WAS IA - 1 Question Paper With Answer

The document is an internal assessment for the Department of Computer Science and Engineering and Information Technology, detailing a time management chart and a series of questions related to web applications and security. It covers topics such as the definition of web applications, differences between web applications and websites, session management, cloud applications, and various security threats like SQL injection and CSRF. Additionally, it discusses the evolution of web application security, authorization layers, and the role of web application firewalls.

Uploaded by

Karthik Vijay

Internal assessment – I ANSWER KEY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING & INFORMATION TECHNOLOGY
TIME MANAGEMENT CHART

PART-A (10 × 2 = 20)


Answer All Questions
(Each answer should have minimum 7 lines)
1. What is a Web Application? U CO1
A web application is an application program that is usually stored on a remote server and that users access through software known as a web browser.
2. Classify the difference between a web application and a website. R CO1

S.no | Web application | Website
1. | A web application is a piece of software that users can access through a web browser. | A website is a collection of related web pages containing text, images, audio, video, etc.
2. | Users of web applications can both read the content and manipulate data within the application. | Users of websites can only read the content; they cannot actively manipulate data.
3. | Web applications often require authentication (e.g., login credentials) to access personalized features. | Websites do not need precompilation; their static content is directly served.
4. | Web applications tend to have complex functionality, involving server-side scripts and client-side interactions. | Websites have simpler functions and are primarily focused on content presentation.
5. | Web applications often require advanced browser capabilities to handle dynamic interactions. | Websites also rely on browser capabilities but are less demanding in this regard.
3. How do web applications work? R CO1

4. Analyze why session management is crucial in web applications. A CO1

Session management is vital for maintaining user authentication across multiple requests and ensuring secure communication between the client and server. Without session management, the server would not know whether multiple requests originated from the same user or from different users; this would make it impossible for web applications.
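The following Python program is an added illustration for this answer; it is not part of the answer key. It shows the mechanism the answer describes: the server keeps user identity and expiry in its own store, hands the browser only an opaque, unguessable session id, and uses that id to link otherwise independent HTTP requests back to a logged-in user. The Set-Cookie attributes it emits (HttpOnly, Secure, SameSite=Lax) are the ones asked about in questions 7 and 10. The session lifetime, the class and function names, and the sample cookie values are assumptions made for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed policy value: a session expires after 30 minutes of inactivity.
SESSION_TTL_SECONDS = 1800


class SessionStore:
    """Minimal in-memory server-side session store (hypothetical example).

    The browser only ever holds an opaque session id; the user identity and
    the expiry time live on the server, so the client cannot alter them.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, dict] = {}
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def create(self, user_id: str) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG: ids must be unguessable,
        # otherwise one user could present another user's session id.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id,
                               "expires": self._clock() + SESSION_TTL_SECONDS}
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[str]:
        """Return the user bound to sid, or None if absent, unknown or expired."""
        if sid is None:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._sessions[sid]          # idle timeout: discard the stale session
            return None
        entry["expires"] = self._clock() + SESSION_TTL_SECONDS  # sliding expiry
        return entry["user"]

    def destroy(self, sid: str) -> None:
        """Logout: invalidate the session on the server, not just in the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie line for the session id with the protective attributes:
    HttpOnly (no script access), Secure (sent over HTTPS only) and
    SameSite=Lax (not sent on cross-site POST requests, which blunts CSRF)."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Parse the value of a request's Cookie header into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def identify_user(store: SessionStore, cookie_header: str) -> str:
    """What the server can know about who sent a request: the session id is
    the only link between independent HTTP requests and a logged-in user."""
    sid = parse_cookie_header(cookie_header).get("sid")
    return store.lookup(sid) or "anonymous"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")                  # issued at login
    print(session_cookie_header(sid))
    print(identify_user(store, f"sid={sid}"))    # alice
    print(identify_user(store, "theme=dark"))    # anonymous: no session, no identity
    store.destroy(sid)
    print(identify_user(store, f"sid={sid}"))    # anonymous again after logout
```

The injectable clock is there so the idle-timeout path can be exercised deterministically; in a real deployment the store would be a shared backend (database or cache) rather than a per-process dictionary, so that every server in a cluster sees the same sessions.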

5. Define Cloud Application. R CO1

Cloud applications require an online connection to work. Customers might also get additional access to them by using a browser. Server computing refers to technologies in which a device or program, known as a server, is designed to manage network resources. Servers accept and respond to requests made by another program, known as a client. Such apps' data is stored, processed, and accessed through the cloud.
6. What is Cross-Site Request Forgery (CSRF)? R CO2
7. Evaluate the effectiveness of using the SameSite attribute on cookies to mitigate cookie-based attacks. A CO2
8. What is SQL Injection? R CO2
9. Design a secure strategy for managing client state in a web application to prevent manipulation. U CO2
10. What is a cookie in the context of web security? U CO2

PART-B (5 × 16 = 80)


Answer All Questions
(Each answer should be written for minimum 6 pages with
minimum 25 lines per page)
11. A Explain the evolution of web application security over the years, highlighting key milestones and challenges faced by developers. (16) R CO1
The Evolution of Web Security

The ever-growing number of devices and internet usage has escalated security concerns across the globe. Web security has been a part of computing since its beginning; however, it has evolved with the needs and demands of modern times.

More and more individuals and businesses need data and devices 24/7 to support their business growth, client satisfaction, and employee retention. However, the challenge of web security grows with the increasing reliance on the internet and computer systems.

Web Security
• Web security, or cyber protection, is an evolution of data protection and cyber security approaches that fulfils modern security demands for web pages and applications.
• Web security focuses on backup, cyber security, and endpoint management tools to offer a solution against security risks. This enables individuals and organizations to recover from cyber-attacks efficiently.
• Antivirus (anti-malware) software is a program built to prevent, detect, and remove malware from a system. Antivirus software and plugins play a significant role in preventing security risks; they protect against several kinds of malware, viruses, and security threats.

Causes of Cyber Security Threats
• Insufficient prevention measures, lack of cyber security education, weak passwords, phishing emails, and poor user practices are the most common causes of security risks and successful cyber-attacks against any system or software program.

The Pre-Virus Phase
• The pre-virus phase witnessed the development of an experimental virus. The first-ever virus was Creeper, written in the early seventies to test a software program. The 'Creeper system' was written by Bob Thomas at BBN Technologies.
• This virus was not malicious to the computer program. It appeared as a thread of text on the screen saying, "I'm the creeper, catch me if you can."; it was only a test of whether programs could run across computer networks.

Reaper Appeared to Catch the Creeper
• The first antivirus spotted was Reaper; it was the first antivirus software. Ray Tomlinson created it to move across the ARPANET and delete the running Creeper program. Reaper itself was a virus meant to find and delete Creeper.

The Emergence of Web Security
Fast forward to the 1990s, when several other milestones in the evolution of web security were reached.
• Symantec released its first Norton Antivirus in 1991 in the United States.
• The European Institute for Computer Antivirus Research was established in 1991. It worked on antivirus research and on improving the development of antivirus software.
• Meanwhile, Jan Gritzbach and Tomáš Hofer founded Grisoft Technologies in the Czech Republic, later known as AVG. AVG released its first Anti-Virus Guard (AVG) in 1992.
• Following this event, Igor Danilov released the first version of Spider Web in 1992, later known as Dr. Web.

The Rise of Next-Gen
• The next-gen cyber security trends included intelligent approaches to address security concerns, using artificial intelligence and machine learning algorithms to counter new forms of security threats.
• Behavioral detection and cloud-based file detonation were two of the latest security tactics. This era marked a new phase of innovation and achievement in the evolution of web security.
• A key challenge of antivirus is that it can often slow a computer's performance. One solution to this was to move the software off the computer and into the cloud. In 2007, Panda Security combined cloud technology with threat intelligence in their antivirus product.

The Evolution on the Rise
• Web security kept on evolving with newer and better protection, one after the other. Operating system security was an innovation in security in this era.
• The operating system is built with security considerations to provide an extra layer of security.
• This type of security practice includes performing regular OS patch updates, account security management, and installation of updated antivirus software and firewalls.
• With the rise of smartphones and other handheld devices, virus prevention was developed for Android, iOS, and Windows operating systems.
• Interestingly and expectedly, as cyber security began to prevent attacks and malware, digital criminals expanded the threat span as well. The types and variety of cyber-attacks grew alongside.
• Multi-vector attacks and social engineering attackers appeared as the new cyber enemies. With attackers becoming smarter, web security practices need to change from limited detection methods to next-generation innovations.
• Next-gen web security focuses on innovative ways to ensure protection. It uses different methods to improve the detection of attacks and fraud, including new and unprecedented threats:
  • Strong passwords and authentication
  • Multi-factor authentication methods
  • Network behavioral analysis based on anomalies and changes in users' behavior
  • Threat intelligence and automation
  • Real-time protection, including on-access scanning, auto-protect, and background guard
  • Sandboxing, by creating an isolated test environment to process suspicious data or URLs
  • Backup and preventive security measures
  • Web application firewalls (WAF), which protect against cross-site request forgery, cross-site scripting, file inclusion, and SQL injection
(OR)
11. B Explain the different kinds of Authorization layers in Web Application Security. (16) R CO1
Authorization is not a one-time thing. Authorization should happen at many points and many times within a web application. These points come at certain common boundaries that exist in most web applications, forming "layers" that can be thought about, designed, and implemented in a holistic fashion.

As you can see in Figure 4-2, authorization occurs in both the horizontal and vertical directions. Horizontally, it takes place at the boundaries between systems on the path from user to application. Vertically, it takes place between interacting components within an individual system. Fundamentally, AuthZ takes place whenever one subject must access another. All of the elements in the figure are software, which means they can do things, which means that for our purposes they are security subjects to the downstream elements. All the transition points in Figure 4-2 represent boundaries at which it is possible for authorization to occur.

Traditional computer security was only concerned with the vertical direction: with the interaction of software components that were active on the same computer at the same time. Web application security adds the horizontal direction, because a modern web application is composed of a number of discrete components that jointly mediate the user's interaction with the application. The horizontal layers are as follows:

Web client:
• The "user agent," in web-speak, also known as the user's web browser. The browser's job is to make well-formed HTTP requests to web servers and to render the results for the user. The computer running the user's web client should have a minimal role in authorization for your web application; if the web application is relying on the web browser to authorize (or authenticate) the user, then you should stop and re-examine your design, because it is virtually impossible to properly and securely perform authorization on the client.
• The most common authorization question that the browser needs to answer is, "does this user have permission to run a web browser and connect to the Internet?" Chances are excellent that the answer is yes; otherwise, this web client won't be talking to your application at all.

Front-end web server:
• The web server running at the host address that the base URL for your web application resolves to. For example, if MyWebApplication.cxx resolves to the IPv4 address 207.102.99.100, then the front-end web server is the server listening for traffic at that address. The fundamental authorization question this server needs to answer is, "should I be talking to this remote computer at all?" Perhaps yes, but again, beware of granting hasty, blanket permission to anything.
• There may be reasons why your application (or a firewall) needs to filter the IP addresses of incoming requests. In many B2B scenarios, the IP addresses or address ranges of all legitimate clients are known in advance. Thus, you can significantly reduce the pool of potential attackers by applying basic IP restrictions. This is actually one of the most effective defenses for your web applications. AuthZ may also occur as the web server decides whether the client (most likely anonymous at this point) is allowed to access the resources being requested. In most cases, the web server is responsible for providing static content, while the dynamic content is returned by the application servers. Beyond that, the front-end web server must process the AuthN credentials presented by the web client when a user signs on.

Back-end application servers:
• The cluster of one or more application servers which, collectively, share and service the aggregate traffic coming to the web application. For high-volume web applications that must serve many thousands of incoming requests per second, distributing the requests to a group of servers is often the only way to handle the load.
• These servers, being where the bulk of the application logic resides, are usually responsible for the lion's share of AuthZ management. They do this by comparing the AuthN information validated by the front-end server, plus the resources named in the request URL or session state, against the permissions granted for that user.

Back-end database:
• The database component that holds the data resources managed by the web application. It could also be another data store such as an LDAP directory, although we will primarily consider traditional databases in this chapter. Depending on the overall application design and the capabilities of the database software, the back-end database may also participate in authorization decisions.
• For applications that use stored procedures to mediate all access to the underlying data resources, the database itself may take on some or all authorization duties in addition to managing the storing and fetching of data. In any case, all back-end databases must answer the authorization question, "does the client making this particular request have permission to use this database at all?" Databases that are being used for their stored-procedure capabilities must also answer the question of whether the remote user is allowed to execute the stored procedure being requested. The details may vary from one web application to another; for example, a small-volume application.
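The following Python program is an added illustration of the three horizontal layers described in this answer; it is not part of the answer key or of the book the answer draws on. Each layer answers its own question: the front-end web server asks "should I be talking to this remote computer at all?" (an IP restriction) and serves static content itself; the application server compares the validated identity and the resource named in the URL against granted permissions; the database asks whether the stored procedure being requested has been granted to the caller's role. The network range, user names, permission sets, procedure names and the rule that dynamic content needs a signed-on user are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    client_ip: str
    user: Optional[str]              # None = not yet authenticated (anonymous)
    resource: str                    # path named in the request URL, e.g. "/reports/42"
    action: str                      # "read" or "write"
    procedure: Optional[str] = None  # stored procedure the app would call, if any


# Constructed policy data for the example (not from any real deployment).
# 203.0.113.0/24 is a documentation range reserved by RFC 5737.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24")]
STATIC_PREFIXES = ("/static/",)
USER_PERMISSIONS = {
    "alice": {("reports", "read"), ("reports", "write")},
    "bob": {("reports", "read")},
}
DB_GRANTS = {"app_role": {"sp_get_report"}}  # procedures the app's DB role may execute


def front_end_authz(req: Request) -> Optional[str]:
    """Layer 1, front-end web server: 'should I be talking to this remote
    computer at all?', then whether the (possibly anonymous) client may have
    the resource it asked for.  Returns a final verdict, or None to pass on."""
    ip = ipaddress.ip_address(req.client_ip)
    if not any(ip in net for net in ALLOWED_CLIENT_NETS):
        return "deny: front-end IP restriction"
    # Static content is served here; the anonymous client may fetch it.
    if req.resource.startswith(STATIC_PREFIXES):
        return "allow: static content served by front-end"
    # Assumed policy: dynamic content is only forwarded for a signed-on user.
    if req.user is None:
        return "deny: front-end requires a signed-on user for dynamic content"
    return None


def app_server_authz(req: Request) -> Optional[str]:
    """Layer 2, application server: validated identity plus the resource
    named in the URL, checked against the permissions granted to that user."""
    collection = req.resource.strip("/").split("/")[0]
    if (collection, req.action) not in USER_PERMISSIONS.get(req.user, set()):
        return "deny: app-server permission check"
    return None


def database_authz(req: Request, db_role: str = "app_role") -> Optional[str]:
    """Layer 3, database: may this client execute the stored procedure it
    is asking for?  Grants are per database role, independent of app logic."""
    if req.procedure is not None and req.procedure not in DB_GRANTS.get(db_role, set()):
        return "deny: database stored-procedure grant"
    return None


def authorize(req: Request) -> str:
    """Run the horizontal layers in order; the first layer that decides wins."""
    for layer in (front_end_authz, app_server_authz, database_authz):
        verdict = layer(req)
        if verdict is not None:
            return verdict
    return "allow"


if __name__ == "__main__":
    print(authorize(Request("203.0.113.7", "alice", "/reports/42", "read", "sp_get_report")))
    print(authorize(Request("198.51.100.9", "alice", "/reports/42", "read")))
    print(authorize(Request("203.0.113.7", "bob", "/reports/42", "write")))
    print(authorize(Request("203.0.113.7", "alice", "/reports/42", "write", "sp_delete_report")))
```

The point of the ordering is that a request rejected by an outer layer never reaches the inner ones, and an inner layer still makes its own decision even when the outer layers said yes: the database grant check denies a procedure the application server would otherwise have called, which is the defence in depth the answer describes.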

12. A Discuss in detail about Vulnerabilities in Traditional Client Server Application and Web Applications. (16) U CO2
(OR)
12. B Examine the role of Web Application Firewalls (WAFs) in protecting web applications from various threats, including SQL Injection, DDoS attacks, and malicious bots. (16) A CO2

13. A Compare and contrast session-based and token-based authentication methods along with their strengths and weaknesses. (08) U CO1
(OR)
13. B How is the Content Security Policy used for XSS prevention? (08) A CO2
