ppt slides

profileayo231
annotated-Webapplicationsecurityandhacking-1.docx.pdf

1

Web application security and hacking

Modupeola Sasore

Dr. Joel Christensen

University of Fairfax

IA8060-ONLINE

May 30, 2023

2

The Architecture of Web Applications:

Web apps are server-side scripts that provide browser-based access to online

services. They are made up of several parts that all perform together to provide the user with

information and features. The user's browser represents the client in the client-server paradigm

of web application architecture. The server is the computer running the actual program.

The presentation layer contains the user interface, the application layer handles

business logic, and the data layer stores and retrieves information. In addition to displaying

web pages, the presentation layer is in charge of the user interface. It is composed of browser-

based code such as HTML, CSS, and JavaScript (Devi,2020). The business logic, along with

user requests, data processing, and content generation, all live on the application layer. Server-

side programming languages like PHP, Python, and Java are often used to create this layer.

Finally, the data layer is responsible for storing and retrieving data from various databases and

other sources.

Protocols like HTTP provide communication between clients and servers in the

context of web applications. When a client makes a request, the server takes care of it by

communicating with the underlying application and data layers before responding

appropriately.

3

Developers and security experts both need a firm grasp of how web apps are put

together. It aids in the detection of security flaws and the development of foolproof systems.

Developers may safeguard their systems from attacks by implementing security measures and

using best practices when they have a thorough understanding of the interplay between the

various levels.

Objectives of Web Application Hacking

In this context, "hacking" a web application is discovering and using its flaws for

malicious ends. Web application hacking may be performed by hackers and security experts

for several reasons. The major goals of web application hacking may be broken down into the

following groups:

Gaining Unauthorized Access is a Primary Goal of Web Application Hacking in

Order to Access Private Data or Computer Systems (Hoffman,2020). Web applications are a

potential target for hackers that want to steal sensitive information, money, or intellectual

property.

Some hackers' motivations for defacing or vandalizing online programs are

political or social. A hacker might cause disruption by replacing the site's content with their

own words or visuals.

DoS Attacks are possible by hacking into a web application as well. Attackers may

make a web application inaccessible to its intended users by flooding it with traffic or

fraudulent queries.

Breaking Down an Assault

4

To properly protect against, identify, and react to threats, knowing their anatomy is crucial.

Each phase of an assault on a web application has its own unique features.

Reconnaissance is the process through which an attacker learns about the

technological stack, possible vulnerabilities, and underlying infrastructure of a targeted online

application. In this stage, you will do passive reconnaissance activities including surfing the

website, inspecting the source code, and assessing the accessible information.

The scanning phase of a web application attack is when the attacker actively

searches for weak spots in the system (Hoffman,2020). Common vulnerabilities like SQL

injection and cross-site scripting (XSS) may be detected by automated techniques that evaluate

the application's answers. The objective is to identify possible exploitable entry points or flaws

(Dorofeev,2019).

When an attacker finds a security hole, the next step is to try to use it to his advantage by

performing some kind of exploit. SQL injection, cross-site scripting (XSS), and remote code

execution are just some of the vulnerabilities that may be exploited by sending specially crafted

requests or inserting malicious code.

Dangers to Web Applications:

Threats to the confidentiality, availability, and performance of web applications

abound. The only way to effectively fight these dangers is to be aware of them. Some typical

dangers to web apps include:

5

Attackers may launch injection attacks on a website by inserting malicious code or

instructions into the application's input fields or parameters. Injection attacks like SQL

injection and XSS (cross-site scripting) are common (Dorofeev,2019). These flaws may allow

for arbitrary code execution on the server or the client, as well as unauthorized access to data.

In a Cross-Site Scripting (XSS) attack, malicious scripts are inserted into user-

facing websites. These scripts may be used for data theft, session hijacking, and website

sabotage. Insecure JavaScript implementations, invalid user input, and insufficient output

encoding are all potential sources of XSS vulnerabilities.

Cross-Site Request Forgery (CSRF) is an attack that takes advantage of the

relationship of trust that exists between an online service and its authorized users. By abusing

a user's session information, attackers may deceive them into sending malicious requests. This

may result in fraudulent transactions being made in the user's name or in their account settings

being altered without their knowledge.

