UNIT-V
WEB APPLICATION HACKING AND SECURITY
Content
╸ Introduction to Hacking Web Applications
╸ Cross-Site Scripting (XSS)
╸ Cross-Site Request Forgery (CSRF)
╸ XML External Entity (XXE)
╸ Injections: SQL Injection & Code Injection
╸ Denial of Service (DoS)
╸ Exploiting Third-Party Dependencies
╸ Web Application Security: Securing Modern Web Applications
╸ Secure Application Architecture
╸ OWASP Top 10 Web Application Security Risks and Tools
Introduction to Hacking Web Applications
╸ A web application is a program or software that runs in a web browser to perform specific tasks. Any web application has several layers – the web server, the content of the application that is hosted on the web server, and the backend interface layer that integrates with other applications. Web application architecture is scalable and has components that have high availability.
Introduction to Hacking Web Applications
╸ Ethical hacking is the process of diverting the web application from its intended use by tinkering with it in various ways. The web application hacker needs deep knowledge of the web application architecture to hack it successfully. To master it, the hacker needs to practise, learn and also tinker with the application.
╸ Web application hacking requires tenacity, focus, attention to detail, observation and interfacing. There are many types of web application hacking, and many defense mechanisms are available to counter them and to protect the application from being hacked.
Web Application Types
╸ Single Page Applications (SPAs)
╸ Web applications have changed a bit in the last decade or two. Many modern web applications today are Single Page Applications (SPAs). Single page applications look like this. All dynamic data on the page is dynamically gathered and loaded by client-side JavaScript.
Web Application Types
╸ Traditional Web Applications
╸ More traditional web applications typically look like this: entire pages are refreshed every time data needs to be updated. The full responses are typically prepared server-side and sent to the browser in one big lump:
Cross-site Scripting (XSS)
Cross-site Scripting (XSS)
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
Cross-site Scripting (XSS)
How does XSS work?
Cross-site scripting works by manipulating a vulnerable website so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.
Cross-site Scripting (XSS) Working
How to prevent XSS attacks
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.
In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:
• Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
• Encode data on output. At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
• Use appropriate response headers. To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
• Content Security Policy. As a last line of defense, you can use a Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
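The four measures above, put together in a small server-side rendering routine. This is an added example written for these notes, not code from the original slides; the profile page, the username rule and the sample input are all constructed for illustration. It shows the same user-controlled string landing in three different output contexts (HTML body, URL query, JavaScript string), each with the encoding that context needs, plus the response headers that pin the content type and carry a CSP.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample of user-controllable input. It mixes an HTML tag with an
# attribute-breakout attempt so every encoder below has something to neutralise.
SAMPLE_INPUT = '<script>alert(1)</script>" onmouseover="x'

# Measure 1, filter input on arrival: an allowlist for a field whose valid shape is
# known up front (a username). The exact character set is an assumption of this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def filter_username(value: str) -> str:
    """Reject anything outside the allowlisted shape instead of trying to strip bad parts."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allowed set")
    return value


# Measure 2, encode data on output: one encoder per output context.

def encode_for_html(value: str) -> str:
    """HTML body and quoted-attribute context: escape & < > \" and '."""
    return html.escape(value, quote=True)


def encode_for_url(value: str) -> str:
    """URL query-parameter context: percent-encode every character that is not unreserved."""
    return quote(value, safe="")


def encode_for_js(value: str) -> str:
    """JavaScript string-literal context: JSON-encode, then replace < > & with \\uXXXX
    escapes so the value can never close or open an HTML element inside <script>."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_profile(display_name: str, search_term: str) -> str:
    """Render a fragment where user data lands in three different output contexts."""
    return (
        f"<h1>Hello, {encode_for_html(display_name)}</h1>\n"
        f'<a href="/search?q={encode_for_url(search_term)}">search again</a>\n'
        f"<script>var lastQuery = {encode_for_js(search_term)};</script>"
    )


def security_headers() -> dict:
    """Measures 3 and 4: an explicit Content-Type, sniffing disabled, and a CSP that
    only allows scripts from the page's own origin. The policy string is an example."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


if __name__ == "__main__":
    for name, value in security_headers().items():
        print(f"{name}: {value}")
    print()
    print(render_profile(SAMPLE_INPUT, SAMPLE_INPUT))
```

Running it prints the headers followed by the rendered fragment: the `<h1>` shows the payload as visible text, the `href` carries it percent-encoded, and the `<script>` block holds it as a JSON string with `<` and `>` turned into `\u003c` and `\u003e`, so the only `<script>` tag in the response is the one the template itself wrote. The point of keeping three separate encoders is that HTML escaping alone is not enough once data is placed in a URL or inside JavaScript; the encoding has to match the context it is emitted into.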