Web Application Hacking Methodologies
Web applications are programs that allow users to interact with web servers. They run in web browsers with the help of client-side and server-side scripts.
The web application architecture consists of:
- Client/presentation layer
- Business logic layer
- Database layer
The client/presentation layer consists of devices on which the application runs. Such devices include laptops, tablets, smartphones, etc.
The business logic layer itself has two layers:
- Web-server logic layer, which consists of the components that handle requests and responses and the code that reads and returns data to the browser
- Business logic layer, which contains the application data
The database layer consists of a B2B layer and a database server in which the organization’s data is stored.
Web Application Threats and Attacks
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
The OWASP Top 10 project produces a document that describes the top 10 application security threats.
The latest document lists the following top 10 security threats:
Injection
An injection attack is an attack in which the attacker injects malicious data into commands and queries that are then executed by the application.
This attack targets input fields or other entry points of the application and allows attackers to extract sensitive information.
The most commonly used injection attacks are:
- SQL Injection is an attack in which the attacker injects malicious SQL queries into the application
- Command Injection is an attack in which the attacker injects malicious commands into the application
- LDAP Injection is an attack in which the attacker injects malicious LDAP statements into the application
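As an added illustration (not from the original notes), the same user lookup written in the vulnerable string-concatenated form and in the parameterized form, run against a constructed in-memory SQLite table; the table, the crafted input and all names here are assumptions.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: user input is pasted into the SQL text, so the input can
    # change the structure of the query instead of being treated as a value.
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the value is bound as a parameter and can only ever be data,
    # whatever characters it contains.
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"          # constructed input, no such user exists
    print(lookup_vulnerable(db, crafted))      # returns every row
    print(lookup_parameterized(db, crafted))   # returns no rows
```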
Broken Authentication
Broken authentication refers to threats and vulnerabilities in authentication and session management.
Attackers exploit these vulnerabilities to impersonate their targets.
Some of the existing vulnerabilities include:
- Session IDs in URLs
- Unencrypted passwords
- Improperly set timeouts
Sensitive Data Exposure
Sensitive data exposure threats occur in applications that use weak encryption for encrypting and storing data.
This vulnerability enables attackers to easily crack the encryption and steal the data.
XML External Entity (XXE)
An XML External Entity attack is an attack in which the attacker takes advantage of a poorly configured XML parser, causing the application to parse XML input that comes from an untrusted source.
Broken Access Control
Broken access control refers to threats and vulnerabilities in access control. Attackers exploit these vulnerabilities to evade authentication and gain admin privileges.
Security Misconfiguration
Security misconfiguration refers to vulnerabilities that exist in applications with a poorly configured application stack.
Some of the problems that cause security misconfiguration vulnerabilities include:
- Unvalidated input fields
- Form and parameter manipulation
- Poor error handling
Cross-Site Scripting (XSS)
Cross-Site Scripting attack is an attack in which the attacker injects scripts into web pages which are executed on the target’s system.
Insecure Deserialization
Insecure deserialization refers to a vulnerability which attackers exploit by injecting malicious code into serialized data which is then sent to the target.
Because of the insecure deserialization vulnerability, the malicious serialized data is deserialized without the malicious code being detected, which allows the attacker to gain unauthorized access to the system.
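An added example, not from the original notes, of the defensive side of this point in Python: a restricted unpickler that only resolves an allow-listed class, so a serialized stream naming any other global is rejected before it can be acted on. The `Order` class, the allow-list and both sample streams are constructed for the demonstration.

```python
import io
import pickle
from dataclasses import dataclass


@dataclass
class Order:
    item: str
    quantity: int


# Allow-list of (module, class) pairs the application legitimately deserializes.
ALLOWED_GLOBALS = {(Order.__module__, "Order")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global the stream names unless it is allow-listed.

    Plain pickle.loads() imports and returns whatever module.name the stream
    asks for, which is the path by which serialized data reaches code.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def naive_loads(data: bytes):
    """The unsafe baseline: plain pickle.loads resolves whatever the stream names."""
    return pickle.loads(data)


def accepts(data: bytes) -> bool:
    """True if the stream deserializes under the allow-list, False if rejected."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed streams: a legitimate order, and a stream that merely names a
# dangerous global (a GLOBAL opcode, no call), enough to show the rejection.
LEGIT_STREAM = pickle.dumps(Order("widget", 3))
HOSTILE_STREAM = b"cos\nsystem\n."
```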
Using Components with Known Vulnerabilities
Using components with known vulnerabilities allows attackers to exploit them and execute attacks.
Insufficient Logging and Monitoring
Insufficient logging and monitoring occur when the application fails to log malicious events and activities. This causes difficulties in detecting attacks on the system.
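The kind of monitoring this point calls for, as an added example that is not part of the original notes: a small detector that parses constructed authentication log lines (the line format, field names and documentation-range addresses are assumptions) and flags a source address whose failed logins exceed a threshold within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application auth log: the events the page says must be logged.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth=fail user=alice src=203.0.113.7
2024-03-01T10:00:03Z auth=fail user=bob src=203.0.113.7
2024-03-01T10:00:04Z auth=fail user=carol src=203.0.113.7
2024-03-01T10:00:06Z auth=fail user=dave src=203.0.113.7
2024-03-01T10:00:07Z auth=fail user=erin src=203.0.113.7
2024-03-01T10:00:09Z auth=ok user=frank src=203.0.113.7
2024-03-01T10:05:00Z auth=fail user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line: str):
    """Returns (timestamp, result, user, src) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def find_bruteforce_sources(log: str, threshold: int = 5,
                            window: timedelta = timedelta(minutes=1)) -> dict:
    """Maps each source that logged >= threshold failures inside one window
    to the number of distinct usernames it tried (high counts suggest spraying)."""
    failures = defaultdict(list)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "fail":
            failures[parsed[3]].append((parsed[0], parsed[2]))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [u for t, u in events[i:] if t - start <= window]
            if len(in_window) >= threshold:
                flagged[src] = len(set(in_window))
                break
    return flagged
```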
A web application hacking methodology provides attackers with a sequence of steps to follow to execute a successful attack.
These steps are:
Web Infrastructure Footprinting
Footprinting the web infrastructure helps attackers gather information about the target web infrastructure and identify vulnerabilities that can be exploited.
In this process, the attacker performs:
- Server discovery to learn about the servers that host the application
- Service discovery to determine which service can be attacked
- Server identification to learn information about the server, such as its version and make
- Hidden content discovery to find content that is not linked from the visible application
Web Server Attack
Attackers analyze the information gathered in the footprinting step, find vulnerabilities to exploit, and use various techniques to launch attacks on the server.
Web Application Analysis
Attackers analyze the target web application to identify its vulnerabilities and exploit them.
To hack the application, attackers need to:
- Identify entry points for user input
- Identify server-side technologies used for generating dynamic web pages
- Identify server-side functionality
- Identify attack areas and associated vulnerabilities
Client-side Controls Evasion
Attackers attempt to bypass client-side controls on user input and interaction.
To bypass the client-side controls, attackers attempt to:
- Attack hidden form fields
- Attack browser extensions
- Review the source code
Authentication Attacks
Attackers attempt to exploit vulnerabilities that exist in the authentication mechanisms.
By exploiting such vulnerabilities, attackers are able to perform:
- Username enumeration
- Password attacks
- Session attacks
- Cookie exploitation
Authorization Attacks
An authorization attack is an attack in which the attacker accesses the application through a legitimate account that has limited privileges and then uses that account to escalate those privileges.
To perform an authorization attack, the attacker works with the following sources of input:
- Parameter tampering
- POST data
- HTTP headers
- Hidden tags
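Added example (not from the original notes) covering both the hidden-form-field evasion in the previous section and parameter tampering of POST data here: a checkout handler that trusts client-supplied `price` and `role` fields beside one that takes the price from a server-side catalog and the role from the session. The catalog, session store and form field names are assumptions.

```python
from urllib.parse import parse_qs

# Constructed server-side sources of truth.
CATALOG = {"widget": 1999, "gadget": 4999}                    # prices in cents
SESSIONS = {"tok-alice": {"user": "alice", "role": "customer"}}


def parse_form(body: str) -> dict:
    """Flattens a URL-encoded POST body to {field: first_value}."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def checkout_vulnerable(body: str) -> dict:
    # Trusts the hidden 'price' field and a 'role' parameter sent by the client,
    # so whoever edits the form or the POST body sets their own price and role.
    f = parse_form(body)
    return {"item": f["item"],
            "total": int(f["price"]) * int(f["qty"]),
            "admin": f.get("role") == "admin"}


def checkout_hardened(body: str, session_token: str) -> dict:
    # Only 'item' and 'qty' are taken from the client, and both are validated;
    # price and role come from server-side state the client cannot edit.
    f = parse_form(body)
    session = SESSIONS.get(session_token)
    if session is None:
        raise PermissionError("no valid session")
    item = f.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(f.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return {"item": item,
            "total": CATALOG[item] * qty,
            "admin": session["role"] == "admin"}
```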
Access Control Attacks
Attackers analyze the target website in an attempt to learn the details about the implemented access control.
During this process, attackers try to learn about who has access to which sets of data, who has which access level, and how to escalate privileges.
Session Management Attacks
Attackers exploit vulnerabilities in authentication and session management to impersonate their targets.
The process of generating a valid session token consists of two steps:
- Session token prediction
- Session token tampering
With a valid token, attackers are able to perform attacks such as MITM, session hijacking, and session replay.
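An added Python example, not from the original notes, for the session-management points here and the broken-authentication items earlier (session IDs in URLs, improperly set timeouts): a session store that issues tokens from the OS CSPRNG so they cannot be predicted from earlier ones, enforces an idle timeout, and a check that flags a session ID carried in a URL. The session-cookie names, the 900-second timeout and the injectable clock are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed list of common session-identifier parameter names.
SESSION_ID_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid"}
IDLE_TIMEOUT = 900  # seconds; assumed policy value


class SessionStore:
    """Issues unpredictable tokens and expires idle sessions server-side."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._sessions = {}            # token -> (user, last_seen)

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG: no relation to earlier tokens, so
        # observing some tokens does not help predicting the next one.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock())
        return token

    def resolve(self, token: str):
        """Returns the user for a live token, or None if unknown or idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if self._clock() - last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # an expired token is never accepted again
            return None
        self._sessions[token] = (user, self._clock())
        return user


def session_id_in_url(url: str) -> bool:
    """Flags a session ID in the query string or path (leaks via logs and Referer)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if any(k.lower() in SESSION_ID_NAMES for k in query):
        return True
    return any(f";{name}=" in parts.path.lower() for name in SESSION_ID_NAMES)
```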
Injection Attacks
Attackers take advantage of unvalidated form inputs to inject malicious queries and commands.
Application Logic Vulnerability Exploitation
Poor coding practices can leave logic flaws in the application. If an attacker succeeds in identifying such flaws, they can exploit them to launch an attack.
Database Connection Attacks
Attackers execute attacks on the database connection to gain control over the database and thus gain access to sensitive information.
Web Services Attacks
Attackers target web services integrated in the web application to find and exploit the application’s business logic vulnerabilities.
They then use various techniques to execute an attack on the application.