I'm finally finished with exams and have two months of "free" time to complete all the things I've been playing with. I was checking out some security/hacking material a few days ago (I suppose your terminology depends on which side you sit on). I've been trying to learn a few things about security, since I don't want my own system compromised, and I came upon a few articles on "Google hacking" which made me realize a few things.

From what I can see, there are two approaches to hacking. The first is what I'd call a shotgun approach: you shoot everywhere and hope to hit something. Continuing with the gun analogy, the other approach is that of a sniper, who identifies a single target and aims only at it. Both approaches serve a hacker's needs, depending on what they are looking for. Hacking usually comes down to identifying a vulnerability and exploiting it, and Google helps with the shotgun approach because it has already indexed millions of servers: a search for certain strings turns up pages that indicate a specific vulnerability or weakness. For example, exception messages (stack traces) that are displayed to the end user get crawled and cached by Google and can be looked up later by anyone. These give a hacker a lot of information that can be used to break into the system. If an SQL exception is thrown and displayed with table and/or column names in it, those names can be used to craft an SQL injection attack. And if a web application concatenates the username and password from the form straight into its SQL query without any validation, entering a few characters, including the SQL comment sequence, in the username or password field can bypass authentication completely. So using nothing but Google, a hacker can find and break into many web applications.

The lessons learned? I never realized the danger in letting uncaught exception messages reach the end user (apart from the poor impression they make): search engines cache them, and the stack trace becomes a public map of the application's internals. The second is an old one: make sure form fields are checked for invalid characters and, more importantly, pass user input to the database as bound parameters rather than building the query by string concatenation, since character filtering on its own is easy to get wrong.
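Here is how the comment-character bypass works in code, with the fix beside it. This is an added example, not code from the original post; it assumes an SQLite in-memory `users` table with made-up credentials standing in for a real login form, and it uses Python's standard `sqlite3` module.

```python
import logging
import sqlite3

# Constructed sample data: an in-memory table standing in for the application's
# user store. Names and passwords are made up for this example; a real app would
# store password hashes, not plaintext.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct-horse-battery"), ("alice", "s3cret")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The pattern the post warns about: form fields concatenated straight into
    the SQL text, so quote and comment characters are parsed as SQL.
    Returns the matched username, or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: the same values are bound as data, so an attacker's
    quotes and comment markers are compared literally, never parsed."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def probe_error(conn, username, password):
    """Returns the database error text an unhandled exception would carry to the
    page (and on into Google's cache), or None if the query ran. A stray quote
    is enough to break the concatenated statement."""
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        return f"{type(exc).__name__}: {exc}"
    return None

def render_login(login_fn, conn, username, password):
    """The boundary a web handler should enforce: database errors are logged
    server-side and the client only ever sees a generic message."""
    try:
        user = login_fn(conn, username, password)
    except sqlite3.Error:
        logging.exception("login query failed")  # detail stays in the server log
        return "Login failed"
    return f"Welcome, {user}" if user else "Login failed"

if __name__ == "__main__":
    db = make_db()
    # Comment sequence in the username field: the password check is commented out.
    print(login_vulnerable(db, "admin'--", "wrong"))      # admin
    # Tautology in the password field: the WHERE clause is true for every row.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))  # admin
    print(login_safe(db, "admin'--", "wrong"))            # None
    print(probe_error(db, "x'", "y"))                     # OperationalError: ...
    print(render_login(login_vulnerable, db, "x'", "y"))  # Login failed
```

Note that `login_safe` needs no character blacklist at all: the driver sends the values separately from the statement, so `admin'--` is simply a username nobody has. Filtering quotes is a defence in depth, not the fix.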

These methods are not new, but they are highly effective. I managed to access a few servers by searching for admin login pages and trying a few different default usernames and passwords. How stupid can administrators be? Again, a lesson to be learned: make sure that the default user account is switched off!
