visualization of a hacker
Hackers are sophisticated, diverse and determined to outpace your efforts to stop them. PHOTO: Khusen Rustamov

Website hacking is nothing new, but the techniques of a hacker are in constant flux.

In an attempt to keep up with this ever-evolving digital dark art, the US government alone spent a whopping $14 billion on cyber security in 2016 — a year that will go down in hacking history.

No Website Is Safe From Hackers

Not only were large organizations like Yahoo and Weebly directly targeted throughout the year, but the largest ever cyber attack in history was also recorded against Dyn, a domain name system (DNS) provider with massive clients. By attacking this one DNS provider, the hackers were able to bring down the likes of Twitter, Amazon and PayPal for a number of hours.

With that being said, hackers are by no means focused on major brands alone, as WordPress is still the most hacked content management system (CMS) on record — although that probably has a lot to do with the fact that it’s by far the most used CMS, too.

But how exactly do these modern hackers carry out their attacks?

Nine years ago, CMSWire created a useful overview of common techniques. As the New Year begins, we felt it was time to update our answer to this ongoing question.

As you might have guessed, there is no one answer. So we've summarized the most popular hacking methods being used today to create the ultimate guide to modern hacking techniques.

1. DDoS Attacks

A distributed denial of service (DDoS) attack is technically not a hack, since it doesn’t give the attacker access to the target’s data. However, DDoS attacks are still a big concern for major (and minor) online brands.

In short, a DDoS attack makes a website or service unavailable by overwhelming it with fake traffic or requests.

How It Works

The hacker (or hacking group) behind a DDoS attack will use a large batch of previously hacked or malware infected computers in order to carry out their attack. This group of computers is referred to as a botnet, which the hacker can remotely instruct to access the targeted website over and over again in an attempt to overwhelm the servers — thus bringing it down.

A visualization of a DDoS attack
A visualization of a DDoS attackPHOTO: DigitalAttackMap.com

The famous 2016 attack on the DNS provider Dyn was in fact a series of DDoS attacks, the likes of which the internet had never seen before. Interestingly though, the botnets used in that case were made up mainly of IoT devices, rather than traditional computers or laptops.

2. Injection Attacks

When a hacker injects code into a website or program to execute remote commands that can read or modify a database — that’s called an injection attack.

It’s an umbrella term that encompasses a range of different attack styles, although SQL injection attacks are most prominent.

How It Works

SQL injection attacks are prevalent because they can be started from easily accessible input fields like contact forms, login forms and anywhere else where the website or app allows for public user input.

The attacker uses these input fields to make SQL queries in an effort to interact with the website’s database and uncover sensitive information. An attacker may also be able to modify the database on the spot.

For example, if a website’s database uses an insecure SQL statement during the login process, like this one:

String sql = "SELECT id FROM users" +
" WHERE username='" + request.getParameter("name") + "'" +
" AND password='" + request.getParameter("password") + "'" +
" LIMIT 1";

Then that database is vulnerable to attack. Why? Because a hacker could come along and type the following into the username field:

' OR id=1 --

And that would force the database to serve up the details of user ID 1, putting them a step closer to logging in as an existing user.

That’s just one of many ways an attacker can use SQL injection to access a database, and if it doesn’t work, there cheat-sheets all over the internet for login strings that can gain access to weak systems.

3. Cross-Site Scripting (XSS)

A cross-site scripting attack, also known as an XSS attack, is actually a form of code injection. However, thanks to its growing popularity, I’ve decided to talk about it separately.

In a cross-site scripting attack, the attacker injects malicious code into a legitimate web page that then runs malicious client-side script when the victim visits said web page.

How It Works

To run malicious scripts in a victim’s browser, an attacker must first find a way to inject a that code into a web page that the victim will visit.

For that to happen, the hacker will need to identify a vulnerable website that the victim visits. For example, if an attacker spied the following vulnerable code on a website, they might have a chance:

print "<html>"
print "<h2>Recent Comments</h2>"
print database.latestComment
print "</html>"

This piece of code displays the most recent comment from the site’s comments database for everyone to see. This makes the website vulnerable because a hacker could submit a comment that contains a malicious payload such as:

<script>MyHackingScriptl();</script>.

By doing this, the website will display that comment — along with the malicious script — to anyone who visits. Resultantly, the attacker’s malicious script will execute within every visitor’s browser.

Such a script could give the hacker access to the visitor’s cookies (which is called cookie stealing) as well as the ability to send HTTP requests. More unnerving however, is the fact that JavaScript in modern browsers can leverage HTML5 APIs to access a user’s geolocation, webcam and microphone.

For additional information on cross-site scripting, here's a great overview of what can be accomplished through XSS.

4. Cross-site Request Forgery

Cross-site request forgery (CSRF or XSRF) is an attack that forces a logged in user to perform an action on a website without their knowledge.

How It Works

A cross-site request forgery attack happens when a user is logged into an account, and a hacker uses this opportunity to send them a forged HTTP request to carry out an action on their behalf.

