How A Website Hacker Can Compromise Your Website

July 11, 2016 in Cyber Attacks

Cybercriminals are unpredictable. They’ll surprise you by sneaking into your website, executing attacks and harming your data and business. You can think of it like a baseball game in which the website hacker is trying to make it to the next base without getting called out. Secure all your bases by learning a little about how hackers attack your website.

A baseball field

On Deck – Targeting a Victim

Before a cybercriminal can take their first swing, they need to target a website for attack. In order to do this, they’ll need to gather a list of sites.

Google Dorking, or Google Hacking, is a hacking technique, which uses Google Search to identify website security holes. When Google Dorking, cybercriminals will use advanced queries to find specific strings of text within the search results. The hacker is often looking for specific versions of vulnerable web applications. Instead of typing “find vulnerable websites” in the search engine, hackers can get more sophisticated with their searches.

Google Dorking examples:

Filetype: Followed by Doc, PDF, XLS

Inurl: Followed by a particular string of text

Intext: Followed by specific words with the string anywhere in the text

Website hackers can also search for multiple websites that share the same IP. With this list, they can use bots to scan multiples sites at once.

Baseball player's foot touching first base.

First base: Finding Website Vulnerabilities

The cybercriminal has a successful at bat and can now move to first base, in which they will try to find vulnerabilities to exploit.

A website hacker uses tools to scan sites for vulnerabilities. Essentially, any website scanner that you can purchase, a cybercriminal can purchase, too. A scanner will alert the cybercriminal to vulnerabilities found in a victim’s website. They can also scan for vulnerable ports, plugins, applications, and networks.

Sometimes, attackers use static application testing to run automatic analysis on a website’s source code. With over 90% of vulnerabilities found in web applications, static application testing is used to find vulnerabilities in custom and third party applications.

Baseball glove with ball tagging second base.

Second Base: Exploiting the Vulnerability

Now that the cybercriminal has found the vulnerabilities, they can sneak over to second base to exploit the vulnerabilities.

A website hacker can use a brute-force attack to bypass security login forms. A brute-force attack is a trial-and-error attack used to obtain unauthorized access to sensitive information, like passwords and email addresses. The attacker will use a brute-force attack to generate a large number of consecutive password guesses by using dictionary words, commonly-used passwords or a combination of letters and numbers.

Cross-Site Scripting (XSS) is a common web application vulnerability that a website hacker will exploit. It allows an attacker to inject malicious client-side scripts into web pages viewed by others. When using XSS, a cybercriminal can exploit a vulnerability on a website and hope for victim interaction.

SQL Injection (SQLi) is another code injection technique that exploits security vulnerabilities in an application’s software. With SQLi, a cybercriminal can attack data-driven applications by inserting SQL statements into an entry field for execution.

Third base

Third Base: Causing Damage to the Website

Now that the vulnerability is exploited, the website hacker can steal third. This is where they can cause the most damage.

With XSS, the attacker can access a user’s account, allowing them to view anything available to the authorized user. If the user stores personal information in the account, such as an e-mail address, home address or credit card information, the criminal can steal that data. The criminal can also combine XSS with different techniques to perform other attacks, like session hijacking, scraping sensitive information and malicious redirecting.

Much like XSS, SQLi allows an attacker to bypass authentication and impersonate specific users. SQL injection is used to view, tamper and delete data stored in a website’s database.

Home plate

Home Plate: Successful and Undetected

At this point, the cybercriminal has successfully reached home plate. They targeted a website, found and exploited the site’s vulnerabilities – all while remaining undetected.

With the stolen data, the attacker can make a profit. Cybercriminals can retrieve emails lists from databases for phishing scams, which often aim to redirect users to bogus webpages. Or, the cybercriminal can simply monetize on that email list by selling it to other cybercriminals on the black market.

Be on the Winning Team

The website owner and the cybercriminal are essentially racing to find the vulnerability first. If the owner finds the vulnerability first, they can take proper security measures to fix it. When a cybercriminal is the first to find one, they will exploit it. There are measures you can take to be on the winning team.

Make sure the website hacker strikes out before they can reach first base. You can use the same tools a cybercriminal uses to find website vulnerabilities. Start with a website scanner to identify and classify security holes. When vulnerabilities are found, it will alert you of it immediately. A leading website scanner can search in many different areas on a website to find vulnerabilities, such as source code, networks and ports.

By performing static application security testing (SAST), you can find vulnerabilities in your applications before they allow malware in. SAST will analyze a website’s source code, line by line, to check for security issues. Typically, these tests are non-disruptive with zero server-load.

A web application firewall (WAF) can be used to block brute-force attacks and help prevent SQLi and XSS. A WAF will protect your website from cybercriminals attempting to steal your data for traffic and profit.

If you want to prevent a cybercriminal from scoring a home run on your website, give the SiteLock security experts a call at 855-378-6200 for a free website risk assessment.

Latest Articles
Categories
Archive
Follow SiteLock