How to Hack a Web Application


"How to Hack a Web Application" describes how to test web-based applications. It mainly covers the overall testing mechanism and how to set up the testing environment.

What is Web?

Web์€ ์›”๋“œ ์™€์ด๋“œ ์›น(World Wide Web, WWW, W3)์˜ ์ค„์ž„๋ง๋กœ ์‚ฌ์šฉ๋˜๋ฉฐ ์ธํ„ฐ๋„ท์— ์—ฐ๊ฒฐ๋œ ์—ฌ๋Ÿฌ๊ฐ€์ง€ ์ปดํ“จํ„ฐ๋ฅผ ํ†ตํ•ด ์ •๋ณด๋ฅผ ๊ณต์œ ํ•  ์ˆ˜ ์žˆ๋Š” ๊ณต๊ฐ„์„ ์˜๋ฏธํ•ฉ๋‹ˆ๋‹ค. ์ธํ„ฐ๋„ท์— ์—ฐ๊ฒฐ๋œ ๋””๋ฐ”์ด์Šค๋“ค์€ ์—ฌ๋Ÿฌ๊ฐ€์ง€ ํ”„๋กœํ† ์ฝœ์„ ํ†ตํ•ด์„œ ๋ฐ์ดํ„ฐ๋ฅผ ๊ตํ™˜ํ•ฉ๋‹ˆ๋‹ค. ์ด์ค‘ ์›น์—์„œ ๊ฐ€์žฅ ํ•ต์‹ฌ์ด ๋˜๋Š”๊ฑด HTTP(HyperText Transfer Protocol)์ž…๋‹ˆ๋‹ค.


HTTP is the protocol used to exchange information on the web. It mostly runs over TCP; starting with HTTP/3 it also runs over UDP (via QUIC). The most commonly used ports are 80 for plain HTTP and 443 for HTTP over TLS (historically SSL, hence "https").

๊ฐ ๋ฒ„์ „๋ณ„ ํŠน์ง•์€ ์•„๋ž˜์™€ ๊ฐ™์Šต๋‹ˆ๋‹ค.

Version DT Desc
HTTP/0.9 TCP ์ดˆ๊ธฐ HTTP ํ”„๋กœํ† ์ฝœ, ๋‹จ์ผ Line, Only GET Method
HTTP/1.0 TCP Header ์ง€์›, Content-Type, StatusCode
HTTP/1.1 TCP Persistent Connection, Pipelining
HTTP/2 TCP Multiplexed Streams, Header Compression
HTTP/3 (QUIC) UDP QUIC(Quick UDP Internet Connections)

์ž์„ธํ•œ ๋‚ด์šฉ์€ Cullinan > HTTP๋ฅผ ์ฐธ๊ณ ํ•ด์ฃผ์„ธ์š”.

Hack Mechanism

MITM Proxy

MITM (Man In The Middle) normally refers to a man-in-the-middle attack. In a real attack it takes forms such as sniffing, but from a web-testing perspective the same position in the middle is taken by a tool that lets you intercept and modify the traffic a device (a browser, a mobile app, and so on) exchanges with the server.

You test by tampering with the data as it passes between the client and the server.

The most widely used tools are Burp Suite and ZAP. For more tools, see WHW > mitmproxy.

Testing Methods

ํ…Œ์ŠคํŒ… ๋ฐฉ๋ฒ•๋“ค์€ ๋ช…ํ™•ํ•˜๊ธฐ ์ •์˜ํ•˜๊ธด ์–ด๋ ต๊ณ  ๊ฐœ๊ฐœ์ธ์˜ ๊ฒฝํ—˜๊ณผ ์ง€์‹ ๊ทธ๋ฆฌ๊ณ  ์Šคํƒ€์ผ์ด ๋ˆ„์ ๋œ ๊ฒฐ๊ณผ์ž…๋‹ˆ๋‹ค. ํ…Œ์ŠคํŒ… ๋ฐฉ๋ฒ•์— ๋Œ€ํ•ด์„œ ๊ณ ๋ฏผ์„ ๋“ค๊ฒŒ ํ•˜๋Š” ๋งํฌ๋“ค์ž…๋‹ˆ๋‹ค. ํ•„์š”ํ•œ ๋ถ€๋ถ„์€ ์ž˜ ์ ‘๋ชฉํ•œ๋‹ค๋ฉด ๋…ํŠนํ•˜๊ณ  ํšจ๊ณผ์ ์ธ ์ž์‹ ๋งŒ์˜ ํ…Œ์ŠคํŒ… ๋ฐฉ๋ฒ•๋ก ์„ ๋งŒ๋“ค์–ด๊ฐˆ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Testing Resources

Testing methods, vulnerabilities and attacks are far too broad to cover in a single document. You can look up well-known vulnerabilities and attack techniques in the Resources below and test against them. (Apart from my own Cullinan, the rest are genuinely good resources to consult :D)

🛠 Environment

Embedded Browser

Some proxy tools, such as Burp Suite and ZAP, ship with an embedded browser that is already configured to trust the proxy's CA certificate and to route through the proxy. It sidesteps several problems that can come up during testing, so it is the approach I personally prefer.

Common Browser

If you use a browser installed on your PC instead of the embedded browser, you need to point it at the proxy and make it trust the proxy's CA certificate; otherwise every HTTPS site will fail certificate validation once the proxy terminates TLS.

Set Custom Proxy

  • Firefox: Settings > General > Network Settings (Firefox keeps its own proxy settings, independent of the OS)
  • Chrome: Settings > System > Open your computer's proxy settings (Chrome uses the operating system's proxy)
  • Safari: uses the system proxy

Proxy settings can be configured as above; browser add-ons such as MM3 ProxySwitch and FoxyProxy let you toggle the proxy on and off without revisiting the settings page.

Set CA Certificate

  • Firefox: Settings > Privacy & Security > Security > View Certificates > Authorities > Import (Firefox uses its own certificate store)
  • Chrome: Settings > Privacy & Security > Security > Manage certificates (this opens the operating system's certificate store)
  • Safari: Keychain Access > import the proxy's CA certificate into the System or login keychain and set it to Always Trust (Safari uses the system keychain)

Whoever holds the proxy's CA private key can decrypt every HTTPS connection from a browser that trusts it, so trust it only in a browser profile used for testing and remove it when you are done.