GIS SCIENCE JOURNAL ISSN NO : 1869-9391

A Review on Security & Threats of Web

Application
Akhil Goplani
Department of Computer Engineering, Bharati Vidyapeeth’s College of Engineering, Lavale
Pune, Maharashtra, India
Email: [email protected]

Shubit Mattoo
Department of Computer Engineering, Bharati Vidyapeeth’s College of Engineering, Lavale
Pune, Maharashtra, India
Email: [email protected]

Shashank Kumar Gupta

Department of Computer Engineering, Bharati Vidyapeeth’s College of Engineering, Lavale
Pune, Maharashtra, India
Email: [email protected]

Darshan Amrutkar
Department of Computer Engineering, Bharati Vidyapeeth’s College of Engineering, Lavale
Pune, Maharashtra, India
Email: [email protected]

Prof. Yogesh Kadam

Department of Computer Engineering, Bharati Vidyapeeth’s College of Engineering, Lavale
Pune, Maharashtra, India
Email: [email protected]

Abstract— Web security is a critical aspect of online security, as more and more users rely on web applications to conduct business,
share information, and communicate with others. The increasing complexity and sophistication of web attacks, such as injection attacks and
cross-site scripting, have made it essential for organizations to take proactive measures to protect their web applications and users from potential
security breaches.
Keywords- Web Security, Threats, Attacks, Injection Attacks, SQL Injection, Brute Force Attack, Access Control Issues, IP Spoofing, Cross
Site Scripting, Insufficient Input Validation..
Web security is an ongoing process, and it requires continuous
I. INTRODUCTION monitoring and updating to keep pace with evolving threats and
attacks. By implementing strong web security measures,
Web security refers to the measures taken to protect websites organizations can help protect their web applications and users
and web applications from security threats and attacks. As more from potential security breaches and data loss.
and more information is shared and transactions are conducted
online, web security has become increasingly important.
II. THREATS & ATTACKS – ACCESS CONTROL
Some common web security threats include cross-site scripting THREAT
(XSS), injection attacks such as SQL injection, brute force,
access control issues. Access control is a security measure that is implemented to
restrict access to resources such as files, directories, databases,
Web security can be enhanced through a variety of techniques, or systems, to authorized individuals or entities. Access control
including secure coding practices, implementing access control, is an important aspect of information security as it helps prevent
and using encryption technologies such as SSL/TLS to protect unauthorized access to sensitive information and resources.
data in transit. Additionally, regular security testing and audits
can help identify and address vulnerabilities in web
applications.

