The data is passed between client and server in the form of HTML pages through HTTP protocol. To hack websites as well as web applications, an individual requires knowledge of ASP, PHP, and SQL, among others. Knowledge of such languages combined with access to some web application hacking tools will enable you to hack almost any website or web application with relative ease.
According to Gartner market research, some 75% of all malicious hacking attacks target complex web applications, which is hardly surprising if we consider a couple of basic common sense facts. Web applications are popular due to the ubiquity of web browsers, and the convenience of using a web browser as a client.
Common Web Application Vulnerabilities
Hidden Field Manipulation — Hidden fields are embedded within HTML forms to
maintain values that will be sent back to the server. Such hidden fields serve as a mean for the web application to pass information between different parts of one application or
between different applications. Using this method, an application may pass the data
without saving it to a common backend system (typically a database). However, a major
assumption about hidden fields is that since they’re non-visible (i.e. hidden) they will not
be viewed or changed by the client.
Application Buffer Overflow — Web applications that receive parameters are
By sending long parameters or values it is possible to achieve a memory corruption in the application which can result in the application shutting down or the ability to gain high privileges on the server machine.
Cross-Site Scripting — A link to a valid web site can be manipulated so that one of the
parameters of the URL or maybe even the referrer will hold a script. This script will then be implanted by the server into a dynamic web page and will run on the client side. The
script can then perform a “virtual hijacking” of the user’s session and can capture
information transferred between the user and the legitimate web application. The user
activates the malicious link when he crawls through a 3rd party site or by receiving an
email with the link in a web enabled email client.
Web Applications Hacking
- Identify common attack vectors for web applications
- identify command injection attacks
- match the layer to the web service attack type that can be performed at that layer
- match the hacking activity to the stage in the web application hacking methodology
- match the web application hacking countermeasure to the type of attack it helps defend against
- determine what you test for at which stage of web application penetration
- identify web applications hacking techniques and tools and how to counter them