Web Security Basics 1


WEB SECURITY

OBJECTIVES
By the end of this lesson, students will be able to:

1. Define the basics of the Web and explain how a website works
2. Explain the basics of Web security and common security flaws in Web applications
3. Apply VAPT test cases for a Web application and best practices
BASICS OF WEB
How Does a Website Work?
What happens when you visit a website?

1. The browser looks up the IP address for the domain (this is where DNS comes in).
2. The browser initiates a TCP connection with the server.
3. The browser sends the HTTP request to the server.
4. The server processes the request and sends back a response.

We mentioned a server. What is a server?

Websites are collections of files, often HTML, CSS, JavaScript, and images, that tell your browser how to display the site, images, and data. They need to be accessible to anyone, from anywhere, at any time, so hosting them on your computer at home isn't scalable or reliable. A powerful external computer connected to the Internet, called a server, stores these files.

[Figure: TCP Three-Way Handshake]
HTTP BASICS

Tool: Burp Suite

An HTTP request carries three pieces of information:

- What page or endpoint to fetch (the request line: method and path)
- What website (or host) to fetch from (the Host header)
- Browser information, including name, version, etc. (the User-Agent header)
HTTP METHODS

GET: To fetch data
HEAD: Does the same thing as GET but doesn't return the response body
POST: To create data
PUT: To modify/replace data
DELETE: To delete data
OPTIONS: To see the available communication methods


RESPONSE CODES
Have you seen 404 Not Found or 503 Service Unavailable on a website? These are
response codes. For every response, there's a response code. Here's a summary:

200 RANGE (2XX): SUCCESSFUL RESPONSE
300 RANGE (3XX): REDIRECTS
400 RANGE (4XX): CLIENT ERRORS
  401 - UNAUTHORIZED OR UNAUTHENTICATED
  403 - FORBIDDEN OR NO ACCESS TO THE RESOURCE
  404 - NOT FOUND OR FILE DOESN'T EXIST
  405 - HTTP METHOD NOT ALLOWED
500 RANGE (5XX): SERVER ERRORS
  500 - INTERNAL ERROR, WHERE THE SERVER DOESN'T KNOW HOW TO HANDLE THE REQUEST

AND TONS MORE.


References: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
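To tie the request pieces, the methods and the response-code ranges above together, here is an added example (not from the original slides): it assembles a raw HTTP/1.1 request and parses a constructed response, classifying the status code by range.

```python
# Added example (not from the original slides): build a raw HTTP/1.1 request
# and parse a constructed HTTP response, classifying the status code by range.
from typing import Dict, Tuple

def build_request(method: str, path: str, host: str, user_agent: str = "lesson-client/1.0") -> bytes:
    """Assemble the three pieces the slides name: method + path, Host, and browser info."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        f"User-Agent: {user_agent}",
        "Connection: close",
        "",
        "",  # the empty line (CRLF CRLF) marks the end of the headers
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_response(raw: bytes) -> Tuple[int, str, Dict[str, str], bytes]:
    """Split a raw response into status code, reason phrase, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = status_line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return int(code), reason, headers, body

def classify(code: int) -> str:
    """Map a status code to the ranges summarised on the slide."""
    if 200 <= code < 300:
        return "successful"
    if 300 <= code < 400:
        return "redirect"
    if 400 <= code < 500:
        return "client error"
    if 500 <= code < 600:
        return "server error"
    return "unknown"

# Constructed sample response, not captured from any real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"not found"
)
```

Paste `build_request("GET", "/index.html", "example.com")` into Burp Repeater to see the same bytes the browser would send.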
HTTP VS HTTPS
HTTP and HTTPS are both used for transferring data online, but HTTPS is the secure version. It encrypts information like
passwords and credit card details, making it much safer than HTTP, which sends data in plain text.

[Figure: HTTP vs HTTPS]
COOKIES, SESSIONS, SOP

https://noobsec.notion.site/Cookies-and-Sessions-038cbb5d686c4a199c3540fb51da07c1
https://noobsec.notion.site/Sessions-bce1704984574f02a12198a2da31afc8
https://noobsec.notion.site/Same-Origin-Policy-e879e37292de402f8dac8330446f147c
OWASP TOP 10

1. Broken Access Control (A01:2021): Applications fail to properly restrict access to functionality or data based on user roles or permissions. Attackers can exploit this to access unauthorized data, modify data, or perform unauthorized actions.

2. Cryptographic Failures (A02:2021): Weak encryption algorithms, insecure key management, or missing encryption altogether can leave sensitive data vulnerable to interception or tampering.

3. Injection (A03:2021): Attackers can inject malicious code (like SQL or script) into user inputs that are not properly validated and sanitized. This code can then be executed by the application, potentially leading to data breaches or system compromise.

4. Insecure Design (A04:2021): Fundamental security flaws built into the application design make it inherently vulnerable to attack. This can include insecure data flows, lack of proper authorization checks, or use of unsafe APIs.

5. Security Misconfiguration (A05:2021): Applications or systems are not configured securely by default. This can leave them vulnerable to common attacks by exploiting default settings or misconfigured security features.

6. Vulnerable and Outdated Components (A06:2021): Applications rely on libraries, frameworks, or other components with known vulnerabilities. Attackers can exploit these vulnerabilities to gain a foothold in the system.

7. Identification and Authentication Failures (A07:2021): Weak password policies, insecure authentication mechanisms, or lack of multi-factor authentication can make it easier for attackers to steal credentials or impersonate legitimate users.

8. Software and Data Integrity Failures (A08:2021): Applications fail to ensure the integrity of software and data. Attackers can exploit this to tamper with code or data, potentially leading to unexpected behavior or security breaches.

9. Security Logging and Monitoring Failures (A09:2021): Applications lack sufficient logging or monitoring capabilities, making it difficult to detect and respond to security incidents.

10. Server-Side Request Forgery (SSRF) (A10:2021): Attackers can trick the application into making unauthorized requests to external servers. This could be used to steal data, carry out denial-of-service attacks, or gain internal network access.
BROKEN ACCESS CONTROL
Broken access control refers to a security vulnerability that occurs when a system fails to properly enforce restrictions on what authenticated users are allowed to do. Essentially, it means that users can access resources or perform actions that they shouldn't be able to according to their permissions. This can result in unauthorized access to sensitive data, manipulation of data, or other malicious activities.

For example, consider a website with two user categories: User 1 and User 2. User 1 is allowed to view only their own personal information provided during account creation. User 2 should not be able to access User 1's personal data. If User 2 gains access to User 1's data, it indicates a breach in access control, compromising the privacy and security of User 1's information.
BAC: LAB

LAB: SECURITY-PEDIA.COM
BROKEN ACCESS CONTROL
Impact and Prevention

Impact:

- Broken access controls increase the risk of compromise, endangering data confidentiality and integrity.
- Attackers can exploit vulnerabilities to impersonate users or administrators, access privileged functions, manipulate content, or gain full control of web applications.
- Additional attacks targeting the web server and infrastructure may also occur.
- The business impact varies depending on the application and its data protection needs.

Prevention:

- Deny access to functionality by default, except for public resources.
- Implement access control mechanisms throughout the application and minimize CORS usage.
- Disable web server directory listing and remove file metadata and backup files from web roots.
- Implement rate limiting for API and controller access to mitigate automated attacks.
- Invalidate JWT tokens on the server after logout.
- Include functional access control unit and integration tests in development and QA processes.
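The User 1 / User 2 scenario from the previous slide, carried through the "deny by default" rule above, as an added example that is not part of the original slides (the users, roles and profile data are constructed for illustration):

```python
# Added example (not from the original slides): the User 1 / User 2 scenario from
# the text, with a vulnerable profile lookup beside one that denies by default.
# Users, roles and profile data are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "user" or "admin"

# Constructed sample data: the personal information each user gave at sign-up.
PROFILES = {
    1: {"name": "User 1", "email": "user1@example.test"},
    2: {"name": "User 2", "email": "user2@example.test"},
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""

def get_profile_vulnerable(session: Optional[Session], profile_id: int) -> dict:
    # Flaw: only checks that the caller is logged in, never whose record it is,
    # so any authenticated user can read any profile just by changing the id.
    if session is None:
        raise Forbidden("login required")
    return PROFILES[profile_id]

def get_profile_secure(session: Optional[Session], profile_id: int) -> dict:
    if session is None:
        raise Forbidden("login required")
    # Explicit allow rules: the owner of the record, or an admin.
    allowed = session.role == "admin" or session.user_id == profile_id
    record = PROFILES.get(profile_id)
    # Deny by default. A missing record and someone else's record get the same
    # answer, so the endpoint does not reveal which ids exist.
    if not allowed or record is None:
        raise Forbidden("no access")
    return record

def user2_can_read_user1(handler) -> bool:
    """The check from the text: can User 2 fetch User 1's personal data?"""
    try:
        handler(Session(user_id=2, role="user"), 1)
        return True
    except Forbidden:
        return False
```

The last function is the kind of functional access control test the prevention list asks for: it should fail against the vulnerable handler and pass against the secure one.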
INJECTION

An injection attack is a type of security exploit where an attacker inserts malicious data or code into a program or system, typically through input fields such as forms or URLs, with the intent of manipulating the behavior of the application. Injection attacks can target various types of vulnerabilities, including SQL injection, command injection, and Cross-Site Scripting (XSS).
INJECTION
Cross Site Scripting (XSS)

Cross-Site Scripting, better known as XSS in the cybersecurity community, is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users. This vulnerability is extremely common nowadays.

The best way to introduce XSS is with a basic example. Consider the following PHP code:

<?php
// The name parameter is concatenated into the HTML without any escaping.
echo '<h4>Hello ' . $_GET['name'] . '</h4>';
?>

The above (silly) code prints a welcome message to the user whose name is retrieved from the $_GET variable.

There are commonly two types of XSS: Reflected XSS and Stored XSS. There is another type of XSS, named DOM-based XSS.

Reflected XSS: Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user-provided data.

Stored XSS: Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc., and then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser.
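An added example, not part of the original slides: a Python stand-in for the PHP greeting above, rendered unsafely and then with output escaping, plus a small constructed message board showing that the stored case is fixed the same way, by escaping at render time. `html.escape` covers the HTML text and attribute context only; input that lands in a JavaScript or URL context needs that context's own encoding.

```python
# Added example (not from the original slides): the slide's PHP greeting
# rewritten in Python, unsafe and safe, plus a constructed stored-XSS case.
import html

def greet_unsafe(name: str) -> str:
    # Same flaw as the slide's PHP: the request parameter is concatenated into HTML.
    return f"<h4>Hello {name}</h4>"

def greet_safe(name: str) -> str:
    # Escape for the HTML text/attribute context: < > & " ' become entities,
    # so the browser displays the characters instead of parsing them as markup.
    return f"<h4>Hello {html.escape(name, quote=True)}</h4>"

class MessageBoard:
    """Stored case: raw input is kept, and escaping happens when the page is rendered."""

    def __init__(self) -> None:
        self.messages = []  # list of (author, text) tuples, stored as submitted

    def post(self, author: str, text: str) -> None:
        # Store as-is; the defence lives in render(), not in a fragile input filter.
        self.messages.append((author, text))

    def render(self) -> str:
        rows = [
            f"<li><b>{html.escape(a, quote=True)}</b>: {html.escape(t, quote=True)}</li>"
            for a, t in self.messages
        ]
        return "<ul>" + "".join(rows) + "</ul>"

# Constructed input: a harmless tag is enough to show whether markup survives.
SAMPLE_NAME = "<b>not a name</b>"
```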
CROSS SITE SCRIPTING
How to Exploit?

Find parameter
Find Input field
Check for injection
Check the context
Attempt to exploit

LAB: security-vault.security-pedia.com
XSS
VAPT Test Cases

TEST CASE 1: REFLECTED ERROR MESSAGE

TEST CASE 2: USER INPUT RETURNED WITHOUT FILTERING

TEST CASE 3: XSS VIA FILE UPLOAD

TEST CASE 4: XSS THROUGH SVG

More Readings:

https://noobsec.notion.site/Introduction-to-XSS-By-Mehedi-Hasan-42a1a052ec80430fa7d31358f04a9fae?pvs=4

https://noobsec.notion.site/XSS-writeup-by-Mehedi-Hasan-509e4e90d90747869d589e41f6b52d27?pvs=4
