
Introduction to Hacking

By Tim Trott, Wednesday 10th July 2013 in Security & Privacy

An essential guide on how websites get hacked through software exploits and bad programming practices. The guide shows you the tools hackers use, what they look for and how to protect your code from vulnerabilities, exploits and eavesdropping.

The aim of this hacking and security tutorial series is to provide application developers with the knowledge of how exploits in their code can be used against the application and how a simple validation error can cause a data breach.

A Brief History of Hacking

The term hacking dates back to the early 1950s, when it was a positive label given to a group of students at MIT who came up with some ingenious campus pranks. The pranks started way back in 1926, when a group of students "parked" a car on the wall of the dormitory building. The term hacker was coined in the early 1950s, when MIT computer gurus started to push computer systems beyond their defined limits. They would often find and exploit security holes in computer systems based purely on curiosity: curiosity about what the system did, how the system could be used, how the system did what it did, and why it did what it did.
In 1926, a group of MIT students decided it would be a good idea to hoist an actual car up the side of a building - the Class of 1893 Dormitory

Photo Source: MIT

Over time, these exploits were used for more sinister purposes, and hacking became a bad thing. Personal and confidential data, and money, were stolen from computer systems, and hackers were labelled the enemy. There are two main categories of hackers: white hat and black hat. White hat hackers, the so-called ethical hackers, attempt to breach security but don't perform any malicious acts. Instead they report their findings so that the vulnerability may be fixed and a reward given. Black hat hackers hack systems in a malicious way, either to deface a website, steal data or cause damage, whether physical, financial or through loss of reputation.

Introduction to Hacking

The tools and techniques presented here are not language or platform specific; it does not matter whether you are writing a PHP application, ASP.Net Web Forms or MVC, nor whether you use IIS, Apache, nginx or any other server technology. The practices are the same regardless.

Tools Involved

It may surprise you to learn that all you really need to hack a website is Google Chrome, Firefox or IE with developer tools, plus Fiddler, the free web debugging proxy. There are other tools which offer more automated or brute force attempts, but the techniques are just as valid, so I'll show you how Chrome's developer tools combined with Fiddler can be used to identify risks and secure your website.

Google Chrome

Google Chrome is my web browser of choice. Not only is it the fastest and lightest browser on the market, it also features a number of really useful developer options out of the box. Additionally, there is a large marketplace for third party plugins which further extend this functionality. Firefox is also a good browser and offers just as good developer tools and plugins; however, I found over recent releases that it was getting a bit bloated and slow. Although I use Google Chrome and Chrome Developer Tools in this article, the process is the same when using the Firefox tools.

Pro Tip: Using Chrome's "Incognito" mode is very handy, as it automatically clears down all the cookies, cache and history information when the tab is closed. This means that when you open it up again, you are working with a fresh version of the site. All the past history is gone.

Google Chrome Developer Tools

Developer Tools are accessed using the F12 key. This will open up a new window (or a docked panel). There is a lot of stuff that goes on in the developer tools, but for this tutorial we are going to focus on Elements, Network and Resources.

Chrome Developer Tools

The Elements tab breaks down the DOM (Document Object Model) and allows you to drill down into the HTML markup. You can also access the elements quickly by right clicking on the web page and selecting "Inspect Element" from the context menu. In the Elements tab you can directly manipulate the DOM and add or remove elements, attributes or values.

The Network tab allows you to view the network activity for the page. It lists all the requests to the server, the files downloaded, the timings for each request and the status codes.

Finally, the Resources tab shows things like the images, CSS and fonts used, the cookies for the page and anything that uses local storage. We can use this when we work with cookies later on.

For this tutorial there is a Chrome plugin that we are going to use. It's called Cookie Inspector and is available on the Chrome web store. There are other plugins available; however, I like this one because it integrates well with the developer tools. Cookie Inspector will allow us to manipulate cookies set by a website and change the values before they are sent back to the website.

Fiddler

The other application we are going to be using is Fiddler. This application is a free HTTP debugging proxy, which basically means it captures HTTP traffic to and from your computer and a server. It allows you to inspect and analyse these captured requests and responses, look at the headers, any form data submitted and the body content. You can also compose your own HTTP requests and analyse the results from the server.
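Both tools above make the same point from the server's side: anything the browser sends, whether a cookie edited with Cookie Inspector or a whole request composed in Fiddler, is under the client's control, so the application must verify it rather than trust it. The following is an added example (not code from the original article, and not tied to any particular framework) of how a server can defend against both: it parses a raw HTTP request of the kind a debugging proxy displays, checks that the session cookie carries a valid HMAC signature so an edited value is detected, and validates the form fields against a server-side allowlist instead of relying on the page's dropdowns and maxlength attributes. The secret key, the `/checkout` path, the catalogue and the request text are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed example secret; a real application loads this from protected configuration.
SECRET_KEY = b"example-secret-key-not-for-production"

# Constructed catalogue: the server decides which items exist and what they cost,
# so a price or item id sent by the client is never trusted.
CATALOGUE = {"sku-100": 1999, "sku-200": 499}  # pence
MAX_QUANTITY = 10


def sign_cookie(value: str) -> str:
    """Return 'value.signature'. Editing the value invalidates the signature."""
    sig = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{sig}"


def verify_cookie(signed: str):
    """Return the original value if the signature matches, otherwise None."""
    value, sep, sig = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest gives a constant-time comparison of the two digests.
    if not hmac.compare_digest(expected, sig):
        return None
    return value


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_cookies(header: str) -> dict:
    """Turn 'a=1; b=2' from a Cookie header into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def handle_checkout(raw: str) -> dict:
    """Process a checkout request, validating everything the client could have edited."""
    method, path, headers, body = parse_raw_request(raw)
    if method != "POST" or path != "/checkout":
        return {"status": 404}

    # 1. Session cookie: reject if missing, unsigned or tampered with.
    cookies = parse_cookies(headers.get("cookie", ""))
    user = verify_cookie(cookies.get("session", ""))
    if user is None:
        return {"status": 401, "reason": "invalid or tampered session cookie"}

    # 2. Form fields: re-check server side what the HTML form merely suggested.
    form = parse_qs(body, keep_blank_values=True)
    item = form.get("item", [""])[0]
    quantity = form.get("quantity", [""])[0]
    if item not in CATALOGUE:
        return {"status": 400, "reason": "unknown item"}
    if not quantity.isdigit() or not 1 <= int(quantity) <= MAX_QUANTITY:
        return {"status": 400, "reason": "quantity out of range"}

    # 3. Price is computed from server-side data, never taken from the request.
    total = CATALOGUE[item] * int(quantity)
    return {"status": 200, "user": user, "item": item, "total": total}


def build_request(cookie_header: str, body: str) -> str:
    """Assemble a constructed raw request, like one composed in a debugging proxy."""
    return (
        "POST /checkout HTTP/1.1\r\n"
        "Host: shop.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Cookie: {cookie_header}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


if __name__ == "__main__":
    genuine = "session=" + sign_cookie("user:42")
    print(handle_checkout(build_request(genuine, "item=sku-100&quantity=2")))
    # Cookie value edited in the browser, signature left as it was:
    forged = genuine.replace("user:42", "user:1")
    print(handle_checkout(build_request(forged, "item=sku-100&quantity=2")))
    # Quantity outside what the form's dropdown offered:
    print(handle_checkout(build_request(genuine, "item=sku-100&quantity=999")))
```

The same three checks apply whatever the change made on the client: removing a `disabled` attribute in the Elements tab, editing a cookie, or replaying a request with different form values all arrive at the server as plain text, and only the server-side verification decides whether they are honoured.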

Fiddler Debugging Proxy


About the Author

Tim Trott

Tim is a professional software engineer, designer, photographer and astronomer from the United Kingdom. You can follow him on Twitter to get the latest updates.
