Web application security - the fast guide 1.1 | Page 67

Chapter 4 - Be the attacker
P a g e | 67
Researches by Christian S. Fötinger Wolfgang Ziegler showed that
attackers have different categories depending on their motives and
mindset:
A. Old School Hackers: computer programmers from known
universities like Stanford or MIT interested in lines of code and
analyzing systems, but what they do is not related to criminal
activity as They don’t have a malicious intent.
B. Script Kiddies or Cyber-Punks: As an age group, they can be
between 12 and 30 years old, and on average have a grade 12
education. Bored in school, very adept with computers and
technology main intent is to vandalize or disrupt, like to brag
about skills and achievement.
C. Professional Criminals, or Crackers: make a living breaking into
systems and selling the information. They might get hired for
corporate or government espionage
D. Coders and Virus Writers: They like to see themselves as an elite.
They have a lot of programming background and write code but
won’t use it themselves they live that to others.
4.3 Attacking process
Figure 22 Attack process
Attack: is the set of activity applied trying to exploit a vulnerability or a group of
vulnerabilities in order to be able to affect availability, integrity or confidentiality.
Attacks can happen without being able to reach their targets. We call the attack
that succeeded to achieve any of its target a security breach and the application
as a compromised application.
Attackers normally follow a strict step by step approach to execute attacks
because it is well known that attacks based on random approach without good
planning mainly end unsuccessfully or by attacker identity discloser.
The process steps are the following:
1- Mapping: this step is about collecting information from all available
sources
2- Analyzing: in this step the attacker gains the real added value after
analyzing and intersecting collected information.
3- Executing: this step is where the attacker will begin the penetration trial
to compromise the victim application.
4- Covering trace: as hacking is an illegal act any trace that lead to disclosing
the attacker real identity will cause him a serious problem additionally
being detected in pre-attack or during attack might cause throwing all