Web Application and its Common Vulnerabilities

Web application provides an interface between the web server and the client to communicate through a set of web pages generated at the server end or that contain script code to be executed dynamically within the client Web browser.

The term Web app may also mean a computer software application that is coded in a browser-supported programming language (such as JavaScript, combined with a browser-rendered markup language like HTML) and reliant on a common web browser to render the application executable.

The data is passed between client and server in the form of HTML pages through HTTP protocol. To hack websites as well as web applications, an individual requires knowledge of ASP, PHP, and SQL, among others. Knowledge of such languages combined with access to some web application hacking tools will enable you to hack almost any website or web application with relative ease.

Also Read:

According to Gartner market research, 75% of all malicious hacking attacks target complex web applications, which is hardly surprising if we consider a couple of basic common sense facts. Web applications are popular due to the ubiquity of web browsers, and the convenience of using a web browser as a client.

Common Web Application Vulnerabilities

Hidden Field Manipulation — Hidden fields are embedded within HTML forms to maintain values that will be sent back to the server. Such hidden fields serve as a mean for the web application to pass information between different parts of one application or between different applications. Using this method, an application may pass the data without saving it to a common backend system (typically a database). However, a major
assumption about hidden fields is that since they’re non-visible (i.e. hidden) they will not be viewed or changed by the client.

Application Buffer Overflow — Web applications that receive parameters are typically limited in the number of characters for both the name of the parameters and their values. By sending long parameters or values it is possible to achieve a memory corruption in the application which can result in the application shutting down or the ability to gain high privileges on the server machine.

Cross-Site Scripting — A link to a valid web site can be manipulated so that one of the parameters of the URL or maybe even the referrer will hold a script. This script will then be implanted by the server into a dynamic web page and will run on the client-side. The script can then perform a “virtual hijacking” of the user’s session and can capture information transferred between the user and the legitimate web application. The user activates the malicious link when he crawls through a 3rd party site or by receiving an
email with the link in a web-enabled email client.

Web Applications Hacking

  • Identify common attack vectors for web applications
  • identify command injection attacks
  • match the layer to the web service attack type that can be performed at that layer
  • match the hacking activity to the stage in the web application hacking methodology
  • match the web application hacking countermeasure to the type of attack it helps defend against
  • determine what you test for at which stage of web application penetration
  • identify web applications hacking techniques and tools and how to counter them