How to Hack Web Application

Understanding Web Applications

Web applications are dynamic websites or software programs that run on web servers and are accessed through web browsers. Unlike static websites, web applications allow users to interact with the content, perform operations, and manipulate data in real-time. They are built using various technologies like HTML, CSS, JavaScript for the client-side, and server-side languages like PHP, Python, Ruby, or Java.

Web applications range from simple forms and shopping carts to complex enterprise systems like CRM software or social media platforms. Their functionality hinges on the ability to process user inputs, interact with databases, and deliver customized content back to the user’s browser. This interactivity is made possible through protocols like HTTP, which stands as the backbone for data communication on the web.

HTTP

HTTP (HyperText Transfer Protocol) is the foundation of any data exchange on the Web. It’s a protocol used for transmitting hypertext, which is structured text that uses logical links (hyperlinks) between nodes containing text.

# Request
GET / HTTP/1.1
Host: www.hahwul.com

# Response
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 4332
Version    Characteristics
HTTP/1.1   Text-based, single connection, no header compression
HTTP/2     Binary framing, multiplexing, header compression (HPACK), server push
HTTP/3     Based on the QUIC protocol, faster connection setup, multiplexing, header compression (QPACK), improved security and performance
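As an added example (not code from the original post), here is a strict Python parser for the request head shown above, written the way an intercepting proxy or a server should treat such messages: a header line without a colon (for instance "Host www.hahwul.com") or an HTTP/1.1 request with no Host header is rejected rather than guessed at, because lenient parsing is what lets client, proxy and server disagree about a message.

```python
import re
from dataclasses import dataclass, field

# Token and header-field syntax from RFC 9110; request-line syntax from RFC 9112.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
REQUEST_LINE_RE = re.compile(rf"^({TOKEN}) (\S+) HTTP/(\d)\.(\d)$")
HEADER_RE = re.compile(rf"^({TOKEN}):[ \t]*(.*?)[ \t]*$")

@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> value

def parse_request(raw: str) -> Request:
    """Parse the head (request line + headers) of an HTTP/1.x request.

    Malformed input raises ValueError instead of being silently repaired: a lenient
    parser is what lets a client, a proxy and a server disagree about a message.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].rstrip("\n")
    lines = head.split("\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError(f"bad request line: {lines[0]!r}")
    req = Request(m.group(1), m.group(2), f"{m.group(3)}.{m.group(4)}")
    for line in lines[1:]:
        hm = HEADER_RE.match(line)
        if not hm:  # e.g. 'Host www.hahwul.com' without the colon
            raise ValueError(f"malformed header line: {line!r}")
        name, value = hm.group(1).lower(), hm.group(2)
        if name == "host" and name in req.headers:
            raise ValueError("duplicate Host header")  # RFC 9112: exactly one Host
        # Other repeated fields may be combined into one comma-separated value.
        req.headers[name] = f"{req.headers[name]}, {value}" if name in req.headers else value
    if req.version == "1.1" and "host" not in req.headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return req

def check_request(raw: str) -> str:
    """Return 'ok' for a well-formed request head, otherwise the parser's reason."""
    try:
        parse_request(raw)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Feed it the two constructed variants of the request above (with and without the colon after Host) to see the accepted and rejected cases side by side.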

Testing mechanism

A Man-in-the-Middle (MITM) attack is one in which a third party positions itself between two communicating parties. In a real attack this might involve techniques like sniffing, but from a web testing perspective we use tools that deliberately take that middle position: they let us intercept and modify the communication between a client such as a browser or mobile app and the server for testing purposes.

Modifies data between the Client and Server for testing.

Setting Up the Environment

Selecting a Proxy Tool

There are many MITM proxies available. In the security field, however, three well-known tools are used by most hackers and security engineers: Burp Suite, Caido, and ZAP. Typically, people use one or more of these.

For your information, I use ZAP, Caido, and Burp all at the same time.

Configuring Certificates

These tools can magically intercept requests, but well-known web browsers and clients aren't naive: they detect interception through TLS certificate validation. Since our goal is testing, we need the proxy tool to appear as a trusted intermediary. To achieve this, we must configure the web browser, client, or OS to trust the proxy's CA certificate.

First, you need to obtain the certificate from the proxy tool. Each tool's manual explains where to find it, and with tools like Burp and ZAP you can download the certificate directly from the proxy port.

Now, you’ll trust the certificate in your browser or OS.

  • Firefox: Settings > Privacy and Security > Security > Certificates
  • Safari: Keychain (macOS Keychain Access)
  • Chrome: Settings > Privacy and Security > Security > Manage Certificates

Embedded Browser

These tools often provide built-in browsers to streamline this process. However, personally, I recommend using an external browser because it’s easier to verify real issues, and you can customize it with extensions, making it more user-friendly.