Hacking Your Own Site - Website Vulnerabilities

(Page 2 of 3 )

Malicious hacking often takes primarily two things, time and software.  This means that most web sites or applications are vulnerable in some way.  But it also means that most weaknesses can be protected by time and applications; for example, in the context of hacking, the difference between a five-digit password and an eight-digit password including a number is approximately 22,000 years. I mean by this that it would take a hacker, using some kind of dictionary attack program around 22,000 years to find your password if it was eight alphanumeric characters. As a standard rule of thumb, enforce your users into creating passwords of at least 8 characters in length and ask them kindly not include words found in the dictionary. This is for your site's protection as much as their own and that of their fellow users.

Web Forms 

Web forms are an easy target for hackers or anyone who simply wants to break your applications, as the user is given the opportunity to pass information to your web server, which performs calculations using that information. If you have any forms on your site, (which you undoubtedly will) visit one of them now and in the first text input field you come to type:

<b> I could use this field to execute a script<b>  

Press the Go! or Submit! button and you should see:

I could use this field to execute a script

Okay, so you'll probably have some kind of form validation implemented to prevent fields in your forms being left blank, but you can see what I'm getting at here. You just hacked your own form, albeit in a very basic way. 

Fortunately, there is a very simple php function which prevents this from happening: HTMLSpecialChars. It's a function that is usually used in conjunction with mySQL database queries, but can be put to work in form processing php scripts as well. 

Let's say, for example, that the first text input field on your HTML form captures visitors' names and is called 'name'. This would be assigned the variable '$name' in the php script that's invoked when the submit button is pressed. All you need to do to prevent code execution on your forms is include:

$name = HTMLSpecialChars($name)

somewhere near the top of the php file. Repeat the above example, and the text should be displayed normally. It won't prevent hackers from trying to hijack your applications, in the same way that locking your car won't prevent it from being stolen, but it's a function that should be included in any form processing script you write as a basic security consideration.

If your site uses multiple forms, in a shopping cart for example, it will probably rely upon hidden fields to transfer information from one page to the next (often referred to as persistence). You'll find that if you save the source code of a page containing hidden forms, you can modify the values of hidden forms and then reload the modified page in your browser. Try experimenting this with some of the simpler forms you use that contain hidden fields; if you've been successful, not only have you hacked your own site again, but you've highlighted the fact that others can do this too.

This is an open door to hackers, especially in the case of shopping carts; what would happen to your business if a hacker were able to use the above technique to change the price of all of your products to $1?

One way around this would be to use a one-way hash such as md5 to generate an outgoing message digest containing a concatenated string of all the hidden field names and values plus a secret key. When the form is submitted, it contains an incoming form digest which is also a concatenated string of all hidden field names and values plus the secret key. If the outgoing digest differs from the incoming digest, the hidden field values have been tampered with. An easier, but admittedly slightly less secure method of preventing hidden field manipulation would be to use an html encryption tool on pure html pages, thus hiding the names and values of any field names.

Next: Solutions to Website Vulnerabilities >>
 

More Security Articles
More By Dan Wellman

Comments On: Hacking Your Own Site

· are you joking? 'netcat to crash their computer'?? lmao.    · soundsl ike an article written by someone who did a quick intro to security tutorial...    · Methinks if you implement the netcat and the"200 404" you will just interest a real...    · No offence taken (well not much anyway), firstly tho, where in the article do I say...    · the maxchar one was too simple,as (i think) anyone who knows html should know that...    · Its a good point and well made. Apart from the section about netcat (which, as I...    · Just in case anyone hadn't heard of this group before:...    · Thanks for the overview of security. I dont care if some are so far into thier own...    · I'm glad that some people at least are taking the article for what it is. It's a...    · I think it was a good introductory article on web security.    · "I know a little bit less about hacking and preventing hacking than a lot of people...    · (i don't know any in english because i use chinese program)The worst Kind, tho we...    · (i don't know any in english because i use chinese program) to shut down all your...    · What do you have against hackers? some are very good people.my son is a hacker and...    · i think he knows what hes talking about but he dosen't know how to describe it in...    · can someone help me find a good & helpful site describing the vulnerabilities of a...    · What makes you think your site is being hacked? Do you have a database connected to...    · yes i do have databases and using classic asp. got a few forms on the site, as...    · although the first comment by anonymous lozah was over a year ago i would like to...    · <a href="{link1}">{text1}</a>, <a href="{link2}">{text2}</a>    · Netcat CAN crash your computer(s).You can use it this way or the other.Your...    · give him a break hes just trying to help people ot. damn haters    · He says tons of times that not all hackers are bad, and what the good ones do. You...    · ei... can u give me sites that teaches how to hack a computer...all about...    · start at the hack faq (http://www.nmrc.org/pub/faq/hackfaq/index.html)   >>> Post your comment now!