LESSON 1

INTRODUCTION TO
WEB VULNERABILITIES

ALEXANDER S. COCHANCO, MSIT

WHAT IS A THREAT?
A threat is any potential event that could harm an asset,
malicious or otherwise. In other words, any bad thing that
can happen to an asset is a threat.

A threat is a statement of an intent to harm or punish, or

something that presents an imminent danger or harm.

Lesson 1 - Introduction to Web Vulnerabilities

WHAT IS A VULNERABILITY?
A vulnerability is a weakness which allows an attack. This
may be due to poor design, configuration errors or improper
and insecure coding techniques. Low input validation is an
example of a weakness in an application layer which can lead
to input attacks.

Lesson 1 - Introduction to Web Vulnerabilities

WHAT IS A WEB APPLICATION VULNERABILITY?
A web application vulnerability is a weakness or misconfiguration
in a website or web application code that enables an attacker to
gain some level of control of the site, and possibly the hosting
server.

Lesson 1 - Introduction to Web Vulnerabilities

WHAT IS A WEB APPLICATION VULNERABILITY?
Web application vulnerabilities involve a system flaw or weakness
in a web-based application. They have been around for years,
largely due to not validating or sanitizing form inputs,
misconfigured web servers, and application design flaws, and they
can be exploited to compromise the application’s security.

These vulnerabilities are not the same as other common types of

vulnerabilities, such as network or asset. They arise because web
applications need to interact with multiple users across multiple
networks, and that level of accessibility is easily taken advantage of
by hackers.

Lesson 1 - Introduction to Web Vulnerabilities

Lesson 1 - Introduction to Web Vulnerabilities
WHAT IS AN ATTACK?
An attack is an action exploiting a vulnerability or making a
threat. Examples of attacks include sending a malicious input
to an app or flooding a network to attempt to deny a service.

Lesson 1 - Introduction to Web Vulnerabilities

Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
To sum up, a threat is a future occurrence that can adversely
affect an asset, while the vulnerability in your system is
exploited by a successful attack.

Lesson 1 - Introduction to Web Vulnerabilities

ANATOMY OF AN ATTACK
An attack is composed of 5 stages: (a) survey and assess, (b)
exploit and penetrate, (c) escalate privileges, (d) maintain
access and (e) deny service.

Lesson 1 - Introduction to Web Vulnerabilities

ANATOMY OF AN ATTACK

Lesson 1 - Introduction to Web Vulnerabilities

SURVEY AND ASSESS
Surveying and assessing of the future target are performed in
parallel. The first step normally taken by an intruder is to survey
the possible target to define and assess its
characteristics.

These characteristics can include its supported services and

protocols along with possible vulnerabilities as well as entry
points. To plan an initial attack, the attacker uses the information
gathered in the survey and assess phase.

Lesson 1 - Introduction to Web Vulnerabilities

Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
EXPLOIT AND PENETRATE
Having assessed the potential target, the next move is to exploit
and penetrate. If the network and host are completely protected,
then the next platform for attack will be your application.

The easiest way for an attacker to get into an application is

through the same entrance that legitimate users use, for
example, through the logon page of the application or a page
that does not require authentication.

Lesson 1 - Introduction to Web Vulnerabilities

Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
ESCALATE PRIVILEGES
After attackers managed to enter an application or network by
injecting code into the application or creating an authenticating
session with the operating system, They will immediately try to
escalate privileges. In particular, they are looking for
administrative rights that are offered by accounts that are
members of the Administrators group. They 're just searching for
the high degree of rights the local network account provides.

Lesson 1 - Introduction to Web Vulnerabilities

Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
MAINTAIN ACCESS
When an intruder has obtained access to a network, he takes
steps to encourage future access and cover his or her tracks.

Popular approaches to encouraging potential access and making

them easier include planting of backdoor programs or the use of
an established account lacking strong security. Usually, covering
tracks includes clearing logs, and hiding tools.

Log files should be secured, and should be periodically

examined. Analysis of the log file will also show the early signs
of an attempted break-in before the harm is done.

Lesson 1 - Introduction to Web Vulnerabilities

Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
DENY SERVICE
Attackers who are unable to get access also launch a denial-of-
service attack to discourage anyone from using the device. For
other attackers, their target from the beginning is the denial of
service to the application.

Lesson 1 - Introduction to Web Vulnerabilities

Lesson 1 - Introduction to Web Vulnerabilities
Lesson 1 - Introduction to Web Vulnerabilities
SAMPLE CASE: ShopPro E-Commerce Website
An e-commerce platform, ShopPro, has been targeted by a malicious
hacker group. The group uses various techniques to compromise the
website and achieve their objectives. Below is a description of the
attack process:

Survey and Assess:

The attacker starts by gathering information about the website. Using
various tools, they identify that the website runs on an outdated
version of a popular CMS (Content Management System). They also
discover that the server exposes unnecessary open ports.

Lesson 1 - Introduction to Web Vulnerabilities

SAMPLE CASE: ShopPro E-Commerce Website
Exploit and Penetrate:
After identifying the vulnerabilities, the attacker crafts a malicious
payload to exploit a known vulnerability in the CMS. By submitting this
payload through the login page, they bypass authentication and gain
access to the administrative dashboard of the website.

Escalate Privileges:
Once inside the system, the attacker notices that the admin dashboard
has overly permissive access controls. They exploit this by modifying
configurations to grant themselves "super admin" privileges, allowing
access to sensitive customer data and payment details.

Lesson 1 - Introduction to Web Vulnerabilities

SAMPLE CASE: ShopPro E-Commerce Website
Maintain Access:
The attacker installs a backdoor on the server, allowing them to re-enter
the system later without detection. They also create a hidden "ghost
admin" account to ensure persistent access even if the initial breach is
discovered.

Deny Service:
To cover their tracks and distract the IT team, the attacker launches a
DDoS attack, flooding the server with traffic from a botnet. This causes
the website to become unresponsive, preventing legitimate users from
accessing it.

Lesson 1 - Introduction to Web Vulnerabilities