CEH


Exploring the Client-Server Relationship 313


Pieces of the Web Application Puzzle


A web application is made up of several components, each of which serves a specific function,
and each of which carries its own class of vulnerabilities.


Login This component is what is presented to users in order for them to provide a
username and password for the authentication process.


Web Server This is the foundation for the whole system as it is the combination of
hardware and software used to host the web application itself. What capabilities the server
has depends on the type and configuration of the given server.


Session Tracking This component allows the web application to store information about a
client pertaining to their current visit or future visits. Because HTTP itself is stateless, the
state is normally held on the server and referenced by a session identifier that the client
presents on each request (typically in a cookie); anyone who obtains that identifier can act
as the user until the session is invalidated.


Permissions Once a user has authenticated successfully, permissions determine what level of
access that identity has to resources on the server. Authentication answers who the user is;
permissions (authorization) answer what that user may do.


Application Content This is the information that the user is interacting with by providing
requests to the server.


Data Access The pages of a web application call a data-access library that mediates between
the application and its data store.


Data Store This component is where the valuable information for the web application is
contained. Depending on the design, it may reside on the same system as the web server or on
a separate one.


Logic This component is responsible for interacting with the user and providing the
means for the correct information to be extracted from the database.


Logout This may be a separate function and is used by users to end their session with the
web application. To be effective it must invalidate the session on the server side, not merely
clear the identifier from the client.
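The following is an added example, not code from the book, that models the login, session
tracking, permissions, and logout components described above in one place. The user table,
the role names, the resource paths, and the class and function names (SessionStore, authorize,
and so on) are all assumptions chosen for illustration; the example uses only the Python
standard library.

```python
"""Minimal model of login, server-side session tracking, permissions, and logout.
Added example (not from the book). Users, roles, resources, and names are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked user table does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user table (assumption): two accounts with different roles.
USERS = {
    "alice": make_user("correct horse battery staple", "admin"),
    "bob": make_user("hunter2", "user"),
}

# The "Permissions" component: which roles may reach which server resource.
PERMISSIONS = {
    "/reports": {"user", "admin"},
    "/admin/users": {"admin"},
}

SESSION_TTL_SECONDS = 900


@dataclass
class Session:
    username: str
    role: str
    expires_at: float


class SessionStore:
    """Server-side session tracking: the client holds only an opaque identifier."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, username: str, password: str):
        """The "Login" component: returns a fresh session ID, or None on failure."""
        user = USERS.get(username)
        if user is None:
            # Hash anyway so unknown and known usernames take similar time.
            _hash_password(password, b"\x00" * 16)
            return None
        if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
        self._sessions[sid] = Session(username, user["role"],
                                      time.time() + SESSION_TTL_SECONDS)
        return sid

    def lookup(self, sid: str):
        """Resolve a presented session ID, dropping it if it has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.expires_at < time.time():
            del self._sessions[sid]
            return None
        return s

    def authorize(self, sid: str, resource: str) -> bool:
        """The "Permissions" component: is this session's role allowed on resource?"""
        s = self.lookup(sid)
        if s is None:
            return False
        return s.role in PERMISSIONS.get(resource, set())

    def logout(self, sid: str) -> bool:
        """The "Logout" component: invalidate on the server, not just at the client."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("bob", "hunter2")
    print("bob -> /reports:", store.authorize(sid, "/reports"))
    print("bob -> /admin/users:", store.authorize(sid, "/admin/users"))
    store.logout(sid)
    print("after logout, same ID -> /reports:", store.authorize(sid, "/reports"))
```

The point to notice is in logout: once the server-side entry is gone, the old identifier is
useless even if the client still holds it, which is the property a session-fixation or
session-theft test would check.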


Chapter 13 Web Servers and Web Applications


Web applications and web servers share many of the vulnerabilities you have encountered
in this book. For companies with no traditional physical presence (for example, Amazon, eBay,
and Facebook), the web server and its applications may be the only public face of the
business. Taking down or compromising these systems can be a coup for the attacker and a
major source of grief for the target company.
Let's take a look at some of the vulnerabilities that an attacker can exploit for gain.


Flawed Web Design


One common way to gain a foothold against a web application or site is through the page's
own source. Comments and hidden form fields that a developer embeds in a page can yield
information to an attacker: internal paths, test accounts, debugging flags, or parameters the
server trusts without the user ever seeing them. Although this material is not rendered by the
browser, it is delivered to the client and can be viewed and analyzed with the View Source
capability present in most browsers, or pulled from the raw response with any HTTP client.
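The following is an added example, not code from the book, showing how an attacker (or a
reviewer checking their own site) would pull exactly this information out of page source
programmatically rather than by eye. SAMPLE_HTML is a constructed page containing the kinds
of leaks the text describes; the scanner class and its method names are assumptions, and it
relies only on the standard-library html.parser module.

```python
"""Scan HTML source for developer comments and hidden form fields.
Added example (not from the book). SAMPLE_HTML is constructed for illustration."""
from html.parser import HTMLParser

# Constructed sample page (assumption): a login form with leftover developer artifacts.
SAMPLE_HTML = """<html><head><title>Login</title></head>
<body>
<!-- TODO: remove before go-live. Test account: qa_user / see wiki -->
<form action="/login" method="post">
  <input type="hidden" name="next" value="/admin">
  <input type="hidden" name="debug" value="0">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<!-- backup of old login logic at /old/login.php.bak -->
</body></html>"""

# Words that make a comment or field name worth a second look during a review.
INTERESTING = ("todo", "fixme", "password", "passwd", "account", "debug",
               "admin", "backup", ".bak", "key", "token", "internal")


class SourceLeakScanner(HTMLParser):
    """Collects HTML comments and hidden <input> fields from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: list[str] = []
        self.hidden_fields: list[tuple] = []

    def handle_comment(self, data: str) -> None:
        text = data.strip()
        if text:
            self.comments.append(text)

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag.lower() != "input":
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names already
        if (a.get("type") or "").lower() == "hidden":
            self.hidden_fields.append((a.get("name"), a.get("value")))


def scan(html: str) -> dict:
    """Return every comment and hidden field found in the given page source."""
    parser = SourceLeakScanner()
    parser.feed(html)
    parser.close()
    return {"comments": parser.comments, "hidden_fields": parser.hidden_fields}


def flag_interesting(findings: dict) -> list:
    """Pick out the findings that match the INTERESTING keyword list."""
    flagged = []
    for c in findings["comments"]:
        if any(k in c.lower() for k in INTERESTING):
            flagged.append(("comment", c))
    for name, value in findings["hidden_fields"]:
        blob = f"{name} {value}".lower()
        if any(k in blob for k in INTERESTING):
            flagged.append(("hidden_field", (name, value)))
    return flagged


if __name__ == "__main__":
    results = scan(SAMPLE_HTML)
    for kind, item in flag_interesting(results):
        print(f"{kind}: {item}")
```

In practice you would feed scan() the body of an HTTP response rather than a literal string;
the hidden fields it reports are the ones to try tampering with on the next request, since the
server frequently trusts them as if the user could not have changed them.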
