
Web Application Hacking Techniques Part - 1



Why it is important to learn Web Hacking

Introduction

Welcome to the web application hacking techniques workshop. In this module, we will discuss why it is important to learn web application hacking techniques and what happens when organizations leave their web applications vulnerable. We will also walk through web application workflows and the different attack vectors used against web applications.

This workshop will also demonstrate actual attacks against web applications and highlight the top vulnerabilities that exist in them.

Prerequisites

Since this is an advanced topic, you will be expected to already understand the following topics and to have some experience in the field of Information Technology. This is not a beginner’s workshop; however, we will try to cover everything from the beginning as much as we can.

• Knowledge of TCP/IP protocols
• Sound knowledge of HTML & SQL
• Basic knowledge of how web applications work
• Prior knowledge of or experience with basic vulnerability concepts
• General programming concepts in any computer programming language

If you don’t understand the above topics and still want to learn web application hacking, you are welcome!

The Trend

If you think hacking is an easy job, then you are mistaken. I do believe it was a really easy job a couple of years back, but with the increase in awareness about information security and the rise of security products, like intrusion detection and intrusion prevention systems, it is now much more difficult to hack into any system in the enterprise.

What penetration testers used to do was simply compromise systems that were unpatched, misconfigured or simply not hardened. Now, you have fully patched systems, proper change management, security awareness training for staff, and a boom in industry-recognized information security certifications, like CISSP, CEH, CHFI, LPT, CCIE, and many more.

Life was easy for penetration testers when penetration testing was simply the use of publicly available exploits against well-known websites, cutting-edge penetration testing tools, like Metasploit or SARA, and network or vulnerability scanners, like nmap and Nessus.

But these days, the trend has changed. If you only do port scanning and run vulnerability scans and think you are an expert in penetration testing, you are definitely mistaken. Such tasks are now trivial; mostly newcomers do them when starting a career in penetration testing, or you could say that running such scans is a script kiddie’s job.

In other words, organizations now have dedicated staff to analyze the security health of the enterprise, and for this they hire security professionals whose job is to protect the organization’s information.

Existence of Web Applications

Why are organizations concerned about the security of their networks and information? What is it that they want to protect, such that they invest a heavy budget in information security every year?

There are two common answers to the above questions:

• Reputation & Customer Relations
• Business is Internet Driven

Reputation & Customer Relations

This depends on the nature of an organization’s business; financial institutions and multinational organizations are more concerned with their reputation. In fact, if a bank’s online banking system is compromised, will you go and open an account with them? Probably yes, but only if you are not aware of such incidents!

Business is Internet Driven

E-commerce is booming and it’s a hot market. Such organizations’ business is totally dependent on the Internet. Hence, they are much more concerned with the security of their web applications. If eBay or Google is down for a day and customer information is stolen, then the business will definitely be affected.

What happens next?

In such scenarios, what usually happens is that the organization has a publicly exposed web application that is important for running the business and for presenting ease of use to potential customers, depending on the organization type.

Organizations that are connected to the general public via the Internet are more exposed to hacking and, hence, they need someone who can tell them how secure they are and put the required controls in place to protect them.

Even organizations that don’t run an online business still need web security, because in today’s business the majority of organizations, though not all, have an Internet presence in the form of a company website, which serves as their first contact with people and presents the company’s information.

What happens if you don’t secure your Web Applications?

  Web applications are the number one target of choice for attacks by hackers.

   The 2010 Verizon Data Breach Investigation Report confirms that the majority of breaches and almost 95% of the data stolen in 2009 was perpetrated by remote organized criminal groups hacking “servers and applications.”

    What happens when organizations don’t care for the security of the web applications and lack adequate protection and security for their websites?

• Theft of data
• Malware infection
• Loss of consumer confidence
• Failure to meet regulatory requirements

   Research confirms that 83% of websites have at least one serious vulnerability. No company today can afford the reputation that its web applications are vulnerable to hackers. And with many states, the federal government, and the payment card industry mandating full disclosure, it is unrealistic and extremely risky to merely hope that a hacker will attack someone else’s website.


Web Hacking Incident Database (WHID) Stats


The above stats show the reported web hacking incidents in 2014. The full list is larger and records around 1462 incidents so far in the current year. You can access the data via the link below.

https://docs.google.com/spreadsheet/ccc?key=0AvaknFl7LiV2dHRLNEVoNks4YlJuZ1JIWHhyaG5OM2c&usp=drive_web#gid=1

A consultant said: “An unprotected website is a security risk to customers, other businesses, and public/government sites. It allows for the spread and escalation of malware, attacks on other websites, and even attacks against national targets and infrastructure. In many of these attacks, hackers will try to harness the combined power of thousands of computers and sites to launch these attacks, and the attacks rarely lead directly back to the hackers.”

Web Hacking Facts & Figures

• 75% of breaches resulted from external threats, while just 20% were caused by insiders
• 81% of affected organizations subject to the Payment Card Industry Data Security Standard were found to be non-compliant prior to being breached
• 53% of stolen data records came from organizations using shared or default credentials
• 83% of hacks were considered avoidable through simple or intermediate controls

Figures from the latest Web Hacking Incidents Database Annual Reports

• 30% of the 57 attacks were carried out by SQL injection.
The most common style of attack was SQL injection, which involves entering commands into Web-based forms or URLs (Uniform Resource Locators) so that they are executed by the back-end database, either to return the data it holds or to plant malware that infects the computers of visitors to the site.

• The second most common attack was cross-site scripting. A cross-site scripting flaw can allow data or malicious code to be drawn from another Web site, which can potentially cause a data breach.

• Government, law enforcement and political Web sites were the most targeted categories of hacked Web sites. The second most common motivation was stealing sensitive information, seen in 19% of the hacked websites, followed by planting malware (16%) and causing monetary loss (13%).

The remaining attacks caused website downtime, planted worms, or were linked to spam and information warfare.
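The two attack classes that lead the WHID figures above, SQL injection and cross-site scripting, both come down to the same root cause: untrusted input from a form or URL is pasted into a language the server or browser then interprets. The following Python example, added here and not part of the original workshop, puts the vulnerable handling beside the hardened one for each. Function names, the in-memory SQLite table and the sample accounts are all constructed for illustration.

```python
import html
import sqlite3


def build_sample_db():
    """Create an in-memory database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed, not real data
    )
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable lookup: form input is pasted straight into the SQL text.

    Because the input becomes part of the statement, a quote character in it
    changes the statement's structure instead of being compared as data.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Hardened lookup: placeholders send the input separately from the SQL.

    The database compiles the statement first and binds the values afterwards,
    so the input can never be parsed as SQL.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def render_greeting_unsafe(name):
    """Vulnerable output: untrusted text is inserted into HTML verbatim, so any
    markup in it is interpreted by the browser (cross-site scripting)."""
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    """Hardened output: html.escape turns <, >, &, " and ' into entities, so
    the input is displayed as text rather than interpreted as markup."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def sql_input_reaches_parser(conn, username):
    """Review check: feed a legitimate name containing an apostrophe to the
    unsafe lookup. A syntax error proves the input is being parsed as SQL."""
    try:
        login_unsafe(conn, username, "irrelevant")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_sample_db()
    # Normal use: both lookups behave the same.
    print(login_unsafe(db, "alice", "s3cret"), login_safe(db, "alice", "s3cret"))
    # A legitimate apostrophe breaks the concatenated query but not the bound one.
    print(sql_input_reaches_parser(db, "O'Brien"), login_safe(db, "O'Brien", "x"))
    # Input that comments out the password check in the unsafe query is simply
    # an unmatched username for the safe one.
    print(login_unsafe(db, "alice' --", "wrong"), login_safe(db, "alice' --", "wrong"))
    print(render_greeting_unsafe("<b>x</b>"))
    print(render_greeting_safe("<b>x</b>"))
```

The apostrophe check is the cheapest signal a code reviewer or tester has: if a perfectly ordinary name like O'Brien produces a database error, input is reaching the SQL parser and the query must be rewritten with bound parameters. For output, escaping at the point where text is written into HTML is what keeps a stored name from becoming part of the page’s markup.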

The causes of data breaches

• Negligent insiders – 75%
• Outsourced data to vendors and other third parties – 42%
• Malicious insiders – 26%
• Social engineering – 2%
• Hackers – 1%

40% of Web hacking incidents are aimed at stealing personal information, with 67% of all attacks being profit motivated, according to the Web Hacking Incidents Database project report for 2007.

Gartner has stated that 75% of all attacks on web sites and web applications target the application level and not the infrastructure.

NTA Monitor’s 2008 Annual Security Report revealed that the average number of vulnerabilities found per test has increased to 21, compared with 19 in 2007.

All of the top 10 high-risk flaws are associated with services that are being made available to Internet users, demonstrating that with increased functionality comes the threat of reduced security.

Web applications are easily accessible targets for the hacker community, although what is attacked depends on the attacker’s motive and goal. However, even if you think there is nothing of value on your organization’s website, your online reputation is still there, just a click away from hackers!

That said, risk factors should be understood in order to build and maintain an effective website security program. It is recommended to integrate web application security into an organization’s overall security planning. Web application risk management requires ongoing attention to the risks organizations face.

Summary

If you want to become an expert in ethical hacking and penetration testing, merely using the tools available on the Internet does not make you one. You should learn web application hacking and be thorough in the top ten web application vulnerabilities commonly found in the market.

Importance of Web Hacking for a Security Professional

We have already presented the stats, which highlight the proportion of web application hacks. These days, security products, like Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in combination with firewalls, play a smart role in protecting the organization’s network. However, these devices are configured to allow you to access the organization’s web applications. So your easy way in is always the web applications that are exposed on the Internet. If you don’t know how to hack into web applications, then you are not the industry’s choice for hire as an ethical hacker or a penetration tester.

In order to protect web applications, you should first know how to hack them.

