Chapter 9. Introduction to Hacking Web Applications

In Part II, we will be building on top of our recon skills in order to learn about particular exploits we can use to take advantage of vulnerabilities in web applications. Here you will learn how to take on the role of a hacker.

We will attack the hypothetical web application presented in Part I, mega-bank.com, using a wide array of exploits, all of which are extremely common and found often throughout many of today’s web applications. The skills acquired from Part II can easily be migrated elsewhere, as long as you also apply the skills and techniques from Part I. By the end of Part II, you will have both the recon skills required to find bugs in applications that you can exploit and the offensive hacking skills required to build and deploy payloads that take advantage of those security bugs.

The Hacker’s Mindset

Becoming a successful hacker takes more than a set of objectively measurable skills and knowledge—it also takes a very particular mindset.

Software engineers measure productivity in value-add through features, or improvements, to an existing codebase. A software engineer might say, “I added features x and y; therefore, today was a good day.” Alternatively, they might say, “I improved the performance of features a and b by 10%,” alluding to the fact that the work of a software engineer, while difficult to measure compared to traditional occupations, is still quantifiably measurable.

Hackers measure productivity in ways ...