On Friday January 18th, I had the chance to attend National Cyber Security Day, hosted in collaboration with CMS-CERN.
The conference, which discussed the latest cybersecurity challenges, trends, and solutions, featured a session by CERN Deputy Computer Security Officer, Sebastian Lopienski.
In his session, Sebastian discussed web application penetration testing through an ethical hacking lens, in order to help developers better design their web applications.
What is Hacking?
You may have seen hackers in movies trying to “gain access” or “hack the mainframe”, but this is mostly a dramatization of something far more methodical.
Hacking is defined as someone gaining access to information or functions in a piece of software that the developer never intended the user to have. This can range from simply adding a sentence to a web page to extracting all the information stored in an application's database.
White Hat vs Black Hat Hackers
The cybersecurity knowledge you gain can be used for good or bad.
'White hat hacker' is the term for people who hack into companies' systems in order to help them find and patch their vulnerabilities, while a 'black hat hacker' would use the same knowledge for personal gain.
Nowadays, the demand for ethical hackers is on the rise, with a 0% unemployment rate, as was stated at the conference.
Ethics and Rules
Before trying to run any penetration tests, there are certain ethics and rules that you'll need to abide by in order to be safe.
First and foremost, it is essential to inform the owners of the services and systems that you will be conducting penetration testing on their web application.
Second, you need to make sure that the data you will be testing against is safe and backed up, since some tests may corrupt the data or delete it completely.
Finally, if a vulnerability is found, you must report it immediately and make sure it has been patched before you can share it with a third party.
Web Application Basics
You will need to know some important functionalities of web applications before you can start thinking of ways to hack them.
The chain is as follows: the client uses their browser to view a web page that was sent by a web server. That web server is connected to a backend server that usually holds all the logic, functions, and data of the page.
A Uniform Resource Locator, or URL, can be used to send GET or POST requests to the server: when you press a button on a page, a URL describing the action you want is sent to the server. Sometimes a request cannot be carried in the URL alone, so its data is sent in the request body instead, for example when logging in.
There are two ways to approach the problem at hand.
If you are testing your own system, you would use the white box approach. This is usually the most effective, as you know how the components relate to each other and can try to break the system by making one of its functions fail.
There is also the black box approach, in which all you have is the client side of the application. This can be useful because the tester approaches the system without any preconceptions about how it works.
You are now set to start hacking into web applications. One of the simplest ways to start is by simply changing the information stored in the URL.
As previously stated, the URL contains information that is sent back to the server and handled there. Many web applications lack proper input validation, which causes them to perform actions they were never supposed to perform.
A simple example could be a web application for rating movies. Imagine a site that lists movies which can be searched for using a search bar on the page, and once a movie is selected, a series of numbers from 1 to 10 is displayed for the user to select one and rate that movie.
By selecting a digit, let’s say 3, you might find that the URL is now of the form: https://a.website.com/rate.php?movie_id=23&rating=3.
It is easy to see that the rating is sent directly in the URL, so replacing the 3 with 1000 or -100 can affect the rating of this movie drastically if the server does not check the range itself.
The second approach, which is slightly more difficult but also more intrusive, is sending malicious data, for example through SQL injection.
If the database used by our fictional movie rating site is an SQL database, then you could try typing the following in the search bar: “Matrix’ & ‘DROP TABLE movies”.
This statement is as harmful as it looks. The first part simply completes what the search bar was asking for, so a search for “Matrix” is performed. But a quick Google search will show you that the second part is an SQL command to delete the table called movies. This can be a very serious issue if the data is not backed up.
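To make the two defences concrete, here is an added Python example (not code from the post or from Sebastian's session) of how the fictional rating site's server could handle both requests safely: the rating handler re-validates movie_id and rating from the query string instead of trusting the 1 to 10 buttons shown in the browser, and the search binds the user's term as a query parameter so the search-bar input quoted above is treated as plain text. The SQLite schema, movie titles and function names are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

MOVIES = [(23, "The Matrix"), (24, "Inception")]  # constructed sample data, not from the post

def setup_db():
    """In-memory SQLite stand-in for the site's database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE ratings (movie_id INTEGER, rating INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?)", MOVIES)
    return conn

def parse_rating_request(query_string):
    """Validate the query string of rate.php?movie_id=23&rating=3 on the server.
    The 1-10 buttons in the browser prove nothing: the range is re-checked here."""
    params = parse_qs(query_string, strict_parsing=True)
    try:
        movie_id = int(params["movie_id"][0])
        rating = int(params["rating"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError("movie_id and rating must be integers") from exc
    if not 1 <= rating <= 10:
        raise ValueError("rating must be between 1 and 10")
    return movie_id, rating

def rating_request_accepted(query_string):
    try:
        parse_rating_request(query_string)
        return True
    except ValueError:
        return False

def rate_movie(conn, query_string):
    """Store a validated rating; unknown movie ids are rejected too."""
    movie_id, rating = parse_rating_request(query_string)
    if conn.execute("SELECT 1 FROM movies WHERE id = ?", (movie_id,)).fetchone() is None:
        raise ValueError("unknown movie")
    conn.execute("INSERT INTO ratings VALUES (?, ?)", (movie_id, rating))
    return rating

def search_movies(conn, term):
    """Parameterised search: the term is bound as data, never spliced into the SQL text."""
    rows = conn.execute("SELECT title FROM movies WHERE title LIKE ?", (f"%{term}%",))
    return [title for (title,) in rows]

def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None
```

After a search for the quoted string, table_exists(conn, "movies") still returns True, because the whole string was compared against titles rather than executed.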
The Right Mindset
In order to be a good ethical hacker or cybersecurity engineer, you need to have the right mindset.
You will get stuck at some points and reach dead ends, but it is important to keep trying different things and forming new assumptions about the system. There is always a way around.