Introduction
In the digital era, cybersecurity has become an indispensable concern for both enterprises and individuals. However, in Taiwan, many companies, institutions, and even personal users often overlook fundamental security measures, making it easy for hackers to infiltrate systems, steal confidential information, and even cause operational paralysis.
Common cybersecurity vulnerabilities do not always require advanced hacking techniques; instead, they often stem from a lack of basic security awareness, allowing attackers to exploit weak points effortlessly. This article explores some of the most prevalent cyber attack methods in Taiwan, including weak password exploitation, Cookie-based Privilege Escalation, and website API vulnerabilities.
Although these attack techniques may appear simple, they frequently lead to severe security breaches due to inadequate awareness and insufficient preventive measures. The insights shared in this article are derived from real-world cases and observations, aiming to enhance awareness of common cybersecurity risks.
Wi-Fi Password Security Risks
In Taiwan, many enterprises and public venues use overly simple and easily predictable Wi-Fi passwords, allowing hackers to infiltrate internal networks without requiring brute-force attacks or advanced hacking techniques.
Key Risk Factors:
- Predictable passwords (e.g.,
12345678
,88888888
). - Company or landline phone numbers.
- Unified business number. (8 digits)
- Personal mobile phone numbers.
Weak passwords are highly susceptible to dictionary attacks. Additionally, publicly available company information or personal phone numbers can be exploited via open-source intelligence (OSINT) or social engineering attacks. To mitigate risks, it is recommended to use special characters or longer, readable passphrases.
For example, a company Wi-Fi password can be set as:
|
|
Alternatively, for home networks, a password can be set using mobile number + special character + word:
|
|
Using longer and more readable passphrases effectively reduces the risk of being cracked and is significantly more secure than purely numeric passwords.
While fully random passwords (e.g., ^Wa091UW!N@U123QQ-USA
) offer the highest level of security, they are difficult to enter and remember for the average user, ultimately reducing practical usability.
Vulnerabilities in Domain Management Automation Scripts
IT administrators (MIS engineers) typically utilize domain management to centrally manage user workstations, configure access permissions, and monitor user activity in real time, including login IPs, connection status, and access logs.
These automation scripts are often hosted on specific domain URLs and can be identified using Autoruns, which allows users to inspect startup scripts executed when a system boots up and determine the corresponding server paths.
A major security flaw arises when the system stores the Administrator
account password in plaintext on the server, without implementing proper encryption or access controls.
|
|
By obtaining this file, an attacker can extract the highest-privilege user’s password on the local machine, thereby escalating their access permissions.
Additionally, to streamline IT management, some administrators package privileged installation files separately, allowing standard users to install necessary software without direct administrative intervention.
These packaged executables can leverage the Win32 API to escalate privileges or encapsulate password modification scripts within an executable file. Upon execution, the script is unpacked to a designated system directory, executed, and then automatically deleted. However, if not properly managed, this approach introduces significant security risks.
By unpacking the executable, an attacker can extract the password modification script. The stored password is often recorded in ASCII format, allowing it to be easily decoded into plaintext.
|
|
Obtaining the password essentially gives an attacker full access to each computer, representing a serious security vulnerability.
Bypassing Login Restrictions and Gaining Elevated Privileges Using WinPE
To gain full administrative privileges or access to hard disk files, if BitLocker is not enabled on Windows, tools like WinPE (such as USBOX 7.0) can be used to bypass login restrictions and directly modify or extract relevant files.
Once accessing the system through WinPE, open the Command Prompt, back up the Magnify.exe file, and then replace it with the Command Prompt (cmd.exe).
|
|
Restart the computer and access the Windows login screen. Click on Ease of Access in the lower-right corner, select and launch Magnifier. At this point, the system will open cmd.exe and execute it with SYSTEM privileges.
Next, execute the following command to enable the local Administrator account and set the password to MY_NEW_PASSWORD
:
|
|
Once successful, restore the system files:
|
|
Restart the computer and log in as Administrator to perform the desired tasks.
Make sure to verify if the system has written any related scripts during reboot. Some scripts may clear all users under the Administrator account upon login. Therefore, it is recommended to disconnect the network during this process.
To prevent this type of WinPE access to system files, enable BitLocker encryption to protect the disk contents from being accessed via WinPE.
Cookie Authentication Vulnerability
Some websites use Cookies to authenticate user login sessions, which can pose a security risk.
As previously mentioned in the article “CVE-2024-9970: Vulnerability Analysis of Privilege Escalation in NewType FlowMaster BPM Plus System”, a system used Cookies to authenticate identity, where the user ID was stored in the Cookie in Base64 encoding. Due to the lack of proper verification and preventive measures, an attacker can easily impersonate other users by modifying the ID in the Cookie.
Most implementations follow this process:
- User login authentication: The user submits credentials (such as username and password), which the server validates and then generates a unique session token or JWT, potentially containing the user ID and other identity information.
- Credential processing and transmission: The server sends the token to the client via Cookie. Modern secure implementations encrypt or digitally sign the Cookie contents to prevent tampering.
- Subsequent request validation: The user’s browser automatically sends the Cookie in subsequent requests, and the server verifies the legitimacy, integrity, and validity of the token to confirm the user’s identity and permissions.
