Web Server Vulnerabilities
I have to say that this sub-chapter is proving to be a bit of a headache, because the subject of cyber security, web security, internet security, malware, types of cyberattacks and so forth is so ever-changing that it’s a challenge just to highlight a few cases, because all of them are possible, and probable, in the ever-vulnerable world of the internet.
As per PentaSecurity: Cyberattacks on web applications are increasingly common. As more and more governments and businesses move their services online, web applications become an easy target for cybercriminals. Web attacks are one of the biggest threats to corporate security and data security.
What is a web application?
- A web application is an application program that is installed on a remote server and delivered through the internet, with the website being the user interface. Think about email, social media, and e-commerce sites — you are basically using these applications on the web without having to install them locally on your computer.
So in other words, a web application is exactly the type of service my website is providing.
As per Cisco: A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network.
Cyber threats nowadays typically consist of the following types:
- Advanced Persistent Threats
- Phishing
- Trojans
- Botnets
- Ransomware
- Distributed Denial of Service (DDoS)
- Wiper Attacks
- Intellectual Property Theft
- Theft of Money
- Data Manipulation
- Data Destruction
- Spyware/Malware
- Man in the Middle (MITM)
- Drive-By Downloads
- Malvertising
- Rogue Software
- Unpatched Software
Under Spyware/Malware we have:
- Cross-site scripting (XSS) attack — which is when a website has a vulnerability that allows the injection of scripts. Attackers exploit such vulnerabilities and inject malicious JavaScript into the website’s database. When a user later requests this data, the user’s web browser executes the malicious JavaScript. This allows the attacker to steal the browser’s cookies for session hijacking. Hackers can then use the session information to exploit additional vulnerabilities, possibly gain network information and control the user’s computer. This is especially critical for the corporate environment, as one XSS attack could compromise the whole network.
But this was not the case, as my site had no JavaScript, nor PHP.
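The stored-XSS scenario described above, as an added Python example that is not code from the original article: the vulnerable renderer concatenates database content straight into HTML, the hardened one escapes it at output time, and an HttpOnly session cookie limits what a script could read even if one did run. The comment data, the cookie name and the page layout are constructed for the illustration.

```python
import html

# Constructed sample data: comments as they would come back from the database.
# The second entry is a constructed stored-XSS payload, not captured traffic.
STORED_COMMENTS = [
    "Nice article!",
    "<script>alert(document.cookie)</script>",
]


def render_comments_unsafe(comments):
    """Vulnerable pattern: database content is concatenated straight into HTML,
    so a stored <script> tag is delivered to every visitor's browser and run."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    """Hardened pattern: every untrusted string is HTML-escaped at output time,
    so the browser shows the payload as text instead of executing it."""
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def session_cookie_header(session_id):
    """Defence in depth: an HttpOnly session cookie cannot be read through
    document.cookie even if a script slips through (cookie name is assumed)."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_active_script(rendered_html):
    """Check used below: does the rendered output still carry a live <script> tag?"""
    return "<script>" in rendered_html.lower()


if __name__ == "__main__":
    print(render_comments_unsafe(STORED_COMMENTS))
    print(render_comments_safe(STORED_COMMENTS))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Escaping belongs at the point where data enters HTML, not at the point where it is stored: the same string may later be sent to a JSON API or a log file, each of which needs its own encoding.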
- OS command injection attack — An OS command injection is when attackers input operating system (OS) commands into the server that is running the web application. It differs from an SQL injection because it enters from the server side instead of the application side. However, the consequences are very similar to an SQL injection attack, where attackers can take full control of the application. Attackers can command the application to display sensitive information, as well as modify and delete data. The application can also be used to compromise other parts of the corporate network, leading to further attacks within the organization.
This was not the case, as I was only displaying stuff, like a poster on a wall.
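The injection point described above, as an added Python example (not code from the original article): the vulnerable helper pastes user input into a command string that a shell would later parse, while the hardened helper validates the value against a hostname allow-list and passes an argument list with shell=False, so no shell ever sees the input. The ping command and the hostname rule are assumptions for the illustration.

```python
import re
import subprocess

# Assumed rule for the illustration: a hostname starts with a letter or digit and
# contains only letters, digits, dots and hyphens. Requiring an alphanumeric first
# character also stops a value such as "-f" from being read by ping as an option.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_ping_unsafe(host):
    """Vulnerable pattern: user input is pasted into a command string that is
    later handed to a shell (os.system, or subprocess with shell=True). A value
    such as "example.com; id" makes the shell run a second command."""
    return f"ping -c 1 {host}"


def host_is_accepted(host):
    """Allow-list validation: True only for values that look like a hostname."""
    return HOSTNAME_RE.match(host) is not None


def build_ping_safe(host):
    """Hardened pattern: validate first, then build an argument list. Each list
    element reaches ping as exactly one argument; no shell parses the string."""
    if not host_is_accepted(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Run the hardened command with shell=False and return ping's exit code."""
    return subprocess.run(build_ping_safe(host), shell=False,
                          capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    print(build_ping_unsafe("example.com; id"))  # the injected text survives intact
    print(build_ping_safe("example.com"))         # ['ping', '-c', '1', 'example.com']
```

The argument list is the real fix; the regex is a second layer that also keeps option-like values away from the called program.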
- LDAP injection attack — Lightweight Directory Access Protocol (LDAP) is a software protocol mostly used for corporate intranets. It enables anyone on the network to find resources from its directory, such as other individuals, devices, files, as well as usernames and passwords as part of a single sign-on (SSO) system. An LDAP injection attack is when a vulnerability allows attackers to send queries without proper validation. Attackers could then alter the queries to gain access to critical resources, leading to devastating consequences.
This again was not the case, as there was no link between my database (which is mainly unused) and the website.
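The "queries without proper validation" point above, as an added Python example that is not code from the original article: the vulnerable filter concatenates the raw username, so characters with filter meaning change the query, while the hardened filter applies RFC 4515 escaping so the value can only match literally. The attribute names (uid, objectClass=person) are assumptions.

```python
# RFC 4515 escaping for characters that carry meaning inside an LDAP search
# filter. Each one is replaced by a backslash and its two-digit hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value):
    """Escape a user-supplied value before placing it inside a filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username):
    """Vulnerable pattern: the raw username is concatenated into the filter, so
    a value containing '*', '(' or ')' changes the meaning of the query."""
    return f"(&(uid={username})(objectClass=person))"


def build_login_filter_safe(username):
    """Hardened pattern: the username is escaped and can only match literally."""
    return f"(&(uid={escape_ldap_filter_value(username)})(objectClass=person))"


if __name__ == "__main__":
    print(build_login_filter_unsafe("admin*"))  # wildcard: matches admin, admin2, ...
    print(build_login_filter_safe("admin*"))    # literal: matches only the text "admin*"
```

Values that are placed in a distinguished name (rather than a filter) follow a different escaping rule (RFC 4514), so the two must not be mixed up.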
- Brute force attack — A brute force attack, sometimes called a password attack, is one of the simplest forms of web attacks. The hacker simply tries different combinations of usernames and passwords repeatedly until they log into the user’s account. Take a standard eight-character password, for example: 52 letters (uppercase and lowercase) and 10 digits provide 62 possible characters, making a total of 62^8 = 2.1834011×10^14 possible combinations. Of course, it would take years for a single computer to try all the combinations. But when hackers gain control of multiple computers or develop a powerful software-based computing engine, things can become very easy.
This was indeed the case, as you can see in the snapshot below.
I removed the "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" part from the end because it was useless to prove my point.
208.168.239.183 - - [23/Feb/2021:04:47:23 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 16536
208.168.239.183 - - [23/Feb/2021:04:47:24 +0100] "GET /phpmyadmin/index.php?pma_username=popa3d&pma_password= HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:25 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=bitnami HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:26 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=root HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:27 +0100] "GET /phpmyadmin/index.php?pma_username=test&pma_password=test HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:27 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=mysql HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:28 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password= HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:29 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=123456 HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:30 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=123 HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:31 +0100] "GET /phpmyadmin/index.php?pma_username=admin&pma_password=admin HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:31 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=admin HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:32 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=password HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:33 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=toor HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:34 +0100] "GET /phpmyadmin/index.php?pma_username=wordpress&pma_password=wordpress HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:34 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=1234 HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:35 +0100] "GET /phpmyadmin/index.php?pma_username=joomla&pma_password=joomla HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:36 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=0 HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:37 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=12345 HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:37 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=test HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:38 +0100] "GET /phpmyadmin/index.php?pma_username=user&pma_password=user HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:39 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=letmein HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:40 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=root123 HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:40 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=dbadmin HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:41 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=r00t HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:42 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=qwerty HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:43 +0100] "GET /phpmyadmin/index.php?pma_username=popa3d&pma_password=popa3d HTTP/1.1" 200 16535 "-"
208.168.239.183 - - [23/Feb/2021:04:47:44 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=123456789 HTTP/1.1" 200 16535 "-"
There were many other IPs like this one. You might think they are foolish and naive to try such things, but funnily enough they are successful in 34% of cases, unbelievable but true!
There was one guy who literally tried breaking into my web server with his username and no password :)) — he sent something like 56 requests in less than 20 seconds. This brings me to the last type of attack:
- Denial-of-service (DoS) / distributed denial-of-service (DDoS) attack
A denial-of-service attack is when an attacker sends an enormous amount of traffic to a website in an attempt to overwhelm the hosting server, to disrupt and even paralyze the service. What’s more, websites renting cloud servers with volume-based pricing could be charged an astronomical amount by the service provider. A distributed denial-of-service attack is the same concept, except that this time the hacker gains illegal control over a number of computers to launch the attack on a larger scale.
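Both the phpMyAdmin credential-guessing log above and the 56-requests-in-20-seconds burst are the same detection problem: count what one source IP does inside a short time window. The following Python is an added example, not code from the original article or from any tool it mentions. It parses combined-log lines into records, finds the busiest window per IP for login attempts and for all requests, and flags brute force and flood candidates. The sample lines are constructed (documentation-range IPs, made-up credentials), and the thresholds and login path are assumptions to tune for a real server.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, modelled on the combined-log lines shown above. The IPs
# come from the RFC 5737 documentation ranges and the credentials are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Feb/2021:04:47:23 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 16536 "-"',
    '203.0.113.5 - - [23/Feb/2021:04:47:24 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=guess1 HTTP/1.1" 200 16535 "-"',
    '203.0.113.5 - - [23/Feb/2021:04:47:25 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=guess2 HTTP/1.1" 200 16535 "-"',
    '203.0.113.5 - - [23/Feb/2021:04:47:26 +0100] "GET /phpmyadmin/index.php?pma_username=admin&pma_password=guess3 HTTP/1.1" 200 16535 "-"',
    '203.0.113.5 - - [23/Feb/2021:04:47:27 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=guess4 HTTP/1.1" 200 16535 "-"',
    '203.0.113.5 - - [23/Feb/2021:04:47:27 +0100] "GET /phpmyadmin/index.php?pma_username=test&pma_password=guess5 HTTP/1.1" 200 16535 "-"',
    '203.0.113.5 - - [23/Feb/2021:04:47:28 +0100] "GET /phpmyadmin/index.php?pma_username=admin&pma_password=guess6 HTTP/1.1" 200 16535 "-"',
    '198.51.100.7 - - [23/Feb/2021:04:50:01 +0100] "GET / HTTP/1.1" 200 5120 "-"',
    '198.51.100.7 - - [23/Feb/2021:04:50:03 +0100] "GET /about.html HTTP/1.1" 200 2048 "-"',
    'not a log line at all',
]

# ip, ident, user, [timestamp], "METHOD path PROTOCOL", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    query = parse_qs(url.query)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": url.path,
        "status": int(m.group("status")),
        "user": query.get("pma_username", [None])[0],
    }


def max_in_window(times, window_s):
    """Largest number of events that fall inside any window_s-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bursts(lines, window_s=60, login_threshold=5, rate_threshold=30,
                login_path="/phpmyadmin/index.php"):
    """Per source IP: busiest window for login attempts and for all requests.
    'brute_force' flags credential guessing; 'flood' flags a request burst that
    a rate limiter should absorb. Thresholds and login_path are assumptions."""
    all_ts, login_ts, users = defaultdict(list), defaultdict(list), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than crash the detector
        all_ts[rec["ip"]].append(rec["ts"])
        if rec["path"] == login_path and rec["user"] is not None:
            login_ts[rec["ip"]].append(rec["ts"])
            users[rec["ip"]].add(rec["user"])
    report = {}
    for ip, ts in all_ts.items():
        logins = max_in_window(login_ts[ip], window_s)
        reqs = max_in_window(ts, window_s)
        report[ip] = {
            "login_attempts_in_window": logins,
            "requests_in_window": reqs,
            "distinct_users": len(users[ip]),
            "brute_force": logins >= login_threshold,
            "flood": reqs >= rate_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

Note that the sample lines all return status 200 because phpMyAdmin answers a failed login with the login page again; counting attempts rather than error codes is what makes the detector work on this kind of traffic. The same per-IP window count is the input a rate limiter or fail2ban-style blocker would act on.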
I hope that this article has been a valuable resource for you, and that you have gained some useful insights on the types of threats that are out there and can impact your web app.
Bogdan Tudorache | Founder @ berrynews.org