Web Application Hacking

What is web application hacking

It is a process of detecting vulnerabilities in web applications. A web application hacker needs to have deep knowledge about the architecture of a web application to successfully hack it.

Web application hacking is based on breaking the defense mechanisms of a web application. This requires tenacity, attention to detail, observation, and focus.

Main defense mechanisms

There are three (3) main mechanisms through which we can protect a web application:

• User access handling
• User data input handling
• Attacker handling

User access handling

This mechanism consists of validating whether the user has permission or authorization to access a resource in the web application.

When this mechanism is poorly implemented, vulnerabilities such as:

• Broken Access Control Allows an attacker to gain unauthorized access to functionalities and sensitive data of an application.

• IDOR Allows an attacker to access objects directly through user inputs. This can happen through URL parameters, cookies, directories, among others.

User data input handling

This mechanism consists of validating the data that the user enters into the web application, in order to ensure that the user only enters what the web application expects, avoiding possible vulnerabilities.

This is one of the most complicated mechanisms to implement, as the implementation is never 100% effective, since new exploitation techniques are always emerging.

Through these data inputs, several vulnerabilities can arise that can compromise the application. These vulnerabilities are called "Input-Based Vulnerabilities", and here are some of them:

• Cross Site Scripting Allows the injection of JavaScript code into the web application. This JavaScript code reflects in the browsers of application users, and this can compromise the privacy of these users.

• SQL Injection Allows the injection of SQL commands into the application's database through an application input, enabling an attacker to execute arbitrary commands in the database, and thus view and edit any information.

• Open Redirect Allows an attacker to redirect users to a malicious application through a trusted application URL.

• Server Side Request Forgery Allows the attacker to forge requests using the application server. It is often exploited to access internal resources on the application server's network.

Attacker handling

This mechanism consists of monitoring the web application, providing notifications and statistics of the application to its administrators, and also hindering attack attempts through blocks and other means.

When this mechanism is poorly implemented, the application runs the risk of suffering attacks and not defending against them, not saving logs, and not even alerting administrators about what happened.

It is notable how important it is for a hacker to know how to break defense mechanisms, as these mechanisms are responsible for the security of the web application, and hacking a web application is nothing more than breaking its security.

In this article, you learned about what web application hacking is, what defense mechanisms are implemented in web applications, and what vulnerabilities can arise if they are poorly implemented. If you liked it, share this article.