- Security attribute configuration: To prevent risks like Cross-Site Scripting (XSS) attacks, security attributes like HttpOnly and Secure are set on the Cookie, ensuring it can only be read by the server and transmitted only over encrypted communication.
The website in question writes the ASP.NET_SessionId
Cookie, which is generated and managed automatically by the ASP.NET Session management system. However, the final implementation introduces a security flaw due to custom security implementations.
Cookie Attack Techniques
After a user logs into a website, the server and client authenticate the user through Cookies, which effectively act as a digital identity card. If an attacker can steal the Cookie, they can impersonate the user, bypassing password verification and gaining access to protected system resources.
There are several ways an attacker can obtain a user’s Cookie, including:
- Exporting and importing through browser extensions
- Man-in-the-Middle (MiTM) attacks
- Cross-Site Scripting (XSS) attacks
- Local access or related tools
- Others…
Due to the fact that most websites do not actively verify changes in the user’s device or environment, stolen Cookies are often difficult to detect. To reduce the risk of Cookie leakage, it is essential to ensure that the device is used only by the authorized user to prevent unauthorized access. Advanced protection measures include installing antivirus software to prevent malicious software from tampering with the system’s root certificates, which could lead to the interception or theft of sensitive data.
Insecure API Authentication Mechanisms Leading to Unauthorized Access and Data Tampering
In API design, some websites overly trust client-provided credentials without conducting strict backend verification, allowing attackers to bypass the authentication mechanisms and perform unauthorized access or data tampering, severely compromising system security.
Such API request contents can be intercepted and modified using tools like Fiddler AutoResponder or the browser’s built-in Developer Tools, which allow attackers to locally overwrite requests or responses, influencing the server’s handling and creating security risks.
To ensure API security, the following measures should be implemented:
- Backend validation: All requests should undergo complete validation by the server, rather than relying solely on credentials provided by the client.
- Request signing: Use HMAC, JWT, or other encryption mechanisms to ensure the integrity and authenticity of API requests, preventing tampering.
- Response integrity validation: Perform integrity checks on response data to prevent attackers from intercepting and modifying the response content to deceive the system.
API design should prioritize security to minimize the risks of unauthorized access and data tampering, ensuring the safety of system and user data.
Below are three possible API security flaw cases for reference:
API Authentication Vulnerability Leading to Unauthorized Privilege Escalation
A website’s login mechanism relies on a backend API for identity verification and returns results to enable specific features. However, the system completely depends on the API response to determine the page display status. As a result, attackers can intercept and modify the API response to gain unauthorized administrator privileges, leading to privilege escalation or data leakage.
Missing API Parameter Validation Leading to Price Tampering Vulnerability
In an online ordering platform, when users add items to their shopping cart, the frontend sends an API request containing price, product ID, and other information. However, the API does not perform server-side validation on the price parameter, nor does it encrypt the request content. As a result, attackers can intercept the API request and manually modify the product price, allowing the transaction to be completed at a price lower than the actual one, causing revenue loss.
Insufficient Email API Field Validation Leading to Sender Forgery Vulnerability
A website’s “Export Report” feature allows users to send reports via API to a designated email address. In the original design, the API’s default sender is admin@google.com
, while the recipient is specified by the user. However, the API allows clients to directly submit sender and recipient email addresses, and the backend does not restrict changes to the sender field. As a result, attackers can forge the sender identity and impersonate any email address to send malicious emails.
The above cases highlight the severe risks posed by weak API authentication mechanisms. Therefore, enterprises should ensure the following when designing APIs:
- Robust authentication mechanisms to prevent credential tampering and identity spoofing.
- Integrity protection of requests and responses to safeguard against malicious data tampering.
- Critical parameters should not be directly controlled by the client to minimize business risks and attack surfaces.
By implementing comprehensive security mechanisms, enterprises can significantly reduce the cybersecurity risks posed by API vulnerabilities and ensure the security of systems and user data.
Conclusion
As digitalization progresses, hacking techniques continue to evolve, yet many enterprises and individuals still overlook basic cybersecurity measures, making systems vulnerable to attacks. Issues such as weak passwords, domain management vulnerabilities, Cookie-based Privilege Escalation, and API validation flaws all stem from insufficient security awareness and inadequate protection mechanisms.
To mitigate risks, the following measures should be adopted:
- Strengthen authentication: Use strong passwords, enable two-factor authentication (2FA) to prevent account theft.
- Ensure domain and permission security: Encrypt management scripts, limit high-privilege account access, and prevent unauthorized actions.
- Enhance Cookie and session management: Set HttpOnly, Secure flags, implement Session Timeout, and reduce the risk of credential theft.
- Never trust client-provided data: All client-side inputs (API requests, Cookies, URL parameters, form data, etc.) should be validated and filtered on the server-side, protecting against SQL injection, XSS, privilege escalation, and other attacks.
- Choose secure system solutions: Avoid using low-cost, unsupported systems and regularly conduct security tests to ensure compliance with cybersecurity standards.
- Enable BitLocker encryption: Prevent the theft of disk data through WinPE or physical access.
Cybersecurity is an evolving risk management process; enterprises and individuals should establish long-term defense strategies, regularly test for vulnerabilities, monitor for anomalous behaviors, and enhance cybersecurity awareness to ensure the safety of data and systems.