The Basics of Web Hacking: Our Approach

Basics of Web Hacking: Our approach is made up of four phases that cover all the necessary tasks during an attack.

1. Reconnaissance
2. Scanning
3. Exploitation
4. Fix

It’s appropriate to introduce and discuss how these vulnerabilities and attacks can be mitigated, thus there is a fix phase to our approach.

As a penetration tester or ethical hacker, you will get several questions after the fact related to how the discovered vulnerabilities can be fixed.

Consider the inclusion of the fix phase to be a resource to help answer those questions.

Our Targets

Our approach targets three separate, yet related attack vectors: the web server, the web application, and the web user. For the purpose of this article, we will define each of these attacks vectors as follows:

1. Web Server: The application running on an operating system that is hosting the web application. We are NOT talking about traditional computer hardware here, but rather the services running on open ports that allow a web application to be reached by user’s internet browsers. The web server may be vulnerable to network hacking attempts targeting these services in order to gain unauthorized access to the web server’s file structure and system files.

1. Web Application: The actual source code running on the web server that provides the functionality that web users interact with it the most popular target for web hackers. The web application may be susceptible to a vast collection of attacks that attempt to perform unauthorized actions within the web application.

1. Web User: The internal users that manage the web application (administrators and programmers) and the external users (human clients or customers) of the web applications are worthy targets of attacks. This is where a cross-site scripting (XSS) or cross-site request forgery (CSRF) vulnerabilities in the web application rear their ugly heads. Technical social engineering attacks that target web users and rely on no existing web application vulnerabilities are also applicable here.

The vulnerabilities, exploits, and payloads are unique for each of these targets, so unique tools and techniques are needed to efficiently attack each of them.

Our Tools

For every tool used in this article, there are probably five other tools that can do the same job. (The same goes for methods, too.) We will emphasize the tools that are the most applicable to beginner web hackers.

We recommend these tools not because they are easy for beginner to use, but because they are fundamental tools that virtually every professional penetration tester uses on a regular basis.

It’s paramount that you learn to use them from the very first day. Some of the tools that we will be using include.

• Burp Suite: Which includes a host of top-notch web hacking tools, is a must have for any web hacker and it’s widely accepted as the #1 web hacking tool collection.

• Zed Attack Proxy (ZAP): is similar to Burp Suite, but also include a free vulnerability scanner that’s applicable to web applications.

• Network hacking tools such as Nmap for port scanning, Nessus and Nikto for vulnerability scanning, and Metasploit for exploiting of the web server.

• And other tools that fill a specific role such as sqlmap for SQL injection, John the Ripper (JtR) for offline password cracking, and the Social Engineering Toolkit (SET) for technical social engineering attacks against web users.