This article highlights well-known website vulnerabilities, bad practices, flaws and security issues that allow hackers to compromise websites. Its purpose is strictly educative, and it should be used as a guide to enhance the web security applied to websites and web applications.

The material presented below is gathered based on common mistakes made by Internet users having very limited computer science skills. The base-level information shared here depicts an entire arsenal that leads to a successful cyber attack, resulting in legitimate websites getting blacklisted by search engines and security manufacturers.

1. - poor username and passwords
2. - key-loggers (PC malware) stealing user credentials that are further used to access and hijack website
3. - SQL injection to dump content of database copying login credentials stored in it
4. - installation and use of vulnerable plugins for widely used CMSs like WordPress, Joomla and Drupal
5. - shared hosting issues - hacked website allows access to all websites installed on the same server
6. - bad configuration of PHP (php.ini) resulting in remote files injection and remote code execution
7. - XSS flaws - cross site scripting vulnerabilities based attack as most pervasive

“Invalid handling and poor validation of the user input are most common reasons for web application crash and for opening access to website internals.”

As human beings, it is pretty difficult for us to think of complicated username and password for each and every online service and, more of it, is pretty difficult for us to recall it then. Even for the services used on a daily basis.

So how password management implemented on the site? In general, every provided password is passed through a one-way mathematical function (called hash function) which maps between password and appropriate hash value (text comprised of digits and characters). During authentication phase, website user/visitor enters previously registered username and password, website code process inputs via the hash function and further checks whether function output identical to previously stored value. If calculated hash value is identical to the stored one - user passes the validation; otherwise, the login is rejected.

While one-way functions require minimal resources to calculate an appropriate hash value for provided input, it is pretty expensive to do the same in the opposite direction, - mapping from known hash value to original input. For example, MD5 [1], MD4 [2], SHA-1 [3] or in general any cryptographic hash function [4] could be used to map from user’s password to appropriate hash value.

With modern CPU’s capabilities, one could easily conquer this problem and run such function hundred of times per second and simply verify whether provided input generates required hash values. In other words, given required hash value(stolen from third party database) and wordlist containing few millions of words, it does not take much time to go over all input words and find which one produces the desired hash value.

There are more than enough of free tools available that could be used for this purpose. Most popular of them are “John the Ripper” and “Hashcat”.

Basics that can help you minimize the risk of stolen credentials:

1. Use automatic tools to generate complicated password
2. Use KeePass (or similar utilities) to create/store/manage your password
3. Use more complex or homemade algorithms for hash function implementation
4. Use strong passwords (more than 10 symbols)

References:

• MD5
• MD4
• SHA-1
• Cryptographic hash function

Key-loggers are software programs capable of monitoring and logging to a file every keystroke performed on the monitored device. Such programs can monitor web browser activity, instant messengers or email client applications while sending the collected data to the remote server for further analysis by the attacker. Initially, key-loggers have been used by IT staff to analyze and fix technical issues, monitor device activity, for parental and employee control. They were later utilized by cyber-criminals to steal email addresses, login credentials and other sensitive user information to get financial profit. Software key-loggers may be classified into these major classes:

a) Web browser add-on or extension listening on JavaScript events and log web browser activity

b) Stand-alone process monitoring keyboard activity. Cheap to develop from one side but from another side it is easily detected by most AV engines.

c) Shared library (dynamic linking library) injected into memory of another process and further running with execution permissions of the exploited process.

d) Kernel module (driver) loaded into kernel space of compromised operating system. Such key-logger can be implemented as a rootkit or keyboard device driver, and it is hard to detect by security software.

Some keyloggers are very popular and are freely available on the Internet, while more than 90% of such applications are used for malicious purposes. Search[1] for “keylogger” word on softpedia.com returned 17 pages.

Identical to all known kinds of malware, key-loggers can be installed on the targeted device without any user interaction (for example via “Drive-by-download” attack). It then runs transparently and insensibly to the common work of the compromised device.

Well-known and widely spread malicious key-loggers are Zeus[2] and Spyeye[3].

Basic preventive security measures:

1. Keep your PC clean from malware using common AV and anti-keylogger solutions
2. Avoid login into your dashboard from not trusted devices like public PC

References:

• Keyloggers-Monitoring
• Zeus
• Man in the browser

A dominant percent of websites run on (or their back-end uses) SQL ( Structured Query Language ) database to store website content and management information. On these sites, users input is processed by website application code and stored in SQL database for future access and or presentation. Interaction with SQL database is done via SQL commands called queries.

