Hacking attempts on websites are far more common than you might think.
While many of us don’t see them, silent attacks are always underway everywhere on the net. A good portion of attacks are targeted at web hosting accounts.
There are two broad categories of web hosting vulnerabilities. The first is general, while the second is more plan-specific. For example, among the types of web hosting plans, shared hosting is usually considered the most vulnerable.
Web Host Vulnerabilities
- Botnet-Building Attempts
- DDoS Attacks
- Web Server Misconfigurations
- Non-siloed Environments
- Software Vulnerabilities
- Shared IP
- Cross-site Security Forgery
- SQL Injections
- Exploitation of XSS Flaws
- Insecure Cryptography
- Virtual Machine Escape
- Supply Chain Weakness
- Insecure APIs
Generic Web Host Vulnerabilities
1. Botnet-Building Attempts
Malicious actors have been known to target entire web servers in their attempts to build botnets. Common targets in these attempts include web server frameworks, and the attacks generally rely on publicly available exploits.
These advanced and concentrated efforts can often overcome less resilient web hosting providers. Thankfully, once discovered, the vulnerabilities are typically patched fairly rapidly by most web hosts.
2. DDoS Attacks
Distributed Denial of Service (DDoS) isn’t a vulnerability, but as the name implies, is a form of attack. Malicious actors attempt to flood a server (or particular service) with an overwhelming amount of data.
Web hosting services which are not prepared for this can be paralyzed by these attacks. As more resources are consumed, websites on the server are left unable to respond to real queries from visitors.
3. Web Server Misconfigurations
Basic website owners, especially those on low-cost shared hosting, will often have no idea whether their servers have been configured properly or not. A significant number of issues can arise from poorly configured servers.
One example is running unpatched or outdated applications. Although there are error handling mechanisms for technical issues that arise during execution, flaws can remain unseen until exploited.
An inaccurate server configuration can cause the server to not verify access rights correctly. Merely hiding restricted functions or the links to them is insufficient, as hackers can guess the probable parameters and typical locations and then brute-force their way in.
As an example of this, an attacker can make use of something as small and simple as an unprotected JPEG to gain admin access to the server. They modify a simple parameter that points to an object in the system and then they are in.
Shared Hosting Vulnerabilities
In a shared hosting environment, it can be said that everyone is sitting in the same boat. Despite each server having potentially hundreds of users, a single attack can sink the entire ship, so to speak.
“All five (web hosting service providers) had at least one serious vulnerability allowing a user account hijack,” Paulos Yibelo, a well-known and respected bug hunter, told TechCrunch, with which he shared his findings before going public.
As Yibelo showed, the attack doesn't rely on any convoluted technique or on busting firewalls. It's simply through the front door of the site's host, requiring little effort for the average hacker.
4. Non-siloed Environments
Shared hosting accounts are like broad pools of data. Although each account is allocated some resources, in general they all reside within a single environment. All files, content and data actually sit in the same space, simply divided by file structure.
Because of this, sites on shared hosting plans are intrinsically linked. If a hacker were to gain access to the main directory, all sites may be at risk. Even if a single account is compromised, attacks which drain resources will have significant impact.
5. Software Vulnerabilities
Although software vulnerabilities exist for all types of hosting accounts, shared servers are typically at far greater risk. Due to the large number of accounts per server, there may be a significant number of varying applications in place – all of which require regular updates.
In a similar fashion to software vulnerabilities, malware can have a profound impact on a shared hosting server. These malicious programs can find their way onto shared hosting accounts in many ways.
There are so many types of viruses, trojans, worms, and spyware that anything is possible. Because of the nature of shared hosting, if your neighbor has it – you will likely catch it as well, eventually.
7. Shared IP
Shared hosting accounts also share IP addresses. It is usual for multiple sites on shared hosting accounts to be identified by a single IP address. This opens up a whole host of potential problems.
For example, should one of the websites behave badly (by sending spam, for instance), it is possible that all other sites sharing the IP end up blacklisted. Getting a blacklisted IP removed from the blacklist can be immensely challenging.
VPS / Cloud Hosting Vulnerabilities
However, the potential of access to more advanced interconnected servers means that the payday for hackers is also more lucrative. As such, more advanced methods of intrusion can be expected.
While a reliable backup system can work wonders, there's simply no ignoring some vulnerabilities that put entire servers (virtual or not) at risk.
8. Cross-site Security Forgery
Also known as cross-site request forgery (CSRF), this flaw is typically observed affecting websites based on poorly secured infrastructure. At times, users save their credentials on certain platforms and this can be risky if the corresponding website does not have a strong infrastructure.
This is especially common on web hosting accounts which are accessed regularly. In these scenarios, the access is repetitive so credentials are usually saved. Through forgery, users are encouraged to perform an action that they didn’t plan in the first place.
These techniques have in recent times exposed potential account takeover weaknesses in various popular hosting platforms, including Bluehost, Dreamhost, HostGator, FatCow, and iPage.
An example of this can be demonstrated as a typical financial fraud scenario.
Attackers can target CSRF-vulnerable persons visiting a valid URL. An automatically executed masked code snippet on the site can instruct the target’s bank to transfer funds automatically.
The code snippet can be buried behind an image, perhaps, using code such as the following:
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243" width="0" height="0" />
*Note: This is merely an example and the code will not work.
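A server-side defence against the forged image request above, as an added example that is not part of the original article: the state-changing action refuses GET and requires a per-session token that a third-party page cannot read. The function names and the in-memory session store are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> CSRF token.
SESSIONS = {}

def login():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id

def transfer_funds(method, session_id, params):
    """Decide whether a transfer request is honoured. Returns (status, message)."""
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 401, "not logged in"
    # An <img> tag can only issue GET, so state changes must never happen on GET.
    if method != "POST":
        return 405, "state-changing action requires POST"
    # The browser attaches the session cookie automatically, but only the
    # site's own pages can embed the token, so a forged form cannot supply it.
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or wrong CSRF token"
    return 200, "transferred %s to %s" % (params["amount"], params["destinationAccount"])

if __name__ == "__main__":
    sid = login()
    request = {"amount": "1500", "destinationAccount": "4673243243"}
    # The hidden-image request from the article: GET, cookie attached, no token.
    print(transfer_funds("GET", sid, request))
    # A forged auto-submitting form: POST, but the token is unknown to the forger.
    print(transfer_funds("POST", sid, request))
    # The site's own form, which embeds the session's token.
    print(transfer_funds("POST", sid, dict(request, csrf_token=SESSIONS[sid])))
```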
9. SQL Injections
For any website or online platform, the most important constituent is data. It is used for projections, analysis and various other purposes. If confidential financial information like credit card PINs gets into the wrong hands, it can create massive problems.
Data sent to and from a database server must pass through reliable infrastructure. Hackers will try to send SQL scripts to servers so they can extract data such as customer information. This means you need to scan all queries before they reach the server.
If a secure filtering system is not in place, important customer data can be lost. It should be noted, though, that such an implementation will increase the time taken to extract records.
10. Exploitation of XSS Flaws
Harmful XSS-based scripts can either access confidential information or redirect visitors to links targeted by the hacker. In some cases, companies may also use techniques like this to carry out fraudulent business operations.
11. Insecure Cryptography
Cryptographic algorithms usually rely on random number generators, but servers mostly run without much user interaction. This can leave them with fewer sources of randomness. The result may be easily guessable numbers, which is a point of weakness for encryption.
12. Virtual Machine Escape
Multiple virtual machines are run on top of hypervisors in physical servers. It is possible that an attacker can exploit a hypervisor's vulnerability remotely. Although rare, in these situations the attacker may be able to gain access to other virtual machines as well.
13. Supply Chain Weakness
While resource distribution is a major advantage of Cloud hosting, it can also be a point of weakness.
If you’ve heard the term “you are only as strong as your weakest link”, that applies perfectly to the Cloud.
This is a sophisticated attack and rests mainly on the cloud service providers. It is not specific to the Cloud and can happen anywhere else. Downloads from live update servers can have malicious functionality added to them. So, imagine the many users who have downloaded this software. Their devices will be infected with this malicious program.
14. Insecure APIs
Application Programming Interfaces (APIs) are used to help streamline cloud computing processes. If not secured properly, they can leave an open channel for hackers to exploit the Cloud’s resources.
With reusable components so popular, it can be difficult to sufficiently safeguard against the use of insecure APIs. To attempt an intrusion, a hacker can simply try basic access attempts over and over again. All they need is to find a single unlocked door.
When the majority of us think about website security, it is usually from the angle of overcoming the weaknesses of our own websites. Unfortunately, as you can see, it is equally the responsibility of web hosting providers to safeguard against other attacks as well.
While there isn’t much you can do to convince a service provider to protect itself, this awareness can help you make better web hosting choices. For example, by observing the emphasis a web host places on security, you can get a better idea of how secure they keep their own servers.
Some web hosts implement very rudimentary security safeguards – if possible try to avoid those. Others may go so far as to work with notable cybersecurity brands or even develop aggressive in-house security tools and solutions.
The price of web hosting goes beyond the resources allocated to you – so balance your options wisely.