Skip to main content

HACK WEB


What is a web application? What are Web Threats?

A web application (aka website) is an application based on the client-server model. The server provides the database access and the business logic. It is hosted on a web server. The client application runs on the client web browser. Web applications are usually written in languages such as Java, C#, and VB.Net, PHP, ColdFusion Markup Language, etc. the database engines used in web applications include MySQL, MS SQL Server, PostgreSQL, SQLite, etc.
Most web applications are hosted on public servers accessible via the Internet. This makes them vulnerable to attacks due to easy accessibility. The following are common web application threats.
  • SQL Injection – the goal of this threat could be to bypass login algorithms, sabotage the data, etc.
  • Denial of Service Attacks– the goal of this threat could be to deny legitimate users access to the resource
  • Cross Site Scripting XSS– the goal of this threat could be to inject code that can be executed on the client side browser.
  • Cookie/Session Poisoning– the goal of this threat is to modify cookies/session data by an attacker to gain unauthorized access.
  • Form Tampering – the goal of this threat is to modify form data such as prices in e-commerce applications so that the attacker can get items at reduced prices.
  • Code Injection – the goal of this threat is to inject code such as PHP, Python, etc. that can be executed on the server. The code can install backdoors, reveal sensitive information, etc.
  • Defacement– the goal of this threat is to modify the page been displayed on a website and redirecting all page requests to a single page that contains the attacker’s message.

How to protect your Website against hacks?

An organization can adopt the following policy to protect itself against web server attacks.
  • SQL Injection– sanitizing and validating user parameters before submitting them to the database for processing can help reduce the chances of been attacked via SQL Injection. Database engines such as MS SQL Server, MySQL, etc. support parameters, and prepared statements. They are much safer than traditional SQL statements
  • Denial of Service Attacks – firewalls can be used to drop traffic from suspicious IP address if the attack is a simple DoS. Proper configuration of networks and Intrusion Detection System can also help reduce the chances of a DoS attack been successful.
  • Cross Site Scripting – validating and sanitizing headers, parameters passed via the URL, form parameters and hidden values can help reduce XSS attacks.
  • Cookie/Session Poisoning– this can be prevented by encrypting the contents of the cookies, timing out the cookies after some time, associating the cookies with the client IP address that was used to create them.
  • Form tempering – this can be prevented by validating and verifying the user input before processing it.
  • Code Injection - this can be prevented by treating all parameters as data rather than executable code. Sanitization and Validation can be used to implement this.
  • Defacement – a good web application development security policy should ensure that it seals the commonly used vulnerabilities to access the web server. This can be a proper configuration of the operating system, web server software, and best security practices when developing web applications.

Hacking Activity: Hack a Website

In this practical scenario, we are going to hijack the user session of the web application located at www.techpanda.org. We will use cross site scripting to read the cookie session id then use it to impersonate a legitimate user session.
The assumption made is that the attacker has access to the web application and he would like to hijack the sessions of other users that use the same application. The goal of this attack could be to gain admin access to the web application assuming the attacker’s access account is a limited one.
Getting started
  • Open http://www.techpanda.org/
  • For practice purposes, it is strongly recommended to gain access using SQL Injection. Refer to this article for more information on how to do that.
  • The login email is admin@google.com, the password is Password2010
  • If you have logged in successfully, then you will get the following dashboard

Comments

Post a Comment

Popular posts from this blog

Top 20 Tools for hacking 2018

What are Hacking Tools? Hacking Tools are computer programs and scripts that help you find and exploit weaknesses in computer systems, web applications, servers and networks. There is a variety of such tools available on the market. Some of them are open source while others are commercial solution. In this list we highlight the top 20 tools for Ethical Hacking of web applications, servers and networks 1)  Netsparker Netsparker  is an easy to use web application security scanner that can automatically find SQL Injection, XSS and other vulnerabilities in your web applications and web services. It is available as on-premises and SAAS solution. Features Dead accurate vulnerability detection with the unique Proof-Based Scanning Technology. Minimal configuration required. Scanner automatically detects URL rewrite rules, custom 404 error pages. REST API for seamless integration with the SDLC, bug tracking systems etc. Fully scalable s...
Post a Comment
Read more

crypthography and network security

Cryptography, which translates as "secret writing," refers to the science of concealing the meaning of data so only specified parties understand a transmission's contents. Cryptography has existed for thousands of years; for most of history, however, the users of cryptography were associated with a government or organized group and were working to conceal secret messages from enemies. These days, millions upon millions of secure, encoded transmissions happen online each day -- and cryptographic standards are used to protect banking data, health information, and much more. Without cryptography, e-commerce as we know it would be impossible. Since online security threats evolve so quickly, there are dozens of different schools of thought on how best to use encryption to enhance network security -- not just for governments, but for businesses and end users, too. Classical Encryption Techniques Classical Encryption Techniques Explained at Purdue University (PDF) : These...
Post a Comment
Read more

12 ways to hack-proof your smartphone

A s we’ve recently seen from  leaked CIA documents , no one is immune to hacking attacks. Here’s how to protect yourself against them, whether they come from opportunist thieves or state-sponsored spies. 1. Keep up to date – and don’t open up holes yourself When it comes to protecting yourself against hackers, step one is always to install software updates as soon as they become available: that’s as true on smartphones as it is on computers. Yes, updating can be a tiresome and intrusive process, and it sometimes brings annoying changes to the interface that you’re used to. All the same, a huge proportion of successful hacks exploit vulnerabilities that have already been patched; exposing yourself unnecessarily is just daft. I’d also strongly advise against using unofficial tools to “root” your phone (known as “jailbreaking” on iOS), unless you know exactly what you’re doing. On a rooted phone, technical safeguards can be defeated, allowing apps to perform all sort...
Post a Comment
Read more