One way to beat the hackers is to try and join them

So you think you have a safe website? You might have to think again

So you think you have a safe website? You might have to think again. After a single day attending a class in hacking, even I, a coding nincompoop, can do some pretty snappy digital delving into the unintentional back doors and unguarded gateways of a website.

Thanks to Extreme Hacking - a class offered by consultants Ernst & Young in the basics of cracking websites and in how to act as maliciously as possible once you get in - I learned about common hacking tools, the technicalities of how various attacks work and how to protect against them.

By the end of the class, I managed to drag forth user names, passwords, account numbers and balances from a credit union website by making use of common vulnerabilities.

Why is the well-known consultancy firm gleefully teaching its students to be so naughty?


"Because people don't really understand how hackers actually hack sites. If they do it themselves, it helps them to know how to write better programs, to know what to test for, and to protect their sites better," says Mr Daniel Quealy, director of security and technology solutions, Ernst & Young Ireland.

In other words, they're teaching those who design programs and websites how not to do their jobs.

Around a long table in a large meeting room in Dublin, 15 computer professionals lean in to look more closely at the innocuous credit union website on their laptop screens. Their job: find the vulnerabilities, exploit them, and see how much information they can prise out of the site and how much control they can gain over it.

Because of its short duration, the one-day Extreme Hacking course runs at an extreme pace. But even on this tight time schedule, class members are clearly shocked by how much sensitive information they can squeeze out of a website with only a day's instruction.

By late afternoon, we will find ourselves using - albeit clumsily and with lots of hints from our teachers, Mr Mike Harris and Ms Deirdre Hurley - sophisticated techniques such as "SQL insertion" and "cross-site scripting".

In a final exam on our new skills, most of us will be able to trick Ernst & Young's mock-up credit union site into giving us the kind of information that makes insurance companies panic.

However, such hacker glories seem far away at mid-morning, when everyone's head is swirling with the capabilities of cracking tools with names like Brutus, Achilles, N-Stealth and D-sniff.

The first lesson is in how to use these programs to determine details about a target system (so you know what tools to use against it) and how to "sniff" for unprotected computer "ports" (the vulnerable internet gateways in and out of a computer system).

Mr Harris instructs us in exploiting weaknesses in the way websites authenticate information flowing in and out of a site. Server software that handles Web pages is designed to respond to specific requests and verify that those requests are legitimate.

But without proper safeguarding, that process gives rise to numerous ways of tricking sites into giving up extra information that allows hackers to sneak in.

Key goals for hackers are to be able to get into the databases that hold critical information such as customer data and account passwords. They will also seek ways to take control of a computer system, to use it to delete information, conduct attacks on other computer systems, or grab storage space and bandwidth to run rogue sites, offering illegal copies of films, for example, or pornography.

"The point is, once you can get stuff up onto the Web server, the fun begins," says Mr Harris.

Hackers begin by trying to gather as much information as possible. This can be as simple as viewing the source code for a site, since some forgetful developers place sensitive data in "hidden" tags embedded in the code that aren't all that hidden. Those tags might reveal passwords, or give a hacker the ability to change pricing on an e-commerce website.

"This was a common error three to four years ago," says Ms Hurley. "A lot of e-commerce sites weren't realising how much information they were giving away in the 'view source' button on the browser."

Programs such as Achilles allow you to intercept all the requests made by your computer to a website, and all the data sent back from the site to your PC.

That can reveal useful information, such as passwords or usernames contained in improperly protected "cookies", the small text files websites place on a site visitor's PC to track an online session.

A prime goal is to see if the Web server also can be tricked into returning informative error messages.

We're set to test the technique against a Web page that is the front for a database full of information. To our amazement, the unprotected database lets us slowly reveal the names of database tables and subheadings and ultimately, the credit card contents of the table.

Initially, we need to use Achilles. But once we know the database is unprotected in this important way, we simply type extra detail into the site's URL in the browser, a technique called "string concatenation". It coughs up further revealing data.

Scripts - little programs that allow one website to send information to a related site - also can be tricked into returning error messages that reveal the vulnerabilities of a site. We try a lesson in using a "cross-site scripting" vulnerability that lets us go through an unprotected hole in the server, then stick our own script into the website.

"Very dangerous, as you can run any malicious script you want," notes Mr Harris.

Hackers can use this technique to get the username and password of anyone who logs on to the site, or to attack other websites, he says.

In most cases, all these exploits bypass firewalls and other protections so that the victim never even knows a site has been hacked.

How do you protect against such evils? Many developers never take their server software off weak default settings or "harden" the system with greater protections, he says. They also let unused features remain operational in the program, which increases the number of ways a hacker can get in.

Finally, "Validation, validation, validation," says Mr Harris. "You have to allow users to do only what you want and deny everything else. That's the only way to be safe."
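The two lessons above, a query built by "string concatenation" from whatever arrives in the URL, and Mr Harris's "allow only what you want and deny everything else", side by side as an added example; this is not code from the article or from the Ernst & Young course, and the accounts table, its rows and the account-number format are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for the mock credit union database.
_SCHEMA = """
CREATE TABLE accounts (account_no TEXT, owner TEXT, balance INTEGER);
INSERT INTO accounts VALUES ('1001', 'alice', 250);
INSERT INTO accounts VALUES ('1002', 'bob', 9100);
INSERT INTO accounts VALUES ('1003', 'carol', 42);
"""


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def lookup_vulnerable(account_no: str) -> list:
    """The weak pattern from the class: the URL parameter is glued straight
    into the SQL text, so anything the visitor types becomes part of the query."""
    conn = _connect()
    sql = ("SELECT account_no, owner, balance FROM accounts "
           "WHERE account_no = '" + account_no + "'")
    return conn.execute(sql).fetchall()


# Allow-list: an account number is exactly four digits (assumed format), nothing else.
_ACCOUNT_NO = re.compile(r"[0-9]{4}")


def is_valid_account_no(account_no: str) -> bool:
    """Validation step: accept only the expected shape, deny everything else."""
    return _ACCOUNT_NO.fullmatch(account_no) is not None


def lookup_hardened(account_no: str) -> list:
    """Validate first, then bind the value as a parameter so the database
    never interprets it as SQL, whatever characters it contains."""
    if not is_valid_account_no(account_no):
        raise ValueError("invalid account number")
    conn = _connect()
    sql = "SELECT account_no, owner, balance FROM accounts WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()


if __name__ == "__main__":
    tampered = "x' OR '1'='1"  # the classic textbook "extra detail" in a URL
    print(lookup_vulnerable("1001"))    # one row, as intended
    print(lookup_vulnerable(tampered))  # every row in the table comes back
    print(is_valid_account_no(tampered))  # False: the hardened path refuses it
```

The hardened lookup also lets the caller decide what to show on failure; returning the raw database error to the browser would recreate the "informative error messages" the class exploited.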