Countermeasures:

Countermeasures must be in place to prevent assaults on online applications. In

order to lessen the likelihood of being exploited, businesses should have stringent security

procedures. Important preventative steps include:

Users' data should be checked and sanitized before being used, hence it's important

to provide stringent input validation. This aids in protecting against SQL injection and cross-

site scripting threats. Sanitize user input with the right validation methods and you won't have

to worry about any dangerous stuff getting through.

6

Use safe coding methods to lessen the possibility of security flaws being

introduced. Included in this category are concepts like "secure session management," "secure

configuration management," "secure input/output validation," and "proper error handling."

Strong authentication measures, such as multi-factor authentication, should be used

to restrict access to just those who need it. Implement stringent password requirements and use

secure technologies such as HTTPS. To avoid privilege escalation and guarantee that users

only have access to the resources they need, strong authorization rules should be put in place.

Perform vulnerability assessments and penetration tests, as well as other forms of

thorough security testing, on a regular basis. The application and the infrastructure may both

be tested for flaws and vulnerabilities using these tools. Start and end the software development

process with secure development methods including code reviews and security testing.

Web servers, frameworks, and application components must all have secure

configurations to prevent vulnerabilities (Saha,2020). Turn down unused services, modify

default logins, and update and patch your system often. Adhere to vendor-provided security

setup recommendations and accepted industry practices.

Web Application Hacking Tools:

In order to find and exploit security flaws in online applications, hackers use web

application hacking tools. Experts in the field of security may utilize some technologies for

lawful reasons, while bad actors may use others for nefarious ends. Some typical hacking tools

for web applications are listed below.

7

Burp Suite is an all-inclusive suite of tools for manual and automated security

testing of online applications. Features like proxying, scanning, fuzzing, and session

modification help security analysts find and attack weak spots.

The Open Web Application Security Project (OWASP) has released a web

application security scanner called ZAP (Zed Attack Proxy). It is useful for finding typical

security flaws like as injection attacks, XSS, and incorrect settings. ZAP's user-friendly

interface and support for both manual and automated testing make it a versatile tool.

While Nmap's primary purpose is to scan networks for security flaws, it may also

be used to check for open ports, services, and web application vulnerabilities (Saha,2020).

Security analysts are able to learn more about the targeted application and locate

vulnerabilities.

When it comes to finding and exploiting SQL injection vulnerabilities

automatically, nothing beats sqlmap. Data extraction, authentication bypass, and unauthorized

SQL command execution are all possible for security experts.

Conclusion

Security experts may benefit greatly from web application hacking tools in order

to discover and fix flaws in their apps. However, they should be used only in accordance with

the law and ethical standards at all times. To keep their systems and data safe, businesses

should pay attention to new threats and vulnerabilities, invest in strong security solutions, and

conduct frequent web application security assessments.

8

References

Devi, R. S., & Kumar, M. M. (2020, June). Testing for security weakness of web applications

using ethical hacking. In 2020 4th International Conference on Trends in Electronics

and Informatics (ICOEI)(48184) (pp. 354-361). IEEE.

https://ieeexplore.ieee.org/abstract/document/9143018/?casa_token=Hgi0B7XbfJcAA

AAA:lBj_auqeVcnjER7CDtJw7_OxsHVHWEzQVYLDr6Aak2SIutD3gDp8b0wMD

v3HVClhIEEg4Gx58Bk38A

Dorofeev, A. V., Markov, A. S., & Rautkin, Y. V. (2019). Ethical hacking training. In CEUR

Workshop Proceedings (Vol. 2522, pp. 47-56). https://ceur-ws.org/Vol-

2522/paper5.pdf

Hoffman, A. (2020). Web Application security: exploitation and countermeasures for modern

web applications. O'Reilly Media.

https://books.google.co.ke/books?hl=en&lr=&id=3R3UDwAAQBAJ&oi=fnd&pg=P

R2&dq=Web+application+security+and+hacking&ots=PGghFvbQXs&sig=Z8NC1a

WRO34QYVmgxhtLE8v7Tqo&redir_esc=y

Saha, S., Das, A., Kumar, A., Biswas, D., & Saha, S. (2020). Ethical hacking: redefining

security in information system. In Proceedings of International Ethical Hacking

Conference 2019: eHaCON 2019, Kolkata, India (pp. 203-218). Springer Singapore.

http://real.mtak.hu/105347/1/139.pdf