In most articles about hacking you follow attacks by groups like Anonymous, LulzSec and AntiSec. You have also heard about websites and platforms that have been hacked, such as Sony earlier this year. But are you aware of the methods used to break these services?
There are many tools and techniques that some hackers use to reach their goals, but I will not hand you all of that ready-made. Here I will briefly explain the operating principle of the two best-known attacks on the web.
— DDoS (Distributed) Denial of Service
— SQL injections or SQLi
DDoS attacks (Distributed) Denial of Service
First of all what is a DDoS attack?
A Denial of Service attack (also known, in its distributed form, as Distributed Denial of Service or DDoS) aims to make a service unavailable. Here I take the example (as in the diagram above) of an attack on a web server that floods the network to prevent it from operating. As you will have understood, the objective of a successful DDoS attack is to render the website inoperative for everyone.
How does it work?
In a DDoS attack, it’s all about logistics.
And there is nothing like an example to explain it all.
Take a good million malicious people coming together to sabotage the business of company X through its call center. They coordinate their actions, say Friday at 10 am, so that they all call company X at the same time. The company will be bombarded with millions of phone calls and will probably not cope. The result is that legitimate customers wanting to call this company will struggle to reach it.
A DDoS attack on a web server works exactly the same way. Indeed, there is virtually no way of knowing whether the generated traffic comes from legitimate requests or from hackers. It is a type of attack that is usually very effective but requires substantial resources, depending on the targeted server.
Implementation of the attack
A DDoS attack works practically like brute force: it takes a fairly large number of computers, all coordinated to attack simultaneously.
Following the call-center example, you can imagine that it is rather difficult to directly control thousands of computers to attack a server. This is where zombie machines come in.
As you probably know, there is a multitude of malware and trojans that, once installed on a system, lie dormant pending instructions from the hacker who created them.
One such instruction could be, for example, to send multiple requests to a web server. So a single hacker who has infected several thousand computers could use them to perpetrate the attack.
With the use of multiple botnets it is generally very difficult to trace the source of such attacks, because the hacker does not have to use his own machine to carry out the action (other than to control the botnets, but that goes without saying).
SQL injections or SQLi
What is SQL injection?
A SQL injection is an exploit, that is to say the use of a security flaw in an application connected to a database. Typically such flaws stem from the bad programming practices of some developers. ^^
This attack can compromise a database, or even the server, if the user the application uses for the database has system rights. But unlike a DDoS attack, a SQLi attack can easily be avoided if the web application is programmed correctly.
Implementation of the attack
When you want to log in to a web site, you enter your user name and password. To check these values, the web application will make a query of this type:
SELECT user_id FROM users WHERE username = 'myuser' AND password = 'mypass';
Note that string values must be enclosed in single quotes.
Thus the combination of username (myuser) and password (mypass) must match a row in the users table for a user_id to be returned.
If no row matches, no user_id is returned, and so the login with the entered password is invalid.
However, if a user enters a value that can be interpreted as part of the query, then your application is susceptible to SQL injection.
Suppose myuser'-- is entered in the username field with any password. This would give:
SELECT user_id FROM users WHERE username = 'myuser'--' AND password = 'mypass';
The key to this query is the inclusion of two hyphens (--). This is the token that starts a comment in an SQL query, so everything after the two dashes is ignored. The query executed will be:
SELECT user_id FROM users WHERE username = 'myuser'
As you will have noticed, the most glaring omission here is the verification of the password! By including the two dashes in the username field, the password is completely ignored. This is called a SQL injection.
If we imagine that the site has full control over its database, the consequences can be quite devastating. This can give the hacker the ability to delete, create or edit database records, etc.
To illustrate the damage that can be caused, consider this query as an example:
SELECT user_id FROM users WHERE username = 'lama'; DROP TABLE users; --' AND password = 'mypass';
Here we have entered lama'; DROP TABLE users; -- in the username field. The semicolon ends one statement and starts a new one. DROP TABLE users; will delete the users table in the database. Basically, the queries executed by the database will be:
SELECT user_id FROM users WHERE username = 'lama';
DROP TABLE users;
Of course, depending on the SQL permissions, the hacker can do a lot worse, such as clearing the entire database, creating new logins, etc.
Protecting against SQL injection
SQL injection can easily be prevented by "sanitizing" or "escaping" the data. In this way a string inside a query cannot be terminated prematurely.
For example, to search for the user name Wada in the database you are forced to escape the single quote after the L. So you can "sanitize" the string by inserting a backslash (\).
Returning to the previous SQL injection example with the value myuser'--:
SELECT user_id FROM users WHERE username = 'myuser\'--' AND password = 'mypass';
With the single quote after myuser escaped, the database will search for the user name myuser'--. So the query is executed in full and includes the second condition on the password.
There are several methods to escape a string in a query. In PHP, for example, you can use mysql_real_escape_string() to escape a string in a query.
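// ext/mysql API: deprecated in PHP 5.5 and removed in PHP 7.0.
// Each value is escaped before it is placed between the single quotes.
$sql  = "SELECT user_id FROM users";
$sql .= " WHERE username = '" . mysql_real_escape_string("myuser'--") . "'";
$sql .= " AND password = '" . mysql_real_escape_string("mypass") . "'";
$res  = mysql_query($sql);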
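The mysql_* functions used above were removed in PHP 7.0, and the usual alternative to escaping is a parameterized (prepared) query, where the input never becomes part of the SQL text. The following is an added example, not code from the original article: it runs the article's login query both ways against constructed data. It assumes PDO with an in-memory SQLite database in place of the site's MySQL server, and the function names loginConcat and loginPrepared are hypothetical.

```php
<?php
// Added example, not the article's code. Constructed data; an in-memory
// SQLite database (assumption) stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// Plaintext password only to mirror the article's query; store a hash in practice.
$db->exec("INSERT INTO users (username, password) VALUES ('myuser', 'mypass')");

// Before: user input is concatenated into the SQL text, as in the article's query.
function loginConcat(PDO $db, string $user, string $pass): ?int
{
    $sql = "SELECT user_id FROM users WHERE username = '$user' AND password = '$pass'";
    $id = $db->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// After: placeholders keep the input out of the SQL text; the driver binds it as data,
// so a quote or "--" in the value is compared literally against the column.
function loginPrepared(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed test inputs: (username, password) as typed into the login form.
$cases = [
    ['myuser', 'mypass'],      // correct credentials
    ['myuser', 'wrong'],       // wrong password
    ["myuser'--", 'anything'], // the article's injection value
];
foreach ($cases as [$u, $p]) {
    printf("%-12s %-9s concat=%-5s prepared=%s\n", $u, $p,
        var_export(loginConcat($db, $u, $p), true),
        var_export(loginPrepared($db, $u, $p), true));
}
```

For the third input the concatenated query returns the user_id without checking the password, while the prepared query returns no row because no user is literally named myuser'--.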
In summary:
That is just about everything you need to know about DDoS attacks and SQL injections. And although attacks on the web are changing, becoming more sophisticated or moving to other types of vulnerabilities, it is important to remember that in general they come down to negligence on the part of the developer(s).