaustively tries all single-character passwords, i.e., "a to z", "A to Z", "0 to 9", all the special characters, etc. If the password is not found, it moves on to all possible two-character combinations, and so on until the password is broken. For crazy long random passwords, this process may take even billions of years with the processing speed we have today.

Hence, attackers use smarter brute force processes, for example a dictionary attack, where the attacker uses dictionary words as passwords. If the dictionary contains the correct password, the attacker succeeds. Thus, you are advised never to use a dictionary word alone as a password.

Brute force attacks are also used to crack a hash value, i.e., to guess the password for a given hash. In this process, hash values are generated for candidate passwords and matched against the target hash until the right one is found. Hence, we should use higher levels of encryption (64-bit, 128-bit or 256-bit) to protect passwords.

Most of the time, WordPress users face brute-force attacks against their websites.

The different forms of brute force attack leverage:

  • Custom Wordlist
  • Custom Wordlist + Rules
  • Dictionary/ Wordlist
  • Dictionary/ Wordlist + Rules
  • Mask
  • Hybrid Dictionary + Mask
  • Combo
  • Custom Hybrid Attack
  • Custom Mask Attack
  • Brute-Force

Password Pattern Analysis: 
Password analysis can provide useful information about a password’s creator and their patterns. An attacker usually works this out to determine the most suitable type of brute force attack for breaking the passwords. Let’s split the analysis into three patterns – Basic, Macro and Micro.

Basic Pattern:
Visually obvious when compared to similar groupings, i.e., base word(s), digit(s) and language. For example, Ravi 1991@* and Arushi1993@*

  • Each password uses a name: Ravi and Arushi
  • Each password contains a 4-digit year
  • Each ends with the common special characters @*

Macro Pattern:
Statistics about the passwords’ underlying structure, such as length and character set. E.g., Mango4569 and 4569Apple

  • Length structure can be summarized as: 4 digits + 5 letters and 5 letters + 4 digits
  • No special character used in the password
  • Use of the common number 4569
  • Macro pattern of capitalizing the first character of the word in the password

The user is likely to have passwords shorter than 10 characters, and with the consistent use of a common 4-digit year the unknown characters effectively drop to 6. This allows a hybrid attack (Dict+4569) or (4569+Dict).

Micro Pattern:
These passwords display a micro pattern on analysis, which allows custom combo attacks with rules, hybrid mask attacks, etc. For example, MAngodelhi123 and GUavacalcutta456

  • Each password begins with a fruit name: Mango and Guava
  • The fruit name is followed by a city name: Delhi and Calcutta
  • Each ends with 3 digits
  • Consistent capitalization of the first two characters of the word in the password

So when analyzing passwords, be sure to group them and look for possible patterns such as language, base word/digits, charsets, length and subtle themes with possible contextual meaning.

Reverse Brute-force Attack:
It uses a reverse approach to crack the passwords. In this method, the attacker tries one password against multiple usernames. 

Brute force and reverse brute force can be used against any website that does not block requests after a few invalid attempts.

Popular Tools for Brute-force Attacks:
Aircrack-ng:

This is the most popular free wireless password cracking tool. It comes with a WEP/WPA/WPA2-PSK cracker and analysis tools to perform attacks on Wi-Fi 802.11 networks. The tool can be used with any NIC that supports raw monitoring mode.

This tool performs dictionary attacks to guess the password. The more exhaustive and effective the dictionary is, the more likely it is to crack the password. You may download the tool from http://www.aircrack-ng.org/

John the Ripper:
John the Ripper has been the favorite choice of attackers for performing brute force attacks. It supports multiple platforms including Windows. The tool combines several password-breaking features and can automatically detect the type of hashing used for the password. You can download it from http://www.openwall.com/john/

Other Brute Force Attack Tools:

Preventing a Brute Force or Dictionary Attack: 
Un-guessable URLs for Admin Login Pages:

If you have a website, it must have an admin login page. The URL of this page should be long and random so that it is extremely hard to guess. The admin page holds great significance for a website, and exposing it renders it susceptible to brute force attacks. Thus, the URL of the page should neither be in the public domain nor easily guessable. Websites like Google, Facebook, etc. have their admin pages hidden.

Creating Unbreakable Passwords:
Create unbreakable passwords and usernames using the method detailed here: 
Step 1: Recall a phrase that you never forget, which must be at least 10 characters long.
For example, this phrase may be “Johnny Johnny Yes Papa, Eating Sugar No Papa, Open Your Mouth, Ha Ha Ha”

Step 2: Now take out the initial letter of each word.
For the above example, it becomes – “jjypesnpoymhhh”. As you can see, this password is already very complicated. It’s almost impossible to shoulder surf this password (see and remember such a complex password from behind in one go).

Step 3: Now add some capital and special characters at specific places. For example, it may become – “ELEPjjypesnpoymhhhHANT” after adding capital characters and “ELEPjjypesnpoymhhHANT%&” after adding special characters.

Step 4: Finally, add a number that is personally relevant to you. The best choice is a combination of two personally relevant numbers, which makes the password extremely hard to guess. After this addition your final password may look like –

“ELEPjjypesnp76104567oymhhHANT%&” 

This password is so strong that it would take hackers forever (at least trillions of years) to crack it using the world’s best password-breaking algorithm, brute force. Since the password is built from a well-remembered phrase and a combination of numbers that is personally relevant to you, it is hard to forget and can be recalled very easily. Finally, this new password may look super-crazy and complicated to others, but for you it is a simple password that can be typed very swiftly.
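A registration-time check that applies the advice of this section and the pattern analysis above (no dictionary word alone, at least 10 characters, no bare word+digits or name+year structure) and reports the macro pattern and the brute-force search space in bits. This is an added example, not code from the original post; the word list, the names and the thresholds are constructed for the demo.

```python
# Registration-time password check built from the post's advice and pattern analysis;
# added example, not code from the post. The word list, the names and the thresholds
# are constructed for the demo; a real deployment would load a large dictionary.
import math
import re

DICTIONARY = {"mango", "apple", "guava", "delhi", "calcutta", "password", "welcome"}
NAMES = {"ravi", "arushi", "johnny"}
MIN_LENGTH = 10          # step 1 of the post's method: a phrase of at least 10 characters
SPECIAL_COUNT = 33       # printable ASCII punctuation characters


def macro_pattern(pw):
    """Collapse a password into its character-class runs: a=letters, d=digits, s=other.
    'Mango4569' -> 'aaaaa dddd', the macro pattern the post describes."""
    classes = "".join("a" if c.isalpha() else "d" if c.isdigit() else "s" for c in pw)
    return " ".join(m.group(0) for m in re.finditer(r"(.)\1*", classes))


def search_space_bits(pw):
    """Bits of work for the exhaustive brute force described above: length * log2(charset)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SPECIAL_COUNT
    return len(pw) * math.log2(size) if size else 0.0


def evaluate_password(pw):
    """Return the macro pattern, the brute-force bits and the predictable traits found."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    for word in re.findall(r"[A-Za-z]+", pw):
        lw = word.lower()
        if lw in DICTIONARY:
            findings.append("dictionary word used alone" if lw == pw.lower()
                            else "contains dictionary word '%s'" % lw)
        elif lw in NAMES:
            findings.append("contains the name '%s'" % lw)
    for digits in re.findall(r"\d+", pw):
        if len(digits) == 4 and 1900 <= int(digits) <= 2099:
            findings.append("contains a year-like 4-digit number %s" % digits)
    pattern = macro_pattern(pw)
    shape = "".join(run[0] for run in pattern.split())   # e.g. 'aaaaa dddd' -> 'ad'
    if shape in ("ad", "da"):
        findings.append("only a word and a number block: hybrid dictionary+mask territory")
    return {"pattern": pattern, "bits": round(search_space_bits(pw), 1), "findings": findings}


def is_acceptable(pw):
    """True when none of the predictable traits above were found."""
    return not evaluate_password(pw)["findings"]
```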

Disabling the Account for Pre-defined Period of Time:
Automatically disable the account after a predetermined number of failed login attempts. For example, the account may automatically reactivate 30 minutes after 3 failed attempts, or the user might have to contact the site administrator to have the account reactivated. However, this runs the risk of denial of service: if the attacker enters a wrong password three times every 30 minutes, he can effectively prevent that user from ever accessing the system. This is highly damaging if used against an administrator account.

In another case, the attacker may conduct a reverse brute force attack, rendering the login lockout ineffective.

Carefully Word Your Error Messages: 
The error message should not help a brute force attacker, so it is important to craft appropriate messages in response to failed login attempts. Many websites inadvertently help attackers through helpful error messages. Consider the messages “Username not found” and “Incorrect password”.

The message “Username not found” tells the attacker that the user he is trying to breach does not exist in the system, so there is no point continuing the brute force attack for that username. This saves him thousands of useless requests and hours of time.

Similarly, “Incorrect password” tells the attacker that a username with the attacked name exists but the password is wrong. Thus, there is a potential victim and the attacker can step up his efforts on breaking that user’s password.

Ideally the web server should send an ambiguous message like “Incorrect username or password” when a login attempt fails. It does not disclose which part of the credential was wrong and therefore does not aid the hacker in his work.
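A login handler that puts the last three sections together: one generic failure message, equal work for unknown and known usernames, and a sliding-window throttle per username and per source address instead of the hard lockout whose denial-of-service and reverse-brute-force problems were described above. This is an added example, not code from the original post; the user store, thresholds and addresses are constructed.

```python
# Login handler following the post's advice: one generic failure message, the same work
# for unknown and known usernames, and a sliding-window throttle per username and per
# source address instead of a hard lockout. Added example, not code from the post; the
# user store, thresholds and addresses are constructed.
import hashlib
import hmac
import os
import time
from collections import defaultdict

GENERIC_FAILURE = "Incorrect username or password"   # never says which half was wrong
THROTTLED = "Too many attempts, try again later"


def hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class LoginService:
    def __init__(self, users, max_failures=5, window_seconds=300):
        self.users = users                      # username -> (salt, pbkdf2 hash)
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(list)       # ("user", name) or ("ip", addr) -> timestamps
        # Dummy record so an unknown username costs the same hashing as a real one;
        # otherwise response time would reveal which usernames exist.
        self._dummy = (os.urandom(16), hash_password(os.urandom(8).hex(), b"x"))

    def _recent_failures(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return len(self.failures[key])

    def login(self, username, password, source_ip, now=None):
        """Returns (success, message). Counters expire with the window, so an attacker
        cannot lock a victim out forever, and a reverse brute force (one password
        against many usernames) still trips the per-address counter. Per-address
        counters also affect users behind a shared NAT, so tune the window for the site."""
        now = time.time() if now is None else now
        keys = (("user", username), ("ip", source_ip))
        if any(self._recent_failures(k, now) >= self.max_failures for k in keys):
            return False, THROTTLED
        salt, expected = self.users.get(username, self._dummy)
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if not ok or username not in self.users:
            for k in keys:
                self.failures[k].append(now)
            return False, GENERIC_FAILURE
        for k in keys:
            self.failures.pop(k, None)
        return True, "ok"


def make_service():
    """Constructed demo store with a single user."""
    salt = os.urandom(16)
    return LoginService({"alice": (salt, hash_password("correct horse", salt))})


def exercise_throttle(service, source_ip, start):
    """Five wrong guesses against different usernames from one address, then a genuine
    login from that address: returns the genuine login's (success, message)."""
    for i in range(5):
        service.login("user%d" % i, "guess", source_ip, now=start + i)
    return service.login("alice", "correct horse", source_ip, now=start + 10)
```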

Re-Captcha:
Re-captcha has been designed with the sole purpose of defeating brute force attacks. It is normally implemented on both administrator and user login pages. The re-captcha is usually in the form of a puzzle, for example finding fire extinguishers, buses, hills, etc. among a group of photos. In other cases, it might be performing a simple arithmetic operation like addition or subtraction.

The basic idea is that a human user should be able to solve the puzzle but a bot cannot, due to its Artificial Intelligence (AI) limitations. Thus, a human user passes this roadblock but a machine fails, thereby stopping the brute-force attack. Even if the machine somehow passes the challenge, its speed is massively reduced, rendering such brute force attacks almost ineffective (as it is possible to bypass the re-captcha!!)

Conclusion: 
Brute force attacks are a real-life threat. There are automated tools that come pre-bundled with Kali Linux which enable even immature users and script kiddies to perform such attacks. The most effective solution lies in using highly complex, un-guessable passwords.

For websites, using re-captcha solves the problem; besides, they should make every attempt to hide the admin login page from public access. Lastly, with passing time the processing capability of computers is growing exponentially, so the problem poses ever more serious concerns to be dealt with.

Important Learning Points:
Tools of the Trade: 
Selenium based scripts, John the Ripper, Aircrack-ng, Hashcat
Exploits: Breaching login accounts using above tools
Solution: Using Re-captcha, Carefully wording error messages

Vulnerability 4: Disclosure of Admin Page:
If there is a website, it must have an admin login page. The URL of this page should be long and sufficiently random so that it is extremely hard to guess. The admin page holds great significance for a website, and exposing it renders it susceptible to brute force attacks.

Compromising an admin page can lead to irreversible damage like deletion of old content, posting of illegal materials like pornography, obscene images etc. Hence, it is very crucial for a website to protect the admin account from unauthorized access. 

Thus, the URL of the page should neither be in the public domain nor easily guessable. Websites like Google, Facebook etc. all have their admin page hidden. 

Example:
Consider a WordPress website with the URL https://example.com; the URL of the admin page should then not be any of the following:

  • https://example.com/admin
  • https://example.com/login
  • https://example.com/wp-login.php
  • https://example.com/wordpress/login
  • https://example.com/wordpress/wp-login.php
  • https://example.com/wp-admin etc 

The actual URL of the page should be extremely un-guessable. For example, https://example.com/af6AF*&dsf2628Apple 

Otherwise, as discussed above the easily guessable URL of admin page will make it susceptible to Brute Force attacks and the accompanying damages.

To further secure the admin login, it should not only have re-captcha but also be 2-Factor Authentication (2FA) enabled.

Important Learning Points:
Tools of the Trade: 
Not required
Exploit: Brute force after finding the admin login page
Solution: Have an un-guessable login page, additionally secured by 2FA

Vulnerability 5: Improper Cookie Policy:
What are Cookies?

Cookies are small files or text-only strings stored in the memory of a web browser and used to identify a website user. For example, when a user enters his/her username credentials into the website example.com, the website places a cookie in the browser. Every time the user connects to example.com’s server, the website verifies the user’s logged-in status and identity based on the cookie in the browser. Once the user logs out, the cookie is destroyed.

Websites use cookies to authenticate users, personalize data, assist customers with online sales/services, collect statistical and demographic data, etc. Cookies can be deleted, and if so they are recreated when you close the browser. This is because all cookies are held in the memory of the browser until it is closed. A sample cookie:

WK_FPCid=2617336423.41343539:lv=2451310816973:ss=24513108138189apple.com/348576456348564546584385345*MUID3EB7CCF35DD667392CFCCF7559D667 48apple.com/434564358765836583658358345833456435*MC1GUID=34bf6934c01bf84b9ed7be056293a40e&HA SH=3564&LV=23676&V=3&LU=26457324653247apple.com /283468346284632487236423462384632846328746*AI&I=AxU 1BgAAEBuCIaRDSYlMEQ+AVjfwww!!apple.com /50275982752952562758625782652656532765* 

Many websites use them to implement access control schemes. For example, sites requiring login pass a cookie to the browser the first time you log in. Thereafter the site provides access to restricted pages if your browser can produce a valid cookie. Thus, the site need not look up your username and password every time you access a page.

A cookie has 6 parameters:  

  • Name of the cookie
  • Value of the cookie  
  • Expiration date of the cookie  
  • Path the cookie is valid for
  • Domain the cookie is valid for  
  • Requirement for a secure connection to use the cookie.

Out of all these parameters, only 2 are compulsory: name and value. A semicolon (;) separates each parameter when it is set explicitly.

1. Name, Value:
The name and value of a cookie are set by pairing them together. Example: Name=Example

2. Expires:
This parameter sets the lifetime of the cookie. Example: expires=Sun, 6-Mar-2019 4:30:00 GMT. If this parameter is not set, the cookie expires at the end of the session by default. The length of a session is considered to be the time that the browser window remains open, even if the user is no longer at the website.

3. Path:    
This parameter establishes the URL path within which the cookie remains valid. If the user reaches pages that are not contained in this path, the browser can no longer use this cookie, e.g., path=/document. If this parameter is not set explicitly, the path of the document that created the cookie is taken by default.

4. Domain:
Consider a case where a site uses multiple servers for one domain. In this case, it is important to set the domain parameter so that the cookie is accessible to the pages of all these servers, e.g., domain=example.com

It’s possible to assign a cookie to either an individual machine or to an entire internet domain. To set a cookie for a domain, the server must be a member of that domain. If the parameter is not set explicitly, the full domain of the document that created the cookie is taken by default.

5. Secure: 
The Secure parameter indicates that a cookie carrying it should only be sent under secure server conditions, i.e., on SSL-enabled websites.

A properly implemented cookie should have different values before and after login, and again a different value after logout. More importantly, the site should not allow login with the logged-out value of the cookie. Otherwise, cookies can be intercepted easily, and with that value anyone can log in, bypassing the authentication mechanisms.

How to Find the Value of Cookie:

  • Step 1: Open the website whose cookie value you want to inspect in Mozilla Firefox
  • Step 2: Press F12 and look under the heading “Value”

An example with the website cyber-cops.com opened in Mozilla Firefox

As you can see in the above photo, the value of the cookie is clearly visible under the heading “Value”. This is the pre-login value. Log into the website to find the logged-in value of the cookie and then log out to find the logged-out value. If all of them differ, the cookie has been properly implemented.

On the other hand, if the website allows login with the logged-out value of the cookie, then by manipulating headers with tools like Burp Suite anyone can log in using the intercepted cookie value, thus bypassing the access control.
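The cookie lifecycle this section asks for, in code: a fresh value at login, another after logout, a logged-out value that never authenticates again, and a Set-Cookie header carrying the parameters listed above. This is an added example, not code from the original post; the cookie name and lifetime are constructed choices, and the HttpOnly and SameSite attributes go beyond the six parameters the post lists.

```python
# Session-cookie lifecycle following the post's rules: a new value at login, another
# after logout, and a logged-out value that never authenticates again. Added example,
# not code from the post; the cookie name and lifetime are constructed choices, and the
# HttpOnly and SameSite attributes go beyond the six parameters listed above.
import secrets
import time
from email.utils import formatdate

COOKIE_NAME = "session"
LIFETIME = 3600       # seconds; constructed choice


class SessionStore:
    def __init__(self):
        self.sessions = {}   # token -> {"user": name or None, "expires": epoch seconds}

    def _issue(self, user, now):
        token = secrets.token_urlsafe(32)     # 256 random bits: neither guessable nor predictable
        self.sessions[token] = {"user": user, "expires": now + LIFETIME}
        return token

    def start(self, now=None):
        """Pre-login (anonymous) session value."""
        return self._issue(None, time.time() if now is None else now)

    def login(self, old_token, user, now=None):
        """Rotate at login: the pre-login value is retired and a new one bound to the user
        is issued, so a value captured before login is worthless afterwards."""
        self.sessions.pop(old_token, None)
        return self._issue(user, time.time() if now is None else now)

    def logout(self, token, now=None):
        """Invalidate server-side and hand the browser a fresh anonymous value."""
        self.sessions.pop(token, None)
        return self._issue(None, time.time() if now is None else now)

    def user_for(self, token, now=None):
        """The logged-in user for a token, or None for unknown, expired or logged-out values."""
        now = time.time() if now is None else now
        record = self.sessions.get(token)
        if record is None or record["expires"] <= now:
            self.sessions.pop(token, None)
            return None
        return record["user"]


def set_cookie_header(token, now=None):
    """Set-Cookie value carrying the post's parameters (Expires, Path, Secure; Domain left
    unset so the cookie is host-only) plus HttpOnly and SameSite."""
    now = time.time() if now is None else now
    expires = formatdate(now + LIFETIME, usegmt=True)
    return "%s=%s; Expires=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % (
        COOKIE_NAME, token, expires)
```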

Important Learning Points:
Tools of the Trade: 
Mozilla Firefox, Burp Suite
Exploit: Remote login with stolen Login cookies
Solution: Change the value of the cookie at each stage; don’t permit login with the logged-out cookie value

Conclusion:

This blog explains the vulnerabilities a website may have that are exploited by hackers. Website owners are expected to understand the dangers and plug the gaps in their websites. There are cases where Indian websites have been defaced by Pakistani elements; plugging these vulnerabilities will help avoid such an unwelcome experience. For any doubts, join our Forum Section to clarify any issues.

In the next blog on hacking we will look at even graver dangers and how to cope with them, including SQL injection, XSS (cross-site scripting), clickjacking, CSRF (Cross Site Request Forgery), etc. There is a vast amount of literature freely available on the internet meant to secure the world from such attacks. We recommend the website https://www.owasp.org/index.php/Main_Page for more information. Among the thousands of websites on hacking freely available on the internet, this site is considered the gold standard.

Additionally, you must have conceptual clarity about the following beforehand to firmly grasp the subject:

  • Verbs
  • Headers 
  • Response Codes / Error Codes
  • Ports, etc.

We will also deal with them in the upcoming blogs.