A web application is a program or software that runs on a web browser to perform specific tasks. Any web application has several layers – web server, the content of the application that is hosted on the web server and the backend interface layer that integrates with other applications. Web application architecture is scalable and has components which have high availability.
Hacking is the process of the appropriating the web application from its actual user by tinkering in various ways. The web application hacker needs to have deep knowledge of the web application architecture to successfully hack it. To be a master, the hacker needs to practice, learn and also tinker with the application.
Web application hacking requires tenacity, focus, attention to detail, observation and interfacing. There are many types of web application hacking, and many defense mechanisms available to counter and to protect the application from being hacked.
There are four categories in which we can protect the web application:
A web application provides different roles for user access depending on the business requirement and use cases. A classic example is a digital banking scenario, where the customer wants to access the banking functions to get the balance from his account or transfer the cash to someone else. Another example is a scenario where a Linux administrator wants to provide privileges and rights to authorized users.
The web application uses the below security mechanisms:
Authentication is identifying a user to whom the credentials belong. This can be done using is a user name and password. Additional authentication can be done through the user’s mobile number or biometrics.
Session management is the process of the user being signed in throughout, while using the web application. Every time the user logs in to use the application, it is recorded as a session. Sessions can vary depending on the use case and application.
Access control is a process of protecting the HTTP requests in Web application. This is the last layer of defense in the user access.
All the user inputs in the web application are always untrusted. A web application should have defense mechanisms in place to prevent the user from writing malicious code or breaking the website. We can handle the user input validation at various levels based on the need of the business.
Input handling to reject all words related to hacking- this is a process of blacklisting them which the web server will check and confirm. These are called Semantic Checks.
Also creating a set of rules to accept the user inputs – for example, only numbers that are safe for Bank account access can be used. This is called Safe Data Handling.
We need to have multi-step validation where every component is checked for user inputs in the web application.
We can have boundary validation to check all the external interfaces with the applications.
To get more sensitive alerts in the web application we need to have following
We need to have application configuration with the key alert that has to be notified immediately when any hacker gets into the web application.
The top web technologies that developers are using for web development are as below:
The process of sending data from server to client is very common in web applications. The reverse is also true when client sends the data to the server. It is normal for software developers to assume that the client will not modify the data. Avoiding the storage of data within the user session can help in security and also increase performance. Modifying the data stored in the client side is easy in comparison to the server side by the hacker.
Two ways exist for bypassing:
For both the options, the following are the techniques to by-pass client side controls:
Web applications have both authentication and authorization as key concepts supporting the web applications.
Authentication refers to any verification process that checks whether a human or automated system is who or what it claims to be. Authentication is the process of verifying the identity of the individual. A unique identifier is added for the web application like Password, Login or username. We can use OpenID, OAUTH, and SAML. The entire Authentication depends on the HTTP/HTTPS implementation.
Authorization is a process in which we have controls to allow or restrict resources. It is entirely dependent on business use cases and it varies end to end. For strengthening the authorization we should implement logging for all privileged actions. Invalid sessions should be made to log out.
So we need to have strict controls on both the concepts to prevent hacking of web applications.
This is a type of injection in which malicious scripts are injected to trusted websites. A hacker uses a web application to send malicious code. This is in the form of browser-side script. The end user has no way to know that a hacker has entered into the web application and he continues to execute the script. Script can access cookies, session tokens and all other sensitive information and even have the capability to rewrite the entire HTML page content.
Types of XSS
All these can occur in Client XSS or Server XSS.
Blacklist refers to the practice of not allowing certain addresses and blocking them based on the need and requirement. They can be IP address, Networks and URLs.
Whitelist indicates that a server would only allow through requests that contain a URL on an accepted list, and other requests will fail.
Whitelist are harder to bypass as they are default controls in the web application. The concept is that it redirects to the internal URL. We can bypass a blacklist by
CSRF is an attack that forces an end user to execute unwanted actions on a web application which is already authenticated. The hacker can send a link via an email and chat, and may trick the users of a web application into executing actions. In case the attack is on an administrator account the entire web application can be compromised.
These are possible when a web application accepts untrusted input. This can cause the web application to redirect the request to a URL containing untrusted inputs. Through the modification of the Untrusted URL input to a malicious site, the hacker launches a phishing attack and steals the user credentials.
These redirects using credentials can also give the hacker the privilege functions which normally they cannot access.
We need to have the user provide a short name, ID or token which is mapped server-side to a full target URL and this gives protection to the entire process.
SQL injection is a process of injecting the malicious SQL query via the input data from the client to the web application.
The various formats of the attacks on the application server are listed below:
The hacker’s toolkit is as given below:
A few of the tools which belong to the above two categories:
In this article, we have covered the entire hijacking web application concepts end to end. We have discussed the concepts of web applications and covered topics such as - Core defense mechanisms, Web application technologies, Bypassing client-side controls, Authentication and authorization, XSS – Cross site scripting, Bypassing blacklists and whitelists, CSRF – Cross site request forgery, Unvalidated redirects, SQL injection, File upload vulnerabilities, Attacking the application server, Web application hacker’s toolkit, and Web application hacker’s methodology.
Your email address will not be published. Required fields are marked *
ITIL refers to a public framework which best descr... Read More