Scribd Logo
Upload

Welcome to Scribd!

  • 203 views

    Web Hacking Basics PDF

    Uploaded by

    rana322
    This document discusses web hacking basics and provides rules and classifications for different types of attacks. It summarizes that web applications can be found in many places and outlines five classes of web hacking: attacks on the web server, web client, web application, web user, and network. It emphasizes that all inputs should be validated and interactions assumed malicious (Rule 1) and that attackers have unpredictable motives, skills, and targets (Rule 2). Common attacks discussed include SQL injection, file inclusion, password guessing, and cross-site scripting.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Web Hacking Basics PDF

    Uploaded by

    rana322
    203 views13 pages
    This document discusses web hacking basics and provides rules and classifications for different types of attacks. It summarizes that web applications can be found in many places and outlines five classes of web hacking: attacks on the web server, web client, web application, web user, and network. It emphasizes that all inputs should be validated and interactions assumed malicious (Rule 1) and that attackers have unpredictable motives, skills, and targets (Rule 2). Common attacks discussed include SQL injection, file inclusion, password guessing, and cross-site scripting.

    Original Title

    web-hacking-basics.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document discusses web hacking basics and provides rules and classifications for different types of attacks. It summarizes that web applications can be found in many places and outlines five classes of web hacking: attacks on the web server, web client, web application, web user, and network. It emphasizes that all inputs should be validated and interactions assumed malicious (Rule 1) and that attackers have unpredictable motives, skills, and targets (Rule 2). Common attacks discussed include SQL injection, file inclusion, password guessing, and cross-site scripting.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    203 views13 pages

    Web Hacking Basics PDF

    Uploaded by

    rana322
    This document discusses web hacking basics and provides rules and classifications for different types of attacks. It summarizes that web applications can be found in many places and outlines five classes of web hacking: attacks on the web server, web client, web application, web user, and network. It emphasizes that all inputs should be validated and interactions assumed malicious (Rule 1) and that attackers have unpredictable motives, skills, and targets (Rule 2). Common attacks discussed include SQL injection, file inclusion, password guessing, and cross-site scripting.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 13
    At a glance
    Powered by AI
    The document discusses various types of web hacking attacks and emphasizes that all inputs should be validated and interactions assumed to be malicious.

    The five classes of web hacking attacks are attacks on the web server, web client, web application, web user, and network.

    Common attacker motives include defacement, accessing network/system resources, stealing locally stored data, source code, user accounts, and administrator privileges.

    Web Hacking Basics

    2010 MAD Security, LLC


    All rights reserved

    Where Do We Find Web Apps?

    Social Media
    Webmail
    Ecommerce
    Online Banking
    Corporate Intranet sites
    Customer & Project Management
    Bug tracking
    Routers & Firewalls

    Printers
    Gaming Consoles
    Database Management
    Filesharing Clients
    Virtual Machine Management
    Everywhere

    nmap -p http* 192.168.1.1-255

    Rule #1
    Never trust the client, the server, or the
    network.
    All inputs must be validated. All interactions with other parties must
    be assumed to be malicious until proven otherwise.

    Rule #2
    Attackers have unpredictable motives, skills,
    and targets. Attackers are therefore
    unpredictable.
    Never assume that an attacker cannot find a target, cannot find a way
    to exploit it, or would choose not to attack a target.

    Attacker Motives

    Defacement
    Network Resources
    System Resources
    Locally Stored Data
    Source Code
    User Traffic
    User Accounts
    Administrator Privileges
    Vulnerabilities

    Five Classes of Web Hacking


    Attacks on the web server
    Attacks on the web client
    Attacks on the web application
    Attacks on the web user
    Attacks on the network

    Server Attacks

    Earliest form of web hacking


    Best understood attacks
    Most easily prevented attacks
    Still extremely common
    Requires careful programming,
    configuration and maintenance to
    prevent.

    Shell Command Injection


    File Inclusion
    SQL Injection
    Executable Uploads
    Information Leakage

    Client Attacks
    Malicious code is served up and
    executed on the client-side.
    Next logical step after server
    attacks.
    Compromises the system or web
    browser.
    Defenses are improving, but there
    is no reliable proactive defense.
    Keep patches up to date.

    Trojans, Malware
    Drive-By Download
    Parsing Flaws in media

    ActiveX
    PDF
    Flash
    Images
    Movies

    No Website Is Trusted
    The old Dont browse untrusted sites
    mantra is meaningless.

    Application Attacks
    Goal-oriented
    Focused on abusing application
    logic, not compromising systems

    Session manipulation (prediction,


    spoofing, fixation)
    Incomplete access controls
    Some cryptographic attacks

    User Attacks
    Users are predictable and easily
    manipulated
    Forcing user action can
    circumvent controls
    Classic cons and scams can be
    easily repurposed for the web

    Clickjacking
    Password Guessing
    Phishing
    Social Engineering
    Cross-site Scripting and Crosssite Request Forgery are a unique
    combination of User, Browser,
    Server, and Application attacks.

    Network Attacks
    Are not unique to web security
    Have unique consequences

    Traffic Sniffing
    DNS Poisoning
    ARP Poisoning
    SSL Attacks

    Rule #1
    Never trust the client, the server, or the
    network.
    All inputs must be validated. All interactions with other parties must
    be assumed to be malicious until proven otherwise.

    You might also like