Author Topic: Some questions I'd love to get an answer to  (Read 794 times)

Offline fenhopi

  • NULL
  • Posts: 1
  • Cookies: 0
Some questions I'd love to get an answer to
« on: July 01, 2012, 06:22:22 pm »
Hi,
Let me be the first to say that I'm fairly new to all this, so excuse any ignorance my question might reveal. My impression is that the most commonly mentioned methods to hack websites are: SQLi, RFI and LFI. I've found that these methods usually only work on outdated and rather "small" sites though. I was just wondering if there are any other methods used to exploit vulnerabilities in newer, more "up to date" sites?

Thank you in advance for any answers that might educate me.


Offline NeX

  • Peasant
  • *
  • Posts: 74
  • Cookies: 5
Re: Some questions I'd love to get an answer to
« Reply #1 on: July 01, 2012, 10:50:31 pm »
That is actually not true. There are like A LOT of SQL Injection vulnerabilities out there. 'Outdated' and 'small' is inappropriate here because there are big and updated sites vulnerable to such attacks too.
Most of these attacks happen because of bugs in the code of already made software, like Joomla, WordPress, etc.
Web applications are not the only way to get into a system, web servers aren't the only software running on the target ;)

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: Some questions I'd love to get an answer to
« Reply #2 on: July 02, 2012, 02:13:00 am »
This ^

However, I would like to add: I have noticed, after some experience, that on large or bigger and up-to-date sites, the vulnerabilities are harder to exploit and/or find, but they are definitely there. Which is not that weird when you think about it. There are millions of computers (bots) that scan equally many sites every day, pentesters that use vulnerability scanners, and not to mention all the hackers out there. So it is only natural that pages with a lot of traffic get "attacked" and therefore also patched more than small sites. However, scanners will only take you so far. That is why flaws are often, not always, harder to find/exploit on large sites.

And, again, like NeX said, the web server is not the only way in. There are an infinite number of ways to approach an attack.


If you want some keywords to go on: CSRF, XSS, various flavors of Buffer Overflow and Format String Vulnerabilities.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true