As an example for user input let’s take a user registration form where it is required to provide login credentials, avatar and other information relevant to the registration process. Next, the website hashes the provided password, as described in 1, and stores all acquired information including newly generated password into the SQL database. Following is a PHP command example which adds new customer to existing customers table:

mysqli_query($con,“INSERT INTO Customers (First_Name, Last_Name, Age, Id, Pass, Email) VALUES (‘Michael’, ‘Fish’,35, b354390b8d81c0a880a42bee9f586fd5, Michael@fish-net.cc)“);

Next time when during the login procedure, the user submits his/her username and password and this information is retrieved from the database and compared to the submitted values.
So what is SQL injection attack? SQL injection is, essentially, an insertion of SQL query via the user input data form into the backend database. Successful injection of SQL query may provide access to the valuable information such as a list of stored passwords or credit cards numbers. It may allow to run administrative commands like ‘dump’ or erase database content.

Now let’s say that the data form validation handler contains a security vulnerability and does not validate whether the provided email is truly an email address. An example PHP code looks like this:

mysqli_query($con,“SELECT * From Customers WHERE Email LIKE $email;”);

When the user submits a valid email address, $email variable contains Michael@fish-net.cc and such command returns user record previously created by “INSERT INTO” command. However, if for example user inserted “%@gmail.com”, where % is SQL wildcard symbol, this command will select all registered users with Gmail email address. This simple case shows that website behavior may depend on user input and perform not-predictable operations.

Of course, SQL injections today are much more sophisticated, and our intent was just to highlight its principle.

In conclusion, SQL injection is very dangerous attack since in addition to the compromised website you can damage your reputation if user sensitive data is stolen and published on the web. Like it happened with social games developer RockYou, who was attacked back in December 2009 when more than 32 millions of user passwords have been publicly disclosed on the web.

Basic preventive security measures:

1. validate and verify every user input
2. periodically test your website with SQL injection scanners like http://www.mavitunasecurity.com or www.gamasec.com
3. Move your website to NoSQL (https://en.wikipedia.org/wiki/NoSQL) databases like MongoDb (http://www.mongodb.org/) or couchdb (http://couchdb.apache.org/) databases.

In last ten years, open source CMS packages/frameworks experienced pretty huge boost. These days the majority of very popular websites are implemented on open source CMS.
Free CMS solutions have a very big community which provides support for such CMS and enhances them with new extensions and plugins. Such plugins come to enrich initial CMS functionality, help maintain website content and to add other useful capabilities. However, when implemented with bugs they often inject serious security vulnerabilities into the system.

Vulnerability statistics links:

• WordPress (http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337)
• Drupal(http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367)
• Joomla(http://www.cvedetails.com/product/6129/Joomla-Joomla.html?vendor_id=3496)

Big arsenal of security vulnerabilities can be found in such plugins including XSS, Denial of Service, access to sensitive information, injection of malicious PHP and or JavaScript code, SQL injection, exploits injection, etc… Quttera users frequently detected malicious plugins and from time to time we post about this cases on our blog.

Unfortunately, it takes some time from underground discovery of such vulnerability until public knowledge and bug fix. While during this period cyber criminals exploit it and compromise thousands or maybe tens of thousands of websites.

Basic preventive web security measures:

1. Use only well known and well tested plugins
2. Monitor your website with web malware scanner to detect malicious content as soon as possible using scheduled and on-demand malware scan
3. Regularly check list of installed plugins for newly discovered and published security vulnerabilities
4. Use most recent and stable version of the CMS
5. Update plugins as soon as new version is available

You can run a free scan of your site anytime with online malware scanner available on our home page.

Before digging into security issues of shared hosting let’s try to understand what shared hosting is and why web hosting providers widely use it.

So what shared hosting is? As the name implies, we can think of it as one physical server and one web server (like Apache) hosting and servicing hundreds or maybe thousands of websites. Which in turn share the same physical server, HTTP/web server and the same hard disk used to for physical storage of the content presented on the website.

As long as main server CPU strength, network bandwidth or network capabilities of cable (network environment) connecting this server to internet and size of physical storage allows it there is no limit as to how many different websites can be hosted on one shared server.

So what are pros of such solution? In general, it is a price per month that may be as low as few US dollars. If you are managing a small website, you do not need and probably will never use all the capabilities provided by the physical server. The dedicated physical web server costs much more, and it takes much time to manage and operate it.

Usually, shared hosting provides you with dashboard UI to operate with files, FTP credentials to manage your content, Email management and capabilities to install some applications to enhance your website. The other side of the coin is the security of provided service.

Once you share the resource with hundreds or maybe thousand of other websites, you cannot be sure for 100% that all these guys are committed to keeping their site secure and free of malware. Add to this the use of outdated CMS with vulnerable plugins, and you get a recipe for disaster. Finally, once any of those websites are compromised, your chances to be hacked as well multiplied by tens or maybe hundred times. A successful attack may allow the hacker to read/write to the files of any other accounts.

