Competent site security audit
Web application security has always been a sore point. It is talked about a great deal, but the overall picture does not change: attacks on web applications are still numerous, and they are often very successful for the attackers and very costly for the victims.
The owners of the South Korean trading platform Interpark faced a serious problem: a hacker got into their database, stole information about 10 million customers from it and now demands a ransom for not disclosing it. The list of high-profile incidents also includes the hacking of the official Ubuntu forum through SQL injection, using the well-known vulnerability in the vBulletin engine. The personal data of 2 million users was stolen.
And that is only this July, and only the large sites. It is hard to imagine how many attacks smaller projects suffer. The researchers at Wallarm did count, though: in 2015 they recorded 100 million attacks on their clients' web resources.
One of the effective ways to protect your site is a security audit. So let's look at how one is carried out.
Penetration Testing
Most often, a resource's security is checked by the "black box" method: a security specialist tries to hack the target as if he were a real attacker pursuing some selfish goal, such as hacking a competitor, attacking the site's visitors, monetizing the site behind the owner's back or simply satisfying his ambition.
The tester must therefore achieve at least one of these high-level goals:
- Compromise the confidentiality of customer information.
- Deny access to key data.
- Alter or destroy information so that it cannot be restored.
As this list shows, you cannot simply start auditing a site. Penetration testing needs preparation; without it, the test will either be ineffective or turn into a real attack with unpleasant consequences. At a minimum, the following is necessary.
- Signing a non-disclosure agreement. In the course of the work, the researcher can gain access to very valuable confidential information. Reputable organizations that do security testing are unlikely to use it for their own purposes, but the contractor's integrity cannot always be verified, so it is better to put it in a contract.
- Conducting the audit on a full copy of the production site. The tester will use all the methods hackers use, including those that break the web resource or destroy the data on it. It is better not to expose the production version of the project to such stress and to limit the test to a clone.
- Keeping the audit confidential. The fewer people who know about the testing, the better. Attackers rarely announce their attacks, so telling a large number of people about the exercise can distort the result.
Penetration Testing Methods
Searching open sources. Since the "black box" method is used, the tester has no idea what the target looks like from the inside; otherwise hacking it would be an extremely trivial task. Preliminary information gathering is therefore needed.
The specialist is primarily interested in the technical side of the web application: which language it is written in, which CMS it uses and with which extensions. All of this can be found out even without special tools; sometimes Google alone is enough. For example, you can find the employees of the target company on LinkedIn, identify the programmers among them and determine which language they specialize in.
Moreover, if you wish, you can find out exactly what they were working on. Just search by their names or nicknames and the results will turn up a lot of interesting things: for example, a discussion by that programmer of a module for the engine, or an order placed from a corporate account with a freelance contractor for a new plug-in, complete with a detailed technical specification.
Identifying protective measures. The presence of any security software (intrusion prevention systems, DDoS protection, a firewall) can seriously complicate the hacking task, so it must be discovered. Special programs are usually used for this. For example, a firewall can be detected with a port scanner, and anti-DDoS services can be identified from the domain's DNS records.
Using standard vulnerabilities. Before starting to look for unknown zero-day vulnerabilities and to study the logic and architecture of the web application, the tester checks the site's resistance to conventional attack methods, for example a well-known exploit for an old version of the engine. This is exactly where the aforementioned Interpark and the Ubuntu forum suffered.
In general terms, this stage usually includes the following:
- Attempted remote code execution.
- Attempted SQL injection.
- Exploitation of XSS, RFI and LFI vulnerabilities.
- A search for places where backups are stored, and attempts to access them.
- Manipulation of the authorization system: brute force, a search for insecure password recovery, authentication bypass.
- A study of the site's file structure to detect files that are protected only by the absence of an explicit link to them.
- Interception and analysis of traffic.
- A search for unauthorized access to confidential information.
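The two items about backup locations and files protected only by the absence of a link can be checked from the defender's side, before any tester does: walk the web root, collect every path the site's own HTML references, and list what is served but never linked, flagging backup-like names. This is an added example, not code from the original article; the web root contents and the list of suspicious suffixes are constructed here.

```python
import os
import re
import tempfile
from pathlib import Path

# Suffixes that should never be reachable under a web root (constructed list).
SENSITIVE_SUFFIXES = (".bak", ".sql", ".zip", ".tar.gz", ".old", ".orig", ".swp")
HREF_RE = re.compile(r'(?:href|src)=["\']([^"\'#?]+)', re.IGNORECASE)

def linked_paths(webroot):
    """Every local path referenced by an href/src attribute in the site's HTML."""
    linked = set()
    for page in webroot.rglob("*.html"):
        for ref in HREF_RE.findall(page.read_text(errors="ignore")):
            if "://" in ref:          # external link, not a file we serve
                continue
            target = webroot / ref.lstrip("/") if ref.startswith("/") else page.parent / ref
            linked.add(os.path.relpath(target.resolve(), webroot.resolve()))
    return linked

def audit_webroot(webroot):
    """Files no page links to, split into backup-like ('sensitive') and 'other'.
    index.html files are directory entry points and count as linked."""
    linked = linked_paths(webroot)
    unlinked = sorted(
        os.path.relpath(p, webroot) for p in webroot.rglob("*")
        if p.is_file() and p.name != "index.html"
        and os.path.relpath(p, webroot) not in linked)
    return {"sensitive": [f for f in unlinked if f.lower().endswith(SENSITIVE_SUFFIXES)],
            "other": [f for f in unlinked if not f.lower().endswith(SENSITIVE_SUFFIXES)]}

def build_sample_webroot():
    """Constructed sample site: two linked files, one orphan page, one forgotten DB dump."""
    root = Path(tempfile.mkdtemp())
    (root / "img").mkdir()
    (root / "index.html").write_text('<a href="/about.html">About</a><img src="img/logo.png">')
    (root / "about.html").write_text("<p>about</p>")
    (root / "img" / "logo.png").write_bytes(b"\x89PNG")
    (root / "admin_old.html").write_text("<p>orphan admin page</p>")
    (root / "db_backup.sql").write_text("-- constructed dump")
    return root

if __name__ == "__main__":
    print(audit_webroot(build_sample_webroot()))
```

Run it against a copy of the real web root on a staging host; anything in the "sensitive" list should be moved out of the served tree rather than merely left unlinked.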
An unconventional approach. When the well-known methods do not help, the tester combines all of the above with his understanding of security systems and tries to circumvent the existing protection or to discover a vulnerability that is still unknown.
Not all auditors carry out this step, because it is quite complex, requires highly qualified specialists and costs a lot. As practice shows, zero-day vulnerabilities are very often discovered by outside researchers, who receive a corresponding reward for their discovery.
In practice, if your site withstands all the standard types of threats, the check can be considered a success. A more detailed, in-depth study of attack methods is relevant only for very large projects, which may attract truly high-class hackers capable of finding new security gaps.
Audit completion
The result of any penetration test is a document that should include:
- Information about the methods used during the audit.
- A profile of the attacker, his potential goals and motivation.
- A description of the attack scenarios the testers developed and carried out.
- A detailed report of all vulnerabilities found.
- Recommendations for eliminating them.
A properly performed audit is a very effective way of finding the weak points of a site and its server. It is extremely rare for a site to pass the test completely; usually the developers have overlooked some detail. But even if the web resource could not be hacked, that is still a result: its owner can now sleep peacefully.