
Unit-2

Web Security
Authentication (Unit-1)
Injection Flaws
Programming Bugs
Malicious Code

Dr. Dimple Chawla, Assistant Professor, VSIT-VIPS 1


Authentication
• Authentication is the process of verifying that a claimed identity (of a user, a
device or a piece of information) is genuine.
• User authentication is the process of verifying the identity of a user when that
user logs in to a computer system, typically by checking something the user knows
(a password), has (a token or device) or is (a biometric).

• The two primary types of authentication are:


• Stateless Authentication
• Stateful Authentication



Stateful Authentication: Using session IDs and Cookies.

Flow of Authentication:
• The user submits the login credentials, i.e. Username and Password.
• The server verifies them against the DataBase.
• The server then creates a temporary server-side session record and generates a random, unguessable session ID.
• The server issues a cookie carrying the session ID (marked HttpOnly and Secure so that page scripts cannot read it and it travels only over HTTPS).
• The client sends the cookie with each request.
• The server looks the ID up in the session store and grants access.
• When the user logs out, the server destroys the session record and clears the cookie; destroying the record is what actually ends the session, since a captured ID would otherwise remain valid until it expires.
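The whole stateful flow above, written out as an added Python example (this is not code from the slides). It assumes an in-memory dictionary standing in for the session store and the user table, a constructed user "alice" with a PBKDF2 password hash, and a 900-second idle timeout; the names SessionStore, login, authenticate_request and logout are chosen for this illustration. Note the three checks a practitioner wants: the session ID comes from the OS CSPRNG, the cookie carries HttpOnly/Secure/SameSite, and logout deletes the server-side record rather than just clearing the cookie.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds of inactivity after which a session is dropped (assumed value)

# Constructed stand-in for the user table: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# Passwords are never stored in clear; only the hash is compared at login.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"constructed-fixed-salt-for-demo"  # per-user random salt in a real table
USER_DB = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def verify_credentials(username, password):
    """Step 2 of the flow: check the submitted credentials against the database."""
    record = USER_DB.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, _hash_password(password, salt))


class SessionStore:
    """Server-side session store (in-memory stand-in for Redis or a DB table)."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        # 32 bytes from the OS CSPRNG: the ID must be unguessable and never
        # derived from the username, a counter or the clock.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "expires": time.time() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            self._sessions.pop(sid, None)  # expired: purge and treat as anonymous
            return None
        entry["expires"] = time.time() + SESSION_TTL  # sliding expiry on activity
        return entry["user"]

    def destroy(self, sid):
        # Logout must delete the server-side record; clearing the cookie alone
        # leaves a captured session ID usable until it expires.
        return self._sessions.pop(sid, None) is not None


def set_cookie_header(sid):
    # HttpOnly: page scripts (and XSS) cannot read it. Secure: sent only over TLS.
    # SameSite=Lax: not attached to most cross-site requests, which blunts CSRF.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def clear_cookie_header():
    return "Set-Cookie: sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(cookie_header):
    """Minimal parser for a request's Cookie header, e.g. 'theme=dark; sid=abc'."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def login(store, username, password):
    """Steps 1-4: verify credentials, create a session, return the Set-Cookie header."""
    if not verify_credentials(username, password):
        return None
    return set_cookie_header(store.create(username))


def authenticate_request(store, cookie_header):
    """Steps 5-6: resolve the cookie's session ID against the store."""
    sid = parse_cookie_header(cookie_header).get("sid")
    return store.lookup(sid) if sid else None


def logout(store, cookie_header):
    """Step 7: destroy the server-side session and tell the browser to drop the cookie."""
    sid = parse_cookie_header(cookie_header).get("sid")
    if sid:
        store.destroy(sid)
    return clear_cookie_header()


if __name__ == "__main__":
    store = SessionStore()
    header = login(store, "alice", "correct horse")
    print(header)
    sid = header.split("sid=")[1].split(";")[0]
    print("request as:", authenticate_request(store, f"theme=dark; sid={sid}"))
    print(logout(store, f"sid={sid}"))
    print("after logout:", authenticate_request(store, f"sid={sid}"))
```

Running the script shows the Set-Cookie line, the authenticated user, the clearing header, and finally None for the same session ID after logout: the ID is dead because the store forgot it, not because the browser did.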



Stateless Authentication: Using Tokens, JWT, OAuth &
Others.
Flow Of Authentication using Tokens:
• The user submits the Login Credentials i.e. Username and Password.
• The server verifies the credentials against the DataBase.
• The server then generates a temporary, signed token (e.g. a JWT) and embeds the user data and an expiry time into it.
• The server responds with the token (in the body or a header).
• The client stores the token in client storage [localStorage or sessionStorage]; any script running on the page (e.g. via XSS) can read these, which is why an HttpOnly cookie is often preferred for the token.
• The client sends the token along with each request.
• The server verifies the token's signature and expiry (no session store lookup is needed, which is what makes the scheme stateless) and grants access.
• When the user logs out, the token is cleared from client storage; because the server keeps no state, a stolen copy stays valid until it expires unless the server also maintains a revocation list.
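A minimal HS256 JWT mint-and-verify routine, added here as a Python example (not code from the slides or from any JWT library) to show what "server verifies the token" means in the stateless flow. The signing key, the 900-second lifetime and the timestamps are constructed for the illustration. Beyond the flow on the slide it also shows the three failure modes a verifier must handle: a payload swapped under the original signature, an expired token, and a header that asks for a different algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side signing key, assumed for this example; in production it comes from a
# secret store and is never shipped to the client.
SECRET_KEY = b"constructed-demo-key-rotate-me"
TOKEN_TTL = 900  # seconds (assumed)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def _sign(signing_input):
    return hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()


def mint_token(username, now=None, ttl=TOKEN_TTL):
    """Steps 3-4: build header.payload and sign it; the payload carries the user data."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl}
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"


def verify_token(token, now=None):
    """Step 7: return the payload if the token is authentic and unexpired, else None.

    Nothing is looked up server-side, which is what makes the scheme stateless."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm. Trusting alg from the token enables "alg: none" and
        # key-confusion attacks; the server decides how tokens are verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = _sign(f"{header_b64}.{payload_b64}")
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # payload or header modified, or signed with another key
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired, or no expiry at all: a stolen token must die eventually
    return payload


def forge_payload(token, new_claims):
    """Attacker's view: swap the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_segment(new_claims)}.{sig_b64}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = mint_token("alice", now=t0)
    print(token)
    print("valid:  ", verify_token(token, now=t0 + 60))
    print("expired:", verify_token(token, now=t0 + TOKEN_TTL))
    forged = forge_payload(token, {"sub": "admin", "iat": t0, "exp": t0 + TOKEN_TTL})
    print("forged: ", verify_token(forged, now=t0 + 60))
```

The forged token is rejected because the HMAC covers header and payload together; changing one byte of the payload changes the expected MAC. Nothing here lets the server revoke a token early, which is exactly the logout caveat above.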
Injection
• Injection attacks stem from a lack of strict separation between
program instructions (i.e., code) and user-provided (or external)
input: data supplied by the attacker is concatenated into a command or
query and ends up being interpreted as part of the code.
• SQL injection is one of the most common types of injection attack. To
carry it out, an attacker supplies input that changes the SQL statements
the application sends to its database.



Injection Flaws
• Injection flaws are a class of vulnerability that lets a user reach the backend database,
a shell command, or an operating system call through input that the web app accepts.
• Attackers append extra syntax to what they type into these input fields and can thereby
create, read, update, or delete data. They may even append complete scripts and have the
application execute them.
• An injection flaw is a vulnerability that allows an attacker to relay malicious code
through an application to another system. It lets attackers inject client-side or
server-side commands, and it is through such flaws that attackers take control of web
applications. Depending on the type of vulnerability an attacker might inject SQL queries,
JavaScript, OS commands, and so on.



Effects of Injection Flaws:
• Allows an attacker to compromise the victim's system.
• Allows attackers to execute malicious code.
• Allows attackers to forge requests on the victim's behalf (cross-site request
forgery), since the site cannot tell that a request did not originate from the
legitimate user.
• Allows attackers to compromise databases.
• An arbitrary file upload vulnerability may result in compromise of the entire
server, including its database.
• Loss of confidentiality, integrity, and availability.



Types of Injection Attacks:
• SQL Injection
• XML Injection
• HTML Injection
• OS Command Injection
• LDAP Injection
• Cross-Site Scripting
• Fuzzing (strictly a testing technique that feeds malformed input to discover injection flaws, rather than an attack class of its own)
• Arbitrary File Upload Vulnerability
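Two further entries from the list above, OS command injection and HTML injection, as one added Python example (not code from the slides). Each sink is shown in its vulnerable form beside the hardened one: a command string handed to a shell versus an allowlist-validated argv list, and raw string formatting into HTML versus output encoding. The hostname rule, the `ping` command and the `<script>` payload are constructed for the illustration; `echo` stands in for `ping` in the demonstration so it runs anywhere. Note the extra check in the hostname rule: a value starting with `-` is rejected so it cannot be parsed as an option even after the shell is taken out of the picture.

```python
import html
import re
import subprocess

# Hostname allowlist: labels of letters, digits and hyphens joined by dots. A label
# may not start with '-', so the value can never be parsed as a command-line option
# (argument injection), even when no shell is involved.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62})(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}))*$"
)


def is_valid_hostname(host):
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def build_ping_vulnerable(host):
    # Command string handed to a shell: ';', '|', '$(...)' and backticks inside
    # host become shell syntax and run as the web server's user.
    return f"ping -c 1 {host}"


def build_ping_safe(host):
    # Validate against the allowlist, then pass an argv list: no shell parses it,
    # so metacharacters are just bytes inside one argument.
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def render_greeting_vulnerable(name):
    # HTML injection / XSS: user text is emitted as markup.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Output encoding for the HTML text context; attribute and JavaScript
    # contexts need their own encoders.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    attack = "example.com; id"
    vuln = build_ping_vulnerable(attack)
    print("shell sees two commands:", vuln)
    # echo stands in for ping so the demonstration runs without network access.
    demo = vuln.replace("ping -c 1", "echo", 1)
    print(subprocess.run(demo, shell=True, capture_output=True, text=True).stdout)
    try:
        build_ping_safe(attack)
    except ValueError as err:
        print(err)
    argv = ["echo"] + build_ping_safe("example.com")[3:]
    print(subprocess.run(argv, capture_output=True, text=True).stdout)
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

In the shell run the output contains both the hostname and the result of `id`; the argv run prints only the hostname, and the injected hostname never reaches a process at all because validation rejects it first.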



Programming Bugs
• A bug is an unexpected problem with software or hardware. Most bugs
arise from inputs, states or interactions with the environment that the
developer did not anticipate when writing the program.
• Minor bugs can cause small problems like frozen screens or
unexplained error messages that do not significantly affect usage.
• Major bugs may not only affect software and hardware, but could
also have unintended effects on connected devices or integrated
software and may damage data files.
• Examples: logic, syntax, semantic and compile-time errors.



Classification of Bugs
• Functional Bugs: Functional bugs refer to defects or issues in software applications that affect their intended
functionality. These bugs can manifest in various ways, such as incorrect calculations, unexpected behavior,
crashes, or unresponsive features. They can arise due to coding errors, inadequate testing, compatibility issues,
or external factors like hardware limitations.
• Logical Bugs: Logical bugs occur when the code does not produce the expected output or behavior.
• Workflow Bugs: These bugs refer to glitches, errors, or bottlenecks within a workflow process, causing team
members delays, confusion, and frustration.
• Unit Level Bugs: Unit-level bugs refer to the defects or errors at the smallest testable component of a software
system, known as a unit. These units can be functions, methods, classes, or modules. When developers write
code, they break it into smaller units to make it more manageable and easier to test.
• System-Level Integration Bugs: System-level integration bugs refer to the issues that arise when different
components or subsystems of a complex system fail to work together seamlessly. These bugs can occur for
various reasons, such as incompatible interfaces, module miscommunication, or inadequate testing.
• Out of Bound Bugs: Out-of-bound bugs occur when an index, pointer or arithmetic result exceeds the
allowable boundaries of an operation, e.g. reading or writing past the end of an array; in memory-unsafe
languages they are also a frequent source of security bugs.
• Security Bugs: These bugs refer to vulnerabilities or flaws in software, hardware, or systems that malicious
actors can exploit to gain unauthorized access, steal sensitive information, disrupt services, or cause other
harmful consequences.



Common Examples of Software Bugs
• Unexpected program crashes
• Results that don’t match expectations
• The program encountering an infinite loop
• Incorrect calculations
• Data missing from a database
• Malfunctioning user interface elements
• Unresponsive API
• Security vulnerabilities
• Errors with file permissions
• Unnatural slowness
• Compatibility issues



Malicious Code
• Malicious code is the term used to describe any code in any part of a software system or script that
is intended to cause undesired effects, security breaches or damage to a system.
• Malicious code is an application security threat that cannot be efficiently controlled by conventional
antivirus software alone. The term covers a broad category of threats that includes attack scripts,
viruses, worms, Trojan horses, backdoors and malicious active content.

• Malicious code may also include time bombs, hardcoded cryptographic constants and credentials,
deliberate information and data leakage, rootkits and anti-debugging techniques. These targeted
malicious code threats are hidden in software and mask their presence to evade detection by
traditional security technologies.

• Once inside your environment, malicious code can spread to network drives and propagate. It can
also overload network and mail servers by sending email messages, steal data and passwords, delete
document files, email files or passwords, and even reformat hard drives.



Types of Malicious code
• Trojans
• Viruses
• Worms
• Ransomware
• Backdoors



Avoidance of Malicious Code
• Use white box testing to check the security of your system from attacks
with a full understanding of how your system functions.
• Implement employee security training across your company.
• Use anti-phishing solutions to block phishing attempts from attackers
posing as trusted entities.
• Purchase and maintain antivirus and antimalware software.
• Use secure web browsing features.
• Frequently scan for software vulnerabilities.
• Frequently patch and update software.
• Use zero-trust access management, which treats each access attempt as
untrusted until successful identity verification.
