Can we hack websites? Content List Security in the virtual world is unfortunately always underestimated. Despite the fact that security experts give numerous warnings about hacking, theft, etc., many users still do not take the utmost care about their passwords in different accounts, and this causes a lot of problems for them. Website hacking, bank passwords, Gmail hacking, etc. are always exploited by people, but in any case, hacking is not the end of the matter. Developers have considered ways to recover and control these accounts. Website is a program based on Client-server model. The server provides access to the database and business logic. Hosted on a web server. The client application runs in the client web browser. Web applications are usually written in languages such as Java, C #, VB.net, PHP, Cold, and so on. Database engines used in web applications include MySQL, Ms Ql server, PostgreSQL, and so on. Most web applications are hosted on public servers accessible via the Internet. This makes them vulnerable to easy attacks. Web application threats Common threats to web applications include the following: SQL injection The purpose of this threat is to bypass login algorithms and corrupt data. Denial of Service This threat includes blocking and blocking the access of authorized users to the source. Cookie / Session poisoning The purpose of this threat is unauthorized access to data. Form Tampering The purpose of this threat is to modify form data, such as prices in e-commerce applications, to allow the attacker to receive items at lower prices. Code injection In this threat, codes such as PHP, Python, etc. that can be executed on the server are injected and their sensitive information is revealed. Defacement The purpose of this threat is to modify the page displayed on the website from a page that contains an attacker message that directs all user requests. Hack's site with software There are softwares that are available for free and can be used to measure the security of sites. These programs, like ettercap, are used to sniff the network. This means that it monitors the traffic passing through a network and steals unencrypted data such as username and password. As mentioned, there is also one of these automatic SQL injection programs called carrots, which helps security professionals find the extent of SQL penetration on a web page. Carrots help the user to find the database connected to the vulnerable program. Obtain database users and passwords and find columns and tables. With this action, the person who uses the carrot can access the system by executing sql commands and execute commands on it. Carrot software is one of the most successful software that has great potential, including: Ability to find admin login pages Ability to break important hashes Ability to test sql injection union based, error based Supports mySQL, Oracke and msSQL database types Hack sites in a simple way This method works for sites that are not yet complete and under development. Hack site using html code First, open the desired site on your system browser. Then press (Ctrl + U) to view the html code of the site. Then use the search key (clCrtl + F) to search for the password. If there is no result, continue the search with its derived words, such as password, pass and repeat until you reach the result. Then do the same search for other keywords such as login, username, user and their derivatives, you may have access to login information. You can search for words like root or admin to access the admin or admin section. If you do not find any information after doing these searches, close the code tab and type a wrong username, email and password to enter the site and press the login button. Then open the html page of the site again and repeat the previous searches. Use any information that may be useful in logging in so that you may be able to log in. For professional sites, this method is not your answer. There are other methods for hacking the site, one of which is social engineering, which is usually done by phishing and switch bait. Phishing method: In this method, hackers create a fake site from the desired site. Then, it directs the users of the main site to their fake site. After the users enter the fake site, they start filling in the credentials, including the details and They use their username and password and all these details are sent to the web attacker. In this method, the hacker usually obtains users' credit card information by forging the payment gateway. Phishing is one of the most common methods of infiltrating the site. 2. Bait method and switch: Another method of hacking a site through social engineering is the bait and switch method. In this method, the hacker buys banner ads on popular sites and places seemingly acceptable ads on them. But as soon as you click on these ads , users enter sites that are full of malware that are installed on the user's system and cause damage to the victim's system. Introducing other methods of hackers: Attack via IP (internet protocol) One of the easiest ways to hack is to attack via IP. This method of attack is done in two stages, first search and penetration and then operations. After discovering the serial number of the IP address, the hacker puts himself between the server and the user and steals the information by sending fake packets. You can hide your IP to counter this hacking method. Attack via tcp (transmission control protocol) In this method, the hacker separates the user from the server and introduces himself to the server instead of the user, so that the server recognizes the hacker as a valid user. From now on, information is exchanged between the server and the hacker. Attack via firewall In this method, the hacker examines open ports in the firewall and tries to open communication channels. Knowing which port of your firewall is open is useful information. To counter this attack, the best course of action is to close all open and intrusive ports. Attack on the passage of words One of the most popular and effective types of attacks among hackers is password attacks. It has been observed that in most organizations, very weak passwords protect very important packets, and unfortunately, despite security systems, these weak passwords are easily detected and hackers gain access to this information. To counteract these attacks, you need to choose passwords that are not in the dictionary. Words that consist of a series of uppercase and lowercase numbers and letters and symbols are very unlikely to be hacked. The method that hackers used to attack the passage of words is called brute force. A brute force attack is an attack in which all possible scenarios are examined until an answer is reached. In this method, the hacker uses special software to try to check all possible phrases to reach the desired password.