
How did you get hacked?

These are the most common reasons servers get hacked in 2024

Development PC Was Hacked

Keep your development PC secure and be cautious with downloads and emails. Always verify the source before downloading any software or opening email attachments. Use antivirus software and keep it up to date to catch potential threats. Most PCs today are hacked either through a dodgy download or via an unexpected phishing email. Some helpful links below:

3rd Party Server Web Plugin Had Vulnerabilities

When using third-party plugins, choose those with a strong reputation and regular updates, and download them only from the official source. Nearly all successful hacks on WordPress are not against WordPress itself, but against one of the plugins the developer chose to include.

When a plugin has been discovered to have a vulnerability, hackers will create internet bots that crawl thousands of websites to see if they can use it to gain access to any of them; so even with plugins you trust, you should keep them up to date. Most developers publish notes on what has changed in a new update, and you will usually find security fixes listed several times!

Credentials were Guessed

Always use strong passwords. Internet bots are constantly trying to log in. Have your web application log every login attempt and watch how quickly that log fills up! Apply this to every component, not only the web application: it is common for databases to be open to direct connections from the internet.

Insecure File Uploads

If your web application allows file uploads, filter the filenames, limit the types of files, and control where they are stored. It is very common for file upload facilities to get exploited in some odd way that you had not thought about. We have seen servers compromised by what was initially thought to be a JPG file, but which somehow got the server to run the contents of the "JPG" as a script.
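The checks described above, written out as an added example (not code from the original post): the hypothetical `validate_upload()` requires the extension to be on an allowlist, requires the file's leading bytes (its signature) to match that extension, rejects double extensions such as `photo.php.jpg`, and `stored_name()` discards the client-supplied filename in favour of a random one. The allowlist, size limit and directory are assumptions for the example.

```python
import secrets
from pathlib import Path

# Allowlist for this hypothetical app: extension -> accepted file signatures
# ("magic bytes"). Constructed for the example; extend to suit your app.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for the example


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Accept only a known type whose extension
    and leading bytes agree; everything else is refused."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Keep only the last path component, so any directory part the client
    # supplied is ignored.
    base = Path(filename).name
    # Exactly one dot: rejects "photo.php.jpg" style double extensions.
    if base.count(".") != 1:
        return False, "filename must have exactly one extension"
    ext = Path(base).suffix.lower()
    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        return False, f"extension {ext!r} not allowed"
    # A PHP script renamed to .jpg does not start with the JPEG signature.
    if not any(data.startswith(sig) for sig in signatures):
        return False, f"content does not match {ext}"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Never store under the client's name: random name plus the validated
    extension. This also defeats overwriting existing files by name."""
    ext = Path(Path(filename).name).suffix.lower()
    return secrets.token_hex(16) + ext


def save_upload(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Store an accepted upload. upload_dir is assumed to live outside the
    web root and to be served (if at all) by a handler that never executes
    its contents; the file is written without an execute bit."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    target = upload_dir / stored_name(filename)
    target.write_bytes(data)
    target.chmod(0o640)
    return target
```

The signature check is what catches the "JPG that is really a script" case: a script file starts with text such as `<?php`, not with the JPEG marker bytes, so it fails before it is ever written to disk.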

User Input was exploited

Always validate and sanitise user inputs to prevent malicious data from affecting your application. Implement server-side validation and use prepared statements to handle input safely. Avoid relying solely on client-side validation, as it can easily be bypassed. Always validate inputs before processing. Here are some common input exploits:

  • SQL Injection (SQLi): Hacking the database by injecting malicious queries into the app's input fields. Prevent SQL injection attacks by using prepared statements and parameterised queries. Ensure that all user inputs are filtered/sanitised and validated before they interact with your database.
  • Cross-Site Scripting (XSS): Protect against cross-site scripting attacks by escaping user inputs and outputs properly. Implement a Content Security Policy (CSP) to restrict the sources of executable scripts. Test your application for XSS vulnerabilities.
  • Forcing the App to Give Up Sensitive Information: To prevent unauthorised access to sensitive information, ensure all data handling is secure. Implement proper access controls and encryption for sensitive data. Put any sensitive data files in a separate directory and restrict permissions on them.
  • Breaking Authentication: If you have created a login for your web app, make sure there are no holes in it. Store all login attempts in a log file along with a timestamp and the source IP address.
  • Leak of Session Information: If a user login is tied to a session cookie, ensure that the session cookie cannot be exposed to other users. Make sure the session cookie is removed or deleted when the user logs out, and set an expiry time on the cookie in case the user does not log out.
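An added example (not the post's own code) tying together the SQL injection point above and the login logging advice in "Credentials were Guessed" and "Breaking Authentication". It uses a constructed in-memory SQLite database; `find_user_unsafe()` shows the vulnerable string-building pattern, `find_user()` the parameterised form, and `attempt_login()` records every attempt with a timestamp and source IP so that `failed_attempts_from()` can count recent failures per address. Table layout, hash parameters and the ten-minute window are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the app's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    conn.execute(
        "CREATE TABLE login_attempts "
        "(ts REAL, username TEXT, source_ip TEXT, success INTEGER)"
    )
    return conn


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: a leaked table is not a list of passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _hash_password(password, salt)),
    )


def find_user_unsafe(conn: sqlite3.Connection, username: str):
    """The vulnerable pattern: the username is pasted into the SQL text, so a
    quote in the input changes the query itself. The database error is
    returned as a tuple here only to make the failure visible."""
    try:
        cur = conn.execute(
            f"SELECT username FROM users WHERE username = '{username}'"
        )
        return cur.fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def find_user(conn: sqlite3.Connection, username: str):
    """Parameterised query: the username is bound as data and is never
    interpreted as SQL, whatever characters it contains."""
    cur = conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?",
        (username,),
    )
    return cur.fetchone()


def attempt_login(conn: sqlite3.Connection, username: str, password: str,
                  source_ip: str, now: Optional[float] = None) -> bool:
    """Check the credentials and record the attempt (timestamp, username,
    source IP, outcome) whether it succeeded or not."""
    now = time.time() if now is None else now
    row = find_user(conn, username)
    ok = False
    if row is not None:
        _, salt, pw_hash = row
        # Constant-time comparison of the two hashes.
        ok = hmac.compare_digest(_hash_password(password, salt), pw_hash)
    conn.execute(
        "INSERT INTO login_attempts (ts, username, source_ip, success) "
        "VALUES (?, ?, ?, ?)",
        (now, username, source_ip, int(ok)),
    )
    return ok


def failed_attempts_from(conn: sqlite3.Connection, source_ip: str,
                         window_seconds: float = 600,
                         now: Optional[float] = None) -> int:
    """Recent failures from one address: the figure to alert or lock on."""
    now = time.time() if now is None else now
    cur = conn.execute(
        "SELECT COUNT(*) FROM login_attempts "
        "WHERE source_ip = ? AND success = 0 AND ts >= ?",
        (source_ip, now - window_seconds),
    )
    return cur.fetchone()[0]
```

A perfectly legitimate username such as `O'Brien` is enough to break the unsafe query, which is the same mechanism an attacker relies on; the parameterised version simply finds no such user. The attempts table is what the "watch how quickly that log fills up" advice refers to, and counting failures per source address over a window is the basis for rate limiting or lockout.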

Lowering the risks

It’s almost impossible to stop all possible hack vectors, but it is fairly easy to block out 99% of the most common hacks. There are more bots than people using the internet, and many of these bots are constantly scanning for systems connected to the internet and feeding various login attempts into them.

Does it need to be on the public internet?

If it is only for internal use, block it from being accessed from the internet.

Is it for global use?

If the app is only to be used within your country, why is Russia able to see it? Use firewalls to make your web application invisible to IP addresses outside your country. Most common hacks come from China, Indonesia, the Philippines and India; block those out at least!

Server File permissions

Put any data files in a separate folder and make sure they are hidden from public view.

Filter, sanitise and validate user input

Here are some coding examples:

PHP:  $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);

More examples of how to filter strings in PHP:

$email = filter_var($email, FILTER_SANITIZE_EMAIL);   // strips characters that are not valid in an e-mail address
$name = filter_var($name, FILTER_SANITIZE_STRING);    // strips tags; deprecated since PHP 8.1, escape on output with htmlspecialchars() instead
$url = filter_var($url, FILTER_SANITIZE_URL);          // strips characters that are not valid in a URL
$int = filter_var($int, FILTER_SANITIZE_NUMBER_INT);   // keeps only digits, plus and minus signs
$safe_input = htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');  // escapes <, >, &, " and ' for HTML output
$text = strip_tags($user_input);                       // removes HTML and PHP tags

Python: valid_numbers = [x for x in user_input if isinstance(x, int) and x > 0]

import html
import re

valid_numbers = list(filter(lambda x: isinstance(x, int) and x > 0, user_input))  # keeps only positive integers
sanitized_input = user_input.strip()  # removes leading and trailing whitespace
sanitized_input = user_input.replace("<", "&lt;").replace(">", "&gt;")  # basic HTML sanitisation (angle brackets only; quotes and & are left alone)
sanitized_input = re.sub(r'[^\w\s]', '', user_input)  # removes special characters (note: also strips legitimate apostrophes and hyphens)
sanitized_input = html.escape(user_input)  # escapes HTML characters, including quotes and &

Encode strings before storage

If storing in JSON, use json_encode($string)
If storing in MySQL, use mysqli_real_escape_string($connection, $string) (it needs the open connection as its first argument); the prepared statements mentioned above are the better option, as they need no manual escaping at all.

Encoding strings before output

When outputting a string to a browser, always use htmlentities($string).
This ensures that characters such as < are displayed as text and not treated as HTML tags.
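An added example (not the post's own code) showing the Python counterparts of the PHP calls in the two sections above: `html.escape()` in place of `htmlentities()` for output, and `json.dumps()` in place of `json_encode()` for storage. It also puts the bare `replace("<", ...)` form from the Python snippet next to `html.escape()` so the difference is visible: only the latter handles `&`, `"` and `'`, which matters as soon as a value lands inside an attribute. The `render_profile()` function and its field names are assumptions for the example.

```python
import html
import json


def naive_escape(s: str) -> str:
    """The bare-minimum form seen in many tutorials: angle brackets only."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_for_html(s: str) -> str:
    """Python equivalent of htmlentities()/htmlspecialchars(ENT_QUOTES):
    also encodes &, " and ', so the value is safe inside attribute values,
    not only between tags."""
    return html.escape(s, quote=True)


def render_profile(display_name: str, website: str) -> str:
    """Encode at the point of output, once per place the value is inserted.
    The stored values stay raw; only the rendered HTML is escaped."""
    return (
        f'<a href="{escape_for_html(website)}" '
        f'title="{escape_for_html(display_name)}">'
        f"{escape_for_html(display_name)}</a>"
    )


def encode_for_storage(record: dict) -> str:
    """Python equivalent of json_encode(): the text is stored verbatim and
    only JSON's own syntax characters are escaped, so nothing is lost."""
    return json.dumps(record, ensure_ascii=False)


def decode_from_storage(blob: str) -> dict:
    return json.loads(blob)
```

Storing the raw value and escaping on output is what lets the same record be rendered safely in HTML, in JSON for an API, or in a log, each with the encoding that context needs; escaping once before storage bakes one context's encoding into the data.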
