Introduction
Last updated on: 22 November 2024
With thanks to
Michał “czesiek” Czyżewski https://czesiek.net
Yana Ghahramanyan
Websites are critical infrastructure used by media organizations and civil society to support the free flow of information and to provide services to their stakeholders. Adversaries attack these web applications for various purposes, including shutting down the free flow of information, reputational damage, access to private systems, theft of sensitive information, surveillance, and device compromise. By preparing effectively for these sorts of attacks, you can reduce their impact, or in some cases prevent them entirely.
Attacks against websites generally fall into two categories: DoS (denial of service) and various forms of hacking. DoS attacks are intended to prevent people from being able to access the site and are usually performed by flooding the site with traffic. DoS attacks are often launched by criminal extortionists who wish to receive payment for stopping the attack, or by political rivals who wish to deny their targets a platform. Hacking attacks exploit vulnerabilities and weaknesses in a web application; they generally require more skill, but can have a greater impact on the target site. The attacker profiles and goals vary widely, but common hacking goals include retrieving private data from a site, defacement or other content changes, taking over the site’s underlying infrastructure, pivoting to other targets, or targeting users of the site.
This learning path covers intermediate and advanced knowledge needed to prepare for and respond to attacks against web applications. Effective preparation is extremely important to respond to any sort of attack. Most of the response techniques covered in this learning path are difficult or impossible to carry out without the proper preparation. However, with proper preparation, it’s possible to render some forms of DoS attacks ineffective, mitigate DoS attacks quickly and effectively, and stop and recover from hacking attacks before too much damage is done. In this learning path we will cover:
Note that, while DoS attacks are more common than hacking attacks, hacking response takes up the majority of this learning path. This is because DoS attacks are almost always simpler than hacking attacks, and because preparing for and responding to DoS attacks mostly involves working with 3rd party providers who do most of the work. In comparison, hacking attacks are often more complicated, and responding to them requires deep, hands-on work with the site itself.
While some nation-state actors (famously the United States, China, North Korea, Russia, etc.) are both well-funded and have highly skilled agents, most nation-state actors have funding, but lack deep technical skills. To suppress the speech of their political rivals, they will frequently use large-scale DoS attacks to prevent people from viewing those rivals’ websites. Criminal organizations will happily rent out their botnets (networks of compromised computers) to people for use in DoS attacks. Here are some examples:
Adversaries, especially political rivals, have a history of attempting to hack into the websites of civil society groups. Some documented examples include:
Additionally, any site on the internet is subject to opportunistic and targeted attacks by financially-motivated threat actors. These adversaries have goals such as stealing user passwords, payment card information, etc. for resale, modifying site content for search ranking manipulation or click fraud, using the site’s infrastructure itself for cryptocurrency mining, sending spam, or launching denial of service attacks. Although many of these attacks may not be targeted based on political motivations, they nonetheless pose significant reputational and confidentiality risks to any organization. For more information on opportunistic and automated attacks on web applications, see this report by OWASP.
Practitioners will learn how to:
This learning path requires a working knowledge of web servers, possible exploits, and basic vulnerabilities. For this reason, we recommend that learners who do not already have good knowledge of web server architectures and vulnerabilities first complete the Infuse Web Application Security Fundamentals learning path.
While knowledge of website security testing and assessment is not a strict prerequisite to this learning path, some learners might find it easier to first go through the Web Application Security Assessment learning path prior to undertaking this one, especially if they would like to refresh their knowledge of key web application vulnerabilities.
In addition to the above, learners should have a basic understanding of the Unix command line, including concepts like piping commands. This learning path will also utilize the awk tool and will offer an introduction to it. If learners would prefer to practice the tool prior to embarking on the path, we recommend this introduction or this comprehensive ebook.
To complete many of the hands-on practice exercises recommended in this learning path, you will need a computer capable of running basic Unix command line tools, such as awk, cat, and grep. These are installed on every macOS system and on practically every Linux system.
If you are running Windows, we recommend you install WSL (Windows Subsystem for Linux) to run some of the tools in this learning path. While there might be other ways of running such tools, this will require much less fiddling with dependencies.
wsl --set-default-version 2
The output from this command will look like:
For information on key differences with WSL 2 please visit https://aka.ms/wsl2
The operation completed successfully.
wsl --list --online
Install a distribution from this list using the wsl --install -d <Distribution Name> command.
wsl --install -d Ubuntu
After installation, each Linux distribution will have an icon on the Windows application menu. Once you have installed WSL, you will need to create a user account and password for your newly installed Linux distribution.
A new window should open with a Linux shell.
Here is a quick review of the WSL command line options.
Print the usage information and see the command line arguments:
wsl --help
List the installed distributions:
wsl --list
List only the running distributions:
wsl --list --running
Terminate a running distribution:
wsl --terminate Ubuntu-22.04
Shutdown all running distributions:
wsl --shutdown
Unregister the Linux distribution and delete the filesystem:
wsl --unregister Ubuntu-22.04
Update WSL to the latest version:
wsl --update
Start the default distribution:
wsl
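Once a Unix shell is available, natively or inside a WSL distribution, it is worth confirming that the tools the exercises rely on are present and that piping into awk works as expected. The script below is an added example, not part of the Infuse learning path: the check_tools, sample_log, requests_per_client, status_summary and busiest_client functions are assumptions made here, and the access-log lines are constructed for the example rather than taken from any real server. Beyond the bare tool check, it runs the kind of awk pipeline used later in the path to summarize request volume per client and per response status, which is a first step when investigating a flood of traffic.

```shell
#!/bin/sh
# Added example (not part of the Infuse learning path): verify the Unix tools the
# path relies on, then run a small awk pipeline over constructed access-log lines.

# Return 0 when every required tool is on PATH, 1 otherwise (missing names go to stderr).
check_tools() {
    missing=""
    for tool in awk cat grep sort uniq head; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "missing tools:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Fields: client address ($1), timestamp ($4 $5), request ($6-$8), status ($9), bytes ($10).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [22/Nov/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Nov/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Nov/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
EOF
}

# Read log lines on stdin; print "count address" per client, busiest first.
# During a flood, the top of this list is where to look first.
requests_per_client() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read log lines on stdin; print "status count" per response code.
# A jump in 4xx/5xx responses is an early sign of scanning or of a server under strain.
status_summary() {
    awk '{ s[$9]++ } END { for (c in s) print c, s[c] }' | sort
}

# Address with the most requests in the sample; used by the self-check.
busiest_client() {
    sample_log | requests_per_client | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run: report on the sample lines.
if check_tools; then
    echo "== requests per client =="
    sample_log | requests_per_client
    echo "== responses per status =="
    sample_log | status_summary
fi
```

To apply the same pipelines to a real log, replace the sample_log call with cat of the log file (for example, cat /var/log/nginx/access.log | requests_per_client | head); the awk field numbers hold for the combined log format, so check them first if the server uses a custom format.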
Web Application Security Fundamentals: This Hardening, Forensics, and Incident Response learning path assumes a certain level of familiarity with web application security. If you are new to this area of security, then you should go through the Security Fundamentals learning path to gain the background information to effectively engage with this one.
Web Application Security Assessment: For digital defenders, attacking and defending are two important parts of a whole. As someone helping your clients secure their sites, knowing how to holistically defend against attacks allows you to provide them with better recommendations. This Learning Path provides a deeper understanding of the types of hacking attacks that websites may be subject to.
Congratulations on finishing the introduction!