Web Application Hacking
What is a web application? - A web application (or web app) is application software
that runs on a web server, unlike computer-based software programs that run
locally on the operating system (OS) of the device. Web applications are
accessed by the user through a web browser with an active network connection.
How does a web application work? - A web application works in two parts, the front-end
and the back-end; every web application uses these two.
1. Front-end: The front-end is what users interact with directly. It is the visual
part of a website or web application that you see and interact with in your
browser.
2. Back-end: The back-end is the behind-the-scenes part of a web application. It
handles the logic, processes data, and communicates with databases.
Front-end/Client-side languages:
HTML
CSS
JavaScript
Perl
Back-end/Server-side languages:
PHP
JavaScript
Python
-----------------------------------------------------------------------------------
OWASP Top 10 2021
1. Broken Access Control: Inadequate restrictions on user access.
# Example: A user accessing another user's data due to insufficient access controls.
2. Cryptographic Failures: Weaknesses in encryption or hashing.
# Example: Storing passwords without proper encryption, making them vulnerable to
theft.
3. Injection: Allowing untrusted data into a query or command, leading to code execution.
# Example: SQL Injection, where malicious SQL queries are injected through user
inputs.
4. Insecure Design: Flaws in the overall design of the application.
# Example: Lack of proper security considerations during the design phase.
5. Security Misconfiguration: Improperly configured security settings.
# Example: Default credentials or unnecessary services exposed, giving attackers
easy access.
6. Vulnerable and Outdated Components: Using outdated or vulnerable software
components.
# Example: Using an old version of a plugin/add-on with known security issues.
7. Identification and Authentication Failures: Issues in the user
identification and authentication processes, potentially leading to unauthorized
access or identity spoofing (user enumeration, brute-force attacks).
8. Software and Data Integrity Failures: Failures in ensuring the integrity of
software (plugins, code, libraries, etc.) and data in CI/CD, making them susceptible to
unauthorized modification or tampering.
9. Security Logging and Monitoring Failures: Inadequate logging and monitoring
practices, making it hard to detect and respond to security incidents.
10. Server-Side Request Forgery (SSRF): Allowing attackers to make the server send requests to
internal resources, potentially leading to unauthorized access or data exposure.
(https://tryhackme.com/room/owasptop102021)
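The injection entry above (item 3) is easiest to understand with the vulnerable query next to its fixed version. The following is an added example written for these notes, not code from the TryHackMe room or any real application: it uses Python's built-in sqlite3 module, a constructed in-memory users table, and two login functions that differ only in how the user-supplied values reach the query. The table column name, the sample row, and the login function names are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table (not a real app)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # The hash value is a placeholder; hashing itself is outside this example.
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the SQL text with string formatting, so the user input becomes
    part of the query itself and can change its logic."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_hash))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so they are always treated as data, never as SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


def demo():
    """Returns (vulnerable_result, safe_result) for the same injected input.

    The password field carries the well-known payload ' OR '1'='1, which turns the
    vulnerable WHERE clause into
        username = 'alice' AND password_hash = '' OR '1'='1'
    and so matches every row; the parameterized query compares the literal string
    and matches nothing.
    """
    conn = make_db()
    injected = "' OR '1'='1"
    return login_vulnerable(conn, "alice", injected), login_safe(conn, "alice", injected)
```

The defensive point is that the fix is not input filtering but separating code from data: `login_safe` never concatenates user input into SQL, so no quoting trick can alter the query structure. The same rule applies to the ORM or database driver in PHP, JavaScript or any other back-end language.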
------------------------------------------
Burp Suite:
Burp or Burp Suite is a set of tools used for penetration testing of web
applications.
-----------------------------------------------------------------------------------
Intruder tab:
Attack type (how payloads are placed into the marked positions) -
1. Sniper uses one wordlist and works on one position at a time.
2. Battering ram uses a single wordlist and puts the same payload into all the
positions at once.
3. Pitchfork uses multiple wordlists for multiple positions; the wordlists advance
simultaneously, one entry from each list per request.
4. Cluster bomb uses different wordlists on different parameters and tries every
combination: it brute-forces the first username with every password and then
moves on to the next username.
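To make the four attack types concrete, here is an added example (written for these notes, not code from Burp Suite or PortSwigger) that models how each type combines payload lists with positions. It sends nothing; it only generates the parameter sets a request would carry, so you can count how many requests each type produces. The position names, base values and the two tiny payload lists are constructed placeholders.

```python
from itertools import product


def sniper(base, payloads):
    """One wordlist, one position at a time; untouched positions keep their base value."""
    for pos in base:
        for p in payloads:
            req = dict(base)
            req[pos] = p
            yield req


def battering_ram(base, payloads):
    """One wordlist, same payload inserted into every position at once."""
    for p in payloads:
        yield {pos: p for pos in base}


def pitchfork(positions, payload_sets):
    """One wordlist per position; lists advance in lock-step (stops at the shortest)."""
    for combo in zip(*payload_sets):
        yield dict(zip(positions, combo))


def cluster_bomb(positions, payload_sets):
    """One wordlist per position; every combination, first list held while the
    others cycle (first username with every password, then the next username)."""
    for combo in product(*payload_sets):
        yield dict(zip(positions, combo))


def request_counts():
    """Constructed example: a login form with two positions and short lists.
    Returns the number of requests each attack type would generate."""
    base = {"username": "user", "password": "pass"}  # base values in the template
    single_list = ["a", "b", "c"]                      # constructed single wordlist
    usernames = ["alice", "bob"]                        # constructed per-position lists
    passwords = ["p1", "p2", "p3"]
    return {
        "sniper": sum(1 for _ in sniper(base, single_list)),                # 2 positions x 3
        "battering_ram": sum(1 for _ in battering_ram(base, single_list)),  # 3
        "pitchfork": sum(1 for _ in pitchfork(list(base), [usernames, passwords])),  # min(2, 3)
        "cluster_bomb": sum(1 for _ in cluster_bomb(list(base), [usernames, passwords])),  # 2 x 3
    }
```

The counts are what matter from the defensive side: cluster bomb grows multiplicatively with the list sizes, which is exactly the traffic pattern that account lockout, rate limiting and failed-login alerting are meant to catch, while pitchfork (one credential pair per request, as in credential stuffing) stays linear and is harder to spot by volume alone.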
-----------------------------------------------------------------------------------
DVWA Lab:
We will perform testing on this vulnerable lab.
Brute force
Command injection
CSRF - if a user's/client's request can be changed (tampered with) by another site
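The CSRF line above says the problem is that a user's request can be changed by someone else; the usual server-side fix is a per-session token that a cross-site form cannot know. The following is an added example written for these notes (not DVWA's code): it implements the synchronizer-token pattern with Python's standard hmac module and a constructed request dictionary standing in for an HTTP request. The server secret, the session id format, the form field name csrf_token and the handle_transfer function are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real application loads this from configuration.
SERVER_SECRET = b"example-secret-key-not-for-production"


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to the session via HMAC, so it is useless for any other session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token, secret=SERVER_SECRET):
    """Constant-time comparison against the token expected for this session."""
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id, secret), token)


def handle_transfer(request):
    """State-changing endpoint; returns an HTTP-style status code.

    request is a constructed dict: {"method": ..., "cookies": {...}, "form": {...}}.
    The browser attaches the session cookie automatically to a cross-site form post,
    so the cookie alone must never authorize the action; the token must be present too.
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401  # not logged in
    if request.get("method") != "POST":
        return 405  # state changes only over POST, never via a GET link
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        return 403  # forged or missing token: reject before touching any state
    return 200  # would perform the transfer here


def demo():
    """Returns (status for a legitimate form, status for a cross-site forged form)."""
    sid = "sess-" + secrets.token_hex(4)  # constructed session id
    legitimate = {"method": "POST", "cookies": {"session": sid},
                  "form": {"amount": "100", "csrf_token": issue_csrf_token(sid)}}
    # A form on an attacker's page: the browser still sends the cookie, but the
    # page had no way to read the victim's token, so the field is absent.
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"amount": "100"}}
    return handle_transfer(legitimate), handle_transfer(forged)
```

Two checks worth keeping in mind when testing a lab like DVWA against this pattern: a token copied from a different session must also be rejected (the HMAC binding handles that), and the check must run before any state is modified, not after.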