This is how hackers attack vol2

In this post I will elaborate on how hackers use web applications to initiate their attacks. This is important for many of us, since most of us create web applications in some form, and some of us think about moving into the marketing area to create a bigger cash flow.

Attackers note down the input boxes the site uses to collect information. They check whether these forms are submitted with the GET or the POST method. Either method gives the attacker an idea of how the website works, and from there they start testing the weak spots of the system.

The web address points at the main directory of the website, and attackers append different directory names to see what they can access. For example, an attacker targeting a website called http://www.victimwebsite.com would try to access http://www.victimwebsite.com/admin to see whether he can reach the control panel of the website.

Another way to learn about hidden folders is robots.txt. This file is meant to tell search engines which folders are worth indexing and which should not be indexed, so it can contain folder names a hacker is not supposed to know. Thus folders should follow a naming convention that does not advertise their purpose, and an administrator should also avoid listing important folder names in that file.
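As an added defender-side example (not from the original post), the Python below flags the behaviour described above: a client that pulls robots.txt and then guesses directory names such as /admin. It parses constructed combined-format access-log lines (the log layout, sample addresses and thresholds are all assumptions) and reports any IP that produces several distinct 404s within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log layout (an assumption about the log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one client fetches robots.txt then walks guessed folder names;
# another browses normally and hits a single missing stylesheet.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /robots.txt HTTP/1.1" 200 120
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /admin HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /backup HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /old/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /login HTTP/1.1" 404 210
198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2023:13:55:12 +0000] "GET /images/logo.png HTTP/1.1" 200 9300
198.51.100.4 - - [10/Oct/2023:13:55:15 +0000] "GET /missing.css HTTP/1.1" 404 210
"""

def parse_log(text):
    """Yield one dict per line that matches LOG_RE; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_directory_probing(text, window_seconds=60, min_distinct_404=4):
    """Return {ip: {"paths": [...], "fetched_robots": bool}} for clients that
    request many distinct non-existent paths within window_seconds."""
    misses = defaultdict(list)   # ip -> [(timestamp, path)] for 404 responses
    fetched_robots = set()       # ips that pulled robots.txt (harvesting hint)
    for rec in parse_log(text):
        if rec["path"] == "/robots.txt":
            fetched_robots.add(rec["ip"])
        if rec["status"] == "404":
            ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            misses[rec["ip"]].append((ts, rec["path"]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window over the 404s
            paths = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(paths) >= min_distinct_404:
                flagged[ip] = {"paths": sorted(paths), "fetched_robots": ip in fetched_robots}
                break
    return flagged
```

Running `find_directory_probing(SAMPLE_LOG)` flags only 203.0.113.7; tune the window and threshold to your site's normal 404 rate before alerting on it.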

Moreover, code embedded in CSS files gives the hacker clues about the skill of the developers. These files can also expose weaknesses for the hacker to exploit.

ATTACK is on the way
Now the attacker has the list of hidden folders, information about operating system, possible vulnerabilities and general map of the website.
There are many options to choose from. The simplest is to run password-cracking software against the admin login and wait for it to find the password. This way he can steal information, sell it or simply change the login page. These attempts are generally made by young people who are trying to prove themselves, commonly known as “lamers”.
Real hackers, by and large, aim at exploring the weaknesses of the website. For example, they inspect SQL services and try to access the database with a telnet client. Experienced hackers will go further and try to list the tables in the database. They will call it a success when they can access credit card information or other important data.