Overview of the lesson
Web applications are an important part of our lives. Just like cars, most of us use them without really understanding what’s going on behind the scenes. That’s perfectly okay if you are a typical user, but as a penetration tester, having a comprehensive understanding of the ins and outs of web applications is essential.
What you'll learn
Welcome to the Uphack beginner’s Demystifying the Web course! In this first lesson, we introduce the concepts of web application and web browser, and answer one of the most common questions for beginner ethical hackers: “Why should I start my information security career learning how to hack web applications?”. Let’s get started.
Prerequisites | None, but we recommend you watch this video on How the Internet works. It takes only 5 minutes! |
Objective | To get familiar with the concept of web application, what it is useful for, and how it differs from a website. |
TL;DR |
The Web has been around for more than 40 years, but it was not always as you know it today. A few decades ago, before gaining mainstream popularity, the Web was almost an insignificant technology used only by a handful of universities and military organisations. The first web applications were quite simple, but due to their widespread adoption, the early 2000s saw a shift to more and more complex web applications. Nowadays, they are an essential asset to our society. We use web applications for almost any imaginable purpose: to enrich our social life, to manage our finances, and even to vote for our leaders. But what exactly is a web application?
Simply put, a web application is an application accessible through the web that generates web pages dynamically, often based on user interactions. (A web page, or simply a page, is a document that can be displayed in a web browser. Typically, web pages are written in HTML, CSS, and JavaScript.) Basically, when you use your web browser, you are likely interacting with a web application. Web applications are the most common way to make information and services available on the Internet.
And they are great for a number of reasons.
First, web applications are available 24/7, and portability is the best word to describe them. All you need is a web browser and an Internet connection, and you are ready to go. It’s that simple: you can access thousands of domains and businesses from any device, regardless of your operating system. That’s awesome, right?
They are easy to maintain from both a consumer and a business perspective. Web applications are stored on servers. Once you have changed the web application code on your server, those changes will be available in the very next second to all your visitors.
Web applications give businesses the ability to increase efficiency while reducing costs. That’s why they are the first choice for businesses willing to promote their services online.
Nowadays, web applications can get incredibly complex in order to satisfy the needs of users.
The terms web application and website are often used for the same thing: a program that runs on a web browser. However, there is a difference between them. A website is a collection of static pages, while a web application consists of dynamic pages that allow the user to interact with the page (e.g., sign in, post a comment, etc.). Too abstract? Let’s have a look at their architecture to get a better picture.
The above diagram illustrates the basic architecture of a website. As you can see, the workflow is pretty simple: your web browser requests a static page from the web server. (A static page is a web page that always returns the same hard-coded content from the server.) If the file exists, the web server responds with a success message and the content is displayed. Otherwise, if the file cannot be fetched, an error is returned (e.g., 404 Not found).
Figure 2 shows a more complex architecture. Not only has the number of components (database, storage, the web application itself, etc.) changed, but the entire workflow seems different. And indeed, it is different.
As we said previously, web applications generate pages on the fly, based on user input. To achieve this, they use HTML files that contain placeholders instead of actual data (templates). When a user sends an HTTP request, the server interprets the request (1) and forwards it to the web application (2). Next, the web application fetches the appropriate data from the database, fills the placeholders in the HTML files (3), and returns the newly generated HTML file to the user (4).
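The static and dynamic workflows described above, as an added example that is not part of the original lesson. The routes, the `users` table, the template and the sample rows are constructed for illustration; values read from the database are HTML-escaped before they fill the placeholders, since that data may have come from users.

```python
import html
import sqlite3
from string import Template
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (assumptions, not from the lesson).
STATIC_FILES = {"/about.html": "<h1>About us</h1>"}
PROFILE_TEMPLATE = Template("<h1>Hello, $name!</h1><p>Last comment: $comment</p>")


def make_db():
    """Build an in-memory database standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "Nice lesson"), (2, "bob", "<b>bold</b> claim")],
    )
    return db


def handle_request(db, url):
    """Return (status, body) for a GET request to `url`."""
    parts = urlsplit(url)  # (1) the server interprets the request

    # Website behaviour: the same hard-coded content on every request.
    if parts.path in STATIC_FILES:
        return 200, STATIC_FILES[parts.path]
    if parts.path != "/profile":
        return 404, "Not found"

    # (2) the request is handed to the web application logic.
    raw_id = parse_qs(parts.query).get("id", [""])[0]
    if not raw_id.isdecimal() or len(raw_id) > 9:
        return 400, "Bad request"

    # Parameterised query: user input is passed as data, never as SQL text.
    row = db.execute(
        "SELECT name, comment FROM users WHERE id = ?", (int(raw_id),)
    ).fetchone()
    if row is None:
        return 404, "Not found"

    # (3) fill the placeholders, escaping stored values so they render as text.
    body = PROFILE_TEMPLATE.substitute(
        name=html.escape(row[0]), comment=html.escape(row[1])
    )
    return 200, body  # (4) the generated page goes back to the browser
```
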
Web applications use a client-server architecture where the browser is the client, and the application’s servers are the server.
The browser’s job is to mediate the communication between the user and the web application. It translates user requests into a “language” understood by the server (the web browser and server communicate through the HTTP protocol, which we will discuss in a separate lesson) and forwards messages back and forth based on user interactions.
Neither the web server nor the web client can achieve its purpose independently. Without a web server, the browser would have nothing to show you, while without the browser, a web server would not be able to serve you its content.
Even though we already explored this process in the Web application vs. website section, we mainly focused on what happens at a micro-level (i.e., how dynamic web pages are generated).
Now, let’s take a look at how web applications work from a holistic perspective. The best way to understand this process is by example, so let’s suppose you want to visit google.com in your browser.
Of course, this is an oversimplified explanation. There are many other processes behind the scenes, but we will discuss them in a later lesson.
Now you are probably asking yourself why you should start your information security career learning how to hack web applications, right?
Shortly after the dot-com bubble, a significant number of businesses moved their activity to the Web, as consumer use of the Internet became a possibility. This fast evolution required more complex web applications, which led to new security concerns. Once web applications started to store personal information, credit card data, and other sensitive information, they became a point of interest for fraudsters, too.
In 2019, web applications were responsible for more than a quarter of data breaches. The high value of data transferred through web applications makes them an important part of the overall security of a business.
Starting your career with web application security is an excellent decision for several reasons. Here are just a few of them:
The evolution of web applications has influenced how businesses are run nowadays. Since they handle data of millions of users, web applications must be secure. But in order to identify their weaknesses, you must have a comprehensive understanding of how they work, and how they don’t. In the next lessons, we will explore different architectures, technologies, and protocols used by web applications. Make sure you check them before getting into more technical concepts.