
Web Application Hacking Techniques Part - 2



Understand the Web Application Workflow

Introduction

  In this module, we will be focusing on web applications, including the types of web applications, how they are designed and how different types of web applications work. To successfully hack into a web application, you first need to understand how the web application works.

  In its simplest form, web applications are just applications that work over the web; they only require a browser, which can access them once it is connected to the Internet.

  From a web security standpoint, not all web applications are vulnerable to hackers; it depends on what type of web application it is and what type of information is available, both on the front end and on the backend of the web application. We will study this in more detail as we walk through the module.

Types of Web Applications

    Generally, there are two types of web applications, based on their design.

• Client Side
• Server Side

   Client side web applications are just static HTM/HTML pages. Basically, they do not perform anything dynamic; they simply execute on the client side (in the browser) and all the page resources load on the client’s side only.

   Server side web applications are a step ahead of client side web applications, as they execute on a central server and the page life cycle runs at the server end. This means that this type of web application performs some dynamic work and does some automation or processing for you. They are mainly designed to provide you with services. Normally, they have a backend database connected to them to do the required job.

Advantages of using Web Applications

• Ease of use as the end user just needs the browser and Internet access
• Platform independent, no dependencies on the operating systems
• End user is only provided with what the user is supposed to know
• No special requirements for installation
• Easy to update and maintain

Disadvantages of using Web Applications

• They are required to be available 24x7, or as the user requirements dictate; generally they are designed to give the user access whenever and wherever the user needs it.
• The main issue is the Web Application security, as they are required to be available 24x7, hence, security is required all the time.
• Users can easily copy the data and, if the web application has not been properly designed, data leakages occur very easily.
• Hackers love to hack web applications because they are easy access targets.
• If web applications get hacked, the reputational damage is huge.

Web Application Architecture

  Before we explain the design of a typical web application, let’s first understand the key components in the web application architecture.

• Client
• Web Server
• Data Sources

  The client is basically nothing but the browser used by the end user. Its job is to create HTTP requests for specific URLs which map to specific resources on the web server.

  The web server renders and returns HTML pages to the client, which the browser can display. The core of a web application is its server-side logic. Microsoft has presented the layered architecture of a typical web application, as shown in the figure below. It is based on a layered approach that distributes the components into three layers: presentation, business and data. This is just to give you more understanding of how web applications work and are designed.


  The presentation layer of your Web application displays the UI and facilitates user interaction. The design should focus on separation of concerns, where the user interaction logic is decoupled from the UI components.

  You should consider using separate UI components and presentation logic components in complex interfaces, and base your UI components on standard Web controls where possible. You can compile the controls into an assembly for reuse across applications, or if you need to add additional features to existing server controls.

Presentation Layer

  The presentation layer’s job is to display the user interface and give the user a way to interact with the application. However, the presentation logic usually lives in the server component, and the client component only displays the HTML.

Business Layer

  The point of introducing a separate business layer is to improve the maintainability and testability of the application, and to allow you to centralize and reuse common business logic functions.

Data Layer

  The key tasks of the data layer are to perform logic to access the database connected with the application. Using a separate data layer makes the application easier to configure and maintain and hides the details of the database from the other layers of the application.

Security Tips from Microsoft Library

• Partition your application logically. Use layering to partition your application logically into presentation, business, and data access layers. This helps you to create maintainable code and allows you to monitor and optimize the performance of each layer separately. A clear logical separation also offers more choices for scaling your application.

• Use abstraction to implement loose coupling between layers. This can be accomplished by defining interface components, such as a façade with well known inputs and outputs that translates requests into a format understood by components within the layer. In addition, you can also use interface types or abstract base classes to define a shared abstraction that interface components must implement.

• Understand how components will communicate with each other. This requires an understanding of the deployment scenarios your application must support. You must determine if communication across physical boundaries or process boundaries should be supported, or if all components will run within the same process.

• Consider caching to minimize server round trips. When designing a Web application, consider using techniques such as caching and output buffering to reduce round trips between the browser and the Web server, and between the Web server and downstream servers. A well designed caching strategy is probably the single most important performance related design consideration. ASP.NET caching features include output caching, partial page caching, and the Cache API. Design your application to take advantage of these features.

• Consider logging and instrumentation. You should audit and log activities across the layers and tiers of your application. These logs can be used to detect suspicious activity, which frequently provides early indications of an attack on the system. Keep in mind that it can be difficult to log problems that occur with script code running in the browser.

• Consider authenticating users across trust boundaries. You should design your application to authenticate users whenever they cross a trust boundary; for example, when accessing a remote business layer from the presentation layer.

• Do not pass sensitive data in plain text across the network. Whenever you must pass sensitive data, such as a password or authentication cookie, across the network, consider encrypting and signing the data or using Secure Sockets Layer (SSL) encryption.

• Design your Web application to run using a least-privileged account. If an attacker manages to take control of a process, the process identity should have restricted access to the file system and other system resources in order to limit the possible damage.
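As an added example (not part of the original post or of Microsoft's library), the sketch below puts the three layers from the tips above into a small Python program: the data layer sits behind an abstract façade, the business layer authenticates at the trust boundary and writes an audit record for every decision, and the presentation layer only renders what it is given. The account table, the session store and the audit list are constructed in memory for demonstration.

```python
import abc
import html
import sqlite3

# Data layer: the only code that knows about the database; the abstract class is the façade.
class UserRepository(abc.ABC):
    @abc.abstractmethod
    def find_balance(self, username: str): ...

class SqliteUserRepository(UserRepository):
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
    def find_balance(self, username: str):
        # Parameterised query: the username is bound as data, never spliced into the SQL text.
        row = self.conn.execute(
            "SELECT balance FROM accounts WHERE username = ?", (username,)
        ).fetchone()
        return row[0] if row else None

# Business layer: re-checks identity at the trust boundary and audits every decision.
class AccountService:
    def __init__(self, repo: UserRepository, sessions: dict, audit: list):
        self.repo, self.sessions, self.audit = repo, sessions, audit

    def balance_for(self, token, requested: str) -> int:
        user = self.sessions.get(token)
        if user is None:
            self.audit.append(f"DENY unauthenticated request for {requested}")
            raise PermissionError("not authenticated")
        if user != requested:
            self.audit.append(f"DENY {user} asked for {requested}")
            raise PermissionError("not authorised")
        self.audit.append(f"ALLOW {user}")
        return self.repo.find_balance(user)

# Presentation layer: renders HTML only from what the business layer returns.
def render_balance_page(service: AccountService, token, user: str):
    try:
        balance = service.balance_for(token, user)
    except PermissionError as exc:
        return f"<p>Error: {html.escape(str(exc))}</p>", 403
    return f"<p>{html.escape(user)}: {balance}</p>", 200

def build_demo():
    # Constructed in-memory accounts and one valid session token (demo data, not real).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    audit = []
    return AccountService(SqliteUserRepository(conn), {"tok-alice": "alice"}, audit), audit
```

The audit list stands in for the log sink the tips recommend; in a real deployment the same records would go to the application log where suspicious request patterns can be reviewed.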

Typical Deployment Structure of the Web Applications



     This is the typical deployment structure of web applications: they simply run behind the firewall, which is relied on as the security mechanism. The application layer is developed using Active Server Pages or some other dynamic programming language, which connects the database to the application and performs the necessary run time tasks for the web application.

    Such web applications are the easiest targets for the hackers as they enjoy hacking into the database and stealing the data for fun and profit.

   Considering that we need to learn how to hack into web applications, it is enough for us to understand the high level architecture and the workflow of the web applications.

Summary

  In a quick summary, web applications are simply applications running with a browser as the client to access the web server over the Internet. We have listed the advantages and disadvantages of using web applications as well. The corporate sector takes on risk by going live with web applications, but it is a business model and they have to accept the residual risk, which is lower if the web application is kept secure all the time.

  We have also discussed the types of web applications and the core design of the web application architecture and covered the layered approach to design the basic architecture of web applications.

  To ensure that your web application is secure, there are methods to apply. However, keeping your web application secure is not a one time job; it is a 24x7 activity!
