Hack an online store in 60 seconds

The constant growth of hacker activity, combined with the lack of control over the security of web applications, leads to the mass compromise of resources. In this article we show, using an online store as an example, how an attacker can attack a site, what consequences this leads to, and how to counter such attacks, especially during periods of increased load.

To maintain a high level of site security at a time when staff are busy with the additional tasks of moving to remote work, it is necessary to think about automating information security. Let us look at common development errors and weaknesses of web resources.

RCE

Remote code execution is a critical vulnerability, included in threat category A1 of the OWASP Top 10, that allows an attacker to execute arbitrary code on a remote server. If such a vulnerability is discovered, the attacker can run arbitrary commands through a command shell (for example, Bash) on the server, gain access to the database and source code, change the pages served, attack website visitors and much more.

This information is provided for informational purposes only. Do not break the law!

For the demonstration we deployed a virtual test stand with an online store containing common vulnerabilities and configuration errors. Using the RCE vulnerability, we modify the source code of the web application, after which all of its visitors are redirected to a malicious site:

In this case, the redirect can be seen from the HTTP “Referer” header, which is shown in the lower right corner of the image:

SQLi

SQL Injection is another way of accessing database content, based on embedding arbitrary SQL code in a query. This critical vulnerability is also included in the A1 threat category of the OWASP Top 10 and gives access to user data and other confidential information, client accounts, and the site control panel (for further compromise of the web server). To demonstrate how this vulnerability is exploited and what consequences it leads to, we will use the same stand.

Using SQLMap, a popular tool for exploiting SQL injections, we gain access to the contents of the database tables of the online store. In the tables, in addition to service and commercial information, we find users' personal data and a password hash:
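As an added illustration (not code from the article or from the demo stand), here is the kind of defect SQLMap finds in a store's product search, beside its parameterized fix; the product table and the injection string are constructed for the example, and a hidden row stands in for the confidential data the attacker is after:

```python
import sqlite3

# Constructed catalogue for a demo store (not data from the original stand).
# The "hidden" row stands in for data that the public search must never return.
PRODUCTS = [
    ("Laptop", "public", 999.0),
    ("Headphones", "public", 59.0),
    ("Internal test SKU", "hidden", 0.0),
]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, visibility TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn

def search_vulnerable(conn, term):
    # Defect: user input is concatenated into the statement, so a quote in the
    # input closes the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT name FROM products WHERE visibility = 'public' "
           f"AND name LIKE '%{term}%'")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    # Fix: a bound parameter. The driver hands the value to the engine
    # separately from the statement text, so it cannot change the query.
    sql = ("SELECT name FROM products WHERE visibility = 'public' "
           "AND name LIKE ?")
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

# Constructed textbook injection: closes the literal, forces the WHERE clause
# to be true for every row, and comments out the trailing quote.
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", search_vulnerable(db, INJECTION))  # leaks the hidden row
    print("safe:      ", search_safe(db, INJECTION))        # nothing matches
```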

XSS

Cross-Site Scripting is an attack vector against the visitors of a web application, based on the ability to embed HTML code in a vulnerable page. Successful exploitation of the vulnerability allows attackers to hijack user sessions or obtain other critical information in the user's context.

Having discovered that XSS is possible in the comment field, the attacker posts malicious code and intercepts the administrator’s cookie when the administrator moderates the comment:

After a successful attack, the attacker gains access to the site with administrator privileges:
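The two application-side controls that stop this comment-field scenario, as an added example that is not code from the article or from the stand: escaping the stored comment on output, and marking the session cookie HttpOnly so that even a script that does run cannot read it. The payload is a constructed stand-in for a cookie-stealing comment.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed stand-in for a cookie-stealing comment (the real payload from
# the stand is not shown in the article).
PAYLOAD = '<script>steal(document.cookie)</script>'

def render_comment_vulnerable(comment: str) -> str:
    # Defect: the comment goes into the moderation page verbatim, so the tags
    # the attacker typed become part of the page the administrator opens.
    return f'<div class="comment">{comment}</div>'

def render_comment_safe(comment: str) -> str:
    # Fix: escape <, >, &, and quotes on output, so the browser displays the
    # text instead of executing it. Escaping on output covers every sink.
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'

class TagCollector(HTMLParser):
    """Records the tags a browser would actually parse from a fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def active_tags(fragment: str) -> list:
    """Quick check: which elements survive in the rendered fragment."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags

def session_cookie_header(session_id: str) -> str:
    # Defence in depth: HttpOnly keeps the session cookie out of
    # document.cookie, so a script that does run cannot send it anywhere.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")

if __name__ == "__main__":
    print(active_tags(render_comment_vulnerable(PAYLOAD)))  # ['div', 'script']
    print(active_tags(render_comment_safe(PAYLOAD)))        # ['div']
    print(session_cookie_header("constructed-session-id"))
```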

Brute-force

Brute-force attacks are another popular way of compromising web resources; their purpose is to guess values, most often passwords or other confidential information. Brute force is one of the most commonly used methods when attacking web resources, and often the least conspicuous; it gives access to users' personal data, bonuses and the various benefits of loyalty programs. In our practice we encounter distributed brute-force attacks that use more than 60,000 IP addresses at a time. Without a high-quality system for detecting such attacks, they can take down a web server in a few minutes. Most often, however, such attacks go unnoticed by the owners of the resource and come to light either by chance or after specialized tools are introduced. To block brute-force attacks in Nemesida WAF, we use a principle based on Levenshtein distance and fuzzy logic:
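The idea behind that principle, as an added example that is our own illustration and not Nemesida WAF's implementation: a distributed brute-force run consists of many requests to the login endpoint whose bodies are nearly, but not exactly, identical, so grouping bodies by a fuzzy similarity score derived from Levenshtein distance (rather than by exact match) exposes the campaign even when every request comes from a different IP. The request bodies, IPs and thresholds are constructed for the demo.

```python
def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    """Fuzzy score: 1.0 for identical strings, 0.0 for completely different ones."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

# Constructed sample of (source IP, POST body) pairs seen on the login endpoint.
# Four addresses try near-identical guesses against one account; the last line
# is an unrelated legitimate login.
LOGIN_REQUESTS = [
    ("203.0.113.10", "login=admin&password=qwerty1"),
    ("203.0.113.11", "login=admin&password=qwerty2"),
    ("203.0.113.12", "login=admin&password=qwerty3"),
    ("203.0.113.13", "login=admin&password=qwerty!"),
    ("198.51.100.7", "login=alice&password=correct-horse-battery"),
]

def detect_bruteforce(requests, threshold=0.85, min_sources=3):
    """Cluster bodies whose similarity to a cluster's sample is >= threshold
    and report clusters fed by at least min_sources distinct IPs."""
    clusters = []  # each: {"sample": first body seen, "ips": set of sources}
    for ip, body in requests:
        for cluster in clusters:
            if similarity(cluster["sample"], body) >= threshold:
                cluster["ips"].add(ip)
                break
        else:
            clusters.append({"sample": body, "ips": {ip}})
    return [c for c in clusters if len(c["ips"]) >= min_sources]

if __name__ == "__main__":
    for hit in detect_bruteforce(LOGIN_REQUESTS):
        print(f"brute force suspected: {len(hit['ips'])} sources, sample {hit['sample']!r}")
```

Exact-match counting would see four unrelated requests here; the fuzzy threshold is what ties them together, and in production it would be applied per endpoint within a sliding time window.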

We have examined the most common attack vectors against web applications, but there are many others. To protect online stores, personal accounts, portals, sites and APIs from hacker attacks, we recommend using Nemesida WAF. Using a comprehensive analysis based on signatures and machine learning, Nemesida WAF also identifies new types of attacks, protecting web applications from brute-force attacks among others.

Nemesida WAF is easy to install and use, and a free version is available. When an attempt is made to exploit a vulnerability, for example RCE, the illegitimate request is blocked by Nemesida WAF:

Attempts to exploit the SQL injection to gain access to the database will also be blocked:

Information about the attack is available in the Nemesida WAF Cabinet and helps to better understand the incident. The Cabinet, delivered as an installation package, contains various tools for visualizing incident information and generating statistics and reports.

Using Burp Suite, a popular tool for analyzing the security of web applications, we reproduce the attacker's submission of malicious code in the site's comment field (left part of the image); the right part shows the result of Nemesida WAF's work, blocking the request:

And this is what a blocked XSS exploitation attempt looks like (the malicious payload is automatically highlighted in red):

Nemesida WAF is available as installation packages for popular Linux systems: Debian, CentOS and Ubuntu.

The machine learning module, vulnerability scanner, virtual patch system and other features of Nemesida WAF provide high-quality protection for online stores, personal accounts, portals, websites and APIs from hacker attacks, especially at times when technical specialists are overloaded.

Just calculate how much it would cost to eliminate the consequences of a successful attack. Use Nemesida WAF or Nemesida WAF Free, stay healthy and protected.

From Information Security With Love