Homepen testingweb hax – pt.1

web hax – pt.1

August 11, 2022
WEB HACKING… a journey (will it ever end?)

What is web hacking?

Viewing and reviewing websites/web apps to find potential vulnerabilities and exploit them.

Let’s do our homework

  1. Find out all pages used in the website.
  2. Page source is your best friend.
  3. Inspect element.
  4. Debugger.
  5. Network tab under Developer Tools.

Example PAGE SOURCE

What can Page Source do for me?
To open the source code of a website, simply right-click the page and click the option “View Page Source”.

Here’s the source code for www.google.com

What can we possibly learn from this?

If you really want to get into web design, I recommend the resources listed here: https://www.reddit.com/r/learnprogramming/comments/m5fz6w/resources_to_learn_web_development_with_awesome/

Also, if you want to learn how to build a website from start to finish in html and css, check out this link.

  1. Post (https://www.reddit.com/r/webdev/comments/whzp66/how_to_build_a_website_from_start_to_finish_in/)
  2. Tutorial (https://youtube.com/playlist?list=PLMPdeA59PPg0Lb0NG6rug-DijxyzRXvMr)
  3. Finished site (https://www.mlc-music.com/)

STEP 1: Look for comments left by developers.

Let’s start simple: look for comments left by developers. Here’s an example:

HTML uses <!-- and --> to include comments in the code. Sometimes, these comments reveal too much info, like login info or new pages we wouldn’t see without Page Source.

In this case, you have found a new page: /new-home-page. Just append it to the end of the existing website you know to see where it takes you.

STEP 2: Check for attributes.

Also, check out for attributes. Some of these include links that may store juicy info about the business.

In this case, the href attribute includes a link to an additional page. Surely, /employee-info is of interest to us.

STEP 3: List of files in directory.

Another strategy that can be used to find vulnerabilities is to look for files listed in directories. Sometimes, all web pages are stored in a single directory. By searching for the directory, all files used in the website are listed as files. Some of these files are meant to be accessed by the public, but others are there “by accident”. Let’s check out how this directory webpage looks like.

STEP 4: Outdated framework version.

Finally, let’s consider how to find vulnerabilities using Page Source of a website using a framework. A simple mistake a web developer can make is to leave the framework being used as a comment somewhere in the source code. It can serve as reference for them, but also serves as possible attack vector for us. If the framework the website is using hasn’t been updated, look for documentation on the outdated version. Take advantage of the vulnerabilities the newest version tried to fix.

An example of documentation on the Apache framework.
Respective CVE based on version vulnerabilities.

Aftertaste

Page Source helps us discover more information about a web app. In the next post, we’ll tackle the Inspect Element tool.

Hey guys, thanks for reading this post. It’s my first one, and as expected, it needs some work. Feel free to suggest any edits on the post below.

Tags:, , ,

About The Author

jon

Just a dude that loves computers, likes answering questions about networking and cybersecurity, and hunts down free stuff. So yeah, just a dude.