VOLUME 10, ISSUE 5, 2023 PAGE NO: 1494

GIS SCIENCE JOURNAL
Access control can be implemented using various techniques,
such as:
1. Role-based access control (RBAC): In RBAC, access
to resources is granted based on the role or
responsibility of the user. Users are assigned roles
based on their job function, and access is granted based
on the permissions associated with their roles.
2. Mandatory access control (MAC): In MAC, access to
resources is granted based on a set of rules that are
predefined by the system administrator. These rules
are usually based on the security classification of the
resource and the user's clearance level.
3. Discretionary access control (DAC): In DAC, access
to resources is granted based on the discretion of the
owner of the resource. The owner of the resource
decides who is granted access and what level of access
is granted.
4. Attribute-based access control (ABAC): In ABAC,
access to resources is granted based on the attributes
of the user, resource, and environment. These
attributes are evaluated by a policy engine to
determine if access should be granted.
Access control is a critical security measure that should be
implemented in all information systems. It helps prevent
unauthorized access to sensitive information and resources, and
ensures that only authorized users can access and modify data.
III. THREATS & ATTACKS – INSUFFICIENT INPUT
VALIDATION THREAT
Insufficient input validation is a common security vulnerability
in web applications. It occurs when an application fails to
properly validate user input, which can allow attackers to inject
malicious data into the application. This can result in a variety
of attacks, including SQL injection, cross-site scripting (XSS),
and command injection.
For example, if a web application fails to validate user input on
a form field, an attacker could enter malicious code, such as
SQL statements or JavaScript, which could then be executed by
the application. This could lead to unauthorized access to the
application's database or the theft of sensitive user data.
VOLUME 10, ISSUE 5, 2023
ISSN NO : 1869-9391
To prevent insufficient input validation, web applications
should implement strong input validation measures. This
includes validating the format, type, and length of user input, as
well as implementing input sanitization techniques to remove
any potentially malicious content. Input validation should also
be performed on both the client-side and server-side of the
application, as client-side validation can be bypassed by
attackers.
Regular security testing and auditing can also help identify and
address insufficient input validation vulnerabilities in web
applications. By implementing these measures, organizations
can help prevent malicious attacks that exploit this common
security vulnerability.
Prevention of Input Validation
Insufficient input validation is a common vulnerability that can
allow attackers to inject malicious input into a web application,
potentially leading to data breaches, unauthorized access, and
other security risks. Here are some steps you can take to prevent
insufficient input validations:
1. Implement Server-Side Validation: Server-side
validation involves validating user input on the server
side, rather than relying solely on client-side
validation. Server-side validation can help prevent
attackers from bypassing client-side validation and
injecting malicious input directly into the server.
2. Validate Input Format and Type: It is important to
validate the format and type of user input to ensure that
it matches the expected format and type. For example,
you can validate email addresses to ensure that they
include an "@" symbol and a domain name, or validate
numeric input to ensure that it only contains numbers.
3. Implement Input Sanitization: Input sanitization
involves filtering user input to remove any potentially
malicious content, such as HTML tags or SQL
statements. This can help prevent attackers from
injecting malicious code into your web application.
4. Set Limits on Input Length: Setting limits on input
length can help prevent buffer overflow attacks and
other types of input-based attacks. By limiting the
amount of input that can be accepted, you can reduce
the risk of attackers injecting large amounts of
malicious code into your web application.
PAGE NO: 1495
GIS SCIENCE JOURNAL
5. Use Libraries and Frameworks: Using libraries and
frameworks can help ensure that your web application
is built with security in mind. Many libraries and
frameworks include built-in input validation and
sanitization functionality, which can help prevent
insufficient input validations.
By implementing these steps, you can help prevent insufficient
input validations and ensure that your web application is secure
against this common type of vulnerability. It is also important
to regularly test and audit your web application for security
vulnerabilities, and to promptly address any vulnerabilities that
are identified.
IV. THREATS & ATTACKS – BRUTE FORCE
ATTACK
Brute force attacks are a type of cyber-attack in which an
attacker uses automated software or scripts to try every possible
combination of characters until the correct password or
encryption key is found. These attacks are a popular method for
hackers to gain unauthorized access to web applications,
databases, and other sensitive systems.
To carry out a brute force attack, attackers use software that
generates and tests a large number of passwords or encryption
keys in a short amount of time. The success of the attack
depends on the strength of the password or encryption key
being targeted and the computing power available to the
attacker.
There are several techniques that can be used to defend against
brute force attacks. These include enforcing strong password
policies, implementing account lockout policies, limiting the
number of login attempts, and using two-factor authentication.
By combining these measures, web applications can reduce the
risk of successful brute force attacks and protect user data from
unauthorized access.
In addition to technical measures, user education is also
important in preventing brute force attacks. Users should be
encouraged to use strong passwords and to avoid using the same
password for multiple accounts. They should also be educated
about the risks of brute force attacks and how to identify and
report suspicious login attempts. By working together, web
developers and users can help protect against brute force attacks
and maintain the security of web applications.
Prevention
VOLUME 10, ISSUE 5, 2023
ISSN NO : 1869-9391
The attacker typically uses automated software or scripts to
generate and test thousands or millions of possible passwords
in a short amount of time. The success of a brute force attack
depends on the strength of the password or encryption key
being targeted, as well as the computational resources available
to the attacker.
There are several techniques that can be used to defend against
brute force attacks, including:
