Application Hacking Mechanisms

Web Applications acts as an interface between the users and servers using web pages that consist of script code that is supposed to be dynamically executed. One can access web applications with the help of the internet or intranet. Web hacking in general refers to the exploitation of applications via Hypertext Transfer Protocol (HTTP) which can be done by manipulating the application through its graphical web interface, tampering the Uniform Resource Identifier (URI) or exploiting HTTP elements. Some methods that can be used for hacking the web applications are as follows: SQL Injection attacks, Cross-Site Scripting (XSS), Cross-Site Request Forgeries (CSRF), Insecure Communications, etc. Below mentioned are the Application Hacking Mechanisms :

SMTP/Email-Based Attacks

The SMTP (Simple Mail Transfer Protocol) is responsible for the transmission of electronic mail. Due to the e-mail tracking programs, if the receiver of the e-mail reads, forwards, modifies, or deletes an e-mail, the sender of the e-mail must know about it. Most e-mail tracking programs work by appending a domain name to e-mail addresses, such as xyzRead.com. The tools that allow an ethical hacker to track e-mail messages are MailTracking.com and eMailTracking Pro. When these tools are used by the ethical hackers, the resulting actions and the tracks of the original email are logged. Notification of all the actions performed on the tracked e-mail by an automatically generated e-mail is received by the sender. Web spiders are used by spammers who are interested in collecting e-mail addresses.

Preventive Measures: 

  1. Disable the VRFY and EXPN
  2. If you need VRFY and EXPN functionality, do check your e-mail server or e-mail firewall documentation.
  3. Make sure that the company’s e-mail addresses are not posted on the web application.

VOIP Vulnerabilities

VOIP stands for Voice Over Internet Protocol. It’s a technology that allows us to make voice calls using a broadband Internet connection instead of a regular phone line. Since VOIP uses the internet to function, it is prone to all internet vulnerabilities such as DOS attacks. Online Security Mechanisms are not able to handle VOIP that results in the daily or poor connections for your call. VOIP is a digital file that can be easily misused. It raises additional security concerns. These are some kinds of VOIP vulnerabilities :



  1. Insufficient Verification of Data.
  2. Execution Flaws.
  3. String Manipulation Flaws.
  4. Low Resources.
  5. Low Bandwidth.
  6. File Manipulation Flaws.
  7. Password Management.
  8. Permissions and Privileges.
  9. Crypto and Randomness.
  10. Authentication and Certificate errors.

Preventive Measures:

  1. Make sure your computer’s OS and your computer’s anti-virus software is updated.
  2. Make sure that you have an Intrusion Prevention System (IPS) and a VoIP firewall updated and intact.
  3. Make use of VPNs to protect calls made through mobile/wireless devices and networks.
  4. If possible, have two separate connections. One connection for your VoIP line, attacks or viruses, etc.

Directory Traversal

Directory Traversal attacks are also known as Unicode exploit. Windows 2000 systems running IIS are vulnerable to this type of attack. It happens only in unpatched Windows 2000 systems and affects CGI scripts and ISAPI extensions such as.ASP. It allows hacker’s system-level access. Unicode converts characters of any language to a universal hexadecimal code specification. Since it is interpreted twice and the parser only scanned the resultant request once, hackers could sneak file requests through IIS. The Unicode directory traversal vulnerability allows hackers to add, change, upload or delete files and run code on the server.

Preventive Measures :

  1. Avoid passing user-supplied input to file system APIs altogether.
  2. Two layers of defense must be utilized together to prevent these types of attacks.
  3. The application must validate the user’s input before processing it further.
  4. Validation should verify that the input contains only permitted content, such as purely alphanumeric characters, etc.

Input Manipulation

The input parameter manipulation is based on the manipulation of parameters exchanged between client and server in order to modify application data like user details and permissions, the number of products, and price. This information is stored in the form of cookies, hidden form fields, or URL Query Strings which is used to increase application functionality and control. This attack can be performed by a malicious hacker who wants to utilize the application for their own benefit or an attacker who wishes to attack a third-person using a Man-in-the-middle attack. Web scarab and Paros proxy are used for this purpose.

Preventive Measures :

  1. Adopt SOA (Service Oriented Architecture).
  2. Use modular architecture for XML firewall where each module checks for a particular vulnerability etc.

Brute Force Attack 

The hacker uses all possible combinations of letters, numbers, special characters, capital, and small letters to break the password in a brute force attack. The probability of success is high in brute force attacks. It requires a big amount of time and patience to try all possible permutations and combinations. John the Ripper aka Johnny is one of the powerful tools to set a brute force attack and it comes with the Kali distribution of Linux.

Preventive Measure :

  1. Limit failed login attempts.
  2. Create the root user inaccessible via SSH by editing the sshd_config file.
  3. Edit the port line in your sshd_configfile.
  4. Use a Captcha.
  5. Limit login attempts to a specified IP address or range.
  6. Two-factor authentication.
  7. Create unique login URLs.
  8. Monitor server logs etc.

Unsecured Login Mechanisms

A lot of websites don’t give permission to perform any task with the application until the user logs in to the account of a website. This provides great help to the hacker. These login mechanisms often don’t handle wrong user IDs or passwords gracefully. The web application might return a generic error message, such as ‘user ID and password combination is invalid’, and returns different error codes at the same time in the URL for invalid user IDs and passwords.



Preventive Measures :

  1. Use a CAPTCHA (also reCAPTCHA).
  2. Use web login forms to prevent password-cracking attempts.
  3. Employ an intruder lockout mechanism on your webserver to lock user accounts after 10–15 failed login attempts.

SQL Injection

An SQL injection attack, malicious code is inserted into a web form field or the website’s code makes a system execute a command shell or arbitrary commands. SQL servers are a high-value target since they are a common database servers and used by many organizations to store confidential data.

Preventive Measure :

  1. Don’t use dynamic SQL.
  2. Update and patch.
  3. Consider a web application firewall to filter out malicious data.
  4. Discard any unwanted or unimportant database functionality.
  5. Avoid connecting to your DB using an account with admin-level privileges.
  6. Continuously monitor SQL statements from database-connected applications
  7. Buy better software.

XSS 

XSS also knows Cross-site scripting. Cross-site scripting vulnerabilities occur when web applications allow users to add custom code into a URL path or onto a website that will be seen by other users. It can be exploited to run malicious JavaScript code on a victim’s browser. Prevention strategies for cross-site scripting include escaping untrusted HTTP requests as well as validating user-generated content.

Preventive Measures :

  1. Filter input on arrival.
  2. Encode data on output.
  3. Use appropriate response headers.
  4. Content Security Policy.

Mobile Apps Security

Mobile apps are major channel for security threats. They are targeted by criminal elements searching to profit from companies and employees who use mobile devices but do not engage in proper mobile app security. The most popular scams and schemes in play with mobile apps are :

  • Ongoing financial losses
  • Negative and permanent impact on a brand’s reputation
  • Negative end-user experiences
  • Having SMS or TXT messages copied and scanned for private info
  • Device being used to spread malware to uninfected devices
  • Wholesale identity theft
  • Giving hackers access to their business network
  • Credit Card details stolen and resold
  • Financial login credentials being stolen

Preventive Measures :

  • Keep Your Phone in Your Possession.
  • Encrypt Your Device.
  • SIM Card Locking.
  • Turn Off WIFI and Bluetooth.
  • Use Security Protection.
  • Password secure your mobile apps.

Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.




My Personal Notes arrow_drop_up

A Computer Science Student Web Developer Learner

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.


Article Tags :

Be the First to upvote.


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.