As a company’s operation and maintenance personnel, especially for large and medium-sized enterprises, it is not uncommon for websites and web applications to be attacked by hackers.
Web apps and website can be divided into three sections: individual operations, team/company operations, and government operations.
The proportion of personal websites is still very large, and most of these websites use open source CMSs.
Such as blogs: WordPress, Joomla, Typecho, Z-blog, More…,
Community categories: Discuz, PHPwind, StartBBS, Mybb, etc.
The proportion of commonly used open source CMSs used by team/company websites is also very large, and government websites are basically outsourced to develop more.
If it is broader, it can be divided into two major parts: open source and closed source.
What can effectively illustrate the pseudo-security of a website is to prove from the perspective of actual combat whether it is really solid.
The reason why I talk about intrusion methods here is not to teach you how to invade the website, but to understand the various methods of intrusion. Only by knowing yourself how the attacks happen, then can you learn how to protect.
A kitchen knife can be used to cut vegetables, and it can also be used to kill people.
Let’s talk about some common procedures for hackers to invade websites.
The common process for hackers to attack and hack websites
1. Information Gathering
1.1 Whois information – registrant, phone, email, DNS, address
1.2 Google hack – sensitive directories, sensitive files, more information collection
1.3 Server IP – Nmap scan, port corresponding service, C segment
1.4 Side note – Bing query
1.5 If you encounter CDN – Cloudflare (bypass), start with subdomains (mail, postfix), DNS transfer domain vulnerabilities
1.6 Server, components (fingerprint) – operating system, web server (apache, nginx, iis), scripting language
Through the information gathering process, the attacker has basically been able to obtain most of the information about the website. Of course, information gathering is the first step of the website invasion and determines the success of the subsequent attack.
2. Vulnerability Scanning
2.1 Scan the website/web application for vulnerabilities – (tools: acunetix, burpsuite, dirsearch, nikto etc)
2.2 XSS, CSRF, XSIO, SQL injection, permission bypass, arbitrary file reading, file inclusion…
2.3 Test for upload vulnerabilities – truncation, modification, analysis vulnerabilities
2.4 Is there a verification code (2fa)? – brute force attempt
By now, the attacker has a lot of information about your website and may have found vulnerabilities affecting your website. In the next step, they will begin to use those vulnerabilities to gain access to your website.
3. Vulnerability Exploitation
3.1 Thinking about the purpose – what kind of effect is achieved. (Exploit any found vulnerabilities)
3.2 Hidden, destructive – Find the corresponding EXP attack payload based on the detected application fingerprint or write it yourself
3.3 Start the vulnerability exploit, obtain the corresponding permissions, and get a webshell on the server, according to different scenarios
4. Privilege Escalation
4.1 Choose different attack payloads for privilege escalation according to the server type (Use Metasploit where possible)
4.2 Permission escalation is not possible, start password guessing based on the information obtained, and retrospective information collection
5. Implant a Backdoor
5.2 Check and update regularly to maintain persistence
6. Log cleanup (Clear your tracks)
6.1 Camouflage, concealment, to avoid alarming, they usually choose to delete the specified log
6.2 According to the time period, find too many corresponding log files. . .
Having said so much, how much do you understand these steps? Read more and research online.
Of course, the type of attack may largely depend on the motivation the hacker has.
Although the time is relatively long, the general idea is like this.
After talking about the intrusion process, let’s talk about why enterprise websites need to be secured..
First: Cybersecurity law regulations
The proposed cybersecurity law clearly requires for the provisions of critical information infrastructure operators (such as critical information infrastructure operators should themselves or Entrust a network security service organization to conduct inspection and assessment of its network security and possible risks at least once a year, and report the inspection and assessment results and improvement measures to the relevant department responsible for the security protection of critical information infrastructure), which is quite mandatory ——In the legal liability section, it is clearly mentioned that if these regulations are not fulfilled, the relevant competent department shall order rectification and give warnings;
Regarding the interpretation of the Cyber Security Law, you can click here to view
It is worth noting that penetration testing is a commonly used and very important method in information security risk assessment and web security.
Second: Penetration testing helps PCI DSS compliance construction
In PCI DSS (Payment Card Industry Security Standards Council) Section 11.3, there is such a requirement: at least every year or after any major upgrades or modifications to the infrastructure or applications (such as operating system upgrades, environment additions) Adding a network server to a sub-network or environment) needs to perform internal and external penetration testing.
Third: Baseline requirements for ISO27001 certification
ISO27001 appendix “A12 Information System Development, Acquisition and Maintenance” requirements establishes a software security development cycle, and specifically proposes that additional penetration tests should be conducted with reference to, for example, OWASP standards before going live.
Fourth: Requirements in the CBK’s multiple regulatory guidelines
According to the clear requirements in the multiple regulatory guidelines issued by the Central Bank of Kenya, the bank’s security strategy, internal control system, risk management, system security and other aspects need to be penetrated testing and control capabilities inspection and evaluation.
Fifth: Minimize business losses
In addition to meeting the compliance requirements of the policy, improving the operational safety of customers or meeting the requirements of business partners. The ultimate goal should be to minimize business risks.
Companies need to conduct as many penetration tests as possible to keep security risks under control.
In the process of website development, many hidden security problems that are difficult to control and discover will occur. When these large numbers of flaws are exposed to the external network environment, information security threats are generated.
This problem can be effectively prevented by companies through regular penetration testing, so that they can be detected and resolved early. The system will become more stable and secure after being tested and strengthened by cybersecurity professionals. The test report can help managers make better project decisions, at the same time prove the necessity of increasing the security budget, and convey security issues to the senior management. .
The difference between penetration testing and security testing
Penetration testing is different from traditional security scanning. In the overall risk assessment framework, the relationship between vulnerability and security scanning can be described as “continuing”, that is, as mentioned above, it is a verification and supplement to the scanning results.
In addition, the biggest difference between penetration testing and traditional security scanning is that penetration testing requires a lot of manual intervention.
These tasks are mainly initiated by cybersecurity professionals. On the one hand, they use their professional knowledge to conduct in-depth analysis and judgment on the scan results.
On the other hand, it is based on their experience to manually check and test the hidden security issues that the scanner cannot find, so as to make more accurate verification (or simulated intrusion) behavior.
Incase you need security service such as penetration testing, drop me a line on twitter @jimmwayans and I’ll be glad to work with you.