
Wednesday, 13 April 2016

Why Can Hackers Target Your Website?

Today, website hacking is not limited to any single aspect or motive; websites are hacked daily for many different purposes.
Defacement is generally what people think of as website hacking, but it is far from the whole picture. Looking at website hacking as a whole, we have classified the most common reasons, which are as follows:
  • Lack of Awareness
  • Economic Gains
  • System resources
  • Revenge Hacking or Competition
  • Showing off skills
  • Script Kiddies

Lack of Awareness

This is one of the major causes of poor website security. People run outdated technologies and software and do not apply vendor patches. They have no security measures in place to protect their websites against attacks. This happens out of overconfidence or a lack of knowledge about security.
New techniques and new vulnerabilities are revealed every day; they may or may not concern you, but any of them may harm the website in some way, so proper security and care of the website are very important. Once users lose confidence because of a website failure, they move to alternatives, which is a loss for the company. Proper security measures are the way to avoid this.

Economic Gains

As the name suggests, this type of hacking is for monetary benefit. Attacks of this kind are known as drive-by downloads and blackhat SEO campaigns. A drive-by download means injecting malicious code into the website and then affecting all of its users by downloading malicious files to their systems, while blackhat SEO refers to redirecting users to different websites they never intended to visit. Either way, users are left with a sense of dismay and a bad impression of the website, which ultimately reduces the number of visits.
Example: downloading malware onto a user's system and harvesting all credentials, such as the usernames and passwords of every website visited, including financial details.

System Resources

This is also a major cause of website hacking: the hackers use resources such as bandwidth and physical server resources for their own illegal purposes. They compromise the website using bots and malicious scripts, which give them access to the server, and they can then use its resources as an administrator.
The bots can be used in different kinds of distributed web attacks, such as DoS attacks, brute-force attacks or other automated attacks against other websites. Because of these illegal activities originating from your website, your host may shut you down, causing a lot of trouble for you and your users.
Example: hacking a site to store pirated software copies and pornographic content, or to take part in DoS and DDoS attacks.

Revenge Hacking or Competition

Because competition for providing services is so high today, there is a greater probability of your website being hacked for the benefit of other websites.
The losses others suffer because of your good service may also come back as a revenge threat. Some group of people may want to bring down your website to give it a bad name and create distrust among its users.
Example: companies A and B are in the same business; A gets hacked, so A's customers go to B for services, eliminating A as a competitor.

Show Off

Several hackers hack websites just for fun and to show off their skills to the hacker community in order to gain name and fame. This kind of hacking has no purpose other than exploiting the security vulnerabilities present in your website. There are many hackers of this kind who continuously look for vulnerable websites and hack them, affecting the website and its services for quite some time.
Example: posting links and screenshots of the defaced website in a public place under a handle and claiming to have hacked it.

Script Kiddies

Script kiddies are people who lack working knowledge of computers and networks and who try to hack websites using scripts written by other hackers, without understanding the process behind them.
Script kiddies do this to make themselves famous among their peers, to gain recognition as a hacker or to attract someone's attention. There is no other motive, and any website with a vulnerability can be exploited by script kiddies, which hinders the website's services and upsets its users.

Conclusion

Your website is your presence online, so it is important to secure it. It also earns you some revenue from advertisements, if it carries any. People are less aware of website security threats than of web application threats, which makes them easy bait for hackers looking to bring down their website.
People will lose trust in your services if your website is hacked, so proper security methods are required to protect your website from these threats; they can be implemented after a security audit by a professional or a security company.
We offer such website security services at a very reasonable price of $99. If you need any kind of security service, contact us at contact@briskinfosec.com

Thursday, 17 March 2016

DIRECTORY TRAVERSAL ATTACK

A directory traversal attack is an HTTP exploit that lets the attacker reach sensitive data, such as usernames and passwords, by traversing the server's directories using crafted path sequences. The attacker gains access to files and folders that are not meant to be public and are intended only for the superuser or root. This attack is also known as the dot-dot-slash attack, directory climbing and backtracking.

TYPES OF DIRECTORY TRAVERSAL ATTACKS

  • URI encoded directory traversal
  • UNICODE/UTF-8 encoded directory traversal
  • ZIP/ARCHIVE traversal attacks

URI encoded directory traversal

Some websites scan query strings for dot dot forward slash (../), dot dot backslash (..\) or plain dot dot (..) to prevent directory traversal attacks. But if we look at how these queries are processed, we find that they are URI encoded, so they are still vulnerable to percent-encoded directory traversals such as:
  • %2e%2e%2f, which translates to ../
  • %2e%2e/, which translates to ../
  • ..%2f, which translates to ../
  • %2e%2e%5c, which translates to ..\

UNICODE/UTF-8 encoded directory traversal attacks

When Microsoft added Unicode support to its web server, a new form of directory traversal attack appeared. Attackers had a new way of encoding the dot dot slash (../) using multi-byte percent encodings such as:
  1. %c1%1c
  2. %c0%af
These decode to the / or \ characters. The percent encodings were decoded into their corresponding 8-bit characters by the Microsoft web server. Microsoft performed the anti-traversal checks without UTF-8 canonicalization, and therefore did not notice that C0 AF (hex) and 2F (hex) decoded to the same character, which let attackers carry out directory traversal against the web server.
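The following Python example is added here and is not code from the original post. It models the decoding flaw described in this section and the percent encodings listed in the previous one, to show why a traversal check must run only after the path has been canonicalized. The function names, the simplified lenient decoder and the sample request values are constructed for the illustration.

```python
from urllib.parse import unquote_to_bytes

def naive_check(raw: str) -> bool:
    """The raw-string blacklist described in the post: look for ../ or ..\\ as typed."""
    return "../" in raw or "..\\" in raw

def lenient_utf8_decode(data: bytes) -> str:
    """Constructed, simplified model of a decoder that accepts overlong two-byte
    sequences: C0 AF becomes '/' and C1 1C becomes '\\'. A strict decoder rejects
    both; keeping only the value bits is exactly what lets the check be bypassed."""
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data):
            out.append(chr(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)

def canonicalize(raw: str) -> str:
    """Percent-decode until the string stops changing (defeats double encoding), then
    decode overlong UTF-8 and fold backslashes so one rule covers ../ and ..\\."""
    text = raw
    for _ in range(4):  # bounded: stop as soon as a pass changes nothing
        decoded = lenient_utf8_decode(unquote_to_bytes(text))
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")

def canonical_check(raw: str) -> bool:
    """Same rule as naive_check, but applied to the form the file system would see."""
    return ".." in canonicalize(raw).split("/")

# Constructed request values built from the encodings listed in the post.
SAMPLES = ["%2e%2e%2fetc/passwd", "..%2fetc/passwd", "%2e%2e%5cetc%5cpasswd",
           "..%c0%afetc/passwd", "..%c1%1cetc/passwd", "%252e%252e%2fetc/passwd"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28} naive={naive_check(s)!s:5} canonical={canonical_check(s)}")
```

Every value in SAMPLES slips past naive_check and is caught by canonical_check, which is the whole point of canonicalizing before filtering.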

ZIP/ARCHIVE TRAVERSAL ATTACKS

This type of attack is carried out by supplying a zip or other archive whose entries contain traversal sequences, so that extracting it overwrites files elsewhere on the file system. Code that decompresses archives should be written to check that the paths of the files in the archive do not engage in path traversal.

EXAMPLE OF DIRECTORY TRAVERSAL ATTACK

A URL of the following type can be attacked:
http://www.somewebsite.com/itemone.php?page=notification.php
Now let's assume that the web server is running on a UNIX-like operating system. Then there will be a directory 'etc' on Unix/Linux that contains the configuration files of programs running on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile and sbin; 'etc' is a standard directory, so it can be found at a known level of the file system hierarchy.
To check for the directory traversal attack, we make an adjustment to the given URL: we alter the path to point at the desired directory.
http://www.somewebsite.com/itemone.php?page=../../../../etc/passwd
Each dot dot slash (../) takes you up one directory level, so how many dot dot slash (../) sequences you need in order to reach the desired location depends entirely on the hierarchy.
If you reach the desired location, i.e. the passwd file, you get its contents, which can give out valuable information such as usernames and password details.

IMPACT OF DIRECTORY TRAVERSAL ATTACK

This attack can leak sensitive data stored in folders that are not meant to be viewed by the public, such as usernames and passwords. Using that data, the attacker can gain administrative access as root and exploit the web server accordingly.
The attacker can erase, edit or sell the gathered data, which would be an even greater breach. The attacker can also install malicious programs such as malware, viruses, backdoors and rootkits.
Attackers can also download files from the server, execute commands and expose the source code, which may lead to further attacks.

CONCLUSION

Given the severity of the attack and its highly undesirable impact, one should take every measure to protect against it. These measures include updating the web server regularly and patching all known vulnerabilities as soon as possible.
The data can also be kept on a different drive, since traversing to other drives is not possible through this type of attack. Effectively filter all user input: ideally remove everything but the known good data, and filter metacharacters from the user input.
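As an added example (not from the original post), the following Python shows how the ?page= parameter from the itemone.php example should be resolved so that a ../../../../etc/passwd request is rejected: an allowlist of known good page names, plus a realpath containment check as an independent second layer. The document root, page names and allowlist are constructed for the illustration.

```python
import os
import tempfile

# Constructed allowlist: the only page names itemone.php is ever allowed to include.
ALLOWED_PAGES = frozenset({"notification.php", "home.php"})

def is_contained(base_dir: str, candidate: str) -> bool:
    """True only if candidate, after '..' and symlinks are resolved, lies under base_dir.
    commonpath is used rather than startswith so '/var/www' does not match '/var/www2'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base

def resolve_page(base_dir: str, page: str) -> str:
    """Resolve the ?page= parameter: known-good names first (the post's 'remove everything
    but the known good data'), then the containment check as a second, independent layer."""
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist: %r" % page)
    if not is_contained(base_dir, page):
        raise ValueError("page escapes the document root: %r" % page)
    return os.path.join(os.path.realpath(base_dir), page)

def demo() -> dict:
    """Build a throwaway document root holding one real page and one symlink that points
    outside it, then report which requests the containment check accepts."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "htdocs")
        os.mkdir(docroot)
        open(os.path.join(docroot, "notification.php"), "w").close()
        outside = os.path.join(root, "secret.txt")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(docroot, "link.php"))  # symlink escaping the root
        return {
            "plain": is_contained(docroot, "notification.php"),        # True
            "dotdot": is_contained(docroot, "../../../../etc/passwd"),  # False
            "symlink": is_contained(docroot, "link.php"),              # False
            "absolute": is_contained(docroot, "/etc/passwd"),          # False
        }

if __name__ == "__main__":
    print(demo())
```

The symlink case is why a string-prefix check on the unresolved path is not enough: the name looks local, but realpath shows it leaving the document root.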

WebsitePentest:

We, Brisk Infosec, provide website security services for any organization. We guarantee to secure your websites from vulnerabilities and attacks, with an ethical touch. We offer website security services for $99. Website security organizations are like a black cat in a coal cellar, very hard to find. Brisk Infosec is one of them, with professional security analysts, services at economical fixed prices and, most importantly, a trustworthy organization.
Reach us at websitepentest@briskinfosec.com
  • You do not need to pay if you are not vulnerable
  • You do not need to pay before testing
  • We just need your website along with official confirmation.
Still thinking about reaching us? Well, there is a high probability that an intruder has already found a loophole into your website by now! "Before they start, we will stop and secure you!!" Hurry and send us an email.

Wednesday, 16 March 2016

Is your WEB SITE safe? No, I’m not asking about your web Application!

You got the question, right? Well-nigh everyone chooses web applications over websites, which shows that websites are unfortunately prone to security risk. Websites contain only information, whereas a web application is a service built on top of a website, i.e. it performs certain tasks and interacts with the users.

Web application security is expensive and yields more profit for security companies, which is why security companies concern themselves with web applications but not websites. Websites have static content: the data displayed is the same for every visitor and content changes are infrequent. Web applications are dynamic and ever-changing; they rely on user interaction and the content contributed to them. Everyone cares about web applications because they hold interactive information, but they forget websites, the origin. Can't believe it? Google it yourself and check the priorities!

"Web apps are the new future! Websites are your past and present, and they can make your future pleasant or unpleasant!! Better treat them the right way." Comparing the two, websites are more numerous, and so are their security issues. Most web application source code is kept confidential for security purposes, whereas website source code is often openly available. This is one main reason why websites are easily compromised.

Website compromising: the intentions behind it!
  • Theft of personal or sensitive data.
  • Devastating the reputation.
  • Altering website content.
  • Intercepting confidential data.
  • Making services unavailable by performing DoS attacks.
Website Security Glitch!
Websites contain both general and confidential information, such as employee details, contact information and so on.
  • The reputation of the organization or institution is devastated.
  • Website compromise often leads to a major attack (preparation phase).
  • The initial phase of any attack is information gathering, which starts from the corresponding websites.
  • Phishing attacks are often carried out using the contact details.
Security Measures
  • Using cross-platform compatible encryption: choose an encryption method that supports all platforms and does not unnecessarily limit the user base.
  • Managing the website via encrypted connections: avoid unencrypted connections such as plain FTP or HTTP; managing the site over encrypted connections prevents man-in-the-middle and login/password sniffing attacks.
  • Data validation: any input given by the user must be validated; this avoids attacks like SQL injection.
  • Encrypted login pages: authentication checks validity, whereas encryption maintains it.
Conclusion:
Remember the proverb? "Elephants are not afraid of mice, but terrified by ants." Got it now? However reputed your organization is, a small attack on your website can destroy everything, or almost everything. Top companies are concerned only about web applications (the mice), not the websites (the ants), because the mice are the profit yielders while websites are their assets. Websites are a huge part of the web and play a vital role in offering information. The more information, the sooner it gets compromised. Discovering the vulnerabilities and threats is a difficult task. People who call themselves hackers without much knowledge often try their skills here, so unknown threats like these pose more risk than identified threats. Thus security for websites is more significant.
