When an attacker sets out to break into a website, the first thing he does is gather as much information about the target site as possible. The information gathering phase is usually done in three steps.
Step 1:
Navigate through the whole site to understand the file and folder structure, the programming language used to build it, the type of web server running it and the rough size of the site; to find the publicly accessible pages and guess which areas are protected; to check whether any framework or CMS was used to build it; to find out which software company built the site; and much more.
While navigating, viewing the HTML source to look for comments, sensitive information, hidden variables, form tags, JavaScript, image sources and the like is an effective way to understand the target application. Developers often comment out code instead of deleting it, thinking they may need it later or somewhere else. Sometimes they write file names, database names, database credentials, login credentials and so on in the code and forget to remove them before release.
If any forms are found while browsing the site, submit them with valid and invalid data to see the error messages the application returns. Developers sometimes give users very helpful messages such as “The password is incorrect”. That helpfulness becomes dangerous when the user is an attacker, because it tells him that the username is correct and only the password is wrong; he can now run a dictionary attack against the password field alone. Submitting invalid or malicious input may produce a server error, and attackers read those very attentively because they give away the internal architecture of the application, database details and so on. Monitoring which requests are made and which responses come back from the server is also a good way to build a detailed picture of the target. While monitoring requests and responses, attackers also examine and experiment with the GET and POST variables, which helps them identify the target's weak points.
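The “The password is incorrect” problem above, as an added example that is not from the original post: a leaky login check beside a hardened one that returns the same message and does the same hashing work whether the username exists or not. The user store, passwords and PBKDF2 parameters are constructed for the example.

```python
import hmac
import hashlib
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example

def _make_record(password: str) -> tuple:
    # Constructed user record: (salt, PBKDF2-HMAC-SHA256 digest).
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

USERS = {"alice": _make_record("correct horse battery staple")}

# Dummy record checked when the username is unknown, so an unknown user costs
# the same hashing time as a wrong password (no timing-based username oracle).
_DUMMY = _make_record(secrets.token_hex(16))

GENERIC_MSG = "Invalid username or password."

def login_leaky(username: str, password: str) -> tuple:
    # The "helpful" variant the post warns about: two different failure
    # messages tell the caller which usernames exist.
    if username not in USERS:
        return False, "No such user."
    salt, digest = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if hmac.compare_digest(digest, candidate):
        return True, "Welcome."
    return False, "The password is incorrect."

def login_hardened(username: str, password: str) -> tuple:
    # One message and one code path for both failure cases.
    salt, digest = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(digest, candidate) and username in USERS
    return (True, "Welcome.") if ok else (False, GENERIC_MSG)
```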
Step 2:
Once the file and folder structure is revealed, the next step is to guess the names and structure of files and folders that are not publicly accessible. Here attackers look for the pattern in file and folder names. Almost every software development company follows a strict naming convention; it varies from company to company and application to application, but keeping the same convention throughout a single application is very common practice. Attackers take advantage of this: seeing viewuser.php in use, they try adduser.php, edituser.php and deleteuser.php; seeing view_user.php, they try add_user.php, edit_user.php and so on. This works whether the product was developed by an individual or by an established software company. Attackers try not only file names but also common folder names such as www.example.com/admin, /administrator, /adminpanel, /workarea, /cp, /cpanel, /controlpanel, /secure, /securesite, /scripts, /css, /images, /classes, /private, /db, /content, /pages and many more. They try subdomains in the same fashion.
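The name-guessing described in Step 2 leaves a trail of 404s in the web server log. As an added example (not from the original post), the following parses combined-format access log lines and flags clients that miss many distinct paths or hit several of the sensitive folder names listed above. The log lines, IP addresses, thresholds and the subset of watched prefixes are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Subset of the folder names from the post that point at protected areas;
# a 404 on one of these weighs more than a random missing image.
WATCHED_PREFIXES = ("/admin", "/administrator", "/adminpanel", "/workarea", "/cp",
                    "/cpanel", "/controlpanel", "/secure", "/securesite", "/private", "/db")

def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_enumerators(lines, miss_threshold=5, watched_threshold=2):
    """Return {ip: (distinct_404_paths, distinct_404s_on_watched_paths)} for
    clients over either threshold. Distinct paths are counted, not raw hits,
    so one broken link reloaded many times is not flagged."""
    misses = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].add(rec["path"].split("?", 1)[0])
    flagged = {}
    for ip, paths in misses.items():
        watched = sum(1 for p in paths if p.lower().startswith(WATCHED_PREFIXES))
        if len(paths) >= miss_threshold or watched >= watched_threshold:
            flagged[ip] = (len(paths), watched)
    return flagged

# Constructed sample log: one client guessing names, one client with a broken image link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /viewuser.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /adduser.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /edituser.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "GET /cpanel/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /images/logo.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /images/logo.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
""".splitlines()
```

Running `find_enumerators(SAMPLE_LOG)` flags only 203.0.113.7 (four distinct misses, two on watched folders); the client reloading a missing image is not reported.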
Step 3:
Software companies quite often reuse their own components across sites where applicable. To cut development hours and cost they sometimes use free or open-source solutions, and sometimes they buy components from other companies and use them routinely in their applications. When such third-party tools, partial code, snippets, components or controls are used, developers rely on and trust them, assuming they are tested, functional and secure. This helps attackers find a common hole: once they know a particular vulnerable component is used on the target site, they have a known weakness to try. So during the information gathering phase they try to find out which third-party pieces are in use.
Today I will show how the above things helped me find a basic security hole in a few sites built by eVista Technologies. Basically, many sites built by eVista Technologies, including brac bank, soft expo and abc real state, are in danger. I communicated with them about the vulns; they thanked me and promised to fix them as soon as possible. A month after reporting the issues, when I asked to be told the status of the fix, they did not reply, and I waited another fifteen days. In all of my communications I mentioned that I was going to do a blog post on this matter, but they did not respond. I also informed the corresponding companies but did not hear back.
Note: eVista informed me that the security leak is fixed.
Nice post monirul bhai.
Thanks for hacking my site!
Congratulations ‘Never Mind’
Great! Monirul.
Keep on posting. This one is a good help for my team working in BD. It was tough for me to make them understand what I meant by good coding, but your “Demo[!]” made it easier for me to make them not only understand but also realize how serious this issue could be. You only mentioned the JS redirection issue here; if you could post a few on the other tricks, it would be good for all the development companies as well as the new QAEs to learn.
I NITE MY AKOUNTE