1
LET’S HACK A WEBSITE
This book will teach you the essential security knowledge you need to be an effective web developer. Before getting started on that, it’s a useful exercise to see how you would go about attacking a website. Let’s put ourselves in the shoes of our adversary to see what we are up against. This chapter will show you how hackers operate and how easy it is to get started hacking.

Software Exploits and the Dark Web

Hackers take advantage of security holes in software such as websites. In the hacking community, a piece of code that illustrates how to take advantage of a security flaw is called an exploit. Some hackers—the good guys, commonly called white hat hackers—try to discover security holes for fun, and will advise software vendors and website owners of the exploits before making them public. Such hackers often collect a financial reward for doing so.

Responsible software vendors try to produce patches for zero-day exploits (exploits that have been publicized for less than a day, or not publicized at all) as soon as possible. However, even when a software vendor releases a patch to fix a software vulnerability, many instances of the vulnerable software will remain unpatched for some time.

Less ethically minded hackers—black hats—hoard exploits to maximize the time windows during which they can use vulnerabilities, or will even sell the exploit code on black markets for bitcoin. On today’s internet, exploits get rapidly weaponized and incorporated into command line tools widely used by the hacking community.

Solid financial incentives exist for black-hat hackers who use these exploitation tools. Black markets for stolen credit card details, hacked user accounts, and zero-day exploits exist on the dark web, websites available only via special network nodes that anonymize incoming IP addresses. Dark websites, like the one pictured in Figure 1-1, do a brisk business in stolen information and compromised servers.
Figure 1-1: Hi, yes, I would like to buy some stolen credit card numbers since you are clearly a high-level Russian hacker and not an FBI agent hanging around the dark web as part of a sting operation.

Hacking tools that can take advantage of the latest exploits are freely available and easy to set up. You don’t even have to visit the dark web, because everything you need is a quick Google search away. Let’s see how.

How to Hack a Website

It’s remarkably easy to get started hacking. Here’s how to do it:

  1. Do a Google search for kali linux download. Kali Linux is a version of the Linux operating system specifically built for hackers. It comes preinstalled with more than 600 security and hacking tools. It’s completely free and is maintained by a small team of professional security researchers at Offensive Security.

  2. Install a virtual container on your computer. Virtual containers are host environments that allow you to install other operating systems on your computer, without overwriting your current operating system. Oracle’s VirtualBox is free to use and can be installed on Windows, macOS, or Linux. This should allow you to run Kali Linux on your computer without too much configuration.

  3. Install Kali Linux in the container. Download and double-click the installer to get started.

  4. Start up Kali Linux and open the Metasploit framework. Metasploit, as shown in Figure 1-2, is the most popular command line tool for testing the security of websites and checking for vulnerabilities.
    Figure 1-2: Hacking can be achieved only with sufficient ASCII-art cows.

  5. Run the wmap utility from the Metasploit command line on a target website and see what vulnerabilities you can find. The output should look something like Figure 1-3. The wmap utility will scan a list of URLs to test whether the web server exhibits security flaws. Make sure you run the utility only on a website you own!
    Figure 1-3: Hacking engaged—expect a visit from law enforcement imminently.

  6. Pick an exploit in the Metasploit database that will permit you to take advantage of the vulnerability.

At this point, we will stop our hacking tutorial, because the next step would likely constitute a felony. However, the main point should be apparent: it’s really easy to start hacking websites! Metasploit and Kali Linux are used by real-world hackers and can be set up in a few minutes. They don’t require any particular expertise to use, yet they are phenomenally good at identifying vulnerabilities in websites and exploiting them.

This is the reality we are dealing with as web developers today. The websites we build are available to anyone with an internet connection, as are the hacking tools that can be used to target them. Don’t panic, though! By the end of the book, you will (hopefully) know as much about security as the hackers themselves, and be fully prepared for when they attack your site. So, let’s get started by discussing the building blocks of the internet protocol suite.