May 11, 2021

How does hacking a website actually work

Home Forums How does hacking a website actually work

This topic contains 1 reply, has 2 voices, and was last updated by  DragonSided-D 4 weeks, 1 day ago.

  • Author
    Posts
  • #382254

    anonymous
    Participant

    I looked in the sub for other posts like this but couldn’t find any. Like I get the idea conceptually, but what exactly is happening, is the websites code being manipulated? Are you using your own code to simply get through or into the websites code. Is code involved at all? If the answer to any of these is yes could you go into more detail and maybe provide an example of code you would use/code that would be vulnerable/how you actually manipulate the code. Sorry if this sounds stupid but I genuinely have no idea how it works. If none of that is how it works could you explain how, and provide relevant examples. Also if there are any other posts addressing this that I missed I’d be fine with a link to that instead of a response

  • #382257

    TyScottsTots

    in a sense to sum things up. There are a set of tools hackers can use to scan for any vulnerability and exploit it. It’s a lot of text and series of commands and hoping shit works. Essentially if you get majorly hacked you were a target, minor hack is probably some punk kid playing with shit, and if your info leaks it’s always your fault.

    I hope this makes some sort of comprehendible sense, I am VERY high right now..

    also source, I was a security student that learned and did some minor (dummy) website hacking.

  • #382258

    liverstock

    Yes. To most or all of that. Look up OWASP top 10 to see common website vulnerabilities to get the basic idea. Websites can be hacked in many ways and are not all the same. Unfortunately your question is too broad. Read up on things like xss attacks and sql injection attacks. Those are pretty common, but there are many depending on the type of website it is. Not all are created equal.

    TLDR: Google OWASP top 10 2021

  • #382259

    beachandbyte

    Basically you abuse features on the website that interact with the server side code. This may give you errors that hint at the way the backend code is working. There are so many things for a programmer to do to handle all inputs correctly you are just looking for places they missed seeing how the server reacts and determining if you can use that for your benefit to make the server do something different.

  • #382255

    DragonSided-D

    You make the website run your code instead of its own code.

  • #382256

    thisdotstate

    This is kind of hard to explain to someone that doesn’t already have the prerequisite knowledge of understanding what the different components of the “website” are and how they interact with each other to serve content to the user. But here goes.

    The two main types of vulnerabilities that typically allow hackers to pwn a website are SQL injection and XSS.

    SQL injection is exploiting a bug in how the back end logic of the site will parse user input. So the typical flow of how a simple website is supposed to work goes like this: user types thing in a box and presses send, the servers receive that thing, do some logic, look up something in a database, do more logic, and then send a response back to the user. If the user is allowed to send something unexpected through that box, it is possible that this can break the logic going on in the back end – the wrong information from the database is pulled and it sends something back to the user that it wasn’t supposed to send, such as other usernames, email address, password hashes, etc.

    XSS is when users add their own content to a website (such as on a message board) but this is executed as code when someone else sees it. This then allows a malicious user to have code execute on someone else’s computer that says, “grab your authentication token and send it to the hacker.” Now the hacker can steal the account of anyone that visits the place where he was allowed to post his malicious code.

    —-

    These attacks are very hard to perform in the purest sense because everyone knows about them and security is baked into all the commonly used frameworks to build websites. However, people still manage to find ways to pull it off by chaining together a bunch of obscure bugs.

You must be logged in to reply to this topic.