1. Strong passwords: Strong passwords that are long,
complex, and include a combination of uppercase and
lowercase letters, numbers, and special characters can
make it more difficult for attackers to crack them.
2. Password policies: Enforcing password policies that
require users to change their passwords periodically,
use unique passwords for different accounts, and
prohibit the use of common or easily guessable
passwords can also help.
3. Account lockout: Implementing account lockout
policies that temporarily lock out users after a certain
number of failed login attempts can prevent brute
force attacks.
4. Rate limiting: Limiting the number of login attempts
that can be made within a certain time frame can also
help to prevent brute force attacks.
5. Two-factor authentication: Using two-factor
authentication, such as a one-time code sent to a user's
phone, can add an additional layer of security to
prevent brute force attacks.
Overall, protecting against brute force attacks requires a
combination of technical and human measures to ensure that
passwords and encryption keys are strong and secure, and that
users are aware of best practices for creating and managing
passwords.
V. THREATS & ATTACKS – IP SPOOFING
ATTACK
IP spoofing is a technique used by attackers to deceive network
systems by changing the source IP address of a packet to hide
their true identity or to impersonate another system. It is a
common method used in DDoS attacks and other network-
based attacks.
PAGE NO: 1496
GIS SCIENCE JOURNAL
In IP spoofing, the attacker modifies the source IP address of
the packet header to make it appear as if the packet originated
from a different system or location. This can be done using
various tools and techniques, such as packet generators or
custom software.
The main goal of IP spoofing is to bypass security measures that
rely on the source IP address for authentication or access
control. For example, an attacker could use IP spoofing to
bypass firewalls, intrusion detection systems, and other security
measures that rely on IP address verification.
To prevent IP spoofing, various techniques can be employed,
such as filtering packets that originate from outside the
network, implementing ingress filtering at the network edge,
and using cryptographic authentication mechanisms such as
IPsec. Network administrators can also monitor network traffic
and analyze patterns to detect potential spoofing attacks and
take appropriate action.
Overall, IP spoofing is a serious threat to network security, and
it is essential for organizations to implement effective security
measures to prevent and detect such attacks.
Prevention
There are several techniques that can be used to prevent IP
spoofing, including:
1. Filtering packets: One of the most effective ways to
prevent IP spoofing is to filter packets that originate
from outside the network. This can be done by
implementing ingress filtering at the network edge,
which examines incoming packets and filters out those
with source IP addresses that do not belong to the
network.
2. Using cryptographic authentication: Another approach
to preventing IP spoofing is to use cryptographic
authentication mechanisms such as IPsec. IPsec
provides data integrity, confidentiality, and
authenticity by encrypting network traffic and
verifying the identity of the sender.
3. Implementing network segmentation: Network
segmentation can help prevent IP spoofing by dividing
the network into smaller, isolated subnets and
enforcing strict access control policies. This limits the
scope of potential attacks and makes it harder for
attackers to spoof IP addresses.
VOLUME 10, ISSUE 5, 2023
ISSN NO : 1869-9391
4. Deploying anti-spoofing technology: Several anti-
spoofing technologies are available, such as reverse
path forwarding (RPF) and unicast reverse path
forwarding (uRPF). These technologies verify the
source IP address of incoming packets and filter out
packets with invalid source addresses.
5. Educating users: Finally, it's important to educate
users about the risks of IP spoofing and how to identify
and report suspicious network activity. This can help
prevent insider threats and social engineering attacks
that may be used to circumvent network security
measures.
By implementing these techniques, organizations can
significantly reduce the risk of IP spoofing and ensure the
integrity and security of their networks.
VI. THREATS & ATTACKS – CROSS-SITE
SCRIPTING
Cross-site scripting (XSS) is a type of web security
vulnerability that allows attackers to inject malicious code into
web pages viewed by other users. The attack occurs when an
attacker injects malicious code, typically in the form of a script,
into a web page viewed by a victim. The injected code is then
executed by the victim's web browser, which can lead to a range
of malicious actions, such as stealing sensitive information,
hijacking user sessions, and redirecting users to phishing sites.
XSS attacks can be classified into two main types: stored and
reflected. In stored XSS, the malicious code is injected into a
web application and stored on the server, where it can be viewed
by multiple users. In reflected XSS, the malicious code is
reflected back to the user in the response from the web server,
typically as part of a search query or other user input.
To prevent XSS attacks, web developers can implement several
security measures, such as:
1. Input validation: Validating user input and filtering out
malicious code can prevent most XSS attacks. This
can be done using input validation techniques such as
input sanitization and input encoding.
2. Output encoding: Encoding output before sending it to
the user's browser can help prevent reflected XSS
attacks. This involves converting characters that have
special meaning in HTML or JavaScript into their
equivalent safe representation.
PAGE NO: 1497
GIS SCIENCE JOURNAL ISSN NO : 1869-9391

3. Content Security Policy (CSP): Implementing a CSP

can help prevent both stored and reflected XSS attacks
by specifying which content sources are allowed to be
loaded on a web page.
4. Cookie security: Implementing secure cookie policies,
such as HttpOnly and Secure flags, can help prevent
session hijacking attacks that rely on stealing cookies.

5. By implementing these security measures, web

developers can significantly reduce the risk of XSS
attacks and ensure the security and integrity of their
web applications.

VIII. REFERENCES

1. OWASP (Open Web Application Security Project) -

https://owasp.org/
2. NIST (National Institute of Standards and
Technology) -
https://www.nist.gov/topics/cybersecurity
3. CERT (Computer Emergency Response Team) -
https://www.cert.org/
4. SANS (SysAdmin, Audit, Network, Security) Institute
- https://www.sans.org/
5. WASC (Web Application Security Consortium) -
http://www.webappsec.org/
6. CSIS (Center for Strategic and International Studies) -
https://www.csis.org/
7. WhiteHat Security - https://www.whitehatsec.com/

VOLUME 10, ISSUE 5, 2023 PAGE NO: 1498