Professional Documents
Culture Documents
First Edition
March 2020
Introduction to Hacking Web
Applications
• Use a wide array of exploits, all of which are extremely common and
found often throughout many of today’s web applications.
• You will have both the recon skills required to find bugs in
applications that you can exploit, and the offensive hacking skills
required to build and deploy payloads that take advantage of those
security bugs.
The Hacker’s Mindset
• The majority of hacking is actually data gathering and analysis.
• A good hacker is constantly on the lookout for clues that could lead
to the discovery of a vulnerability.
• The nature of this work means that even a good hacker can go a
significant amount of time without a big success.
• The hacker must also carefully keep a record of your prior attempts,
and the lessons learned from them.
Simple XSS
attack
1. The attacker injects a payload into the website’s database by submitting a vulnerable
form with malicious JavaScript content.
2. The victim requests the web page from the web server.
3. The web server serves the victim’s browser the page with attacker’s payload as part of
the HTML body.
4. The victim’s browser executes the malicious script contained in the HTML body. In this
case, it sends the victim’s cookie to the attacker’s server.
5. The attacker now simply needs to extract the victim’s cookie when the HTTP request
arrives at the server.
6. The attacker can now use the victim’s stolen cookie for impersonation.
(1) Stored XSS
• Stored XSS attacks are interesting because they are the easiest
type of XSS to detect, but often one of the most dangerous
because many times they can affect the most users.
• The scripts are stored as text server side, and are not evaluated.
(1) Stored XSS
• An XSS allows an attacker to inject a script into the content of a website or app.
When a user visits the infected page, the script will execute in the victim’s browser.
• This allows attackers to steal private information like cookies, account information,
or to perform custom operations while impersonating the victim’s identity.
• Compared to stored XSS, reflected XSS only require the malicious script to be added
to a link and that a user clicks on it.
(3) DOM-Based XSS
• DOM XSS attacks are much more difficult
to find and take advantage of than
traditional reflected or stored XSS, as they
require deep knowledge of the browser
DOM and JavaScript.
The SQL above is valid and will return ALL rows from the "Users" table,
since OR 1=1 is always TRUE.
SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;
A hacker might get access to all the user names and passwords in a
database, by simply inserting 105 OR 1=1 into the input field.
SQL Injection
The potential dangers of using user input in SQL statements:
SQL Injection Based on ""="" is Always True
Here is an example of a user login on a web site:
uName = getRequestString("username");
uPass = getRequestString("userpassword");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="'
+ uPass + '"'
Result
SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"
The code at the server will create a valid SQL statement like this:
Result
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always
TRUE.
(1) SQL Injection
(2) Code Injection
• Code Injection is the general term for
attack types which consist of injecting code
that is then interpreted/executed by the
application.
Consider a website that extracts a value from a URL parameter and applies the eval()
function to examine its content:
$myvar = "varname";
$x = $_GET['arg'];
eval("$myvar = $x;");
If there is no input validation on URL parameters, the attacker can inject a command
into the parameter:
http://example.com/index.php?arg=1; phpinfo()
The page will then evaluate the expression arg=1; phpinfo() and run the system
command planted by the attacker.
phpinfo() function is useful for gaining information about the configuration of the environment in which
the web service runs.
(2) Code Injection
(2) Code Injection
• Comparison between Code injection and SQL injection:
• /etc/shadow
Contains encrypted passwords for users
• ~/.ssh
Contains SSH keys for communicating with other systems
• /etc/apache2/httpd.conf
Configuration for Apache-based servers
• /etc/nginx/nginx.conf
Configuration for Nginx-based servers
(3) Command Injection
Example: File Name as Command Argument
• The call to system() will fail to execute, and then the operating system will
perform recursive deletion of the root disk partition.
(3) Command Injection
• That’s just an example of how logical DoS attacks are found and
exploited.