Hacking Using Parse Database Injection

by Evan D'Elia

This new form of hacking was discovered through Blackbaud website management software.

However, this method for hacking into a website's client base could be adapted to many other platforms.  The basic idea behind it is to place a piece of code on a web page that is hidden from the user and is difficult for the admin to detect.  This code is triggered when the user performs some action, such as hovering over a piece of text or clicking a button on the page.  Once triggered, the code grabs the contents of any relevant text boxes and stores them in a Parse database owned by the hacker.  The hacker can then log in to their own Parse database, which may contain information such as the names of buyers or clients along with their phone numbers or credit card information.

There are benefits and pitfalls to this method, as discussed below.

Advantages

The first benefit of this method is that it requires very little effort on the part of the hacker.  For my implementation of the code, I used a fair amount of HTML and JavaScript.  The amount of code that needs to be written will vary from website to website depending on how well secured each website is.  During my first attempt at this method, I used the following pseudo-code:

$("#buttonId").on("click", function() {
     Create new Parse object
     Save Parse object in database
});

The methods for creating and saving the Parse object were also stored on the page, simply by defining them in <script> tags hidden on the page in the same way.  As you can see, writing the code for the function itself is not very difficult.

In addition, this code will run every time the button with #buttonId is clicked, so the hacker can leave it on a web page and forget about it while it does its work on its own.  The Parse API is simple to use as well and lets the hacker view the collected data at any time from any computer with an Internet connection.  This method is also attractive because it does not raise any alarms with the admin.  If hidden properly, this piece of code should go unnoticed for a long time.

Another advantage of using Parse is that you can easily modify database tables to include more columns.  Therefore, your database can be modular and change with the website you are trying to hack if the admin adds anything to their page.  These benefits make Parse database injection a great method for hacking for those on the inside of companies who have easy access to a website's code.

You may be asking what the purpose of such an attack would be if you already have access to a website's code.  More often than not, a company will have several programmers working for them to secure or modify their e-commerce website.  For security purposes, most smart web admins will write their e-commerce pages so that functions like the one above cannot be bound to other elements or tags on the page.  If that is the case, we can still pursue a Parse database injection so long as we can add code to the final HTML output of the web page.

In cases like this, when we cannot bind our main method to an existing tag on the page, we can simply create a hidden element - or one that is extremely difficult to find - somewhere on the page.

The pseudo code for such a situation may look like the following:

<script>
function myMethod() {
     Method for creating and saving the Parse object
}
Initialize access to Parse database using Parse API
</script>
<div id="myHiddenTag">........ .</div>
<script>
$("#myHiddenTag").hover(function() {
     myMethod().then(function() {
          console.log("Everything is fine");
     });
});
</script>

In the pseudo-code above, a hidden element is created using only periods (which may be colored to match the background of the web page) and, whenever someone hovers over this element, the contents of the relevant text boxes are saved into our own Parse database, which we initialize using the Parse JavaScript key and database key (as explained in the Parse API documentation).  Additionally, a message is logged to the console saying that "everything is fine," just in case the user is code savvy enough to inspect the page.  Although this method is simple and reliable, there are a few downsides to it which one should be aware of before implementing it.

Disadvantages

When initializing your Parse database, you must use your own JavaScript key and database key.  It is possible to obfuscate this code so that users cannot see the keys, but you may have trouble hiding them, or be unable to hide them, from the admin.  If the admin has his or her own Parse account, this may give them access to the database, thereby shutting down efforts to hack their web page.  However, the admin will still not have access to your other Parse databases or your Parse account.  They will only be able to see the particular database you have hidden on their site, and only if they have a Parse account of their own.  The second downside to this method is the issue of access.  As stated earlier, this attack is most easily performed if you have access to whatever software or code someone is using to manage their website.

Conclusion

In conclusion, this method of hacking is easy to implement, is lightweight, and is a great way to introduce oneself to the world of cyber security.  Knowing this method, one should protect their own web pages by first always being aware of the code on their pages.  It is important to revisit your code regularly to make sure new bugs have not arisen and that everything is how you left it.  Leaving a website's code unchecked for too long is bad practice from both a technical and a design standpoint.  Second, one should make sure that handlers cannot be added to buttons or other tags once the page is loaded, in order to make it more difficult for hackers to implement this method.  I do not condone the use of this method for any illegal or other reprehensible purposes.

I hope that this method of hacking is educational for those of you who wish to learn more about web security.
