Hacking Web Applications
By Abir Atarthy
This writing is totally intended for educational purpose and does not in anyway encourage hacking. The real purpose of this site is prevention from hack attempts. Read the disclaimer section of the site for details.
Web applications are programs that reside on a web server to give the user functionality beyond just a website. Database queries, webmail, discussion groups, and blogs are all examples of web applications. In a web application the browser you use is basically client and the webserver is basically a server. Attackers may try to deface the website, steal credit card information, inject malicious codes, exploit server side scriptings, and so on
Now the question is why hackers target web applications. The reason is simple:To get confidential data.
Web applications are critical to the security of a system because they usually connect to a database that contains
information such as identities with credit card numbers and passwords. Web application vulnerabilities increase the threat that hackers will exploit the operating system and web server . Hacking a webserver means basically hacking a website.
information such as identities with credit card numbers and passwords. Web application vulnerabilities increase the threat that hackers will exploit the operating system and web server . Hacking a webserver means basically hacking a website.
To hack a webserver you can follow five steps.
Web Application Threats
Many web application threats exist on a web server. The following are the most common threats:
Cross-site scripting :- Cross-site scripting occurs when an attacker uses a web application to send malicious
code; generally JavaScript
code; generally JavaScript
SQL injection : - SQL Injection is one of the many web attack mechanisms used by
hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.
Command injection :- The hacker inserts programming commands into a web form.
Cookie poisoning and snooping :- The hacker corrupts or steals cookies.
Cookie poisoning and snooping :- The hacker corrupts or steals cookies.
Buffer overflow :- Huge amounts of data are sent to a web application through a web form to execute commands. Almost all known web servers, application
servers, and web application environments are susceptible to attack (but not Java and J2EE environments
servers, and web application environments are susceptible to attack (but not Java and J2EE environments
Directory traversal :- The hacker browses through the folders on a system via a web browser or Windows explorer.
Zero-day attacks :-take place between the time a vulnerability is discovered by a
h researcher or attacker and the time that the vendor issues a corrective patch
h researcher or attacker and the time that the vendor issues a corrective patch
Hacking Tools:-
There are many tools/programmes you can write to hack different web applications, web servers etc. Being an Ethical hacker i won't discuss them. but i will mention one tool here
called Brup that hackers useses for attacking and testing web applications.
Countermeasures:-
Following are the countermeasures for different of the web application vulnerabilities.
Cross-site scripting :-Validate cookies, query strings, form fields, and hidden fields.
SQL injection : - 1) Check the user’s input provided to database queries
2) Validate and sanitize every user variable passed to
Command injection :-Use language-specific libraries for the programming language.
Cookie poisoning and snooping :-1) Do not store plain text or weakly encrypted password in a
cookie
cookie
2) Implement cookie’s timeout
3)Cookie’s authentication credentials should be associated with
an IP address.
an IP address.
Buffer overflow :- Check bounds and maintain extra care when using loops to copy data
Directory traversal :- Define access rights to the protected areas of the website
Zero-day attacks :-1 ) No security solution can claim that they will totally protect
against all zero-day attacks
against all zero-day attacks
2)Enforce stringent security policies
Remember that hacking webapplications is basically not easy. Its a vast subject. I have just given an brief idea. You have to work very hard to hack any web applications.
By the way let me introduce you with one of our hackingheart team member Somenath Singh, has done a nice job in this weebly.com blog site. There is huge collection of different types of very useful softwares links. A extremly useful site for all. Thanks Somnath for your work.
Click here to visit
Click here to visit
Thats a good article..keep it up...I will keep checking regularly..
ReplyDeleteNice article
ReplyDeleteThanks to all..For ur encouraging words
ReplyDeleteThis is Priya from IEM. Though i have not met with you,but I am your great fan. This article is very nice. But why didn't you go more deep into the subject?I mean step by step process on how to hack a site? some more tools on it etc.
ReplyDeleteRanitha from Australia. How r u? hope you recognized me?????
ReplyDeleteDat's a good article. But why din't you tell details steps by steps process for web hacking? R you feared???