Welcome back budding pen-testers. 🙂 In the first part of the blog series we have discussed about the history of internet. Going ahead, we are continuing with the very basics. Today, we are going to discuss about web applications. Deep knowledge about web applications, it’s architecture and networking is necessary to become a successful penetration tester. We will discuss what are web applications, the difference between a website and a web application, how the client server model works, etc.
Have you ever thought why there is a distinction between a website and a web application? Do you know what are the differences between a website and a web application? Let’s go ahead and see that.
First of, speaking about websites, can be broadly considered as a set of web pages located under a single domain name. They contain a junk load of text, images and other graphical contents. They don’t have a login form, a comment box or a search field. https://www.mesutoezil.com/ is a website about Mesut Ozil showcasing his football career.
In the website, we can read about Mesut Ozil, view his images and analyse his career statistics. Have a look and leave policy.
Now, when coming to the case of web applications, there are certain differences. A web application would have more user interactions by means of Login, search, commenting, file upload and so on. Facebook is a typical example for a web application. There are lot of input points in the application through which a user can interact with the application. And more user interaction is a problem! That’s where we should concentrate more. Here each application entry point is an entry point for the attacker also.
An attacker can always inject unintended attack vectors through each of the application entry points. Imagine an attacker injecting a malicious code as a comment and another user opening the page in his browser and the malicious code getting executed at the user’s browser? Sounds scary rite?! (Though Facebook won’t let the code to be executed in such a way)
If you can’t imagine the scenario at the moment, don’t worry. Later in the blog series I will show you a working demonstration of such code injection attacks.
Easy, they work in the client – server model. 🙂
But what is client – server model? What is client and what is server? In Layman’s terms a client is someone who uses services and server is the one who serves the services. When coming to the case of web applications, a client is the user browser: Firefox, Chrome or whatever. A server is where all the web application code is laying. It is basically a computer somewhere in the world, somewhere in the internet.
I know it would be easy to understand a client. They can be simply a browser on a computer or a mobile or a tablet or so. In all the cases, it need not be necessarily a browser. Sometimes it can be a mobile app. Think about Uber; the client is Uber mobile app. Sometimes it can be a hardware device, think of the wearable devices such as smart watch. The list goes on. Its easy to understand a client, because we are literally seeing it, touching it and using it. But what about Servers? Who all have seen or used a server? Not most of us. So let’s get to know more about a server 🙂
In most simplest terms, a server is a computer. A slightly more detailed definition would be;
A server is a computer program or a device that provides functionality for other programs or devices, called “clients”.
Why do we call a computer a server? Do we call all the computers a server? No!
A server machine is a computer which is connected to the internet and serves a predefined purpose. In our case, we are dealing with Web Applications. So, in that case a server machine would be serving all the necessary codes, media and services needed by the web application. A server machine that serves the purpose of a web application is called a Web Server. If the services is e-mail instead of web application, then the server would be called mail server. If the service is file sharing and hosting, then that can be an FTP server or SSH server. We have more of them, such as DNS server, socket server, proxy server and so on depending upon the service it is providing.
Let’s get back to the case of Web Applications and try to understand a server by understanding web servers.
“Web Server” can refer to hardware or software, or both of them working together.
By Hardware, we mean the computer as explained above. Every server is literally a CPU.
Apache… Yes. I’ve heard it somewhere. What is it?
In simple words, Apache is a software that creates a web server inside a computer. You need server software like Apache or Nginx or Microsoft Server in order to create a web server in a computer. Sometimes the server software itself is called web server. I mean, you might have heard people saying, “Hey what’s the server your website is running on?” “Oh man, It’s Apache!”
So how do we install this software? There is nothing fancy about it. Just the same as you install any other software in your computer. If you are on Debian/Ubuntu you can use the apt command to install Apache.
sudo apt install apache2
Thats it. And if you are on Windows, the most compatible server is Microsoft IIS. But you can install Apache also on a Windows machine by making some configurations as described in the Apache website.
Now you have a server. Woah!
Alright, so we have just setup a server. But have we done with creating a web application? You may be thinking that we haven’t done any coding, so there is no application is created. Well yes, but NO 😀
In reality, during the installation, Apache will create a dummy web page in your computer at a specific location. You can view this page in your browser by either simply typing localhost or 127.0.0.1 or your IP into the address bar of your favourite browser. Let’s go ahead and check that.
Now, this is the most simplest example of a single page web site. Yes, that’s right. Apache have created a lite web site in our machine. So, there must be some codes related to this application right? Let’s go ahead and find out where it is.
In a typical Debian installation such as Ubuntu, the web application codes are stored at /var/www/html/ by Apache. You can customise this to any desired directory. Let’s go to that directory and see if there’s any code.
There you go, index.html!
Use any of your favorite text editing tools to inspect the code inside that file. I like nano. So,
I could see the code 🙂
Let’s delete the default index.html and create a new index file in the same location /var/www/html/.
$sudo rm index.html
$sudo nano index.html
and paste the following into that file.
<p>This is a test page.</p>
You can type localhost into the URL bar and see a page saying This is a test page.
So, what is localhost?
Localhost is, simply put, a host-name used to describe this computer. It also has an IP 127.0.0.1 (That is not exactly true, but for the time being, understand it that way). So you can use the IP address also to bring up the application in the browser instead of typing localhost.
I am being too much noob for the past couple of paragraph? Ain’t I? I know. So let’s go straight ahead see how other computers can see my website. That’s the purpose of a website rite?
If I am on a local LAN network, other computers can simply access my website by typing my IP address into their browser’s URL bar. So lets find out my IP address. To find that, type the following in a terminal.
The output would be something like as shown below:
There you can see inet addr: 10.7.40.9. That is the local IP address of my machine. Type this ip in the URL bar of any other computer and my application can be viewed. Your neighbour can identify your home by your house name or house number rite? That same analogy.
But what if someone from some other country needs to identify your home? Then simply telling him the house number won’t work. Because if your house number is 118 there may be several homes around the world with that same house number. That means you need more information to access your application from a computer other than the local LAN. We’ll see them in the next part of the blog
I know this part was too basic. We have a lot more coming up, details of the IP address, DNS, network firewalls and many more. Stay tuned to this space for more. If you like reading so far, hit the clap button. You can encourage me by clicking one or two ads shown in the blog as well 🙂
What is this web security checklist? Here is a curated web security checklist for developers… Read More
In the last part of the blog series we have seen the history of internet… Read More
I have been using an older version of Kali Linux. I used to update occasionally.… Read More