In this post, you will learn which techniques are used by the hacker to hack the Websites and you can stop your website from getting hacked.
Below are the common ways by which hackers can attack your website. The examples are valid in the PHP language.
1. Error Reporting: When a user tries to submit the manipulated data to the server, then the server sometimes triggers the error message when the server is unable to handle the manipulated data. This error message can generate information like OS name, directory names, software version and a lot of other things.
Example:
<?php
echo $_GET["number"];//Hacker can request this url without passing a query string.
?>
Now, on running this script it will generate an error
Notice: Undefined index: number in C: /wamp/www/index. Php on line 3
This error leaks a lot of information. Some of them are:
- Website runs on Windows OS
- Wamp Web server
- Target file is index.php
Solution : Disable Error Reporting/Displaying and enable error logging.
To prevent these kinds of errors we can do simple validation as shown below.
<?php
if(isset($_GET["number"]){
echo $_GET["number"];
}
else{
echo "Variable not set";
}
?>
2. HTTP Response Information Leakage Attack
We can stop web servers from leaking this information by changing some variable values in httpd.conf and php.ini files.
In httpd.conf file:
ServerTokens Prod
ServerSignature Off
In php.ini
Expose_php = off
3. Client-Side Validation Attacks
Never Depend on only client-side validations. A Hacker can easily bypass the client-side validations and hack the website.
Example:
<form action="/" method="POST">
Subscription Form
E-Mail: <input name="email" type="email" required>
<input type="submit">
</form>
<?php
if(isset($_POST["email"]))
{
if(file_exists("emails.txt"))
{
$emails = file_get_contents("emails.txt");
}
else
{
$emails = "";
}
$emails = $emails . "\n" . $_POST["email"];
file_put_contents("emails.txt", $emails);
echo $emails;
}
?>
The above code looks great, but hackers can easily break the client-side validation by changing the input type email to text and put the manipulated data in it for further analysis. Now, hackers can put anything random in the text field and now your website is vulnerable to spam.
To prevent this, we can validate the form data on the server-side.
<?php
if(isset($_POST["email"]))
{
if(!filter_var($_POST["email"], FILTER_VALIDATE_EMAIL))
{
echo "E-mail is not valid";
}
else
{
if(file_exists("emails.txt"))
{
$emails = file_get_contents("emails.txt");
}
else
{
$emails = "";
}
$emails = $emails . "\n" . $_POST["email"];
file_put_contents("emails.txt", $emails);
echo $emails;
}
}
else
{
if(file_exists("emails.txt"))
{
echo file_get_contents("emails.txt");
}
}
?>
4. SQL Injection
In this Technique, a hacker can inject the SQL command into the SQL statements.
Example:
<form action="/" method="POST">
Contact Details<br>
E-Mail: <br><input name="email" type="email" required><br>
Message: <br><textarea name="message"></textarea><br>
<input type="submit">
</form>
<?php
if(isset($_POST["email"]) && isset($_POST["message"])){
//we will construct the SQL statement and print it.
$sql = "INSERT INTO contacts ('email', 'message') VALUES('" . $_POST["email"] . "', '" . $_POST["message"] . "');";
echo $sql; //assume this code is executed.
}
?>
The above code is vulnerable to SQL Injection. A user can append the SQL Injection into the text area and hack your website.
Example code the hacker can inject into the Text area
Hii ’); drop table contacts; —
When the form is submitted the server execute this command
INSERT INTO contacts (’email’, ‘message’) VALUES(‘abc@gmail.com’, ‘Hii’); drop table contacts; — ‘)
This will result in deleting your whole table contacts, so your website is hacked.
This can be prevented by validating, escaping, and running SQL commands at low privilege.
So change your script like below.
<?php
if(isset($_POST["email"]) && isset($_POST["message"])){
if(is_string($_POST["email"]) and is_string($_POST["email"]) and filter_var($_POST["email"], FILTER_VALIDATE_EMAIL))//check data type and format
{
$mysqli = new mySqli('hostname', 'db_username', 'db_password', 'db_name');
$sql = "INSERT INTO contacts ('email', 'message') VALUES('" . $mysqli->real_escape_string($_POST["email"]) . "', '" . $mysqli->real_escape_string($_POST["message"]) . "');";
echo $sql;//execute code at low privilege
}
}
?>
5. Code Injection:
In this technique, a hacker can inject code into the web server for execution.
Example:
<form action="/" method="POST">
Domain Name
<input type="text" name="number1">
<input type="text" name="number2">
<input type="submit">
</form>
<?php
if(isset($_POST["number1"]) && isset($_POST["number2"]))
{
eval("echo ". $_POST["number1"] . "+" . $_POST["number2"] .";");
}
?>
This code Takes two number inputs and passes them to the eval function for the evaluation.
Now, this code is vulnerable to code injection. A hacker can put any PHP code script to execute on the webserver.
Example: He can put the following code:
<?php echo phpinfo ?>
When this form is submitted the PHP information is leaked.
This can be prevented by avoiding the eval function and validating the data.
Following is the enhanced code.
<?php
if(isset($_POST["number1"]) && isset($_POST["number2"]))
{
if(is_numeric($_POST["number1"]) && is_numeric($_POST["number2"]))
{
eval("echo ". $_POST["number1"] . "+" . $_POST["number2"] .";");
}
}
?>
6. File Inclusion
In this technique, a hacker can run the remote or local script to the webserver.
<form action="/" method="POST">
Enter a theme color:
<select name="color">
<option value="green">green</option>
<option value="blue">blue</option>
<option value="red">red</option>
<option value="yellow">yellow</option>
</select>
<input type="submit">
</form>
<?php
if(isset($_POST["color"]))
{
include($_POST["color"] . ".php");
}
?>
In this code, we are including the file and in this code, a hacker can run any piece of code for the execution.
Example: He can inspect the source code and change any option and put values like .htaccess.
Now, on submitting the code it will display all information related to the .htaccess configuration file.
This can be prevented by data validation. Below is the changed Script.
<?php
if(isset($_POST["color"]) && ($_POST["color"] == "green" || $_POST["color"] == "blue" || $_POST["color"] == "red" || $_POST["color"] == "yellow"))
{
include($_POST["color"] . ".php");
}
?>
People having good knowledge of Financial accounting can get an Accounting Certification Exams from StudySection to increase their chances of getting a job in this field. You can get a foundation level certification if you are new to Financial accounting or you can go for advanced level certification if you have expert level skills in Financial accounting.