In previous tutorials, we have touched on some of the techniques and tools for web app hacking. We looked at web app vulnerability testing, website cloning, web app footprinting, web app password cracking, and many others.
In this series, we will begin with the basics and slowly advance to more advanced techniques and tools. This is likely to be a very long series.
Let's begin by first giving you links to what we have already covered and then proceed to the basics of the attack vectors for web applications.
Vulnerability scanning with Nikto
Vulnerability scanning and backend mapping with Wikto
Scraping potential passwords with ceWL
SQL injection with sqlmap
Using BeEF to control the user's browser
Cross-site scripting (XSS) with Metasploit
Finding website directories with DirB
Spidering with WebScarab
Fingerprinting by banner grabbing with HttpPrint or Netcraft
Hacking web applications and this series can be broken into several areas.
Mapping the Server & Application
Like any hack, the more we know about the target, the better our chances of success. In the case of web applications, we probably want to know the target OS, the web server, and the various technologies supporting the web application.
In addition, mapping the application might include enumerating content and functionality, analyzing the application, identifying the server-side functionality, and mapping the attack surface. It's essential that we do this first and accurately before proceeding to any attack.
Web Application Attack Vectors
Although there are literally hundreds of ways of hacking web applications, they can be grouped into eight (8) basic types.
1. Hacking Client Side Controls
One of the most popular areas of web app hacking is attacking the client-side controls. In this regard, we will look at transmitting data via the client and capturing user data.
2. Hacking Authentication
We have looked briefly at hacking web app authentication with THC-Hydra and Burp Suite, but we will look at some other authentication tools as well as bypassing authentication such as capturing tokens and replaying them, client-side piggybacking, and cross-site request forgery.
3. Hacking Session Management
We will look at ways to hack the application's session management. Session management enables an application to uniquely identify a user across multiple requests. When a user logs in, session management enables the user to interact with the web app without having to re-authenticate for every request. Due to its key role, if we can break the application's session management we can bypass the authentication. Thereby, we won't need to crack the username and password to gain access.
4. Hacking Access Controls & Authorization
In this area, we will examine how to fingerprint ACLs and attack the ACLs in ways that will allow us to violate the ACLs.
5. Hacking Back End Components
We have done a bit of back-end hacking such as SQL injection with sqlmap, but we will expand this area with new SQLi tools and also attack and inject XPATH and LDAP. We will also look at path or directory traversal, file inclusion vulnerabilities, XML, and SOAP injection.
6. Hacking the User
Hacking the user is one of my favorite web app hacks. Technically, it's not web app hacking as we are actually hacking the end user, not the web app, by getting them to travel to our website and load malware to their browser and potentially their system. These techniques include cross-site scripting (XSS), cross-site request forgery, attacking the browser, and violations of the same origin policy.
7. Hacking the Web Application Management
In many cases, the web applications have a management console or other management interface. If we can access that console or interface, we can conceivably change everything about the website including defacing it.
8. Hacking the Web Server
In some cases, we can hack the underlying server of the web applications such as Microsoft's Internet Information Server (IIS), the Apache Project's Apache server, or Nginx. If we can gain control and access to the underlying server, it may give us an entry point to the web applications.
Keep coming back, my budding hackers, as we expand our repertoire of hacking tools and techniques to include web app hacking!