
Hacking Web Servers & Web Application Security | Chapter 10 | Ep. 10.2023

Jun 04, 2026 at 01:49 am Joseph H. Schuessler

When you move past identifying open ports, you begin the process of web application hacking. In this episode, we pull back the curtain on the dynamic components that power the modern web—from PHP and JavaScript to database connectivity via ODBC/ADO. We analyze how developers’ design choices, like dynamic forms and server-side scripting, inadvertently create the vulnerabilities that attackers exploit, and we provide a roadmap for testing and securing these critical interfaces.

Engage with the source material directly and test your knowledge with our AI-powered study tool: https://notebooklm.google.com/notebook/af9194f8-c109-4c4f-b913-5cb992a1cfdc

Dr. Joseph H. Schuessler | Professor of Information Systems, Tarleton State University | Quality Matters (QM) Master Reviewer | ACUE Advanced Certification in Effective Teaching.

Textbook Reference: Wilson, R. S., Simpson, M. T., & Antill, N. (2022). Hands-on ethical hacking and network defense (4th ed.). Cengage. https://www.cengage.com/c/hands-on-ethical-hacking-and-network-defense-4e-wilson-simpson-antill/9780357509753/

Resources Discussed:
OWASP Top Ten Project: https://owasp.org/www-project-top-ten/
Burp Suite: https://portswigger.net/burp
Zed Attack Proxy (ZAP): https://www.zaproxy.org/

What You'll Learn in This Episode:
0:00 – The Web Form Paradox: Perimeter vs. Application
1:33 – Application Security (AppSec): The Overlooked Middle Child
4:22 – The Evolution of the Web: Static vs. Dynamic
7:40 – Architecture: CGI, Web Forms, and Server Frameworks
12:06 – The Supply Chain Risk of Third-Party Frameworks
14:10 – Web Server Rivalry: IIS vs. Apache
18:16 – Scripting Languages: PHP, Cold Fusion, and JavaScript
21:36 – The Danger of Client-Side Execution (JavaScript)
23:51 – Database Interconnectivity: ODBC, OLE DB, and ADO
27:39 – The Anatomy of an ADO Connection
30:19 – The Impact of Web Server Compromise
32:15 – The OWASP Top 10: Mapping the Threat Landscape
34:12 – WebGoat: Safe Sandboxing for Security Testers
36:18 – Testing Methodologies: SAST, DAST, and IAST
39:07 – Information Gathering and Architecture Mapping
40:29 – Authentication vs. Authorization Testing
41:39 – Input Validation: The SQL Injection Breakdown
46:04 – Blind SQL Injection and Error Handling Risks
48:25 – Cryptographic Implementation Flaws
49:14 – Business Logic Testing: Subverting Sequential Flows
51:00 – Client-Side Controls: The Convenience Trap
52:14 – The Web App Analysis Toolkit
54:19 – Burp Suite: The Heavyweight Proxy
56:36 – Fuzzing with Wapiti: Chaos Engineering for Web Apps
58:52 – Conclusion: Thinking Like an Adversary

AI-Assisted Learning Transparency: This content was developed with the assistance of Google Gemini and NotebookLM. These tools were leveraged to organize course concepts, synthesize technical documentation, and create interactive study materials for students.

Video source: YouTube