Here’s an example of how that could play out.

A hacker sends out a mass email to people that are clients of a (poorly secured) online payment company. The email contains a large sparkly image that invites the reader to a discounted online sale. But here’s what that image really looks like:

<img src="https://www.paymentwebsite.com/transfer?amount=1000&amp;destination=mister-hacker">

As you can see, any unsuspecting bargain hunter who clicks on the image will trigger a script that instructs their logged in session — which is open in the next tab over — to send funds directly to the hacker’s account.

cross site scripting
Yeah, this seems totally legit ...

5. DNS Spoofing

Also referred to as DNS cache poisoning, this hacking method allows the attacker to divert traffic from legitimate servers to a malicious ones — leading unsuspecting website surfers to malicious script bearing websites.

How It Works

To spoof a DNS, a hacker must introduce corrupt domain name system data into a DNS resolver's cache. By taking control of where the DNS directs requests, the hacker can steal information and redirect traffic.

Commonly, hackers use this method to divert traffic from legitimate websites to malicious ones, where they might launch another type of attack.

For more information on DNS cache spoofing, check out this extensive guide.

6. Social Engineering

This increasingly popular hacking technique entails the attacker convincing the victim to part with sensitive information — like a credit card number — in good faith. It’s less about code, and more about sneakiness.

How It Works

Phishing is perhaps the most popular form of social engineering, and one common way hackers engage in phishing is to send emails pretending to be from a reputable company.

They then confidently ask for the victim’s personal information, including passwords and credit card numbers in order to supposedly assist them.

Another classic phishing example is the “Microsoft tech support” scam, where malicious callers pretend to be calling from Microsoft in an attempt to extract emails, passwords, and payment information from unsuspecting Microsoft users. It’s an age-old way to hack, and yet it’s rampant even today.

7. Symbolic Linking

A symbolic link, or symlink, is method used to hack Linux servers. The symbolic link is essentially a shortcut, much like the shortcuts Microsoft users know and use.

Hackers deploy symlinks to gain access to the server's root directory, even when their user has limited access to it.

How It Works

The hacker can create a symbolic link from his directory, where he has limited permissions, to the root directory — where he shouldn’t have any permissions. A company employee with limited access to the root server for example, could perpetuate an inside job through a symbolic link.

Access to the root server gives the hacker the opportunity to change files, change permissions, insert malicious code and expose data.

8. Arbitrary Code Executions

This hacking technique describes an attacker's ability to execute any command on a target computer. When the victim machine is separate from the attacker’s machine, this act is often referred to as remote code execution.

How It Works

Arbitrary code execution is often performed by taking control of a program’s instruction pointer (or program counter), which points to the next line of code that is to be processed. This can be done via malware infection (more on that later).

By changing the instruction pointer to instead point to the attacker’s malicious code, the attacker can then gain control of the user account running on that machine. From there, the attacker attempts to escalate the user's privileges (if needed), in order to fully take over the machine for use in future attacks — like a DDoS attack.

9. Clickjacking

Clickjacking is the practice of manipulating a website user's clicks by concealing hyperlinks beneath clickable content, like a video play button. Using this sneaky tactic, attackers can trick website surfers into clicking on a link that they were unaware of.

After reading that, you’re probably thinking about all the times your clicks were jacked, as it is indeed a common tactic among shady movie streaming websites. However, their intentions are usually less to do with hacking, and more to do with ad clicks.

How It Works

Clickjacking is a simple case of hiding hyperlinks beneath something that a website user will actually want to click. This could be a video play button or a social sharing button.

If the clickjacking is malicious, the attacker can send the victim to another website, where another type of attack (like a cross-site scripting attack) could be launched.

10. Google Hacking

Google hacking is when a hacker tries to find exploitable targets and sensitive data by using search engines like Google. It sounds easy, because it kind of is.

How It Works

The Google Hacking Database (yes, there’s an actual database) is home to a long list of queries that you can search on Google. Each of these queries is designed to identify sensitive data — or vulnerable web pages — on websites across the web.

A simple Google search brings up some potentially vulnerable login pages
A simple Google search brings up some potentially vulnerable login pages.

Google has done its part by blocking most Google hacking queries, but hackers got around that by using their own tools to crawl websites before applying the queries directly onto the crawled content.

11. Malware

Ah, good old malware. It’s an umbrella term that includes the horrifying likes of Trojan horses and keyloggers.

In short, the word malware can be used to describe any software that’s designed to damage or otherwise compromise a computer system or its data.

How It Works

There are countless ways for hackers to get victims to download malware, and with over 1 million new pieces of malware emerging every day, the threat is very real.

Malicious software is often disguised as commonly downloaded music or video files, but in a ‘Bait and Switch’ attack, the hacker disguises their code as authentic software, tricking victims into downloading and installing it.

Trojan horse viruses get introduced alongside things like email attachments and other downloads that victims would otherwise trust. They then act as a backdoor, contacting a remote controller, which can then gain unauthorized access to the affected computer.

