Common methods to hack a website

Gone are the days when website hacking was a sophisticated art. Today anybody can get on the Internet and start hacking your website. All that is needed is a search on Google with keywords like “how to hack website”, “hack into a website”, “Hacking a website”, etc. The following article is not an effort to teach you website hacking; it is meant to raise awareness of some common website hacking methods.

SQL Injection:

SQL Injection involves entering SQL code into web forms, e.g. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.
When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.

In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.
Suppose we enter the following string in a User name field:

' OR 1=1 --
The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username = 'USRTEXT'
AND password = 'PASSTEXT'
…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering ' OR 1=1 -- as your username could result in the following actually being run:
SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''
Two things you need to know about this:
['] closes the [username] text field.
'--' is the SQL convention for commenting code, and everything after the comment marker is ignored. So the actual routine now becomes:
SELECT * FROM users WHERE username = '' OR 1=1
1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreak havoc.
Let's hope you got the gist of that, and move briskly on.
Brilliant! I'm gonna go hack me a Bank!
Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank.

But the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:
username field examples:
  • admin'--
  • ') or ('a'='a
  • ") or ("a"="a
  • hi" or "a"="a
… and so on.
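
The login query shown above, rebuilt against a throwaway in-memory SQLite database with the string-concatenated version beside a parameterized one. This is an added example, not code from the original article; the table contents, function names and the `alice` account are constructed for illustration.

```python
import sqlite3

# Strings quoted in the article above, typed as plain ASCII.
ARTICLE_STRINGS = ["' OR 1=1 --", "admin'--", "') or ('a'='a",
                   '") or ("a"="a', 'hi" or "a"="a']

def make_db():
    """In-memory users table holding one constructed sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to mirror the article's query.
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, usrtext, passtext):
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = ("SELECT * FROM users WHERE username = '" + usrtext +
           "' AND password = '" + passtext + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # Unbalanced quotes or brackets make the statement invalid. A site
        # that shows this error to visitors is exposing the same weakness.
        return False

def login_param(db, usrtext, passtext):
    """Hardened: placeholders keep the input as data, never as SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (usrtext, passtext)).fetchone() is not None

def compare(db):
    """Map each article string to (concatenated result, parameterized result)."""
    return {s: (login_concat(db, s, ""), login_param(db, s, ""))
            for s in ARTICLE_STRINGS}

if __name__ == "__main__":
    for text, (weak, safe) in compare(make_db()).items():
        print(f"{text!r:20} concatenated={weak!s:5} parameterized={safe}")
```

Which strings get past the concatenated version depends on how that particular query is quoted and on what rows exist; none get past the parameterized version, because the input never reaches the SQL parser.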

Cross site scripting ( XSS ):

Cross-site scripting or XSS is a threat to a website's security. It is the most common and popular method of hacking a website to gain access to information from a user on a website. There are hackers with malicious objectives who use it to attack certain websites on the Internet, but mostly good hackers do this to find security holes in websites and help their owners find solutions. Cross-site scripting is a security loophole on a website that is hard to detect and stop, making the site vulnerable to attacks from malicious hackers. This security threat leaves the site and its users open to identity theft, financial theft and data theft. It is to website owners' advantage to understand how cross-site scripting works and how it can affect them and their users, so that they can put in place the security measures needed to block cross-site scripting on their website.

Denial of service ( DDoS attack ):

A denial of service attack (DoS) is an attack through which a person can render a system unusable, or significantly slow it down for legitimate users, by overloading its resources so that no one can access it. This is not actually hacking a website, but it is used to take down a website.
If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack. This is one of the most used methods for website hacking.

I recently wrote an article on Hack a website using denial of service

Cookie Poisoning:

Well, for starters I can begin by saying that Cookie Poisoning is a lot like SQL Injection.

Both have 'OR'1'='1 or maybe '1'='1'

But in cookie poisoning you begin by alerting your cookies (displaying their current values).


Then you will perhaps see "username=JohnDoe" and "password=iloveJaneDoe".

In this case the cookie poisoning could be:

Javascript:void(document.cookie="username='OR'1'='1"); void(document.cookie="password='OR'1'='1");

There are also many versions of this kind, for example





and so on...

You may have to try 13 things before you get it completely right...
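
The server-side counterpart to the cookie edit above: an identity value in a cookie is only accepted if it carries a MAC the server issued, so a value changed in the browser is rejected before it reaches any query. This is an added example, not code from the original article; the cookie layout (`username=…; sig=…`), the function names and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a random key that lives only on the server.
SERVER_KEY = secrets.token_bytes(32)

def _tag(username, key):
    """HMAC-SHA256 over the username, hex encoded."""
    return hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()

def issue_cookie(username, key=SERVER_KEY):
    """Build the cookie value sent after a successful login.

    Only the username is stored; a password never belongs in a cookie.
    """
    if ";" in username or "=" in username:
        raise ValueError("username contains a cookie delimiter")
    return f"username={username}; sig={_tag(username, key)}"

def parse_cookie(header):
    """Split 'a=b; c=d' into a dict, cutting each pair at its first '='."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs

def verify_cookie(header, key=SERVER_KEY):
    """Return the username if the signature matches, otherwise None."""
    pairs = parse_cookie(header)
    username, sig = pairs.get("username"), pairs.get("sig")
    if username is None or sig is None:
        return None
    expected = _tag(username, key)
    # Compare as bytes: compare_digest rejects non-ASCII str input,
    # and the signature field is attacker-controlled.
    if not hmac.compare_digest(expected.encode(), sig.encode("utf-8")):
        return None
    # A verified username is still passed to SQL through placeholders.
    return username

if __name__ == "__main__":
    good = issue_cookie("JohnDoe")
    edited = good.replace("username=JohnDoe", "username='OR'1'='1")
    print(verify_cookie(good), verify_cookie(edited))
```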

Password Cracking
Hashed strings can often be deciphered through 'brute forcing'. Bad news, eh? Yes, and particularly if your encrypted passwords/usernames are floating around in an unprotected file somewhere, and some Google hacker comes across it.
You might think that just because your password now looks something like XWE42GH64223JHTF6533H in one of those files, it means that it can't be cracked? Wrong. Tools are freely available which will decipher a certain proportion of hashed and similarly encoded passwords.

Know more about Brute force attack

A Few Defensive Measures

* If you utilize a web content management system, subscribe to the development blog. Update to new versions as soon as possible.
* Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
* Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
* If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
* Enter some confusing data into your login fields, like the sample Injection strings shown above and anything else which you think might confuse the server. If you get an unusual error message disclosing server-generated code, then this may betray vulnerability.
* Do a few Google hacks on your name and your website. Just in case…
* When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes.



  1. which is the best method to hack a website and don't being traced.

  2. hello sir can we get caught by doing DOS attacks from our home pc ???

    1. Yes..DoS attacks are childish. Why get caught taking something down when you can steal information that might be useful. I understand most people DoS a website because they oppose what they stand for but there are ways to hide your DoS attacks through tor like The j35t3r

    2. yes why not i have 3 crime with cyber in pk

  3. @King Adnan Anjum
    I think the best method is Sql injection and you can get traced for all above methods if you dont use a Proxy

    Yes you can get caught by Doing a DDos attacks,As long as you do it on your site then you have no problem

  4. Hellow sir,
    My name is Muhammad Irfan.
    I want to ask you that in order to apply all the above methods I think it will be better for me to creat my on website and do practice. I know how to develop a website but the problem is that I don't know how to upload it on the internet. Please guide me in this matter. Thanks.

  5. hello rafay plz teach me how 2 hack yahoo id this is my id plz add me

  6. hello sir m a networking student i want to get some tips about hacking website.and most important question for me can we get into or hack server from out client computer in LAN.plz send me my answer my email acount. " " it is just for learn not for harm purpose.

  7. sir i hav 2 questions?
    1) can v hack a website and change data there with out anyone being known abt dat?
    2) do the administrators keep copies of data placed on a website and use that copies for further use OR
    they always use the data placed on website for further use?

  8. Hi, this is nice post, but really i dont read this post to hack some one website! I read some kind of this stuff, so that I can save my things from getting being hacked.
    and i just bookmarked the site, and will keep my self updated with more info.

  9. @USI
    I am very glad that you do so. As lots of people read these kind of articles to damage other belongings.

  10. sir please teach me clearly to hack a id is

  11. Really nice Work... Mr.Rafay. Not only for this post but over all activity on this blog is awesome. Still there are some posts which can be expand further with some more details. Cheers for all good work done by you.....\m/

  12. In addition to Rafay's post, it is very important that we don't leave vulnerabilities in our code; this SQL injection attack can easily be defended by putting some checks in your code. Other than that I want to draw your attention towards infostealers that are more popular these days. Such malware can easily steal your information like Hotmail account info, messenger IDs or your banking information. It is important that we use Gmail or such services which use IPsec or HTTPS that sends encrypted traffic over the wire despite Hotmail in plain text.
    Trust me, you won't need any anti virus program if you take care about small things.

    Security Engineer

  13. @Faheem
    Faheem, you are absolutely right that SQL injection attacks can be prevented by putting some checks in the code. About the infostealers, HTTPS will prevent the majority of attacks but not all of them. You see, there is a tool called Firesheep commonly used for session hijacking, which will even work if HTTPS is enabled, because an end-to-end encryption is required.

  14. Actually m creating my own website from Visual Studio, Access as DB. and this ' OR 1=1 logic clearly got successful. But in most of other company's website they are using sql server as DB. Still they didn't allow me access in it. Means this logic not get successful in all condition.

  15. Plez hw cn i communicate wth u Rafay, plez i jst wnt 2 lern many tings frm u, plez! ur an exprt kk
    mi emal add is & i've alredy sbcrbed, kk

  16. hi...just wanted to know if we can get the ip address of an orkut user,when the profile has not been used for approx. 6 months

  17. i wntd 2 knw hw 2 change mi ip addrss evn whn jst do'in a test'in hck'in (WEBSITES). tat iz mi only drawbck plz!?

  18. hi i want to learn hacking..........

  19. @Rafay baloch...
    well you know if you even behind a vpn..then also you can be traced..
    and you just tell the methods you should give a good brief description on especially .sql, xss ,lfi and rfi ..

  20. Prof3ssional HaCk3r, February 2, 2011 at 11:16 PM

    Rafay Its for Beginners brother keep it Im founder of PCA-HR (PAK CYBER ARMY HACKER RULEZ Group)..............

  21. Someone has tried to change our passwords-

    How can they do this as it is a server we dont control -


  22. aslam o alikum
    my name is shahzad from okara pakistan
    i want to hack a web site , can any person help in this situation.
    i m very thank ful to him if any suggest me. my cell no is +92 315 3934230. and yahoo id is

  23. can some1 hack a site for me?

  24. Is there a great book about SQL injection? your feedback will be very appreciated gentlemen! ;)

    Great article in here btw

  25. My Name Is Kashif Qadeer from Lahore.
    I Want to learn hacking.
    Anybody wanna teach me.


  27. sir my name is sachin

    i do not understand where and how to use this sql injection, i am very exited to hack my own website
    please help me

  28. hello rafay.
    i have found this site via google and already bookmarking. waiting for easy hacking tutorial. ex. easy method to hack wordpress/joomla
    not for harm people, just for learning purpose
    kind regard.

  29. Its really interesting and thanks for helping on how to hack a website.

  30. I am new to Affiliate Marketing. I started out by using ClickBank. However, I have gotten no orders and feel that I have done all there is to do in order to get business. I have read many e-mails telling me that they can exploit ClickBank, Commission junction, FaceBook and others to intercept orders. I believe they can even incept orders where the URL is hidden such as How do they do this and how can I stop it?

  31. This is definitely a topic thats close to me since we are into website designing ,so Im happy that you wrote about it. Im also happy that you did the subject some justice. Not only do you know a great deal about it, you know how to present in a way that people will want to read more

  32. My name is bharath and Im new to this Site Some pls tell me how to hack a website..... Like changing the content or picture in that website Like these hacking techniques.... Pls tell me plssss.
    If anyone likes to help me pls contact my id.

  33. I wanted to thank you for this excellent read!! I definitely loved every little bit of it.Cheers for the info!!!! & This is the perfect blog for anyone who wants to know about this topic. You know so much its almost hard to argue with you .........

  34. I think you have more knowledge about hacking sites. Can you hack any site?

  35. i would want a full explanation on basic a thing that fascinates a networking will help me go a long is all dat matters

  36. sir i have tried ur sql injection hack process on my coll website
    when i entered (' OR 1=1 — ') in username and (') in password its giving an error as right paranthesis missing
    please help me out in this

  37. i appreciate your work sir..

    Thanks for making this perfect blog for anyone who wants to know about this topic.

  38. hellow , can u teach me how to browse free of charge with my zantel modem and via phone u can rch me via email

  39. Hello sir...i don't understand hack system...plz give easy instruction of hack....

  40. Nice information is provided through this blog and it is nice to visit this blog and the information provided here. It is an educational blog which increase our information and news.

  41. want a website we can make it for u!!!
    Come and join us!!!!!!
    see mine

  42. Its quite confusing but interesting !! Thats a huge task ifever to know it completely.

  43. i saw a book on the books.goolge and i want to get the book for free. please revert to me

  44. Hello sir,i want to hack a website which has a dns server and i know that from which city it is but it is showing its location from washington or from chicago i am in a very big confusion please help me out

  45. Hello sir iam a small lad of 15 years and i want to hack a website.
    but iam not able to crack its firewall can you please help me.

  46. hello frndss and mr admin i want to hack my college website so can u please tell me how to do it.........
    my email id is

  47. Am from Kenya and want to learn how to hack and crack passwords. Am a programming student My email id is if you are willing to help Email me I will be more than grateful

  48. SO many people asking to learn to hack websites. Guy's its not just a simple 2 lesson course and your immediately a hacker than can break past any encryption and security software thrown at you. It takes many years of studying networks, learning how firewalls are set up and how they act, how web servers respond to queries etc etc. Guys don't ask because people that know how to Dont have the time to teach any script kiddy.

  49. Pretty great publish even i may possibly say that complete internet website is wonderful. I preserve knowing new problems every one and just about every solitary evening from publish like these. extraordinary things!

  50. I'm really impressed that there's so much about this subject that's been uncovered and you did it so well, with so much class. Good one you, man! Thanks for the post on tire.

  51. hi to everyone i want to learn hacking a website or a blog.. can anyone teach me how to do it.. its highly appreciate for your help.. email me long live to hackers!!!!!

  52. Hi this post is really nice and looking to learn more. Frankly speaking I need more guide and don't think this much thing will help me as I am Zero in this field.

  53. sir, can you teach how to hack this site this is my e-mail thnk!

  54. hellow respected sir my chat site has been hacked can u give me some tips to distrub the hacker am totly pist off plg plg plg is off ftf server my site is email me

  55. Can my bf spy on my gmail chats if he doesn't know my secret account? I don't use my own pc

  56. hmm this site is really amazing and familiar to me, i am impressed by this site and really gonna share this site to my friends.

  57. want banks guide and more informations.....go to visit our site

  58. fantastic post and Thanks for sharing this info. It's very helpful.
    web agency brussels

  59. These kind of post are always inspiring and I prefer to read quality content so I happy to find many good point here in the post, writing is simply great, thank you for the post

  60. want to know easier way to hack then dis is what u want.
    also earn free money....hahahaha....\oo/

  61. How do i hack a website with no input?

  62. Live Chat Application is a powerful tool that helps you talk to your website visitors and convert them into customers.

  63. Great thoughts you got there, believe I may possibly try just some of it throughout my daily life...

    Email Database

  64. Thank you for the info. It sounds pretty user friendly. I guess I’ll pick one up for fun. thank u...

    Email Database

  65. If someone wants to do something good . Hack this server and delete everything . No worries this is a illegal Cardsharing server and the Hoster dont want to do anything against it .

    Cardsharing server ip by Hetzner open ports

  66. These comments are funny, teach me how to hack and all that. its not something you will learn over night, hackers taking down websites or changing them can take days not a few mins, i see a few people here wanted to take down a website, maybe LOIC myt do that for you if you and others can arrange something lol.

    but pretty good info about this, defo not for educational for some people :P

  67. Can you please help to hack the following website?

    I would love to add text that tells these assholes they are a bunch of losers who are too lazy to get a real job and exploit animals who cannot speak for themselves. Maybe bringing down their site too?

  68. hello sir

    i want to download a database of a website. i am using httrack website copier but it fails while downloading. please suggest me the best software to download website for offline browsing.
    website is

  69. hello sir i want to know how to hack into a blog facebook site..ive tried a lot of methods but never worked...its blog here in school..
    how to i do it..

  70. ...nice tutorials,..i have visited hack forums,..i did try diff. way of hacking...many failed,..because the last steps,..also did failed,..some hackers have hacked the site already bfor i got it ..jejejeje....

  71. i wan't to hack a joomla based site,..can i ask some help Sir,..needing your Advice,..plz' tell me some tricks,..com_user&view=reset&layout=confirm doesn'n work at all,..they have improve and sanitized the filters..< " '> $JGAGFS$$ etc. it does not work,... here is my-

  72. Hi i need help :D I want to hack a site, and i don't know how. i need user and pass od the admin. How to get them? Thanks

  73. looking for someone to destroy a website I pay for

  74. Hello Sir!! i hv read all your articles...all were really useful....i m stuck hacking a website whose URL ends with .net/admin_login.aspx ... plz help me as soon as possible ... speaking frankly that is my website which is hacked by someone and i want to recover it without anyone know that my site is hacked...that will bring shame to me.... i hv made that site for some tutorial classes students... if u want further more about the site plz let me know thnQ!

  75. hello Sir,
    please teach me how to hack or bypass in cyberoam??

  76. Hello Sir, I am MD SHAMMI.I want to know about third party website source code Download/hacked.
    Please Help Me.


  77. Hi i have created my wordpress blog which is so nice and looking so beautiful.And i have created its profile.Sgt. Hack Blob

  78. What a nice blog commenting you have share about this site and mostly people like this comment.Wedding Ring in singapore

  79. what a nice site you have send for this site.Proposal Ring

  80. Hey....I want to block out and hack two blogs....can you help me with it???

  81. Thank you very much for sharing this informative post. Hacking is an art to break into the password protected sections of the website. After entering into the website, the hacker can do anything.

  82. If you want to ddos DONT USE UR HOME CONNECTION!
    use a WAY stronger method! is fucking awesome! I took down DdoS protected sites even!

  83. Do you require the services of a pro hacker? Contact us at

  84. can u please show me tricks and hacks for premium accessing the digital libraries for thesis research, i need to access them for articles
    such as springerlink, jstore, emerald, elesiver, science-direct etc etc
    please help me out
    u can contact me on my email

  85. its possible hack joomla 2.5 website? sample:

  86. Pls sir, teach me step by step on how to hack into any website without being traced! Send to

  87. Hack these assholes! Good practice ;)

  88. Hi, everyone, just thought I'd share this guy's contact with you guys as I noticed a lot of you need hackers for one thing other, this guy's helped me graduate, catch my cheating ass girlfriend and even helped my colleague clear criminal records, here's his contact just in case anyone need it,, he might be reluctant to help as hacking is illegal but don't worry, just say you're from Mr. Bonds, good luck people.

  89. The chopping is for those people who think that the presidents of the world make only shit. If thus somebody causes a world war like Obama, Kim Yong Yun or Putin, it will be the hackers who save the world.

  90. Thanks for this article, please tell a good wordpress plugin for protecting it from Dos attack and from SQL injection & also tell is there any automated SQL injection tool that can hack a website?

  91. Asslam O Alikom.....

    Uncle Can You teaCh Me Sql InjeCtion ... Step By Step Please I 'll Pay For that ..

    My Email :

  92. Thank you very much for sharing this. I like it and hope that you continue posting. adult dance classes atlanta

  93. Hi< script >alert("Hello")< / script >



Rafay Baloch is an independent security researcher, Internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal, for which PayPal awarded him a sum of 10,000$.


RHA © 2013. All Rights Reserved.