
Monday, October 29, 2018

06. Overview of Web Hacking


Most of the services you use operate over the Internet. In particular, web pages transmitted over the HTTP protocol may be at the heart of an Internet service. A home page that is viewed on a PC or a smartphone is a kind of Web service. Most companies block all service ports for security reasons, but port 80 remains open for Web services. Google, a typical portal site that people connect to every day, also uses port 80. If you do not specify a different port in the URL, Web services assume that you are using port 80. Through port 80, a web server transmits a variety of data to your PC, including text, images, files, and videos. Through port 80, a user can also transmit a variety of data, from text to large files, to a web server.


Figure 6-1 Internet Service Conceptual Diagram

Port 80 can be used in a variety of ways. However, a firewall does not perform a security check on port 80. To address this vulnerability, a Web Firewall can be implemented. Even so, it is impossible to protect against all attacks, which evolve every day. At this moment, hackers are exploiting vulnerabilities in Web services and trying to conduct fatal attacks.
OWASP (the Open Web Application Security Project) publishes information on web security vulnerabilities annually. OWASP publishes a Top 10 list, and the details are as follows:

• A1 Injection
A hacker performs an injection attack by using untrusted data when transferring instructions to databases, operating systems, and LDAP. Hackers execute a system command through an injection attack to gain access to unauthorized data.

• A2 Broken Authentication and Session Management
Programmers develop authentication and session management functions themselves, and skilled programmers can create a function safely. However, inexperienced programmers develop functions that are vulnerable to hacking. Hackers steal passwords using these vulnerabilities or even bypass authentication altogether.

• A3 Cross-Site Scripting (XSS)
An XSS vulnerability occurs when an application sends data to a web browser without proper validation. Important information that the victim who executed the XSS script had entered on the PC is then transmitted to the hacker.

• A4 Insecure Direct Object References
In an environment where appropriate security measures have been taken, a user cannot access internal objects, such as files, directories, and database keys, via a URL. Internal objects can be accessed only through auxiliary means. If an internal object is exposed directly to the user, it is possible to access unauthorized data by manipulating the method of access.

• A5 Security Misconfiguration
Applications, frameworks, application servers, web servers, database servers, and platforms implement a variety of security technologies. An administrator can change the security level by modifying the environment file. Security technology that has been installed can become exposed to new attacks over time. To keep the system safe, an administrator has to constantly check the environment and needs to ensure that software is up to date.

• A6 Sensitive Data Exposure
Web applications utilize various forms of important data, including private information and authentication information. A programmer must take protective measures, such as encrypting data, when storing or transferring sensitive data.

• A7 Missing Function Level Access Control
For security reasons, you have to verify permissions for Web applications on the server side. From time to time, developers make the mistake of checking permissions with a script on the client side. A web crawler is a program that finds the URLs of a web server and analyzes the HTML calls. A web crawler can be used to verify that permission checks processed by a client-side script have been neutralized.

• A8 Cross-Site Request Forgery (CSRF)
The hacker creates a script containing functions to attack a specific site and publishes it on the Internet. When a victim clicks on the web page where the CSRF script is embedded, the script will attack other sites without the user’s knowledge.

• A9 Using Components with Known Vulnerabilities
The server has components that run with root privileges. If a hacker gains access to such components, it can lead to serious consequences. Therefore, it is very important to take appropriate measures against the security vulnerabilities that have been reported for these components.

• A10 Unvalidated Redirects and Forwards
Some scripts are able to forcibly move pages that a user is looking at. Trusted data must be used when deciding when, how, and where to move to a new page.
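As an illustration of the A10 requirement that only trusted data decides where a page moves, the following added example (not code from the original post) validates a redirect target on the server before it is used. The host names, the `ALLOWED_HOSTS` allowlist and the function name `safe_redirect_target` are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

# Assumption: the only external hosts this application may redirect to (constructed values).
ALLOWED_HOSTS = frozenset({"shop.example.com", "accounts.example.com"})
DEFAULT_TARGET = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return target if it is a local path or an allowlisted https URL, else DEFAULT_TARGET."""
    if not isinstance(target, str):
        return DEFAULT_TARGET
    target = target.strip()
    # Browsers treat "\" like "/" and drop tabs/newlines, so refuse both outright.
    if not target or "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path rooted at a single "/".
        ok = target.startswith("/") and not target.startswith("//")
        return target if ok else DEFAULT_TARGET
    # Absolute URL: https only, exact host match, no userinfo ("user@host") component.
    if parts.scheme == "https" and "@" not in parts.netloc and host in allowed_hosts:
        return target
    return DEFAULT_TARGET


# Constructed sample values of a "next" query parameter.
SAMPLES = [
    "/account/orders?page=2",
    "https://shop.example.com/cart",
    "//other.example.net/login",
    "https://shop.example.com@other.example.net/",
    "https://shop.example.com.other.example.net/",
    "http://shop.example.com/cart",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", safe_redirect_target(sample))
```

Anything that fails validation falls back to the site root instead of raising an error, so a rejected target never reaches the `Location` header.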

Most hacking attacks can be blocked using a firewall, IDS, IPS, or a web application firewall. However, web hacking is difficult to block because it uses a normal web service and the open port 80. Realistically, web hacking is the easiest way to implement a hacking technique. It is more powerful than any other hacking technique. SQL Injection, Password Cracking, and Web Shell attacks are at the top of the OWASP Top 10 list. Now, let's look at these hacking techniques using Python.









