SBN

How hackers check to see if your website is hackable

Introduction

“Memento mori” is Latin for “Remember that you are mortal.” According to tradition, this phrase was whispered to triumphant Roman military commanders on parades, to remind them they remained fallible humans. 

In these times, perhaps the tradition should be updated to whispering “you will be hacked” into the ears of website administrators. This may be necessary to remind them that no matter what defenses they have deployed, hackers are always looking for new ways to hack sites. 

But what are the methods that hackers use? Below, we look more closely at how website hackers may target client-side, server-side or direct vulnerabilities.

Server-side vulnerabilities

Aside from phishing and related attacks on administrators, hackers will frequently attempt to determine the web server type (e.g., Tomcat), web server software (e.g., node.js) and server operating system. This may be achieved by examining factors such as general intelligence (e.g., from comments on social media and tech sites), session cookie names, web page source code and more.

Once the backend technology has been determined, hackers can use a variety of methods to exploit unpatched vulnerabilities. Insecure server setup, such as insecure server default configurations, unrestricted access to server folders and open ports have all been exploited to hack sites.

Insecure default server configurations are often tested by hackers, such as leaving default credentials active. Scanning tools such as Grayhat Warfare are often used by hackers to find insecurely configured Amazon S3 bucket contents.

Open ports are easy for hackers to pick up using port scanning tools, and once detected, a variety of vulnerabilities may be exploited.

Similarly, tools to scan for files may find administrative tools that can be accessed with weak passwords — or no passwords at all. Inadequate restrictions on file uploading to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/iQaFmC394PY/