Lesson 16_Hacking Web Application

The document outlines a Professional Certificate Program in Ethical Hacking and Penetration Testing, focusing on web application security and vulnerabilities. It covers web application architecture, OWASP's top ten security risks, and various hacking methodologies. Additionally, it discusses countermeasures against web application attacks and the importance of web application analysis for identifying vulnerabilities.

Uploaded by Sparsh Sharma

Professional Certificate Program in Ethical Hacking and Penetration Testing
Ethical Hacking
Hacking Web Application
A Day in the Life of a Web Analyst

Mr. Jones works for an IT company as a web analyst. The company has worked on several web-based applications. Recently, the company faced a cyberattack due to a vulnerability in a system that was not patched. Mr. Jones's senior wants him to identify and patch all the systems and make sure such incidents do not occur in the future.
In this lesson, he will learn about the various types of web architecture, OWASP's top ten security risks, and other web application threats.
Learning Objectives

By the end of this lesson, you will be able to:

Explain web application hacking methodology

Identify web application vulnerabilities

Identify the types of web application architecture

Identify OWASP's top 10 and other web app threats


Web Application Concept
What Is a Web Application?

A web application is a computer-based program that uses web browsers to carry out specified functions online. It is popularly known as a web app.

Figure: the client's browser sends a URL to the server, and the server sends back an HTML page.
Popular Web Applications

Amazon, Netflix, and WhatsApp are some popular web applications used daily. Web applications are delivered over the World Wide Web.

Figure: logos of Amazon, Netflix, and WhatsApp.
Web Application Architecture

A web application architecture is a blueprint that showcases how communication happens between applications, middleware systems, and databases to ensure multiple applications work simultaneously.

Figure: an example layered architecture. Clients (Application 1, 2, 3) in the client layer call an API layer (web server, API services for actions); the application layer runs online recommender services and action services together with offline recommendation services (association rules); a database layer and a data mining layer (action-based and content-based generators) sit behind them; an administration layer (administration tool, API management, documentation) and third-party metadata complete the diagram.
Components of a Web Application Architecture

The components of web application architecture are:

• Client
• Firewall
• Proxy
• Web server
• Database server
• Legacy application server
• Media server
• Application server
Types of Web Application Architecture

In general, web applications are of three types:

• Two-tier web architecture
• Three-tier web architecture
• n-tier web architecture
Two-Tier Web Application Architecture

A two-tier web application architecture consists of the following layers:

• Layer 1, Client: the client platform that hosts a web browser
• Layer 2, Server: the server platform that hosts all server software components (web/app services, database, dynamic HTML, static HTML)
Three-Tier Web Application Architecture

A well-known software application design that divides applications into three logical and physical computer tiers is three-tier architecture.

Figure: a client passes through a firewall and a proxy to the web server (presentation layer); the application server (business logic, connectors, personalization, data access) together with the backend (legacy application, enterprise information system) forms the business layer; the DBMS forms the data layer.
Three-Tier Web Application Architecture: Layers

A three-tier web application architecture consists of the following layers:

• Layer 3, Presentation layer: it provides information about services through a graphical user interface (GUI), most often a web browser or web-based application.
• Layer 2, Application layer: it is derived from the presentation tier and is known as the logic tier or business logic tier.
• Layer 1, Data layer: it is where data is stored in and retrieved from database servers.
N-Tier Web Application Architecture

N-tier web application architecture, as the name suggests, requires multiple layers, primarily more than three layers.

• N-tier architecture is also called multi-layered architecture.
• It is an expansion of the three-layer architecture by replicating the application servers, the data servers, or specializing servers.

Figure: several clients connect to Application Server 1, 2, and 3, which in turn use Data Server 1 and 2.
Web App Threats
What Is OWASP?

OWASP is a global non-profit organization based in Maryland, United States, dedicated to web
application security.

It is an online community that provides freely available articles, documentation, tools, etc.
OWASP Top 10

These ten are considered the most critical security risks to web applications:

1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)
Broken Access Control

Broken access control allows an attacker to function as a user or administrator.

It is considered the most critical security vulnerability.


https://www.packetlabs.net/posts/broken-access-control/
Cryptographic Failures

• Cryptographic failures occur when sensitive stored data is compromised.
• It was formerly called Sensitive Data Exposure.
• It occurs due to weak cryptographic algorithms.

https://www.pullrequest.com/blog/what-are-cryptographic-failures-and-how-to-prevent-giant-leaks/
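The slide names weak algorithms and compromised stored data as the root of this category; the most common concrete instance is how passwords are stored. As an added example (not code from the original slides), the block below puts an unsalted fast digest next to a salted, iterated PBKDF2 record and a constant-time verifier. The record format, the iteration count, and the sample password are assumptions chosen for the example; only the Python standard library is used.

```python
"""Password storage: unsalted fast hash (weak) beside salted PBKDF2 (hardened).

Added example, not code from the original slides. Uses only the Python
standard library; the sample password is constructed.
"""
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters (assumed values). The iteration count is the
# cost knob: raising it slows both legitimate verification and offline guessing.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The pattern behind many cryptographic-failure findings: an unsalted,
    fast digest. Equal passwords give equal digests, and once the table leaks
    the digest can be checked against guesses at very high speed."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'
    (salt and digest hex-encoded) so the parameters can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and iteration count and
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))  # False
```

Two records for the same password differ because each carries its own salt, so a leaked table gives no hint that two accounts share a password, and the stored iteration count lets the cost be raised on the next login without a migration.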
Injection

A web application becomes vulnerable when an attacker sends crafted data that the application interprets as part of a command or query. This process is known as code injection.

There are different types of injection: SQL, LDAP, CRLF, etc.

https://www.kiuwan.com/code-injection-vulnerabilities/
Insecure Design

Insecure design vulnerability occurs when the designs contain some flaws. It represents the weakness in the current designs.

Example

1. The attacker uses an automated system to test a target's credential list.
2. The attacker repeats login attempts until one is successful.

Figure: an automated system sending login attempts to a website with no failed-login limits set.

While designing applications, developers are always recommended to use secure design patterns to free the application from loopholes.

https://cheapsslsecurity.com/blog/what-are-the-owasp-top-10-vulnerabilities-and-how-to-mitigate-them/
Security Misconfiguration

Security misconfiguration arises when the developer or administrator does not configure the security framework properly.

Figure: the layers that all need correct configuration: business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce), custom code, app configuration, framework, app server, web server, hardened OS, and database, together with the development, QA, and test servers and source control; an insider is shown as a possible threat.

It is a design or configuration weakness resulting from a configuration error.


https://www.wallarm.com/what/a6-security-misconfiguration-2017-owasp
Vulnerable and Outdated Components

This attack occurs when the software is outdated, vulnerable, or not supported. All vulnerable and outdated components should be identified and patched.

This generally happens when the developer does not know what version of the software is currently being used.

https://cheapsslsecurity.com/blog/what-are-the-owasp-top-10-vulnerabilities-and-how-to-mitigate-them/
Identification and Authentication Failure

• It is related to authentication and session management.
• If implemented incorrectly, it would allow the attackers to compromise passwords, keywords, sessions, etc.
• These have severe consequences and may result in a data breach.

https://support.f5.com/csp/article/K14998322
Software and Data Integrity Failures

This happens when software updates, critical data, and CI/CD pipelines are used without verifying integrity, allowing an attacker to execute code remotely.
It generally occurs when the code implementation and the infrastructure cannot protect the code from integrity violations.

https://www.wallarm.com/what/a04-2021-owasp-software-and-data-integrity-failures
Security Logging and Monitoring Failures

• Logging and monitoring a website should be done frequently, as failing to do so leaves the website vulnerable by compromising sensitive data.
• It was previously called insufficient logging and monitoring.

https://cheapsslsecurity.com/blog/what-are-the-owasp-top-10-vulnerabilities-and-how-to-mitigate-them/
Server-Side Request Forgery (SSRF)

Server-Side Request Forgery allows an attacker to send requests to an unexpected destination even when a firewall or VPN protects the system.

An attacker could gain access to and even modify the internal resources.

https://www.invicti.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/
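The defence the slide implies is that the server, not the firewall, must decide where it is willing to send a request. As an added example (not code from the original slides), the block below validates a user-supplied URL against an allowlist of scheme, host and port before any fetch, and separately checks the address DNS returns at connect time. The allowlisted hostnames, the port set and the sample URLs are assumptions made for the example.

```python
"""Validating a user-supplied URL before the server fetches it on the user's behalf.

Added example, not code from the original slides. The hostname allowlist and
the sample URLs are constructed; only the standard library is used.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this feature may contact.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def validate_outbound_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). A deny-list of 'internal' addresses is easy to get
    around (alternate address encodings, redirects, DNS tricks), so this is an
    allowlist: scheme, host and port must all be explicitly permitted."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses are not allowed"
    except ValueError:
        pass  # a hostname, checked against the allowlist next
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    return True, "ok"


def resolved_address_is_global(ip_text: str) -> bool:
    """Second check, applied to the address DNS actually returned just before
    connecting: refuse loopback, private, link-local and other non-global
    ranges, so a permitted name that resolves inward is still blocked."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.is_global
```

The two checks are deliberately separate: the URL check runs on the text the user sent, while the address check runs on whatever the resolver returns at the moment of connection, which is the only point at which the real destination is known. Redirects should be followed only by re-running both checks on the new location.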
Other Web App Threats

Some of the other web app threats are as follows:

• Cross-site scripting (XSS): when an attacker sends malicious code to a web application
• Directory traversal: when an attacker reads files on the server outside of the directory
• Remote code execution: when the validation is weak
• LDAP injection: when malware is downloaded
Hacking Methodology
Web App Hacking Methodology

Web app hacking methodology is the stepwise method used by a hacker to exploit the web application and maintain unauthorized access:

1. Set target
2. Spider and enumerate
3. Vulnerability scanning
4. Exploitation
5. Cover tracks
6. Maintain access

https://static.packt-cdn.com/products/9781801819770/graphics/Images/B17765_07_01.p
Attacks Against Web Application

During the attack or exploitation phase of the hacking methodology, many vulnerabilities in the web application are exercised. Some of the attacks against web applications are as follows:

Figure: pie chart of attack shares (40%, 31%, 16%, 7%, 4%, 2%) across SQL injection, path traversal, local file inclusion, cross-site scripting, OS commanding, and other.

https://www.ptsecurity.com/upload/corporate/ww-en/images/analytics/article_300527/300527_3.jp
Countermeasures Against Web Application Attacks

Some common countermeasures against web application attacks are:

• Restricting access
• Zero trust policy
• Regular scanning

https://img.freepik.com/premium-vector/hacker-is-trying-break-cyber-security_498048-118.j
Footprinting Infrastructure

Footprinting a web application captures information about the target web application and its tracks. It can be considered as follows:

• Knowing about the website's DNS information
• Grabbing its network map

Figure: footprinting gathers the target's phone number, domain name, legal documents, IP address, email address, and policies.

https://miro.medium.com/max/1400/1*PJdKWdEm9hnbZTDtzoJDvw.png
Tools Used in Footprinting

Footprinting is often done using hacking tools, either applications or websites, which allow the
hacker to locate information passively. Some tools used in footprinting of any web application
are listed below:

• Nmap
• Recon-ng
• Maltego
• Whois
• emailTrackerPro
• theHarvester
Reducing Infrastructure Footprints

Tools are used to gather and track information. However, there is a need to reduce infrastructure footprints. Some of the points that can be implemented to protect a user's digital footprint are:

• Deactivate the old accounts
• Unsubscribe from unwanted emails
• Use VPNs
• Use Search Engine Optimization

https://excellence-it.co.uk/wp-content/uploads/2019/06/
footprint1.png
Attacking Web Server

After footprinting, the hacker's main task is to attack the web app server.

• The most crucial aspect is a web server when a hacker targets a website.
• Attacking the web server can help hackers find server-side vulnerabilities and gain website access.

Figure: attacking web servers.

https://devqa.io/assets/images/hacking-web-
servers.png
Attacks on Web Servers

An attacker attempts to take the web server down or make it unavailable to legitimate users. Some attacks which are done on web servers are as follows:

• CSRF
• Injection attacks
• XSS

Figure: a hacker sends file upload, CSRF, SQLi, and XSS traffic towards the server that users connect to.

Note: These attacks are also made directly on the website, so don't get confused about web server and web application attacks.

http://www.valencynetworks.com/blogs/wp-content/uploads/2020/01/web-exploitation.jpg
Countermeasure Against Web Server Attacks

Countermeasures against web server attacks are as follows:

• Patch the web servers regularly
• Do not use default credentials
• Never store secret and private data in a clear format
• Block all unnecessary ports
• Use the latest version of the protocols

https://play-lh.googleusercontent.com/uXf-4EYiL-43zjGzmwQ93NcWhOduuAW_EX-
qs2Yzpi8O5efKokC08A4T4f7cjLqQDtJp=w600-h300-pc0xffffff-pd
Analyzing Web Application

Application analysis is essential to securing the enterprise by identifying vulnerabilities in software before it is deployed or purchased.

There are many ways to analyze web applications, such as scanning, vulnerability assessment, and penetration testing.

https://ds6br8f5qp1u2.cloudfront.net/blog/wp-content/uploads/2017/05/web-application-testing.png?x825
Software and Tools Used in Web App Analysis

Tools and software which can be used in web app analysis are as below:

• Web proxies
• Web scanners
• Brute-forcers
• Fuzzers
• Web app testing frameworks

https://www.brainpulse.com/wp-content/uploads/2020/05/web-analysis-tool-1280x720.jp
Importance of Web Application Analysis

Businesses these days are directly dependent on web applications. This is why the analysis is crucial.

• Analysis helps in targeting the loopholes to be exploited
• This helps analyze the techniques used in creating a web app

https://www.rouge-media.com/wp-content/uploads/2019/05/web-app-illustration-1.pn
Client-Side Controls

Before getting into bypassing client-side controls, it is crucial to understand what client-side control means.

When the client inputs data into the browser and it is verified by client-side code, such as JavaScript, it is known as client-side control.

Figure: client and server.

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQ48u4Q1BK37S02-o-
0cjAGu75B_TveIB3F7g&usqp=CAU
Bypassing Client-Side Controls

Bypassing client-side controls refers to altering the client's side of the exchange in a client-server environment so that checks performed in the browser are never applied. Some of the ways of bypassing client-side controls are:

• Bypassing hidden form fields
• Bypassing JavaScript validation
• Manipulating parameters
• Forced browsing

https://blog.knowbe4.com/hubfs/iStock-1221578901.jpg
Preventing Client-Side Controls

To prevent bypassing client-side controls, restrictions are required on some fields which are validated on the client side.

• Sanitize all the inputs from the user
• Design client-side code according to what the server side accepts, which means user input must not be able to manipulate the server side
• Validation must be done during file upload on the server side, regardless of the client

https://img.freepik.com/premium-photo/cybersecurity-protection-concept-technology-background_371307-31.jpg?w=
Bypass Client-Side Control

Duration: 15 mins
Problem Statement:

You are given a task to bypass client-side access control.


Assisted Practice: Guidelines

Steps to follow:
1. Set up the proxy for Burp Suite
2. Set up Burp Suite
3. Enter commands to host DVWA
4. Go to File Upload in DVWA
5. Now, as desired by the control, change malware.py to jpeg
6. Use Burp Suite to bypass control on submission
SQL Injection Attack

After bypassing client-side controls, the SQLi attack is the most used attack over the databases.

1. The hacker identifies a vulnerable, SQL-driven website and injects a malicious SQL query via input data.
2. The malicious SQL query is validated, and the command is executed by the database.
3. The hacker is granted access to view and alter records or potentially act as database administrator.

• This attack is made by injecting SQL database commands in the input field on the client side.
• This may lead to illegal database access and database manipulation.

Figure: hacker, website input fields, and database, numbered 1 to 3 as above.

https://miro.medium.com/max/600/0*cJMKpHYBNIOaXVPV.png
Input Validation Attack

Like SQLi, input validation attacks target the user input fields. They occur when client input is not validated on the server side, or the user input is not sanitized.

For example, when the user enters passwords or any input, it must be sanitized before sending it to the server.

http://1.bp.blogspot.com/-D2qsrpbiJA8/T5wEVFXcHVI/AAAAAAAAAHI/CD81zqztom4/s1600/7-Schema-Based-Input-
Validation.png
Countermeasures Against SQLi and Input Validation Attack

Countermeasures against SQLi and input validation attacks are:

• Sanitize user input
• Prefer client-side controls
• Use stored procedures
• Use character encoding

Figure: a table of usernames, emails, and passwords, all masked.

https://academy.avast.com/hs-fs/hubfs/New_Avast_Academy/SQL%20injection/What%20is%20a%20SQL%20injection.png?width=660&name=What%20is%20a%20SQL%20injection.png
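Sanitizing input and using stored procedures both come down to the same property: user input must reach the database as a value, never as part of the SQL text. As an added example (not code from the original slides), the block below puts a login lookup built by string formatting next to the same lookup using placeholders, against an in-memory SQLite table. The table, its two rows and the test inputs are constructed; the check runs on the server side, which is where the earlier slide on client-side controls says it has to be.

```python
"""A login lookup built by string formatting (vulnerable) beside the
parameterised form (hardened).

Added example, not code from the original slides. Uses an in-memory SQLite
database with a constructed users table; passwords are stored in clear here
only to keep the focus on how the query is assembled.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("o'brien", "pass")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """User input is pasted into the SQL text. A quote character in the input
    ends the string literal early, so the rest of the input is parsed as SQL
    rather than compared as data."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Placeholders: the SQL text is fixed and the values travel separately,
    so the database never parses user input as part of the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def vulnerable_query_errors(conn, username: str, password: str) -> bool:
    """True if the string-built query is rejected by the SQL parser: the first
    visible symptom that input is reaching the SQL grammar at all."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True
```

The legitimate user `o'brien` cannot log in through the string-built version at all because the apostrophe in the name breaks the statement; the same symptom that denies a real user is what lets crafted input change the query's meaning. The placeholder version handles both cases correctly without any escaping logic of its own.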
SQL Injection Attack

Duration: 15 minutes

Problem Statement:

You are given a task to perform SQLi and Input Validation attacks.
Assisted Practice Guidelines

Steps to perform:
1. Enter commands to host DVWA
2. Go to the Login page of DVWA
3. Perform SQL injection attack
4. Attack successful
Broken Authentication

In broken authentication, the hacker uses the legitimate user's credentials. It includes sniffing, credential stuffing, session hijacking, or any other means to gain unauthorized access to the target website.

Figure: session hijacking. (1) A connection is established between client and server. (2) The hacker's PC sniffs packets and finds the sequence number. (3) Both the client and the hacker now hold an established connection with the server. (4) The sniffed packet.

https://i0.wp.com/gbhackers.com/wp-content/uploads/2016/10/session.png?resize=567%2C238&ssl
Common Reasons for Broken Authentication

Some of the common reasons for broken authentication are:

• Session ID is exposed clearly
• Session ID is vulnerable to session fixation attacks
• Login credentials are assumable or default

https://www.prplbx.com/static/665c5a21eb22a5aa5ae2e8106f9df486/4e258/card-image.p
Broken Authentication Attack Scenario

Authentication is broken when attackers can compromise passwords, user account information, and other details to assume user identities. The attack scenario is illustrated in the image:

Figure: password reset poisoning. The "Forgot your password?" form takes the email address carlos@normal-user.com, but the request to the vulnerable website reads "POST /password/reset HTTP/1.1" with "Host: evil-user.net". The site then emails "Hello carlos, To reset your password, click the following link: http://evil-user.net/password-reset?token=a0bs0hjdserfsnccbhcbejrfbcsdsbcjhefbes".

https://www.prplbx.com/static/ee2ab4e8a5966dc80ce6994e15460bb9/b1945/figure5-password-reset-
poisoning.png
Countermeasures for Broken Authentication

Some of the countermeasures for broken authentication are:

• Secure logging and monitoring
• Use of MFA and Captcha
• Use of secure authentication and authorization protocols
• Proper session management

Figure: log management: collect, search, index, pinpoint issues.

https://www.prplbx.com/static/f054e423c8735f627bcd61a4f5b23c52/4b190/figure14.jp
Broken Authentication Vulnerability

Duration: 10 mins

Problem Statement:

You are given a task to check for broken authentication vulnerabilities in DVWA as
Weak Session ID
Assisted Practice Guidelines

Steps to follow:
1. Enter commands to host DVWA
2. Go to the Login page of DVWA
3. Now, perform an authentication check on Weak Session IDs
4. Now, verify this by inspecting the element
5. Verification of the vulnerability
Sensitive Data Exposure Vulnerability

After broken authentication, the OWASP list contains another vulnerability known as sensitive data exposure.

It is a vulnerability that occurs when an organization's website unintentionally exposes sensitive information, which may lead to unlawful activity.

Figure: a spear-phishing email passes email filtering (anti-virus/spam) and reaches a compromised user; the attacker then moves sensitive data past the firewall, proxy, DLP, and IPS/IDS.

https://miro.medium.com/max/978/1*74LLez2daWXSvhSR0encrQ.jpeg
Sensitive Data Exposure Attack

Sensitive data exposures can result from weak encryption, software flaws, or human error. This given image illustrates the attack procedure:

1. The attacker sends an attack to the victim via email or a webpage.
2. The victim clicks the link containing an unvalidated parameter.
3. The application redirects the victim to the attacker's site.
4. The evil site installs malware on the victim or phishes for private information.

https://www.indusface.com/wp-content/uploads/2019/08/Sensitive_Data_Exposure_blog.jp
Countermeasures for Sensitive Data Exposure

Some of the countermeasures for this vulnerability are:

• Pre-assessment of the risk associated with the data
• Maintenance of an Incident Response Plan
• Proper encryption of sensitive data
• Sanitization of user input
• Non-transmission of session IDs in clear text or in URLs

https://cdn.acunetix.com/wp_content/uploads/2021/05/ACX-Vulnerabilities-Attacks-Technical-SEO-Posts-1000X525.
Sensitive Data Exposure

Duration: 10 mins
Problem Statement:

You are given a task to find out sensitive data exposure vulnerability.
Assisted Practice Guidelines

Steps to be followed:
1. Enter commands to host DVWA
2. Go to the Login page of DVWA
3. Go to XSS (Reflected)
4. Perform an attack to expose sensitive data
Attack Scenario of XXE

This attack occurs when a weakly configured XML parser processes XML input containing a reference to an external entity. The following steps describe the attack scenario:

1. The hacker identifies a web application with a weakly configured XML parser and sends an XML request.
2. The XML processor retrieves malicious external entities within the document type declaration (DTD).
3. The XML processor validates the DTD and involves a malicious external entity.
4. The XML request is parsed.
5. Sensitive data is shared with the hacker.

Figure: "XML External Entity Attack (XXE)": hacker, web application, hacker server, and target server, numbered 1 to 5 as above.

https://spanning.com/wp-content/uploads/2019/09/XML-external-entity-attack-example.pn
Countermeasures for XXE attacks

Some of the countermeasures for XXE attacks are:

• Configure each parser thoroughly and manually
• Use multiple layers of encoding
• Perform XXE vulnerability detection regularly

https://www.indusface.com/wp-content/uploads/2020/07/how-to-prevent-xml-external-entities.pn
Remote File Inclusion

Remote File Inclusion is a vulnerability where the reference function is exploited by the hacker.

• During the RFI vulnerability, the hacker finds the vulnerable website, which can refer to the external scripts.
• Then, using this vulnerability, the hacker installs a backdoor or shell from the remote URL or, say, a different domain.

Figure: the attacker uses a search engine or a scanner to identify a website with vulnerable components and exploits the remote file inclusion vulnerability to upload a backdoor shell. The site is compromised: malware is installed and pages are defaced or deleted; the server is hijacked and used as a DDoS bot; data is compromised and passwords and information are stolen.

https://www.imperva.com/learn/wp-content/uploads/sites/13/2019/01/what-is-rfi-attack.png
Local File Inclusion

Local File Inclusion is when attackers trick a web application into running or exposing files on a web server.

• The difference is that hackers need not find any other vulnerable domain but the website that accepts any scripts or references.
• As shown in the figure, the URL refers to the server's root file, and the server responds with the file.

Figure: local file inclusion (LFI).
1. The hacker identifies a web application with insufficient filtering or validation of browser input from users.
2. The hacker modifies the URL string using the "../" directive to ensure directory (path) traversal is possible:
   https://example.com/?page=filename.php
   filename.php → ../../../../etc/test.txt
   https://example.com/?page=../../../../etc/test.txt
3. The hacker uploads a malicious .php file (hacker.php) to the host server and attempts to locate the script using the same method as step 2:
   filename.php → ../../../../etc/hacker.php
   https://example.com/?page=../../../../etc/hacker.php
4. The request is improperly validated, and the hacker is permitted to run the malicious script on the host application.

https://spanning.com/wp-content/uploads/2021/05/local-file-inclusion.png
Countermeasures for RFI and LFI

Some of the countermeasures for RFI and LFI are as follows:

• Sanitize the parameters in the request, whether URL, GET, or POST
• Perform input validation at the user side
• Use a web application firewall and a secure proxy

https://brightsec.com/wp-content/uploads/2021/12/Local-File-Inclusion-LFI.png
RFI or LFI Attack

Duration: 10 mins

Problem Statement:

You are given a task to test the Local File Inclusion.


Assisted Practice Guidelines

Steps to be followed:
1. Enter commands to host DVWA
2. Go to the Login page of DVWA
3. Go to File Inclusion
XML External Entity Injection

This is an injection attack that allows the hackers to access the XML data, which the application itself can access.

• In some scenarios the hacker escalates this attack, which can lead to an SSRF attack.
• This attack helps the hacker access the external data of the back-end infrastructure.

Figure: a payload is sent to the XML parser, which reads internal files.

https://miro.medium.com/max/1400/0*prf8NM_OPXKLd13P
Directory Traversal

It is an attack where the hacker traverses the web server's directory for unauthorized access.

This attack traverses the web server's directory and gains privileged access.

Figure: the "/etc" directory and its passwd file.

https://cdn.invicti.com/app/uploads/2022/06/28120725/directory-path-traversal-attack.pn
Directory Traversal Attack Scenario

A Directory Traversal vulnerability results from insufficient filtering or validation of user browser input. The steps in the attack scenario are:

1. The hacker identifies web applications with insufficient filtering or validation of browser input from users.
2. A valid GET request is used to retrieve and return an expected file from the web server:
   https://example.com/?file=filename.php
3. The hacker modifies the URL string using the "../" directive in an attempt to retrieve the desired file from a higher directory:
   https://example.com/?file=../../../../etc/passwd
4. The GET request is performed, and the hacker is granted access to a file containing sensitive information without proper validation.

Figure: hacker and server exchanging the four requests above; in summary: identify applications with no input validation, change a valid GET request, modify the request, and get a response to the malicious request.

https://spanning.com/wp-content/uploads/2020/10/directory-traversal-example.png
Countermeasures for Directory Traversal Attack

Some of the countermeasures for the Directory Traversal attack are:

• The application must validate the user input before processing
• API security must be implemented and tested

https://www.internetsecurity.tips/wp-content/uploads/2020/09/What-is-path-traversal-and-how-to-prevent-it-
1280x720.png
Directory Traversal Attack

Duration: 12 mins

Problem Statement:

You are given a task to test for the Directory Traversal vulnerability.
Assisted Practice Guidelines

Steps to perform:
1. Launch DVWA in Kali Linux
2. Find the URL where the user can try a directory or path traversal attack
3. Try manipulating the URL
XSS (Cross-Site Scripting)

Cross-Site Scripting is an attack where a hacker tries to insert a malicious script in the input fields or parameters, which gets stored in the database or gets reflected. This way, the hacker can steal sensitive data and hack websites or user accounts.

Figure: "What is XSS? [Cross-Site Scripting]".

https://dltlabsweb-media.s3.amazonaws.com/images/Cross%20Site%20Scripting%20Latest%20%20by%20Shobhit%20Singhal-9ae66bd7-9836-4bd9-8161-
d637507d0989.png
Types of XSS Attacks

Types of XSS vulnerabilities:

• DOM-based (local): the problem exists within a page's client-side script
• Non-persistent (reflected): data provided by a web client is used by server-side scripts to generate a page for that user
• Persistent (stored): data provided to an application is first stored and later displayed to the user on a web page; potentially more serious, if the page is rendered more than once

https://slideplayer.com/slide/697516/2/images/7/Types+of+XSS+vulnerabilities.jp
XSS Attack Scenario

Cross-site scripting works by manipulating a vulnerable website so that it returns malicious JavaScript to users. The most common attack scenario of XSS looks like:

1. The hacker injects a trusted website with a malicious script.
2. The victim visits the trusted website and triggers the malicious script.
3. The victim's browser executes the malicious script and unknowingly forwards the desired information (session token, cookie, etc.) to the hacker.

Figure: hacker, trusted website, and victim, numbered 1 to 3 as above.

https://spanning.com/wp-content/uploads/2019/05/cross-site-scripting-example.png
Countermeasures for the XSS Attacks

Some of the countermeasures for the XSS attack are as follows:

• Encoding data on input and output
• Proper response headers
• Implementation of Content Security Policy
• Filter and sanitize input on arrival

https://academy.hackthebox.com/storage/modules/103/logo.png
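Output encoding, response headers and a Content Security Policy are listed separately above but work as one layered defence. As an added example (not code from the original slides), the block below renders one untrusted search term into three different HTML contexts, each with the encoder that context needs, and attaches a per-response CSP nonce so that only the server's own script tag may run. The page template, the header set and the sample inputs are assumptions made for the example. Because an encoded tag is displayed as text rather than parsed as markup, the same encoding also covers the plain HTML tag injection described later in the lesson.

```python
"""Rendering untrusted input into an HTML page with context-specific output
encoding, plus the response headers that back it up.

Added example, not code from the original slides. The page template, the
search term and the header values are constructed.
"""
import html
import json
import secrets
from urllib.parse import quote


def encode_for_html(value: str) -> str:
    """Element text or a quoted attribute: < > & " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inside a <script> string literal: JSON-encode, then break any '</' or
    '<!--' so the value cannot terminate the script block early."""
    return json.dumps(value).replace("</", "<\\/").replace("<!--", "<\\!--")


def encode_for_url_query(value: str) -> str:
    """Inside a URL query parameter: percent-encode everything but unreserved chars."""
    return quote(value, safe="")


def render_search_page(term: str, nonce: str) -> str:
    """The search term lands in three contexts; each gets its own encoder.
    The only script tag carries the nonce the CSP header will require."""
    return (
        "<!doctype html><html><head><meta charset='utf-8'>"
        f"<title>Results for {encode_for_html(term)}</title></head><body>"
        f"<h1>Results for {encode_for_html(term)}</h1>"
        f"<a href=\"/search?q={encode_for_url_query(term)}&amp;page=2\">next</a>"
        f"<script nonce=\"{nonce}\">var lastSearch = {encode_for_js_string(term)};</script>"
        "</body></html>"
    )


def security_headers(nonce: str) -> dict[str, str]:
    """Headers for every HTML response. With a nonce-only script-src, an
    injected inline script does not run even if encoding were missed somewhere."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }


def respond(term: str) -> tuple[dict[str, str], str]:
    """One response: a fresh nonce shared by the header and the page."""
    nonce = secrets.token_urlsafe(16)
    return security_headers(nonce), render_search_page(term, nonce)
```

Input filtering on arrival (the last bullet) is a useful extra layer, but the encoding has to happen at output time, because the same value is dangerous in different ways depending on where in the page it ends up; that is why the example keeps three encoders rather than one.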
XSS Reflected Attack

Duration: 10 mins

Problem Statement:

You are given a task to test for reflected XSS vulnerability.


Assisted Practice Guidelines

Steps to follow:
1. Set up the proxy for Burp Suite
2. Set up Burp Suite
3. Enter commands to host DVWA
4. Go to XSS (Reflected)
5. Perform an attack
LDAP Injection

LDAP (Lightweight Directory Access Protocol) is used mainly on the intranet to find other
users, files, and devices.

Normal operation: the CLIENT sends a normal query to the LDAP SERVER and receives normal results.

Operation with code injection: the CLIENT sends a normal query plus injected code to the LDAP SERVER and receives normal results and/or additional information.

During LDAP injection, special characters like brackets, asterisks, quotes, etc., are used in the input to bypass the validation.

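The defensive side of the slide above, as an added example that is not part of the original deck: an LDAP filter built by raw concatenation next to one that escapes the special characters the slide names (brackets, asterisks, backslash) per RFC 4515, so the input can only ever be matched literally. The directory schema (objectClass=person, uid) and the sample input are constructed for the example.

```python
# Escape table from RFC 4515: these are the only characters that can change
# the structure of an LDAP search filter, so they are replaced by \XX codes.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed sample input (not from the slides): characters that would
# otherwise close the uid assertion and open a new one.
SUSPICIOUS_USERNAME = "*)(uid=*"


def escape_ldap_filter_value(value: str) -> str:
    """Neutralise filter metacharacters so user input stays a literal value."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """'Before': raw concatenation, the pattern LDAP injection abuses."""
    return f"(&(objectClass=person)(uid={username}))"


def build_user_filter_safe(username: str) -> str:
    """'After': the same filter with the assertion value escaped."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def count_filter_parens(filter_str: str) -> int:
    """Count literal '(' characters, i.e. filter components. An escaped \\28
    is text inside a value, not a component, so it is not counted."""
    return filter_str.count("(")


if __name__ == "__main__":
    for build in (build_user_filter_unsafe, build_user_filter_safe):
        f = build(SUSPICIOUS_USERNAME)
        print(f"{build.__name__}: {f}  components={count_filter_parens(f)}")
```

Counting the literal parentheses is a cheap check a test suite can run over every generated filter: for a fixed template the number must never depend on the user input.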
SOAP Injection

Simple Object Access Protocol (SOAP) is used to transmit messages using the HTTP protocol.

• It uses XML to represent data.
• When the user inputs data and changes the request code, the vulnerability exists.
• If a hacker can embed <> in the request, the vulnerability exists.

HTML Injection

This is very similar to the XSS attacks. Just as XSS uses JavaScript code to perform an attack, HTML injection uses HTML tags to change the code and its response.

• HTML Injection is an attack similar to Cross-Site Scripting (XSS).
• In the XSS vulnerability, the attacker can inject and execute JavaScript code.
• The HTML injection attack only allows the injection of specific HTML tags.

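One example covers both the XSS countermeasures slide (encoding on output, response headers, Content Security Policy) and the HTML injection slide above, since the same output encoding defeats both. It is added here and is not code from the original deck: a handler that reflects a name parameter unsafely next to one that encodes it and sets a CSP header; the greeting page, the sample input and the policy values are constructed for the example.

```python
import html
from typing import Dict, Tuple

# Constructed sample input (not from the slides): a script tag (XSS) followed
# by a plain HTML tag (HTML injection) in a user-supplied name.
UNTRUSTED_NAME = "<script>alert(1)</script><b>hi</b>"


def render_greeting_unsafe(name: str) -> str:
    """'Before': the parameter is reflected straight into the page, so any
    tags it contains become markup the browser acts on."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """'After': encode on output. Every character that could open a tag or
    break out of an attribute becomes an entity, so the browser renders text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def security_headers() -> Dict[str, str]:
    """Response headers from the countermeasures slide. This hypothetical CSP
    allows scripts only from the page's own origin, so an injected inline
    <script> is refused even where encoding was missed."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def respond(name: str) -> Tuple[Dict[str, str], str]:
    """Build the (headers, body) pair a hardened handler would return."""
    return security_headers(), render_greeting_safe(name)


if __name__ == "__main__":
    print("unsafe:", render_greeting_unsafe(UNTRUSTED_NAME))
    headers, body = respond(UNTRUSTED_NAME)
    print("CSP:   ", headers["Content-Security-Policy"])
    print("safe:  ", body)
```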
IDOR Attack

Insecure Direct Object Reference is a vulnerability used by a hacker to gain privileged access or another user's account.

Insecure Direct Object Reference (IDOR) Vulnerability

1. Hacker identifies a web application with direct object reference(s) and requests verified information (https://banksite.com/account?id=1234)
2. Valid HTTP request is executed, and a direct object reference entity is revealed
3. Direct object reference entity is manipulated (id=1234 → id=1235), and the HTTP request is performed again (https://banksite.com/account?id=1235)
4. HTTP request is performed without user verification, and the hacker is granted access to sensitive information

• This is done by changing the parameter value.
• This attack happens when the Object Reference is not validated and not authenticated.

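The check the IDOR slide says is missing ("the Object Reference is not validated and not authenticated"), as an added example that is not part of the original deck: an account lookup that trusts the id parameter next to one that ties the reference to the authenticated session user, plus the audit line a defender would want for the denied case. The account table and user names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance: int


# Constructed sample data (not from the slides): the two ids from the diagram.
ACCOUNTS: Dict[int, Account] = {
    1234: Account(1234, "alice", 500),
    1235: Account(1235, "bob", 900),
}


def get_account_unsafe(session_user: str, requested_id: int) -> Optional[Account]:
    """'Before': the id from ?id=... is used as-is, so any logged-in user can
    read any account just by changing 1234 to 1235. session_user is ignored."""
    return ACCOUNTS.get(requested_id)


def get_account_safe(session_user: str, requested_id: int) -> Optional[Account]:
    """'After': the reference is validated against the authenticated user.
    Both 'no such account' and 'not yours' return None, so the response does
    not reveal whether other ids exist."""
    account = ACCOUNTS.get(requested_id)
    if account is None or account.owner != session_user:
        return None
    return account


def audit_line(session_user: str, requested_id: int, account: Optional[Account]) -> str:
    """Log line for the access decision; repeated DENY entries for one user
    across many ids are the detection signal for id enumeration."""
    decision = "ALLOW" if account is not None else "DENY"
    return f"account_access user={session_user} id={requested_id} result={decision}"


if __name__ == "__main__":
    for rid in (1234, 1235):
        print("unsafe:", get_account_unsafe("alice", rid))
        acct = get_account_safe("alice", rid)
        print("safe:  ", acct, "|", audit_line("alice", rid, acct))
```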
Hacking Tools
Web Application Hacking Tools Requirement

Hacking tools are necessary to automate an attack on the target website. Tools make
hacking targets easier and faster.

Tools Used in Web Application Hacking

Hacking tools generally crack or break computer and network security measures. Additionally,
hacking tools have multiple capabilities depending on the systems they have been designed to
penetrate. Some of the most used tools in web app hacking are as below:

Common Hacking Countermeasures

Some of the effective preventions and countermeasures which organizations take to defend themselves from an attack are:

• Use WAF
• High-standard user encryption and encoding
• Sanitize user input
• Train employees against social engineering
• Create DMZ
• Patch vulnerabilities regularly
OWASP Top 10 Vulnerabilities

OWASP is an organization that periodically releases its list of the top 10 vulnerabilities found in websites. Here is a comparative description of the 2017 and 2021 lists:

WAF (Web Application Firewall)

A web application firewall (WAF) protects web applications from various application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning.

• It acts as a filter on the inbound and outbound traffic to the internet.
• It helps in the implementation of access and IP restrictions.

Diagram: HTTP traffic sources → Web application firewall → Destination server

Periodic VA (Vulnerability Assessment)

Periodic VA (Vulnerability Assessment) is a security practice carried out by the security team to find vulnerabilities in any website application.

• This needs to be done regularly to prevent any new exploits.
• VA and Penetration Testing help in securing web applications before they get hacked by a hacker.

Knowledge Check
Knowledge Check

1. ______________ request web pages from the server.

A. Host
B. Server
C. Client
D. Router

The correct answer is C

A client can request web pages from the server.
Knowledge Check

2. Which of the following is not a component of web application architecture?

A. Firewall
B. Proxy
C. Web Server
D. Antivirus

The correct answer is D

Anti-virus is not a component, whereas the others are components of web application architecture.
Knowledge Check

3. Which of the following are defensive tools against website attacks?

A. WAF
B. DMZ (Demilitarized Zone)
C. IPS (Intrusion Prevention System)
D. All of the above

The correct answer is D

All the tools that are mentioned above can be utilized against website attacks.
Knowledge Check

4. What is the second layer in the three-tier architecture model?

A. Application
B. Data
C. Physical
D. Presentation

The correct answer is A

The second layer in the three-tier architecture model is the application layer. The first layer is the data layer, and the third layer is the presentation layer.
Knowledge Check

5. Which of the following protocols is used to transmit messages?

A. LDAP
B. SSH
C. SOAP
D. SQL

The correct answer is C

The SOAP protocol is used to transmit messages using the HTTP protocol.
Knowledge Check

6. Which vulnerability can lead to database exploitation?

A. LDAP Injection
B. SQL Injection
C. IDOR
D. XXE

The correct answer is B

The SQL injection attack uses database commands to exploit the database.
Knowledge Check

7. An XSS vulnerability mainly embeds which of the following scripting languages?

A. PHP Script
B. JavaScript
C. Bash Script
D. Shell Script

The correct answer is B

JavaScript is used as a client-side script and is manipulated by the hacker during an XSS attack.
Key Takeaways

• A web application is an application program stored on a remote server and delivered over the Internet through a browser interface.

• Web application architecture represents the interactions between applications, middleware systems, and databases to ensure multiple applications can work together.

• The OWASP Top 10 is a standard awareness document for developers and defines a broad consensus about web applications' most critical security risks.

• Remote file inclusion (RFI) is an attack that targets vulnerabilities in web applications that dynamically reference external scripts.
Lesson-End Project

Problem statement:

Perform the File Inclusion Web App attack on DVWA.


Lesson End Project: Guidelines

Steps to follow:
1. Open the Kali Linux machine in the lab
2. Start the DVWA lab
3. Log in and open the File Inclusion tab
4. Try the web attack known as Directory Traversal to expose sensitive data
