A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Site Hijacking

Misrepresenting a website by stealing and manipulating its content

Website hijacking occurs when an attacker steals content from your site and misuses it. Since the content you publish is publicly available, attackers can very easily take this content and republish it elsewhere, masquerading as your site and perhaps moving traffic from your site to theirs. Hijacking your domain name makes their fake site more believable (e.g., if your website is www.myfamilypage.com, they can try using www.myfanilypage.com). If they alter the content on their site to make it offensive or incorrect, they can damage the reputation of your site. Attackers can also steal the design of your website, which is frustrating if you have spent time and/or money on your site's design.

Another form of website hijacking occurs when spammers send automated programs (called spambots) to search the content of your site for contact information such as email addresses, mailing addresses, and telephone numbers. They can then use this information to send spam to your site’s visitors or steal your identity. These visitors may notice the connection between visiting your site and receiving spam and avoid your site in the future.

If you use an online service for sharing digital pictures with your family and friends, you should configure the site so that strangers cannot view your personal pictures and steal them. It is very easy to steal pictures online by just copying and pasting the image file or copying the source code.

A less probable, but possible, method of hijacking occurs when somebody on your network knows your MAC address and can intercept your requests to the Internet. Each computer's network card has a unique MAC address, and every IP address eventually resolves to a unique MAC address. This ensures that information sent over the Internet reaches the right computer. If an attacker knows your MAC address, he can send malicious data directly to your computer, where there may be no security checks or virus checks. In this way, the attacker positions himself between you and the server you are trying to contact, similar to a man-in-the-middle attack. All of your information therefore first goes to the attacker, who in turn either forwards it to the intended server or sends you a page that appears to be from the server and tricks you into entering confidential information.

On websites that gather information from users, somebody could introduce data that alters the behavior of the website if the site is not adequately protected. This type of attack is called cross-site scripting, and it generally occurs when a dynamic Web page gathers data from an attacker and displays the input on the page without properly validating the data. If you only have static pages on your website, you do not need to worry about this attack. This is only a threat if you have dynamic HTML (pages that use scripts like JavaScript, VBScript, etc.) on your site. A successful attack of this sort can result in loss of data, identity theft, cookie stealing, etc.

The most popular type of this attack occurs when hyperlinks are changed on pages that embed scripts like JavaScript and VBScript. For example, an attacker could change links on a page so that when a user logs on and clicks on a link, they are shown a page that looks similar to the expected page, but was created by the attacker. The attacker can then either hijack the user's session or lure the user into entering personal information on this page.

Protective Measures

Practices

  • Protect sensitive content with passwords: Consider protecting files with valuable or sensitive content with passwords so that only pre-authorized users (e.g., friends and family) can access them.

  • Don't publish sensitive business information: Never publish sensitive or confidential information about your company. Always check with your company’s system administrator or other responsible individual if you are not sure whether information is sensitive.
  • Use SSL and HTTPS to secure the communication on your website: Hijackers can monitor traffic leaving your Web server and steal content that way, even if it is password-protected. To protect against this, you can encrypt traffic from your site by using Secure Sockets Layer (SSL) certificates to communicate over HTTPS, which is a secure way of displaying web pages.

  • Protect your email address: Programs called spambots troll the internet looking for email addresses on Web pages, newsgroups and chat-room conversations. They look for anything that could lead to your name or email address. Chat rooms are particularly vulnerable in this respect, since many people use the first part of their e-mail address as an identifier or screen name when chatting. Frequent users of chat rooms often receive large amounts of unsolicited email as a result of this.

    If you must display your email address on a Web page, you can make it unreadable by a computer, but recognizable to a human being. One way to do this is to replace the “@” symbol with either text that suggests this symbol (e.g., joe.smith[at]hotmail.com instead of joe.smith@hotmail.com) or with a graphics file (e.g., a .gif file) that represents that symbol. You can also display your entire email address using a graphics file. Of course, none of these tricks will stop a human being from getting your email address.

  • Advise users to make sure they enter the correct address for your website: Advise your users to be careful when entering the address of your website, and point out common mistakes that the user might make in entering the site address. Occasionally check for common spelling errors that users might make, and warn users against these errors. You may also want to try purchasing all domain names that are similar to your own so that all misspellings go to your website.
  • Periodically check for cross-site scripting loopholes: Check your site occasionally to see if all links on your site lead to the correct Web pages. You should also check the source code on a regular basis for any modifications to the hyperlinks. This can be done by keeping a master file of all the hyperlinks that were used in the source code. You can then use customized programs to automatically search for all hyperlinks used in the source code and match them with the master file. If the program finds a hyperlink that does not match the master file, the link may have been maliciously modified.
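    One way to automate the master-file comparison described above, as an added example that is not part of the original article: the script collects every hyperlink in a page's source and reports any that do not appear in the master list. The page source and master list are constructed sample data; the look-alike domain is the one used earlier in the article.

    ```python
    """Compare the hyperlinks found in a page's HTML against a master list.

    Added example, not part of the original article. The page source and the
    master list below are constructed sample data.
    """
    from html.parser import HTMLParser


    class LinkCollector(HTMLParser):
        """Collects the href of every <a> tag in the document."""

        def __init__(self):
            super().__init__()
            self.links = []

        def handle_starttag(self, tag, attrs):
            # HTMLParser lowercases tag and attribute names for us.
            if tag == "a":
                for name, value in attrs:
                    if name == "href" and value:
                        self.links.append(value.strip())


    def extract_links(html_source):
        parser = LinkCollector()
        parser.feed(html_source)
        return parser.links


    def find_unexpected_links(html_source, master_links):
        """Return links present in the source but absent from the master file."""
        allowed = set(master_links)
        return sorted({link for link in extract_links(html_source) if link not in allowed})


    # Constructed master file: the links the site owner originally published.
    MASTER_LINKS = [
        "https://www.myfamilypage.com/login",
        "https://www.myfamilypage.com/photos",
        "mailto:joe.smith[at]hotmail.com",
    ]

    # Constructed page source in which the login link no longer matches the master file.
    SAMPLE_PAGE = """
    <html><body>
    <a href="https://www.myfamilypage.com/photos">Photos</a>
    <a HREF="https://www.myfanilypage.com/login">Log in</a>
    <a href="mailto:joe.smith[at]hotmail.com">Contact</a>
    </body></html>
    """

    if __name__ == "__main__":
        for link in find_unexpected_links(SAMPLE_PAGE, MASTER_LINKS):
            print("link not in master file:", link)
    ```

    Any link the script reports should be compared by hand with the master file before the page is left online.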
  • Use proper session management: A session is used to store the status information of an authenticated user throughout a website so that he doesn't have to log in every time he visits a different page. Your site should check for a valid session on every page that contains confidential information. Otherwise, a user could gain access to highly sensitive pages by bypassing the security checks at the login page. The best way to keep this from happening is to create a session with a corresponding privilege level for each user who logs in. Then check the session on every sensitive Web page to make sure that the user has the proper privilege level for that page.
  • Keep a database of user login information: Maintain a database to keep track of all login information and user activity. This is useful because it allows you to review user activity and possibly detect and track malicious activity. Logs are automatically created in Apache Web servers by default. These logs can be accessed by viewing the Logs folder in the WebApps directory of the Apache Installation.
  • Perform proper string parsing on user input: If you don't do this, somebody could breach your security by exploiting SQL vulnerabilities. For example, special symbols such as single quotes or semicolons can be used to fool SQL. Single quotes are used for comparing strings in a database, and semicolons are used to terminate SQL queries, so if the user enters these symbols, the backend queries can get modified. Strings should therefore be parsed to remove special symbols before they are fed to the database.
  • Prevent users of your site from entering HTML tags in form fields: If you have forms on your site, do not allow users to put HTML tags into your form fields. If HTML tags are allowed, anybody can modify your website, since the HTML tags can be interpreted by Web browsers as part of the page. You can prevent this by making sure that the user input does not contain special characters.
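    The two points above, handling quotes and semicolons in input that reaches the database and keeping submitted HTML tags from being interpreted by the browser, shown together as an added example that is not part of the original article. It uses Python's built-in sqlite3 and html modules; the table and inputs are constructed sample data, and the parameterized query and HTML escaping are the standard ways of achieving what the two bullets describe.

    ```python
    """Handle untrusted form input safely on the way into SQL and back out as HTML.

    Added example, not part of the original article. Uses Python's built-in
    sqlite3 and html modules; the table and inputs are constructed sample data.
    """
    import html
    import sqlite3


    def build_naive_query(username):
        """The unsafe pattern: pasting user input straight into the SQL text.
        A single quote in the input ends the string literal early and changes
        the structure of the query, which is the problem the article warns about."""
        return "SELECT name, level FROM users WHERE name = '" + username + "'"


    def naive_query_fails(conn, username):
        """Show that the naive query text no longer parses once the input holds a quote."""
        try:
            conn.execute(build_naive_query(username))
            return False
        except sqlite3.OperationalError:
            return True


    def lookup_user(conn, username):
        """The safe pattern: a parameterized query. The driver sends the input as
        a value, so quotes and semicolons in it can never alter the statement."""
        return conn.execute(
            "SELECT name, level FROM users WHERE name = ?", (username,)
        ).fetchone()


    def render_greeting(name):
        """Escape user-supplied text before placing it in a page, so any HTML tags
        in it are displayed literally instead of being interpreted by the browser."""
        return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


    def make_db():
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (name TEXT, level INTEGER)")
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [("alice", 1), ("O'Brien", 2)])
        return conn


    if __name__ == "__main__":
        conn = make_db()
        print(build_naive_query("O'Brien"))       # quote breaks the query text
        print(naive_query_fails(conn, "O'Brien"))  # True
        print(lookup_user(conn, "O'Brien"))        # ('O'Brien', 2)
        print(render_greeting("<b>bob</b>"))       # tags shown as text
    ```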
  • If you publish a blog, you must remember that without site authentication, you have no control over who sees the information you post: If you post information that is private or embarrassing, you could put your reputation at risk.

    Do not post personal information on your blog or website: Be careful not to use phone numbers, names of real people, or addresses when writing about events. People could misuse this information, and the more you reveal, the more vulnerable you are.

    If possible, make your profile or blog private: Many blogging sites let you set your blog so that only certain people, whom you specify, have access to your profile or blog.
  • Check the protection offered by your Web hosting service: If you use a Web hosting service, contact your service provider to find out what kind of protection they offer against website hijacking.

Tools

  • SSL certificates: Secure Sockets Layer (SSL) encryption keeps data from being intercepted when someone logs into a restricted part of your website or sends personal information through a form. When entering credit card information in an online form or visiting a secure area of a website you may have noticed a yellow or gold lock symbol on the bottom row of your browser window. This is a sign that SSL encryption is active and any data you send to the Web page should be secure.

    SSL encryption has become the industry standard in security, so if you want to build an e-commerce site you should have an SSL certificate. This will reassure customers that their personal information is safe.

  • HTML Protector: It is possible to download an image from a website by right-clicking on it, choosing the "Save Picture As" option on the resulting menu, and copying the picture to a directory on the local machine. The HTML Protector tool prevents this from happening by disabling the use of the right-click on your website. This is an effective way to make sure people don't steal and use pictures from your website.
  • Vulnerability Scanner: Vulnerability scanners, such as the Acunetix Web Vulnerability Scanner, help detect locations in your site where a vulnerability can be exploited. The scanner runs through the entire source code of your page, locates places where attacks are possible, and helps to correct the code to prevent an attack.

Legal Issues

Copyright law prevents people from appropriating other people's websites for commercial use, so illegal modification of a website by an attacker can be prosecuted under copyright law.

You can be prosecuted for publishing any content, such as software, music or movies, that is copyrighted or doesn't belong to you.

Deliberately publishing false information can be considered defamation. Individuals who have spread rumors or disclosed confidential information about companies have been prosecuted for it.

Privacy Issues

Since posting your email address online can lead to receiving unsolicited email, you may want to have several email addresses. You can give your personal email address to family and friends and use other "throwaway" email addresses to post things online. This way, if one email account begins to receive a lot of unsolicited email, you can stop using it without missing important messages.