
Website Hacking. I Have A Question

  • # July 16, 2013 at 12:37 pm

    Please, I want to know if a static website (no CMS, no database, no registration form, no login form, no file upload) could be hacked and defaced. If yes, what type of malicious attack is a static website vulnerable to, and how can one prevent such an attack? The static website, however, has a contact form that sends data to a Gmail account.

    # July 16, 2013 at 12:52 pm

    Although you can take steps to make it harder for hackers to gain access, no site is safe from intrusions. Since you stated that you have an input form, you might want to learn about common attacks and how to prevent them. @traq mentioned this in a similar discussion on the front page in the forums.

    # July 16, 2013 at 1:09 pm

    Validate the contact form input and don’t do something like:

    $('#feedback').html('Thank you, ' + $('input[name="name"]').val() + '!');

    Outputting user input without validating is asking for XSS. Though iirc jQuery does something with script tags (stripping or html encoding them) when used as parameter for `.html`, can’t find details about that.

    # July 16, 2013 at 1:15 pm

    If there is FTP access to the site/server, or Telnet or anything, files could be overwritten. Not sure if that should be called “hacking”, but it’s a way to deface a site.

    # July 16, 2013 at 1:22 pm

    Good practice is to change passwords on a regular basis in FTP and cPanel. A few months ago someone got access to my htaccess and redirected our URL to several dozen porn sites.

    # July 16, 2013 at 1:30 pm

    > however has a contact form that sends data to a gmail account.

    !?

    Are we talking about spam here? Or are we talking about if someone can hijack the actual code and “hack” the website? What would be their motive? How is important customer info shared? How does that page relate to other pages in that directory? What are the permissions? Security, hacking, etc. are loaded words; be more specific.

    # July 16, 2013 at 1:56 pm

    I have a normal contact form with only three fields (Name, Email and Message). I set all of the three fields to html5 require. I used input type="email" on the email field. I set maxlength of 40 to Name and Email input fields and 350 to Message textarea field. The contact form is located in the contact us page. When the form is filled and sent, the data will simply be sent to a gmail account and a thank you page will be echoed to the user.

    This is the contact page: http://www.ctrlshiftstudios.com/contact

    I want to know if the website as a static html website is still vulnerable to attacks. If yes, what type of attack and how can I prevent it.

    I am not talking about users using the contact form to spam my email. I am talking about hijacking the website and defacing it. As for my cPanel password, it’s very strong and very hard to guess. I used a word in my native dialect (which is impossible to guess) with uppercase and three special characters like #^!

    # July 16, 2013 at 2:20 pm

    Just as an aside, I almost closed the page on your contact page since I didn’t see a contact form or any contact details upon landing there. Perhaps it would be good to make it a little more obvious you need to scroll down further, or else raise the form up the page?

    # July 16, 2013 at 3:21 pm

    > I have a normal contact form with only three fields (Name, Email and Message). I set all of the three fields to html5 require. I used input type="email" on the email field. I set maxlength of 40 to Name and Email input fields and 350 to Message textarea field.

    None of this is relevant. I could write my own form to stand in for yours and submit it in the same manner. That’s why no client-side measures (html, javascript, etc.) can _ever_ be considered “secure”: they are for convenience only.

    >When the form is filled and sent, the data will simply be sent to a gmail account and a thank you page will be echoed to the user.

    That form submits to a php page on your website, so **yes**, there is a potential risk. You’d need to share the contents of your `thank-you.php` script for a more specific answer.

    # July 16, 2013 at 10:51 pm

    Here is the script of my thank-you.php. I hope sharing this here is not risky.

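    <?php
    // Note: the $_POST array keys were lost from this post as extracted;
    // 'name', 'email' and 'message' are assumed from the three form fields.
    if(isset($_POST)){
        $to="myemail@gmail.com";
        $subject='Online Contact';
        $name=$_POST['name'];
        $email=$_POST['email'];
        $message=$_POST['message'];
        // Build the plain-text mail body from the submitted values
        $body="Name: $name\n Email: $email \n Message: $message";
        include ('thanks.php');
        mail($to,$subject,$body);
    }
    else {
        include ('index.php');
    }
    ?>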
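
The point made earlier in the thread, that the `required`, `type="email"` and `maxlength` attributes are convenience only, as an added example that is not part of any original post: the same three-field checks enforced on the server before the values are used. The field keys `name`, `email`, `message` and the function name `validate_contact` are assumptions; the limits 40/40/350 are the ones the form's author describes.

```php
<?php
// Added example: server-side checks for the three contact-form fields.
// Field keys and the function name are assumptions; mb_strlen() needs the mbstring extension.

function validate_contact(array $post): array
{
    $limits = ['name' => 40, 'email' => 40, 'message' => 350]; // same as the form's maxlength
    $clean = $errors = [];
    foreach ($limits as $field => $max) {
        $value = $post[$field] ?? null;
        // A hand-built request can omit a field or send an array instead of a string.
        if (!is_string($value) || trim($value) === '') {
            $errors[$field] = 'required';
            continue;
        }
        $value = trim($value);
        if (mb_strlen($value, 'UTF-8') > $max) {
            $errors[$field] = "longer than $max characters";
            continue;
        }
        $clean[$field] = $value;
    }
    // Name and email are single-line fields: refuse control characters, line breaks included.
    foreach (['name', 'email'] as $field) {
        if (isset($clean[$field]) && preg_match('/[\x00-\x1F\x7F]/', $clean[$field])) {
            $errors[$field] = 'control characters not allowed';
            unset($clean[$field]);
        }
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
        unset($clean['email']);
    }
    return [$clean, $errors];
}

// Constructed sample: values the HTML attributes would block in a browser,
// but which a stand-in form can still submit.
$sample = ['name' => str_repeat('A', 41), 'email' => 'not-an-address', 'message' => ['x']];
[$clean, $errors] = validate_contact($sample);
print_r($errors);

// A valid submission passes; encode values before echoing them into any HTML page.
[$clean, $errors] = validate_contact(['name' => 'Ada <b>', 'email' => 'ada@example.com', 'message' => 'Hello']);
echo htmlspecialchars($clean['name'], ENT_QUOTES, 'UTF-8'), "\n";
```

In a script like the one posted, `mail()` would be called only when the returned error list is empty.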

    # July 17, 2013 at 2:07 am

    Seems fine (I did a test submit, if you get a weird message).

    # July 17, 2013 at 2:52 am

    Name: a

    Email: a@b.c

    Message: test

    I think a static website cannot be hacked if the attacker doesn’t have access to one’s cpanel.

    # July 17, 2013 at 3:01 am

    Not true.

    # July 17, 2013 at 3:09 am

    > Please, I want to know if a static website (no CMS, no database, no registration form, no login form, no file upload) could be hacked and defaced. If yes, what type of malicious attack is a static website vulnerable to, and how can one prevent such an attack? The static website, however, has a contact form that sends data to a Gmail account.

    It really depends on what you mean by “hacked”. Your credentials for the hosting provider you use could be stolen, then the whole content of your website could be duplicated and erased.

    # July 17, 2013 at 3:56 am

    > It really depends on what you mean by “hacked”. Your credentials for the hosting provider you use could be stolen, then the whole content of your website could be duplicated and erased.

    Exactly what I mean. That means since my credentials could not be stolen, my cpanel will remain safe and thereby my website.

Viewing 15 posts - 1 through 15 (of 28 total)
