CH 2 Web Hacking

Web application hacking involves exploiting vulnerabilities in web applications to gain unauthorized access or manipulate data. The methodology includes steps such as reconnaissance, vulnerability scanning, exploitation, and documentation. Ethical hackers perform these activities to help organizations identify and mitigate security flaws before they can be exploited by malicious actors.

What is Web Application Hacking?

Web application hacking or web app hacking is the act of exploiting vulnerabilities and
weaknesses in web applications to gain unauthorized access, manipulate data, or perform
malicious activities.

It involves identifying security flaws in web apps and leveraging them to compromise their
integrity, confidentiality, or availability.

Web applications are software programs that run on web servers and are accessed through
web browsers. They are used for various purposes, such as online banking, e-commerce,
social media, and more. However, these applications often have security vulnerabilities that
can be exploited by hackers.

Web Application Hacking Methodology


The methodology for web application hacking in ethical hacking typically follows a
systematic approach to identify vulnerabilities, exploit them, and assess the impact of the
attack.

Here is a step-by-step process for web application hacking methodology:

1. Reconnaissance
Gather information about the target application, its infrastructure, and the technologies
used. This can include identifying the application's URL, server details, application
frameworks, and any associated subdomains.

2. Mapping and Discovery


Explore the target application to identify all available entry points, such as input fields,
forms, URLs, and hidden parameters. Use tools like web crawlers or manual exploration to
map the application's functionality and identify potential vulnerabilities.

3. Vulnerability Scanning
Use automated scanning tools to identify common web application vulnerabilities, such as
SQL injection, XSS, CSRF, and more. These tools can help identify potential security flaws
and save time during the initial assessment.

4. Manual Testing
Perform manual testing to validate and further investigate the vulnerabilities identified in the
previous step. This involves manually crafting and injecting payloads into input fields to test
for specific vulnerabilities and their impact.

5. Exploitation
Exploit the identified vulnerabilities to gain unauthorized access, manipulate data, or
perform malicious activities. This may involve crafting and injecting malicious code,
manipulating input values, or leveraging insecure configurations to gain control over the
application or the underlying server.

6. Privilege Escalation
If access to the application is limited, attempt to escalate privileges to gain higher levels of
access. This can involve exploiting additional vulnerabilities, such as privilege escalation
vulnerabilities or misconfigured access controls, to gain administrative or root-level access.

7. Post-Exploitation
Once access has been gained, explore the compromised system or application to gather
valuable information, such as sensitive data, credentials, or configuration details. Maintain
persistence within the system, if possible, to ensure continued access.

8. Documentation and Reporting


Document all findings, including vulnerabilities discovered, exploited systems, and the
impact of the attacks. Provide a detailed report with recommendations on how to mitigate
the identified vulnerabilities and improve the application's security posture.

It's important to note that web app hacking should only be performed with proper
authorization and within the bounds of the law. Ethical hackers or penetration testers
typically carry out these activities as part of security assessments to help organizations
identify and address vulnerabilities before malicious actors can exploit them.

Reconnaissance of web app

What is Information Gathering?

Information gathering is the first phase of penetration testing. In it we
collect publicly available information and, where the engagement allows,
internal information about the target, using both active and passive
reconnaissance, and we reuse that information in the later testing phases.

First, some terms: what information we are after, who the target is, and what
active and passive reconnaissance mean:

Information: The organization's digital footprint, such as its IP addresses,
DNS records, mail servers, subdomains, older snapshots of the web application
(for example from web archives), backend technologies, server information, and
publicly disclosed vulnerabilities in the software versions being used.

Target: The web application on which we will perform the testing.

Active Reconnaissance: Gathering information by interacting with the target
directly, for example by sending requests to it. The target can observe and
log this activity.

Passive Reconnaissance: Collecting publicly available information about the
target without interacting with it, for example from search engines, DNS
records or web archives. The target sees no traffic from the tester.

Vulnerability: A weakness or missing security control found in the target.

This is why we perform information gathering: it is how we explore all the
functionality, learn which technologies are in use, and identify which features
are sensitive.
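An added example, not from the original notes, of active reconnaissance as defined above: one HTTP response from the target is parsed, and its headers, cookie names and body are matched against a small signature table to identify backend technologies and their versions. The raw response, the signature table and the function names are constructed for the illustration; a real engagement would use a much larger signature database.

```python
"""Fingerprint backend technology from a single HTTP response (added example).

Active reconnaissance: one request to the target, then the response headers,
cookie names and body are matched against known technology signatures.
The response and the signature table are constructed for this example.
"""
import re

# Constructed raw response; not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.8"></head></html>'
)

# (where to look, regex, technology). The single capture group, if present,
# is the version string; versions are what you later check against public
# vulnerability disclosures for that software.
SIGNATURES = [
    ("header:server", r"Apache(?:/([\d.]+))?", "Apache httpd"),
    ("header:server", r"nginx(?:/([\d.]+))?", "nginx"),
    ("header:server", r"Microsoft-IIS(?:/([\d.]+))?", "IIS"),
    ("header:x-powered-by", r"PHP(?:/([\d.]+))?", "PHP"),
    ("header:x-powered-by", r"ASP\.NET", "ASP.NET"),
    ("header:x-powered-by", r"Express", "Express (Node.js)"),
    ("cookie", r"^PHPSESSID$", "PHP session"),
    ("cookie", r"^JSESSIONID$", "Java servlet container"),
    ("cookie", r"^ASP\.NET_SessionId$", "ASP.NET session"),
    ("cookie", r"^csrftoken$", "Django"),
    ("body", r'<meta name="generator" content="WordPress(?: ([\d.]+))?"', "WordPress"),
]


def parse_response(raw):
    """Split a raw response into (status line, [(header_lower, value)], body).
    Headers are kept as a list because Set-Cookie may appear several times."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def fingerprint(raw):
    """Return sorted (technology, version or None, matched evidence) tuples."""
    _, headers, body = parse_response(raw)
    cookie_names = [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]
    findings = set()
    for where, pattern, tech in SIGNATURES:
        if where.startswith("header:"):
            wanted = where.split(":", 1)[1]
            candidates = [v for n, v in headers if n == wanted]
        elif where == "cookie":
            candidates = cookie_names
        else:
            candidates = [body]
        for text in candidates:
            m = re.search(pattern, text)
            if m:
                version = m.group(1) if m.re.groups else None
                findings.add((tech, version, m.group(0)))
    return sorted(findings, key=lambda f: (f[0], f[1] or ""))


if __name__ == "__main__":
    for tech, version, evidence in fingerprint(SAMPLE_RESPONSE):
        print(f"{tech:<24} version={version or '?':<8} evidence={evidence!r}")
```

The session cookie name is matched on its own, separately from the Server and X-Powered-By headers, because administrators often strip or rewrite those headers while leaving the framework's default cookie name in place.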

Now let's look at the different techniques we can use to gather information
about the target.

Manually walking through the target:

This is the first thing you should do. Suppose our target is example.com:
first use the application as an ordinary user would, note which
functionalities exist, and spend real time on it. If you can create accounts,
do so for every role that is available (for example admin and normal user)
and use all the functionality of each.

After exploring all the features you should have a rough idea of the attack
surface (the places from which an attacker can attempt to exploit the system),
in other words the entry points.

Then we can start the in-depth recon of the target.

Google Dorking:

Google dorking is a method of finding specific information about your target
by narrowing search results: a plain search might return 138,000 results,
while a dorked query returns only the subset that matches the operators you
add.

Google dorking can also surface sensitive information and hidden URLs that a
normal search would not show, because the pages are indexed even when nothing
links to them prominently.

As the name suggests, all you need is the Google search engine and some
knowledge of the operators. Google's search engine has its own built-in query
language that filters your searches. Here are some of the most useful
operators that can be used with any Google search:

site:
This operator restricts results to the given domain, including its subdomains.

Example: site:google.com

inurl:
This operator returns only those results whose URL contains the given term.

Example: inurl:login.html

intitle:
This operator returns only those results whose page title contains the given term.

Example: intitle:password

allinurl:
This operator returns only those results whose URL contains all of the terms that
follow it.

Example: allinurl:pizza crust

allintitle:
This operator returns only those results whose page title contains all of the
terms that follow it.

Example: allintitle:zoo animals

intext:
This operator returns results based on text found in the page's content.

Example: intext:films

allintext:
This operator returns only those results whose page content contains all of the
terms that follow it.

Example: allintext:comedy films
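To make the operator semantics concrete, here is an added example (not part of the original notes) that evaluates the dork operators above against a small constructed index of pages instead of querying Google. It shows, on known data, the difference between inurl: and allinurl:, and between intitle: and allintitle:. The index entries, URLs and function names are constructed for this illustration, and matching is simplified to case-insensitive substring matching.

```python
"""Evaluate Google dork operators against a local page index (added example).

Google is not queried. The index is constructed so the effect of each
operator (site:, inurl:, intitle:, intext: and the allin* forms) can be
checked on known data. Matching is case-insensitive substring matching,
a simplification of the real search engine's behaviour.
"""
from urllib.parse import urlparse

# Constructed index of (url, title, page text). None of these pages are real.
INDEX = [
    ("https://example.com/login.html", "Example - Login", "Enter your password to sign in"),
    ("https://example.com/admin/login.php", "Admin Password Reset", "reset your password here"),
    ("https://docs.example.com/api", "API documentation", "endpoints and auth tokens"),
    ("https://other.org/pizza/crust", "Pizza crust recipes", "thin crust, deep dish"),
    ("https://other.org/blog", "Comedy films of the year", "best comedy films reviewed"),
]

# Operator -> index of the page field it searches (0 url, 1 title, 2 text).
FIELD = {"inurl": 0, "intitle": 1, "intext": 2,
         "allinurl": 0, "allintitle": 1, "allintext": 2}


def tokenize(query):
    """Return (operators, free_terms). An allin* operator consumes every
    following term; the single-term operators take only the attached word."""
    ops, free = [], []
    words = query.split()
    for i, word in enumerate(words):
        name, sep, value = word.partition(":")
        name = name.lower()
        if sep and (name == "site" or name in FIELD):
            if name.startswith("allin"):
                ops.append((name, [value.lower()] + [w.lower() for w in words[i + 1:]]))
                break
            ops.append((name, [value.lower()]))
        else:
            free.append(word.lower())
    return ops, free


def matches(page, ops, free):
    """True if the page satisfies every operator and every free term."""
    host = urlparse(page[0]).netloc.lower()
    for name, terms in ops:
        if name == "site":
            # site:example.com covers the domain itself and its subdomains
            if not (host == terms[0] or host.endswith("." + terms[0])):
                return False
        elif not all(t in page[FIELD[name]].lower() for t in terms):
            return False
    # Free terms may appear in any field, as in an ordinary search
    everything = " ".join(page).lower()
    return all(t in everything for t in free)


def dork(query):
    """Return the URLs in INDEX that satisfy the query, in index order."""
    ops, free = tokenize(query)
    return [page[0] for page in INDEX if matches(page, ops, free)]


if __name__ == "__main__":
    for q in ("site:example.com", "inurl:login.html", "intitle:password",
              "intitle:password login", "allintitle:password login",
              "allinurl:pizza crust", "allintext:comedy films"):
        print(f"{q:<30} -> {dork(q)}")
```

Compare intitle:password login, which finds the admin page because "login" may sit anywhere (here in the URL), with allintitle:password login, which finds nothing because no title contains both words.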
