
ETI - PPT (Application Hacking) (Autosaved)

Web application vulnerabilities occur when web applications are not properly validated or sanitized, allowing exploits like SQL injection, cross-site scripting, security misconfigurations, and directory traversals. SQL injection happens when malicious SQL statements are executed in a database. Cross-site scripting occurs when attackers inject malicious scripts that steal cookies and tokens. Security misconfigurations result from improper security settings. Directory traversals allow accessing restricted directories outside a web server's root. Prevention methods include input validation, escaping, and proper access control lists.

Uploaded by Shivani

Web Application Hacking

What is a web application?

• A web application is an application program that is usually stored on a remote server, and users access it through a web browser.
• Web applications include online shops, webmail, calculators, social media platforms, etc.
Web application vulnerabilities

• Web application vulnerabilities involve a system flaw or weakness in a web-based application.
• They are largely due to not validating or sanitizing form inputs, misconfigured web servers, and application design flaws, and they can be exploited to compromise the application's security.
• Web application hacking in general refers to the exploitation of applications via Hypertext Transfer Protocol (HTTP), which can be done by manipulating the application through its graphical web interface, tampering with the Uniform Resource Identifier (URI) or exploiting HTTP elements.
• Web application security vulnerabilities are as follows:
  • SQL Injection
  • Cross Site Scripting
  • Security Misconfiguration
  • Directory Traversals
SQL Injection

• SQL Injection is a code injection technique used to execute malicious SQL statements on the database.
• Preventive measures:
  • Perform strict input validation.
  • Consider a web application firewall to filter out malicious data.
  • Continuously monitor SQL statements from database-connected applications.
  • Discard any unwanted or unimportant database functionality.
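As an added example (not part of the slides), the Python below puts a login query built by string formatting next to the same query written with placeholders, and adds the strict input validation the slide lists first. The in-memory SQLite table, the sample users and the function names are constructed for this demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the slides).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Vulnerable form: user input is pasted into the statement text, so quotes
    # and keywords in the input are parsed as SQL syntax by the database.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(query))

def login_parameterized(conn, username, password):
    # Hardened form: placeholders send the values separately from the statement,
    # so the database never parses the input as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))

def validate_username(username):
    # Strict input validation: an allowlist of characters and a length limit.
    # Anything containing quotes, spaces or operators is rejected before it
    # reaches the database.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

if __name__ == "__main__":
    db = make_db()
    print(login_parameterized(db, "alice", "s3cret"))
```

The parameterized version is the fix; the validation layer is defence in depth, and a query that logs every statement it runs (as the slide's "continuously monitor" measure suggests) would show the difference between the two forms immediately.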
Cross Site Scripting

• Cross Site Scripting (XSS) is a code injection attack executed on the client side of a web application.
• Attackers inject the malicious script through the web browser.
• The malicious script is executed in the victim's browser when the victim visits the web page served by the web server.
• It is used to steal cookies, session tokens and other sensitive information.
• It is also used to modify the content of the website.
• Prevention:
  • User input escaping
  • Consider input as a threat
  • Data validation
  • Sanitize data
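The four prevention items above, as an added Python example that is not part of the slides: an unescaped rendering beside the escaped one, plus an allowlist validator and a sanitizer for a display name. The comment markup and the character allowlist are assumptions made for the demonstration.

```python
import html
import re

def render_comment_unsafe(raw_comment):
    # Vulnerable form: untrusted text is placed directly into the HTML, so any
    # tags or event handlers it contains become part of the page.
    return f'<p class="comment">{raw_comment}</p>'

def render_comment(raw_comment):
    # User input escaping: <, >, &, " and ' become entities, so the browser
    # shows the text instead of interpreting it as markup.
    return f'<p class="comment">{html.escape(raw_comment, quote=True)}</p>'

# Treat input as a threat: only this character set is acceptable for a display name.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ]{1,40}")

def validate_display_name(name):
    # Data validation: accept or reject, without modifying the value.
    return DISPLAY_NAME_RE.fullmatch(name) is not None

def sanitize_display_name(name):
    # Sanitization: drop every character outside the allowlist and truncate.
    return re.sub(r"[^A-Za-z0-9 ]", "", name)[:40]

if __name__ == "__main__":
    print(render_comment('say "hi" & <b>bye</b>'))
```

Escaping is applied at output time, in the context where the value is written (here an HTML element body); validation and sanitization happen at input time and are a second layer, not a replacement for escaping.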
Security Misconfiguration

• Security misconfigurations arise when security settings are not defined and implemented, and default values are maintained.
• Misconfiguration normally happens when a system or database administrator or developer does not properly configure the security framework of an application, website, desktop, or server, leading to dangerous open pathways for hackers.
Directory Traversal

• Directory traversal is an HTTP attack which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
• The web server provides two main levels of security mechanisms:
  • Access Control Lists (ACLs)
  • Root Directory
• Countermeasures:
  • Don't store old, sensitive or otherwise non-public files on your web server.
  • Ensure that your web server is properly configured to allow public access only to those directories that are needed for the site to function.
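The two mechanisms named above (root directory confinement and an ACL over which directories are public), as an added Python example that is not part of the slides. The web root path, the allowlist of public directories and the function names are constructed for the demonstration.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed values for the demonstration (the slides name no paths).
WEB_ROOT = "/srv/www/site"
PUBLIC_DIRS = {"static", "images"}   # ACL layer: only these subtrees are served

class PathTraversalError(ValueError):
    """Raised when a request would leave the web root or a public directory."""

def resolve_request(requested, web_root=WEB_ROOT, public_dirs=PUBLIC_DIRS):
    root = Path(web_root).resolve()
    # Decode percent-encoding once, then join relative to the root. The leading
    # slash is dropped so an absolute request cannot replace the root. resolve()
    # collapses ".." segments and follows symlinks, so the check below sees the
    # real target rather than the literal text of the request.
    decoded = unquote(requested)
    candidate = (root / decoded.lstrip("/\\")).resolve()
    try:
        rel = candidate.relative_to(root)
    except ValueError:
        # Root directory mechanism: the target lies outside the web root.
        raise PathTraversalError(f"escapes web root: {requested!r}")
    # ACL mechanism: the first component must be a directory meant to be public,
    # so files in the root itself or in private subtrees are never served.
    if not rel.parts or rel.parts[0] not in public_dirs:
        raise PathTraversalError(f"not in a public directory: {requested!r}")
    return candidate

def is_safe(requested):
    # Convenience wrapper: True when the request would be served, False when rejected.
    try:
        resolve_request(requested)
        return True
    except PathTraversalError:
        return False

if __name__ == "__main__":
    for req in ["static/css/site.css", "../../etc/passwd", "admin/config.txt"]:
        print(f"{req!r}: {'allowed' if is_safe(req) else 'rejected'}")
```

The containment check runs on the resolved path, not on the request string, so it does not depend on spotting every spelling of ".." in the input; the allowlist then narrows what is reachable even inside the root, which is the "public access only to the directories that are needed" countermeasure.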
