In my experience, most websites that get hacked are WordPress websites. This is for two reasons:

1) WordPress is open source and many people write code for it, often not the best programmers, and there are lots of buggy plugins.
2) Because of its popularity and weak architecture there are lots of automated scanners that find vulnerabilities, either by mass-scanning for a specific vulnerability or by scanning all the plugins on a particular WordPress site.

What I have found is that custom-written websites usually have bugs too, often more, but they are slightly harder to detect, though not impossible. I actually like authoring custom-written websites. It's more challenging and the level of complexity is slightly higher, which forces pentesters to use different techniques and get a better understanding of how things actually work!

I have been using SQLMap for a year or so. It's an excellent tool for identifying vulnerabilities on your websites that may be buried deep in your code, and for exploiting them using the different options/techniques it supports. I even found a couple of problems on my own websites that I didn't know I had.

I am often asked to run scans on custom websites. Authors often make small mistakes or use code that hasn't been properly reviewed, and those bugs might affect the website's integrity, but they are less likely to be found by automated tools.

Apart from some code I pushed to GitHub, this is my only contribution to humanity, and an excellent hobby: first identifying vulnerabilities on different websites, then telling the authors how to fix them. So the universe is happy with me. Most of the time anyway :).

I heard about psalidaki.com from a friend. I opened the website and thought: this looks custom enough, let's take a look. I confirmed that I was allowed to test it by dropping an email to the owner explaining what I would like to do. It goes without saying that an NDA was signed, and upon getting his final written approval, I kicked off!

Most of the website was secure. The usual suspects for SQL injection were not there (exposed GET parameters like article ids etc.).

Then I found a possible XSS vulnerability. The video viewer is basically an iframe to:

http://psalidaki.com/youtube/video.php?video_=http://www.youtube.com/v/2v378b-Dw4I

From what I saw, the YouTube id, 2v378b-Dw4I, was copied into the page. I then tried:

http://psalidaki.com/youtube/video.php?video_=http://www.youtube.com/v/"><script>alert("Hello!")</script>

and I was greeted with a "Not Acceptable" security warning, which blocked my attempt to execute the script and thus confirm whether that was a real vulnerability :).
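The "Not Acceptable" response means a filter in front of the page rejected the request, but a filter is not the same as the page itself being safe: the underlying defect is that a caller-supplied URL is copied into the markup. The following is an added example, not psalidaki.com's code, of how a video viewer can avoid that: it accepts only an 11-character YouTube id (or the `http(s)://www.youtube.com/v/<id>` form seen in the `video_` parameter), builds the embed URL itself, and escapes the value on output. The function names and the assumption that YouTube ids are exactly 11 characters from `[A-Za-z0-9_-]` are mine; the script only needs PHP 7 or later.

```php
<?php
// Added example (not the site's own code): embed a video only after
// reducing the untrusted input to a validated YouTube id.
declare(strict_types=1);

// Hypothetical helper. Assumption: YouTube ids are 11 characters drawn
// from [A-Za-z0-9_-]. Anything that is not a bare id or a
// http(s)://www.youtube.com/v/<id> URL is rejected outright.
function extract_video_id(string $raw): ?string
{
    $pattern = '~^(?:https?://(?:www\.)?youtube\.com/v/)?([A-Za-z0-9_-]{11})$~';
    if (preg_match($pattern, $raw, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Hypothetical renderer: the iframe src is assembled server-side from the
// validated id; htmlspecialchars() is kept as defence in depth even though
// the id can no longer contain markup characters.
function render_player(?string $raw): string
{
    $id = extract_video_id((string) $raw);
    if ($id === null) {
        return '<p>Invalid video.</p>';
    }
    $src = 'https://www.youtube.com/embed/' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    return '<iframe src="' . $src . '" width="640" height="360" allowfullscreen></iframe>';
}

// Constructed inputs: the benign request from the write-up, the
// script-injection attempt, and a bare id.
$benign  = 'http://www.youtube.com/v/2v378b-Dw4I';
$hostile = 'http://www.youtube.com/v/"><script>alert("Hello!")</script>';
$bare    = '2v378b-Dw4I';

echo render_player($benign), "\n";   // iframe for 2v378b-Dw4I
echo render_player($hostile), "\n";  // <p>Invalid video.</p>
echo render_player($bare), "\n";     // same iframe as the benign case

// In the real handler the input would be $_GET['video_'] ?? null.
```

Validating to a known-good shape is what makes the difference here: once the value can only be an id, it does not matter whether a request filter is in front of the page or not.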

I was ready to give up, and then I saw the poll. I quickly opened the Firefox HTTP Headers plugin and clicked on an answer. The request was a POST to:

http://www.psalidaki.com/poll/poll.php

and the post data was:

id=16&ac=vote&onLoad=%5Btype%20Function%5D&a=1

With the help of SQLMap I identified that the parameter 'id' "seemed" to be injectable. That was certainly a vulnerability which, potentially and under specific circumstances, could lead to unauthorised access to the website's database!

I was able to list the names of a couple of tables, but my purpose was not to proceed further (legal aspects)!
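To show why a numeric-looking POST parameter like `id=16` can still be injectable, and what the fix looks like, here is an added example that is not poll.php's actual code. It keeps the vulnerable pattern (the request value spliced into the statement text) beside the prepared-statement version, and runs both against a constructed in-memory SQLite table so the difference in affected rows is visible. The table layout, function names and the numeric-id check are assumptions; the script needs PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not the site's own code: the injectable pattern SQLMap
// detects next to the parameterised version that removes it.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Constructed schema and rows standing in for the poll's answers.
$db->exec('CREATE TABLE poll_answers (id INTEGER PRIMARY KEY, votes INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO poll_answers (id, votes) VALUES (15, 0), (16, 0), (17, 0)');

// Vulnerable (hypothetical): the request parameter becomes part of the SQL text,
// so the database parses whatever the client sent as part of the statement.
function vote_vulnerable(PDO $db, string $id): int
{
    return $db->exec("UPDATE poll_answers SET votes = votes + 1 WHERE id = $id");
}

// Fixed (hypothetical): the value is bound as a parameter and is never parsed
// as SQL; a type check rejects anything that is not a plain integer first.
function vote_fixed(PDO $db, string $id): int
{
    if (!ctype_digit($id)) {
        return 0;
    }
    $stmt = $db->prepare('UPDATE poll_answers SET votes = votes + 1 WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->rowCount();
}

// Constructed inputs: the normal vote from the captured request and the
// simplest boolean-based probe of the kind a scanner sends.
echo vote_vulnerable($db, '16'), "\n";         // 1  (one answer updated)
echo vote_vulnerable($db, '16 OR 1=1'), "\n";  // 3  (every answer updated: the WHERE clause was rewritten)
echo vote_fixed($db, '16'), "\n";              // 1
echo vote_fixed($db, '16 OR 1=1'), "\n";       // 0  (rejected before reaching the database)
```

The row counts are the tell: a probe that changes how many rows a statement touches is exactly the signal SQLMap uses to decide a parameter "seems" injectable, and the bound-parameter version gives it nothing to work with. The same UPDATE with a bound parameter is also what a database-side audit should expect to see in the query log, rather than statement text that varies with user input.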

I soon after contacted the owner of the website and gave him the details of the vulnerability. His response was quick and professional: the vulnerability was fixed the same day and he even allowed me to write about it.
