
Website Hacking and Preventive Measures


Description

Today is the age of the computer and the Internet. More and more people are creating their own websites to market their products and earn more profit from them. Having our own website will certainly help us get more customers buying our products, but at the same time we can also attract hackers who want to play around with our website. If we have not taken enough care to protect our website from hackers, then our business can even come to an end because of them. If we own a website, we should know how important it is to ensure that the website is safe from viruses and hackers. After going online, most website designers think that their work is over: they have delivered what they were paid for, and from now on they will only be available for maintenance of the site. But sometimes the main problem starts after the website is published. What if the website they built suddenly starts showing content different from what was there before? What if weird things start appearing on the pages of our website? And, most horribly, what if the password of our login panel has been changed and we are no longer able to log in to our website? This is called hacking, website hacking. We have to figure out how it happened so we can prevent it from happening again. In this seminar we discuss some of the major website hacking techniques, and also how to prevent a website from being vulnerable to the different attacks currently used by hackers.


Page 1: Website Hacking and Preventive Measures

Presented By: Shubham S. Takode

B.TECH - TY CSE

2012BCS518

Website Hacking and Preventive Measures

Department of Computer Science and Engineering, Shri Guru Gobind Singhji Institute of Engineering and Technology, Vishnupuri, Nanded.

Page 2: Website Hacking and Preventive Measures

Contents:

• What is Hacking?

• Website Hacking?

• Typical communication over the Internet.

• Types of Attacks.

• Step By Step:

  • SQL Injection Attacks.

  • Session Hijacking Attacks: Wireshark; hacking a Facebook account with Wireshark.

  • RFI and LFI Attacks.

  • XSS Attacks.

  • DDOS Attack.

• Purpose of Hacking.

• Preventive Measures.

• Conclusion

Page 3: Website Hacking and Preventive Measures

What is Hacking?

• Hacking refers to an array of activities done to intrude into someone else's personal information space so as to use it for malicious, unwanted purposes.

• Hacking is also a term for activities aimed at exploiting security flaws to obtain critical information or to gain access to secured networks.

• Becoming a hacker takes intelligence, practice, dedication, and hard work.

Page 4: Website Hacking and Preventive Measures

What is Website Hacking?

• Unauthorized access to the resources on a web server (RFI, LFI, admin account password hacking).

• Changing the contents of a web page (XSS attacks).

• Hacking user accounts on a typical website.

• Sniffing data packets over the network (session hijacking and packet sniffing).

Page 5: Website Hacking and Preventive Measures

Client Server Communication Over the Internet

(Diagram: the client sits on an ISP network with its DHCP server and local DNS server; its request for http://www.google.com/ travels across the Internet, the DNS server resolves the name to an IP address, shown on the slide as 127.120.120.110, and the web server at that address answers.)

Page 6: Website Hacking and Preventive Measures

Types of Attacks

• SQL Injection.

• Session Hijacking or Packet Sniffing.

• RFI (Remote File Inclusion), LFI (Local File Inclusion).

• XSS Attacks.

• DDOS (Distributed Denial of Service) Attack.

Page 7: Website Hacking and Preventive Measures

SQL Injection Attack

• All about SQL queries and a vulnerable URL.

• The aim is to find the name and structure of your database and then, step by step, extract data from it.

• For this, hackers use various SQL commands and string-parsing functions and try to make the query result true.

• The extracted data could be anything stored in your database: usernames, passwords, emails, credit card information, personal information.

Page 8: Website Hacking and Preventive Measures

SQL Injection Attack: Example

• Consider that you want to build a login page for your website as shown here (screenshot of the login form).

Page 9: Website Hacking and Preventive Measures

SQL Injection Attack: Example

• Consider the database table shown below:

Table: site_user

userid | user_name | password
-------|-----------|---------
1      | shubham   | shubham
2      | anand     | anand

Page 10: Website Hacking and Preventive Measures

SQL Injection Attack: Example

• Consider the PHP backend for the login validation check as shown below:

```php
<?php
session_start();
include 'db.inc.php';                       // defines $con, the MySQL connection
mysql_select_db("user", $con) or die(mysql_error($con));

if (isset($_POST['submit'])) {
    if (!isset($_SESSION['logged']) || $_SESSION['logged'] != 1) {
        if (!empty($_POST['username']) && !empty($_POST['password'])) {
            // Vulnerable on purpose: the form fields are concatenated straight into the SQL text,
            // so quotes inside the input become part of the query's syntax.
            $query = "SELECT * FROM site_user WHERE user_name='" . $_POST['username'] .
                     "' AND password='" . $_POST['password'] . "'";
            $result = mysql_query($query, $con) or
                die("<center><br><br><b>USER NOT FOUND</b><br><br>" . mysql_error() . "</center>");

            if (!$row = mysql_fetch_assoc($result)) {
                echo "<script>alert('Wrong User Credentials ... Please Retry....');</script>";
            } else {
                echo "<script>alert('Hi there ... You are logged in successfully');</script>";
            }
        }
    }
}
?>
```

Page 11: Website Hacking and Preventive Measures

SQL Injection Attack: Example

• The login page we have just designed is vulnerable to an SQL injection attack.

• If the user enters the correct username and password on the login page, the page shows the alert "Hi there... You have logged in successfully".

• If the user enters a wrong username or password, the page shows the alert "Wrong User Credentials... Please Retry".

• Now, if the user enters any string as the username and ' or '1'='1 as the password, the page again shows "Hi there... You have logged in successfully".

Page 12: Website Hacking and Preventive Measures

SQL Injection Attack: Example

• This is SQL injection. Even though the logic we wrote at the backend is correct, the output we are getting is not valid.

• Why does this happen? Next...

Page 13: Website Hacking and Preventive Measures

SQL Injection Attack: Example

• It happens because the input in the password field makes the SQL query's WHERE condition true for every row, so the query executes and returns a valid result.

• Actual query (when we enter valid or wrong input in the login form):

SELECT * FROM site_user WHERE user_name='shubham' AND password='shubham';

• Query with the input ' or '1'='1 in the password field:

SELECT * FROM site_user WHERE user_name='anything' AND password='' or '1'='1';

• AND binds tighter than OR, so the condition reads (user_name='anything' AND password='') OR '1'='1', and '1'='1' is true for every row in the table.

Page 14: Website Hacking and Preventive Measures

SQL Injection Attack: Example

• As far as our login page backend logic is concerned, "things are getting valid/true line by line": the query returns a row, so the code treats the login as successful.
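The same login check written out in Python against an in-memory SQLite copy of the site_user table, as an added example (not code from the deck): the concatenated query from slide 10 accepts the ' or '1'='1 input, while a parameterized query, the standard hardening chosen here, rejects it.

```python
import sqlite3

def make_db():
    """Constructed copy of the slide's site_user table (plaintext passwords mirror the
    slide; a real system stores only a password hash)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE site_user (userid INTEGER, user_name TEXT, password TEXT)")
    con.executemany("INSERT INTO site_user VALUES (?, ?, ?)",
                    [(1, "shubham", "shubham"), (2, "anand", "anand")])
    return con

def login_vulnerable(con, username, password):
    """Same construction as the PHP on slide 10: the form fields are glued into the SQL
    text, so the quotes inside the input become part of the query's syntax."""
    query = ("SELECT * FROM site_user WHERE user_name='" + username +
             "' AND password='" + password + "'")
    return con.execute(query).fetchone() is not None

def login_parameterized(con, username, password):
    """Hardened form: placeholders keep the input as data, so ' or '1'='1 is compared
    literally against the stored password and never matches."""
    query = "SELECT * FROM site_user WHERE user_name=? AND password=?"
    return con.execute(query, (username, password)).fetchone() is not None

if __name__ == "__main__":
    con = make_db()
    payload = "' or '1'='1"
    print("vulnerable, correct credentials:", login_vulnerable(con, "shubham", "shubham"))
    print("vulnerable, injected password  :", login_vulnerable(con, "anything", payload))
    print("parameterized, injected password:", login_parameterized(con, "anything", payload))
```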

Page 15: Website Hacking and Preventive Measures

Session Hijacking or Packet Sniffing

• The aim is to capture the packets / data / cookies / session by using packet sniffing tools such as Wireshark.

• Hackers take advantage of the stateless nature of HTTP.

• They capture the packets flowing across the network, extract data from them and inject the required data, such as cookies and browser state, into their own browser. Because of this, the web server is unable to differentiate between the hacker and the actual user.

Page 16: Website Hacking and Preventive Measures

Session Hijacking Attack: Step By Step

• The hacker requires a packet sniffing tool such as Wireshark.

• The hacker needs to be connected to the same local network as the user.

Page 17: Website Hacking and Preventive Measures

Session Hijacking Attack: Step By Step

• Consider any website, such as Facebook, Gmail or Yahoo Mail, which uses cookies for tracking the user (as HTTP is stateless, web servers need to track users for identification).

• To be specific, we will consider Facebook.

• Suppose you logged in successfully to your Facebook account using some Wi-Fi access point.

• When you log in to your Facebook account, the Facebook servers set cookies named "datr" and "cuser", which are used to identify you and track your session on the server.

Page 18: Website Hacking and Preventive Measures

Session Hijacking Attack: Step By Step

• With each request (GET/POST) these cookies are sent in the request headers back to the Facebook server. The server matches the cookie values with the ones it holds; if they match, your request is served, otherwise not.

• So if anyone is able to access these cookies, he/she can easily log in to your account.

• When we access the Internet through a local network such as a Wi-Fi hotspot or a cyber cafe, the network uses a broadcast mechanism for moving data across the nodes in the network.

Page 19: Website Hacking and Preventive Measures

Session Hijacking Attack: Step By Step

• In a broadcast network, a data packet travels across the whole network: even if the packet is not for your PC (node), it still arrives at your PC and you can capture it.

• These flowing packets contain data such as protocol headers and cookies.

• The packets flow underneath the domain.

• Software such as Wireshark is able to capture such packets, and hackers use it for sniffing your cookies.

• Once the hacker has your cookies, he/she just needs to inject them into a browser; once the page is refreshed, the hacker is logged in to your account.

Page 20: Website Hacking and Preventive Measures

How to capture packets using Wireshark

Open Wireshark (screenshot).

Page 21: Website Hacking and Preventive Measures

How to see our own cookies and request headers

Open Chrome (screenshot).

Page 22: Website Hacking and Preventive Measures

How to inject cookies in your browser

Open Firefox (screenshot).

Page 23: Website Hacking and Preventive Measures

RFI and LFI Attacks

• Both are old methods.

• The aim is to upload a .php, .asp or .sh script to the server and execute it.

• RFI: consider the URL http://downloadlabss.com/p?u=http://www.pragyaa.org/q/1.txt

  It means a resource on one server is accessible/executable on another server.

• LFI: vulnerable upload servers.
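An added example (not code from the deck) of the check a page like the one behind the ?u=... parameter above needs before it includes anything: remote URLs are refused outright (RFI) and local names are confined to one directory (LFI). The resolver function, the include directory and the allowed extensions are assumptions.

```python
import os
from urllib.parse import urlparse

INCLUDE_DIR = "/var/www/app/includes"   # assumed: the only directory includes may come from
ALLOWED_EXT = {".txt", ".html"}          # assumed: executable types such as .php are never included

def resolve_include(param):
    """Return the absolute file to include, or None when the request must be refused."""
    if "\x00" in param:                  # a NUL byte can truncate the name in lower-level file calls
        return None
    parsed = urlparse(param)
    if parsed.scheme or parsed.netloc:   # RFI: anything with a scheme or host is a remote resource
        return None
    # LFI: resolve any ../ and check that the result is still inside INCLUDE_DIR.
    candidate = os.path.normpath(os.path.join(INCLUDE_DIR, param))
    if os.path.commonpath([INCLUDE_DIR, candidate]) != INCLUDE_DIR:
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    return candidate

if __name__ == "__main__":
    for p in ("q/1.txt", "http://www.pragyaa.org/q/1.txt", "../../etc/passwd", "q/1.php"):
        print(f"{p!r:40} -> {resolve_include(p)}")
```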

Page 24: Website Hacking and Preventive Measures

XSS Attacks

• A play with JavaScript and vulnerable backend logic.

• Example: a comment box hack.

Page 25: Website Hacking and Preventive Measures

DDOS Attacks

• The world's most powerful attack technique.

• DDOS stands for Distributed Denial of Service attack.

• More than one user (PC) is involved.

• The whole server may crash.

• The idea is to take control of hundreds of PCs on the Internet and send bulk requests to the target server.

Page 26: Website Hacking and Preventive Measures

DDOS Attacks

• Sometimes uses an exponential approach.

(Diagram: the hacker's server instructs network servers 1 to m; each controls a network of PCs (X1 PCs, X2 PCs, ...), and all of them send bulk requests to the target server.)
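Added example, not code from the deck: the per-IP rate check behind the "block IPs which send bulk requests" measure on slide 29, run over constructed access-log lines in Apache common log format. The request limit and window size are parameters you would tune for your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')   # client IP and timestamp of a log line
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def flooding_ips(lines, limit, window_seconds):
    """Return {ip: time_first_flagged} for IPs that sent more than `limit` requests
    within any `window_seconds` span. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of its requests still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that do not parse instead of stopping
        ip, ts = m.group(1), datetime.strptime(m.group(2), TIME_FMT)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # drop requests that have fallen out of the window
        if len(window) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

def build_sample():
    """Constructed log: one host firing 40 requests in 8 seconds, one ordinary visitor."""
    fmt = '{ip} - - [10/Oct/2014:13:55:{s:02d} +0000] "GET /index.php HTTP/1.1" 200 512'
    flood = [fmt.format(ip="203.0.113.7", s=i // 5) for i in range(40)]
    normal = [fmt.format(ip="198.51.100.3", s=s) for s in (1, 15, 30)]
    return flood + normal + ["garbage line that does not parse"]

if __name__ == "__main__":
    for ip, when in flooding_ips(build_sample(), limit=20, window_seconds=10).items():
        print(f"{ip} exceeded the limit at {when:%H:%M:%S}; candidate for a firewall block")
```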

Page 27: Website Hacking and Preventive Measures

Purpose of Hacking

• To steal information and sell it.

• Spying by different government agencies for the sake of international or national politics.

• Getting access to money: bank accounts, share market and commodity market accounts.

• To become world famous.

• Just for fun.

Page 28: Website Hacking and Preventive Measures

Preventive Measures

• For SQL Injection:

  • Use the mysql_string_parse() function.

  • Avoid URLs from which the backend logic accesses data directly.

  • Parse or validate input data properly.

  • Use the POST method for sending data.

  • Use the latest versions of PHP and MySQL.

• For Session Hijacking:

  • Use an SSL / HTTPS connection, which encrypts the data flowing across the network.

  • Avoid using cookies; use sessions instead to track the user.

  • Encrypt cookies.
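Added example, not code from the deck, for the session hijacking measures above: a check that a site's Set-Cookie headers carry the attributes that keep a session cookie off plain HTTP (Secure), away from injected script (HttpOnly) and off cross-site requests (SameSite). The header values are constructed, not captured from any real site.

```python
REQUIRED = {
    "secure": "missing Secure: the cookie is also sent over plain HTTP, where a sniffer on the "
              "local network can read it",
    "httponly": "missing HttpOnly: script injected into the page (XSS) can read the cookie",
}

def audit_set_cookie(header_value):
    """Return (cookie_name, [problems]) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:                       # attributes after the name=value pair
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    problems = [msg for attr, msg in REQUIRED.items() if attr not in attrs]
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite is not Lax or Strict: the cookie rides along on cross-site requests")
    return name, problems

def audit_response(headers):
    """Audit every Set-Cookie header in a list of (name, value) response headers."""
    return {n: p for n, p in (audit_set_cookie(v) for h, v in headers if h.lower() == "set-cookie")}

SAMPLE_HEADERS = [  # constructed response headers
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=3f9a1c; Path=/"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not problems else problems)
```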

Page 29: Website Hacking and Preventive Measures

Preventive Measures

• For RFI and LFI Attacks:

  • Use proxy servers instead of using proxy server software (as a web app).

  • Develop a mechanism to parse the contents received from other servers.

  • Improve business logic.

• For XSS Attacks:

  • Parse the user inputs properly.

• For DDOS Attacks:

  • Use firewalls and antivirus programs.

  • Avoid giving major permissions to websites.

  • Block IPs on the server which send bulk requests.

Page 30: Website Hacking and Preventive Measures

Conclusion

Developers think that once a web application is developed the work is finished, but this is not true for web apps. For web apps, maintenance is much more important and things need to be kept well updated; if not, a single vulnerability may bring down your whole web app and servers.

Be careful !!!!

Page 31: Website Hacking and Preventive Measures

Any Questions ????

Page 32: Website Hacking and Preventive Measures

Thank You !!!!!