MODULE 14 – HACKING WEB APPLICATIONS

PART 1: FOUNDATIONS (PAGES 1–14)


1. MODULE OBJECTIVES (MEMORIZE VERBATIM)

Objective ID Objective
O1 Summarize web application concepts
O2 Demonstrate web application threats
O3 Explain web application hacking methodology
O4 Explain web API and webhooks
O5 Summarize techniques used in web application security

Memory Hook:
C-T-M-A-S = Concepts, Threats, Methodology, APIs, Security


2. WEB APPLICATION – CEH DEFINITION

Term Definition
Web Application A software program that runs on a web browser and acts as an interface between users and web servers through HTTP/HTTPS.

Key CEH Properties

  • Runs inside a browser

  • Uses client–server architecture

  • Handles dynamic content

  • Communicates via HTTP/HTTPS

  • Interfaces with databases and services


3. HOW WEB APPLICATIONS WORK (EXAM FLOW)

Step Description
1 User enters a URL in the browser
2 Browser sends an HTTP request to the web server
3 Web server checks requested resource
4 Static content → returned directly
5 Dynamic content → forwarded to application server
6 Application server processes logic
7 Database queried if required
8 Response returned to browser

Memory Hook:
URL → HTTP → Server → App → DB → Response


4. ADVANTAGES OF WEB APPLICATIONS (EXAM LIST)

Advantage
OS-independent
Accessible anytime and anywhere
Device-independent
Centrally managed servers
Scalable and cost-effective
Uses standard technologies (HTML, JS, JSP, ASP, PHP, .NET)

5. WHY WEB APPLICATIONS ARE VULNERABLE

Reason
Complex architecture
Multiple integration points
User-controlled input
Third-party components
Rapid development cycles
Poor input validation

Exam Trap:
CEH always links user input + poor validation to most web attacks


6. WEB APPLICATION ARCHITECTURE (3-LAYER MODEL)

6.1 ARCHITECTURE OVERVIEW

Layer Purpose
Presentation Layer User interface and input handling
Business Logic Layer Application processing and decision logic
Database Layer Data storage and retrieval

6.2 PRESENTATION LAYER

Component Description
Browser Sends HTTP requests
HTML/CSS UI rendering
JavaScript Client-side logic

Exam Note:
Client-side validation is NOT security
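Worked example for the two notes above (user input + poor validation, and client-side validation not being security). This is an added illustration, not code from the CEH module: the form fields, the business rule of at most 10 items per order, and the function names are assumptions. The point is that the request body reaching the business-logic layer is plain text that any HTTP client can compose, so the JavaScript checks in the presentation layer are advisory and every rule is enforced again on the server.

```python
"""Server-side input validation (added example, not from the CEH module).

Assumptions: a constructed HTML form with fields 'email' and 'qty'; the
browser's JavaScript may already check these, but the server re-validates
because the request body is plain text any client can compose.
"""
import re
from urllib.parse import parse_qs

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_QTY = 10  # constructed business rule: at most 10 items per order


def validate_order(body: str) -> dict:
    """Validate a URL-encoded order body on the server.

    Returns {"ok": True, "email": ..., "qty": ...} or
    {"ok": False, "errors": [...]}. Every rule here mirrors what the
    presentation layer's JavaScript might check, and is enforced again
    because client-side checks can be skipped by the client.
    """
    fields = parse_qs(body, keep_blank_values=True)
    errors = []

    email = fields.get("email", [""])[0].strip()
    if not EMAIL_RE.match(email):
        errors.append("email: invalid format")

    qty_raw = fields.get("qty", [""])[0].strip()
    if not qty_raw.isdigit():          # rejects '', '-5', '1e3', "1; DROP"
        errors.append("qty: must be a whole number")
        qty = None
    else:
        qty = int(qty_raw)
        if not 1 <= qty <= MAX_QTY:
            errors.append(f"qty: must be between 1 and {MAX_QTY}")

    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "email": email, "qty": qty}


# Constructed request bodies: the first is what the form's JavaScript
# would let through; the second never went through the browser at all
# (the request was composed directly), so only server-side checks apply.
NORMAL_BODY = "email=alice%40example.com&qty=3"
TAMPERED_BODY = "email=not-an-email&qty=-5"

if __name__ == "__main__":
    print(validate_order(NORMAL_BODY))    # {'ok': True, 'email': 'alice@example.com', 'qty': 3}
    print(validate_order(TAMPERED_BODY))  # {'ok': False, 'errors': [2 messages]}
```

The validation lives in one function that takes the raw body, so the same rules apply whether the request came from the form, a script, or a mobile client; detection-wise, a steady stream of rejections on fields the form's JavaScript would never submit is a useful signal that requests are being composed outside the browser.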


6.3 BUSINESS LOGIC LAYER

Component Description
Web Server Handles HTTP requests
Application Server Executes business logic
Firewall Filters traffic

Technologies

  • Java

  • PHP

  • Python

  • .NET

  • Node.js


6.4 DATABASE LAYER

Component Description
DBMS Stores application data
Examples MySQL, MSSQL, Oracle

Exam Trap:
Database attacks ≠ web server attacks, but web apps expose DBs


7. WEB SERVICES – CEH DEFINITION

Term Definition
Web Service An application or software deployed over the Internet that enables communication between applications using standard protocols.

8. WEB SERVICE ROLES (EXAM FAVORITE)

Role Description
Service Provider Hosts and publishes the service
Service Requester Requests and consumes the service
Service Registry Stores service descriptions

9. WEB SERVICE OPERATIONS (PUB–FIND–BIND)

Operation Meaning
Publish Provider publishes service
Find Requester discovers service
Bind Requester connects and uses service

Memory Hook:
PFB = Publish → Find → Bind


10. TYPES OF WEB SERVICES

Type Description
SOAP XML-based, protocol-driven
REST Lightweight, HTTP-based

11. SOAP VS REST (EXAM TABLE)

Feature | SOAP | REST
Data Format | XML only | JSON, XML
Protocol | Strict | HTTP
Complexity | High | Low
Performance | Slower | Faster

12. WEB SERVICE COMPONENTS

Component Description
UDDI Service registry
WSDL Service description
WS-Security Secures SOAP messages

13. VULNERABILITY STACK (7 LAYERS – VERY IMPORTANT)

Layer Target
Layer 7 Web application logic
Layer 6 Third-party components
Layer 5 Web server
Layer 4 Database
Layer 3 Operating system
Layer 2 Network
Layer 1 IPS/IDS

Memory Hook:
App → Third-Party → Web → DB → OS → Network → Security


14. LAYER-WISE ATTACK FOCUS (EXAM GOLD)

Layer Typical Attacks
7 XSS, input validation
6 Payment gateway abuse
5 Server misconfig
4 SQL injection
3 Privilege escalation
2 DoS
1 IDS evasion
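Worked example for the Layer 4 row (SQL injection), tying it back to the "user input + poor validation" trap. This is an added illustration, not code from the CEH module: the in-memory SQLite table, its rows, and the function names are constructed. It puts a lookup built by string concatenation beside the same lookup as a parameterized query, so the reader can see that the fix is to keep user input out of the query text rather than to filter it.

```python
"""Layer-4 example: SQL injection beside its parameterized fix (added here,
not part of the CEH module). Uses an in-memory SQLite table with
constructed rows; the schema and function names are assumptions.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: three users, one flagged as admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Business-logic layer that builds SQL by string concatenation.

    The user-controlled value becomes part of the query text, so a quote
    character in it changes the query's structure: this is the 'poor
    input validation' the module keeps pointing to.
    """
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup as a parameterized query.

    The driver passes the value separately from the SQL text, so whatever
    the string contains it can only ever be compared against the name
    column, never interpreted as SQL.
    """
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed inputs: a legitimate name and the textbook tautology string.
LEGIT = "bob"
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, LEGIT))      # [(2, 'bob')]
    print(find_user_vulnerable(db, TAUTOLOGY))  # 3 rows: the WHERE clause is always true
    print(find_user_safe(db, TAUTOLOGY))        # []: no user is literally named that
```

The concatenated query turns the quote in the input into SQL syntax, so the database layer answers a question the application never meant to ask. The parameterized form is the standard mitigation at this layer; the same separation of data from code is what prepared statements provide in MySQL, MSSQL and Oracle, the examples the module lists for the database layer.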