First Order Vulnerabilities:
For convenience we have divided the vulnerabilities into two categories – first-order and second-order vulnerabilities. The latter usually result in graver damage to a website.
Vulnerability 1: Unsecured website:
These websites are not SSL compliant. As a result, Google marks the website as "Not secure" in the URL address bar. On the other hand, websites which are SSL enabled show a padlock sign in the URL address bar.
What’s the Difference?
When the website shows https (SSL enabled), the data packets sent from the user's end to the web server and vice versa are in encrypted form. On the other hand, http (unsecured website) sends the data packets to and from the web server in plaintext form.
Attackers use tools like Wireshark to sniff the data packets after connecting to the same Wi-Fi network. Since the packets of an unsecured website are transmitted in plaintext form, the attacker can read the actual content being transmitted.
Consider a case where you log in to an unsecured website using public airport Wi-Fi. An attacker who has also connected to the same Wi-Fi can store all your data packets and then analyze them later to find your login credentials.
In fact, among the captured data packets, the hacker searches for http packets, because these are the only packets which do not need decryption (hash cracking). To find the login details, the attacker then searches for the POST verb, as login details are transmitted in the body of a POST request. In a GET request the data is transmitted in the URL, so it would be unsafe to pass crucial parameters like login credentials that way.
Thus, hackers adopt the following procedure to capture important personal details, especially the username and password:
How to Prevent Being Victims of Such Packet Sniffing:
To prevent being victims of packet sniffing do the following:
Important Learning Points:
Vulnerability 2: Excessive Disclosure:
In this context, disclosure means revealing critical information about the network, web server, application used, etc. Web server fingerprinting is a key step for a penetration tester: knowing the version and type of web server, framework and operating system allows the tester to look up known vulnerabilities and then use the appropriate exploits to compromise the website.
Why Disclosure is an Issue:
For example, if a pen-tester learns that the web server used is IIS 8.0, then he can search Google for vulnerabilities in IIS 8.0 and, consequently, employ the appropriate exploits for breaching the website.
Appropriate Tool: Wappalyzer
Wappalyzer is a Firefox/Chrome plug-in. It works purely on regular-expression matching and needs nothing more than the page being loaded in the browser. It works completely at the browser level and gives its results in the form of icons. Although it sometimes produces false positives, it is very handy for getting a notion of which technologies were used to build a target website immediately after browsing a page.
Use of Wappalyzer for a website may show the following details:
How to Fix the Issue?
Important Learning Point:
Properly implemented headers (Facebook's, for example) do not expose crucial details.
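The following added check (not part of the original post) audits HTTP response headers for both issues discussed so far: a plain-HTTP answer that does not redirect to HTTPS, a missing Strict-Transport-Security header, cookies without the Secure flag (Vulnerability 1) and headers such as Server or X-Powered-By that fingerprint the stack (Vulnerability 2). The sample responses, the header names in DISCLOSING_HEADERS and the example.com URLs are constructed for illustration.

```python
# Header names whose mere presence advertises the server, framework or language.
# (Constructed list; extend it with whatever your own stack emits.)
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")

def audit_response(url, status, headers):
    """Return a list of findings for one response; an empty list means clean.

    headers is a list of (name, value) pairs, because Set-Cookie may repeat.
    """
    lower = [(k.lower(), v) for k, v in headers]

    def first(name):
        return next((v for k, v in lower if k == name), None)

    findings = []
    if url.startswith("http://"):
        # The only acceptable plain-HTTP answer is a redirect to the HTTPS site.
        location = first("location") or ""
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("Vuln 1: plain HTTP answered instead of redirecting to https://")
    elif first("strict-transport-security") is None:
        findings.append("Vuln 1: HTTPS response without Strict-Transport-Security")
    for name, value in lower:
        if name == "set-cookie":
            attrs = [p.strip().lower() for p in value.split(";")[1:]]
            if "secure" not in attrs:
                cookie = value.split("=", 1)[0]
                findings.append(f"Vuln 1: cookie '{cookie}' lacks the Secure flag")
        elif name in DISCLOSING_HEADERS and value.strip():
            findings.append(f"Vuln 2: header {name} discloses '{value}'")
    return findings

# Constructed sample responses (not captured from any real site): a weak
# deployment on plain HTTP, the same page on HTTPS, and the hardened version.
SAMPLE_RESPONSES = [
    ("http://example.com/login", 200, [
        ("Server", "Microsoft-IIS/8.0"),
        ("X-Powered-By", "ASP.NET"),
        ("Set-Cookie", "ASP.NET_SessionId=abc123; Path=/"),
    ]),
    ("https://example.com/login", 200, [
        ("Server", "Microsoft-IIS/8.0"),
        ("Set-Cookie", "ASP.NET_SessionId=abc123; Path=/; HttpOnly"),
    ]),
    ("https://example.com/login", 200, [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly"),
    ]),
]

def audit_all(responses=SAMPLE_RESPONSES):
    """Return [(url, findings), ...] for a quick report."""
    return [(url, audit_response(url, status, hdrs)) for url, status, hdrs in responses]

if __name__ == "__main__":
    for url, found in audit_all():
        print(url, found or ["clean"])
```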
Vulnerability 3: Brute Force Attacks:
What is a Brute-force attack?
A brute force attack is the act of trying every possible combination of a given key-space or character set for a given length. The attacker first exhaustively tries all single-character passwords, i.e., "a to z", "A to Z", "0 to 9", all the special characters, etc. If the password is not found, the attack moves on to all possible two-character combinations, and so on until the password is broken. For a long random password, this process may take billions of years at the processing speeds we have today.
Hence, attackers use smarter brute force processes, for example the dictionary attack, where the attacker uses dictionary words as candidate passwords. If the dictionary contains the correct password, the attacker succeeds. Thus, you are advised never to use a dictionary word alone as a password.
Brute force attacks are also used to crack a hash value, i.e., to guess the password behind a given hash. In this process, the hash value is generated for each candidate password and compared against the target hash until the right one is found. Hence, we should use higher levels of encryption (64 bit, 128 bit or 256 bit) to encrypt the passwords.
Most of the time, WordPress users face brute-force attacks against their websites.
Similarly, the different forms of brute force attack leverage:
Password Pattern Analysis:
Analysing a password can provide useful information about its creator and their habits. An attacker uses this to determine the most suitable type of brute force attack for breaking the passwords. Let's split the analysis into three patterns – basic, macro and micro patterns.
Basic - Pattern:
Visually obvious when compared with similar groupings, i.e., base word(s), digit(s) and language. For example, Ravi 1991@* and Arushi1993@*
Macro - Pattern:
Statistics about the passwords' underlying structure, such as length and character set. E.g., Mango4569 and 4569Apple
The user is likely to have passwords shorter than 10 characters, and with the consistent use of a common 4-digit year, the unknown part effectively shrinks to 6 characters. This allows a hybrid attack (Dict+4569) or (4569+Dict).
Micro - Pattern:
These passwords display a micro pattern on analysis, which allows custom combinator attacks with rules, hybrid mask attacks, etc. For example, MAngodelhi123 and GUavacalcutta456
So when analyzing passwords, be sure to group them and look for possible patterns such as language, base word/digits, charsets, length and subtle themes with possible contextual meaning.
Reverse Brute-force Attack:
It uses the reverse approach to crack passwords: the attacker tries one password against many usernames.
Brute force and reverse brute force can be used against any website which does not block requests after a few invalid attempts.
Popular Tools for Brute-force Attacks:
Aircrack-ng:
This is the most popular wireless password cracking tool, and it is free. It comes with a WEP/WPA/WPA2-PSK cracker and analysis tools for attacks on 802.11 Wi-Fi. The tool can be used with any NIC that supports raw monitoring mode.
This tool performs dictionary attacks to guess the password. The more exhaustive and effective the dictionary is, the more likely it is to crack the password. You may download the tool using the link - http://www.aircrack-ng.org/
John the Ripper:
John the Ripper has long been the favorite choice of attackers for brute force attacks. It supports multiple platforms including Windows. The tool combines several password breaking features and can automatically detect the type of hashing used for the password. You can download this tool using the link - http://www.openwall.com/john/
Other Brute Force Attack Tools:
Preventing a Brute Force or Dictionary Attack:
Un-guessable URLs for Admin Login Pages:
If you have a website, it must have an admin login page. The URL of this page should be long and random, so that it becomes extremely hard to guess. The admin page holds great significance for a website; exposing it renders it susceptible to brute force attacks. Thus, the URL of the page should neither be in the public domain nor easily guessable. Websites like Google, Facebook, etc. have their admin pages hidden.
Creating Unbreakable Passwords:
Create unbreakable passwords and usernames using the method detailed here:
Step 1: Recall a phrase that you will never forget, which must be at least 10 characters long.
For example, this phrase may be “Johnny Johnny Yes Papa, Eating Sugar No Papa, Open Your Mouth, Ha Ha Ha”
Step 2: Now take the initial letter of each word.
For the above example, it becomes – “jjypesnpoymhhh”. As you can see, this password is already quite complicated. It is almost impossible to shoulder surf this password (see and memorise such a complex password from behind in one go).
Step 3: Now add some capital letters and special characters at specific places. For example, it may become – “ELEPjjypesnpoymhhhHANT” after adding capital letters and “ELEPjjypesnpoymhhhHANT%&” after adding special characters.
Step 4: Finally, add a number that is personally relevant to you. The best choice would be a combination of two personally relevant numbers, which makes it extremely hard to guess. After this addition your final password may look like –
This password is so strong that it would take hackers forever (at least a trillion years) to crack it with brute force, the most general password breaking method. Since the password is built from a well-remembered phrase and a combination of numbers that are personally relevant to you, it is hard to forget and can be recalled very easily. Finally, this new password may look crazy and complicated to others, but to you it is a simple password which can be typed very swiftly.
Disabling the Account for Pre-defined Period of Time:
Automatically disable the account after a pre-determined number of failed login attempts. For example, after 3 failed attempts the account may automatically reactivate after 30 minutes, or the user might have to contact the site administrator to have the account reactivated. However, this runs the risk of a denial of service attack: if the attacker enters a wrong password three times every 30 minutes, he can effectively prevent that user from ever accessing the system. This is highly damaging when used against an administrator account.
In another case, the attacker may conduct a reverse brute force attack, rendering the login lockout ineffective.
Carefully Word Your Error Messages:
The error message should not help a brute force attacker. Hence, it is important to craft appropriate error messages in response to failed login attempts. Many websites inadvertently help attackers through overly helpful error messages. Consider the two messages – “Username not found” and “Incorrect password”.
The message “Username not found” tells the attacker that the user he is trying to breach does not exist in the system, so there is no point continuing the brute force attack for that username. This saves him thousands of useless requests and hours of time.
Similarly, “Incorrect password” tells the attacker that a user with that name exists but the password is wrong. Thus, there is a potential victim and the attacker can step up his efforts to break that user's password.
Ideally the web server should send an ambiguous message like “Incorrect username or password” when a login attempt fails. It does not disclose which part of the credential was wrong and therefore does not aid the hacker in his work.
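As an added example (not code from the original post), here is a login handler that applies the two points above: every failure returns the same “Incorrect username or password” message, and lockout is counted per (username, client IP) plus per IP across all usernames, so that an attacker's failures do not lock the real user out from their own address and a reverse brute force run from one address is still throttled. The account, thresholds and addresses are constructed; a real system would compare a salted password hash rather than a plaintext string.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample account (plaintext only for the demo; store salted hashes in practice).
USERS = {"admin": "s3cret-demo-pass"}
DUMMY = "x" * 16                      # compared when the username does not exist
GENERIC_ERROR = "Incorrect username or password"
MAX_USER_FAILURES = 3                 # per (username, client ip) before lockout
MAX_IP_FAILURES = 10                  # per client ip across ALL usernames
LOCK_SECONDS = 30 * 60

# state tables: key -> [failure count, locked-until timestamp]
_user_state = defaultdict(lambda: [0, 0.0])
_ip_state = defaultdict(lambda: [0, 0.0])

def _record_failure(table, key, limit, now):
    """Count one failure; at `limit` failures lock the key and reset the counter."""
    fails = table[key][0] + 1
    table[key] = [0, now + LOCK_SECONDS] if fails >= limit else [fails, 0.0]

def attempt_login(username, password, client_ip, now=None):
    """Return (success, message); the message never reveals which part failed."""
    now = time.time() if now is None else now
    user_key = (username, client_ip)
    if now < _user_state[user_key][1] or now < _ip_state[client_ip][1]:
        return False, GENERIC_ERROR   # locked out: same wording, no hint given
    stored = USERS.get(username, DUMMY)
    # compare_digest runs in constant time, and comparing against DUMMY for an
    # unknown username costs the same as a wrong password, so response timing
    # does not leak whether the username exists either.
    matched = hmac.compare_digest(stored.encode(), password.encode())
    if matched and username in USERS:
        _user_state.pop(user_key, None)
        return True, "ok"
    _record_failure(_user_state, user_key, MAX_USER_FAILURES, now)
    _record_failure(_ip_state, client_ip, MAX_IP_FAILURES, now)
    return False, GENERIC_ERROR

if __name__ == "__main__":
    # unknown user and wrong password produce identical responses
    print(attempt_login("ghost", "anything", "10.0.0.1"))
    print(attempt_login("admin", "wrong", "10.0.0.1"))
```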
Re-captcha has been designed with the sole purpose of defeating brute force attacks. It is normally implemented on both administrator and user login forms. The re-captcha usually takes the form of a puzzle, for example finding fire extinguishers, buses, hills, etc. among a group of photos. In other cases, it might be a simple arithmetic operation like addition or subtraction.
The basic idea is that a human user can solve the puzzle but a bot cannot, owing to the limitations of its artificial intelligence (AI). Thus, a human user passes this roadblock while the machine fails, which stops the brute-force attack. Even if a machine somehow passes the challenge, its speed is massively reduced, rendering such brute force attacks almost ineffective (as it is possible to bypass the re-captcha!!)
Brute force attacks are a real-life threat. Automated tools that come pre-bundled with Kali Linux enable even novices and script kiddies to perform such attacks. The most effective defence lies in using highly complex, hard-to-guess passwords.
For websites, using re-captcha solves the problem, and they should also make every attempt to hide the admin login page from public access. Lastly, the processing capability of computers keeps growing exponentially, so the problem poses ever more serious concerns to be dealt with.
Important Learning Points:
Tools of the Trade: Selenium based scripts, John the Ripper, Aircrack-ng, Hashcat
Exploits: Breaching login accounts using above tools
Solution: Using Re-captcha, Carefully wording error messages
Vulnerability 4: Disclosure of Admin Page:
If there is a website, then it must have an admin login page. The URL of this page should be long and sufficiently random, so that it becomes extremely hard to guess. The admin page holds great significance for a website; exposing it renders it susceptible to brute force attacks.
Compromising an admin page can lead to irreversible damage like deletion of old content or posting of illegal material such as pornography and obscene images. Hence, it is crucial for a website to protect the admin account from unauthorized access.
Thus, the URL of the page should neither be in the public domain nor easily guessable. Websites like Google, Facebook, etc. all have their admin pages hidden.
Consider a WordPress website having the URL – https://example.com, then the URL of the admin should not be any of the following:
The actual URL of the page should be extremely hard to guess, for example https://example.com/af6AF*&dsf2628Apple
Otherwise, as discussed above, an easily guessable admin page URL makes it susceptible to brute force attacks and the accompanying damage.
To further secure the admin login, it should not only have re-captcha but also have 2 Factor Authentication (2FA) enabled.
Important Learning Points:
Tools of the Trade: Not required
Exploit: Brute force after finding the admin login page
Solution: Have an un-guessable login page, additionally secured by 2FA
What are Cookies?
Cookies are small files or text-only strings stored by a web browser and used to identify a website user. For example, when a user enters his/her credentials on the website example.com, the website places a cookie in the browser. Every time the user connects to example.com's server, the website verifies the user's logged-in status and identity from the cookie in the browser. Once the user logs out, the cookie is destroyed.
Many websites use them to implement access control schemes. For example, sites requiring login pass a cookie to the browser the first time you log in. Thereafter, the site grants access to the restricted pages if your browser can produce a valid cookie. Thus, the site need not look up your username and password every time you access a page.
A cookie has 6 parameters:
Out of all of these parameters, only 2 are compulsory – name and value. A semicolon (;) separates each parameter when it is set explicitly.
1. Name, Value:
The name and value of a cookie are set as a pair. Example: Name=Example
This parameter sets the lifetime of the cookie. Example: expires=Sun, 6-Mar-2019 4:30:00 GMT. If this parameter is not set, then by default the cookie expires at the end of the session. A session is considered to last as long as the browser window remains open, even if the user is no longer on the website.
This parameter establishes the URL path within which the cookie remains valid. If the user reaches pages which are not under this path, the browser no longer sends this cookie, e.g., path=/document. If this parameter is not set explicitly, it defaults to the path of the document that created the cookie.
Consider a case where a site uses multiple servers for one domain. In this case, it is important to specify the domain parameter so that the cookie is accessible to pages on any of these servers, e.g., domain=example.com.
It is possible to assign a cookie either to an individual host or to an entire internet domain. To be able to set a cookie for a domain, the server must be a member of that domain. If the parameter is not set explicitly, then by default the full domain of the document that created the cookie is taken.
The Secure parameter indicates that a cookie with this flag should only be sent over a secure connection, i.e., to SSL-enabled (HTTPS) websites.
A properly implemented cookie should have different values before and after login, and again a different value after log-out. More importantly, the site should not allow login with the logged-out value of the cookie. Otherwise, cookies can be intercepted easily and with that value anyone can log in, bypassing the authentication mechanism.
How to Find the Value of Cookie:
An example with the website cyber-cops.com opened in Mozilla Firefox
As you can see in the above photo, the value of the cookie is clearly visible under the heading “Value”. This is the pre-login value. Log in to the website to find the logged-in value of the cookie, and then log out to find the logged-out value. If all three differ, the cookie has been properly implemented.
On the other hand, if the website allows login with the logged-out value of the cookie, then by manipulating headers with a tool like Burp Suite anyone can log in using the intercepted cookie value, thus bypassing the access control.
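As an added example (not code from the original post), the following minimal session store implements the behaviour the cookie section describes: a fresh session id before login, a rotated id on login so the pre-login value stops working, invalidation on logout so the logged-out value can never log anyone in again, and a Set-Cookie header carrying the Path, Domain, Expires and Secure attributes listed above. The in-memory store, the account and the domain example.com are constructed for the demo.

```python
import secrets
from http.cookies import SimpleCookie
import hmac

# Constructed in-memory store: session id -> {"user": name or None}.
SESSIONS = {}
# Constructed account; a real system stores a salted password hash, not plaintext.
USERS = {"alice": "correct horse battery staple"}

def new_session_id():
    # 32 random bytes (256 bits): far beyond what a guessing attack can cover.
    return secrets.token_urlsafe(32)

def set_cookie_header(name, value, path="/", domain=None, expires=None):
    """Build the Set-Cookie header value with the attributes the text lists."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if domain:
        jar[name]["domain"] = domain
    if expires:
        jar[name]["expires"] = expires
    jar[name]["secure"] = True     # only sent over HTTPS, so it cannot be sniffed
    jar[name]["httponly"] = True   # not readable by page scripts
    return jar[name].OutputString()

def start_session():
    """Pre-login: an anonymous session with its own id."""
    sid = new_session_id()
    SESSIONS[sid] = {"user": None}
    return sid

def login(sid, username, password):
    """Authenticate and ROTATE the id, so the pre-login value is no longer valid."""
    expected = USERS.get(username, "")
    if sid in SESSIONS and expected and hmac.compare_digest(expected, password):
        del SESSIONS[sid]                  # old id is gone server-side
        new_sid = new_session_id()
        SESSIONS[new_sid] = {"user": username}
        return new_sid
    return None

def logout(sid):
    """Invalidate server-side; a stolen logged-out value cannot be replayed."""
    SESSIONS.pop(sid, None)
    return start_session()                 # a fresh anonymous id, different again

def current_user(sid):
    return SESSIONS.get(sid, {}).get("user")

def lifecycle_check():
    """Run the three-stage check from the text: pre-login, post-login, post-logout."""
    pre = start_session()
    post = login(pre, "alice", "correct horse battery staple")
    after = logout(post)
    return {"pre": pre, "post": post, "after": after,
            "all_differ": len({pre, post, after}) == 3,
            "old_ids_rejected": current_user(pre) is None and current_user(post) is None}
```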
Important Learning Points:
Tools of the Trade: Mozilla Firefox, Burp Suite
Exploit: Remote login with stolen Login cookies
Solution: Use different cookie values at each stage; don't permit login with the logged-out cookie value
This blog explains the vulnerabilities a website may have, which are exploited by hackers. Website owners are expected to understand the dangers and plug the gaps in their websites. There are cases where Indian websites are defaced by Pakistani elements. Plugging these vulnerabilities will help avoid such an unwelcome experience. For any doubts, join our Forum Section to clarify any issues.
In the next blog on hacking we will look at even graver dangers and how to cope with them, including SQL injection, XSS (Click jacking) attacks, CSRF (Cross Site Request Forgery), etc. There is a vast amount of literature freely available on the internet meant to secure the world from such attacks. We recommend the website https://www.owasp.org/index.php/Main_Page for more information. Among the thousands of websites on hacking freely available on the internet, this site is considered the gold standard.
Additionally, you must have conceptual clarity about the following beforehand to firmly grasp the subject:
We will also deal with them in the up-coming blogs.