What is web application hacking
It is a process of detecting vulnerabilities in web applications, the web application hacker needs to have a deep understanding of the architecture of a web application in order to successfully hack it.
Web application hacking is all about breaking down a web application's defense mechanisms, it requires tenacity, attention to detail, observation and focus.
Main defense mechanisms
There are three (3) main mechanisms in which we can protect a web application:
- User access handling
- User data input handling
- Attackers handling
User access handling
This mechanism consists of validating whether the user has permission or authorization to access a resource in the web application.
When this mechanism is poorly implemented, vulnerabilities arise such as:
- Broken Access Control Allows an attacker to gain unauthorized access to an application's sensitive features and data.
- IDOR Allows an attacker to access objects directly through user input, this can happen through URL parameters, cookies, directories, among others.
User data input handling
This mechanism consists of validating the data that the user enters in the web application, in order to guarantee that the user enters only what the web application expects, avoiding possible vulnerabilities.
This is one of the most complicated mechanisms to implement, as the implementation is never 100% effective, since new exploitation techniques are always emerging.
Through the input of this data, several vulnerabilities can arise that can compromise the application, these vulnerabilities are called “Input-Based Vulnerabilities”, and these are some of them:
- Cross Site Scripting Allows the injection of javascript code into the web application, this same javascript code is reflected in the browsers of the application's users, and this can compromise the privacy of these users.
- SQL Injection Allows the injection of SQL commands into the application's database through an application input, allowing an attacker to be able to execute arbitrary commands in the database, and thus be able to view and edit any information.
- Open Redirect It allows an attacker to be able to redirect users to a malicious application through a trusted application URL.
- Server Side Request Forgery It allows the attacker to be able to forge requests or requests using the application server, it is often used to access internal resources on the application server network.
Attackers handling
This mechanism consists of monitoring the web application, giving notifications and statistics of the application to its administrators, and also hindering attempted attacks, through blocks, and other means.
When this mechanism is poorly implemented, the application runs the risk of suffering attacks and not defending itself against them, not saving logs and not even alerting administrators about what happened.
It is remarkable how important it is for a hacker to know how to break defense mechanisms, as these mechanisms are responsible for the security of the web application, and hacking a web application is nothing more than breaking its security.
In this article you understood what web application hacking is, what defense mechanisms are implemented in web applications and what vulnerabilities can arise if they are poorly implemented. If you liked it, please share this article.