Domains of CEH
Information Security and Ethical Hacking Overview – 6%
Reconnaissance Techniques – 21%
Phases of System Hacking and Attack Techniques – 17%
Network and Perimeter Hacking – 14%
Web Application Hacking – 16%
Wireless Network Hacking – 6%
Mobile Platform, IoT and OT Hacking – 8%
Cloud Computing – 6%
Cryptography – 6%

We will be discussing the fifth domain of CEH: ‘Web Application Hacking’.
What is a Web Application?
It is no surprise that most people use mobile apps such as Instagram, WhatsApp and PUBG. Here is an example of a website that can also be used as a mobile application. Imagine you have lost your mobile phone, or it is switched off, and you want to scroll through your Instagram feed. What should you do? Log in to your account via Google Chrome. Right? That’s it! You can now use Instagram through a web browser, and that is what we call a web app. Facebook, Flipboard and MakeMyTrip are a few other well-known web applications.
Technically speaking, a web app is software, or a program, that performs a specific task by running inside a browser such as Google Chrome, Mozilla Firefox or Internet Explorer.
The best thing about web applications is that you don’t have to download them, which leaves more space on your device for important data.
Hacking Web Applications
Web hacking is the act of manipulating HTTP applications through their graphical web interface, by altering Uniform Resource Identifiers (URIs), or by altering HTTP elements other than the URI.
There are many ways to hack web applications:
SQL injection attacks: Structured Query Language (SQL) is used to query, operate on and manage databases. SQL injection is the most common SQL-based attack; attackers use it to modify, delete or read data. SQL injection can also be used to make the database server issue commands to the underlying operating system.
Cross-site scripting attacks: Cross-site scripting, also known as XSS, is a method of injecting malicious code into websites that would otherwise be safe. By exploiting a vulnerability in a target web app, an attacker can deliver malicious code to that app’s users.
Fuzzing: Developers use fuzz testing on software, operating systems or networks to find security holes and coding errors. Attackers can use the same method to find weaknesses in our websites or servers.
Fuzzing works by feeding the target a large amount of random data (the “fuzz”) and watching for it to crash or misbehave. Attackers use fuzzer tools to detect such weak areas; if the target fails to handle the input safely, the attacker may exploit that weakness further.
Types of vulnerabilities that can lead to web application hacking
Unvalidated inputs: Web applications accept input from users and build queries on top of that input. If these inputs aren’t properly sanitised, the attacker can launch attacks such as cross-site scripting (XSS), SQL injection and directory traversal. Such attacks can also result in identity theft or data theft.
Directory traversal attack: This vulnerability allows the attacker to access restricted directories on the server beyond the root directory. With it, an attacker can read system files, run OS commands and learn details about the configuration.
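As an added illustration of the unvalidated-input point above (example code written for this page, not taken from CEH material), the following Python snippet builds a login check two ways against a constructed in-memory SQLite table: once by string concatenation, where a quote in the input changes the meaning of the query, and once with a parameterised query, where the input stays plain data. The table contents and the users are made up for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original page).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory users table seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Unvalidated input: the query is built by string concatenation,
    so characters in the input are parsed as SQL syntax, not as data."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, name, password):
    """Parameterised query: the driver binds the values separately from
    the SQL text, so quotes and keywords in the input stay plain data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


def demo():
    """Run both versions with a valid password and with a tautology string."""
    conn = make_db()
    tautology = "' OR '1'='1"  # turns the WHERE clause into "... OR true"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, "alice", tautology),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The concatenated version returns every user for the tautology input, which is exactly the data-read outcome described under SQL injection, while the parameterised version returns nothing for it.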

Defence Mechanisms
There are many defence mechanisms that can be used to stop web application hacking. These are some of the most popular:
Authentication: Authentication is a defence mechanism used to verify users. It checks the user ID as well as the password. With the rise of social engineering techniques, attackers can easily obtain your login credentials, so two-step verification was introduced.
Two-step verification means that a “One Time Password” is sent to your mobile, and you need it in order to log in to your account.
Data safety: The majority of vulnerabilities in web applications can be attributed to the incorrect processing of user data. Vulnerabilities can