Scribd
Upload
19 views5 pages

Application Hacking

this is a application hacking books

Uploaded by

ronakshef
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
19 views5 pages

Application Hacking

this is a application hacking books

Uploaded by

ronakshef
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

Application Hacking

Web Applications acts as an interface between the users and servers using
web pages that consist of script code that is supposed to be dynamically
executed. One can access web applications with the help of the internet or
intranet. Web hacking in general refers to the exploitation of applications via
Hypertext Transfer Protocol (HTTP) which can be done by manipulating the
application through its graphical web interface, tampering the Uniform
Resource Identifier (URI) or exploiting HTTP elements. Some methods that
can be used for hacking the web applications are as follows: SQL Injection
attacks, Cross-Site Scripting (XSS), Cross-Site Request Forgeries (CSRF),
Insecure Communications, etc. Below mentioned are the Application Hacking
Mechanisms :

SMTP/Email-Based Attacks
The SMTP (Simple Mail Transfer Protocol) is responsible for the transmission
of electronic mail. Due to the e-mail tracking programs, if the receiver of the
e-mail reads, forwards, modifies, or deletes an e-mail, the sender of the e-mail
must know about it. Most e-mail tracking programs work by appending a
domain name to e-mail addresses, such as xyzRead.com. The tools that allow
an ethical hacker to track e-mail messages are MailTracking.com and
eMailTracking Pro. When these tools are used by the ethical hackers, the
resulting actions and the tracks of the original email are logged. Notification
of all the actions performed on the tracked e-mail by an automatically
generated e-mail is received by the sender. Web spiders are used by
spammers who are interested in collecting e-mail addresses

Preventive Measures:

1. Disable the VRFY and EXPN


2. If you need VRFY and EXPN functionality, do check your e-mail server or
e-mail firewall documentation.
3. Make sure that the company’s e-mail addresses are not posted on the
web application.

VOIP Vulnerabilities
VOIP stands for Voice Over Internet Protocol. It’s a technology that allows us
to make voice calls using a broadband Internet connection instead of a
regular phone line. Since VOIP uses the internet to function, it is prone to all
internet vulnerabilities such as DOS attacks. Online Security Mechanisms are
not able to handle VOIP that results in the daily or poor connections for your
call. VOIP is a digital file that can be easily misused. It raises additional
security concerns. These are some kinds of VOIP vulnerabilities :

4. Insufficient Verification of Data.


5. Execution Flaws.
6. String Manipulation Flaws.
7. Low Resources.
8. Low Bandwidth.
9. File Manipulation Flaws.
10. Password Management.
11. Permissions and Privileges.
12. Crypto and Randomness.
13. Authentication and Certificate errors.

Preventive Measures:

1. Make sure your computer’s OS and your computer’s anti-virus software


is updated.
2. Make sure that you have an Intrusion Prevention System (IPS) and a
VoIP firewall updated and intact.
3. Make use of VPNs to protect calls made through mobile/wireless
devices and networks.
4. If possible, have two separate connections. One connection for your
VoIP line, attacks or viruses, etc.

Directory Traversal
Directory Traversal attacks are also known as Unicode exploit. Windows 2000
systems running IIS are vulnerable to this type of attack. It happens only in
unpatched Windows 2000 systems and affects CGI scripts and ISAPI
extensions such as.ASP. It allows hacker’s system-level access. Unicode
converts characters of any language to a universal hexadecimal code
specification. Since it is interpreted twice and the parser only scanned the
resultant request once, hackers could sneak file requests through IIS. The
Unicode directory traversal vulnerability allows hackers to add, change,
upload or delete files and run code on the server.

Preventive Measures :

1. Avoid passing user-supplied input to file system APIs altogether.


2. Two layers of defense must be utilized together to prevent these types
of attacks.
3. The application must validate the user’s input before processing it
further.
4. Validation should verify that the input contains only permitted content,
such as purely alphanumeric characters, etc.

Brute Force Attack


The hacker uses all possible combinations of letters, numbers, special
characters, capital, and small letters to break the password in a brute force
attack. The probability of success is high in brute force attacks. It requires a
big amount of time and patience to try all possible permutations and
combinations. John the Ripper aka Johnny is one of the powerful tools to set
a brute force attack and it comes with the Kali distribution of Linux.
Preventive Measure :

1. Limit failed login attempts.


2. Create the root user inaccessible via SSH by editing the sshd_config file.
3. Edit the port line in your sshd_configfile.
4. Use a Captcha.
5. Limit login attempts to a specified IP address or range.
6. Two-factor authentication.
7. Create unique login URLs.
8. Monitor server logs etc.

SQL Injection
An SQL injection attack, malicious code is inserted into a web form field or the
website’s code makes a system execute a command shell or arbitrary
commands. SQL servers are a high-value target since they are a common
database servers and used by many organizations to store confidential data.

1. Preventive Measure :
2. Don’t use dynamic SQL.
3. Update and patch.
4. Consider a web application firewall to filter out malicious data.
5. Discard any unwanted or unimportant database functionality.
6. Avoid connecting to your DB using an account with admin-level
privileges.
7. Continuously monitor SQL statements from database-connected
applications
8. Buy better software.

XSS
XSS also knows Cross-site scripting. Cross-site scripting vulnerabilities occur
when web applications allow users to add custom code into a URL path or
onto a website that will be seen by other users. It can be exploited to run
malicious JavaScript code on a victim’s browser. Prevention strategies for
cross-site scripting include escaping untrusted HTTP requests as well as
validating user-generated content.

Preventive Measures :
1. Filter input on arrival.
2. Encode data on output.
3. Use appropriate response headers.
4. Content Security Policy.

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy