Introduction to Web3 Hacking, Part 1

1 year ago 81

Web 1.0 is the term used for the earliest version of the Internet, and it is all about fetching and reading data.

Here are a few features of Web 1.0 -

Read-only web
Static websites
No user interaction
HTML forms are sent via email

Now let's move on to Web 2.0. The term Web 2.0 refers to the read-write web and the current state of the internet: an internet dominated by companies that provide services in exchange for your personal data. It allows us to create dynamic information and user interaction via social media.

Here are a few features of Web 2.0 -

Read-write web
Dynamic content
User-friendly
User has the ability to create information in a global database

Web 2.0 is a centralized system, and users are required to trust the platform not to change the rules; with a click, a platform can block or delete your entire online life. Web 3.0 offers a decentralized system and censorship-resistance features.

Web 3.0 is the read-write-own web, and it uses blockchain, cryptocurrencies, and metaverses. It focuses on taking back control of the internet and our data from the giant tech companies.

Basic Concepts -

A blockchain is a shared, immutable ledger for recording transactions: a public database that is updated and shared across many computers in a peer-to-peer network.

Ethereum is a protocol, like a blockchain, with a computer embedded in it. It is the foundation for building apps and organizations in a decentralized, permissionless, censorship-resistant way. Ethereum has its own cryptocurrency coin, which is known as Ether (ETH). Ether is also used as a primary form of collateral in the DeFi and NFT marketplaces, as payment earned for performing services or selling real-world goods, and more.

A dapp is built on a decentralized peer-to-peer network with the help of smart contracts (Ethereum) and a front-end UI. On Ethereum, smart contracts are open source and transparent. The smart contract contains the business logic of the dapp, and there is a cost to perform read/write actions on the Ethereum blockchain.


DeFi (decentralized finance) provides an alternative, decentralized banking system that does not rely on a third party and is based on open-source technology that anyone can program. DeFi allows users to save, borrow, lend and trade without any cost. For more information on the structure of Ethereum, please refer to the documentation: https://ethereum.org

Ethereum has two types of account -

Externally-owned account (EOA) — an EOA can be controlled by anyone using a token and has the ability to receive, hold and send ETH.

Contract account - a smart contract contains simple code that executes on the EVM (Ethereum virtual machine that convert ) and has the ability to receive, hold and send ETH, but creating a contract has some cost because you will use blockchain storage.

Transactions — a transaction can be initiated by an EOA by sending or receiving Ether. For example, Account X sends 1 ETH to Account Y: X must be debited 1 ETH and Y must be credited.

When a transaction is submitted, it contains the following details -

from — the address of the sender
recipient — the receiving address
signature — the identifier of the sender.
nonce — a sequentially incrementing counter which indicates the transaction number from the account
value — amount of ETH
gasLimit — the maximum amount of gas units that can be consumed by the transaction

Gas is the unit that measures the amount of computational effort needed to execute an operation on the blockchain network. For more information, please refer to https://ethereum.org/en/developers/docs/gas/
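The X-to-Y transfer and the nonce, value and gasLimit fields above, modelled as a small state transition. This is an added example, not code from the article or from Ethereum; it assumes a legacy-style `gas_price` field (not in the list above), the 21,000 gas cost of a plain transfer, and it skips signature verification.

```python
from dataclasses import dataclass

TRANSFER_GAS = 21_000  # gas consumed by a plain ETH transfer

@dataclass
class Account:
    balance: int      # in wei
    nonce: int = 0    # number of transactions already sent

@dataclass(frozen=True)
class Tx:
    sender: str       # "from" in the field list above
    recipient: str
    nonce: int
    value: int        # in wei
    gas_limit: int
    gas_price: int    # wei per gas unit (assumed field, see lead-in)

def apply_tx(state, tx):
    """Apply a plain transfer to `state` or raise ValueError."""
    src = state[tx.sender]
    if tx.nonce != src.nonce:
        raise ValueError("bad nonce: replayed or out-of-order transaction")
    if tx.gas_limit < TRANSFER_GAS:
        raise ValueError("gasLimit below the cost of a transfer")
    if src.balance < tx.value + tx.gas_limit * tx.gas_price:
        raise ValueError("insufficient balance for value plus maximum fee")
    fee = TRANSFER_GAS * tx.gas_price   # only the gas actually used is charged
    src.balance -= tx.value + fee
    src.nonce += 1
    dst = state.setdefault(tx.recipient, Account(0))
    dst.balance += tx.value
    return fee

def demo():
    """Constructed scenario: X sends 1 ETH to Y, then the same tx is resubmitted."""
    eth = 10**18
    state = {"X": Account(2 * eth), "Y": Account(0)}
    tx = Tx("X", "Y", nonce=0, value=eth, gas_limit=30_000, gas_price=10**9)
    fee = apply_tx(state, tx)
    try:
        apply_tx(state, tx)             # identical transaction, second time
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    return state["X"].balance, state["Y"].balance, fee, replay
```

The second submission fails because the sender's account nonce has already moved to 1, which is what stops a captured transaction from being replayed.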

Solidity is a high-level, object-oriented programming language for implementing smart contracts.

Solidity tutorial- https://www.youtube.com/watch?v=M576WGiDBdQ&t=20781s&ab_channel=freeCodeCamp.org

How authentication happens in Ethereum -

Web3 is a new technology and has extra security as compared to web2. As you know, all Ethereum dapps have a smart contract written in the Solidity or Vyper programming language and a front-end user interface, so coding is another important thing that you should learn to understand things better.

Pentesting a Web3.0 application does not change significantly on the client side, but DApps do not need databases, so vulnerabilities such as SQL injection, RCE and file upload on the underlying server will not apply. Web3 backends are smart contracts, which opens up a whole different set of ways to hack web3.

Steps -

Reconnaissance — this is the basic step that starts the security testing assessment. Some of the different ways you can perform reconnaissance -

Read the Documentation

Understand the project use cases

Understand the project architecture

Use the Surya tool to get the visual architecture

Threat Modelling - this is an organized way to identify potential vulnerabilities and create test cases accordingly. Some of the different ways you can do it -

List all potential test cases and identify common issues

Evaluate the project (DeFi, NFT, etc.)

Identification & Discovery - here we need to identify common issues in the smart contract code, such as function visibility, transfer(), delegatecall() and selfdestruct().

Identify interesting parameters, business logic issues and smart contract actors

Exploitation - in this step, we need to perform line-by-line static analysis of the smart contract code, fuzz the identified interesting parameters, and try to break the business logic. Use the automated tools Slither and MythX to scan the smart contract.

Post Exploitation —

Here, review the performed test cases and the manual and automated findings, and report the issues to the client.
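A first-pass triage script for the Identification & Discovery step above, flagging functions without a visibility specifier and uses of transfer(), delegatecall() and selfdestruct() so a reviewer knows which lines to read first. This is an added example, not code from the article or from any of the tools it names; the sample contract is constructed, and the regex matching is a review aid, not a substitute for Slither or a real parser.

```python
import re

# Constructed sample (not from the article). Pre-0.5.0 pragma on purpose:
# since Solidity 0.5.0 the compiler rejects functions without explicit visibility.
SAMPLE = '''
pragma solidity ^0.4.24;
contract Wallet {
    address owner;
    function init(address o) { owner = o; }
    function pay(address to, uint amt) external {
        to.transfer(amt);
    }
    function run(address lib, bytes data) public {
        lib.delegatecall(data);
    }
    function kill() public { selfdestruct(owner); }
    function balance() public view returns (uint) { return address(this).balance; }
}
'''

VISIBILITY = re.compile(r"\b(public|external|internal|private)\b")
FUNC_HEADER = re.compile(r"\bfunction\b\s*(\w*)\s*\(([^)]*)\)([^{;]*)[{;]")
CALLS = {
    "transfer": re.compile(r"\.transfer\s*\("),
    "delegatecall": re.compile(r"\.delegatecall\s*\("),
    "selfdestruct": re.compile(r"\bselfdestruct\s*\("),
}

def strip_comments(src):
    """Blank out comments, keeping newlines so line numbers stay valid."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def triage(src):
    """Return sorted (line, tag, detail) tuples that deserve manual review."""
    src = strip_comments(src)
    lines = src.splitlines()
    findings = []
    for m in FUNC_HEADER.finditer(src):
        if not VISIBILITY.search(m.group(3)):   # modifiers between ")" and "{"
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, "no-visibility", m.group(1) or "<fallback>"))
    for tag, rx in CALLS.items():
        for m in rx.finditer(src):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, tag, lines[line - 1].strip()))
    return sorted(findings)
```

Each hit is only a pointer for manual review: a `.transfer(` match may be a token call rather than an ETH send, and whether a `delegatecall` or `selfdestruct` is a problem depends on who is allowed to reach it.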

Resources -

Comprehensive list of known attack vectors for Solidity
Consensys Best Practices
Decentralized Application Security Project
Solidity Security Considerations
Solidity v0.5.0 Breaking Changes
Ethereum
Surya