An essential guide on how websites get hacked through software exploits and bad programming practices. The guide shows you the tools hackers use, what they look for and how to protect your code from vulnerabilities, exploits and eavesdropping.
The aim of this hacking and security tutorial series is to provide application developers with the knowledge of how exploits in their code can be used against the application and how a simple validation error can cause a data breach.
Over time, such exploits were put to more sinister uses and hacking acquired its bad name. Personal and confidential data, and money, were stolen from computer systems, and hackers were labelled the enemy. There are two main categories of hackers, white hat and black hat. White hat hackers, also called ethical hackers, attempt to breach security but perform no malicious acts; instead they report their findings so that the vulnerability can be fixed and, often, a reward paid. Black hat hackers attack systems maliciously, whether to deface a website, steal data or cause damage, be it physical, financial or reputational.
The tools and techniques presented here are not language or platform specific: it does not matter whether you are writing a PHP application, ASP.NET Web Forms or MVC, nor whether you serve it with IIS, Apache, nginx or any other server technology. The practices are the same regardless.
It may surprise you to learn that all you really need to probe a website for these weaknesses is Google Chrome, Firefox or IE with their developer tools, plus Fiddler, the free web debugging proxy. There are other tools that offer more automated or brute-force attacks, but the underlying techniques are the same, so I'll show you how Chrome's developer tools combined with Fiddler can be used to identify risks and secure your website.
Google Chrome is my web browser of choice. It is fast and light, and it ships with a number of genuinely useful developer options out of the box. There is also a large marketplace of third-party extensions that extend this functionality further. Firefox is also a good browser with equally capable developer tools and add-ons, though I have found recent releases getting a bit bloated and slow. Although I use Google Chrome and Chrome Developer Tools in this article, the process is the same with the Firefox tools.
Developer Tools are opened with the F12 key (Ctrl+Shift+I also works). This opens a new window or a docked panel. There is a lot in the developer tools, but for this tutorial we are going to focus on the Elements, Network and Resources tabs. (In current versions of Chrome the Resources tab has been renamed Application; the contents described below are the same.)
The Elements tab breaks down the DOM (Document Object Model) and allows you to drill down into the HTML markup. You can also jump straight to an element by right-clicking on the web page and selecting "Inspect Element" from the context menu. In the Elements tab you can directly manipulate the DOM and add or remove elements, attributes or values. Bear in mind what this means for your own code: a user can strip a disabled attribute, a maxlength, a hidden field or a client-side validation script from their copy of the page in seconds, so none of those controls protect the server, which must validate everything it receives.
The Network tab shows the network activity for the page. It lists every request made to the server, the files downloaded, the timing and status code of each request, and the request and response headers.
Finally, the Resources tab shows the images, CSS and fonts used by the page, the cookies set for it, and anything kept in local storage. We will use this when we work with cookies later on.
For this tutorial there is a Chrome extension we are going to use. It is called Cookie Inspector and is available on the Chrome web store. There are other extensions available, but I like this one because it integrates well with the developer tools. Cookie Inspector will allow us to manipulate the cookies set by a website and change their values before they are sent back to the server.
The other application we are going to use is Fiddler. It is a free HTTP debugging proxy, which means it sits between your browser and the server and captures the HTTP traffic passing between them. It allows you to inspect and analyse the captured requests and responses: the headers, any form data submitted and the body content. You can also compose your own HTTP requests and analyse the server's response. For HTTPS sites you must enable HTTPS decryption in Fiddler's options, which installs Fiddler's own root certificate so that it can decrypt the traffic; that step is exactly why the attacker running Fiddler sees everything a browser sends, TLS or not.