Web hacking is the intrusion of a remote web server through its web application. A successful attack can modify or leak information, trick users, or take over the web server itself.
1. How the web server works, and where web hacking takes place
A good article about how web servers work, written in Korean: 웹 취약점과 해킹 매커니즘 #1 개요 ("Web Vulnerabilities and Hacking Mechanisms #1: Overview") (Archive.org)
2. Widely Used Techniques
2.1. SQL Injection
See SQL Injection for details.
2.2. Cross Site Scripting (XSS)
A detailed special report from the EQST team covers XSS in depth.
2.3. Cross Site Request Forgery (CSRF)
A detailed special report from the EQST team covers CSRF in depth.
2.4. Server Side Request Forgery (SSRF)
A detailed special report from the EQST team covers SSRF in depth.
2.6. Directory Scanning
This is not a web hacking technique in the strict sense; it is better classified as a "reconnaissance" skill. Still, directory scanners are helpful and reduce the time needed to reach the target.
The following tools are widely used directory scanners.
3. Reference
3.1. OWASP Top 10
3.1.1. OWASP Top 10 (2013)
- Injection (SQL Injection, OS Command, LDAP)
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure Direct Object References (IDOR)
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
3.1.2. OWASP Top 10 (2017)
- Injection (SQL Injection, OS Command, LDAP)
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Reference: https://owasp.org/www-project-top-ten/2017/
3.1.3. OWASP Top 10 (2021)
- Broken Access Control
- Cryptographic Failures
- Injection (SQL Injection, OS Command, LDAP)
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery