Web Application Hacking Techniques Part — 1

Update: This article is part of a series. Check out the full series: Part 1, Part 2, Part 3, Part 4, Part 5!

Welcome to the web application hacking techniques workshop. In this module, we will discuss why it is important to learn web application hacking techniques and what happens if organizations leave their web applications vulnerable. We will also go over web application workflows and the different attack vectors for hacking web applications.

This workshop will also demonstrate actual hacking into web applications and highlight the top vulnerabilities that exist in web applications.

Since this is an advanced topic, you are required to have a prior understanding of the following topics and to possess some experience in the field of Information Technology. This is not a beginner’s workshop; however, we will try to cover everything from the beginning as much as we can.

* Knowledge of TCP/IP protocols
* Sound knowledge of HTML & SQL
* Basic knowledge of how web applications work
* Prior knowledge of or experience with basic vulnerability concepts
* General concepts of programming in any computer programming language

If you don’t understand the above topics and still want to learn hacking web applications, you are welcome!

If you think hacking is an easy job, then you are mistaken. However, I do believe it was a really easy job a couple of years back, but with the increase in awareness about information security and with the rise of security products, like intrusion detection and intrusion prevention systems, it’s now much more difficult to hack into any system in the enterprise.

What penetration testers had been doing was simply compromising systems that were unpatched, misconfigured or simply had no hardened security. Now, you have fully patched systems, proper change management, security awareness training for staff, a boom in getting industry recognized certifications in information security, like CISSP, CEH, CHFI, LPT, CCIE, and much more.

Life was easy for penetration testers when penetration testing was simply the use of available exploits on famous websites and using some cutting edge penetration testing tools, like Metasploit or SARA, and network or vulnerability scanners, like nmap and Nessus.

But these days, the trend has changed. If you only do port scanning and run vulnerability scans and you think you are an expert in penetration testing, you are definitely mistaken. Such things are now peanuts, and mostly newcomers do this when they start their career in the field of penetration testing, or you can say it’s a script kiddie’s job to run such scans.

In other words, now organizations have dedicated staff to analyze the security health checks of the enterprise and for this they hire security professionals with the job of protecting the organization’s information.

Existence of Web Applications

Why are organizations concerned for their network or information’s security? What is there that they want to protect and invest a heavy budget each year in the Information Security sector?

There are two common answers to the above questions:

* Reputation & Customer Relations
* Business is Internet Driven

Reputation & Customer Relations

This depends on the nature of the business an organization has; financial institutions and multinational organizations are more concerned with their reputation. In fact, if a bank’s online banking system is compromised, will you go and open an account with them? Probably yes, but only if you are not aware of such incidents!

Business is Internet Driven

E-commerce is booming and it’s a hot market. Such organizations’ business is totally dependent on the Internet. Hence, they are much more concerned with the security of their web applications. If eBay or Google is down for a day and customer information is stolen, then the business will definitely be affected.

In such scenarios, what usually happens is that the organization has a publicly exposed web application that is important for the business to run and that presents ease of use to potential customers, depending on the organization type.

Organizations, which are connected to common people by the use of Internet, are more vulnerable to hacking and, hence, they need someone who can tell them how secure they are and put the required controls in place to protect them.

Even organizations which don’t run an online business still need web security, because in today’s business the majority of organizations, though not all, have an Internet presence in the form of a company website, which stands as their first point of contact with people and presents the company information.

What happens if you don’t secure your Web Applications?

Web applications are the number one target of choice for attacks by hackers.

The 2010 Verizon Data Breach Investigation Report confirms that the majority of breaches and almost 95% of the data stolen in 2009 were the work of remote organized criminal groups hacking “servers and applications.”

What happens when organizations don’t care for the security of the web applications and lack adequate protection and security for their websites?

* Theft of data
* Malware infection
* Loss of consumer confidence
* Failure to meet regulatory requirements

Research confirms that 83% of websites have at least one serious vulnerability. No company today can afford the reputation that its web applications are vulnerable to hackers. And with many states, the federal government, and the payment card industry mandating full disclosure, it is unrealistic and extremely risky to merely hope that a hacker will attack someone else’s website.

Web Hacking Incident Database (WHID) Stats

The above stats show the reported web hacking incidents in 2014. The list is bigger and highlights somewhere around 1462 incidents so far in the current year.

A consultant said “an unprotected website is a security risk to customers, other businesses, and public/government sites. It allows for the spread and escalation of malware, attacks on other websites, and even attacks against national targets and infrastructure. In many of these attacks, hackers will try to harness the combined power of thousands of computers and sites to launch these attacks, and the attacks rarely lead directly back to the hackers.”

Web Hacking Facts & Figures

* 75% of breaches resulted from external threats, while just 20% were caused by insiders
* 81% of affected organizations subject to the Payment Card Industry Data Security Standard were found to be non-compliant prior to being breached
* 53% of stolen data records came from organizations using shared or default credentials
* 83% of hacks were considered avoidable through simple or intermediate controls

Figures from the latest Web Hacking Incidents Database Annual Reports

* 30% of the 57 attacks were carried out by SQL injection. The most common style of attack was SQL injection, which involves inputting commands into Web-based forms or URLs (Uniform Resource Locators) in order to return data held in back-end databases or plant malware in order to infect computers visiting the site.

* The second common attack was cross-site scripting. A cross-site scripting flaw can allow data or malicious code to be drawn from another Web site, which can potentially cause a data breach.

* Government, law enforcement and political Web sites were the most targeted categories of hacked Web sites. The second most popular motivation was stealing sensitive information, which occurred in 19% of the hacked websites, followed by planting malware (16%) and causing monetary loss (13%).

The remaining attacks caused downtime for a Web site, planted worms and linked spam and information warfare.

The causes of data breaches

* Negligent insiders — 75%
* Outsourced data to vendors and other third parties — 42%
* Malicious insiders — 26%
* Social engineering — 2%
* Hackers — 1%

40% of Web hacking incidents are aimed at stealing personal information, with 67% of all attacks being profit motivated, according to the Web Hacking Incidents Database project report for 2007.

Gartner has stated that 75% of all attacks on web sites and web applications target the application level and not the infrastructure.

NTA Monitor’s 2008 Annual Security Report has revealed that the average number of vulnerabilities found per test has increased to 21, compared with 19 in 2007.

All of the top 10 high-risk flaws are associated with services that are being made available to Internet users, demonstrating that with increased functionality comes the threat of reduced security.

Web applications are easily accessible targets for the hacker community, although it depends on the reason to hack and what hackers want to achieve. However, even if you think that you don’t have anything on your organization’s website, your online reputation is still there, and it is just a click away from hackers!

It is said that risk factors should be understood in order to build and maintain an effective website security program. It is recommended to integrate web application security into an organization’s overall security planning. Web application risk management requires ongoing attention to the risks organizations face.

If you want to become an expert in ethical hacking and penetration testing, just using the tools available on the Internet will not make you one. You should learn web application hacking and be thoroughly familiar with the top ten web application vulnerabilities that commonly exist in the market.

Importance of Web Hacking for a Security Professional

We have already presented the stats, which highlight the ratio of web application hacks. These days, security products, like Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in combination with firewalls, play smart roles in protecting the network of the organization. However, these devices are configured to allow you to access the web applications of the organization. So your easy access is always the web applications, which are exposed on the Internet. If you don’t know how to hack into web applications, then you are not the industry’s choice to hire as an ethical hacker or a penetration tester.

In order to protect the web applications, you should first know how to hack them.

Originally published at https://learncybersec.blogspot.com.
