Hacking Web Applications
                      By Abir Atarthy
This writing  is totally intended for educational purpose and does not in anyway encourage hacking. The real purpose of this site is  prevention from hack attempts. Read the disclaimer section of the site for details.
Web applications are programs that  reside on a web server to give the user functionality beyond just a website.  Database queries, webmail, discussion groups, and blogs are all examples of web   applications. In a web application the browser you use is basically client and  the webserver is basically a server.  Attackers may try to deface the  website, steal credit card information, inject malicious codes, exploit server  side scriptings, and so on
Now the question is why hackers target  web applications. The reason is simple:To get confidential data.
Web applications are  critical to  the security of a system because they usually connect to a database that  contains
information such as identities with credit card numbers and passwords. Web application vulnerabilities increase the threat that hackers will exploit the operating system and web server . Hacking a webserver means basically hacking a website.
information such as identities with credit card numbers and passwords. Web application vulnerabilities increase the threat that hackers will exploit the operating system and web server . Hacking a webserver means basically hacking a website.
To hack a webserver you can follow five  steps.
Web Application Threats
Many web application threats exist on a web server. The  following are the most common threats:
Cross-site scripting  :-  Cross-site scripting occurs when an attacker uses a web application to send  malicious
code; generally JavaScript
code; generally JavaScript
SQL injection  : -     SQL Injection is one of the  many web attack mechanisms used by  
 hackers   to steal data from organizations. It is perhaps one of the most common   application layer attack techniques used today. It is the type of attack   that takes advantage of improper coding of your web applications that allows   hacker to inject SQL commands into say a login form to allow them to gain   access to the data held within your database.
   Command injection  :- The hacker   inserts programming commands into a web form.
Cookie poisoning and snooping :- The hacker corrupts or steals cookies.
Cookie poisoning and snooping :- The hacker corrupts or steals cookies.
Buffer overflow   :- Huge   amounts of data are sent  to a web application through a web form to   execute commands. Almost all known web servers, application
servers, and web application environments are susceptible to attack (but not Java and J2EE environments
servers, and web application environments are susceptible to attack (but not Java and J2EE environments
Directory traversal :-   The hacker browses through the folders on a system   via a web  browser or Windows explorer.
Zero-day attacks  :-take place   between the time a vulnerability is discovered by a
h researcher or attacker and the time that the vendor issues a corrective patch
h researcher or attacker and the time that the vendor issues a corrective patch
Hacking Tools:-
There are many tools/programmes you can   write to hack different web   applications, web servers etc. Being an  Ethical hacker  i won't   discuss them. but i will mention one tool here
called Brup that   hackers useses    for attacking and testing   web applications.
  Countermeasures:-
Following are the   countermeasures for  different of the web application vulnerabilities.
Cross-site   scripting :-Validate cookies, query strings, form fields, and hidden   fields.
SQL injection  : - 1) Check the user’s input provided to database queries
                     2) Validate and sanitize every user variable passed to
Command injection  :-Use   language-specific libraries for the programming language.
Cookie poisoning and snooping  :-1)   Do not store plain text or weakly encrypted password in a
cookie
cookie
2) Implement cookie’s timeout
3)Cookie’s authentication credentials should be   associated with
an IP address.
an IP address.
Buffer overflow   :- Check bounds   and maintain extra care when using loops to  copy data
Directory traversal :-    Define access rights to the protected areas of the website
Zero-day attacks  :-1 ) No security   solution can claim that they will totally protect
against all zero-day attacks
against all zero-day attacks
2)Enforce stringent security policies
Remember that hacking webapplications is basically not easy. Its a vast   subject. I have just given an brief idea. You have to work very hard to hack   any web applications. 
By the way let me introduce you with one of our hackingheart team member Somenath Singh, has done a nice job in this weebly.com  blog site. There is huge collection of different types of very useful softwares links. A extremly useful site for all. Thanks Somnath for your work.
Click here to visit
Click here to visit
 
 
Thats a good article..keep it up...I will keep checking regularly..
ReplyDeleteNice article
ReplyDeleteThanks to all..For ur encouraging words
ReplyDeleteThis is Priya from IEM. Though i have not met with you,but I am your great fan. This article is very nice. But why didn't you go more deep into the subject?I mean step by step process on how to hack a site? some more tools on it etc.
ReplyDeleteRanitha from Australia. How r u? hope you recognized me?????
ReplyDeleteDat's a good article. But why din't you tell details steps by steps process for web hacking? R you feared???