VAPT Tasks

The document provides an overview of web application security, focusing on HTTP and HTTPS protocols, their request and response mechanisms, and the importance of secure data transmission. It discusses key security concepts such as Same-Origin Policy, Cross-Origin Resource Sharing, and Content Security Policy, along with common web vulnerabilities as outlined by OWASP. Additionally, it highlights tools for vulnerability detection like Burp Suite, which aids in security testing of web applications.

Uploaded by jaymit sarena

Web Application Security Basics

Title: HTTP/HTTPS Protocols

1. HTTP:
 Hyper Text Transfer Protocol (HTTP) is an application layer protocol that
is used to access and transfer data (text, images, video, multimedia, etc.)
over the World Wide Web.

 HTTP is a client-server protocol that runs on top of the TCP/IP family of
protocols and follows a request/response model.

 HTTP uses port number 80 by default.

 The client first opens a TCP connection to the server and then sends a request
message over it. The server collects the data that was requested and returns a
response. In HTTP/1.0 the server closes the connection after each response; in
HTTP/1.1 connections are persistent by default, so several requests can reuse
one connection.

 With a non-persistent (HTTP/1.0 style) connection, asking the server for
something else means re-establishing the TCP connection between client and
server. Whatever the version, everything sent over plain HTTP, including cookies
and credentials, is readable and modifiable by anyone on the network path.

2. HTTPS:
 Hypertext Transfer Protocol Secure (HTTPS) is a secure extension or version of
HTTP that protects the data sent over the World Wide Web.

 This protocol transfers the data in encrypted form, which is
particularly important when users transmit sensitive data such as login
credentials.

 To encrypt communications HTTPS uses the Transport Layer Security (TLS)
protocol, the successor of Secure Sockets Layer (SSL); the older name "SSL"
is still used informally for the same thing.

 HTTPS uses port number 443 by default.


HTTP Request:
HTTP defines methods (sometimes referred to as verbs) that indicate the desired action
to be performed on the identified resource.

Iman supports only GET and POST requests.

GET
 GET requests query or ask the server for a resource. In a typical web services
scenario this is data, but the query could also be for an image, a file or HTML.

 GET requests can optionally include a query string to limit/restrict the range of data or
resource to return. Because the query string is part of the URL, it ends up in browser
history, proxy logs and Referer headers, so secrets should never be passed this way.

 GET requests typically do not include a body.

 Assuming a valid request, the service should respond with the desired resource. The
response may be textual (data, HTML) or a binary format (PDF, image, other file type).

 The scheme is the first part of the URL, either http or https (other schemes exist).

Figure1:GET Request

POST
 POST requests are typically used to send the service some data such as an order, an
invoice, or a customer record.

 POST requests carry the submitted data in the request body rather than in the
query string (a query string is still permitted on a POST, but it is not where the
submitted data goes).

 POST requests typically have a body, which is the data (image, text, file) being
sent to the server.

 The response from a POST request will vary based on the request. The POST
request may respond just with an acknowledgement of the request, or posts to data
services may respond with the fully populated data record.

Figure1.1:POST Request

HTTP Response:
 The server, after processing the request, sends a response.

 A response contains a status code (to indicate the success or failure of a
request), a set of headers and a body.

 GET requests respond with the requested resource, whereas a POST request
may respond with a success indicator only, or with the fully
populated resource which was inserted/posted.

 Responses may be in textual or binary format.


Figure1.2:HTTP Response

HTTP Headers:
 HTTP headers let the client and the server pass additional information with an
HTTP request or response. Headers are typically used to pass authentication
values, indicate the content type of a request, the desired response content type,
and other custom values.

 An HTTP header consists of its case-insensitive name followed by a colon (:),
then its value. Whitespace before the value is ignored.

Example Headers

 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; WOW64; Trident/5.0)

 Authorization: Basic YjhiZWU5ZGNiYzgxODhjNlZjE4YjBkOWIwZjdjZTY=

 Accept: application/json
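The request and header rules above, worked through in code. This is an added example and not part of the original document: it parses a constructed HTTP/1.1 request (the host shop.example and the credentials alice:s3cret are made up for the example) into method, target, headers and body, splits the query string, and decodes the Basic Authorization header to show that it is base64 encoding, not encryption, which is the reason such headers must only travel over HTTPS.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass, field

# Constructed sample request for this example (not captured from any real
# system). The Basic credentials encode the made-up pair "alice:s3cret".
# The header name is deliberately lower-cased and the Accept value padded
# with spaces to exercise the case-insensitivity and whitespace rules.
RAW_REQUEST = (
    "GET /api/orders?status=open&limit=10 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; WOW64; Trident/5.0)\r\n"
    "authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "Accept:   application/json\r\n"
    "\r\n"
)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)  # names lower-cased
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.x message into request line, headers and body.

    Header names are case-insensitive, so they are normalised to lower case;
    whitespace around the value is ignored, as the text above states.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, body)


def split_query(target: str) -> tuple[str, dict[str, str]]:
    """Return (path, query parameters) for a request target such as /a?x=1."""
    path, _, query = target.partition("?")
    params: dict[str, str] = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    return path, params


def decode_basic_auth(header_value: str) -> tuple[str, str] | None:
    """Recover (username, password) from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: anyone who can read the header,
    which over plain HTTP is everyone on the network path, recovers the
    password. That is why Basic auth is only acceptable over HTTPS.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req.method, split_query(req.target))
    print(decode_basic_auth(req.headers["authorization"]))
```

The same parser works on a request captured in a proxy such as Burp: paste the raw text into RAW_REQUEST and the Authorization line is readable in one call, which is exactly what a network attacker does with plain HTTP.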


Title: HTTPS Encryption with SSL/TLS

1. HTTPS Encryption
HTTPS, which stands for Hypertext Transfer Protocol Secure, is an internet
communication protocol that protects the integrity and confidentiality of data
between the user's computer and the site.

 How HTTPS Works:
 HTTPS Connection: When a user connects to an HTTPS-secured
website, the site sends its TLS certificate to the user's browser.
The browser checks that the certificate chains to a CA it trusts, is within its
validity period and matches the hostname that was requested; this is what
verifies the site's identity.

 Key Agreement: If the browser trusts the certificate, client and server agree
on session keys. In the legacy RSA key exchange (TLS 1.2 and earlier) the
browser generates a secret, encrypts it with the public key from the certificate
and sends it to the server, which decrypts it with its private key. Modern
deployments, and all of TLS 1.3, instead use an ephemeral Diffie-Hellman
exchange that the server signs with its certificate key, so a later compromise
of the private key does not expose past traffic (forward secrecy).

 Secure Data Transmission: Both sides derive the same symmetric session keys
and use them to encrypt and authenticate every subsequent request and response.

2. SSL Encryption
SSL, which stands for Secure Sockets Layer, is the original standard security
technology for establishing an encrypted link between a web server and a
browser. Every SSL version is now deprecated and the same role is filled by TLS,
but the name "SSL" survives in phrases such as "SSL certificate".

This link ensures that all data between the web server and browsers remains
private and integral.

 SSL Certificates
 SSL certificates (more precisely, X.509 certificates used for TLS) are digital
certificates that authenticate the identity of a website and enable an encrypted
connection.

 They are a crucial component of the SSL/TLS protocols, which are used to secure
data transmitted over the internet.

 Types of SSL Certificates:

 Domain Validated (DV) Certificates: These are basic certificates that
validate control of the domain. They are usually issued quickly and involve a
simple check (for example a DNS record or an HTTP challenge) to confirm that the
applicant controls the domain.


 Organization Validated (OV) Certificates: These certificates require more
validation than DV certificates. The CA checks the organization or business the
applicant represents, providing a higher level of assurance about who is behind
the site.

 Extended Validation (EV) Certificates: These offer the highest level of
validation and trust. The issuing process thoroughly examines the requesting
entity's legal, operational, and physical existence. Note that DV, OV and EV
certificates give the same encryption strength; they differ only in how much
the CA checked about the applicant.

 How SSL Certificates Work

 Public and Private Keys: An SSL certificate binds a public key to a domain
name; the matching private key stays on the server. During the handshake the
server proves possession of the private key, either by signing the key exchange
or, in the legacy RSA key exchange, by decrypting the secret that the browser
encrypted with the public key. A leaked private key therefore lets an attacker
impersonate the site, which is why it must be stored with strict permissions and
the certificate revoked and reissued if the key is compromised.

 Certificate Issuance: SSL certificates are issued by Certificate Authorities
(CAs), trusted entities that validate the identity and legitimacy of the organization
or individual requesting the certificate. The CA verifies the applicant's credentials
before issuing the certificate.

3. TLS Encryption:
TLS, or Transport Layer Security, is a protocol that provides privacy and data
integrity between two communicating applications.

It is the most widely deployed security protocol used today for web browsers
and other applications that require data to be securely exchanged over a
network, such as file transfers, VPN connections, instant messaging, and
voice over IP.

 How TLS Works:
 TLS Handshake: When a TLS connection is established, a process known as
the "TLS handshake" occurs. This involves the negotiation of various parameters
to create a secure connection between the client and server.

 Key Exchange: During the TLS handshake, the client and server agree on a
protocol version, select cryptographic algorithms (the cipher suite), and the
client authenticates the server through its certificate; authentication of the
client with its own certificate (mutual TLS) is optional and rare on public web
sites. They also derive shared secret keys used for encryption and integrity
protection of the data.

 Data Transmission: Once the secure connection is established, data can be
transmitted securely using the agreed-upon encryption standards.

Differences Between HTTP/1.1, HTTP/2, HTTP/3:

 HTTP/1.1:
 Text-based protocol.
 Uses persistent connections but still has head-of-line blocking.

 HTTP/2:
 Binary protocol, more efficient.
 Multiplexing allows multiple requests/responses in a single connection.
 Header compression (HPACK) reduces overhead.

 HTTP/3:
 Built on the QUIC protocol (UDP-based), with TLS 1.3 built into the transport.
 Eliminates transport-level head-of-line blocking between streams.
 Faster connection establishment and improved performance.

TLS Handshake Diagram

Figure1.3:TLS Handshake


Difference Between TLS and SSL

 SSL (Secure Sockets Layer):
 Older protocol, now considered insecure.
 Versions: SSL 1.0 (never released), 2.0, 3.0. All of them are prohibited for
use today.

 TLS (Transport Layer Security):
 Successor to SSL, more secure.
 Versions: TLS 1.0, 1.1, 1.2, 1.3. TLS 1.0 and 1.1 are deprecated (RFC 8996);
servers and clients should offer only 1.2 and 1.3.
 Provides better security features and performance improvements. TLS 1.3 removes
the legacy RSA key exchange and the weak cipher suites, and completes the
handshake in one round trip.
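What the version and certificate rules above mean on the client side, as an added example that is not from the original document. It builds the weak TLS client configuration (no certificate or hostname check) next to a hardened one that requires a trusted certificate, a matching hostname and TLS 1.2 or newer, and an audit function that reports the difference. Only Python's standard ssl module is used; the host name shop.example in connect() is a placeholder and that function is not run here because it needs a live server.

```python
from __future__ import annotations

import ssl

# Placeholder host for connect(); nothing is contacted in this example.
EXAMPLE_HOST = "shop.example"


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: certificate and hostname checking switched off.

    Any server, including a man-in-the-middle, is accepted, so the "encrypted"
    channel may terminate at the attacker. check_hostname has to be disabled
    before verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: str | None = None) -> ssl.SSLContext:
    """The corrected setting.

    create_default_context() loads the platform trust store (or cafile),
    requires a certificate that chains to it (CERT_REQUIRED) and checks that
    the certificate matches the hostname passed to wrap_socket(). On top of
    that, refuse the deprecated TLS 1.0/1.1 and keep TLS compression off.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME-style attacks need compression
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a reviewer would raise against a client context."""
    findings: list[str] = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression allowed")
    return findings


def connect(host: str = EXAMPLE_HOST, port: int = 443):
    """How the hardened context is used: server_hostname drives both the SNI
    extension and the hostname check. Not executed in this example because
    it needs a reachable server."""
    import socket

    ctx = hardened_client_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit function is the kind of check worth running over an application's HTTP client settings during a review: code that sets verify_mode to CERT_NONE "to make it work" quietly turns HTTPS back into HTTP against an active attacker.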

Title: Basic Web Security Concepts

Web security protects networks, servers, and computer systems from damage to or the
theft of software, hardware, or data.

It includes defending computer systems from misdirecting or disrupting the services they
are designed to provide.

1. Same-Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS)
 Same-Origin Policy (SOP):
 Restricts how documents or scripts from one origin can interact with
resources from another origin. An origin is the triple (scheme, host, port).

 Prevents a script on one origin from reading responses or DOM content that
belong to a different origin, which limits what a malicious page can do with the
victim's cookies for other sites. It does not stop a script that has been
injected into a page (XSS) from acting within that page's own origin.

 Cross-Origin Resource Sharing (CORS):
 A mechanism that allows restricted resources on a web page to be requested
from another domain outside the domain from which the first resource was
served.

 CORS provides a way to relax SOP under controlled conditions, through the
Access-Control-Allow-Origin and related response headers, enabling
secure cross-origin requests. A server that reflects any request Origin and
also sends Access-Control-Allow-Credentials: true has removed the protection
entirely.
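The origin comparison and the CORS decision above, as an added example that is not part of the original document. origin_of() computes the (scheme, host, port) triple a browser compares, with default ports filled in, and cors_headers() shows the reflect-any-origin anti-pattern next to an exact allow-list. The origins app.example and admin.example:8443 are made up for the example.

```python
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allow-list for the example; a real service loads it from config.
TRUSTED_ORIGINS = {"https://app.example", "https://admin.example:8443"}


def origin_of(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) triple the browser compares under SOP.

    The default port is filled in, so https://a.example and
    https://a.example:443 are the same origin; path, query and fragment are
    ignored because they are not part of the origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port


def same_origin(url_a: str, url_b: str) -> bool:
    return origin_of(url_a) == origin_of(url_b)


def serialize_origin(url: str) -> str:
    """The form the browser puts into the Origin request header."""
    scheme, host, port = origin_of(url)
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_headers_insecure(request_origin: str) -> dict[str, str]:
    """Anti-pattern: reflect whatever Origin arrived and allow credentials.

    Every site on the internet can now make the victim's browser send an
    authenticated request and read the response, which is exactly what SOP
    was meant to prevent. Browsers refuse '*' combined with credentials,
    which is why careless code reflects the origin instead.
    """
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(request_origin: str | None) -> dict[str, str]:
    """Allow credentialed cross-origin access only to an exact allow-list.

    Comparison is on the whole serialized origin, so prefix or suffix matches
    (https://app.example.evil, https://evilapp.example) do not pass, and the
    literal origin "null" (sandboxed frames, file: pages) is never allowed.
    """
    if request_origin is None or request_origin not in TRUSTED_ORIGINS:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's answer to another
    }
```

When testing CORS with a proxy, send the request twice with an Origin header of an allow-listed site and of an arbitrary one; if both responses echo the Origin and carry Allow-Credentials: true, the server is the insecure variant.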

2. Content Security Policy (CSP)

 Definition:
 CSP is a security feature that helps prevent a variety of attacks, including
XSS and data injection attacks.

 Functionality:
 It allows web developers to specify which dynamic resources are allowed to
load on a web page.

 By defining a CSP, developers can control the sources of content that can be
executed, significantly reducing the risk of malicious content being executed.

3. Secure Cookies and Session Management

 Secure Cookies:
 Cookies can store session information, and marking them as "Secure"
ensures they are only sent over HTTPS connections, protecting them from
being intercepted by attackers. The HttpOnly flag additionally keeps the cookie
out of reach of JavaScript, and the SameSite attribute limits when the browser
attaches it to cross-site requests.

 Session Management:
 Proper session management practices include using unpredictable session
tokens, implementing session timeouts, and ensuring that sessions are
invalidated on the server after logout.

 This helps protect user sessions from hijacking and ensures that sensitive
information remains secure.
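The cookie flags and session rules above put together, as an added example that is not from the original document. A small server-side session store issues tokens from the OS random generator, enforces an idle timeout and an absolute lifetime, rotates the id after login and invalidates on logout; session_cookie() builds the Set-Cookie value with Secure, HttpOnly and SameSite set. The cookie name __Host-session and the timeout values are choices made for the example.

```python
from __future__ import annotations

import secrets
import time
from http.cookies import SimpleCookie
from typing import Callable

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity
COOKIE_NAME = "__Host-session"  # prefix: browser enforces Secure, Path=/, no Domain


class SessionStore:
    """Server-side sessions keyed by an unguessable token.

    `clock` is injectable so the timeouts can be exercised without waiting.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: dict[str, dict] = {}

    def _new_id(self) -> str:
        # 32 random bytes from the OS CSPRNG; never derive ids from username,
        # time or a counter, all of which an attacker can predict.
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str) -> str | None:
        """Return the user for a valid session, expiring stale ones on the way."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if (now - record["last_seen"] > IDLE_TIMEOUT
                or now - record["created"] > ABSOLUTE_LIFETIME):
            self.destroy(sid)
            return None
        record["last_seen"] = now
        return record["user"]

    def rotate(self, sid: str) -> str | None:
        """Issue a fresh id after login or a privilege change, so a token an
        attacker planted or captured beforehand stops working (session fixation)."""
        record = self._sessions.pop(sid, None)
        if record is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = record
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: invalidate on the server, not merely clear the cookie."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Build the Set-Cookie value with the protective attributes set."""
    cookie: SimpleCookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True      # HTTPS only
    morsel["httponly"] = True    # not readable via document.cookie (limits XSS theft)
    morsel["samesite"] = "Lax"   # not attached to cross-site POSTs (CSRF)
    morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie(sid))
    print(store.lookup(sid))
```

During a test, a session id that still works after logout, or that keeps the same value across login, maps directly onto the invalidation and rotation checks in this store.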

4. Research on Same-Origin Policy (SOP) and Cross-Site Scripting (XSS)

How SOP Limits the Reach of XSS

 Definition of XSS: Cross-Site Scripting (XSS) is a vulnerability that allows
attackers to inject malicious scripts into web pages viewed by other users.

 This can lead to data theft, session hijacking, and other malicious activities.

 Role of SOP:
 Isolation of Origins: SOP restricts scripts from one origin
(e.g., malicious.com) from accessing data on another origin
(e.g., example.com). This means that a script running on an attacker's own
page cannot read the victim's data on another domain.

 Preventing Data Leakage: By enforcing SOP, browsers ensure that
scripts running on a malicious or compromised page cannot read or manipulate the
content of a page on another origin, thus protecting user data and session
information.

 Limit: SOP does not defend a site against XSS in that site itself. A script
injected into example.com runs with example.com's origin, so it can read that
origin's DOM, send requests that carry its cookies and, unless the HttpOnly flag
is set, read document.cookie. Preventing XSS needs output encoding and CSP,
not SOP.

 Example: If a user is logged into their bank account on bank.com, and they visit
a malicious site that tries to execute a script, SOP prevents that script from
accessing the user's banking session or any sensitive information stored in
cookies.

5. Real-World Examples of CSP Bypasses

 Content Security Policy (CSP) Bypasses
 Definition of CSP: CSP is a security feature that helps prevent various
attacks, including XSS, by allowing developers to specify which sources of
content are trusted.

 Real-World Example:
 Google CSP Bypass:
 Researchers found that a CSP deployed by Google could
be bypassed by using data URIs. By encoding malicious
scripts as data URIs, attackers could circumvent the
restrictions set by CSP, allowing them to execute harmful
scripts. The general lesson is that every source expression listed in
script-src, including data: or a bare scheme such as https:, is a place from
which an attacker-controlled script can be loaded.
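A policy checker for the CSP definition in section 2 and the data: bypass just described, as an added example that is not part of the original document. It parses a Content-Security-Policy header into directives, applies the default-src fallback, and reports the source expressions that let attacker-chosen script run. The two policies are constructed for the example and the nonce value is a placeholder; a real server generates a fresh random nonce for every response.

```python
from __future__ import annotations

# Constructed policies for the example (not taken from any real site).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' data:"
STRONG_CSP = (
    "default-src 'none'; script-src 'self' 'nonce-r4nd0mV4lu3'; "
    "style-src 'self'; img-src 'self'; connect-src 'self'; "
    "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
)

# Source expressions that let an attacker-chosen script execute when they
# appear in script-src: inline script, eval, any host, data:/blob: URIs
# (the bypass class described above) and bare schemes matching every host.
RISKY_SCRIPT_SOURCES = {
    "'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:", "http:", "https:",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Turn 'name value value; name value' into {name: [values]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Fetch directives fall back to default-src when not given explicitly."""
    return policy.get(directive, policy.get("default-src"))


def audit_csp(header: str) -> list[str]:
    """Findings a reviewer would raise before trusting this policy against XSS."""
    policy = parse_csp(header)
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted resource types are unrestricted")
    scripts = effective(policy, "script-src")
    if scripts is None:
        findings.append("script-src not restricted")
    else:
        for source in scripts:
            if source in RISKY_SCRIPT_SOURCES:
                findings.append(f"script-src permits {source}")
    if effective(policy, "object-src") != ["'none'"]:
        findings.append("object-src not 'none': plugins can run script")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(name, audit_csp(header) or "no findings")
```

The strong policy still depends on the application never echoing the nonce into attacker-readable places and on each allow-listed host not serving attacker-controlled scripts; a checker like this finds the obvious holes, not those.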

6. SOP and Its Importance

The same-origin policy is a web browser security mechanism that aims to prevent
websites from attacking each other.
The same-origin policy restricts scripts on one origin from accessing data from
another origin. An origin consists of a URI scheme, domain and port number.
When a browser sends an HTTP request from one origin to another, any cookies,
including authentication session cookies, relevant to the other domain are also sent
as part of the request (subject to the cookie's SameSite attribute). This means that
the response will be generated within the user's session, and include any relevant
data that is specific to the user. Without the same-origin policy, if you visited a
malicious website, it would be able to read your emails from Gmail, private messages
from Facebook, etc.


Title: Common Web Vulnerabilities

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an
implementation bug that allows an attacker to cause harm to the stakeholders of an
application. Stakeholders include the application owner, application users, and other
entities that rely on the application.

1. OWASP TOP 10 (2021)

 A01:2021 - Broken Access Control
 A02:2021 - Cryptographic Failures
 A03:2021 - Injection
 A04:2021 - Insecure Design
 A05:2021 - Security Misconfiguration
 A06:2021 - Vulnerable and Outdated Components
 A07:2021 - Identification and Authentication Failures
 A08:2021 - Software and Data Integrity Failures
 A09:2021 - Security Logging and Monitoring Failures
 A10:2021 - Server-Side Request Forgery


2. Tools for Vulnerability Detection

 Burp Suite:
Burp Suite is an integrated platform for performing security testing of web
applications. Its various tools work seamlessly together to support the entire
testing process, from initial mapping and analysis of an application's attack
surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques
with state-of-the-art automation, to make your work faster, more effective, and
more fun.

 Proxy:
Burp Suite contains an intercepting proxy that lets the user see and
modify the contents of requests and responses while they are in
transit. It also lets the user send the request/response under
monitoring to another relevant tool in Burp Suite, removing the burden
of copy-paste.

 Intruder:
It is a fuzzer. This is used to run a set of values through an input point.
The values are run and the output is observed for success/failure and
content length. Usually, an anomaly results in a change in response
code or content length of the response. Burp Suite allows brute-force,
dictionary file and single values for its payload position. Intruder is
used for:
- Brute-force attacks on password forms, PIN forms, and other such forms.
- Dictionary attacks on password forms, and on fields that are
suspected of being vulnerable to XSS or SQL injection.
- Testing and attacking rate limiting on the web app.

 Repeater:
Repeater lets a user send requests repeatedly with manual
modifications. It is used for:
- Verifying whether the user-supplied values are being validated.
- If user-supplied values are being validated, how well is it being done?
- What values is the server expecting in an input parameter/request header?


3. Table summarizing the vulnerabilities

1. Open Redirect Using HTML Injection

Description:
- HTML injection is a type of injection vulnerability that occurs when a user is able to control an input
point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can
have many consequences, like disclosure of a user's session cookies that could be used to
impersonate the victim, or, more generally, it can allow the attacker to modify the page content
seen by the victims.

Affected Resource / Parameter: Search
Severity: Medium

Impact / Consequences:
- Open redirection attacks are most commonly used to support phishing attacks, or to
redirect users to malicious websites.

Recommendations:
- Input should be validated as strictly as possible on arrival, given the kind of content that it is
expected to contain. For example, personal names should consist of alphabetical and a small range of
typographical characters, and be relatively short; a year of birth should consist of four digits;
email addresses should match a well-defined regular expression.
- User input should be HTML-encoded at any point where it is copied into application responses. All
HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML
entities (&lt; &gt; &quot; &#x27; &#x3D;).

Tools Used: Manual
References: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/03-Testing_for_HTML_Injection
CWE: Improper Neutralization of Script-Related HTML Tags in a Web Page [CWE-80]
OWASP Top 10: A03:2021 Injection


2. Cross Site Scripting (XSS) - Reflected

Description:
- Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser-executable code
within a single HTTP response. When a web application is vulnerable to this type of attack, it will
pass unvalidated input sent through requests back to the client.
- The value of a request parameter is copied into the value of an HTML tag attribute which is
encapsulated in double quotation marks. The input was echoed unmodified in the application's
response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript
into the application's response.

Affected Resource / Parameter: Location search bar
Severity: Medium

Impact / Consequences:
- It allows an attacker to circumvent the same-origin policy, which is designed to segregate different
websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to
masquerade as a victim user, to carry out any actions that the user is able to perform, and to access
any of the user's data. If the victim user has privileged access within the application, then the
attacker might be able to gain full control over all of the application's functionality and data.

Recommendations:
- Apply context-dependent encoding and/or validation to user input rendered on a page. For the
Location field, replace the free-text input with a dropdown menu and validate the submitted value
on the server against that fixed list of locations.

Tools Used: Manual
References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
OWASP Top 10: A03:2021 Injection (A7:2017 Cross-Site Scripting)


3. Cross Site Scripting (XSS) - Stored

Description:
- Stored cross-site scripting (also known as second-order or persistent XSS) arises when an
application receives data from an untrusted source and includes that data within its later HTTP
responses in an unsafe way. For example, a website allows users to submit comments on blog posts,
which are displayed to other users; a comment containing script is stored and then executed in
every reader's browser.

Affected Resource / Parameter: Insert Video
Severity: Medium

Impact / Consequences:
- The attack allows a malicious individual to insert JavaScript code into an input field; the payload
is stored in the database and then executed in the browser of every client who views the affected
page, performing actions under that client's session.

Recommendations:
- Apply context-dependent encoding and/or validation to user input rendered on a page.
- Escape user input on output.
- Validate input on arrival.

Tools Used: Manual
References: https://portswigger.net/web-security/cross-site-scripting
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
OWASP Top 10: A03:2021 Injection (A7:2017 Cross-Site Scripting)
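The recommendations from all three findings above (HTML injection, reflected XSS in a double-quoted attribute, stored XSS) come down to the same two controls, shown here as an added example that is not from the original document: the vulnerable rendering that concatenates input into a text node and an attribute next to the hardened version that HTML-encodes on output, plus allow-list validation for the Location parameter and a check for the redirect target. The payloads, the city names in ALLOWED_LOCATIONS and the redirect fallback are constructed for the example.

```python
from __future__ import annotations

import html
from urllib.parse import urlsplit

# Constructed inputs for the example: a harmless search term and two payloads
# of the kind used to demonstrate the findings above (attribute break-out and
# a script tag in a text node).
BENIGN = "laptop"
ATTR_BREAKOUT = '" onfocus="alert(1)" autofocus="'
SCRIPT_TAG = "<script>alert(document.cookie)</script>"

# Hypothetical allow-list for the "Location" parameter; the real list lives in
# the application's configuration.
ALLOWED_LOCATIONS = frozenset({"Ahmedabad", "Mumbai", "Pune", "Surat"})


def render_search_vulnerable(term: str) -> str:
    """The 'before' state: user input copied raw into a text node and into a
    double-quoted attribute, exactly the sink described in the tables."""
    return (f"<p>Results for {term}</p>\n"
            f'<input name="q" value="{term}">')


def render_search_safe(term: str) -> str:
    """HTML-encode on output for both contexts. html.escape(quote=True)
    replaces & < > " and ', so the value can neither close the attribute nor
    open a new tag. This covers text and double-quoted attribute contexts;
    URL, JavaScript and CSS contexts need their own encoders."""
    safe = html.escape(term, quote=True)
    return (f"<p>Results for {safe}</p>\n"
            f'<input name="q" value="{safe}">')


def is_allowed_location(value: str) -> bool:
    """Allow-list validation on arrival: the Location field only ever holds a
    value the server already knows, so nothing attacker-shaped is stored."""
    return value in ALLOWED_LOCATIONS


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """Accept only a local absolute path for a redirect. Anything with a
    scheme or host, a protocol-relative '//' prefix, or '/\\' (which some
    browsers normalise to '//') is replaced by the fallback, so an injected
    link cannot send the user off-site."""
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        return fallback
    if not requested.startswith("/") or requested.startswith(("//", "/\\")):
        return fallback
    return requested


if __name__ == "__main__":
    print(render_search_vulnerable(ATTR_BREAKOUT))
    print(render_search_safe(ATTR_BREAKOUT))
    print(safe_redirect_target("//evil.example/"))
```

Encoding on output rather than stripping on input is what makes the stored case safe too: the comment can be stored verbatim and still renders as inert text, and a later change in how it is displayed does not reopen the hole as long as the template encodes.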
