Certified Ethical Hacker - Part 12-1 - Hacking Web Applications

by Riazul H. Rozen
Feb. 19, 2018 | Certifications, CEH


Hacking web applications is a way to obtain information that can be used for malicious activities such as theft and manipulation. These activities are usually detrimental to the victims, who may suffer not only loss of information but also monetary losses, and strained relationships if the attacker decides to impersonate the target.

Hacking is an intricate process that encompasses a whole range of methods: selecting the victim, discovering system vulnerabilities to exploit, and finally the attack methodology itself. This article focuses on the preparatory (footprinting) phase as well as the main attack phase.

Footprinting For Web Infrastructure

Footprinting works in the attacker's favour: it helps determine which victim is worth attacking and reveals the vulnerabilities of the target's systems. It is carried out by:

  • Discovering the physical servers that host the web application (server discovery)
  • Discovering the services running on those servers, which provide paths for attacking the web application (service discovery)
  • Using banners to determine the type and version of the web server software (banner grabbing)
  • Retrieving content that is not normally visible on the web application server (hidden content discovery)

Server Discovery

Server discovery locates the target's servers on the internet and confirms that the target server is alive. Techniques and tools used for this are:

  • Whois lookup: this returns the domain's registration details, including its DNS server names, as well as the IP address of the server. SmartWhois (http://www.tamos.com) is just one of many tools for this.
  • DNS interrogation: querying the target's DNS records (A, MX, NS and so on) reveals which types of servers exist and where they can be found. http://www.dnsstuff.com is one tool for this function.
  • Port scanning: this determines which services a specific server runs by attempting connections to a range of TCP or UDP ports. Nmap, Advanced Port Scanner and Hping are just some of the tools used for this function.

Methodology for service discovery

  • Scan the target web server with the port scanning tools above to learn which ports are open and, therefore, which services the server is running.
  • Each exposed service is a potential attack path into the web application.

Banner Grabbing

Banner grabbing inspects the Server header field of the HTTP response and extracts the make, type and version of the web server software. Tools like Telnet, Netcraft, ID Serve and Netcat are used to grab web server banners.

Discovering firewalls and proxies on target web applications

For proxies

  • Determine whether requests to the server are routed through a proxy. Proxies insert certain headers into the response (the standard one is Via), so their presence in the response header field is a tell.
  • The HTTP/1.1 TRACE method asks the server to echo back the request it received; comparing that echo with the request actually sent shows what an intermediate proxy changed or added.

For web application firewalls

These firewalls inspect incoming web traffic before it reaches the application.

  • To determine whether the target web application sits behind a WAF, check the cookies in the response to a request. The majority of web application firewalls add their own cookies to the responses they pass through.
  • Tools such as WAFW00F help determine which WAF is protecting the target web application.
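The banner grabbing, proxy detection and WAF cookie checks above all read the same thing: the headers of a single HTTP response. The following is an added example (not code from the original article) that does this by hand in Python: it builds a raw HEAD (or TRACE) request, parses the response, and reports the Server banner, proxy indicators and any cookie names that match a known WAF product. The WAF cookie table and proxy header list are a small illustrative subset chosen for this example, not a complete signature database; the sample response is constructed, not captured from a real host.

```python
import socket

# Cookie-name prefixes set by common WAF / reverse-proxy products.
# Illustrative subset only (assumption); wafw00f carries the full signature set.
WAF_COOKIE_SIGNATURES = {
    "incap_ses_": "Imperva Incapsula",
    "visid_incap_": "Imperva Incapsula",
    "__cfduid": "Cloudflare",
    "barra_counter_session": "Barracuda WAF",
    "citrix_ns_id": "Citrix NetScaler",
    "ns_af": "Citrix NetScaler AppFirewall",
    "BIGipServer": "F5 BIG-IP",
}

# Response headers that caches and reverse proxies typically add (subset).
PROXY_HEADERS = ("via", "x-cache", "x-varnish", "x-proxy-id", "proxy-connection")


def build_request(method: str, host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request. HEAD is used for banner grabbing; TRACE asks
    the origin to echo the request it received, so diffing that echo against
    what we sent shows headers a proxy added or rewrote on the way in."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: banner-grab/0.1\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into status line, headers and body.
    Header names are lower-cased; repeated headers (Set-Cookie) become lists."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"status": lines[0], "headers": headers, "body": body}


def fingerprint(raw: bytes) -> dict:
    """Banner, proxy indicators and WAF guesses from one response."""
    hdrs = parse_response(raw)["headers"]
    result = {
        "server": hdrs.get("server", [None])[0],
        "powered_by": hdrs.get("x-powered-by", [None])[0],
        "proxy_indicators": {h: hdrs[h] for h in PROXY_HEADERS if h in hdrs},
        "waf_products": [],
    }
    for cookie in hdrs.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        for prefix, product in WAF_COOKIE_SIGNATURES.items():
            if name.startswith(prefix) and product not in result["waf_products"]:
                result["waf_products"].append(product)
    return result


def grab(host: str, port: int = 80, method: str = "HEAD", timeout: float = 5.0) -> bytes:
    """Connect, send the request and read until the server closes the socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method, host))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample response (not captured from any real host) so the
# parsing logic can be exercised offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.3\r\n"
    b"Via: 1.1 varnish\r\n"
    b"X-Cache: HIT\r\n"
    b"Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    b"Set-Cookie: incap_ses_123_456=xyz; Path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
    # Live use, only against hosts you are authorised to test:
    # print(fingerprint(grab("www.example.com")))
```

Two caveats a practitioner should keep in mind: a Server header can be removed or spoofed by the administrator, so treat the banner as a hint rather than proof of version; and a reverse proxy or CDN in front of the application will often answer with its own banner and cookies, so what is fingerprinted may be the edge device rather than the origin server.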

Hidden Content Discovery

To exploit the target system properly, an attacker needs access to its hidden content and functions. This may include backup copies of configuration files, log files containing sensitive information, old or live files left on the server, new functionality not yet linked from the main web application, and other unlinked content. Methods used for this part of footprinting are:

Web spidering: a spider follows the links it finds by parsing the HTML and client-side JavaScript in each response, recording every URL, form and parameter it encounters. Tools like Burp Suite, WebScarab and OWASP Zed Attack Proxy are used for web spidering.

Attacker-Directed Spidering: here the attacker browses the web application manually while an intercepting proxy records and parses every request and response, so content that is only reachable through complex or authenticated workflows is captured as well. OWASP Zed Attack Proxy is a tool used for this method.

Brute forcing: tools like Burp Suite can send a large number of requests with guessed file and directory names to the target web application in order to discover the names of hidden content or functions.
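The brute-forcing step is simple to describe but has one well-known pitfall: many applications return 200 OK with a friendly error page for paths that do not exist, so judging by status code alone produces false positives. The following added example (not code from the original article) shows wordlist-driven content discovery in Python with a soft-404 baseline. The fetch function is injected so the logic runs here against a constructed fake site; the wordlist and the fake site's paths are illustrative assumptions, not real data.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# A fetcher maps a path to (status code, response body). It is injected so the
# discovery logic can be run offline here; for a live target, wrap
# urllib.request in a function with the same signature.
Fetcher = Callable[[str], Tuple[int, bytes]]

# Typical guesses for leftover or unlinked content (illustrative, not a real wordlist).
WORDLIST = ["admin", "backup", "config.php.bak", "logs", "old", ".git/HEAD", "test", "upload"]


def body_fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def not_found_baseline(fetch: Fetcher) -> str:
    """Learn what the application returns for a path that cannot exist. Many
    applications answer 200 with a friendly error page ("soft 404"), so the
    status code alone is not a reliable signal of hidden content."""
    _status, body = fetch("/this-path-should-not-exist-9f8e7d6c")
    return body_fingerprint(body)


def discover(fetch: Fetcher, wordlist=WORDLIST) -> List[Dict]:
    """Request each guess and keep those that are neither a 404 nor identical
    to the soft-404 baseline. 401/403 are kept: they prove the path exists."""
    baseline = not_found_baseline(fetch)
    hits = []
    for word in wordlist:
        path = "/" + word
        status, body = fetch(path)
        if status == 404:
            continue
        if status == 200 and body_fingerprint(body) == baseline:
            continue  # soft 404: same page the app serves for anything unknown
        hits.append({"path": path, "status": status, "length": len(body)})
    return hits


# Constructed fake site for offline demonstration (not a real target).
SOFT_404 = b"<html><body>Sorry, we could not find that page.</body></html>"
FAKE_SITE = {
    "/admin": (401, b"Authorization Required"),
    "/config.php.bak": (200, b"<?php $db_pass = 'changeme'; ?>"),
    "/logs": (403, b"Forbidden"),
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
}


def fake_fetch(path: str) -> Tuple[int, bytes]:
    """Unknown paths get a 200 with the same friendly page, like many real apps."""
    return FAKE_SITE.get(path, (200, SOFT_404))


if __name__ == "__main__":
    for hit in discover(fake_fetch):
        print(hit)
```

Exact hashing of the baseline is the simplest soft-404 filter; it fails when the error page embeds something dynamic such as a timestamp or the requested path. Production tools compare response length within a tolerance or use a similarity measure instead, but the idea of first learning how the application says "not found" is the same.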

Hacking The Web Server

  • When footprinting is complete and a target web application has been selected, run vulnerability scans with tools such as UrlScan, WebInspect, Nessus, Nikto or Acunetix Web Vulnerability Scanner to check the system for weaknesses.
  • Once weaknesses have been discovered, run the attack sequence against them.
  • A denial-of-service attack may also be run against the server.

Hacking Through Authentication Flaws

Weak password policies and insecure transmission channels are exploitation points for attackers. Ways to attack through authentication flaws are:

  • Name enumeration
  • Cookie exploitation
  • Session attacks
  • Password attacks

Name Enumeration

The attacker determines valid account names either from a predictable naming scheme or by trial and error, using the application's verbose failure messages (such as "unknown user" versus "incorrect password") to confirm which names exist. Attackers can only try many names this way if the web application does not have a lockout policy, which locks an account after a certain number of failed attempts. Note, however, that a lockout message shown only for real accounts is itself an enumeration oracle.

Password attacks

The attacker also probes the password-change function by submitting combinations of 'old password', 'new password' and 'confirm new password' and comparing the three responses; a function that reports which of the three fields was wrong leaks information about the current password. The change function can be located by spidering or by creating a new login account. Tools such as WebCracker and Brutus can be used to determine passwords for target web applications.

In a dictionary attack, the attacker has a list of likely passwords for the target system, derived from footprinting, social engineering and lists of commonly used passwords, and uses tools such as Dictionary Maker to build that list.

Password attacks by brute force are also possible. Here the attacker tries to crack the password by working through every combination of letters, digits and symbols. Tools such as Brutus and SensePost Crowbar are used to brute-force passwords.

Script injection and eavesdropping on the network are two of the means of extracting cookies from the target web application. Cookies are harvested because they can carry sensitive information, such as passwords or session identifiers. Attackers then replay these cookies, either unchanged or with altered values (for instance a modified session identifier or user field), to bypass the authentication process. Tools such as OWASP Zed Attack Proxy and Burp Suite can be used to capture and replay these cookies.
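The two extraction routes named above map directly onto two cookie attributes: a cookie without the Secure flag is sent over plaintext HTTP and can be sniffed, and a cookie without HttpOnly can be read by injected script through document.cookie. The following added example (not code from the original article) audits Set-Cookie headers for these attributes in Python. The session-name heuristic and the sample headers are constructed for the example.

```python
# Hints that a cookie carries a session or authentication token (assumption:
# a heuristic on the name, good enough for a first triage).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_cookie(header_value: str) -> dict:
    """Report the missing attributes that enable the two theft routes in the text."""
    cookie = parse_set_cookie(header_value)
    findings = []
    if looks_like_session(cookie["name"]):
        attrs = cookie["attrs"]
        if "secure" not in attrs:
            findings.append("missing Secure: also sent over plaintext HTTP, so it can be sniffed")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable via document.cookie by injected script")
        if "samesite" not in attrs:
            findings.append("missing SameSite: attached to cross-site requests")
    return {"name": cookie["name"], "findings": findings}


def audit_response(set_cookie_values) -> list:
    """Audit every Set-Cookie header of a response; return only cookies with findings."""
    reports = [audit_cookie(v) for v in set_cookie_values]
    return [r for r in reports if r["findings"]]


# Constructed sample headers (not from a real site).
SAMPLE_SET_COOKIES = [
    "PHPSESSID=abc123; Path=/",
    "SESSIONID=9f3a7c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for report in audit_response(SAMPLE_SET_COOKIES):
        print(report["name"], report["findings"])
```

Neither flag stops replay once a cookie has been stolen by other means; they only close the two capture routes named in the text. Regenerating the session identifier at login and expiring sessions promptly limit how long a captured cookie remains useful.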

Published with the express permission of the author.