5.
Some Common Hacking Incidents
• Defacement
  • Changing the look of the website, e.g. hackers break into the web server and modify the content
• Stealing Information
  • Getting some sensitive information (e.g. exam paper) because it is not properly protected
Ref: https://www.pinoyhacknews.com/web-hacking-terms-what-is-website-defacedefacement
6.
• Modifying Information
  • E.g. hackers break into the server, or go through a website vulnerability, to modify database content such as school grades
• Upload Trojan / Shell
  • Hackers upload a backdoor to control the web server; they can then change website content, spread viruses, turn the web server into a zombie, etc.
• Etc.
Ref: http://vanish.org/t/images/bot1.jpg
7.
Some Common Vulnerabilities
• SQL Injection
  • A website vulnerability that allows hackers to gain access to the database or even execute commands, e.g. dump the database, modify content, upload files
• Vulnerable Components
  • Using vulnerable software such as an outdated CMS, a vulnerable version of a WordPress plugin, or old web servers (e.g. WebDAV exploit)
Ref: http://imgs.xkcd.com/comics/exploits_of_a_mom.png
8.
• Sensitive Files
  • Important files are not properly protected, e.g. simply putting them where they are internet accessible
• Weak Passwords
  • Using weak passwords like 000000, with no brute-force protection
9.
Demo – Can we deface your Web in 10 mins?
• There is a sample Educational Website
10.
Can we deface your Web in 10 mins?
• Hacking in progress…
  • Browsing the website
  • Finding vulnerabilities
  • Uploading a shell…
  • Defacing the homepage…
12.
What did the hacker do?
• Browsing the website
  • Got interesting directories: /intranet
  • Have to log in?
  • Got an interesting page: /intranet/fck.php using FCKEditor?
• Finding vulnerabilities
  • Bypass login by SQL Injection…
  • Misconfigured FCKEditor, a vulnerable component
• Uploading a shell…
  • A file that can control the website
• Defacing the homepage…
  • Mission completed
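Added example, not from the slides: the kind of login query behind slide 12's "Bypass login by SQL Injection", next to the parameterized form that closes the hole. The in-memory database, the "teacher" account and its password are constructed for the demo.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed demo table: one user, password stored as a SHA-256 hex digest.
    (A real site should use a slow password hash such as bcrypt or Argon2.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("teacher", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Pastes the username straight into the SQL text. A quote or a '--'
    comment marker in the username rewrites the WHERE clause, so the
    password check can be cut off entirely (the slide-12 login bypass)."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the username is bound as data and can never
    change the query structure. The hash comparison is constant-time."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    expected = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], expected)


if __name__ == "__main__":
    db = make_db()
    crafted = "teacher' --"   # comment marker cuts off the password check
    print("vulnerable, crafted username, wrong password:",
          login_vulnerable(db, crafted, "wrong"))      # True  (bypassed)
    print("safe, crafted username, wrong password:     ",
          login_safe(db, crafted, "wrong"))            # False (rejected)
    print("safe, real credentials:                     ",
          login_safe(db, "teacher", "correct horse"))  # True
```

Any quote or comment sequence in a submitted username is also a cheap thing to alert on in the web server or application log.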
13.
Tips
• Do security assessment on your websites
  • Website vulnerabilities
  • Server configuration
  • Apply countermeasures if necessary
• Improve security awareness
  • Be aware of the news about the technology that the school is using
  • Education