Wieser - The Hackers Codex: Modern Web Application Attacks Demystified

  • Book:
    The Hackers Codex: Modern Web Application Attacks Demystified
  • Author:
    Wieser
  • Genre:
    Computer
  • Year:
    2021
  • Rating:
    3 / 5


Modern-day web applications are a complicated mix of client- and server-side programming languages, frameworks, cloud infrastructure, proxies, caches, and single sign-on solutions. Additionally, web applications are protected and monitored by several defense-in-depth tools, including WAFs, IDS/IPS, etc. The learning curve to find and exploit flaws in web applications has never been higher.
In March 2020, I asked myself two questions that inspired me to write this book. The first question: if I were an attacker in today's world, what targets would I attack and what techniques would I use to make the most money in the shortest time possible?
Many people don't understand the motivations of hackers and attackers. During one consulting engagement, a security analyst at a client site was having a conversation with an IT staff member and she asked him, "But why would somebody do that?" He tried to explain that cybercrime can result in monetary gain; however, the point did not get across.
I had an interesting conversation recently when I found an unauthenticated SQL injection on a publicly accessible web application that allowed access to credit card and customer data. While showing the DBA the vulnerability, she made the remark, "Wow! Don't you have a life?"
Anyone who has worked in IT security has likely had similar conversations. The fact is that many people do not understand the motivations of the modern-day attacker. For that reason, I wanted to outline the potential motivations for finding and exploiting these attacks.
While attackers can be motivated by many things (political reasons, insider threats, monetary gain, nation-state hacker campaigns), a subset of attackers reside in developing countries and are interested in making money as quickly and easily as possible.
I know this firsthand. I have spent several years traveling and living in developing countries throughout Southeast Asia. These travels and conversations with locals inspired the fictitious hacker that will be used in this book. In one conversation I was asked to help steal a work-provided laptop by removing the monitoring software and hacking the password used to encrypt the device.
Another memorable conversation happened with my girlfriend's co-worker. The topic of cyber security came up and the co-worker asked if I knew what carding was, because she has a friend who does that and makes a lot of money off carding. I had used a credit card exactly one time while in the Philippines. Within a month, several purchases for Netflix and other streaming services showed up. For those who don't know, many services exist online where online accounts can be bought at a discount. It's not uncommon to see a bundle of Netflix accounts sold for a dollar.
Since banks have gotten more serious about cracking down on carding, purchasing online accounts and reselling them is one way to make use of a stolen credit card. Interestingly, both of these people were professionals with a degree. They would be considered middle class by their country's standards. Even more concerning was that one of them worked in the accounts billing department of a hospital.
Despite the lessons learned about cultural differences concerning theft, the most interesting thing was the justifications given for wanting to steal. In many cases, when asked why they wanted to steal and risk losing their job, the responses were generally the same: most felt that they were underpaid.
The above scenarios occurred before Covid-19. With the Covid-19 situation, and especially the heavy-handed lockdowns enforced in countries with strong-armed governments like the Philippines, hundreds of millions of impoverished people are going to face an economic situation the likes of which most Westerners cannot comprehend.
Going through one of, if not the, most extreme lockdowns in the world, I witnessed an overnight change in behavior and loss of wealth. I've never seen so many people eating out of trash bins, cooking pag pag (rotten food gathered from the streets, garbage bins and other litter, fried in oil or boiled in pots of water gathered from polluted rivers), and sleeping on the streets. One bus terminal had several generations of families living in it: grandma and grandpa, three of their adult children, and their children's children, about 20 people in all. It's not just the Philippines that is going to see a major increase in poverty, but most of the world, with developing countries bearing the biggest brunt.
The UN in March 2020 estimated that due to the lockdowns childhood starvation would triple and world hunger would double. At the time of this edit (early 2021) I couldn't have imagined the Philippines and many other developing countries with fragile economies still being locked down, and I doubt the UN did either. The numbers they were afraid of are already worse than they could have imagined and are not going to stop anytime soon.
Record hunger in the Philippines as Covid restrictions bite (bangkokpost.com)
Amid Threat of Catastrophic Global Famine, COVID-19 Response Must Prioritize Food Security, Humanitarian Needs, Experts Tell General Assembly | Meetings Coverage and Press Releases (un.org)
U.N. Report Says Pandemic Could Push Up To 132 Million People Into Hunger : Coronavirus Updates : NPR
The effects of this have been devastating and are one of the reasons I wrote this book. I wanted to anticipate and warn people about the effects Covid was going to have on our industry. Most experts were concerned with getting their employees to work remotely and securing those channels. I was much more concerned about how many more cyber criminals were about to be created due to the increase in unemployment and poverty sweeping the world.
Covid has been a game changer and the effects are just beginning. The economic fallout will cause a major spike in all forms of crime. Cybercrime is no exception and is a likely candidate for predators. These predators could be created by the economic situation, or could use the situation to their advantage to become better criminals, as we will see in examples from this book.
Criminals thrive in chaos, and Covid, with its economic, political, and social fallout, has created a perfect storm that most businesses and their customers are not prepared to deal with. This book will focus on one type of criminal that is likely to emerge from the chaos.
The second question: if I had a foundation in web application security (having read The Web Application Hacker's Handbook, for example), what knowledge and skills would I need to successfully find impactful vulnerabilities in modern web applications?
The conclusion I came to was that web application security flaws that target the client side and end users are generally the fastest way to make large sums of money from an attacker's point of view. Additionally, client-side attacks are widespread, easily automated, scale well, can be given low vulnerability scores by security engineers (and are therefore often ignored), and generally require little effort to exploit. For these reasons, this book will focus on client-side attacks.
Perhaps a second book will focus on server-side attacks such as deserialization, SSRF and NoSQL injection. One exception to this rule is the inclusion of an SSN enumeration flaw found in an international bank. The SSN flaw was included because, in a way, it does involve attacking end users by abusing the way SSNs are generated and using public stores of information (Facebook, public death records, etc.).
In order to meet the goals of this book (answering the two questions above and demonstrating attacker motivation), if it took me more than one hour to find a vulnerability in a real-world web application, or if I had not come across a particular vulnerability several times this year while performing penetration tests, then it wasn't included. Therefore, this book is not an exhaustive study of web application security flaws; however, it does contain many common and widespread issues that affect even the most security-conscious companies.