Who ? What ? Where ?
How do attacks against web servers or web sites work?
Web sites are interesting targets. Technically, the servers they reside on are supposed to accept connections. Often, with dynamic web sites, the web servers are expected to execute commands / scripts / SQL statements / ... based on remote user input. Psychologically, they matter as well. Websites are visible. Their defacements are therefore also visible. And sometimes, they are easy targets.
Here are a few pages that inform about possible attacks on web sites and web servers. Some are meant to educate web masters and web server administrators. Some are not.
- www.counterhack.net: Check the hacking challenges, and their answers. Some are about attacks against web servers.
- The occasional hacking of web applications, at HackInTheBox. Although it's rather script-kiddie style (do this, then do that, without explaining how / why it works), it gave me a first clue as to what to look for.
- The Unofficial WebHack FAQ. Rather old, but with clear (and often still effective) examples of the basic web crack/hack techniques. If the site is too slow or offline, try this mirror.
- Common ways to attack or exploit a web server are studied in great detail in this paper: fingerprinting HTTP attacks. It explains topics such as directory traversal, cross-site scripting, SQL injection, etc. If you read only one of all those listed here, choose this one.
Lastly, if you want to practise / experiment against a real live website, leave the innocents alone and visit Hack This Site!