So what are security issues in shared web hosting environment? The cancer of shared web hosting servers is the “directory traversal” attack (http://en.wikipedia.org/wiki/Directory_traversal_attack) allowing by the specially crafted path to access and change files of other websites. So once at least one website was compromised, and hacker gained access to an entire hard disk he can do whatever he wants. That includes: deleting content from all websites, changing index files, infect web pages with malicious code or redirecting traffic to malicious resources or simply install shell (like C99) to manage files and directories and maybe distribute malware from the infected website. In some cases, websites get compromised with SEO spam injection and appear in search engines with spam content. The biggest problem, in this case, is that you cannot be sure that upon remediation of your website, the reinfection will reoccur. Therefore, such danger is present until the malware is removed from an entire shared web server, of course.

Useful links:

• http://www.acunetix.com/websitesecurity/directory-traversal
• http://en.wikipedia.org/wiki/Directory_traversal_attack
• http://en.wikipedia.org/wiki/File_inclusion_vulnerability

Since 1995, PHP is one of the major players on web infrastructure market. Due to its simplicity, PHP is known as not that much a secure environment. Often, PHP developers concentrate on the development of web application itself without paying required attention to the security issues and user input sanitation.

Regardless of web application vulnerabilities and bugs, unsecured PHP configuration may open gates for the number of known attacks including SQL injection leading to leaks of sensible information, XSS (cross site scripting) , directory traversal which provides access to server’s file system, local and remote file insertion allowing execution of any PHP code as a part of website functionality. Following is pretty simple example of a code, vulnerable to remote page insertion attack:

<?php $req_page = $_GET[‘page’] include( $req_page ); ?>

In this example, ‘page’ parameter is passed to PHP code via arguments passed inside URL and may contain a reference to any local or remote files.

So how to overcome all these issues? Proper configuration of PHP is a pretty difficult task and should be adopted to application needs. For example, you can disable use of several PHP functions accessing OS interfaces like “exec”, “shell_exex”, “system”. Periodically test application code with static code analysis tools like RIPS (http://rips-scanner.sourceforge.net/). Validate any user input parameter passed as arguments to SQL queries. Following is a list of third party links that may help you to protect your website from PHP driven vulnerabilities.
Useful links:

• PHP Security Best Practices: http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
• http://www.tenable.com/blog/configuration-auditing-phpini-to-help-prevent-web-application-attacks
• http://feross.org/cmsploit/
• Securing Apache: http://www.symantec.com/connect/articles/securing-apache-step-step
• Securing PHP: http://www.symantec.com/connect/articles/securing-php-step-step
• Open source vulnerability scanner: http://www.openvas.org/
• Securing WordPress configuration: http://blogvault.net/wordpress-security-1-securing-wp-config-php/
• 30+ PHP best practices for beginners: http://net.tutsplus.com/tutorials/php/30-php-best-practices-for-beginners/
• PHP security manuals: http://php.net/manual/en/security.php

XSS or cross-site scripting website security vulnerability provides the attacker with the possibility to insert/inject JavaScript code to be executed as a part of an original web page viewed by the site visitor. The malicious JavaScript code provided as a part of user input arguments of the original URL and without proper sanitation is inserted by the web server into the body of the HTML page.
XSS attacks classified as non-persistent and persistent.

During non-persistent XSS attack, the user simply accesses a vulnerable website using specifically crafted URL, containing the malicious script. The code running on the side of vulnerable web server copies this input into the targeted HTML document and returns it back to website visitor giving to injected script possibility to run as a part of the legitimate content of the required web page. Following is an example of non-persistent XSS attack.

The specifically crafted URL:
http://myxsssite.com?name=Myname

The vulnerable PHP code injecting the name argument into outputted web page without any proper validation:

<?php $name = $_GET[‘name’]; echo “<p>Hello $name</p>”; ?>

What happens here is that $name argument passed to the echo routine without any validation and resulted in the following HTML code

<p>Hello <script>alert(“Hello World”) </script></p>

This simple and harmless example opens an alerting window with text “Hello World” but in place of this simple script, the attacker can put any malicious script that may steal session information, inject iframes and redirect website visitor to another malicious website.

During the persistent XSS attack, the injected malicious script is stored into website’s backend database and is injected into normal web page shown to the visitors. An example of such attack is a website of a social network that allows storing user profile information on the server side. Now if the website is vulnerable and is not implementing input sanitation, instead of his name or occupation description the malicious agent will put the malicious code. This code is stored on server’s database and is shown (run) every time other users visit malicious agent’s profile page. Such kind of attacks may steal session information or website administrator credentials giving hackers full access to the attacked web server.

Basic preventive web security measures: Validate every user’s input provided to website as a part of referenced URL Validate user input before this information stored into websites database Periodically test your website with available XSS vulnerability scanners

Useful links:

• Cross site scripting presentation: http://intellavis.com/blog/?p=353
• Detecting cross site scripting vulnerabilities: http://intellavis.com/blog/?p=325
• Zed testing tool for finding vulnerabilities in web applications: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

As usual, we are here to clean up any malware from your sites and remove false-positives, blacklisting and other kinds of alerts by any security vendor and search engines. Just select from a suitable ThreatSign! Anti-Malware Plan and get back online.

For other issues and help: Quttera's help-desk