1. CEH v11
Web Application Hacking
DOMAIN 5
www.infosectrain.com

2. www.infosectrain.com | sales@infosectrain.com 01
Domains of CEH
DOMAIN 1
Information Security &
Ethical Hacking Overview
DOMAIN 2
Reconnaissance
Techniques
DOMAIN 3
System hacking
phases
& Attack Techniques
DOMAIN 4
Network and perimeter
hacking
DOMAIN 5
Web application hacking
DOMAIN 6
Wireless network hacking
DOMAIN 7
Mobile platform, IoT,
& OT hacking
DOMAIN 8
Cloud Computing
DOMAIN 9
Cryptography
CEH v11
DOMAINS
6%
21%
17%
14%
16%
6%
8%
6%
6%

3. What is a Web Application?
Considering that most people have used mobile applications like PUB-G,
Instagram, and WhatsApp. I will give you an example of a web application that
is also a mobile app. Now assume you’ve lost your mobile or your mobile is
switched off, and you are willing to scroll the insta feed. What will you do? Login
to your account through Google Chrome. Right? And that’s it, as you can use
your Instagram by using a web browser. It is called a web application. A few
famous examples of web applications are Facebook, MakeMyTrip, Flipboard,
and the 2048 Game.
The technical definition of a Web Application
A web application is a software or a program that performs particular tasks by
running on any web browser like Google Chrome, Mozilla Firefox, Internet
Explorer, etc.
www.infosectrain.com | sales@infosectrain.com 02
DOMAIN 5
Web Application Hacking
In this blog, we will discuss the 5th
domain of CEH,
which is ‘Web Application Hacking’

4. www.infosectrain.com | sales@infosectrain.com 03
DOMAIN 5
Web Application Hacking
Hacking of Web Applications
Web hacking refers to exploiting HTTP applications by manipulating graphics,
altering the Uniform Resource Identifier (URI), or altering HTTP elements
outside the URI.
Different methods to hack web applications are:
> SQL Injection attacks
> Cross-site scripting
> Fuzzing
One of the coolest things about using web applications is you
don’t need to download them. Hence, devices will have space for
more important data.

5. www.infosectrain.com | sales@infosectrain.com 04
DOMAIN 5
Web Application Hacking
SQL Injection Attacks
We can use Structured Query Language to operate, query, and administrate
the data systems. The SQL injection attack is one of the prevalent SQL attacks
that attackers use to read, change, or delete data. SQL injections can also
command the operating systems to perform particular tasks.

6. www.infosectrain.com | sales@infosectrain.com 05
DOMAIN 5
Web Application Hacking
Cross-site Scripting
Attacks using cross-site scripting, also called XSS, involve injecting malicious
code into websites that would otherwise be safe. Using a target web
application vulnerability, an attacker can send malicious code to a user.

7. www.infosectrain.com | sales@infosectrain.com 06
DOMAIN 5
Web Application Hacking
Fuzzing
In software, operating systems, or networks, developers can employ fuzz
testing to identify code mistakes and security gaps. Attackers may also apply
the same method on our sites or servers to locate weaknesses.
It works by first entering a huge amount of random data (fuzz) to crash it.
Furthermore, attackers use a fuzzer software tool that is used to detect weak
areas. If the security of the target fails, the attacker might exploit it further.

8. www.infosectrain.com | sales@infosectrain.com 07
DOMAIN 5
Web Application Hacking
Unvalidated Inputs
Web applications accept input from the user, as queries are built on top of
that input. The attacker can launch attacks like cross-site scripting (XSS), SQL
injection attacks, and directory traversal attacks if these inputs are not
properly sanitized. This attack can also lead to identity theft and data theft.
Directory Traversal Attack
As a result of this vulnerability, the attacker can access restricted directories
on the web server in addition to the webroot directory. This would allow the
attacker to access system files, run OS commands, and find out details about
the configuration.
Defense Mechanisms
There are various defense mechanisms to control web application hacking.
Some of them are:
> Authentication
> Handling data safely
> Conducting audits
Types of vulnerabilities that cause
Web Application Hacking

9. www.infosectrain.com | sales@infosectrain.com 08
DOMAIN 5
Web Application Hacking
Authentication
Authentication is a defense mechanism that checks the user ID and password
to verify the users. But with the increasing social engineering techniques,
attackers can easily get your login credentials. Hence, the two-step
verification came into existence.
Two-step verification is nothing but sending a “One Time Password” to your
mobile so that only you can have the authority to login into your account

10. www.infosectrain.com | sales@infosectrain.com 09
Handling data safely
Most vulnerabilities in Web applications are caused by the improper
processing of user data. Vulnerabilities can frequently be overlooked, not by
verifying the input itself but by assuring safe processing. Secure Coding
approach that prevents typical issues. For example, the proper use of
parameterized database access queries can avoid attacks from SQL by
injecting.
DOMAIN 5
Web Application Hacking

11. www.infosectrain.com | sales@infosectrain.com 10
Conducting Audits
Effective audit logs should enable the application’s owners to understand
precisely what has happened, what vulnerability was exploited by attackers,
whether attackers got unwanted data access, or whether attackers
conducted any unauthorized actions. Audits can also provide the attacker’s
identity.
DOMAIN 5
Web Application Hacking

12. www.infosectrain.com | sales@infosectrain.com