Web Security

The document discusses web security and how to protect websites from common attacks like cross-site scripting and SQL injection. It covers how these attacks work, their potential impacts, and methods to prevent them like validating user inputs, sanitizing data, and using parameterized queries.

Uploaded by

Abdul Usman

Introduction

Web security is also known as “Cybersecurity”. It means protecting a website or web application by detecting, preventing and responding to cyber threats.

Websites and web applications are just as prone to security breaches as physical homes, stores, and government locations. Unfortunately, cybercrime happens every day, and strong web security measures are needed to protect websites and web applications from being compromised.

That is exactly what web security does: it is a system of protective measures and protocols that keeps your website or web application from being hacked or entered by unauthorized personnel. This integral division of Information Security is vital to the protection of websites, web applications, and web services. Anything that is exposed over the Internet should have some form of web security to protect it.

1|Page
Security Threats
The majority of web application attacks occur through cross-site scripting (XSS) and SQL injection attacks.

1. Cross-site scripting (XSS)

Cross-site scripting (XSS) is an exploit where the attacker attaches code to a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most commonly, it is either appended to the end of a URL or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack.

How can an attacker use cross-site scripting to cause harm?

A typical cross-site scripting attack flow is as follows:
• The victim loads a webpage and the malicious code copies the user’s cookies.
• The code then sends an HTTP request to an attacker’s webserver with the stolen cookies in the body of the request.
• The attacker can then use those cookies to impersonate the user on that website for the purpose of a social engineering attack or even to access bank account numbers or other sensitive data.

*Cookies are temporary login credentials saved on a user’s computer. For example, when a user logs onto a site like Facebook, the site gives them a cookie so that if they close the browser window and go back to Facebook later that day, they are automatically authenticated by the cookie and won’t need to log in again.

How to prevent cross-site scripting?

There is no single strategy for mitigating cross-site scripting, and different types of web applications require different levels of protection. A number of protective measures can be taken; below we outline a few.
• If possible, avoid HTML in inputs - One very effective way to avoid persistent cross-site scripting attacks is to prevent users from posting HTML into form inputs. There are other options which let users create rich content without the use of HTML, such as Markdown and WYSIWYG editors.
• Validate inputs - Validation means implementing rules that prevent a user from posting data into a form that doesn’t meet certain criteria. For example, an input that asks for the user’s “Last Name” should have validation rules that only let the user submit data consisting of alphanumeric characters. Validation rules can also be set to reject any tags or characters commonly used in cross-site scripting, such as “<script>” tags.
• Sanitize data - Sanitizing data is similar to validation, but it happens after the data has already been posted to the web server, yet still before it is displayed to another user. There are several online tools that can sanitize HTML and filter out
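The two measures above, input validation and sanitizing before display, as an added example in Python (not code from the original document). The allowlist rule follows the text’s “Last Name” case; the 64-character length bound, the `render_comment` helper and the sample inputs are assumptions made for the example.

```python
import html
import re

# Allowlist for a "Last Name" field, following the rule in the text:
# only alphanumeric characters, plus a length bound (the bound is an assumption).
LAST_NAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def validate_last_name(value: str) -> bool:
    """Validation: accept only input that matches the allowlist exactly."""
    return LAST_NAME_RE.fullmatch(value) is not None


def sanitize_for_html(value: str) -> str:
    """Sanitization before display: HTML-encode the data so any tags or
    attribute quotes it carries are rendered as text instead of executed."""
    return html.escape(value, quote=True)


def render_comment(author: str, body: str) -> str:
    """Build the HTML fragment shown to other users for a stored comment.
    Every user-controlled value goes through sanitize_for_html on output,
    even if it was validated on input (validation rules can be relaxed later)."""
    return (
        f'<div class="comment"><b>{sanitize_for_html(author)}</b>: '
        f"{sanitize_for_html(body)}</div>"
    )


# Constructed sample inputs with the verdict the allowlist should give.
SAMPLES = {
    "Smith42": True,
    "<script>alert(1)</script>": False,  # tag characters are rejected
    "O'Neil": False,                      # apostrophe fails the alphanumeric rule
    "": False,
}


def check_samples() -> bool:
    """Return True when every sample gets the expected verdict."""
    return all(validate_last_name(v) == want for v, want in SAMPLES.items())


if __name__ == "__main__":
    print("validation samples ok:", check_samples())
    # A stored script tag comes back as inert text, not executable markup.
    print(render_comment("Mallory", "<script>alert(1)</script>"))
```

Note that a purely alphanumeric rule, as the text states it, also rejects real names with apostrophes or hyphens; the output encoding step is what protects the page regardless of how strict the input rule is.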

2. SQL injection attacks

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behaviour.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

What is the impact of a successful SQL injection attack?

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
• Retrieving hidden data, where you can modify an SQL query to return additional results.
• Subverting application logic, where you can change a query to interfere with the application's logic.
• UNION attacks, where you can retrieve data from different database tables.
• Examining the database, where you can extract information about the version and structure of the database.
• Blind SQL injection, where the results of a query you control are not returned in the application's responses.

How to prevent SQL injection?

Parameterized queries can be used for any situation where untrusted input appears as data within the query, including the WHERE clause and values in an INSERT or UPDATE statement. They can't be used to handle untrusted input in other parts of the query, such as table or column names, or the ORDER BY clause. Application functionality that places untrusted data into those parts of the query will need to take a different approach, such as white-listing permitted input values, or using different logic to deliver the required behaviour.

For a parameterized query to be effective in preventing SQL injection, the string that is used in the query must always be a hard-coded constant, and must never contain any variable data from any origin. Do not be tempted to decide case-by-case whether an item of data is trusted, and continue using string concatenation within the query for cases that are considered safe. It is all too easy to make mistakes about the possible origin of data, or for changes in other code to violate assumptions about what data is tainted.
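An added Python example (not from the original document) of the two points above: a concatenated query beside its parameterized replacement, and an allowlist for the ORDER BY column, which parameters cannot cover. The products table, its rows, the sortable-column set and the probe input are all constructed for the example.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory product table (sample data, not from the document)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, category TEXT, released INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "Widget", "Gifts", 1), (2, "Gadget", "Gifts", 0), (3, "Gizmo", "Tools", 1)],
    )
    return conn


def products_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    """The pattern to avoid: untrusted input is concatenated into the SQL text,
    so it can change the query's structure instead of acting only as data."""
    sql = (
        "SELECT name FROM products WHERE category = '" + category + "'"
        " AND released = 1"
    )
    return [row[0] for row in conn.execute(sql)]


ALLOWED_SORT_COLUMNS = {"name", "id"}  # assumption: the only sortable columns


def products_safe(conn: sqlite3.Connection, category: str, order_by: str = "name") -> list:
    """Parameterized query: the category value is bound separately and can never
    alter the statement. ORDER BY cannot take a bound parameter, so the column
    name is checked against a fixed allowlist before it is placed in the SQL."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = (
        "SELECT name FROM products WHERE category = ? AND released = 1 "
        f"ORDER BY {order_by}"
    )
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    conn = setup_db()
    probe = "Gifts' --"  # closes the quote and comments out the released filter
    print("vulnerable:", products_vulnerable(conn, probe))  # unreleased Gadget leaks
    print("parameterized:", products_safe(conn, probe))     # no such category: []
    print("sorted by id:", products_safe(conn, "Gifts", "id"))
```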

Security technology
While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include:
• Black box testing tools such as web application security scanners, vulnerability scanners and penetration testing software
• White box testing tools such as static source code analysers
• Fuzzing tools, used for input testing
• Web application security scanners (vulnerability scanners)
• Web application firewalls (WAF), used to provide firewall-type protection at the web application layer
• Password cracking tools for testing password strength and implementation

Conclusion
We looked at a range of issues affecting host and network security for organizations operating web servers. We saw that practically every business decision that you make for your computers can have significant security impacts. Many businesses treat security as an afterthought, something that can be added after other decisions have already been made—such as the choice of vendor, the decision whether or not to use consultants, and the allocated budget for personnel.

A chapter such as this one cannot convey all the knowledge necessary to securely operate a computer on the Internet today. This is just an introduction to this important topic. For specific details of securing a Unix computer on the Internet, we recommend our book Practical Unix & Internet Security. Even though the book was published back in 1996, much of the information that it contains is still current. That book, combined with this one and updates from your vendor, will provide you with the information that you need to operate a Unix computer securely on the Internet today.
