Web applications attacks/Intercept data over the network
The following graph shows how a web page, called from the browser is returned by the server and displayed on the browser.
Each communication that is transfered from the client to the server and from the server to the client are handled by the HyperText Transfer Protocol (HTTP). This protocol has not for objective to encrypt data. Hence, a hacker can sniff the traffic on the network (promiscuous mode or Man In The Middle Attack) to gather sensitive data.
- WeGoat, HTTP Basics shows that data that are transmitted over HTTP protocol are in clear. A hacker could intercept the traffic to gather sensitive data (credentials).
- WebGoat insecure login shows how to sniff credentials over the network.
- Encrypt sensitive traffic with SSL
- Webscarab or BurpSuite enable to intercept data that are sent from and to the browser.
- WireShark and Tcpdump enable to sniff data over a network