Technology:Anatomy of a Web Site Hacker Attack

This page is a chapter in the book Technology Index.
Many web sites get 'hacked' from time to time, as we well know. (AP was hacked in May 2011)

That raises the question: how do the cretins get in and do damage?

Here is the layman's version of a technical explanation.
I've written this item in terms of the technology we use to power AP, namely PHP and MySQL.

For an attack to work the hacker must find a way to execute some malicious program code
on the target server.
FYI: This is different to a cross-site scripting attack, where the hacker gets malicious
program code to run in other people's browsers rather than on the server.

There are three typical methods of attacking a server.
  1. Send a block of text that overflows a buffer and causes attacker-supplied binary code to run on the server.
    This method is traditionally used to attack Windows systems, as the target hardware and
    operating system are well known.

  2. Send form text to an unprotected dynamic SQL database statement,
    or other dynamic execution (a PHP eval statement).
    eg: Say we have this pseudo code in our program:
    SELECT userid, username, password 
    FROM user
    WHERE username = '$Input_username' AND password = '$Input_password';
    If I sent the text ' OR 1; DELETE FROM user; -- as the $Input_username variable and it were not first
    sanitised, the statement actually executed becomes:
    SELECT userid, username, password 
    FROM user
    WHERE username = '' OR 1; DELETE FROM user; --' AND password = 'Password';
    The above attack would simply wipe out the user table in the database - crude, but it demonstrates the problem.
    Note that -- is the SQL comment marker: everything after it on that line is ignored.

  3. Set a cookie so that a similar attack to item 2 occurs.
    This attack is a bit more subtle, as it requires setting a cookie that you know will be used
    in a statement without first being sanitised.

Attacks 2 and 3 were what happened to AP in the last fortnight.
Both require knowledge of what is running on the forum, i.e. where a weakness exists.

Stopping these attacks requires that all input from the client browser be assumed malicious
and filtered, escaping ' and other special characters into a harmless quoted form, before
it is used in a dynamic (run-time) SQL statement or PHP eval statement.
There are standard library filter functions to do this, but sometimes a call gets missed.
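As an added example (not the article's own code, nor AP's), here is the login lookup from item 2 written twice in PHP: once with the input interpolated into the SQL text, as in the pseudo code above, and once as a prepared statement, which is the filtering step the paragraph above describes done by the database driver rather than by hand. It uses PDO with an in-memory SQLite database so it runs offline; the table, the two rows and the cookie names are constructed for the example, and with MySQL only the DSN would change.

```php
<?php
// Added example, not code from the article. Constructed table and rows;
// real applications store password hashes, never plaintext passwords.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO user (username, password) VALUES ('alice', 'secret1'), ('bob', 'secret2')");
    return $db;
}

// VULNERABLE: the article's pseudo code, literally. Untrusted text becomes part of the SQL.
function findUserVulnerable(PDO $db, string $inputUsername, string $inputPassword): ?array {
    $sql = "SELECT userid, username, password FROM user "
         . "WHERE username = '$inputUsername' AND password = '$inputPassword'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: a prepared statement. The SQL text is constant; the values travel separately
// as parameters, so a quote in the input can never close the literal or add a clause.
function findUserSafe(PDO $db, string $inputUsername, string $inputPassword): ?array {
    $stmt = $db->prepare(
        'SELECT userid, username, password FROM user WHERE username = ? AND password = ?'
    );
    $stmt->execute([$inputUsername, $inputPassword]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Item 3 of the article: a cookie value used in a query gets exactly the same treatment.
function findUserByNameSafe(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT userid, username FROM user WHERE username = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();

// The article's injected username without the DELETE part. "OR 1" alone makes the WHERE
// clause true for every row and "--" comments out the password check.
// (PDO's SQLite driver executes only the first statement per query() call, so a trailing
// "; DELETE FROM user" would not run here; that half of the article's example depends on
// the driver allowing multiple statements per call.)
$attackUsername = "' OR 1 -- ";
$attackPassword = 'anything';

$hit = findUserVulnerable($db, $attackUsername, $attackPassword);
echo "interpolated SQL:   ", $hit ? "logged in as {$hit['username']} with no valid password\n" : "no user\n";

$hit = findUserSafe($db, $attackUsername, $attackPassword);
echo "prepared statement: ", $hit ? "logged in as {$hit['username']}\n" : "no user (input treated as a plain string)\n";

// Cookie names here are hypothetical. $_COOKIE is client-controlled just like $_POST,
// so it is bound as a parameter, never pasted into SQL text.
$cookieName = $_COOKIE['username'] ?? 'alice';
$row = findUserByNameSafe($db, $cookieName);
echo "cookie lookup:      ", $row ? "found userid {$row['userid']}\n" : "no user\n";
```

Run it with `php` from the command line: the interpolated version reports a login as the first user in the table, the prepared version reports no user for the same input. With mysqli, `mysqli_real_escape_string()` is the escaping function the paragraph above alludes to; prepared statements are the better default because the escaping cannot be forgotten for one variable.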

So to be successful the hacker needs to look at code used by the forum (eg. a well-known plugin)
and then exploit any weakness found. The hacker's skills in this case need not be particularly
advanced; this information and the how-to are well known.
Generally these sorts of hackers are script kiddies.

So how do we stop this?
We just need to keep up to date with patches and check and double-check any new third-party code.
I need to ensure (and I do) that my programming style uses the appropriate input filters by default.

Can a site be 100% safe?
Theoretically yes, but there are usually bugs in software that can be exploited.
So instead we just try to keep ahead of the game and also have a decent backup strategy, which AP does.