The purpose of a keyloggers on the other hand, is to record the keystrokes of the affected computer’s owner. From those recorded keystrokes, the hacker can figure out passwords and other sensitive information.

12: Fake Wireless Access Points

Have you ever noticed a suspiciously large number of open wireless access points at a coffee spot? Well, your suspicions were well founded.

Hackers regularly set up fake wireless access points (WAPs) in order to lure the free Wi-Fi scrounger that exists within us all.

How It Works

Once you’re connected to a hacker-managed Wi-Fi spot, the hacker can (potentially) see everything you’re doing. That includes typing in passwords and credit card information.

Hackers set these fake WAPs up in busy areas in order to draw in more people. This kind of attack is called a ‘Waterhole Attack’.

13. Brute Force Attacks

If, like me, you’ve ever tried to gain access to your sibling’s Facebook account by guessing the password repeatedly, you can consider yourself a seasoned brute force hacker.

Essentially, brute force hacking is the act of repeatedly trying different passwords or encryption keys in order to get the right answer.

How It Works

At the grassroots of brute force attacking, you’ve got me guessing my brother’s Facebook password. But at the other end of the spectrum, advanced hackers are deploying brute force attack tools that automate the process on a grander scale. In other words, it’s trial and error on steroids.

brute force attacks
One more try should do it ...

The real danger here is that many of us use the same passwords for multiple accounts — both personal and professional. So, if a hacker can crack your Gmail password, there’s a good chance they’ve cracked the password for your company’s intranet, too.

14. Directory Traversal Hacks

Also known as path traversal attacks, this hacking technique can give an attacker access to files, directories, and commands that are located outside a website’s root directory.

How It Works

An attacker can type in malicious character sequences into a URL in such a way that the website executes an action or discloses content from the web server.

The ../ (known as the dot-dot-slash hack) sequence is a common sequence that is used by an attacker to access files or to execute commands on the file system.

Here’s what a vulnerable system might look like:

<?php
$template = 'red.php';
if (isset($_COOKIE['TEMPLATE']))
$template = $_COOKIE['TEMPLATE'];
include ("/admin/apps/templates/" . $template);
?>

An attack against this system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd

15. Buffer Overflow Attacks

Buffer overflow attacks are primarily used against (poorly built) apps and operating systems. Essentially, the attack aims to overflow the app or program’s memory buffer with useless data.

How It Works

When an app, program or operating system needs to move data, it often stores it in a temporary location built to store excess data in transit. This excess data storage location is called the buffer.

When that buffer zones fills up and overflows, it’s possible for an attacker to then write or rewrite into permanent areas of the program, which can house executable code. Naturally, such an attacker would write something malicious enough to grant them access to the host computer.

This detailed video on buffer overflow attacks will tell you everything else you need to know.

16. Encryption Bypassing

Encryption protocols help protect the user information flowing through major websites and messaging services. It’s a system that keeps our data and private messaging safe from prying eyes.

However, those encryption protocols are sometimes bypassed, allowing hackers to access private information.

This simple video on how encryption works will give you the finer details.

How It Works

There are many ways to bypass an encryption. Some hackers leverage the combined processing power of their botnets to carry out brute force attacks. Others hunt for the algorithms the encryption software uses in order to crack the code.

However, like the with the famous Heartbleed vulnerability, most hackers exploit existing weaknesses in popular Transport Layer Security (also known as SSL) protocols to gain access to encrypted data. More recently, the LogJam vulnerability has given rise to more attacks.

7 Quick Tips: How Not To Get Hacked

Whether you’re a global conglomerate or a humble local news blogger, your website and data are targets for hackers the world over.

These quick and simple tips will help you shore up your defenses:

  1. If your CMS provider has a development blog, subscribe to it. Not only will it give you a heads up on any security issues that might impact you, but you’ll also be in the loop regarding imminent updates — as well as what the provider is protecting you from.
  2. Whenever a website offers it, always make use of two-factor authentication. This security feature requires users to not only enter a password, but also to confirm entry with another item of information, like a code texted to your phone. It’s not unhackable, but it is highly secure.
  3. If you’re using enterprise software, the vendor likely provides you with ongoing support. Make use of this by regularly touching base with the vendor regarding their next security releases, and how you can build up your website’s defenses even more.
  4. Update all 3rd party modules and themes as a matter of urgency — especially if you’re a WordPress user.
  5. If you have an admin login page for your custom built CMS, disguise its importance by naming it something like 'blogging.php'. Calling it "AdminLogin.php" is simply inviting trouble.
  6. Enter some confusing data into your website’s search and login fields like the sample Injection strings shown above. If you get an unusual error message disclosing server-generated code — take action.
  7. Use tools such as ScanMyServer and Sucuri in order to further probe your site for vulnerabilities.

Have we missed any major hacking techniques that webmasters should be wary of in 2017 and beyond? Let us know in the comments below.

We're all in this fight together.