WEB APPLICATION HACKING


Web application hacking refers to attacks on applications themselves, as opposed to the web server software upon which these applications run.

Web application hacking involves many of the same techniques as web server hacking, including input validation attacks, source code disclosure attacks, and so on. The main difference is that the attacker is now focusing on custom application code rather than on off-the-shelf server software.

Techniques

• Manipulating the application via its GUI.
• Tampering with the Uniform Resource Identifier (URI).
• Tampering with HTTP requests.

GUI

URI

A URI describes a protocol (scheme) for accessing a resource (path) or application (query) on a server (authority).

The path describes the hierarchy of folders or directories where application files are located, and the query includes the parameters that need to be fed to application executables stored on the server(s).

The HTTP client (typically a web browser) simply requests these resources, and the server responds.
An attacker can therefore try manipulating the path or the parameters in the URI, for example:

https://server/folder/../../../../cmd.exe
http://server/folder/application?parameter1=aaaaa...[256 a's]
http://server/folder/application?parameter1=<script>'alert'</script>
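As an added example (not code from the original post), the following Python decomposes a URI into the scheme, authority, path and query described above and then flags the three kinds of manipulation shown in the examples: directory traversal in the path, overlong parameter values, and script tags in parameter values. The sample URIs are constructed for illustration and the length threshold is an assumed value.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample URIs (not real traffic), mirroring the examples above
SAMPLE_URIS = [
    "https://server/folder/app?parameter1=hello",
    "https://server/folder/../../../../cmd.exe",
    "http://server/folder/application?parameter1=" + "a" * 256,
    "http://server/folder/application?parameter1=<script>'alert'</script>",
    "http://server/folder/%2e%2e/%2e%2e/etc/passwd",   # percent-encoded traversal
]

MAX_PARAM_LEN = 128  # assumed threshold; tune to the application's real limits
SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)


def split_uri(uri):
    """Decompose a URI into scheme, authority, path and query components."""
    parts = urlsplit(uri)
    return {
        "scheme": parts.scheme,
        "authority": parts.netloc,
        "path": unquote(parts.path),            # decode %2e etc. before inspection
        "query": parse_qsl(parts.query, keep_blank_values=True),
    }


def find_issues(uri):
    """Return a list of tags describing suspicious manipulation of path or query."""
    c = split_uri(uri)
    issues = []
    # 1. Path traversal: '..' segments that try to climb out of the web root
    if any(seg == ".." for seg in c["path"].split("/")):
        issues.append("path-traversal")
    # 2. Overlong parameter values (classic buffer-overflow probe)
    if any(len(v) > MAX_PARAM_LEN for _, v in c["query"]):
        issues.append("overlong-parameter")
    # 3. Script tags in parameter values (cross-site scripting probe)
    if any(SCRIPT_RE.search(unquote(v)) for _, v in c["query"]):
        issues.append("script-injection")
    return issues


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u[:60]:<60} -> {find_issues(u) or ['clean']}")
```

The same checks can be run over the request column of a web server access log to spot these probes after the fact.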

HTTP Methods

GET  : Leaves all data in the URI
POST : Places the data in the body of the request


Finding Vulnerable Web Apps with Google (Google Dorks)

Search engines index a huge number of web pages and other resources. Hackers can use these engines to make anonymous attacks, find easy victims, and gain the knowledge necessary to mount a powerful attack against a network. Search engines are dangerous largely because users are careless.

Further, search engines can help hackers avoid identification. Search engines make discovering candidate machines almost effortless.

Get the list of accessible pages

Find unprotected files

Index of /admin
Index of /password
Index of /mail
Index of /password.txt
Index of /hint
Index of /hint -email
Index of /htaccess
See the GHDB (Google Hacking Database) for more.

Web Crawling

Abraham Lincoln is rumored to have once said, “If I had eight hours to chop down a tree, I’d spend six sharpening my axe.” A serious attacker thus takes the time to become familiar with the application. This includes downloading the entire contents of the target website and looking for low-hanging fruit, such as local path information, backend server names and IP addresses, SQL query strings with passwords, informational comments, and other sensitive data in the following items:

• Static and dynamic pages
• Include and other support files
• Source code
• Server response headers
• Cookies

Web-crawling Tools
 • Wget
 • Httrack

Web Application Assessment

The ultimate goal of this activity is to thoroughly understand the architecture and design of the application, pinpoint any potential weak points, and logically break the application in any way possible.

To accomplish this goal, each major component of the application is examined from an unauthenticated point of view as well as from the authenticated perspective if appropriate credentials are known (for example, the site may permit free registration of new users, or perhaps the attacker has already gleaned credentials from crawling the site).

Web application attacks commonly focus on the following features:

• Authentication
• Session management
• Database interaction
• Generic input validation
• Application logic

Web Application Scanner Tools

• Browser plug-ins
• Free tool suites
• Commercial web application scanners

Browser Plug-ins (XSSME, Tamper Data)

Browser plug-ins allow you to see and modify the data you send to the remote server in real time. This is very useful during the discovery phase, when you are trying to figure out the structure and functionality of the web application, and extremely useful for confirming vulnerabilities in the verification phase.

Tool Suites (Burp, ZAP)

Typically built around web proxies that interpose themselves between the web client and the web server, tool suites are more powerful than browser plug-ins.

Invisible to the client web browser, proxies can also be used in situations where the client is not a browser but some other kind of application (such as a web service client). The integration of testing tools with a proxy provides an effective platform for ad hoc testing of web applications.

Web Application Security Scanners (Vega, w3af, WebScarab, Wfuzz)

The tools described previously are designed to provide specific components of an overall web application assessment—but what about all-in-one tools?

Application scanners automate the crawling and analysis of web applications, using generalized algorithms to identify broad classes of vulnerabilities and weed out false positives. These tools provide an all-in-one solution for web application assessment, although the rich feature set and functionality come at a high cost.
