
This is part 2 of the Hacking Techniques post located here. In this post, I’ll go over some more techniques used in website hacking, such as the Distributed Denial of Service attack, different types of password cracking, cookie editing, and bypassing logins by editing JavaScript fields.
4. Distributed Denial of Service (DDoS)
A Denial of Service attack on a website is actually a pretty simple thing to do – an attacker floods the website’s server with requests, thus crashing the server and leaving the website unusable. This is a pretty easy attack to defend against: when the number of requests from a particular IP address rises to an abnormal level, the target web server can just block future requests from the attacker’s IP address. The Distributed Denial of Service attack is different; the attacker floods the web server with requests from many different (distributed) IP addresses. This makes it much more difficult for the target to block requests. One method to defend against this attack is, when a noticeable number of requests begins to flood the server, to stop the target servers from responding to any requests for the remaining time of the attack(s).
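The difference between the two cases can be seen from the defender's side with a per-IP rate limiter. This is an added example, not code from the original post; the class and function names, the limit of 20 requests per second, and the traffic are all constructed for illustration.

```javascript
// Per-IP sliding-window limiter (hypothetical names, constructed traffic).
class PerIpLimiter {
  constructor(maxRequests, windowMs) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> timestamps (ms) of requests that were allowed
  }

  // Returns true if the request is allowed, false if this IP is over its budget.
  allow(ip, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const recent = (this.hits.get(ip) || []).filter((t) => t > cutoff);
    const allowed = recent.length < this.maxRequests;
    if (allowed) recent.push(nowMs);
    this.hits.set(ip, recent);
    return allowed;
  }
}

// Replays a constructed flood: `total` requests within one second,
// spread evenly over `sources` different client addresses.
function simulateFlood(total, sources, maxPerIp) {
  const limiter = new PerIpLimiter(maxPerIp, 1000);
  let served = 0;
  for (let i = 0; i < total; i++) {
    const ip = `198.51.100.${i % sources}`; // documentation address range
    const now = Math.floor((i * 1000) / total); // every request falls in one window
    if (limiter.allow(ip, now)) served++;
  }
  return { served, blocked: total - served };
}

// Same request volume, one source versus 200 sources.
const singleSource = simulateFlood(1000, 1, 20);
const distributed = simulateFlood(1000, 200, 20);
console.log("single source:", singleSource);
console.log("distributed:  ", distributed);
```

With one source the limiter drops 980 of the 1000 requests; with 200 sources each address stays under its budget and every request reaches the server, which is why a distributed flood has to be detected from the aggregate request rate rather than per address.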
5. Cookie Manipulation
By itself, changing cookies to give the attacker certain access will usually only work on lower-grade websites where there is minimal protection against hacking. Unfortunately, some websites still use unencrypted cookie names and values that will never expire per user session. In this case, changing cookies can be as easy as, first, viewing the cookies (via the address bar):
javascript:alert(document.cookie);
This will pop up an alert with the cookie information and, if it’s a poorly-secured website as stated earlier, a few indications of what each field represents (e.g. user=rodney). To change these cookie values, the following may be done:
javascript:void(document.cookie="user=admin");
I cannot make this any more clear: if cookies are as simple as this on a particular website, the website is more than likely vulnerable to ten thousand other attacks. Heck, you may even find an admin password commented in the source ;]
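The server-side counterpart to the weakness described above is a cookie the server can check for modification and expiry. The following is an added example, not code from the original post: it runs under Node.js, and the cookie layout, the function names and the in-memory secret are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical server-side secret; a real deployment loads it from configuration.
const SECRET = crypto.randomBytes(32);

// HMAC-SHA256 over the cookie payload, hex encoded.
function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("hex");
}

// Issues "user=<name>&exp=<unix seconds>.<mac>" (assumed layout).
function issueCookie(user, nowSec, ttlSec) {
  const payload = `user=${encodeURIComponent(user)}&exp=${nowSec + ttlSec}`;
  return `${payload}.${sign(payload)}`;
}

// Returns the user name, or null if the cookie was modified or has expired.
function verifyCookie(cookie, nowSec) {
  const dot = cookie.lastIndexOf(".");
  if (dot < 0) return null;
  const payload = cookie.slice(0, dot);
  const mac = Buffer.from(cookie.slice(dot + 1));
  const expected = Buffer.from(sign(payload));
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) {
    return null;
  }
  const fields = new URLSearchParams(payload);
  if (Number(fields.get("exp")) <= nowSec) return null; // expired
  return fields.get("user");
}

// Constructed demonstration: the edit from the post, applied to a signed cookie.
const issued = issueCookie("rodney", 1000, 3600);
const edited = issued.replace("user=rodney", "user=admin");
console.log(verifyCookie(issued, 1500)); // accepted
console.log(verifyCookie(edited, 1500)); // rejected: MAC no longer matches
console.log(verifyCookie(issued, 4600)); // rejected: past its expiry
```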
6. Brute Force & Dictionary Cracking
I won’t go over these techniques too much, for I have a whole other post about using brute force to crack passwords. The first term, brute force, sounds a lot cooler than it actually is. Using a brute force method is usually the last resort in cracking a password due to the time it takes on passwords greater than four characters. Brute force is iterating through every single character combination until the correct combination is found. The number of combinations to try, and with it the time required, grows exponentially with the length of the password. Next, a dictionary attack is a method of finding a password by searching through a dictionary list (usually a plain text file) and trying each entry as the password. A variation of the dictionary attack, called a hybrid attack, may test a combination of entries in the dictionary concatenated with other entries. For example, instead of just trying ‘pass’ and ‘1234’, the hybrid attack may also try ‘pass1234’ and/or ‘1234pass’.
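Seen from the site's side, the three techniques above translate into a check that can run when a user picks a password. This is an added example, not code from the original post; the tiny word list and the function names are constructed for illustration.

```javascript
// Constructed sample word list; a real check would load a large list of
// known-weak passwords.
const DICTIONARY = new Set(["pass", "1234", "admin", "letmein"]);

// Reports the cheapest of the attacks described above that would find
// this password.
function classifyPassword(password, dictionary = DICTIONARY) {
  const p = password.toLowerCase();
  if (dictionary.has(p)) return "dictionary";
  // Hybrid: the password splits into two dictionary entries.
  for (let i = 1; i < p.length; i++) {
    if (dictionary.has(p.slice(0, i)) && dictionary.has(p.slice(i))) {
      return "hybrid";
    }
  }
  return "brute-force-only";
}

// Worst-case number of guesses for an exhaustive search that tries every
// password of length 1 up to `length` over an alphabet of `alphabetSize`.
function bruteForceGuesses(alphabetSize, length) {
  let total = 0n;
  for (let n = 1; n <= length; n++) {
    total += BigInt(alphabetSize) ** BigInt(n);
  }
  return total;
}

for (const candidate of ["pass", "pass1234", "1234pass", "q7#Lm2vX"]) {
  console.log(candidate, "->", classifyPassword(candidate));
}
// Lowercase letters only: four characters versus eight characters.
console.log(bruteForceGuesses(26, 4), bruteForceGuesses(26, 8));
```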
7. On-the-fly JavaScript Editing with Firebug
This technique is relatively simple and sits at about the same security level as cookie editing. Firebug, an add-on for Firefox, can be used to edit a webpage’s XHTML, CSS, JavaScript, and more on the fly. Of course, the changes exist only in the user’s own browser; they are not saved for every visitor to view thereafter. However, it is still really useful. Before I begin explaining this, I just want to clarify that Firebug is not a hacking tool; it is used by a lot of web developers and designers to make changes to their sites without having to edit, save, then reload. It speeds things up and is an amazing tool. Anyway, if the creator of a particular webpage decided to put any type of potentially valuable information into the JavaScript on a webpage (again, not a trait of an experienced security expert/developer), one may use Firebug to change this potentially valuable information and have everything submitted, parsed, and output with a desired effect (e.g. changing administrative access) without doing an extreme amount of hacking.
So with a number of commonly used examples (some in combination with others), one may see how wide a variety of tools hackers have to gain access to websites. Of course there are a ton more techniques and weaknesses in web sites and servers, but I think this is enough for a base. More often than not, more than one technique will be employed while gaining restricted access to a website. For example, XSS is commonly used to either change or capture user cookie information to hijack a user’s session, thus gaining access to all of their content. I hope this has clarified some terms and concepts for those wanting to learn more about web security. Happy hacking!

Tod Wedge
March 11th, 2010 - 1:20 pm
Just landed on this post via Google seek. I love it. This post switched my perception and I am obtaining the RSS feeds. Cheers.
Lou Azua
March 12th, 2010 - 4:26 am
I assure my pals that the Linux operating system is really very much better than Windows XP; nonetheless it’s unlikely that any of them have yet converted!