UNIT-V
WEB APPLICATION HACKING AND SECURITY
Content
╸ Introduction to Hacking Web Applications
╸ Cross-Site Scripting (XSS)
╸ Cross-Site Request Forgery (CSRF)
╸ XML External Entity (XXE)
╸ Injections: SQL Injection & Code Injection
╸ Denial of Service (DoS)
╸ Exploiting Third-Party Dependencies
╸ Web Application Security: Securing Modern Web Applications
╸ Secure Application Architecture
╸ OWASP Top 10 Web Application Security Risks and Tools
Introduction to Hacking Web Applications
╸ A web application is a program or software that runs in a web browser to perform specific tasks. Any web application has several layers: the web server, the application content hosted on that server, and the backend interface layer that integrates with other applications. Web application architecture is scalable, and its components are built for high availability.
╸ Ethical hacking, in this context, is the process of diverting the web application from its intended use by tinkering with it in various ways. The web application hacker needs deep knowledge of the web application architecture to hack it successfully. To master it, the hacker needs to practice, learn and keep tinkering with the application.
╸ Web application hacking requires tenacity, focus, attention to detail, observation and interfacing. There are many types of web application hacking, and many defense mechanisms available to counter them and protect the application from being hacked.
Web Application Types
╸ Single Page Applications (SPAs)
╸ Web applications have changed a fair amount in the last decade or two. Many modern web applications today are Single Page Applications (SPAs); a typical SPA is shown in the slide's figure (not reproduced here). All dynamic data on the page is gathered and loaded by client-side JavaScript.
╸ Traditional Web Applications
╸ More traditional web applications typically work as shown in the slide's figure (not reproduced here): entire pages are refreshed every time data needs to be updated. The full responses are typically prepared server-side and sent to the browser in one big lump.
Cross-site Scripting (XSS)
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
How does XSS work?
Cross-site scripting works by manipulating a vulnerable website so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.
Cross-site Scripting (XSS) Working (diagram slide; figure not reproduced here)
How to prevent XSS attacks
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.
In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:
• Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
• Encode data on output. At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
• Use appropriate response headers. To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
• Content Security Policy. As a last line of defense, you can use a Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
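The four measures above, worked through as an added Node.js example (this is not code from the slides; the function names, the header values and the sample inputs are the editor's own choices): an allow-list filter on arrival, context-aware output encoding shown against a vulnerable rendering, and the Content-Type, X-Content-Type-Options and CSP headers for a JSON and an HTML response.

```javascript
// Added example, not from the slides: the four defences the slide lists as Node.js functions.
// Every sample value below is constructed for the demo.

// 1. Filter input on arrival: allow-list a username at the point it is received.
function acceptUsername(raw) {
  return /^[A-Za-z0-9_]{1,32}$/.test(raw) ? raw : null;
}

// 2a. Encode for an HTML element or quoted-attribute context.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2b. Encode for a JavaScript string-literal context: every non-alphanumeric
//     character becomes \xHH or \uHHHH, so quotes and </script> are inert.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable rendering: user data interpolated raw into the HTML page.
function renderCommentUnsafe(name, comment) {
  return `<p><b>${name}</b>: ${comment}</p>`;
}

// Hardened rendering: same template, each interpolation encoded for its context.
function renderCommentSafe(name, comment) {
  return `<p><b>${encodeHtml(name)}</b>: ${encodeHtml(comment)}</p>\n` +
         `<script>var author = "${encodeJsString(name)}";</script>`;
}

// 3 + 4. Response headers: nosniff plus an explicit Content-Type stop a JSON body
//        from being interpreted as HTML; an HTML page gets a CSP as last line of defence.
function responseHeaders(kind) {
  const common = { 'X-Content-Type-Options': 'nosniff' };
  if (kind === 'json') {
    return { ...common, 'Content-Type': 'application/json; charset=utf-8',
             'Content-Security-Policy': "default-src 'none'; frame-ancestors 'none'" };
  }
  return { ...common, 'Content-Type': 'text/html; charset=utf-8',
           'Content-Security-Policy': "default-src 'self'; object-src 'none'; base-uri 'none'" };
}

// Constructed sample input: a comment carrying a script tag and a name with a quote.
const SAMPLE_NAME = "o'brien";
const SAMPLE_COMMENT = '<script>alert(1)</script>';
```

Note that the HTML-context encoder alone would not make `SAMPLE_NAME` safe inside the `<script>` block, which is why the hardened renderer switches to `encodeJsString` there.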
Slide deck title: Web hacking refers to exploitation of applications via HTTP which can be done