
Website Hacking. I Have A Question

    # July 17, 2013 at 3:58 am

    > That means since my credentials could not be stolen

    Wait… wat?

    # July 17, 2013 at 4:51 am

    I know one’s password can be stolen. But I hardly click on links in spam mails, to avoid being phished.

    # July 17, 2013 at 5:08 am

    > I know one’s password can be stolen. But I hardly click on links in spam mails, to avoid being phished.

    Haha, that’s so sweet. :)

    # July 17, 2013 at 5:13 am

    Servers can be hacked. Your site resides on a server.

    # July 17, 2013 at 7:17 am

    Lol Hugo :P

    > Servers can be hacked. Your site resides on a server.

    Especially true for shared webservers.

    @traq, you sure using `mail` like that is safe? What about header injection?

    # July 17, 2013 at 11:06 am

    I know servers can be hacked, but that is beyond my jurisdiction. My host will have to take care of that.

    Well, I started searching about whether a static website could be hacked and I landed here: https://www.mavitunasecurity.com/

    I downloaded their free website scanner. I installed it and entered my URL. What the software does is try to hack your website. It’s like penetration testing. The exercise lasted nearly an hour and I watched as the software was unleashing these attacks:

    Cross-site Scripting
    SQL Injection (Blind)
    Command Injection
    Local File Inclusion
    Remote File Inclusion
    HTTP Header Injection
    Remote Code Evaluation
    Web App Fingerprint
    RoR Code Execution
    WebDAV
    Open Redirection
    Expression Language

    on the website. I actually received about 300 junk emails from the software during the exercise. And I found out that the HTML5 ‘require’ was actually bypassed in some cases, because I actually received an empty message, which shouldn’t have gone through ordinarily. After the exercise, the website remained intact.

    I guess the reason is because the form data actually will be sent to a gmail account and not to a database. I think gmail actually prevented the software from hacking the website.

    Well, I am becoming more concerned now about web security. I would really like to learn how to tighten up websites and databases against malicious attackers.

    # July 17, 2013 at 11:19 am

    > I know servers can be hacked, but that is beyond my jurisdiction. My host will have to take care of that.

    You asked if your site could be hacked. We replied that it could. Who cares whose jurisdiction it is?

    > I downloaded their free website scanner. I installed it and entered my url.

    If you do that kind of stuff, I wouldn’t just say that your site CAN be hacked, but it probably WILL be, sooner or later.

    > Well, I am becoming more concerned now about web security. I would really like to learn how to tighten up websites and databases against malicious attackers.

    Not installing free website scanning software would be a good start!

    # July 17, 2013 at 11:21 am

    > I found out that the html5 ‘require’ was actually bypassed in some cases

    …as I said earlier, **nothing** you give to the client is “secure.”

    ##### Never trust user input.

    *****
    Here’s something else to think about in terms of security. Do you have a private server? If you’re on shared hosting, **there is no security**. You’re wide open.

    # July 17, 2013 at 3:02 pm

    > I found out that the html5 ‘require’ was actually bypassed in some cases

    For example, if the browser doesn’t support `require`, so use a JS fallback. Even if the browser supports it, you can strip the `require` tag with the element inspector. Even with JS, you can strip that rather easily. Even if not, there are other ways to generate a POST request than using your form at all.

    Don’t use client side validation *only*. Always validate on the server.

    # July 17, 2013 at 9:29 pm

    > @traq, you sure using mail like that is safe? What about header injection?

    Sorry, missed this.

    No, it should be fine, since he doesn’t add any custom headers (and `$to` does not come from user input).
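    As an added example (not code from this thread or from any poster’s site), here is a PHP handler that does what the two posts above ask for: it re-checks on the server the fields that the HTML5 `required` attribute would only have checked in the browser, and it rejects line breaks in any value that ends up in a mail header, which is what header injection relies on. The field names, the recipient address and the `Reply-To` header are assumptions; the thread does not show the original form.

    ```php
    <?php
    // Added example: server-side validation for a contact form sent with mail().
    // Field names (name, email, message) and the recipient are assumed.

    function has_header_injection(string $value): bool
    {
        // A CR or LF inside a value placed in a mail header lets the sender
        // append further headers (Bcc:, To:, ...). Reject such values outright.
        return preg_match('/[\r\n]/', $value) === 1;
    }

    function validate_contact(array $post): array
    {
        $errors  = [];
        $name    = trim((string) ($post['name'] ?? ''));
        $email   = trim((string) ($post['email'] ?? ''));
        $message = trim((string) ($post['message'] ?? ''));

        // "required" in the HTML is only a hint to the browser; check again here.
        if ($name === '')    { $errors[] = 'name is required'; }
        if ($message === '') { $errors[] = 'message is required'; }

        // FILTER_VALIDATE_EMAIL rejects line breaks too, but be explicit below.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'email is invalid';
        }
        foreach (['name' => $name, 'email' => $email] as $field => $value) {
            if (has_header_injection($value)) {
                $errors[] = "$field contains line breaks";
            }
        }
        return ['ok' => $errors === [], 'errors' => $errors,
                'name' => $name, 'email' => $email, 'message' => $message];
    }

    // The recipient is fixed by the site owner, never taken from the request.
    $to = 'owner@example.com'; // assumed placeholder address

    $result = validate_contact($_POST);
    if ($result['ok']) {
        // Only a validated address reaches the header; everything else goes in the body.
        $headers = 'Reply-To: ' . $result['email'] . "\r\n";
        $body    = "From: {$result['name']}\n\n{$result['message']}";
        mail($to, 'Contact form', $body, $headers);
        echo 'Message sent';
    } else {
        http_response_code(400);
        echo implode("\n", $result['errors']);
    }
    ```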

    # July 18, 2013 at 8:24 am

    @traq
    > If you’re on shared hosting, there is no security. You’re wide open.

    I don’t agree. Shared hosting is secure, but you have to choose the right host, not those $1 hosts. Media Temple has shared hosting (which I use) and I’m sure it’s secure enough.

    # July 18, 2013 at 8:41 am

    A host provider can only do so much. If one of the sites on your shared host builds a crappy app and lets “hackers” in… your site is as safe as his.

    # July 18, 2013 at 10:37 am

    > I don’t agree. Shared hosting is secure, but you have to choose the right host, not those $1 hosts. Media Temple has shared hosting (which I use) and I’m sure it’s secure enough.

    There _are_ solutions, but most hosts (MT included) don’t implement them at the “shared” level because of the processing expense. You need a [virtual] private server if you want security. On a shared host, for example, using mod_php, Apache runs all of its php processes under the same user. Getting the complete contents of another customer’s website scripts is trivial (for example, with [glob()](http://php.net/glob)). The same approach can get active user sessions, even database backups, etc., from the `tmp/` directory (a good reason not to use `tmp/`).

    Hacking your site is as easy as getting on the same server (as AlenAbdula says, _someone_ on your server is running a vulnerable site – it’s practically guaranteed).

    [Read more](http://catn.com/2010/01/28/securing-mod-php/).
